Risky Business - Risky Biz Soap Box: Graph the planet!
Episode Date: December 11, 2025In this sponsored Soap Box edition of the Risky Business podcast, Patrick Gray chats with Jared Atkinson, CTO of SpecterOps, about BloodHound OpenGraph. OpenGraph enume...rates attack paths across platforms and services, not just your primary directories. A compromised GitHub account to on-prem AD compromise attack path? It’s a thing, and OpenGraph will find it. Cross-platform attack path enumeration! So good! This episode is also available on Youtube. Show notes
Transcript
Discussion (0)
Hi everyone and welcome to another soapbox edition of the Risky Business Podcast.
My name's Patrick Gray.
For those who are not familiar, all of these soapbox editions of the show are wholly sponsored,
and that means everyone you hear in one of these editions of the show paid to be here.
And today we are chatting with the fine folks over at SpectorOps,
and they, of course, make Bloodhound.
So joining me now is Jared Atkinson, who is the CTO and one of the founding team members of Bloodhound,
which was spun out of SpectroOps,
which is a professional services company,
doing a lot of offensive security testing,
things like that.
Bloodhound started as a tool that they developed for their own use,
and then, of course, they spun it all out
so that everybody else could enjoy it as well.
So for those who are not familiar, Jared,
today we're going to be talking about OpenGraph, right?
Which is a big change for Bloodhound.
But why don't we just start off by talking about,
you know, the origins of Bloodhound,
the brief history of Bloodhound,
and how we got to the point where OpenGraph is now a thing.
Sure, yeah.
So as you mentioned, we started off as kind of a red team, right?
So consulting.
And one of the things that you run into as a red teamer is when you're in a network
environment, particularly like a gigantic AD domain or maybe AD Forest with tons of different
domains, you might have an objective and you have an arbitrary starting point.
So you fish some user and you get access to their computer.
Very rarely is that the place where you want to be, right?
You want to go somewhere else.
And so there's there's almost this kind of traditionally there's been this guess and check kind of approach, trial and error to where you get access to the one computer.
Maybe you escalate to become system or have root level permissions.
And then you would ask who's logged into the computer and what permissions do those users have have?
Right.
And so like what computers can they administer and that type of thing?
And so then you start to laterally move.
The problem is that you might have several options at your disposal and you're going to pick one or two of them and you're going to go down that path.
and you're just kind of hoping that five hops down the road,
you're getting closer and closer to where you want to go.
In sufficiently large environments,
sometimes that doesn't work out the way that you hope.
And then you have this kind of conundrum of,
do I go all the way back to the beginning?
Do I go back one hop and try a different option?
And there's kind of this enormous selection problem
to where you have all these different options
and you don't know which one to take.
And so Bloodhound came about almost as like Google Maps,
the Google Maps equivalent for navigating your way through a domain environment
to where you would say, let's get initial access, we can gather a bunch of information about what
computers, groups, users are in the domain, all of that, any user in the domain can gather.
And you can start to build out relationships and understand which path you want to take
before you even start moving, right? So you would understand, okay, the interstate, so to speak,
to get from, you know, where I'm at to where I'm going, is this one. And so I'm going to take that
path and kind of follow that direction. And it kind of simplified that problem quite a bit.
Now that's kind of like the offensive use case. What we realized is that if attackers are using that, and they know kind of where they're starting and where they're going, the defenders can do like kind of the inverse, which is, I know the resources that I want to protect. How do I flip that over and say, what are all the different routes that attackers can take from anywhere in the environment to get to this thing that I consider to be really important, right? And then what you would do is you start remediating those permissions, right? So there's a lot of times you would have something like the authenticated users group.
would have admin over a domain controller, like all kinds of crazy configurations like that.
Those configurations may survive in an environment for 15 years. Nobody knows about it.
And then a red teamer finds it, right? What if we can just find that from the get-go
automatically in one quick step, basically? It's kind of the general idea behind Bloodhound
and then Bloodhound Enterprise. Now, of course, when you're talking about moving towards your target,
right? So you might say, okay, well, we want domain admin, right? You land on a box and it's,
you know, Sally or Rob in HR or in a call center or whatever.
Okay, you pop up on that machine, you have a look around.
You know, as you point out, you're a long way from that domain admin.
So when you're talking about actually moving towards them,
I'm guessing that means, hey, you might need a shell on this box where there's going to be some juicy stuff,
or you need to compromise that user account or one of the user accounts as part of this group,
which gets you this next thing, which gets you the next thing, which gets you the next thing.
I mean, that's basically what you're talking about when you're talking about moving through the graph.
