
Endpoint

3/16/2021
05:20 PM
Dark Reading
Products and Releases

Semperis Releases Free Security Assessment Tool, Purple Knight, to Combat Systemic Attacks Exploiting Active Directory Vulnerabilities

Purple Knight Exposes Critical Security Gaps - Organizations Score an Average of 61%, Usually Failing the First Evaluation

Semperis, the pioneer of identity-driven cyber resilience for enterprises, today announced the availability of Purple Knight, a free security assessment tool that allows organizations to safely probe their Microsoft Active Directory (AD) environment to uncover dangerous misconfigurations and other weaknesses that attackers can exploit to steal data and launch malware campaigns. Built and managed by an elite group of Microsoft identity experts, the tool empowers organizations to combat the deluge of escalating attacks targeting AD by spotting indicators of exposure and compromise in their environments and providing corrective guidance to close gaps.

As the gatekeeper to critical applications and data in 90% of organizations worldwide, AD is a prime target for attackers and extremely complex to secure. Increasingly, stealth attacks take advantage of built-in protocols in the Windows operating system—and AD itself—to avoid detection. The threat actors associated with the SolarWinds attack, for example, allegedly used native Windows tools such as Windows Management Instrumentation (WMI) to enumerate the certificate-signing capability of AD Federation Services. Since AD is rarely safeguarded effectively, attackers have come to depend on weak configurations to identify attack paths, access privileged credentials, and get a foothold into target networks.

“Considering that 80% or more of cyberattacks involve the abuse of privileged credentials, inherent Active Directory vulnerabilities have the potential to compromise an organization’s entire security infrastructure, which puts pressure on AD managers and security teams to stay ahead of the threats,” said Mickey Bresman, CEO of Semperis. “However, securing AD can be difficult given its constant flux and the relatively limited number of AD security specialists in the world. To lock down AD, you must think like an attacker. With the release of Purple Knight, Semperis is giving organizations a window into the security posture of their AD environments, with the ultimate goal of empowering organizations to safely challenge their defenses, find weak spots, and take immediate action before those weaknesses are exploited.”

To flag security vulnerabilities such as suboptimal configurations and policies, Purple Knight queries an organization’s AD environment and performs a comprehensive set of tests against the most common and effective attack vectors, correlated to known security frameworks such as MITRE ATT&CK. With no special installation required, the tool maps pre- and post-attack security indicators across five core aspects of AD’s security posture: AD delegation, account security, AD infrastructure security, Group Policy security, and Kerberos security. Once the assessment is complete, Purple Knight generates a summary report that provides an overall risk score, details the indicators of exposure detected and the likelihood of compromise, and recommends actionable remediation steps to take before any weaknesses can be exploited by attackers.

Purple Knight is currently used by some of the largest organizations with the most complex identity environments in the world. In early findings from the tool, users report an average failing score of 61%, with Kerberos security being the top risk area with an average score of 43%. Other category scores from initial results were 58% for Group Policy security, 59% for account security, 68% for AD delegation, and 77% for AD infrastructure security. Results from these early reports also revealed that the largest organizations, often with the most resources, are particularly susceptible to falling behind in securing their critical identity systems because of the sheer size and complexity of their environments.

Some of the common scenarios uncovered in the Purple Knight security assessments that lead to AD vulnerabilities are:

  • Password policies that are inadequate for modern account protection
  • Accounts with elevated privileges in place that have not been adequately reviewed
  • Accounts with delegated permissions over Active Directory that have proliferated over time and have unwanted consequences for AD security
  • Weaknesses in Kerberos usage that are increasingly being exploited to gain privileged access
  • Weak Group Policy configuration, which creates a variety of holes that attackers can exploit
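A minimal, read-only audit of the five scenario categories above, written as an added example for this page rather than taken from Purple Knight; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that a 14-character minimum with lockout enabled is the password-policy baseline.

```powershell
# Added example, not Purple Knight's code: read-only checks for the five
# scenario categories above, using the RSAT ActiveDirectory/GroupPolicy modules.
# Thresholds (14-char minimum, lockout enabled) are assumed baselines.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Password policy: compare the default domain policy against the assumed baseline
$pol = Get-ADDefaultDomainPasswordPolicy
if ($pol.MinPasswordLength -lt 14 -or -not $pol.ComplexityEnabled -or $pol.LockoutThreshold -eq 0) {
    $findings.Add("Password policy: MinLength=$($pol.MinPasswordLength) Complexity=$($pol.ComplexityEnabled) Lockout=$($pol.LockoutThreshold)")
}

# 2. Elevated privileges: effective (recursive) membership of the built-in admin groups, for review
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $g -Recursive)
    if ($members.Count -gt 0) {
        $findings.Add("$g has $($members.Count) effective members: $($members.SamAccountName -join ', ')")
    }
}

# 3. Delegation: principals other than domain controllers trusted for unconstrained delegation
$dcNames = @(Get-ADDomainController -Filter *).Name
Get-ADComputer -Filter { TrustedForDelegation -eq $true } |
    Where-Object { $dcNames -notcontains $_.Name } |
    ForEach-Object { $findings.Add("Delegation: computer $($_.Name) is trusted for unconstrained delegation") }
Get-ADUser -Filter { TrustedForDelegation -eq $true } |
    ForEach-Object { $findings.Add("Delegation: user $($_.SamAccountName) is trusted for unconstrained delegation") }

# 4. Kerberos: user accounts carrying SPNs (check password age) and accounts with pre-authentication disabled
Get-ADUser -Filter { ServicePrincipalName -like '*' } -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object { $findings.Add("Kerberos: $($_.SamAccountName) has an SPN; password last set $($_.PasswordLastSet)") }
Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } |
    ForEach-Object { $findings.Add("Kerberos: $($_.SamAccountName) does not require pre-authentication") }

# 5. Group Policy: GPOs that broad groups can edit rather than merely read or apply
foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Trustee.Name -in 'Authenticated Users', 'Domain Users', 'Everyone' -and
                       $_.Permission -notin 'GPORead', 'GPOApply' } |
        ForEach-Object { $findings.Add("Group Policy: '$($gpo.DisplayName)' grants $($_.Permission) to $($_.Trustee.Name)") }
}

if ($findings.Count -eq 0) { 'No findings in the checked categories.' } else { $findings }
```

Each finding is a review item rather than a verdict: an SPN on a service account or a member of Domain Admins may be legitimate, but each should be known and justified.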


“Purple Knight addresses a need that has become more pronounced in the wake of the Exchange Server Hafnium attack, which prompted Microsoft to advise customers to scan their systems for IOEs and IOCs,” said Darren Mar-Elia, Semperis VP of Products. “Any large organization that has had Active Directory deployed for a long time is going to have weaknesses in their security posture, which means that if attackers got in, they would find it easy to exploit these vulnerabilities. Large, complex organizations tend to have a spider web of permissions that have accumulated over time—and no idea whether that situation can be exploited. You have to plug the holes and hope for the best.”

Purple Knight will initially be distributed through an approved network of partners, who have all rigorously tested the tool and are able to help organizations understand the implications of their unique results.

“With Purple Knight, we have the power of elite Active Directory domain expertise packaged into an easy-to-use, extremely powerful tool,” said Chris Vermilya, Director of Identity and Access Management (IAM) at Fishtech Group. “The tool safely uncovers weak configurations in client environments and helps us quickly close the gaps before attackers can exploit them. Since Active Directory is such a critical system that is constantly targeted, Purple Knight goes a long way in hardening organizational security, starting at the most common initial access point.”

For more information on how to evaluate the security of your AD environment with Purple Knight, please visit: www.purple-knight.com. Organizations that prefer not to work with a partner, or that don't currently work with an approved partner, can contact: [email protected].

About Semperis

For security teams charged with defending hybrid identity and multi-cloud environments, Semperis ensures integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts disaster recovery time by 90%. Purpose-built for securing Active Directory, Semperis’ patented technology protects over 40 million identities from cyberattacks, data breaches, and operational errors. The world’s leading organizations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies. Semperis is headquartered in New Jersey and operates internationally, with its research and development team distributed between San Francisco and Tel Aviv.

Semperis hosts the award-winning Hybrid Identity Protection conference (www.hipconf.com). The company has received the highest level of industry accolades and was recently ranked the fourth fastest-growing company in the tri-state area and 35th overall in Deloitte’s 2020 Technology Fast 500™. Semperis is accredited by Microsoft and recognized by Gartner.

Twitter: https://twitter.com/SemperisTech
LinkedIn: https://www.linkedin.com/company/semperis
Facebook: https://www.facebook.com/SemperisTech
YouTube: https://www.youtube.com/channel/UCycrWXhxOTaUQ0sidlyN9SA
