SpecterOps BloodHound Enterprise
Minimize attack paths and secure Active Directory and Azure from every angle. Attack path management is a critical component of defending Active Directory (AD) and Microsoft 365 environments from attacks. When you consider that Microsoft reported more than 25 billion attempted attacks on enterprise accounts in 2021 alone, securing attack paths is essential. SpecterOps BloodHound Enterprise greatly simplifies this process by prioritizing and quantifying attack path choke points, giving you the information you need to identify and eliminate the paths with the most exposure and risk.
Traditionally, attack
path management has been challenging. Why? Because as a security
practitioner, you’re often conditioned to think in terms of lists
– checking thousands of generic configuration issues. Attackers, on
the other hand, think in graphs. This outlook makes it easier for them to
find effective attack routes. SpecterOps BloodHound Enterprise helps you
reduce the risk of attacks significantly by arming you with a
graphical mapping of all AD and Azure attack paths, enabling you to easily
identify,
prioritize and eliminate the most vital avenues that attackers can
exploit.
Key benefits
Continuous attack path mapping
Visualize every relationship and connection in AD and Azure, making it easy to identify new and existing attack paths.
Choke point prioritization
Measure the impact of any point in an attack path and identify optimal locations to block the largest number of pathways.
Critical asset protection
Identify all critical Tier Zero assets and through integration with On Demand Audit automatically monitor them for any suspicious activity indicating they’ve been compromised.
Practical remediation guidance
Get practical remediation guidance, with clear instructions, without having to make drastic changes to AD.
Comprehensive remediation analysis
Leverage On Demand Audit’s detailed user activity history to inspect attack path edges prior to removing access to the path – ensuring there are no unexpected consequences to the remediation.
AD security posture measurement
Establish a continuous baseline of AD and Azure, to monitor and measure the reduced risk as attack paths are removed.
Unprecedented visibility into Azure AD
Azure uses different technologies to manage identities and access, but is vulnerable to the same types of identity attack paths as AD.
Capabilities
Top down view of critical assets
SpecterOps BloodHound
Enterprise greatly supports attack path management by showing you a
superset of your critical assets in AD and Azure (Azure AD and Azure
Resource Manager) – the crown jewels that
would mean game over if a cyber attacker got control of them. It then
maps every attack path down from that view. As a defender, securing
attack paths requires that you understand every possible route, and
SpecterOps BloodHound Enterprise identifies every single relationship
throughout your hybrid environment and articulates how attackers could
abuse any set
of principals to gain access to these vital assets.
Identify and quantify exposure choke points
Mapping critical assets and
paths is only part of attack path management, however. SpecterOps
BloodHound Enterprise takes it further by quantifying those choke points.
For example, it can tell you that 92% of all your Active
Directory users and computers have the ability to compromise the
domain through this one ACL applied to this one domain controller. It
gets extremely specific on the risk involved in this, as well as the
specific permissions or privileges that you need to address to remediate
the attack path and mitigate downstream misconfigurations.
Quantify impact to security posture
Because SpecterOps BloodHound
Enterprise measures every risk, you’ll see the overall risk your
organization is carrying in your hybrid AD environment. But as you
improve attack path management
by eliminating the choke points, you’ll be able to see the effect
these changes will have on your overall security posture. For example, by
securing attack paths, you could improve your exposure to attacks
significantly. Most companies start off with a risk exposure between 70%
and 100%. The goal would be to get your organization’s risk
exposure below 20%, and SpecterOps BloodHound Enterprise can help you get
there.
Comprehensive risk assessment and threat protection
Integrate SpecterOps BloodHound
Enterprise with On Demand Audit and Change Auditor for a
comprehensive risk assessment and threat monitoring solution. Together,
you’ll be able to identify all Tier Zero assets and calculate all the attack paths to those assets, then monitor those attack paths for suspicious activity. You’ll be able to detect
threats early – including unauthorized domain replication, offline
extraction of your AD database, and GPO linking. You’ll even be able block changes to sensitive objects like privileged groups and group policies to prevent privilege escalation attempts and mitigate and
avoid costly ransomware attacks.
Attack path mitigation via securing GPOs
When you use SpecterOps
BloodHound Enterprise with GPOADmin,
you’ll be able to improve attack path management by securing GPOs.
These solutions allow you to ensure that any changes adhere to change
management best practices prior to deployment, a critical step in Active
Directory group policy management. Moreover, you’ll be able to
continually validate GPOs through automated attestation — a must
for any third-party group policy management solution. Furthermore,
you’ll be able to quickly revert back to a working GPO in the event
that a GPO change has an undesired effect, allowing you to get your
environment running smoothly again in seconds.
Risk protection and remediation insurance
For true risk protection and
remediation insurance, combine SpecterOps BloodHound Enterprise with
Recovery
Manager for Active Directory Disaster Recovery Edition or On
Demand Recovery. This product combination gives you comprehensive
capabilities when it comes to backing up hybrid Active Directory and
quickly recovering from any mistakes, corruption or disaster. Moreover,
you’ll be able to highlight any changes since the last backup by
comparing the online state of AD with its backup (or multiple backups).