That's right. That's right. Yep. And what we think about is a lot of times we list out kind of like what we're doing is we're graphing relationships between resources. So imagine you have a user as a resource, a group, as you mentioned. There's going to be permission. So for instance, a user might have the ability to add another user or themselves to a group, right? They're not a member of the group, but they might have the ability to add themselves to the group. Maybe a user has admin control over a computer. The way that we are able to make inference from that is that if I have admin control to a computer,
I can compromise any user that's logged on to that computer.
And so if I understand what users are logged on,
I now have kind of a target list of who I can attack
and why I might want to move to that computer in the first place.
And so you start to build up those relationships of what permissions facilitate,
we call them like primitives, escalation primitives.
So what permissions facilitate my ability to take over additional identities, for instance?
Now, of course, Bloodhound, I think it came around about, what, 10 years ago?
It's been around for about 10 years.
O.G. Blahdown.
Probably the worst person to ask this, but I think it was probably 2017, 2018, maybe.
Yeah, so somewhere, I mean, you know, crazily enough, that's like, it's 2026 next year.
So from there, though, I mean, obviously one of the big changes these days is like, okay, there's AD everywhere, right?
We all know that AD is everywhere, and it's probably not going anywhere for quite a long time, so it's always going to be useful there.
but we are seeing more and more basically every enterprise worth its salt now it's kind of what you would call a hybrid environment where you've got either entra or octa plus AD and you know connected together with duct tape and bubble gum and like you know ice cream sticks you know like the the whole thing so at some point you guys realized that you needed to make this about more than just more than just active directory right yeah so just kind of a little background I I run the research
team at SpectorOps. So they're the team that is kind of building out these, these different
attack paths that kind of like understanding these permissions and that kind of thing. And we started
to move into to mapping or graphing Azure environments, right? And so we had AD moved into Azure.
And one of the problems was is that you would, you would do the research and then you would
try to integrate it into the product. And the product wasn't built originally to be super extensible.
And so it would take quite an effort to actually like add new attack pass or this new environment.
And so like honestly, I'm gonna I'm gonna shade you a little bit here and say you guys were a little bit slow with the with the with the Azure slash Antra stuff like
Oh for sure for sure. Yeah and like we we had done a research project on but that's because it's hard. Yeah, it's hard and I don't know that like when we built the original bloodhound
We we we had the idea of active directory in mind. I don't think that we thought that it would go beyond that
Initially and so you know we didn't plan for it which yeah was a tool it was a tool to use on pen test it wasn't like a an
enterprise like Google Maps for, you know, user accounts and entities kind of platform.
And like, and it was also before this whole idea of identity really took off.
Like I, it's interesting because red teamers really have always kind of like targeted identities, so to
speak. The idea is is always how can I take control of user accounts or computers, which are
also identities, to then gain access to more and more resources, right? So you're like,
you want to accumulate access throughout the course of your, your, your operations.
right so that you could then have access to whatever your target is but at the time like there was no idea of identity security in the in the context of the overarching kind of infosec arena
oh 100% because the way you would have done it often was you would get access into okay you know so that first place of access you were talking about with fishing or whatever you might try to get you know remote code execution get the user to run something like use your access to their computer to get that computer to run a piece of code or next startup or whatever and then for
there you weren't really necessarily you wouldn't necessarily have to even touch identities right
because it was all about it was all about you know where where else you could execute code and um
sometimes you would use identities but not always right whereas now like these these identity based attacks
they are they are pretty exotic these days yeah there's there's maybe uh maybe like an argument
so imagine that you have some vulnerability on a system that gets you a system shell imagine that a system
Shell is operating as the computer identity. So like there's maybe an argument that you are always
operating in the context of one identity or the other, or maybe you were just accumulating
control over multiple identities. Nobody thought about it that way. That's just the fact, right?
And so that wasn't the conception of how everybody approached this problem. Well, because I'm even
sitting there like, as you're saying that, going, yeah, kind of, you know what I mean? Like,
it's just not the way people thought of it, right? For sure, for sure. Yeah. So,
So then we looked into GitHub.
So we had, let's say we had Active Director, we had Azure, and we took personal interest
in GitHub.
We had some red teams that we had conducted where that was a target.
These CICD workflows were really interesting to people.
Code repositories are where a lot of sensitive information is maintained, especially for
these kind of like software companies.
And so we decided that we were going to start mapping out the relationships of GitHub.
And we tried to implement that, Will Schroeder and myself.
And it took us like three months just to try to get.
everything integrated and we're like, this is not a sustainable plan. And so we had long had this
idea that we should try to change this to be more extensible. And that's kind of where this open
graph idea came from, which is, what if we create a schema that's kind of like an open schema that
everybody understands and then you just output data, you build a collector to query whatever
platform you want, you output your data in this specified format and you're able to build arbitrary
edges, arbitrary nodes in the graph. And now you could represent permissions.
