Jason Crabtree, QOMPLX CEO & Co-founder, explains in a video interview with Security Guy TV why security and risk teams have to be able to dig into some of the fundamental assumptions for Kerberos Security and Active Directory Security. Here are a few key takeaways from the interview.
People Assume It's Working but Maybe It's Not
It’s great to look at how we can get visibility on data or on people, but we ultimately have to keep coming back to ask, “what are the assumptions,” “have we validated that they are still applicable?”
Risk managers must dig into and test the fundamental assumptions to know what they based their downstream investments and operational decisions on. For example, if a user’s identity can be forged, then none of your other solutions will provide the benefits they claim because you can’t trust the user information that you have.
Jason explains that, "instead of just looking at heuristics, we validate that the protocol works correctly. That is so important because your security programs assume authentication is correct."
The Importance of Behavior
If the behavioral analysis inside an enterprise is based on mis-attributed traffic to identities that aren't the right ones because people are forging tickets in Active Directory -- and you haven't detected that -- you end up with a real challenge. You have to look at the root of trust.
Trust but Verify
If you want to go really advanced in terms of privilege escalation, coming back to what we do in the Active Directory world, you’ve got to be careful with insider threat programs where you don’t actually validate that the authentications are real.
What’s Your Exposure?
All CIOs and CISOs should immediately look into their exposure to Active Directory/Kerberos exploits and understand that if they can’t trust the identities of users, then other cyber defense tools and investments are compromised as well.