Okay, thank you everyone. Good to be back. I see a lot of familiar faces, so I'm happy to be here. So my talk today is about slaying the sacred cows in identity and access management. I'm Patrick Parker. I'm the CEO and one of the co-founders of EmpowerID. So a sacred cow is any widely held belief that we no longer question, that we take for granted, whether it's accurate or not. So we're going to look today at some of the sacred cows in identity and access management and see if they've outlived their usefulness. Were they ever true? Are they still true? And are they worthwhile?
So the annual state-of-the-state report for security is the Verizon DBIR. It really measures the breach incidents: how have they changed from the years previous? What are the most common attacks? And they really describe how companies' security is getting compromised.
There are lots of topics in security, some of them very esoteric, but this really brings it down to how are hackers getting in and stealing our data, exposing our networks, charging us for ransomware. And they find that this year 88% of the breaches were pretty much the same attack vectors as they'd found since 2014. 81% of them were reusing passwords, stealing password hashes, cracking passwords. And a lot of these could be prevented by simple, basic hygiene measures in identity and access management.
Now, we'll talk about that. That kind of oversimplifies it, because you could say, well, if they got in this way... basically, if your security at the workstation level is like an eggshell that they could poke a hole in here, well, if you block that hole, they could just as easily poke a hole anywhere else. However they did get in, it really isn't the point. You're playing whack-a-mole if you're patching that, and then they're over here and they're cracking that, and they're cracking that.
So really, if your users are admins on their workstations, the initial threat vector really doesn't matter. They can get in. You cannot prevent that. And we'll talk about that a little bit.
So what's behind the breaches? Hacking is on the rise. It might have influenced a couple of elections recently, but definitely hacking is on the rise. It's becoming much more organized, more targeted and more professional: 75% perpetrated by outsiders. So it's not this insider threat. There is an insider threat, but definitely the majority of it is outside hackers in organized criminal organizations. They're using hacking techniques and they're breaching organizations for profit. So it's very, very organized, and they know what they're after. It's not someone inside who's just disgruntled.
So one of the things they found in the study is that everyone's pretty much doing the same thing. Things haven't changed. The technology's changing, it's getting easier to hack, but everyone's doing the same things. And I would say in identity and access management, we need to make sure we set the agenda, so we're not talking about the same things. You don't want to come back, you know, however many years later, and still be talking about the same things that aren't being adjusted every year for the reality of what's important to actually secure your network. They used to say that in the Middle Ages, the monks and the philosophers would talk about how many angels could dance on the head of a pin. And it's just to say that, you know, time is spent talking about ridiculous things.
So I would say some of the things in identity and access management that we're still talking about are things like RBAC versus ABAC, or is this the year that passwords die, or maybe the year they get a bad infection that leads to a slow, debilitating illness that eventually leads to their early death. I mean, something like that. Or what's the walking-dead technology of the month. You know, it makes for great headlines, but it's not really useful in securing our networks. I did a little research in Google. If you keep modifying the Google search, you can find the first RBAC versus ABAC discussion was 20 years ago. So it's kind of like, okay, I hope in 20 years I'll retire. If in 20 years we're still talking about RBAC versus ABAC... How many hacks or breaches were ever because someone chose RBAC instead of ABAC? It's inconsequential. It's all about real-time externalized authorization, and that's a whole other topic that's not even that important when you're talking about breaches or security.
So the question is, what should we be talking about? What should we be thinking about? What actually matters right now that will actually make our organizations more secure?
So you've got to think like a hacker. The one thing that's found in all the studies is that the initial attack vector, how they get in, is almost always phishing emails. So Bruce Schneier rephrased someone else's saying: given the choice of security and a million warnings, an end user will always choose to click on the dancing pig video instead of choosing to be secure. And given the success of Sing at the box office, it looks like people really do like to see dancing pigs more than I would've expected. So you really can't block that one. So given that they're going to click on the phishing emails, is, you know, identity the new perimeter? Other such things are oversimplifications. Is identity really the new perimeter, or some of these other things that we say, are they that important or accurate today to lead to a more secure network?