Or even we've had people that have built open graph extensions that go outside of kind of like this identity security use case, right?
They're just leveraging the overarching system to represent relationships between things.
And I could get into that if we're interested.
But it's kind of a fun experiment of work ago.
Let's just take a step back, right?
Because you're talking about GitHub.
And I guess one of the reasons you want to, you know, extend out to there is because, you know, once upon a time, you wouldn't have had unified authentication.
or a unified directory covering developers logging into a platform like GitHub.
Like it would have been a standalone thing that the dev team would manage themselves.
And these days it's like there is an entry group or there is a, you know, there's a directory
group for those users.
Which means that, yeah, I mean, it's great having that centralized kind of control over
permissions and authentication and whatnot, right?
So like SSO is really cool like that.
But it also puts them, they become nodes on a graph at that point.
They become targets on a graph, which in many ways, I mean, you're still ahead, right, by using
unified SSO for something like GitHub.
But that's really why this came about, right?
Is the success of, you know, SSO extending the directory out into places where it traditionally
hadn't been.
That's right.
And like, we just ran into this at Spectreop.
So there's a lifecycle management problem, right?
Which is when somebody leaves the company, for instance, you have to offer.
board them from access to all these different systems. And how do you do that if you don't have a
centralized place to keep track of it? Right. And so SSO is not just useful in like maintaining somebody's,
you know, you have one password and you can access everything. It's how do we make sure that when,
when we have turnover for whatever reason, we're able to revoke access to these systems that
somebody doesn't need or maybe somebody changes within the company to a different position.
They don't need access to these, to these different resources. Maybe we can, we can manage that in one
place. And so, yeah, as we kind of look into it, what we started to realize, especially like
in something like GitHub, is you have the identity management is actually fairly spread out
across different teams. So imagine you have a GitHub administrative team, right? And that
GitHub administrative team is different than your active directory administrative team.
And what happens is when you stand up your GitHub organization, typically organizations will set up
SSO of some kind. Maybe they even use SCIM, which is the system for cross identity management,
is how do you automatically provision? Let's say you have a user in Intra and you want to automatically
give them access into GitHub, you would use a SCIM provider to be able to generate that user
account on the GitHub side, right? And so now I'm able to say, okay, I'm going to have a whole
set of groups, as you mentioned, in Intra. And as I add users to those groups, it's going to
a, create a user in my GitHub organization, but B, it's going to assign them to certain groups
within GitHub as well. There's this like kind of relationship across that. And that,
that becomes this it expands exponentially what the attack surface is here right now now you have to worry
about anybody that can get control over your Azure environment now has control over your GitHub
environment but where this really gets crazy is you know when Bloodhound first came out we had this
problem of like nested group memberships right and so there's this whole idea of like you have to
unroll the groups to understand who has access to what or who has what permissions and there
was this there was this big problem that we tried to unroll there's almost like this one level up
There's the same problem, which is I have a GitHub organization.
I've set up SSO from Intra into GitHub, but then I've also federated my Intra into Active Directory.
So now there's an Active Directory account that's tied to an Intra account, which is tied to a GitHub account.
And the GitHub administrator may not even know about that federation between Active Directory and Intra.
And so now there's this attack service that they're not even managing.
And there's almost a point where...
I mean, what you're saying is that that GitHub account, which might only be used for logging into
GitHub is now also an active directory account on the local network. So if someone gets that
GitHub account, they can fish it or whatever, happy days onwards and upwards through that customer's
AD. That's right. Yeah. And the inverse direction as well, right? So that that becomes a massive
problem. And what we find is that those gaps between systems are almost nobody's responsible for it.
And so it's this problem that exists to where nobody is really paying attention. Like you might
you might be worried you might have somebody who's responsible for active directory and they're trying to reduce the attack pass to tier zero in active directory and then you have somebody that's in charge of intra and they're worried about attack pass to tier zero and intra but what they're not paying attention to are what are the attack pass from active directory into intra to where for instance you might have a non-privileged user in active directory that is tied to a privilege user that is tied to github and now they can access your github repositories as a result of that.
So it's just this big mess.
Well, it is.
And it's funny just as you were talking about that.
And, you know, there's that whole the identities of the new perimeter thing, which I actually, you know, I think about like maybe 12 months ago, I actually turned around and said, you know what?
That's actually probably right.
At this point, that that probably feels right.
But you just think how we used to say unmanaged machines were the thing that would get you owned, right?
And that's been, you know, a mantra for like 25 years, right?
like an un-patched, unmanaged machine is what will get you.
You know, and from what you're saying, you know,
it seems like now an unmanaged identity is what's going to get you, right?
It seems like a very similar sort of, like an improperly managed identity
that no one's really responsible for.
