Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.


Defender Mindset

A lot of network defense goes wrong before any contact with an adversary, starting with how defenders conceive of the battlefield. Most defenders focus on protecting their assets, prioritizing them, and sorting them by workload and business function. Defenders are awash in lists of assets—in system management services, in asset inventory databases, in BCDR spreadsheets. There’s one problem with all of this. Defenders don’t have a list of assets—they have a graph. Assets are connected to each other by security relationships. Attackers breach a network by landing somewhere in the graph using a technique such as spearphishing, and then they hack onward, finding vulnerable systems by navigating the graph. Who creates this graph? You do.

What Is the Graph?

The graph in your network is the set of security dependencies that create equivalence classes among your assets. The design of your network, the management of your network, the software and services used on your network, and the behavior of users on your network all influence this graph. Take a domain controller for example. Bob admins the DC from a workstation. If that workstation is not protected as much as the domain controller, the DC can be compromised. Any other account that is an admin on Bob’s workstation can compromise Bob and the DC. Every one of those admins logs on to one or more other machines in the natural course of business. If attackers compromise any of them, they have a path to compromise the DC.

Six Degrees of Mallory

Attackers can lie in wait on a compromised machine, using a password dumper such as mimikatz, until a high value account logs on to the machine. Let’s examine an example graph.

Figure 1 Example network logon graph

The cluster on the left is a single Terminal Server used by hundreds of users. If attackers compromise this machine, they can dump the credentials of many users over time.

Figure 2 A compromised terminal server can lead to many credentials

How can attackers move laterally to get to the High Value Asset?

Figure 3 An attack path exists from compromising a terminal server to a high value asset

By searching the graph, attackers discover multiple paths to the High Value Asset. Compromising the terminal server can allow attackers to also compromise User46 and User128. Those users are admins on Machine2821 and Machine115 respectively. Compromising those workstations allows attackers to compromise User1 and User34, both of which are admins on the High Value Asset. For the High Value Asset to be protected, all the dependent elements must be protected as thoroughly as the HVA—forming an equivalence class.
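The path search described above, written out as an added example (this is not code from the post; the node names are taken from Figure 3 and the extra nodes User7 and Machine9 are constructed to show a dead end and a machine outside the foothold's reach). Edges follow the text's two relationship kinds: a machine points to each user who logs on to it (a compromise of the machine exposes that credential), and a user points to each machine they administer. The equivalence class is computed by walking the reversed edges back from the HVA.

```python
"""Attack-path search and equivalence class over the Figure 3 logon graph.

Added example built to mirror the post's description; not the post's own code.
Edge semantics:
  machine -> user : the user logs on to the machine, so compromising the
                    machine exposes that user's credential ("session" edge)
  user -> machine : the user is an administrator of the machine ("admin" edge)
"""
from collections import deque

# Constructed example graph using the names from Figure 3, plus User7 (a user
# with no onward admin rights) and Machine9 (another machine User1 logs on to).
EDGES = [
    ("TerminalServer", "User46"),   # User46 logs on to the terminal server
    ("TerminalServer", "User128"),  # User128 logs on to the terminal server
    ("User46", "Machine2821"),      # User46 is admin on Machine2821
    ("User128", "Machine115"),      # User128 is admin on Machine115
    ("Machine2821", "User1"),       # User1 logs on to Machine2821
    ("Machine115", "User34"),       # User34 logs on to Machine115
    ("User1", "HighValueAsset"),    # User1 is admin on the HVA
    ("User34", "HighValueAsset"),   # User34 is admin on the HVA
    ("TerminalServer", "User7"),    # dead end: User7 administers nothing
    ("Machine9", "User1"),          # User1 also logs on to Machine9
]


def build(edges):
    """Forward and reverse adjacency lists for a directed edge list."""
    fwd, rev = {}, {}
    for src, dst in edges:
        fwd.setdefault(src, []).append(dst)
        rev.setdefault(dst, []).append(src)
        fwd.setdefault(dst, [])
        rev.setdefault(src, [])
    return fwd, rev


def attack_paths(edges, start, target):
    """Enumerate every simple path from a foothold to the target (DFS)."""
    fwd, _ = build(edges)
    paths = []

    def dfs(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in fwd.get(node, []):
            if nxt not in path:          # simple paths only: no revisits
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return paths


def equivalence_class(edges, target):
    """Every node from which the target is reachable. The post's point: each
    of these must be protected as thoroughly as the target itself."""
    _, rev = build(edges)
    seen = {target}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for prev in rev.get(node, []):   # walk edges backwards from the HVA
            if prev not in seen:
                seen.add(prev)
                queue.append(prev)
    return seen


if __name__ == "__main__":
    for p in attack_paths(EDGES, "TerminalServer", "HighValueAsset"):
        print(" -> ".join(p))
    print("protect as HVA:", sorted(equivalence_class(EDGES, "HighValueAsset")))
```

Two paths come out of the search (via User46/Machine2821/User1 and via User128/Machine115/User34), and the equivalence class picks up Machine9 even though it is not on either path from the terminal server: any foothold on Machine9 exposes User1, so it belongs to the HVA's protection tier. User7 is correctly left out.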

Security Dependencies

In a Windows network, when users perform certain kinds of logons (Interactive, Terminal Server, and others), those users’ credentials (and single-sign-on equivalents such as a Kerberos TGT or NTLM hash) are exposed to theft if the underlying host is compromised. Beyond this, there are many kinds of relationships that create security dependencies:

  • Local admin accounts with a common password. Compromise one system, dump the local admin password, and use that password on other hosts with the same password.
  • File servers housing logon scripts that run for many users and software update servers.
  • Print servers that deliver print drivers to client machines when used.
  • Certificate authorities that issue certificates valid for smart card logons.
  • Database admins that can run code under the context of a database server running as a privileged user.

And so on. There are indirect relations as well. A machine that has a vulnerability can be compromised, suddenly allowing attackers to create new edges in the graph. Or users may have an account in two untrusted domains with the same password, creating a hidden edge between domains.

Manage your Graph

What can you do as a defender? The first step is to visualize your network by turning your lists into graphs. Next, implement controls to prune the graph:

  • Examine unwanted edges that create huge connectivity bursts. Implement infrastructure partitioning and credential silos to reduce them.
  • Reduce the number of admins. Use Just-In-Time / Just Enough techniques for privilege minimization.
  • Use two factor authentication to mitigate certain edge traversals.
  • Apply a solid credential rotation approach in case a user account is compromised.
  • Rethink forest trust relationships.
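An added example (not the post's code) that covers the two preceding passages: it turns the kind of lists a defender already has (local Administrators group dumps, logon session records, and which hosts share a local admin password) into an edge set, surfaces the nodes with the biggest connectivity bursts by out-degree, and measures the effect of two of the controls listed above: unique local admin passwords (removing the hidden full-mesh edges a shared password creates) and dropping an admin right. All three input lists are constructed sample data, and the password labels are opaque placeholders standing in for "these hosts share a secret".

```python
"""Turning defender lists into a graph and pruning it.

Added example, not code from the post. The inputs are constructed stand-ins
for inventories defenders already keep.
"""
from collections import Counter
from itertools import permutations

# Constructed: (host, member) rows as from a local Administrators group dump.
LOCAL_ADMINS = [
    ("Machine115", "User128"), ("Machine2821", "User46"),
    ("HighValueAsset", "User1"), ("HighValueAsset", "User34"),
    ("FileServer", "User1"), ("FileServer", "User34"), ("FileServer", "User99"),
]
# Constructed: (host, user) rows from interactive / terminal server logons.
SESSIONS = [
    ("TerminalServer", "User46"), ("TerminalServer", "User128"),
    ("TerminalServer", "User7"), ("Machine2821", "User1"),
    ("Machine115", "User34"),
]
# Constructed: host -> opaque label for its local admin password. Hosts with
# the same label share the password (the "common local admin password" case).
LOCAL_ADMIN_PW = {
    "Machine115": "pw-A", "Machine2821": "pw-A", "FileServer": "pw-A",
    "TerminalServer": "pw-B", "HighValueAsset": "pw-C",
}


def lists_to_graph(local_admins, sessions, local_admin_pw):
    """Return a set of (src, dst, kind) edges. Every edge means: control of
    src gives control of dst."""
    edges = set()
    for host, user in local_admins:
        edges.add((user, host, "admin"))       # admin right: user -> host
    for host, user in sessions:
        edges.add((host, user, "session"))     # exposed credential: host -> user
    by_pw = {}
    for host, label in local_admin_pw.items():
        by_pw.setdefault(label, []).append(host)
    for hosts in by_pw.values():
        for a, b in permutations(hosts, 2):    # shared secret: full mesh
            edges.add((a, b, "shared-local-admin"))
    return edges


def out_degree(edges):
    """How many nodes each node leads to directly; high values are the
    'connectivity bursts' worth examining first."""
    return Counter(src for src, _, _ in edges)


def connectivity_bursts(edges, top=3):
    return out_degree(edges).most_common(top)


def prune(edges, unique_local_passwords=False, drop_admins=()):
    """Simulate two controls: unique local admin passwords remove the
    shared-secret mesh; drop_admins removes (user, host) admin rights."""
    kept = set()
    for src, dst, kind in edges:
        if unique_local_passwords and kind == "shared-local-admin":
            continue
        if kind == "admin" and (src, dst) in drop_admins:
            continue
        kept.add((src, dst, kind))
    return kept


if __name__ == "__main__":
    g = lists_to_graph(LOCAL_ADMINS, SESSIONS, LOCAL_ADMIN_PW)
    print("edges:", len(g), "bursts:", connectivity_bursts(g))
    g2 = prune(g, unique_local_passwords=True, drop_admins={("User99", "FileServer")})
    print("after controls:", len(g2), "bursts:", connectivity_bursts(g2))
```

The three hosts sharing "pw-A" contribute six edges on their own (n hosts sharing a password create n(n-1) directed edges), which is why a shared local admin password is such a cheap connectivity burst to remove. Running the same degree ranking after each candidate control is the quantitative version of "examine unwanted edges" from the list above.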

Learn to Spot List Thinking

Defenders need to ensure that attackers don’t have a leg up on them when visualizing the battlefield. In this contest, defenders can have the upper hand. They can have full information about their own network, whereas attackers need to study the network piece by piece. Defenders should take a lesson from how attackers come to understand the graph. Attackers study the infrastructure as it is—not as an inaccurate mental model, an incomplete asset inventory system, or a dated network diagram presents it. Manage from reality, because that’s the prepared Defender Mindset.

Further Reading

There are a number of papers about attack graphs. Here are a few:

Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack Graph by J. Dunagan, D. Simon, and A. Zheng, http://alicezheng.org/papers/sosp2009-heatray-10pt.pdf

Two Formal Analyses of Attack Graphs by S. Jha, O. Sheyner and J. Wing, http://www.cs.cmu.edu/~scenariograph/jha-wing.pdf

Using Model Checking to Analyze Network Vulnerabilities by P. Ammann and R. Ritchey, http://cyberunited.com/wp-content/uploads/2013/03/Using-Model-Checking-to-Analyze-Network-Vulnerabilities.pdf

A Graph-Based System for Network-Vulnerability Analysis by C. Phillips and L. Swiler, http://web2.utc.edu/~djy471/CPSC4660/graph-vulnerability.pdf

Automated Generation and Analysis of Attack Graphs by J. Haines, S. Jha, R. Lippman, O. Sheyner, J. Wing, https://www.cs.cmu.edu/~scenariograph/sheyner-wing02.pdf

[And thanks to @4Dgifts for mentioning the two below]

Modern Intrusion Practices by Gerardo Richarte, https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-richarte.pdf

Attack Planning in the Real World by Jorge Lucangeli Obes, Gerardo Richarte, Carlos Sarraute, http://arxiv.org/pdf/1306.4044.pdf


Comments (19)

  1. Anonymous says:

    @JA, My text is what I intended–though it doesn’t seem to be clear. i.e. Defenders (often mentally) think they have a list of things to protect, but in reality it’s not a list, it’s this graph of connected attack surfaces. They need to think about the closure.

  2. Anonymous says:

    @Ryan, yes the graphing tool is i2. @jakx_, see my comment above.

  3. dan says:

    There’s one problem with all of this. Defenders don’t have a list of assets. Typo?

  4. bobdodd says:

    I read that although defenders have many lists of assets, assets aren’t a list, they are a set of relationships best described with a graph.

  5. Sam says:

    Hmm, interesting graphs. Please could you tell us the name of the tool used to generate them; it’s a good way to conceptualise and visualise the network in the event of an incident.

  6. G says:

    Lists can represent graphs (see LISP et al.) The problem isn’t necessarily list-orientation, it’s that the lists aren’t security lists but accounting lists, and accounting lists can’t comprehend non-money resources such as technical risk. So the problem stems not from list-thinking but from the fact that businesses are over-oriented to a financial viewpoint. This viewpoint is rewarded in the short term because of the flexibility and adaptability that comes from having money as opposed to other resources, and so is going to be difficult to displace. It’s not that security has a list-thinking problem; it’s that security is forced to think of things in a purely financial manner. Security needs to find measurable and correct but non-financial value (or at least less directly financial value) in IT things.

  7. Torbjorn says:

    Does a product like this exist? I’ve seen something similar with Maltego, but out of the box it does not support Active Directory. To visualize and protect critical assets, this is genius. Please do tell if you found a product that links users, AD Groups and assets like this 🙂

  8. Dino says:

    Userinsight from Rapid7

  9. michel says:

    This very idea of "graph thinking" is at the heart of an AD security tool published last year: "Active Directory Control Paths" (https://github.com/ANSSI-FR/AD-control-paths/). This tool creates graphs of aggregated relations between various AD objects, which can then be used to find paths to what you called "the High Value Asset", typically in this case the "Domain Admins" group.

  10. josh says:

    I wrote a library that might help with that kind of work.
    http://lowrekey.github.io/fourd.js/

  11. JA says:

    Clarifying the suspected typo of comment #1:
    "Defenders don’t have a list of assets—they have a graph" should be
    "Attackers don’t have a list of assets—they have a graph"

  12. CyberSec Researcher says:

    I feel that while this has some truth in it, it’s a rather broad and rough over-simplification of both mindsets, and especially the attacker mindset.

    I’m not sure if it’s a good thing or not. Seeing as most people dealing with cybersec start with a rather limited understanding, maybe simplifying it for them is a good start.
    But it could also be damaging if this leads them to stop at that point and assume that this approach is sufficient.

    More on the attacker mindset:
    http://landing.edgewave.com/WhitePaper-Choice-Vulnerabilities-Website-Confirmation.html

  13. Buy Tough says:

    Check out our website for new and refurbished toughbooks and toughpads!
    http://mooringtech.com/

  14. Jean says:

    Great article. For those looking for a way to visualize and protect assets, I suggest looking into Linkurious, a graph visualization startup:
    http://linkurio.us/

  15. jakx_ says:

    Really enjoyed this article. When you said "Defenders don’t have a list of assets—they have a graph" did you mean "attackers"?

  16. Rich says:

    You just expanded on a tweet you wrote over a year ago. Kind of epic. 😀

    I still think it’s possible to wrap an up to the minute graph topology in a checklist and have the best of both worlds. (aka checklists saving pilots, surgeons, etc)

  17. Ryan says:

    FYI for those who were curious: The graph software used here looks a lot like "i2 Analyst notebook."

  18. Chase says:

    In theory, I agree. However, I’ve generally found the opportunity cost of graphing a full network enumeration to be prohibitive, and once you start collapsing network sections, you’re back to listing. 🙂 If it’s restricted to servers/admins, though, it’s very helpful – makes it very easy to visualize credential creep.

  19. Raffy says:

    There is an entire community out there that does visualization for security: http://secviz.org – participate!