Active Directory is a complex system with numerous configurable settings, making it notoriously hard to secure. Design flaws, operational mistakes, and misconfigurations accumulate over time, exposing AD to a spectrum of attacks. For years, attackers have had the upper hand in identifying privilege escalation paths to AD: Countless attack paths lead to AD. Defenders facing the challenge of combing through those thousands of attack paths are likely to miss some risky violations. 

Today, we’re announcing Forest Druid, a free tool that takes an inside-out approach to identifying and prioritizing attack paths that lead to Tier 0 assets. Rather than chasing down every avenue, defenders can use Forest Druid to quickly identify low-hanging fruit for remediation, accelerating the process of closing backdoors into AD. 

Forest Druid is the second in our arsenal of Active Directory community security tools, joining Purple Knight, an AD security assessment tool used by more than 10,000 organizations. Whereas Purple Knight scans for indicators of exposure (IOEs) and indicators of compromise (IOCs) and provides an overall security score, Forest Druid focuses on attack paths that lead to critical Tier 0 assets. Check out the video interview below for some insights we shared at Black Hat USA 2022 about the origin of Forest Druid and our vision for its evolution. 

Identify the true Tier 0 perimeter

One of the problems with traditional attack path management methods is that organizations often don’t have an accurate definition of their Tier 0 assets, and current tools don’t help to define those assets. It’s hard to defend resources that aren’t defined.  

Forest Druid uses an iterative process to clearly define Tier 0 assets. In every iteration, all the control relationships that originate in a node outside of Tier 0 and reach a node inside Tier 0 in a single hop are analyzed to determine whether the originating node should be added to Tier 0 or whether it violates the security model and should be removed. The process concludes after an iteration that shows no additional relationships to Tier 0, thus establishing your privileged-defined perimeter.  

Forest Druid accelerates attack path analysis by focusing on privileged access to Tier 0 from the inside-out, while other attack path discovery tools identify an extensive list of attack paths and chokepoints from the outside-in. Forest Druid automatically graphs relationships among Tier 0 assets, creating an independent source of truth for Tier 0 security that allows defenders to quickly eradicate the threat from AD and identify previously undisclosed domain persistence techniques.  

Save time and resources protecting Tier 0 assets

Rather than chasing down thousands of potential attack paths, defenders can save time by using Forest Druid to identify and address the most problematic security violations—the paths that lead directly to your most sensitive assets.  

Interested in checking out Forest Druid? Request early access and join the Purple Knight community discussion on Slack.  

More resources

Watch as Ran Harel demonstrates Forest Druid at Black Hat USA 2022
Download the Forest Druid Overview: Stop Chasing AD Attack Paths
Watch video interview about Forest Druid with Ran Harel and David Raviv of NY Information Security Meetup
Visit the Forest Druid web site



The post Closing Attack Paths to Tier 0 Assets with Forest Druid appeared first on Semperis.