Furthermore, you’ll be able to restore any object in AD, including
users, attributes, organizational units (OUs), computers, subnets, sites,
configurations and Group Policy Objects (GPOs).
Tech Specs
SpecterOps BloodHound Enterprise requires installation of the SharpHound Enterprise on-premises agent, a critical element in your deployment that collects and uploads data about your environment to your BloodHound Enterprise instance for processing and analysis. SharpHound Enterprise is generally deployed on a single, domain-joined Windows system per domain, and runs as a domain user account.
The AzureHound Enterprise service collects and uploads data about your Azure environment to your BloodHound Enterprise instance for processing and analysis. AzureHound Enterprise is generally deployed on a single Windows system per Azure tenant, and may run on the same system as your SharpHound Enterprise service account.
System:
- Windows Server 2012+
- 16GB RAM
- 100GB hard disk space
- .NET 4.5.2+
- TLS on 443/TCP to your tenant URL (provided by your account team)
- TLS on 443/TCP to Azure tenant (if applicable)
SharpHound (on-premises Active Directory collection)
- Service account added to local Administrators group
AzureHound (Azure collection)
- Directory Reader on Azure AD Tenant
- Reader on all Azure Subscriptions
- Directory.Read.All on Microsoft Graph
Active Directory enumeration represents the most basic information required for BloodHound Enterprise. Additionally, SharpHound Enterprise enumerates local groups and sessions on all domain-joined Microsoft systems for ideal visibility.
Collection Type
Service Account Permissions
Service Network Access
Active Directory
Domain user account with rights to read Deleted Objects.
LDAP on 389/TCP to at least one domain controller
Local Groups and User Sessions (Privileged)
Local admin on workstations and servers
SMB on 445/TCPto all domain-joined systems
Azure
Directory Reader on Azure AD Tenant, Reader on all Azure Subscriptions, AppRoleAssignment.ReadWrite.All and RoleManagement.Read.All on Microsoft Graph
TLS on 443/TCP to your tenant
FAQ
Tier Zero assets are critical objects in Active Directory that, if exploited by malicious actors, can give them access to effectively control the entire Active Directory. Examples of Tier Zero assets include: Privileged users, built-in admin groups, domain controllers, and Group Policy Objects (GPOs). These assets are prime targets for cyber-attacks and require stringent security controls.
Defining Tier Zero is crucial for effective risk management because it helps identify the most critical assets within your Active Directory environment that need to be protected at all costs. By understanding what constitutes Tier Zero, organizations can focus their cybersecurity efforts on safeguarding these high-value targets, ensuring that if an adversary gains access to lower-tier assets, they still cannot compromise the entire Active Directory infrastructure. Protecting Tier Zero assets is fundamental to maintaining the integrity and security of your entire IT environment and preventing data breaches.
Attack paths are the chains of abusable privileges and user behaviors that create direct and indirect connections between workstations, users and critical Tier Zero assets. These attack paths often exploit vulnerabilities and can be used by cyber-criminals to breach the network.
Attack path management is the process of identifying, analyzing, and remediating the paths (series of steps) attackers could exploit to move laterally through your network to reach Tier Zero assets. It involves continuously monitoring your Active Directory environment to detect potential attack paths, understanding how different user privileges and configurations can create security vulnerabilities, and taking proactive steps to eliminate these risks. Attack path management works by mapping out relationships between users, devices, and privileges, then providing actionable insights to close off pathways that could lead to a security breach. This process is crucial for effective vulnerability management and intrusion detection.
Attack path management should be an integral part of your cybersecurity strategy because it helps prevent attackers from escalating privileges and reaching your most critical assets. Even with robust perimeter defenses like firewalls, determined adversaries often find ways to infiltrate networks through techniques such as phishing or social engineering. Attack path management adds an essential layer of defense by focusing on internal threats and limiting the damage that can be done if an attacker gains a foothold. By continuously monitoring and managing attack paths, organizations can reduce their attack surface and, enhance their overall security posture, and improve their incident response capabilities, ensuring better protection against complex cyber threats and potential data breaches.
Blogs
Retirement and succession planning for Active Directory admins
Learn what the succession plan for future Active Directory admins should look like ahead of the retirement boom of more experienced admins.
What you need to know about man-in-the-middle (MitM) attacks
Learn what man-in-the-middle attacks are, the most common attack techniques and key strategies for increasing your defenses against them.
Understanding attack paths targeting Active Directory
Learn about attack paths, including the most common ones targeting Active Directory, and discover measures to protect your organization.
The anatomy of Active Directory attacks
Learn the most common Active Directory attacks, how they unfold and what steps organizations can take to mitigate their risk.
The importance of Tier 0 and what it means for Active Directory
Learn what can be done to increase your organization’s security posture and how tier 0 assets like Active Directory come into play.
8 ways to secure your Active Directory environment
Secure your Active Directory against potential risks with these 8 best practices and ensure robust security measures for your system.
Get started now
Comprehensive attack path management.