It's just kind of fallen through the cracks.
It can be used in all sorts of ways that it was never intended to be used.
And, you know, that's what's going to burn you.
You know, we talk about this idea of least privilege.
I was doing some research.
probably six months ago now, but trying to figure out when was least privilege first uttered
by somebody in any meaningful context. And I found the first white paper in the academic
literature that talked about least privilege. It was from 19, what was it, 1975, so 50 years ago
was the first time somebody talked about least privilege. But what ends up happening is
least privilege is a negative testing philosophy where you have to validate that you have
the privilege to do the thing that you need to do. But then you have to also,
validate that you don't have any additional privilege beyond that. And so that's a, you have to
negatively test that, right? But what we find is that most people are doing enough privilege,
which is, and I think people don't appreciate this enough. I think intellectually, we all understand
this once you start talking about it, but you start off with a certain set of privilege,
just naturally, right? That, like, every user is going to have some amount of privilege to begin with.
And then you are adding additional privileges so that they can accomplish whatever their job
role requires them to accomplish. But then you never go back and say, okay, we finally got them
to the point to where they can do what they need to do. Now let's go back and take away everything
that they don't actually need. Right. And that's... Yeah, so, so you know, Travis McPeek
used to work at Netflix a long time ago. He wrote a thing, he opened sourced it. It was called
repo kid. And the whole point of repo kid was it was monitor all of like the AWS stuff that
they were using at Netflix. I think it was AWS. And if there were permissions that those accounts
weren't using it would just remove them. Oh, okay. So that was like...
It's kind of monitoring.
Yeah, yeah.
Just over time it would chop it back, right?
So it was called Repo Kid as in like it repossesses the, you know, permissions, but it was very cool.
So look, let me just ask you another question on that, on that GitHub thing, right?
So we've talked about how you've gone from AD to now, you know, Entra.
You keep calling it Azure, which is really funny because you're thinking Azure AD, which is why I still call X Twitter.
Same thing.
So then you've gone off to Azure AD slash Entra.
Yep.
And then you're like, well, hang on, we got some cool stuff with GitHub here.
And then pretty quickly you could start seeing, oh, well, you know, there's other things I would like to bring into this graph.
Like one thing that I'm thinking here, and it's a, it's, I don't know if anyone's done this, because I imagine it would be really difficult.
But, okay, say you are looking at a GitHub user, have a look at the repos they've got access to.
Yep.
Throw trufflehog at that.
Yep.
And see if you can find out what secrets they have access to and where those secrets get that person.
Now, that might be a little bit difficult because sometimes you're going to be finding secrets and you don't know where they belong.
However, however, you know, is this the sort of thing that you can do now with Open Graph, which is the part of Bloodhound that lets people sort of build their own integrations into.
Yeah, so, okay, so we built the GitHub Open Graph extension.
So we call each of these new platforms, we call them extensions.
So we built that.
And then we had one of our research or one of our consultants, J.D. Crandell,
and he started looking into what he calls SecretHound.
And so this is more of like a generic approach,
but he used GitHub as the first example
to where he used GitHub has a secret scanning interface.
So they're looking for kind of secrets
that are in plain text in the contents of your repositories.
He also used Trufflehog,
and there's a few other examples,
Nemesis, which is one of the platforms
that we built from SpectreOps
to be able to process and look for files
that have passwords in them.
And so what he's doing is he's integrating that,
and then he's drawing nodes and edges
as a result, right? And so one of the problems that comes about with that that makes it a little
bit difficult is you often, it's one thing to figure out that there's a secret. It's another thing
to figure out what user or what organization or what tenant that secret is associated with.
That's literally what I just said then, which is like I imagine it would be difficult to actually,
okay, well, it's a secret, great, where does it go? What does it unlock? And that's going to make it a
little bit difficult to put on a graph. But some of them, I'm guessing you could. Yeah, his solution
so far, and I think it's, it kind of depends on how you find the secret and what secret it is.
But like, for instance, if you find a GitHub PAT, for instance, personal access token, you usually can
hit the GitHub API and there's like a Who Am I type aspect, so then it will just return the context
that that PAT belongs to. So you can do stuff like that. He's also found that what he does is he
just draws an arbitrary node. So imagine that each of these graphs, there's the gigantic
graph, which is the whole world, right? And then there's
what we call subgraphs,
or like there's a GitHub subgraph. It's almost
like a continent or like an AD subgraph,
which is another continent. And so what he's doing is
he's just dropping a node when
he scans GitHub with Trufflehog, for instance.
He'll drop a node in the
AD subgraph that's, or
well, AD doesn't make that much sense, but in the intra
subgraph that says, hey, in this GitHub
organization, I found a secret, that secret is
related to this intratenant.