So if we look at the anatomy of a common attack, they're almost all the same. They follow a clear set of patterns. There's some reconnaissance. So you have your target identified. You go do some recon. You look on LinkedIn, you look on Facebook, you look on Twitter, you find out who are the people in the company that might have access to the data you want to steal. You find out who they have worked with previously, where do they hang out, are they on Google, Gmail? Who might they work with that they know, that they might trust, but that they don't work with that frequently, so that you could try to impersonate that person? You create your own Gmail account where you have exactly the same first name, last name, the same photo, the same Hangouts pics, and you add a one to the email. And that way, having done your recon, you can send them a Gmail invitation. They won't really notice it's not that same person, because in Gmail, depending upon how you send it, you can't see the email address. You just see their face. It looks like the same person's profile picture. Everything looks the same. And it'll even let you open up attachments, if they're in Google Docs, that are executable files. So it's really easy to get someone to click on a link. And even without these advanced tactics, one in 14 users will click on a phishing link. They want to see the dancing pigs. They want to believe that it's a person that they know. So you do the recon. They place malware on a trusted site. They stick it in Google Docs where, you know, they can click on a link and open up pretty much anything. You send your phishing email, you get them to click on it. Now they're a compromised user.
In many organizations, the users are local administrators on their machines, which means at that point you own the box. You can open up a reverse shell. You now control the box. You can capture audio from their microphone. You can record their camera. You can capture the keystrokes. You can rewrite the registry. You own that box. You're now in the network. So at that point you can enumerate the hashed passwords on the system. If you're a local admin, any user that's ever logged into that system, you can get their password hash. You don't even have to crack it. You can just replay that to other systems and log in as that user. And you just start looking around the network until you find a machine where an admin's logged on. And at that point you have privileged credentials and you can do pretty much anything.
So you move laterally, they call it, and all the hacker techniques are about how to go laterally from one machine to another until you find a machine with privileged credentials to escalate. And once you're at the domain level, you pretty much own that network. They can't get you out. You're in there for a long time, and the tools are amazingly sophisticated and yet super easy to use. We used to have a saying, it's probably a term you know: script kiddies. So script kiddie is a derogatory term for anyone who considered themselves a hacker because they knew a little bit of Linux scripting and they could download some scripts off the internet and do a little hacking. Well, it's gotten a lot different these days.
I mean, I'd say now you have tools like this that are graphical. You click, they'll scan your network, and you can even ask it questions. This one's called BloodHound. It uses graph database technology, and as a normal user it will inventory your whole network. It'll show you every user, every group membership, who can log into which machines. And you can ask it: if I want to get to this domain controller from this machine, what's the shortest path? And it'll show you exactly. Well, you need to compromise this person's machine. You send them a spear-phishing email. They're logged into this server, and on that server a domain admin has also logged in. So if you compromise that, you're in and you own the network. So it's gotten really easy. It's not really even script kiddies anymore. It's someone like me, who's not a programmer. So maybe we've gone from script kiddies to maybe hack daddies. And then maybe next is gripping grandpas, who knows what'll come next. But it's trivial. It's easy to install these tools. There's PowerShell Empire, there's Mimikatz. And they allow you to do all of this: pass the hash, golden ticket. You can get pretty much all around the network with these tools, even if you're someone like me who really doesn't belong there. So what is the new battleground?
If I can get on a machine, and if anyone else has logged into it, I have their identity. So it's really not the identity as the perimeter. It's the identity plus the device. Because as soon as you get on a device where the identity has been, even if it's not there right now, you've compromised it. You can secure the identity, but as soon as it touches the device... basically you have to secure the identity plus the device. So some of the practices we do, you might say, you know, we're polishing the brass as the Titanic goes down. It really feels good. You feel like you're making your network more secure. You're spending a lot of time, you're having meetings, you're reporting to your superiors, but really you're in no way doing anything that's increasing your security.
