Catching BloodHound Before It Bites

illustration of a fingerprint

This blog was originally published on August 6, 2020.

BloodHound is a public and freely available attack path discovery tool which uses graph theory to map the relationships in an Active Directory (AD) environment. It allows hackers (or pen testers) to know precisely three things: Which computers give admin rights to any user, which users effectively have admin rights to any computer, and effective group membership information (see Figure 1). Because BloodHound can be used maliciously, organizations need to better understand how it is being used, how to protect privileged users, and how to prevent attacks. Security Boulevard recently (August 6, 2020) revived this discussion on a popular AD testing (or attacker) tool, so we’re refreshing your reminder of the CrowdStrike® solution (formerly Preempt Security).

Figure 1. BloodHound Link Analysis

Internal Pen Testing With BloodHound

Organizations leverage BloodHound for internal pen testing because it helps simulates one of two scenarios:

  1. What an external attacker can accomplish after they get past the initial breach
  2. What a malicious insider can accomplish once inside the network

Internal testing requires a high level of experience and a large amount of time to perform effectively. Luckily there are a lot of tools that pen testers use today that can help businesses perform rudimentary security tests on their systems without the need for much manual intervention.

Internal pen testing takes the approach of simulating what an insider attack could accomplish. The target is typically the same as external pen testing with the critical exception that the assessment starts within the internal network, rather than from outside the network. Insider attacks are potentially more devastating than external attacks because insiders already have the knowledge of the critical assets within a network and their locations. Outside attacks do not have this kind of intimate knowledge and would need to spend valuable time in reconnaissance to gather information (see Figure 2).

Figure 2. Internal vs. External Assessment

Protecting Privileged Users Against BloodHound

BloodHound session enumeration (as also seen in Figure 2) can assist in expanding network access to the attacker by identifying users and groups that can lead the attacker to access local administrator rights.

In order to protect against these internal network attacks that aim to take control of enhanced privileges, organizations need to deploy a solution that can continuously monitor and learn user behavior in the network. When risky behavior is spotted (i.e., a user account with administrative privileges accesses a server that it normally doesn’t access and does so from an unknown device). Organizations need to be able to respond to the potential threat in real time.

CrowdStrike offers continuous monitoring and machine learning of user behavior in the network to help detect the use of tools such as BloodHound, Mimikatz, PowerView, and others. In addition to CrowdStrike’s own machine learning and analytics, organizations can set policies that are specific to their own corporate policy and critical infrastructure to make sure that their security is unique to their own environment. Policy can be set to protect any asset to ensure that critical data stores and assets remain protected from insider threats.

Preempt BloodHound Attacks

The CrowdStrike Falcon® platform helps customers detect BloodHound usage in their network to both pass rigorous pen testing audits as well as detect real-life attacks. Below is an example (Figure 3) of how a user leveraging BloodHound to gain administrative privileges was caught.

Figure 3. Catching a BloodHound Attack

In addition to catching malicious activity in real time, CrowdStrike can also alert organizations when administrative accounts are being used on too many machines. This is a critical use case because protecting against administrative account misuse is key to helping your AD administrator and security engineers reduce the attack surface. 

Adaptive Threat Prevention

The comprehensiveness of the CrowdStrike policy engine helps organizations enable conditional access policies to respond in real time when BloodHound is detected.

In addition, a security risk score will be assigned to the accounts involved in running the tools (both on the endpoint and the user’s account) to generate one or more of the following actions:

  1. Multi-factor authentication (MFA): AD enumeration (not commonly used) can be challenged via conditional access for risky users/conditions by prompting them to verify their identity with MFA. This helps with the end user experience as well as increases AD security.
  2. Block: After suspicious activity is detected trying to access network services, the system can  instantly block or limit the accounts from access.
  3. Reset Password: Since pen testing is highly dependent on stealing passwords, resetting passwords is a good security practice for when any weak password is detected or when suspicious user activity is occurring.

Whether due to malicious behavior or honest mistakes, threats from seemingly ‘trusted insiders’ can be the most difficult to manage. To protect against these threats, organizations need more holistic visibility and control to proactively reduce internal risk, detect suspicious behavior and prevent insider threats. By doing so, organizations can mitigate risk and reduce any further damages from impacting their most critical assets and daily operations.

Additional Resources

Related Content