So, like, I don't know what it does. I don't know
what permissions it has. It's not necessarily
You can just call it its own, you can make it its own entity, I guess, which is, you know, path from, and you know, when you're calculating a path, it could be path from where I am now too secret.
Yep.
And this is, right?
This is more, I would say, on the enterprise side, there's, that lacks the specificity or like kind of the control that we really want to be able to point people in the right direction.
But on the red teamer side, that's useful, right?
Because it's kind of like a, that's a threat I'm going to go pull at some point.
If I feel that I need to get over into intra, I can, I at least have something that I could start looking into.
And then I could discern what's going on kind of manually.
Something funny occurred to me too there, which is once you start
auto-validating secrets that you find through this stuff,
I imagine you've got to set off a few canary alarm bells, right?
Because some of these secrets are going to be canary tokens.
Yeah, yeah, yeah.
It's a good idea from the kind of the Opsack perspective of being really careful there.
Yeah, yeah.
So onwards, right?
So what we've talked about is we've talked AD to Enter, oh my God, to GitHub,
Oh, now to secrets.
So by the time you've done this,
like just what we've talked about,
you're not going to have gotten that far
without developing a method, right,
for actually building these extensions, as you called them, right?
So then the question becomes, well,
can you now make a toolkit, and this is OpenGraph, right?
Can you now make a toolkit that makes it easy
for other people to write their own extensions?
And that's essentially what OpenGraph is,
and now you've thrown that out there to the,
the world and said have at it.
Have at it.
Now, I think that was only a few months ago.
We had one of your people on talking about OpenGraph and saying, like, go on everybody,
go have a play.
People have been actually working with it, right?
So I spoke with H.D. Moore.
I think he's got like, what is it?
Run Zero Hound or, yeah, run Zero Hound and whatnot.
But I'm guessing, you know, he ain't the only one.
What's interesting when you release a tool like this is the creative.
on display when people actually start using it is usually something to behold. What have people
been building for the, what extensions have been, have people been building for themselves? The very first
extension was within 24 hours of us releasing it. So the first extension was GitHub because that was
the one that we built as like kind of a test case. But the first kind of community extension was built
24 hours. We kind of like issued a little challenge for somebody to build it within 24 hours. We
gave them some swag or something as a prize for doing that. And some guys from Canada built
Ancible Tower Hound, I think it's called. And so it allows you to kind of see your Ancible
deployments and how things granting permissions and management over those different Ansible
deployments. So that was pretty cool. Some other ones that we built internally are like SCCM Hound.
We've also have MSSQL Hound. We have one password hound. So that's, you could see that we have
really great naming creativity.
Very creative, yeah.
Yeah, yeah. But one password hound was
pretty fun because we built it in two hours.
So that's like, obviously one password
is going to be much simpler than
say, AWS, right? So there's different
levels of complexity for the different
permission structures and all that kind of stuff.
But one password hound was pretty simple and we were
able to just like... Where are you getting the data
from one password, right? Because isn't that just like,
isn't one password like on everybody's desktop or is it
centrally managed? I don't use it. Yeah, yeah.
So there's different versions of OnePassword.
OnePassword for business is a cloud-hosted capability.
And so everybody has a secret key that they have on their laptop, which gives them access.
But then there's kind of like a central management plane that you can hit.
And so you grant permissions.
We built a collector based on OnePassword has OPECLA, which is their CLI program that allows you to query vaults and users and groups and all that kind of stuff.
And so we were able to evaluate that, build out all the relationships to where we could say,
this user is a member of this group, which has access to this vault, which has these, you know,
items.
Items are kind of like the colloquial term for passwords, logins, SSH keys, all that kind of stuff.
And just imagine, we talked about that secret hound.
Just imagine what that looks like.
That thing will explode, right?
Well, and what's really interesting there is you're going to be seeing stuff that is not SSO at that point, like at all.
you might see I mean first of all you're going to get some well I guess one
passwords the thing doing that part I mean you're going to get some interesting
inventory using something like one password in terms of like where accounts are
being created push security you know they offer a browser extension as well it's
give you that sort of information but what is really interesting is you can say
well say somebody gets this GitHub account what's the path from that GitHub
account over to this person's you know consumer grade account with this service
where they're obviously putting company data.
That's crazy.
Yeah, yeah.
Oh, yeah, there's all kinds of craziness.
I mean, you talked about the identity as the new perimeter,
and I think there's some truth to that.
I worry that that causes people to take their eye off the ball
as far as, like, on-prem attacks.
Yeah.
Right, and don't get me wrong.
Like, a lot of attackers have an incentive
to target these cloud-based platforms
because we don't have as good of security controls there.