Some things I hear a lot: group nesting. Group nesting is a hacker's dream, because if they have all these nested group relationships, no one understands them. Whoever set them up is gone. And if somebody gets dropped into this group, wow, that group's nested into so many others that they're basically everywhere. You go into a lot of networks and you run these hacker tools and you find out that almost anyone could be a local admin on servers because the group nesting was set up and no one understands it. So everyone's a local server admin. So now all of a sudden, you know, the secretary can log into the SQL Server because of a group nesting policy that no one's thought about. So group nesting is horrible, it makes auditing terrible. It's a security vulnerability.
Privileged accounts. The traditional concept is, okay, we're managing privileged accounts. I have my standard account, and anybody who needs a privileged account is going to get their priv account. Okay, everybody gets a privileged account. So that really makes a huge problem. It's like you're going into a network, and it's like, yeah, everybody's got a privileged account. You do anything here, you have a privileged account. You can have a privileged account and log into every server with it. Now the problem with that is that it leaves behind this trail of password hashes. So it's kind of like a snail trail. And you know, I'm an admin with my priv account. I log in, Bob needs help on something, so I log into Bob's machine. Now my hash is there on Bob's machine. Now I'm over on Mary's machine. I'm a domain admin. I'm logging into Fred's machine to fix something. Next I'm logging into the SQL Server that has top-secret data. Well, all they need to do is send a phishing email to Bob or Mary or Fred, and they have my creds and they're in your SQL Server. They have your data. It's just too easy. So just giving everyone a privileged account and saying you don't run email with your privileged account doesn't solve any problems. It really can create a lot of problems. Another technique is IP shunning.
We think, okay, we're being attacked by this IP address, so on the firewall we're just going to block that IP. They've shown that if a hacker is attacking and they're running a password script, a brute-force script, it literally will change its IP to a different geolocation, a different country, pick up on the next dictionary word, and continue the hack. So IP shunning makes you feel good, like you're doing something, but the hacker's tools even have that built in. It'll automatically choose a new geolocation. It's not a human sitting there most of the time; it's completely automated. It's going to switch around. So with IP shunning, you look like you're from here, now you look like you're from there, but it's really the same person.
A lot of people put a lot of stock in Kerberos and Active Directory. You think, okay, we have Kerberos. Kerberos, you know, is the guard dog of our Active Directory. They can't crack it. We've got Kerberos. We've got this thing nailed. Well, there are a lot of attacks on Kerberos now. The biggest one's called Kerberoasting, where they're roasting your Kerberos credentials. Basically any user can request a Kerberos ticket, they can take it offline, and they can run dictionary hacks against it. And once they get that, then they can generate their own tickets. Once you get to the domain level, you get the Kerberos ticket-granting service, you can generate a golden ticket, and from that point forward you can generate any identity in the network you want. So you're in there to stay.
It's pretty much over with. So a lot of people say, well, don't our audits protect us from this? Well, I have yet to see a hacker being stopped by an annual audit. I mean, you've got to do it, it's mandated, but it's in no way really related to security. You're not stopping hackers because you're doing an annual audit. It's like, eh, not really. So the question is, given all this, can we keep the hackers out? So what do we do? How do we stop them? How do we keep 'em out?
Well, the answer is you can't. I mean, it's unrealistic to assume that you're going to keep the hackers out. They're going to be in there. It's like a persistent infection. You know, you're going to have a little infection. You've got to live with it. Hopefully you keep it localized, you treat it, but it's never going away.
You can't protect your entire network. You've got to assume breach. Assume that you are already hacked, that on some part of your network, people are on it, looking at it. Somebody put out an internet toaster and within an hour it was hacked. So it's proven: you stick anything out there, you're hacked. If you stick a machine out there with RDP open, you will have malware on your server within a day. I mean, we did it. We didn't know we had it open, but we did it. You get ransomware, you log in and a big message pops up. It says send money to this account, and it's over. So you have to assume breach. It's not that they're at the walls and you're trying to defend; they're already inside. I mean, they are inside, they're probing around. They might not have gotten to your high-value target yet, but they are in. So don't worry, we have a plan. What do you do? You can't stop 'em. It's not all gloom and doom.
