CypherCon 2023

Offensive Security & The Evolution of Attack Path Management

Joe Mondloch

Abstract:

The corporate network attack path hasn’t changed much in the past twenty years. An attacker might gain control of an end-user’s account through password guessing or phishing. They then elevate privileges and steal additional credentials. This allows them to hop across the network and acquire additional access and accounts. They eventually discover domain administrator credentials and inherit control of everything.

Active Directory is a powerful tool for centralized account and resource management. However, over the course of time, considerable amounts of technical debt accumulate in the form of over-provisioned access and deeply nested permissions. The ability to harvest credentials and utilize them through pass-the-hash, or similar techniques, enables attackers to identify attack paths and swiftly move through networks.

While these common paths are timeless, the tools to visualize them (both offensively and defensively), as well as to prioritize remediation efforts, have certainly improved. This talk will examine how we analyze the security implications of the attack paths that have grown in our environments. It will further cover the multi-tier credential architecture, network micro-segmentation and other controls we utilize in our own network to combat such attack paths.

Joe Mondloch

Evolving Attack Paths

Joe (jmk) is an offensive-focused security practitioner. He contributed ideas, code and support in the early days of the penetration testing industry as a longtime member of the Foofus group. This included creating the Medusa password guesser, contributing to the FgDump/PwDump password extraction utility, as well as other critical tools of yesteryear.

Joe shifted his efforts in recent years from red to blue. He now spends his time creating complicated challenges for penetration testers as a security architect and engineer for the hosting division of a healthcare software company.