And so if I can get what I want
without ever going on-prem,
that's probably advantageous to me as an attacker.
However, the idea is that identities are in use in your on-prem environment all the time.
So imagine you log into GitHub.
There's now a browser cookie or a session token there that I can steal as an attacker once I have control of your computer.
So it's not just about control of computer indicates the ability to take control of a user that's logged into that computer from an AD perspective,
but also imagine that every system, like if you were to dump your cookies on your laptop,
the amount of systems that you have cookies for right now is probably would shock you, right?
So like you're logged into all kinds of things.
And they could be personal or they could be business related.
There's all kinds of different relationships there.
So I think there's like identity is the new perimeter and that's going to cause us to really try to lock down things like just like raw internet access to your snowflake tenant.
Right?
You probably shouldn't have that.
But once you once you get that locked down sufficiently, now that's going to drive attackers back on prim, which
is probably a good thing to some degree because you have you have those security controls there
but they're they're going to then kind of try to route back through that to get access to these
resources as well yeah yeah and i mean it's identity is the new perimeter unless you're like
a fortinet customer yeah right and then it's like no fortinet is your perimeter and it's a bad one
i can't believe it man i was out at dinner like i go to a pub once a week with a group of
friends have a steak right usually on wednesdays after the show and i'm sitting there and there's
golf on a screen like over by the way, right, while we're having dinner. And it just kept distracting
me because apparently this tournament is sponsored by Fortinet. So I'm sitting there trying to
enjoy my steak after a show, after putting down an episode of risky biz and there is Fortnite,
Fortnite, Fortnite signage. So yeah, thank God to them. Did you know why you were being distracted
immediately or was it like in retrospect you realized it was Fortnite that was causing you the angst?
Oh no, I knew. It's like I cannot see that logo without,
becoming annoyed, basically. But I mean, I guess even in those cases now, like when a non-identity
attack becomes one, when you could just trivially pop shell on a domain joined appliance and then,
you know, then you've got the identities. That's right. That's right. Yeah. I mean,
once you get through, now you have, now you have this whole problem. I mean, there are,
there are so many different routes of this like whole open graph thing can take. Like,
I was at the Sissau Summit at Black Hat and they had the, uh, they had the, uh,
SISO of one of the telcos in Canada that was talking about that, I forget which threat group did it, but salt typhoon. Yeah, salt typhoon breach of all the, uh, tachshunders and all that kind of stuff. And it's like, imagine that you could have a tack X plus hound that would represent the, the, uh, permission structure within the like, like, critical infrastructure and routers of these, these, uh, telcos. Like that, that's a real thing. And like, nobody, nobody understands what that looks like. I'm sure it's just this gigantic mess of, of,
And I'm not even sure, like, one of the hard things would be, does one organization sufficiently
control those resources to be able to actually put together a coherent, cohesive map?
Right? Because would we have to get everybody on board to actually understand?
I don't even know how the router infrastructure is laid out enough to know what the,
what the questions that should be asked are for that.
Well, I mean, I think anyone who attempts to understand those relationships is sort of going to
wind up with the mental state of Jack Nicholson at the end of, what was that moving?
be the pledge where he winds up sort of a crazy alcoholic wandering around the streets near a gas
station at the end of the at the end of the film for sure um bit of a deep cut that one sorry uh sorry
everybody um so look okay so we've talked now about uh all sorts of integrations uh but these are the
ones that you've sort of worked on as well right like what have customers done that that's sort
of been like well you that that that surprised you right because everything that we've spoken about
it's like yeah that makes sense but there must have been some stuff where it's like you're using
it to do what? Yeah. Okay. So let me, let me hit a few that are like really, really cool. So one was
run zero hound where we we thought that like another vendor trying to visualize their stuff in
Bloodhound was super interesting to us. Like obviously that's advantageous from our perspective.
Another one was ping one or ping identity reached out to us to build a graph for them. And so that
was like they took an interest in trying to help their customers realize where they had made
configuration issues. And so that I mean every single, every single identity provides.
right, I should be doing this.
Yes, yes.
I mean, we love it because they gave us access to a tenant that we could do the research
in, and then they would respond to us when we had questions about, hey, this is what we're
seeing.
Is this what you actually intended to happen?
Some cases it was intentional.
Some cases it wasn't.
And so that was really, really useful.
And, like, getting access to these platforms is actually quite difficult for SpectorOps
because we, A, are known as a red team.
And so a lot of organizations don't want to sell their tool to a red team.
And then the alternative is that we're also a small business.
And so sometimes it's hard to get salespeople to care enough to sell you a license for like,
you know, 10 users or 200 users even.
And then we have like some really interesting ones.
We had a customer that did CyberArk hound.
