Why Choke-Point Analysis Is Essential in Active Directory Security

Defense should focus on high-value choke points first to ensure that their most critical assets are protected, before moving on to deal with other attack paths.

Attackers that want to steal data, deploy ransomware, or conduct espionage must go through a series of steps, from initial access through establishing persistence and lateral movement to eventually exfiltrating the data. Abusing identity attack paths in Microsoft Active Directory (AD) is a popular method for attackers to accomplish several of these steps, including achieving persistence, privilege escalation, defensive evasion, credential access, discovery, and lateral movement.

But securing Active Directory is difficult, especially at the enterprise level, because AD environments are so large that they offer attackers a huge number of potential routes to their objectives. From my work as a penetration tester and red teamer, I believe one of the most practical ways to secure AD is by mapping and prioritizing "choke points" that large numbers of attack paths must pass through. Defensive teams should focus on these high-value choke points first to ensure that their most critical assets are protected, before moving on to deal with other attack paths in the environment.

Here's why I think this is a useful approach.

Attackers use attack paths because they're easy to use and hard to detect. Attack paths are created by poor user behavior, like Domain Admins interactively logging into workstations, and misconfigurations in AD, like giving the Domain Users group "full control" of the domain head (yes, we have seen this!). Unlike abusing a software vulnerability, abusing an attack path often appears to be normal user behavior to defenders (like resetting user passwords or using administrative tools to execute privileged commands on remote systems). Since nearly all of the Fortune 1,000 use AD, attackers can use the same techniques against multiple targets with success virtually guaranteed.

The average enterprise will have tens or hundreds of thousands of users and millions or even billions of attack paths that constantly change as new users are added and new attack techniques are developed – far too many for defenders to secure. Removing a single attack path accomplishes very little because there's always an alternate route. Imagine someone driving from Los Angeles to Manhattan – avoiding a specific city or specific section of highway won't stop them from getting there.

The size of most enterprise AD environments means that defenders usually get overwhelmed if they try to secure them. There are tools that generate lists of misconfigurations in AD, but these tools commonly produce hundreds or even thousands of "critical" misconfigurations. An overworked AD admin or identity and access management team doesn't have the time to work through all of those and, in my experience, most won't even try.

Focusing on choke points fixes this issue by identifying the attack paths and misconfigurations that will have the greatest impact on the organization's overall security posture if fixed. To do this, the team must think like an attacker. First, identify the high-priority targets in an environment – the systems most attackers will want access to. This should include tier-zero assets like domain controllers, and other high-value systems unique to that enterprise. Next, map the AD environment to determine how attack paths reach those high-value targets. 

There are always choke points – users or systems that most or all attack paths pass through en route to those high-value targets. Imagine someone driving from LA to Manhattan again. There are only a few tunnels and bridges that go to the island of Manhattan, so no matter what path the driver takes, they must pass through one of them eventually. In AD, these choke points are often accounts or groups with direct or indirect administrative control of Active Directory.

A prioritized list of attack paths and misconfigurations is much less intimidating for AD admins to address, and knowing how many attack paths pass through a choke point can help justify remediation action to a reluctant CIO. Going through this mapping process also helps security teams to measure their overall AD exposure and quantify how their actions will reduce it, which helps to get other IT leaders on board with the changes. Overall, the choke-point approach enables security and AD teams to improve AD security more efficiently with fewer changes and lower overall risk.
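As an added illustration (not code from the original article or from the BloodHound project), the following Python models the mapping step described above on a small constructed attack graph: it enumerates every attack path from an entry principal to a tier-zero target, ranks intermediate nodes by how many of those paths traverse them, and counts how many paths remain if control of a chosen choke point is severed. All node names and edges are invented for the example.

```python
from collections import defaultdict
# Constructed sample attack graph (illustrative names, not a real environment). An edge
# (src, dst) means control of src yields control of dst via group membership, local admin
# rights or a logged-on session, the kinds of relationship BloodHound collects.
EDGES = [
    ("user.alice", "WS01"), ("user.bob", "WS01"), ("user.carol", "WS02"), ("user.dave", "WS02"),
    ("WS01", "helpdesk"), ("WS02", "helpdesk"),          # helpdesk sessions on workstations
    ("helpdesk", "SRV-APP"), ("helpdesk", "SRV-DB"),      # helpdesk is local admin on servers
    ("SRV-APP", "it-admins"), ("SRV-DB", "it-admins"),    # it-admins sessions on servers
    ("it-admins", "DC01"), ("svc.backup", "DC01"),        # two routes into tier zero
    ("user.eve", "SRV-DB"),                               # direct admin rights on one server
]
TIER_ZERO = {"DC01"}

def enumerate_paths(edges, start, targets):
    """Every simple (cycle-free) path from start to any target, by depth-first search."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    paths = []
    def dfs(node, path):
        if node in targets:
            paths.append(path)
            return
        for nxt in graph[node]:
            if nxt not in path:            # simple paths only
                dfs(nxt, path + [nxt])
    dfs(start, [start])
    return paths

def entry_points(edges):  # principals nothing else controls: where an attacker starts
    return sorted({s for s, _ in edges} - {d for _, d in edges})

def all_attack_paths(edges, targets, starts):
    return [p for s in starts for p in enumerate_paths(edges, s, targets)]

def choke_points(edges, targets):
    """Rank intermediate nodes by how many attack paths to the targets pass through them."""
    hits = defaultdict(int)
    for path in all_attack_paths(edges, targets, entry_points(edges)):
        for node in set(path[1:-1]):      # skip the entry principal and the target itself
            hits[node] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))

def paths_after_remediation(edges, node, targets):
    """Attack paths left once every edge granting control of `node` is removed."""
    starts = entry_points(edges)          # keep the original entry set; node may become orphaned
    remaining = [e for e in edges if e[1] != node]
    return len(all_attack_paths(remaining, targets, starts))
```

On this graph, 10 paths reach DC01; severing control of it-admins leaves 1 and severing helpdesk leaves 2, while fixing a single workstation only removes 4, which is the kind of number that justifies remediation priorities.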

The free and open source tools BloodHound (which I am a co-creator of) and PingCastle can both help with AD mapping and investigation. AD security is beginning to receive more attention across the industry, and I expect more development and tools to emerge in the months to come. All in all, stopping attack paths is a stiff challenge at the enterprise level because of the size and complexity of AD environments, but focusing on high-value targets and choke points can bring that complexity down to a manageable level.