You know, hey, basically we're screwed, they're inside, we can't do anything about it. There is a plan. So what you need to do is basically, if they're in, you need to make their lives difficult. You need to slow them down, make it hard for them to move around, and make it really noisy. Hackers call... there are some techniques that are quiet techniques, and there are some techniques that are noisy techniques. You want them to have to resort to noisy techniques for them to get anywhere. So this was put out by the NSA. They know a little bit about hacking, I'd say.
And really the goal is that, you know, you can't keep 'em out. So you need to move them from a point where there are all these exploits, you're a thin eggshell, they can get in all these different ways and it's super easy, you know, there's not much effort, and if they find you they're going to be like, okay, this is easy pickings. You want to move it to a different area where there are only a few exploits and it's high cost. You're going to really make 'em work for it, so hopefully they just leave. You know, if they're not targeting you specifically, they're not a government, they're not something like that, then they might move on to someone else that's an easier target, you know, someone in your industry that's in a little bit worse-off security posture. So move it to a harder spot, and then you want to slow it down. You want to move from where they exploit in day one and own your domain, which is super easy to do. I mean, you can watch videos on YouTube and in an hour you own the Active Directory and you're moving everywhere. You want to move it to where you can slow 'em down and hopefully you can stop them before they get all the way.
No one's really saying you can keep 'em out. If users have email and they're local admin, you're never going to keep 'em out. Forget about it. So which practices help? If you can kill all the local admins, that's great, because 94% of Windows vulnerabilities depend on the user having local admin. They automatically go away. A hundred percent of Internet Explorer and Edge vulnerabilities depend on being a local admin, and a hundred percent of Office 2016. And this is getting worse. Actually, the Office versions, there are more vulnerabilities per version; Windows, everything has more vulnerabilities per version. So the only thing you could really do is take away local admin, if that's a possibility. The other is what's called zoning or segmentation. The movie Upside Down, where Kirsten Dunst was in the up world, where they had all the money, and the guy she fell in love with was in a down world, and the two worlds could never meet in the middle. If you were up there, you couldn't come down. And that's really what Microsoft recommends.
It's good practice to set up zones or tiers so that your admins, your domain admins, may be in tier zero. They can never log into any machine that's not a domain controller. You're never going to find those credentials on a less secure level. Your server admins, you might break them up into a zone so that your server admins don't log into your workstations. You can never log in downward, because you don't want those credentials going down to an unsecure level where they can then be enumerated and used to go back up.
So, a lot of practices to slow 'em down. Segmentation and zoning at the identity and authentication level is critical. Yeah, that's one of the most important practices. You should block any domain admin from ever logging into any server that's not a domain controller. That's step one. At the network level you should segment. There's no reason that if a secretary's machine is compromised, someone can be there running port scans on all your SQL Servers and all your servers forever, and nobody knows about it. There's no need for that machine to have that level of communication.
So traditional network segmentation. Unique local admin passwords: that's the first thing that hackers look for, is that they find a local admin password. Those are typically the same, pushed out through Group Policy, so they'll use that to work their way through every machine. Other methods, you know: dedicated secure admin workstations. So if I'm logging in with a priv account, it's not that I log in everywhere. I can only log into an admin workstation that's in my tier, and from there, that machine does not have email, does not have internet access, and that's all that can access the servers. That way you have a clean machine or clean state you're coming from. Least privilege practices, definitely: having any access not be permanent, have it by request, have it on demand, have it temporary. Short-lived credentials, credentials that are one-time use and die and expire. Short-term machines, VDIs, so you don't have a machine that's out there that lives forever that can have malware on it. You're recycling everything. Basically the idea is to close the window, to make it really hard for them to get in there and not give them much time.
And then of course war games, which is, you know, red team versus blue team, the blue team being your defenders versus your attackers. And you try to work out, if you are being hacked, how quickly could you recover? How quickly could you detect that you were hacked? And then I'm going to go into a lot more depth on this in my privileged account roadmap session. We'll talk about how to roll these strategies out and go into more depth on it, but that's basically just a high level on that. Thank you, everyone. Thank you.
Thank you. Nice overview, Patrick.
Thank you very much.
The next speaker is.