And so imagine that like imagine that CyberArk has all these passwords in them for,
especially for privileged users.
And these privileged users are accessible from Active Directory users.
So imagine that you now can start to map out, I have control of this active directory user,
what privileged accounts do I have access to in CyberArk?
So that's pretty interesting.
And then a community one that is really cool is V-Centerhound, so understanding like your virtualization infrastructure.
One of the things that we find is that the same like physical computer, or it might not be physical,
but the same literal computer might actually be a node across several different subgraphs.
And so imagine that you can have a computer that is an active directory computer.
It's an intra device.
It's an intune device.
It's an SCCM client.
It's a V-Center VM.
And so now what you're doing is you're tying these together because if I get control of that AD computer, I also have control of all these other systems as well.
Or, you know, if I get control of V-Center, I have the ability to have physical access, so to speak, to an active directory computer.
And a lot of organizations will run their domain controllers in VMware.
I mean, I'm sort of mildly horrified by, you know, a lot of the stuff that you're saying,
because you're talking about SCCM and V Center and I'm just like, oh, unclean, unclean.
But, you know, people are still running this stuff.
You've got to meet them where they are, right?
All over the place.
Yep, yep.
It's all over the place and it's been, uh, really we think of the graph as being, uh, representation
of entropy.
So imagine that a, a clean environment that has, uh, very few attack pass is not the natural
state of being, right?
So it takes a lot of work to get there.
And then over time, what happens is you're making configuration changes.
And those configuration changes, a lot of times there's this phenomenon to where
when you think about a single configuration change, it's very easy for us to conceptualize
what the impact of that single configuration change will be.
So it's like, I add this user to the group, to this group.
I now know what's going on there.
But then you think about the fact that over time, you're having millions and millions
of these configuration changes.
And it's very difficult for you to understand what the net effect of that is going to be
and what it is is entropy.
So you end up causing all kinds of problems,
and that's where these attack paths come from.
It's like,
imagine that you've been doing that for 30 years
and nobody's ever tried to get a, like,
get a grasp of what's going on.
And so then you clean it up,
but then once it's cleaned up,
it's not just a one and done thing.
It's, you have to maintain it over time.
Yeah, yeah, it's like gardening.
You know, like it's going to get woolly.
It's going to get overgrown, you know,
depending on what season it is as well.
It's sunny.
It's been raining.
It's a lot of grass.
So look, we're heading towards the end of this.
now, right? But one of the things that we were going to talk about is red team wins that you've had,
particularly with, since you've extended the graph, since you've opened it up, opened it up.
And I mean, you've alluded to some of them there with like, you know, the one password stuff and
whatever. But I'm guessing you've got, because, you know, Spectrop still does off-sec. And well,
might I add, if you are looking for top-tier pen testers, I've sent a few your way.
You know, and these, the top-tier shops are like sort of thinning out a little bit these days.
they keep getting acquired.
You know?
Yep.
That's the danger of the life, I guess.
That's the danger of the game.
So, you know, if you are looking for a top-tier pen test crew,
SpectorOps are very, very good.
So what are some of the wins that your teams have been able to chalk up with OpenGraph?
Yeah, so imagine that as we build out the graph, the graph is like kind of our map, right?
So we're trying to map out what's going on in your environment.
And a lot of times the red teams are able to live within the confines of the map, right?
So like active directory, there's a lot of time spent in active directory, and it's pretty well
mapped out, right?
Like, it's pretty well understood.
But occasionally, the Red Team has some target that takes them into uncharted territory,
so to speak.
They're bushwhacking their way through.
On the research team, we're trying to be as comprehensive as possible when we're building
out these extensions, because that's going to go into the actual product that we sell.
But the cool thing about OpenGraph from a Red Team use case is that it's utilitarian, right?
And so you can map only as much as you need to accomplish your goal, right?
You don't have to be comprehensive.
You don't have to understand every nook and cranny of the territory to really map this out.
And so probably the coolest one is we were engaged by a company to understand their CICD pipeline.
And we found that there was a relationship between GitHub and the way that they had configured OIDC into AWS.
And we found that we were able to use the GitHub graph.
to represent what users in their GitHub organization,
and it actually extended into Octa,
had access to GitHub repositories.
But then the thing that the Red Teamers found
was that if you have the ability,
based on AWS policies,
you were able to,
that access to those GitHub repositories
would allow you to assume roles
in the context of AWS.
