The World's #1 Cyber Security Risk - Active Directory Privilege Escalation
Active Directory Privilege Escalation threatens organizational cyber security worldwide and poses a clear and present danger to 85% of organizations.
Active Directory is the foundation of cyber security and privileged access at 85% of organizations worldwide, and today, within every organization's Active Directory deployment lie thousands of privilege escalation paths to privileged access.
Active Directory Privilege Escalation based on the identification and exploitation of an ocean of excessive access that exists inside access control lists in Active Directory deployments worldwide, remains the world's #1 cyber security risk.
Overview
Within thousands of Active Directory deployments worldwide, lie hundreds of millions of domain user accounts (including those of privileged users), computer accounts and security groups, each protected by an AD access control list (ACL).
Within these Active Directory ACLs lie permissions that allow or deny access to various users and groups, and together millions of such permissions collectively and effectively determine who actually has access to what on each object in Active Directory.
To attain and maintain least privilege access in Active Directory, organizations require the fundamental ability to accurately and adequately assess effective permissions in Active Directory.
Astonishingly, Active Directory lacks this fundamental ability, and as a result organizations worldwide have no idea who actually has what privileged access in their Active Directory.
Consequently, organizations have been provisioning access in Active Directory for years, without any insight, resulting in an ocean of excessive access that has paved billions of privilege escalation paths that can be easily identified by anyone with a domain account, and exploited to inflict colossal damage.
The World's #1 Cyber Security Risk
Active Directory Privilege Escalation remains the world's #1 cyber security risk because it clearly and directly threatens the foundational security of over 85% of organizations worldwide.
Specifically, it can be easily exploited to compromise the security of virtually everything in Active Directory, including all-powerful Active Directory privileged user accounts and security groups.
Should someone be able to compromise even a single Active Directory privileged user account or security group, he/she could instantly gain complete control over the entire Active Directory.
Since it can be used to easily gain complete command and control of 85% of organizations worldwide, it poses a clear and present danger, and remains the world's #1 cyber security risk.
Fact - In virtually ever major recent cyber security breach, including the SolarWinds Breach, the Colonial Pipeline Hack, the Okta Breach and others, perpetrators targeted, compromised and misused a single Active Directory privileged user account to gain unrestricted system-wide access and then inflict colossal damage.
Just One.
100% of all major recent cyber security breaches involved the compromise of just one Active Directory privileged user account.
Ten Examples
Anyone who could escalate privilege in Active Directory to be able to enact any one of the following tasks could
instantly and substantially compromise the entire organization, resulting in a massive cyber security breach -
- Run Mimikatz DCSync against an Active Directory domain
- Change the membership of the Domain Admins security group
- Reset the password of any privileged user /C*O in Active Directory
- Change the permissions specified in the AdminSDHolder object's ACL
- Create a new inbound trust relationship or modify any existing trust relationship
- Link a malicious GPO to instantly take over any or every administrative workstation
- Modify the Active Directory Schema to make crippling irreversible changes to Active Directory
- Change administrative control in Active Directory to instantly obtain access to all organizational IT resources
- Launch a denial-of-service attack against any Active Directory integrated application/service (e.g. Azure Connect)
- Link a malicious GPO to any OU to instantly gain command and control over thousands of domain-joined computers
Organizations that do not know exactly who is delegated what administrative access in their foundational Active Directory
are vulnerable to Active Directory Privilege Escalation today, and could potentially be compromised within minutes.
A Simple Paramount Question
How many privilege escalation paths does an attacker need to compromise Active Directory?
Just One
One privilege escalation path to an AD privileged user/group, is all a perpetrator needs to compromise Active Directory.
Once Active Directory is compromised, the perpetrator has command and control over the entire IT infrastructure.
From that point on, the extent of damage that the perpetrator could inflict, is limited only by proficiency and objective.
(Need one say more?)
This cyber security risk is 100% mitigatable.
The key to mitigating this risk lies in a simple, fundamental Active Directory security capability.
100% Mitigatable
The risk posed by Active Directory Privilege Escalation to organizational cyber security worldwide is 100% mitigatable.
To mitigate this risk, organizations need to accurately assess and then lockdown privileged access in Active Directory, which fundamentally involves and requires accurately determining effective permissions in and across Active Directory.
From that point on, they can easily maintain least privilege access in Active Directory, completely eliminating this risk.
Subsequently, even if thousands of perpetrators were to query a locked-down Active Directory domain to analyze Active Directory permissions, they will likely not be able to find a single exploitable privilege escalation path in Active Directory.
Cardinally, the key to mitigating this risk lies in possessing the capability to accurately determine "who has what effective permissions in Active Directory", which is not the same as "who has what permissions in Active Directory."
Our Global Customers