
Active Directory Threat Intelligence

Obtain unrivaled threat intelligence into the most critical aspects of Active Directory.

"We are very pleased to see Paramount Defenses, a valued Microsoft partner, offer an innovative security solution (in Gold Finger) that helps enhance security and compliance in Active Directory environments."

Charles Coates, Senior Product Manager      
Identity and Security Business Group


Active Directory is the nerve center of Threat Intelligence.


Active Directory is the lifeline and foundation of IT and cyber security in IT infrastructures powered by Windows Server.

At 85% of organizations worldwide, all organizational user accounts and passwords are stored, protected and managed in Active Directory and almost all organizational computers are joined to, secured by and managed from Active Directory.

Cardinally, in Windows based networks, all three A's of cyber security i.e. Authentication, Authorization and Auditing are completely integrated with and depend on Active Directory, and the most powerful privileged accounts and groups, and the majority of all privileged access lies in Active Directory.

Considering that Active Directory is where all organizational authentications occur and where all accounts and groups including privileged ones reside, Active Directory is the very nerve center of organizational cyber threat intelligence.


Active Directory is Target #1

Active Directory is the #1 target for perpetrators today.


Active Directory is the #1 target for perpetrators today because it's the foundation of cyber security in Windows networks.

After all, all of an organization's user accounts and passwords are stored, protected and managed in Active Directory, all of an organization's computers are joined to, secured and managed from Active Directory, and access to all IT assets (files, folders, apps, portals, email etc.) is controlled using AD groups.

Thus, the compromise of the Active Directory gives perpetrators command and control over the entire IT infrastructure.

Further, history is witness that in virtually all major recent cyber security breaches, including the Colonial Pipeline Hack, the SolarWinds Breach, the Microsoft Breach and so many others, the perpetrators targeted Active Directory.

Any organization whose foundational Active Directory is not adequately protected could be the next victim of a breach; possessing threat intelligence into who can enact the most critical threats against Active Directory is thus paramount.


Active Directory Attack Vector #1 - Privileged Access

The easiest way to compromise Active Directory is by gaining privileged access.


What do the components that comprise 99% of Active Directory's attack surface, i.e. Domain Controllers, Active Directory privileged accounts and groups, its entire contents, config data and admin workstations, have in common?

They are all represented by an object in Active Directory.

You see, literally everything inside Active Directory is an object, protected by an access control list (ACL), and in each AD, in thousands of ACLs lie millions of security permissions that govern and control exactly who has what access in AD.

These permissions control everything, from who can change the Domain Admins group membership to who can reset a Domain Admin's password to who can link a malicious GPO, to who can control every single privileged user and group.

Anyone who can correctly* analyze this ocean of permissions in Active Directory could find a thousand ways to compromise any component of its attack surface, and gain command and control.

* The correct analysis involves determining effective permissions in Active Directory.

Paramount Threat Intelligence

High-value, instantly actionable threat intelligence.


No organization operating on Active Directory can be adequately secured without possessing high-value threat intelligence that can reveal exactly who can enact the following threats against its Active Directory -

  1. Escalate privilege to a Domain Admin in Active Directory

  2. Run Mimikatz DCSync against an Active Directory domain

  3. Change the membership of the Domain Admins group

  4. Reset a privileged user's (e.g. a Domain Admin's) password

  5. Push a malicious GPO to a DC or any admin workstation

  6. Create an inbound trust relationship with a rogue forest

  7. Disable the use of smartcards for all domain user accounts

  8. Sever Active Directory's connection to Azure Active Directory


After all, the enactment of a single such threat could instantly and directly result in an Active Directory Security breach.

This is merely a small list of high-impact threats enactable against Active Directory.

Paramount Active Directory Threat Intelligence

Our solution can uniquely deliver high-value AD threat intelligence.


The answer to who can enact the most devastating threats (listed above) against an organization's Active Directory lies deep inside arcane Active Directory access control lists (ACLs), and our high-value intelligence can identify all of them.

You see, from the domain root to the Domain Admins group, and from every privileged user's account to every trust relationship, everything in Active Directory is an object protected by an ACL.

Cardinally, a perpetrator can only enact these threats if he/she possesses sufficient effective permissions on the target Active Directory objects to enact the actions that constitute these attacks.

Consequently, organizations can actually identify who can enact all such threats by "accurately determining effective permissions in Active Directory", which is not the same as identifying who has what permissions in Active Directory.

Our patented, Microsoft-endorsed access assessment technology can uniquely analyze an ocean of Active Directory ACLs to accurately determine effective permissions domain-wide, and instantly uncover exactly who can enact these critical threats against every organization's foundational Active Directory today.

Armed with such valuable threat intel, organizations can immediately take proactive measures to eliminate such threats.


Effective Permissions - The Key to Threat Intelligence

Effective Permissions are the key to correctly identifying actors who can enact all critical threats against Active Directory.


From Domain Admins to every privileged account and group, and from the Domain Controllers OU to every DC's and admin workstation's computer account, as well as the domain root, literally everything in Active Directory is an AD object.

Every AD object is protected by an access control list (ACL) that specifies who has what permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.

It is not Who has what permissions in Active Directory but Who has what effective permissions in Active Directory that ultimately governs the security of all Active Directory content, including all privileged users and groups, content and DCs.

Thus, effective permissions are the key to identifying who can enact all such critical threats against Active Directory.
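
The difference between the permissions listed in an ACL and the resulting effective permissions can be shown with a simplified model. This is an added example, not code from this page and not Gold Finger's algorithm; the principals, groups, ACL entries and the right name `WriteMember` are constructed, and object-specific ACEs, ownership and property sets are ignored.

```python
# Simplified model of effective permissions on one AD object (constructed data).
# Assumes canonical ACE order: explicit deny, explicit allow, inherited deny,
# inherited allow. The first matching ACE that carries the right decides.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # user or group named in the ACE
    rights: frozenset    # simplified right names (hypothetical labels)
    inherited: bool = False

# Constructed memberships: member -> groups it belongs to directly.
MEMBER_OF = {
    "alice": {"Helpdesk"},
    "bob": {"Helpdesk", "Contractors"},
    "carol": {"Auditors"},
    "Helpdesk": {"Tier1 Admins"},      # nested group
}
W = frozenset({"WriteMember"})
# Constructed ACL on a privileged group; note that no user is named directly.
DOMAIN_ADMINS_ACL = [
    Ace("allow", "Tier1 Admins", W),
    Ace("deny", "Contractors", W),
    Ace("deny", "Helpdesk", W, inherited=True),
    Ace("allow", "Auditors", W, inherited=True),
]

def token(principal):
    """Principal plus every group reached through nested membership."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(MEMBER_OF.get(p, ()))
    return seen

def canonical(acl):
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))

def has_right(principal, acl, right):
    sids = token(principal)
    for ace in canonical(acl):
        if ace.trustee in sids and right in ace.rights:
            return ace.kind == "allow"
    return False                        # no matching ACE: access not granted

def who_can(acl, right, principals):
    return sorted(p for p in principals if has_right(p, acl, right))
```

In this constructed data, alice gains the right through a nested group and an explicit allow that precedes the inherited deny, bob loses it to an explicit deny, and carol gains it through an inherited allow, none of which is visible from the list of trustees alone.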



Our Solution

How our solution uniquely delivers high-value Active Directory Threat Intelligence.


Not a single threat targeted at any organizational IT asset stored in Active Directory can be successfully enacted without the attacker possessing sufficient effective permissions to do so in Active Directory.

Gold Finger, our unique, innovative Microsoft-endorsed Active Directory Access Assessment tooling, architected by former Microsoft Program Manager for Active Directory Security, is the world's only cyber security solution that can accurately calculate effective permissions in Active Directory.

It can automatically and accurately determine exactly who has what effective permissions in Active Directory, and thus based on it also accurately determine exactly who has what privileged access, where and how, domain-wide in Active Directory, as well as accurately identify privilege escalation paths in Active Directory, in minutes, and at a button's touch.

It is thus unique in its ability to determine exactly who can enact the most high-impact threats against Active Directory, and it can do all this without requiring any administrative access or installation of any agents or services on DCs, etc.

The threat intelligence that Gold Finger can uniquely deliver is extremely valuable because it can empower organizations to identify and eliminate existent high-impact threats to Active Directory before they can be enacted to inflict damage.

Our Unrivaled Threat Intelligence

Here are just a few examples of the real-time Active Directory Threat Intelligence that our solution can uniquely deliver -

  • Who can escalate privilege in Active Directory?
  • Who can run Mimikatz DCSync against an Active Directory domain?
  • Who can change the membership of the Domain Admins security group?
  • Who can reset the password of any/every privileged user in Active Directory?
  • Who can change the permissions specified in the AdminSDHolder object's ACL?
  • Who can create a new inbound trust relationship or modify any existing trust relationship?
  • Who can link a malicious GPO to instantly take over any or every administrative workstation?
  • Who can change administrative control in Active Directory to instantly obtain access to all organizational IT resources?
  • Who can launch a denial-of-service attack against any Active Directory integrated application/service? (e.g. Azure Connect)
  • Who can link a malicious GPO to any OU to instantly gain command and control over thousands of domain-joined computers?

The ability to determine who can enact a serious threat and eliminate that possibility is always a far more effective security measure than trying to detect an attack in progress and then attempting to thwart it, i.e. prevention is always more effective than detection.

Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University

Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.


Telephone: 001-949-468-5770