And so we're able to draw those relationships
and say,
these 20 users have the ability to take over,
to gain,
these roles in AWS across like four or five different AWS accounts. And it was, like, it was
extensive, the amount of access that you can get as a result of that. So it's all about kind of that
utilitarian. It's like, I have this target. Let me, I try to figure it out manually of how I would get
there. And then it's like, let me go back because I only found one example, right? But there's almost
always more than one example. And so it's like, let me go back and actually build that out and see
what it looks like when I do a comprehensive look at what's going on. And so this is, and then that kind of
allows us to extend, extend those extensions, I guess, as based on real life experience. Like,
when I built out the GitHub extension, I had no idea that you could even do this configuration with
AWS. And I would have never figured it out because I was looking at GitHub kind of in a silo.
Well, that's the thing. And that's what I was just about to butt in there and say, which is that,
you know, you can't just surface these types of configuration issues without a graph
because there's nowhere to see them.
That's right.
You know, which is interesting.
But it's, you know, I mean, you do sort of rub your temples a little bit when you realize
that these sort of problems can exist.
That's right.
Yeah, it's one of those things to where we now, I think we have like more than 20 extensions
and as you start to see these things kind of like come together, we're really interested in
the hybrid aspects.
So it's like how are these things tied together?
And it's a little terrifying.
It makes me definitely, you talked about SSO.
It makes me second guess whether SSO is a good thing for security
because once you start seeing how everything is tied in,
you're like, oh boy, that's not, that's a little scary.
Well, don't forget the problems that we've solved, right, with orphaned accounts.
And like, it was, it's just a new type of horrible, right?
That's right.
But I mean, my question too is like, you know,
there must be cases where you've seen an attacker land on a box.
And they've had these amazing paths and they just haven't been able to figure them out because maybe they're not using Bloodhound.
But like this happens all the time.
It's a story I tell like basically every single time I talk to you guys, which is I know someone who was Ophay with a incident response on a major organization where they discovered that every single entry user had intune admin rights.
Oh boy.
Across the whole log.
And that wasn't actually what got them owned.
It was something.
Yeah.
And there, you know, there's certain primitives, I guess, that are more familiar to people, right?
And so people are going to tend to use those well-trodden paths.
So, like, I made a comment about the interstate, right?
Imagine that there's dirt roads as well.
And so, like, the interstate is the thing that most attackers are probably going to use because
they built it in their toolkit.
It's wide open, right?
And then there's going to be certain targets that attackers or red teamers are going after
that caused them to change their tradecraft,
or maybe as you start to eliminate those interstates,
they're going to have to find new tradecraft as a result of that.
But yeah, there's almost always, like,
we're never going to be comprehensive.
That's just the nature of the beast, right?
We're trying to show as many of these attack paths as we possibly can,
and hopefully people will remediate those.
We give them instructions on what they can do to remediate them.
We show them where the biggest bang for your buck is
as far as like that effort that you can spend.
But yeah, over time, like when an attacker has access to a computer,
there's probably, there are almost 100% ways for them to gain access to systems
that they don't know about, we don't know about,
that are just sitting there staring them in the face,
and they're yet to be discovered.
Yeah.
But they can use bloodhound.
And speaking of, that's the last thing I just wanted to ask, right?
So you've got, you know, your open source version of Bloodhound,
which a lot of red team is and whatnot use.
Then you've got the sort of more.
enterprise-y platform type of Bloodhound, which is the more commercial product.
OpenGraph, I'm guessing, it's in both. Is that right? Yeah, so currently, kind of like the
minimum viable product of OpenGraph is really targeted at the open source version, although it
works in both. The distinction there is that it gives you the ability to put data into the
graph and then run cipher queries across that data. So you can start to ask questions like,
I have control of this user account and GitHub, what repositories do I have right access to?
So you could ask that question.
One of the problems is that Cipher tends to be more of like an expert kind of tool, right?
So a lot of people don't have expertise with Cipher.
And so asking those questions becomes a little bit difficult if you're not familiar with it.
There is an effort currently to expand Open Graph to support things like findings, which are an enterprise-only feature, the ability to expand it to do
pathfinding, which is like the point A to point B, show me the shortest path type approach.
So right now it's limited to that cipher query capability, which is mainly a feature of the
open source product, but it also is present in the enterprise product, although it's not the focus
of the enterprise product. But over time, and probably about the next six months or so, we expect
to have like a full complement to where you could do the enterprise level remediation of GitHub,
for instance via OpenGraph without using well using the enterprise product yeah excellent
all right Jared Atkinson fantastic conversation about OpenGraph I have a feeling that um yeah a lot of
people are going to wind up using this I should also point out too that um you know it's something
I've said before when we've had spectroops people on the show this stuff is actually reasonably
priced right considering the bang for buck you get going through some bloodhounding if you are a
organization of any sort of scale you're kind of nuts if you're not doing this because it will it
will help tighten things up in a way that could save your bacon so Jared Atkinson thank you
very much for joining me to talk through all of that it was very very interesting cheers
thank you pat great talking with you as well thank you everybody