A pen tester shares most-exploited Active Directory vulnerabilities

Computer security experts have two options: you can look at what went wrong, and learn from it. Or, you can look at what could go wrong, and prevent it. If you want to do the latter, that’s where pen testers (some call them white hats, or ethical hackers) come into play.

Fifteen years ago, pen testers were experts on the periphery of computer security working only for a few large organizations. A lot has changed since then. But one thing hasn’t: pen testers are still usually the first to know when something is going wrong in the way organizations deploy and use technology.

Scotsman William Wright, founder of Closed Door Security, is one of these people. Taking a traditional route into the profession, Wright’s career began as a network engineer before discovering that the demand for security skills was increasingly defining his industry. His first taste of pen testing came while studying for an Offensive Security Certified Professional (OSCP) certification, where he conducted tests on Royal Navy aircraft carriers and submarines for BAE Systems and defense contractor QinetiQ.

On top of his work at Closed Door, he has worked with IASME to create the Maritime Cyber Baseline framework in conjunction with the Royal Institution of Naval Architects (RINA) and the International Maritime Organization (IMO).

We sat down with Wright to get his take on where hackers see vulnerabilities right now. And how IT leaders can get ahead of those vulnerabilities to prevent a breach.

Pen testing is suddenly very important. What do you think is behind this rise?

Wiliam Wright: Pen testers are like the vanguard, the people who go out and find the enemy and tell everyone about it. We find the stuff that nobody else knows about so that it can be fixed.

Take the recent [late 2023] hack of a mobile provider in Ukraine. The hackers had been inside the organization for six months. If pen testers had been involved, they might have spotted the vulnerability years ago.

White hats fulfill two main roles. The first is assurance. That is, to check that an organization is doing security in the way it says it is. The second is reassurance for board members, which lets them sleep at night.

We’ve seen a conveyor belt of ransomware attacks. Cybersecurity never seems to get fixed — why is this?

Wright: One issue is that most of the ransomware groups have an almost unlimited budget. They can hire the best talent in the world from all over the world. You’re essentially up against an army of people whose only job is to extort money.

That said, the ones who get targeted are the ones who skip the basic stuff. It’s often old systems, for example an out of date version of Exchange Server with a remote code exploit (RCE) vulnerability.  When the better-resourced companies get hit, it’s usually through something like social engineering.

What are the biggest vulnerabilities you see out there right now?

Wright: The main weaknesses are old stuff that’s not been updated or a poor password policy.

During some pen tests I’ve been involved with, we’ve been able to take over a company in m minutes because they have an old RDP service with weak credentials.

Of course, a lot of companies have older stuff they need to run so what you have to do is design the network so that they can still run it without it being a major risk.

Over 90% of the world’s organizations use Active Directory. Which vulnerabilities do you most often see hackers exploiting in AD environments?

Wright: One that often comes up in an initial pen test are NTLM relays. When SMB signing is disabled on older versions of Windows, you can still relay hash credentials off them using the older NTLM authentication protocol and use this to impersonate people and move laterally. 

This suggests AD security doesn’t get the attention it deserves.

Wright: On most Azure deployments you can register enterprise applications as a user without any permission from the admins. Obviously, the token impersonation through phishing is really easy as well, and MFA bypass — it’s just endless.

Meanwhile, MFA bypass attacks are becoming more common. What’s your view on the danger these pose?

Wright: The two techniques we use in a pen test to bypass MFA are fatigue attacks where you request MFA authentication until the user approves it, or some kind of token capture that exploits the fact that nine times out of ten the token is set to expire in 30 days. Defeat that and you’ve bypassed MFA for up to 30 days. That’s not to say MFA shouldn’t be used. It’s a useful way of putting a human in between an attacker and a compromise.

Is MFA easy to pen test for weaknesses?

Wright: The problem is not usually the way MFA has been implemented but the way it’s taught to people. People are rarely taught how to detect attacks. Equally, if you take the recent Okta attack, only 6% of the clients were using the platform without MFA. Arguably, Okta should have been enforcing it. There is no excuse for not having MFA.

And presumably, therefore, you’d agree that MFA isn’t always enough on its own.

Wright: Absolutely. You need time-based privileges and identity management in Office 365 to assess specific tasks at specific times. However, this can also be very resource intensive. You have to have the risk to justify using it.

Why don’t organizations always use MFA, or limit its use to privileged accounts?

Wright: I’ve yet to hear a compelling argument for not using MFA for everybody. That said, if an organization decides not to use it universally at least having the admins on it is a step in the right direction.

What are your thoughts on technologies that might replace passwords such as Passkeys or biometric authentication?

Wright: Take Windows Hello, for example. When it’s implemented correctly, it’s rare that someone is going to get past that. But that doesn’t mean that passwords should disappear. There’s always a balance between security and ease of use for people who just want to get the job done. For admin tasks, I doubt you can get rid of passwords fully and I wouldn’t want to see this. I wouldn’t give control of a network to someone based on biometrics alone.

If you suspect that a hacker has obtained valid credentials, how would you recommend mitigating this?

Wright: The first thing you should do is to change the password. If you don’t know whose credential, the best thing is to force a password change for everybody as inconvenient as that might be.

This is also why it’s good to enforce MFA for everyone. Have a quick 10-minute call with everybody giving them information on how to detect whether someone is trying to log into their account.

One of the most useful techniques is empowering users to secure themselves. An example of that is the user who sends the admin lots of phishing emails. A good admin knows they are not dangerous but asks the user to keep them coming because eventually it will be a real phishing email. Empower the users.

Any industry trends you’d highlight for the next year or two?

Wright: Not necessarily a trend but something we’re investing quite heavily in is maritime security. Think about the Maersk cyberattack of 2017. And not just shipping but private vessels too such as cruise ships, ferries, and yachts. If I can control a vessel, I can sink it by driving it into a wall or another ship. Before you had high-latency satellite links or bad DSL or slow 3G when vessels were in port. The advent of Starlink has given a 400-megabit connection to every ship that’s got it in the world. That’s why I’m working with IASME on the Maritime Cyber Framework. It’s a start.

It’s widely assumed that AI will be a huge tool for attackers. What are your views on the benefits versus the threats?

Wright: Right now, AI is more of an information security risk. For example, with ChatGPT people are pasting in documents and asking it to rewrite them. Maybe that document has some classified or personally identifiable information in it. But AI will also lower the barrier to entry such as creating malicious code. It won’t be perfect, but it could be enough to do damage.  In a couple of years, we’ll be looking at end-to-end automated attacks that will be called AI. Soon, you might see AI ransomware-as-a-service.