Threat HUNTing Platform
Credential Risk Assessment and Remediation
ORKOS: Preventing the 9 steps to domain collapse
R9B understands the cognitive aspects of cyber operations. Our curriculum provides the hands-on technical skills students require to attain a variety of advanced cybersecurity qualifications. We instill the knowledge, skills, and abilities necessary for our students to defeat the adversary. Below are our available courses. Please check back often as our course offerings are updated regularly. Government organizations, please contact R9B directly via training@root9B.com for pricing and purchasing information.
The Pyramids of Delegation
Securing an enterprise against credential theft is, I believe, a painfully dull topic to discuss, yet I also believe this is one of cybersecurity’s most important subjects. Delegation models lay the foundation of what permissions users should have and where those permissions are valid. Instead of deploying the latest and greatest threat analytical platform to watch alerts flood your screen, creating delegation models is mostly about establishing written policies. Eventually, a company will use technologies that enforce these policies, but again, most of the work is creating and maintaining documentation. Frankly, most people in the cybersecurity world hate dealing with IT and Cybersecurity policies, but delegation models serve as a critical foundation for your identity management program and offer the best defense against credential theft.
What is a “delegation model”?
A delegation model is the formal structure of all your administrative groups: which user accounts are members of what administrative groups and what powers those groups have. It becomes a policy map that your network defenders and auditors can use to visualize who has been authorized certain powers.
It is important for network owners to take the time to establish effective delegation models. If not, adversaries will more easily compromise these domains. Almost all network owners will use the default “Domain Admins” as their default administrator which is not a sound delegation model. In most cases while these administrators may delegate control to other active directory groups, “Domain Admins” still has full access to every system on the domain. Relying on the Microsoft default allows adversaries to gain access to highly-sensitive credentials scattered across a domain by free-roaming admin.
To make matters worse, network owners don’t realize this situation exists until after a compromise. In the wake of a compromise, network administrators must figure out how to lock down their “Domain Admins” groups, granting permissions to only a handful of systems, and map out where these permissions have been delegated.
Formalizing a list of which users have administrative rights and where their access has been granted aids the network defenders in knowing when such privileges are out of place. Let’s say that an active directory group named “CEO Exempted” was added to the administrators group on a handful of laptops. How can your network defenders know if that was an authorized change or not? Are they going to ask Jon from the AD team every time they have a question, or should a document exist stating that “CEO Exempted” was granted the following privileges to these laptops?
Delegation Model Foundation
Pyramid of Delegation
These five bullet points are just the start of formalizing delegation models; the process can be as simple or complex as desired. (I only listed these points as a starting point, as it will take a significant effort to simply put these in place when a network owner is starting from scratch.) Linked below is the official Microsoft theory of delegation models which provides a lot more detail on how to formalize this process. (The article covers situations such as legitimate uses of crossing a tier boundary under the right security configuration and more.) Again, the steps I provided are a general, fundamental approach necessary to getting an organization started.
(The first time I saw an illustration of a delegation model, it was represented in a pyramid shape. I liked it so much, that I decided to share it with you. In the “Pyramid of Delegation,” Tier 0 sits at the top with the fewest assets, and each additional tier features additional elements with most of the network, including workstations, residing in the bottom tier.)
In my next post, I’ll continue building on what I listed here and share some techniques on how to enforce your delegation models.
BACK TO NEWSROOM