Good afternoon everyone, and thank you for coming after lunch. I know it's quite challenging, but I really appreciate it.
So Samir and I are gonna be talking about "From Shadow to Light", about a shadow admin problem, or at least a problem with shadow admins that you might not be aware of. In general, we are going to talk about a couple of things. First we are going to be aligned about what shadow admins are. Then we are going to tackle one of the problems that shadow admins can cause to our environment. Samir is gonna be talking about a solution he developed, and we're gonna tell you some insights and takeaways from this.
So before we talk about the problem of shadow admins, let's just be aligned about what it is. Basically, shadow admins are non-administrative users that hold sensitive permissions that effectively grant them admin privileges.
Or in simple words, if I'm a regular user and I can reset the password of Samir, who is an admin, I'm a shadow admin. Why should I care? Basically, shadow admins are a platform for attackers to perform breaches.
So if attackers get into your environment and somehow obtain the credentials of shadow admins, they can practically do whatever they want in the environment, because they can just reset the password of an admin and do whatever they want. Why do you have shadow admins in your environments? It's also a good question. Most of them are because of misconfigurations, because of human error; some of them are back doors. So if, for instance, the admin forgets their password, the shadow admin can revert it and grant them access again.
And the third common reason is just that attackers who are already in your environment might change the configuration and create shadow admins for persistence.
So it's very, very dangerous, and there are a lot of tools like BloodHound that help you discover them. What we claim is that knowing your shadow admins is not enough; you need to do more to handle them. I'll just give you a quick visual example of what shadow admins are. For instance, Alice is an admin in my organization and Dave has a reset password permission over Alice's account. So he's basically a shadow admin.
Now I'm assuming Bob is another regular user and Bob can reset the password of Dave. He's also a shadow admin, because he can reset the password of Dave, take over his account, and then use Dave's account to take over Alice's account, which is an admin, and do whatever he wants in the environment.
Alex, however, is not a shadow admin. She has a permission over Dave, but it's not a reset password; it's a weak permission. So not everyone who has permission over other users is a shadow admin, and if I want to resolve them, what I can do in this case is just go to Dave and try to revoke his permission over Alice.
However, it's not that easy to just revoke permissions in their environment, because some services and processes depend on it. So what you need to do, basically, is find the permissions you need to tackle, the ones you want to resolve, and focus on them.
So a bit of statistics about the number of shadow admins. We collected statistics from our customers, more than 250 organizations, and the very most of them have double digits of shadow admins, where the median is 40.
It means that more than 50% of the organizations have at least 40 shadow admins, and some of them have hundreds, which is extremely dangerous because they're very vulnerable to attackers. So let's see why finding the right permissions to revoke is not that easy. Let's see that example. Alice is still an admin; Bob, Dave and Carol are regular users.
I can try to revoke the red permission, and then Bob won't be a shadow admin, but Dave is going to be a shadow admin and Carol is still gonna be a shadow admin, because she can reset the password of Dave, who can reset the password of Alice. If I revoke the blue one, Bob is going to be a shadow admin and Carol is still going to be a shadow admin, because she can reset the password of Bob, who could reset the password of Alice.
So if you notice, in this example there is no single permission I can revoke that will prevent Carol from being a shadow admin, which is a problem. And it can be even more complicated than that. Let's assume I have two admins (usually I have 20 in my organization), Dave and Alice; all the other ones are regular users.
You have 100 users who have reset password permissions over Eve. So from the previous example you know that Carol is gonna be a shadow admin even if you revoke a single permission.
So if I want to eliminate as many shadow admins as possible by revoking one permission, you can easily notice it's going to be the red one, because I'm going to eliminate 100 users, more than with any other permission. And if you look, the red one does not lead directly to any admin. So the problem is not that simple. What Samir is going to show you now are real examples from real environments and how they look, and he's going to talk very briefly about the solution, how to find those permissions to revoke.
Great, thank you all. Awesome. So we understood what the shadow admin issues are, and we wanted to tackle this issue in a pretty easy way for the companies, 'cause we don't want to add more work to the IT teams and security teams. We want to minimize the effect of the permissions, because we know it's a big issue and it needs a lot of investigation. First things first, we decided, okay, let's try and look at it in a graphical way. So we put all of the shadow admins and their connections on a graph and we started to look at it this way.
Here we can see that we have the admins; they are the red nodes, those are basically our accounts that we want to protect. And everything else can be a single account or a group or OU or whatever. But like this on its own, it doesn't tell us much yet.
So we wanted to try and look at it a little bit differently. So we decided to make some adjustment to the problem. First of all, we converted it into a directed graph and we put it in a topological order. So now we have some kind of organization to the, to the basically the permissions and the accounts. But that wasn't enough.
We wanted to say, okay, we have a lot of admins; in this example we have only one admin, but there can be more. So what we want to do is consolidate all of the admins into a single node. We call it the source. And on the other end we wanted to put everyone that doesn't have anyone with permission over him; we consolidate them into a target. So suddenly we started to see some similarity with what is called the flow problem.
This is a known problem in graph theory where basically you have a network and you have one end, the source, the other is the target, and there is some kind of movement in the graph.
And we started to see similarities because no matter how many shadow admins I have, like Gal showed you, we can have a hundred shadow admins, at the end they all flow into a single admin or a couple of admins. So it's sort of like a flow problem. And we know this problem has a pretty good solution using an algorithm called min cut max flow, which basically partitions the graph into two.
One side has the source and the other side has the target. And the solution to this algorithm is basically the maximum capacity that can flow. So we decided to try and see if we apply it, if we can get some good insights. Let's take a look at a few examples. So we applied the solution. This is, by the way, all real cases. So we applied the algorithm, and the algorithm basically gave us two permissions that we can revoke.
And if you can see they basically affect multiple users and only by revoking two permissions.
We got a drop in the percentage of shadow admins of 40%, which is quite a lot for just going and investigating two permissions. And that's the kind of solution we are looking for. If we take a look at more complex examples, here we have multiple admins. And in this case we want to remove an entire path but also prevent it from the other side. And here we also get a pretty high drop percentage of our shadow admins. So it started to look like a pattern. So we decided to look at easy cases.
So this is a pretty naive solution, and we can see that the algorithm gives us also the easy stuff. So it's also good, but what if we have thousands? There are some organizations with thousands of shadow admins.
Suddenly it looks something like this. Now imagine yourself taking this graph and giving it to your IT or your security team and basically focusing them only on 20 permissions, and you can resolve pretty much over a thousand shadow admins.
'Cause we don't want to make work hard on them. We want to focus them and narrow their work. We don't want to add work to them because we know that they already have pretty much a lot on their plate. So using this solution gave us pretty much a lot of insights.
So I'll leave you some takeaways. Basically we know that with shadow admins, if we want to, we can remove a hundred percent. That's not the issue. It's not the issue of if, it's the issue of how much work will it take.
So going in this direction, we want to minimize the actions that we do and we want to maximize the impact. So we tried to go with a solution that can highlight the best permissions to revoke. And we can see that for the most part, we need only a few permissions to revoke and we can already get a pretty good impact. So identifying the right permission to revoke is the key here, and this is something that is very impactful.
Another thing is we always want to look at scale and efficiency, and going with something that is already proven, a good algorithm, we know it was studied and pretty much gives good solutions. So why not use it? We don't have to reinvent everything; we just need to transform our problems in the right way and we can apply already known problems. And I think that's it. I'll leave some time for questions. Thank you. Thanks guys.
We actually, amazingly, have time for one question.
Having booted off the other guy too early, but never mind. Yes.
If you use passwordless authentication for active directory, do you still have this challenge of shadow admins or would passwordless authentication remove the problem you're trying to solve?
So, I'm not sure I understand. I mean, you still need to have permissions. A password, if I understand you correctly, is the way to log in. But still, for every user, and it's very relevant for Active Directory and other identity platforms, you need to have some permission system.
So in Active Directory you have some permissions, for example resetting the password from one user to another. And you have more complicated ones, we didn't dive into this; one can write some of the properties. In other IdPs like Entra ID you have a more complicated system, but you still have it: you have customized permissions and you have default roles, but you have the same problem. And this solution, by the way, is very generic.
It's relevant for all the platforms; the things we showed you here are relevant mostly to Active Directory.
Okay, thanks. I'm sorry, I think we'll have to go to the next speaker.
Yeah, so I think I'll just say, if I may, that we tried to present a very long research in 15 minutes. Yeah, exactly.
But we are still here at floor B and there's gonna be whiskey in our booth.
I was just gonna say, if you wanna catch up with
them, you can catch up later,
go outside.
But yeah, sorry everyone, whiskey
tasting at four.
Thanks.
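The min-cut idea Samir describes in the talk (consolidate the admins on one side, run min cut max flow, revoke the cut edges), worked through on the two examples Gal draws, as an added example that is not part of the talk and not the speakers' tool. Two choices the talk leaves open are assumptions here: every reset-password edge gets capacity 1, and every non-admin (not only the users nobody has permission over) is wired to the super-source, so the cut is the smallest set of revocations that leaves no shadow admin at all. The names Eve, Frank and u0..u99 and all the permission edges are constructed data, not directory output.

```python
from collections import deque

INF = float("inf")

# Constructed data modelled on the talk's examples (not real directory data).
# An edge (u, v) means "u can reset the password of v".
# Example 1: Alice is the admin; Bob and Dave reset Alice; Carol resets both.
PERMS_1 = [("Dave", "Alice"), ("Bob", "Alice"), ("Carol", "Bob"), ("Carol", "Dave")]
ADMINS_1 = {"Alice"}
# Example 2: two admins; 100 users can reset Eve, whose chain reaches Alice
# only through Frank; Bob can reset the admin Dave. (Hypothetical names.)
PERMS_2 = [(f"u{i}", "Eve") for i in range(100)] + [
    ("Eve", "Frank"), ("Frank", "Alice"), ("Bob", "Dave")]
ADMINS_2 = {"Alice", "Dave"}


def shadow_admins(perms, admins):
    """Non-admins from which a chain of reset-password edges reaches an admin.
    Walk the reversed edges backwards from the admins."""
    rev = {}
    for u, v in perms:
        rev.setdefault(v, set()).add(u)
    seen, queue = set(admins), deque(admins)
    while queue:
        x = queue.popleft()
        for y in rev.get(x, ()):
            if y not in seen:
                seen.add(y)
                queue.append(y)
    return seen - set(admins)


def max_flow_min_cut(cap, s, t):
    """Edmonds-Karp max flow. Returns (flow value, nodes on the source side of
    a minimum cut); the cut edges are the original edges leaving that set."""
    res = {u: dict(vs) for u, vs in cap.items()}      # residual capacities
    for u in list(cap):
        for v in cap[u]:
            res.setdefault(v, {}).setdefault(u, 0)      # reverse edges
    flow = 0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:                # BFS: shortest augmenting path
            x = queue.popleft()
            for y, c in res[x].items():
                if c > 0 and y not in parent:
                    parent[y] = x
                    queue.append(y)
        if t not in parent:
            return flow, set(parent)                    # residual-reachable = source side
        bottleneck, y = INF, t
        while parent[y] is not None:
            bottleneck, y = min(bottleneck, res[parent[y]][y]), parent[y]
        y = t
        while parent[y] is not None:                    # push flow along the path
            x = parent[y]
            res[x][y] -= bottleneck
            res[y][x] += bottleneck
            y = x
        flow += bottleneck


def permissions_to_revoke(perms, admins):
    """Smallest set of permissions whose revocation leaves no shadow admin.
    Assumptions (not specified in the talk): capacity 1 per permission edge;
    every non-admin wired to super-source S and every admin to super-sink T
    with infinite capacity, so only real permissions can end up in the cut."""
    cap = {"S": {}, "T": {}}
    users = {x for edge in perms for x in edge}
    for u in sorted(users - set(admins)):               # sorted: deterministic BFS order
        cap["S"][u] = INF
    for a in sorted(admins):
        cap.setdefault(a, {})["T"] = INF
    for u, v in perms:
        cap.setdefault(u, {})[v] = 1
    _, source_side = max_flow_min_cut(cap, "S", "T")
    return {(u, v) for u, v in perms if u in source_side and v not in source_side}


def revocation_report(perms, admins):
    """How many shadow admins the min-cut revocation removes, and at what cost."""
    before = shadow_admins(perms, admins)
    cut = permissions_to_revoke(perms, admins)
    after = shadow_admins([e for e in perms if e not in cut], admins)
    return {"revoked": len(cut), "eliminated": len(before) - len(after),
            "remaining": len(after)}


if __name__ == "__main__":
    for perms, admins in ((PERMS_1, ADMINS_1), (PERMS_2, ADMINS_2)):
        print(sorted(permissions_to_revoke(perms, admins)), revocation_report(perms, admins))
```

On the first graph the cut is both edges into Alice, which matches Gal's point that no single revocation stops Carol. On the second graph the cut is two edges for 103 shadow admins: it picks one edge on the Eve-Frank-Alice chain instead of the 100 edges into Eve, exactly the "red edge that does not lead directly to an admin". Real deployments would replace the unit capacities with a cost reflecting how hard each permission is to remove, which is the part of the talk the authors did not detail.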