On the RADAR - Rearchitecturing of the Active Directory Adversary Resilience Methodology

To give better recommendations on how to improve security in Active Directory, moving to a data-driven method is key. The Adversary Resilience Methodology shows us how we can achieve this with BloodHound, but it is currently hard to use and illustrate. By introducing a few extensions to the BloodHound database along with some clever techniques, we can see very quickly exactly which mitigations impact the paths an attacker can take in the AD. This gives us the ability to know exactly what our mitigations will do in the environment, before we even propose them!

The Adversary Resilience Methodology, introduced by Andy Robbins/@_wald0 in 2018, gives defenders tools to make informed decisions when hardening their Active Directory. Instead of guessing what impact different actions will have, we can now use BloodHound and the Cypher language to simulate changes in the AD environment.

Say you want to limit the computers domain admins can log in to, so that privileged credentials are not stored on arbitrary computers. By simulating this change in the environment with the BloodHound data, we can see that this change alone often does not impact the ability of attackers to get domain admin. While the attack to compromise credentials in memory might be thwarted, there may be many more paths an attacker can take to gain the same privileges. Knowing exactly what the change does to the security of the AD deployment before you even suggest it is invaluable.

However, currently you need to do a lot of manual labour to run the methodology. To simulate some changes, you need to delete nodes or edges in the database, which makes it hard to undo changes without resetting the entire dataset. It is also hard to compare different measures when you can only show one state at a time. If you want to show the effectiveness of two different proposed mitigations, or both at the same time, you would have to run the commands needed three times, resetting everything in between.
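As an added illustration of the undo and comparison problem just described (example Cypher written for this page, not the speaker's extensions or BloodHound's own queries): instead of deleting edges, tag the edges a mitigation would remove with a property, exclude tagged edges in the path query, and strip the tag to undo. The group name `DOMAIN ADMINS@CORP.LOCAL`, the workstation `PAW01.CORP.LOCAL`, the property `mitigations` and the tag `restrict_da_logon` are assumed placeholders; run each statement separately against a BloodHound Neo4j database.

```cypher
// Added example, not from the talk. Assumed placeholder names:
// group DOMAIN ADMINS@CORP.LOCAL, hardened admin workstation PAW01.CORP.LOCAL.

// 1. Baseline: how many users outside Domain Admins have any path to the group?
MATCH (g:Group {name: 'DOMAIN ADMINS@CORP.LOCAL'})
MATCH p = shortestPath((u:User)-[*1..]->(g))
WHERE NOT (u)-[:MemberOf*1..]->(g)
RETURN count(DISTINCT u) AS usersWithPathBaseline;

// 2. Simulate "domain admins may only log on to PAW01": tag, rather than delete,
//    every HasSession edge that places a DA credential on any other host.
//    WITH DISTINCT avoids tagging the same edge once per MemberOf path.
MATCH (c:Computer)-[r:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group {name: 'DOMAIN ADMINS@CORP.LOCAL'})
WHERE c.name <> 'PAW01.CORP.LOCAL'
WITH DISTINCT r
SET r.mitigations = coalesce(r.mitigations, []) + 'restrict_da_logon'
RETURN count(r) AS edgesTagged;

// 3. Re-run the baseline with tagged edges excluded. Tagging a second mitigation
//    with its own name lets you compare each, or both, against the same dataset.
MATCH (g:Group {name: 'DOMAIN ADMINS@CORP.LOCAL'})
MATCH p = shortestPath((u:User)-[*1..]->(g))
WHERE NOT (u)-[:MemberOf*1..]->(g)
  AND ALL(r IN relationships(p) WHERE NOT 'restrict_da_logon' IN coalesce(r.mitigations, []))
RETURN count(DISTINCT u) AS usersWithPathAfter;

// 4. Undo the simulation without resetting the dataset.
MATCH ()-[r]->()
WHERE 'restrict_da_logon' IN coalesce(r.mitigations, [])
SET r.mitigations = [m IN r.mitigations WHERE m <> 'restrict_da_logon'];
```

The difference between `usersWithPathBaseline` and `usersWithPathAfter` is the measurable effect of the proposed mitigation; a small difference is exactly the "many more paths" situation described above.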

In this talk, I will introduce some extensions to the BloodHound database along with tools and techniques to make the Adversary Resilience Methodology a lot easier. In a sample dataset, I will show how we can simulate the most commonly proposed Active Directory security measures and some ways we can measure their impact. Then we will see how these different measures work together to improve security, giving us the most important recommendations and the data to back up these claims.

About the Speaker