Catching Bloodhound Before it Bites
BloodHound is a public and freely available tool that uses graph theory to automate much of the confusion behind understanding relationships in an Active Directory (AD) environment. It allows hackers and pentesters to know precisely three things: which computers give admin rights to any user, which users effectively have admin rights to any computer, and effective group membership information (see Image 1). Because Bloodhound can be used maliciously, organizations need to better understand how it is being used, how to protect privileged users, and how to prevent attacks.
Image 1 – BloodHound Link Analysis
Internal Pen Testing with BloodHound
Organizations leverage BloodHound for internal pen testing because it helps simulates one of two scenarios:
1. What an external attacker can accomplish after they get passed the initial breach
2. What a malicious insider can accomplish once inside the network
Internal testing requires a high level of experience and a large amount of time to perform effectively. Luckily there are a lot of tools out there which pen testers use today that can help businesses perform rudimentary security tests on their systems without the need for much manual intervention.
Internal pen testing takes the approach of simulating what an insider attack could accomplish. The target is typically the same as external pen testing with the critical exception that the assessment starts within the internal network, rather than from outside the network. Insider attacks are potentially more devastating than external attacks because insiders already have the knowledge of the critical assets within a network and their location. Outside attacks do not have this kind of intimate knowledge and would need to spend valuable time in reconnaissance to gather information (see Image 2).
Image 2 – Internal vs. External Assessment
Protecting Privileged Users Against BloodHound
BloodHound session enumeration (as also seen in Image 2) can assist to expand network access to the attacker by identifying users and groups who can lead the attacker to access local administrator rights.
In order to protect against these internal network attacks that aim to take control of enhanced privileges, organizations need to deploy a solution that can continuously monitor and learn user behavior in the network. When risky behavior is spotted (i.e. A user account with administrative privileges accesses a server that it normally doesn’t access and also does so from an unknown device), organizations need to be able to respond to the potential threat in real-time.
Preempt offers continuous monitoring and machine learning of user behavior in the network to help detect the use of tools such as Bloodhound, Mimikatz, PowerView, and others. In addition to Preempt’s own machine learning and analytics, organizations can set policies that are specific to their own corporate policy and critical infrastructure to make sure that their security is unique to their own environment. Preempt policy can be set to protect any asset to ensure that critical data stores and assets remain protected from insider threats.
Preempt BloodHound Attacks
The Preempt Platform helps customers detect BloodHound usage in their network to both pass rigorous pen testing audits as well as detect real life attacks. Below is an example (Image 3) of how Preempt caught a user leveraging BloodHound to gain administrative privileges.
Image 3 – Catching a BloodHound Attack
In addition to catching malicious activity in real-time, Preempt can also alert organizations when administrative accounts are being used on too many machines. This is a critical use case because protecting against administrative account misuse is key to helping your AD administrator and security engineers in reducing the attack surface. [Note: Yaron Ziner, one of Preempt’s Senior Researchers, recently did a webinar on how to analyze and prevent common attack tools. You may want to check it out: Taking the Hacker’s Toys Away- Analyzing Top Attacker Tools and How to Stop Them.]
Adaptive Threat Prevention
The comprehensiveness of the Preempt Policy Engine helps organizations adaptively respond in real-time when BloodHound is detected.
In addition, a security risk score will be assigned to the accounts involved in running the tools (both on the endpoint and the user’s account) to generate one or more of the following actions:
- MFA – AD enumeration (not commonly used) can be challenged for risky users/conditions by prompting them to verify their identity with MFA. This experience both helps with the end user experience as well as increasing AD security.
- Block – After suspicious activity is detected trying to access network services, the system can instantly block or limit the accounts from access.
- Reset Password – Since pen testing is highly dependent on stealing passwords, resetting passwords is a good security practice for when any weak password is detected or when suspicious user activity is occurring.
Whether due to malicious behavior or honest mistakes, threats from seemingly ‘trusted insiders’ can be the most difficult to manage. To prevent against these threats, organizations need more holistic visibility and control to proactively reduce internal risk, detect suspicious behavior, and prevent insider threats. By doing so, organizations can mitigate risk and reduce any further damages from impacting their most critical assets and daily operations.
Learn more about how Preempt is leading the field in providing industry-first capabilities that prevent lateral movement and unauthorized domain access due to the misuse of network credentials via reconnaissance tools in one of our recent announcements:
Posted by Nir Yosha on January 3, 2019 9:29 AM