How to Build Super Secure Active Directory Infrastructure*
CJ Cox
ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
We frequently get requests from customers asking us if we provide consultation defending their systems. The other day I got a question from a customer asking us if we could provide some consulting hours on hardening their Active Directory infrastructure.
Asking BHIS to help you secure your infrastructure is like asking Navy SEALs to guard your compound. We can surely do it, but we are probably not the most efficient use of resources for the task. At BHIS we are offensive specialists, not defensive ones. We think you would get a lot more value letting us do what we do best: attack.
Offense informs defense (and vice versa). So when you want to know how good the principles and practices you’ve applied are, we can come stress test them. We will find the holes in your infrastructure and show you what you need to shore up your defenses. We can train you how to defend, and you’ll be better, faster, and stronger. That’s much less expensive than waiting for a real incident to show you where you are failing. Putting your defenses to the test of a capable adversary is one of the best ways we know of improving your defense.
Good system administration is knowing your own technology and business and continually applying better security principles and practices. Few consultants can match your own team’s knowledge and understanding of your environment. You will spend significant time and resources getting an external consultant up to speed on your internal infrastructure.
So, where can you turn for help other than a consultant? I always go to one of the most effective security tools ever created: search engines. When I received the inquiry on securing Active Directory, I quickly turned up the following two articles, Best Practices for Securing Active Directory and an oldie but a goodie, 19 Smart Tips for Securing Active Directory (I know, 2006, but the solid basic advice is still sound). Of course, then there are Microsoft’s own guidelines: Best Practices for Securing Active Directory [https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory]. Don’t overlook CIS guides, SANS white papers and courses, and a million other pieces of advice at your fingertips. Guidelines are only a starting place for ideas. You must balance functionality and business risk when hardening your solutions and infrastructure. Too secure, and tools can become non-functional for their actual business use. It is very difficult for a consultant to make those kinds of decisions for you. In working through and understanding the tradeoffs, you will make your business and your skills much stronger. Then, put it to the test: hire BHIS. This is all hard, and as John often says (paraphrased):
There’s NO magic bullet for good security. There’s no piece of software that you can switch on and forget. Like most things in life, this will take a lot of hard work to get right, and the work will never be finished.
Best of luck on this journey!
______Updated on 08/24/17_______
Just a few clarifying points:
First, everything BHIS does in penetration testing or on our website is oriented around improving defense. We teach and execute offense to inform defense. Our penetration test reports are filled with recommendations for how to improve your defense based on indicators or actual exploits. How could a penetration tester have good offensive skills without understanding defense and how something like Active Directory works? You can’t hack something you don’t understand.
That doesn’t make the tester an expert on your Active Directory implementation. We have one view, but there are many facets of AD. If anyone, ever, tries to tell you they are a total expert on Active Directory and they are not named Fossen or Russinovich, it is time to pause. We desperately want the industry to start moving away from the “hacker knows all” mythos toward something more collaborative.
BHIS is happy to talk defensive measures before, during, and after your test. Call us anytime. Ask for a blog on a topic or a webcast. I guarantee you’ll learn something, and your defense will be improved.
P.S. This blog post was not a how-to on Active Directory. We should probably rename it to something like “The Penetration Tester’s Right Place in Improving Defense.” My intent was not to tell customers to “Google it.” There are tons of good resources, consultants, products, testers, and ideas out there. You should use them all after careful evaluation of their costs, benefits, and most effective uses.
*Sorry, this isn’t actually a “how-to” article; it’s more like “where to go find advice.” You’ve been Buzzfeeded.