SpecterOps, a provider of adversary-focused cybersecurity solutions and the creators of the free and open-source penetration testing tool BloodHound, today announced BloodHound Enterprise, an Attack Path Management (APM) security solution for Active Directory (AD). Designed to help organizations proactively and continuously identify, manage and remediate millions of AD Attack Paths, BloodHound Enterprise gives IT Ops and SecOps professionals the tools needed to dramatically and measurably improve AD security posture with minimal effort.
We spoke with Justin Kohler, product director for BloodHound Enterprise at SpecterOps, to discuss the company and its new offering in more detail.
Tell us about SpecterOps. What is the company's mission?
SpecterOps provides advanced adversary simulation, detection and training services to enterprise clients. With the launch of BloodHound Enterprise – the company’s first commercial product – SpecterOps is helping organizations to secure Microsoft Active Directory (AD) and reduce the risks associated with AD Attack Paths, which are currently a largely unseen and unmanaged security issue that continues to grow at alarming rates. The company’s vision and mission are to help reduce the impact of vulnerabilities and misconfigurations associated with AD, and to simplify AD management for security teams.
What makes BloodHound special?
To clarify, BloodHound is a free and open source (FOSS) tool created by SpecterOps. It maps Attack Paths and is designed for red teams and penetration testing. It will continue to be fully supported by SpecterOps as a free and open source tool.
BloodHound Enterprise (the product being launched on 7/27/21) is a new enterprise solution built for blue teams and a defensive use case. It provides a level of visibility never before seen by AD architects and defenders. It continuously maps and identifies Attack Path choke points, providing an effective and simple way to cut off millions of Attack Paths that can occur through Active Directory (AD). AD is considered one of the easiest, most reliable, and biggest payoff targets for attackers when it comes to targeting corporate networks. Because it’s constantly evolving, admins struggle to stay on top of alerts and misconfiguration debt. This means attackers are almost guaranteed to find new Attack Paths. BloodHound Enterprise takes a top-down approach protecting high-value (tier zero) assets and mapping every Attack Path from this perspective through a visual interface. By identifying these critical choke points, the product allows teams to sever millions of Attack Paths with minimal effort.
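A small worked illustration of the choke-point idea described above, added here and not taken from SpecterOps or BloodHound: a constructed AD-style graph of principals and relationships, a depth-first enumeration of every path that reaches a tier-zero asset, and a ranking of relationships by how many of those paths traverse them, so that removing the top-ranked one shows how many paths a single fix severs. The principal names, the edges, and the choice of entry points (principals with no inbound control edge) are all assumptions made for this example.

```python
"""Attack-path choke-point ranking over a small, constructed AD-style graph.

Added illustration, not SpecterOps or BloodHound code. It follows the top-down
approach described in the interview: start from a tier-zero asset, enumerate
every path that reaches it, rank relationships by how many paths they carry,
and measure how many paths one remediation severs. The graph is constructed.
"""
from collections import Counter, defaultdict

# Constructed edges (source, target, relationship). The relationship names
# mirror BloodHound-style edge kinds; the principals are made up.
EDGES = [
    ("alice", "HELPDESK", "MemberOf"),
    ("bob", "HELPDESK", "MemberOf"),
    ("carol", "HELPDESK", "MemberOf"),
    ("HELPDESK", "WS01", "AdminTo"),
    ("HELPDESK", "WS02", "AdminTo"),
    ("WS01", "svc_backup", "HasSession"),
    ("WS02", "svc_backup", "HasSession"),
    ("svc_backup", "SERVER_ADMINS", "MemberOf"),
    ("erin", "SERVER_ADMINS", "GenericAll"),
    ("SERVER_ADMINS", "DC01", "AdminTo"),
    ("dave", "DC01", "GenericAll"),
]
TIER_ZERO = "DC01"  # the high-value asset every path is measured against


def entry_points(edges):
    """Principals with no inbound control edge. Simplifying assumption for
    this example: these are the starting points of every attack path."""
    targets = {dst for _, dst, _ in edges}
    return sorted({src for src, _, _ in edges} - targets)


def enumerate_paths(edges, target):
    """All simple paths from each entry point to target, as lists of edges."""
    adj = defaultdict(list)
    for src, dst, kind in edges:
        adj[src].append((dst, kind))
    paths = []

    def dfs(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt, kind in adj[node]:
            if nxt in visited:      # keep paths simple; AD graphs have cycles
                continue
            visited.add(nxt)
            path.append((node, nxt, kind))
            dfs(nxt, visited, path)
            path.pop()
            visited.discard(nxt)

    for start in entry_points(edges):
        dfs(start, {start}, [])
    return paths


def rank_choke_points(edges, target):
    """Edges ordered by the number of attack paths that traverse them.
    The top entry is the single relationship whose removal severs the most."""
    counts = Counter(edge for path in enumerate_paths(edges, target) for edge in path)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def paths_severed_by_removing(edges, target, edge):
    """How many paths to target disappear if one relationship is remediated."""
    before = len(enumerate_paths(edges, target))
    after = len(enumerate_paths([e for e in edges if e != edge], target))
    return before - after


if __name__ == "__main__":
    ranked = rank_choke_points(EDGES, TIER_ZERO)
    top_edge, _ = ranked[0]
    print(f"{len(enumerate_paths(EDGES, TIER_ZERO))} paths reach {TIER_ZERO}")
    for (src, dst, kind), n in ranked[:3]:
        print(f"  {n} paths via {src} -{kind}-> {dst}")
    severed = paths_severed_by_removing(EDGES, TIER_ZERO, top_edge)
    print(f"removing {top_edge} severs {severed} paths")
```

On the constructed graph, eight paths reach DC01; seven of them funnel through the SERVER_ADMINS -AdminTo-> DC01 relationship, so that one change is the highest-impact fix, while each individual user-to-group membership carries only two. The product described above does this continuously over collected data; the example only illustrates the path-counting idea behind picking a choke point close to tier zero.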
Why does Active Directory come with so many complex cyber challenges? Why do hackers target it?
Microsoft Active Directory (AD) is a critical business system used by the vast majority of the Fortune 1000 that offers attackers the “keys to the kingdom” that let them compromise any user, system or business process. AD is constantly growing and changing, and AD’s interface makes it extremely difficult to understand user privileges. This confusion means that attackers can almost always find a route to their objective using AD Attack Paths. The potential payoff for attackers is high and existing AD security measures are tedious, unattainable or expensive. This often results in poor AD security.
How can organizations mitigate their AD risk?
Visibility: IT needs to have visibility into AD and possible attack paths or misconfigurations as a first step. BloodHound Enterprise is specifically designed to do this. Organizations can also use less comprehensive solutions to do this that provide a moment-in-time view into AD attack paths such as BloodHound FOSS (https://github.com/BloodHoundAD/BloodHound) or PingCastle (https://github.com/vletoux/pingcastle).
Resilience: IT needs to have a plan for how to deal with misconfigurations, changes to the network, and how to limit the "blast radius" when a compromise occurs. This can be done through comprehensive, ongoing, and accurate asset inventory, and knowing the impactful relations between different assets in the network.
Resources: Organizations need to give IT the resources both in tools and time to address AD security issues and to build protections to limit the impact of a compromised endpoint.
Good resources for securing AD include Microsoft's Securing Privileged Access Documentation (https://docs.microsoft.com/en-us/security/compass/overview), which is Microsoft's guidance on how organizations should architect their networks to secure accounts and restrict access to resources, and ADSecurity.org.