Identity Threat Defense

For Active Directory, BloodHound Barks, But Lacks Bite

Share with your network!

We’ve written a lot on this blog about the challenge of managing excess credentials in Active Directory and how much of a cybersecurity threat they potentially pose to organizations of all sizes. In this post, we’ll review the key drivers of that threat, and then examine two tools that can—at least partially—empower security teams to gain improved visibility into these credentials and increase cyber hygiene.

A Cyber Exposure Threat 

The credential landscape—what we call the “access footprint”—is constantly changing, even in the most well-run organizations. It’s always difficult to deploy identity and access management changes as fast as user functions change, so access-related security gaps are common. However, even through normal business operations, credentials get stored and hidden in a variety of places. Cyberattackers look for these rogue credentials and connections that lead them to an organization’s critical assets—their crown jewels.

These exposed credentials and connections are the most dangerous and neglected aspect of the attack surface, and traditional vulnerability management solutions are not well-adapted to detect or remove them. As attacks become increasingly automated, this is a gaping hole. 74% of 2018 breaches involved privileged account access.

Enterprises need a solution that locates excess credentials in Active Directory, presents them in an easy to visualize and understandable way for security teams, and finally must be automated in order to save time and empower different team members to work efficiently and confidently. Fortunately, a couple of options are available to organizations to do this.

An Open Source Option

One available option to surface exposed credentials and connections is BloodHound. BloodHound is an open-source tool used to examine loose credentials in your network environment.

From its Github page description:

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attacks can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths.

BloodHound technically consists of two tools, which can be broken down as follows:

  • SharpHound – a tool that collects AD/LSASS data from the environment into a static format
  • BloodHound – an analysis tool that absorbs the SharpHound output.

BloodHound provides a graphical representation of all available paths that an attacker might take towards critical AD assets, such as control over Domain Admins. As a free tool for a quick graph of major connections within Active Directory, BloodHound does provide some value in attack simulations for both red and blue teams. Yet it is limited as a comprehensive cyber hygiene solution. It’s important to note that BloodHound does not provide any capabilities for cleaning, remediation or any other mitigation once excess credentials or connections are discovered. And as an open source tool, its scale is limited as well.

Visibility through Ongoing Cyber Hygiene

If BloodHound’s approach sounds promising, but raises concerns about enterprise-readiness, a second option for excess credential discovery is Illusive’s Attack Surface Manager (ASM). ASM is a mature, enterprise-tested solution offering full technical support, extensive quality control, and professional engineering development.

Often referred to rhetorically as ‘BloodHound on Steroids’, ASM discovers and displays the actual paths between ordinary endpoints and all systems classified as critical crown jewels. It also provides an easy interface for defining where and how domain admin user and other privileged credentials are allowed to persist on systems, and then automatically discovers and enables easy remediation of any violations.

While both BloodHound and ASM are valuable as an attack simulation tools, Attack Surface Manager adds comprehensive capabilities for path identification, network visibility, and threat reduction. ASM also provides the ability to examine each cyberattack pathway to critical assets, and apply risk metrics to identify dangerous paths to eliminate immediately, paths that are critical to business processes, and extraneous paths that can be safely removed without affecting valid users’ ability to reach necessary resources.

Attack Surface Manager is also able to discover attack vectors where BloodHound lacks visibility. In addition to stored domain credentials and shadow admins, ASM can also discover saved connections, credentials to local admins, and suspicious files.

Unlike BloodHound, Attack Surface Manager is highly scalable. Current Illusive customers include large enterprise-size companies and organizations around the world, who also receive services and support from the Illusive team.

Security teams will also want to be able to utilize comprehensive reports and summaries of attack service metrics. With Attack Surface Manager, customers are able to leverage these reports for drill down investigations to improve their network security and reduce vulnerabilities. An attack risk assessment empowers companies to quickly and easily examine any hidden vulnerabilities within their network. With this information in hand, Illusive experts and end-user security teams will review and analyze results in an on-site workshop to determine how your organization could act on the data to reduce the attack surface.


Watch this on-demand webcast, Securing Active Directory – How to Reduce Blind Spots and Paralyze Attackers.