Do you think MFA and Single Sign-On (SSO) are enough to protect your organization? According to Justin Kohler, Chief Product Officer at SpecterOps (the creators of BloodHound), attackers are routinely bypassing these controls by stealing post-authentication material and exploiting complex, hidden attack paths. In this episode, Ashish sits down with Justin to discuss why "Least Privilege" is a broken concept when viewed in isolation. Justin explains how seemingly harmless permissions, like the ability to reset an account or push code to a GitHub branch, can be chained together to completely compromise an AWS tenant. We also explore the massive technical debt hiding in 30-year-old Active Directory deployments, why Microsoft's built-in tools only give you a fraction of the picture, and how the "messy middle" of connecting identity providers (like Entra ID and Okta) to cloud infrastructure creates a playground for attackers.
Questions asked:
00:00 Introduction
02:50 Meet Justin Kohler and SpecterOps
03:20 What is BloodHound? (Google Maps for Attackers)
03:50 Active Directory: 30 Years of Technical Debt
05:10 Identity Sprawl: Connecting On-Prem to AWS and GCP
07:20 Why Active Directory is NOT the Source of Truth
09:10 Microsoft's Security Tools: Why You Need External Validation
11:10 Why MFA and SSO Will Not Save You
13:40 The Broken Concept of "Least Privilege"
14:50 Case Study: Pivoting from GitHub to Full AWS Compromise
16:50 The Devastating Risk of Non-Human Identities (Backup & SCCM Accounts)
20:00 The Ring Camera Analogy: Why Detections Aren't Enough
23:20 The "Messy Middle": Creating Risks by Connecting Systems
30:20 How Anyone Can Use BloodHound (And Why You Should)
33:50 Shocking Stat: 100% of Customers Start Fully Exposed
35:10 The Future Risk of AI Agents and Just-In-Time Provisioning
36:30 Fun Questions: Vegemite and Crocodile Jerky Tasting
37:40 Hobbies & Family: Woodworking and 4 Kids
39:20 Favorite Food: Oaxacan Mexican Cuisine
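The show notes above describe the core argument of the episode: a per-identity least-privilege review looks at one hop ("what can this user directly touch?"), while an attacker walks the whole graph (user pushes a branch, the branch triggers a workflow, the workflow assumes an AWS role, the role is an administrator). The following Python is an added example, written for this page; it is not code from the podcast, from SpecterOps or from BloodHound, and every identity, group, repository, role, account ID and relationship name in it is constructed for illustration. It shows why the one-hop view passes a review that the transitive view fails.

```python
"""Toy attack-path reachability over an identity graph (added example).

Nodes are identities or resources; edges are (source, relationship, target).
The relationship vocabulary is a made-up, BloodHound-style naming scheme and
all names below are constructed, not taken from any real environment.
"""
from collections import deque

# Constructed sample graph. Two chains are modelled:
#  1. alice -> DevTeam -> repo -> deploy workflow -> AWS role -> AWS account
#     (the "push code, end up owning the tenant" chain from the show notes)
#  2. bob -> ResetPassword on carol -> BackupOperators -> dc01 -> corp.local
#     (a "harmless" reset right that reaches the domain)
# The account ID, repo, role and domain names are all invented.
EDGES = [
    ("alice", "MemberOf", "DevTeam"),
    ("DevTeam", "CanPushBranch", "repo:acme/api"),
    ("repo:acme/api", "TriggersWorkflow", "workflow:deploy"),
    ("workflow:deploy", "AssumesRole", "aws:role/ci-deploy"),  # CI trust, assumed
    ("aws:role/ci-deploy", "AdministratorAccess", "aws:account/123456789012"),
    ("bob", "ResetPassword", "carol"),
    ("carol", "MemberOf", "BackupOperators"),
    ("BackupOperators", "CanBackup", "dc01"),
    # Assumption for the toy model: backup rights over a DC are treated as
    # control of the domain it serves.
    ("dc01", "DomainController", "corp.local"),
    ("dave", "MemberOf", "Helpdesk"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, target)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])  # make sure sinks are known nodes too
    return graph


def direct_permissions(graph, identity):
    """What a single-identity least-privilege review sees: one hop only."""
    return sorted(graph.get(identity, []))


def find_path(graph, start, goal):
    """Breadth-first search; returns a list of (src, rel, dst) hops or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def exposed_identities(graph, goal):
    """Every node (other than goal) from which goal is reachable."""
    return sorted(n for n in graph if n != goal and find_path(graph, n, goal))


def render(hops):
    """Human-readable rendering of a path, e.g. a -Rel-> b -Rel-> c."""
    if not hops:
        return ""
    return hops[0][0] + "".join(f" -{rel}-> {dst}" for _, rel, dst in hops)


def main():
    graph = build_graph(EDGES)
    for who, goal in (("alice", "aws:account/123456789012"), ("bob", "corp.local")):
        print(f"{who}: direct permissions = {direct_permissions(graph, who)}")
        print(f"{who}: path to {goal} = {render(find_path(graph, who, goal))}")
    print("exposed to corp.local:", exposed_identities(graph, "corp.local"))


if __name__ == "__main__":
    main()
```

Read `direct_permissions` as the reviewer's view and `find_path` as the attacker's: alice holds exactly one group membership, which any access review would wave through, yet the graph gives her a five-hop route to administrator on the AWS account. `exposed_identities` is the "how much of the environment is exposed" number that the conversation later asks for; on a real directory the same breadth-first search is what turns a list of individually reasonable permissions into a count of attack paths.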
Justin Kohler: [00:00:00] BloodHound is used in probably 95% of penetration tests worldwide. It weaves through identities and permissions. It basically is like Google Maps for attacking an organization. A hundred percent of the accounts that we looked at were doing it, and 70% of 'em were doing like the most privileged roles, which is like a huge no-no, but everybody's doing it.
Ashish Rajan: game over moment.
Used to be, I have domain admin access. Yep. Because that's still.
Justin Kohler: Yeah, unfortunately you can sprawl out to other systems. You've already satisfied the MFA and if I have access to your system, I can now operate as you. I have no need for your password. I don't need your MFA at all.
Ashish Rajan: Does that mean over 30 years we've also diluted our trust model quite a bit?
Justin Kohler: Good. In a 10,000-identity environment, which is not a lot, you're looking at an average of 22 million different attack paths. If I phished a random user, I would have a seven or a ten out of ten chance of completely taking over their environment. Is everyone this bad?
Ashish Rajan: We have had Active Directory, yes, for 30-plus years, and we still use Active Directory in a lot of organizations to manage identities, not just within the environment that is your network ecosystem, but also across [00:01:00] employee identities, identities across federated systems like the SaaS services as well.
This has come a long way. I had a chance to speak to Justin Kohler from a company called SpecterOps, which is behind the well-known open source pentesting tool called BloodHound. Now, if you are a pentester or a person with an offensive background, you have probably heard of BloodHound before, and how effective it has been at identifying some of the blind spots that most Active Directory deployments have.
Justin and I unpacked a lot of this in terms of how this has evolved and changed over the years. Specifically, how today Active Directory is a lot more complex: from simply getting a network admin to now potentially getting access to laterally connected systems as well. All that and a lot more in this episode. So if you have been working in the Active Directory space, or are probably looking to uplift some of those capabilities on how pentesters may be taking advantage of your Active Directory, then this is the episode for you, or share this with someone who may be looking at the same topic as well.
As always, if you happen to be listening or tuning into the episodes of the podcast for a while and have been finding them [00:02:00] valuable, I would really appreciate it if you take a quick second to hit the subscribe or follow button on whichever podcast platform you may be listening or watching this on. We are on all platforms, including Apple, Spotify, YouTube, and LinkedIn.
It's a free thing for you to hit the subscribe follow button, but it means a lot to us because it helps spread the word to many more people too. I also wanna say thank you to everyone who came and said hello to us at RSA. It was really great to finally meet a lot of you and also hear the feedback that you had about the work that we do here.
Thank you so much for the love and support. I look forward to seeing you at another event as well. I hope you enjoy this episode with Justin. I'll talk to you soon. Peace.
Justin Kohler: Hello and
Ashish Rajan: welcome to another episode of Traffic b podcast for Justin. Thanks for coming on the show, man.
Justin Kohler: Yeah, thank you for having me.
Ashish Rajan: To kick things off, if you can share a bit about yourself, yep, and your background as well.
Justin Kohler: Yeah, I'm, uh, so my name is Justin Kohler. I'm the Chief Product Officer at SpecterOps. We're well known for creating the very popular open source product BloodHound. And, uh, we have an enterprise tool called BloodHound Enterprise.
Yeah. Very creatively named, uh, that basically turns the problem on its head.
Ashish Rajan: Uh, and what is BloodHound like, and obviously [00:03:00] it's an open source project. Yep. What is BloodHound?
Justin Kohler: Yeah. So BloodHound is, uh, used in probably 95% of penetration tests worldwide. Um, it weaves through identities and permissions.
It basically is like Google Maps for attacking an organization. Yeah. Uh, historically we started it off in Active Directory 'cause that's the kind of wet, gooey center of most organizations. Yeah. Um, and then after that we bolted on like, uh, Entra ID for hybrid environments and then last week we announced a bunch of extensions.
Um, and that's where we're going this year.
Ashish Rajan: Interesting. And wait, so Active Directory, obviously, makes me feel really old as I say this. Yes. Is Active Directory still in quite a bit of use, uh,
Justin Kohler: everywhere? Yeah, I, I think a lot of people are very sad that it's still in use. Um, unfortunately it's kind of the backbone of most organizations today.
I mean, even like very modern, like cloud native companies. Yeah. Um, or they'll have some form of like Entra ID or AWS IAM, right? So like, uh, but Active Directory I would say is in 90, 95% of the enterprises worldwide.
Ashish Rajan: With Active Directory, and obviously, is it still the same that it was 30 years ago, [00:04:00] or has it changed?
Justin Kohler: No, I mean it's changed over the years for sure. For the better. But you can only patch so much and honestly, the things that BloodHound finds are not patchable. So we're not talking about vulnerabilities necessarily. Yeah. Where you can just push a patch and then it's fixed. Uh, we're talking about like basically people just configuring the system because it's so,
you can customize it so much. And this is, again, no different than AWS IAM or GCP, it's just Active Directory's been around for 30 years.
Ashish Rajan: Yeah.
Justin Kohler: And so there's so much technical debt built up.
Ashish Rajan: Mm-hmm.
Justin Kohler: So, uh, you know, some admin that set it up 20 years ago is left. Yeah. And they have no idea why they put that permission there, but it just takes us to find it and exploit it.
Ashish Rajan: Oh. Because to your point about now even cloud native people using it, so we have AWS connectivity, I mean, or Azure, you're already on it as well.
Justin Kohler: Yep.
Ashish Rajan: So are there instances where people are a combination of active directory, EntraID?
Justin Kohler: Yes.
Ashish Rajan: And so on.
Justin Kohler: Yeah, I'm, I mean, I'm, I'm making a, I have a presentation today and it's funny 'cause like you see these IAM architecture maps that are all very well laid out.
And then in [00:05:00] reality it looks like this mess of like, have you ever seen like those, those, uh, power pole systems where like immensely overloaded with cables running everywhere? That's what it really looks like on the inside. I mean, it's a combination of, you know, identity teams today are probably managing,
oh God, at least probably 10 different, uh, identity systems. Right? Like when you think about the directory, they're gonna manage Active Directory for sure. They're probably gonna be in a hybrid environment, so they have some form of Entra ID, even if they don't host workloads in Azure.
Ashish Rajan: Yeah.
Justin Kohler: Then they'll probably connect to AWS and GCP. Whenever I talk to customers, I'm like, where are your workloads hosted? Are they in AWS or GCP or Oracle or whatever, and like, eh, we get like a little bit of everything.
Ashish Rajan: Yeah.
Justin Kohler: So that just like compounds the situation. And then you have again, like, SaaS or, uh, CI/CD or developer systems.
So like, you'd be in like GitLab or GitHub or so, it's just like this combination of mess. Uh,
Ashish Rajan: but does that mean, 'cause you know how, um, at least when I started my career in identity, the whole idea was that a single source of truth for identity, that was Active Directory. 'cause the whole [00:06:00] idea, I remember, used to be that
The game over moment used to be I have domain admin access.
Justin Kohler: Yep, yep.
Ashish Rajan: So is that still a thing?
Justin Kohler: Yeah. Oh. So if you reach domain admin in an Active Directory context, typically you can do whatever you want and unfortunately you can sprawl out to other systems. So usually, well, Microsoft tells you not to do it, but everybody does.
When you have a hybrid environment, you'll have like an Azure-only account, and you'll have an Active Directory on-prem account, and you're not supposed to sync privileged roles. And we created this like two years ago. We developed the visibility to see if you're syncing roles.
Ashish Rajan: Yeah.
Justin Kohler: And literally a hundred percent of the accounts that we looked at were doing it and 70% of 'em were doing like the most privileged roles, which is like a huge no-no.
But everybody's doing it. So usually, if you compromise Active Directory, you're gonna get into the management plane of something else too. Yeah. We've seen that with like Jamf for managing Mac fleets. We've seen that with, uh, Okta for sure. It's kind of the, yeah.
Ashish Rajan: So, I mean, so I guess to your point then, [00:07:00] uh, when you say that, my question then goes with the, so does that mean over 30 years we've also diluted our trust model quite a bit?
In terms of that, it's not just my active directory, it's a source of truth, but I also have Okta.
Justin Kohler: Oh yeah. Oh yeah. It, it's funny because, uh, it's, so even in Active Directory, there are things that you wouldn't think would be the case and they're totally not. So, for example, in Active Directory, a domain controller is seen as the source of truth of all that is organized, right?
Yeah. But it's not, uh, so on a Windows host deployed in an Active Directory environment, the internal permission set can be wildly different than what you'd see if you just interrogated a domain controller. The internal permission set of that computer can be wildly different, which is bananas.
The first time I saw that, I was like, there's no way that, that's a thing. And then if there, there is no source of truth. And unfortunately in things like Azure or AWS or GCP, the amount of services that they have within there,
Ashish Rajan: yeah,
Justin Kohler: you can have conflicting [00:08:00] sources of truth. So like in Azure today, we, we read Azure Resource Manager, uh, Entra ID and the Graph API because each of those three can cascade and it like basically breaks each other.
Does that make any sense?
Ashish Rajan: Yeah.
Justin Kohler: Wow. So I can be an admin in, in, in, or a non-admin in Entra ID, but I could have a Graph role that allows me to grant basically the same thing.
Ashish Rajan: Oh, so there's a cross hold of permission?
Justin Kohler: Yes. Yeah. And AWS is the same way. Yeah. So you have to kind of know everything.
Ashish Rajan: But so what about, I mean, as much, obviously being that old, it may have tech debt as well, but over time they've kind of gone down, built Defender and there's a lot of, like a lot of people with E5, E7 licenses.
Yeah. They all are being told that we have security products and oh yeah, you got this and blah, blah. Is there like a gap in the identity component? Or I guess where I'm going with this is that a lot of people I work with on the advisory board as well, they go by, I've got the Microsoft tool set. Yeah. I'm a full Microsoft shop.
Justin Kohler: Yep.
Ashish Rajan: [00:09:00] I've got Defender, I've got Sentinel, I've got everything else. Is that not a true pitch? Because from what I hear, and what I hear other pentesters talk about, is like, it's great for finding all these. I mean, it doesn't have to be just a pentester. I could be someone who's a security engineer in an organization.
Just curious about how, I wonder how exposed I am.
Justin Kohler: Yeah.
Ashish Rajan: So putting that lens onto this is, uh, is the reality of active directory today, uh, a be better with Microsoft tooling? Or is it actually I, I don't know where, where am I standing with this? 'cause I feel, is there a blind spot here that, am I trusting too much on the fact that if I have Microsoft tooling for security, is that enough?
Justin Kohler: I that is a great question. I think Microsoft does a lot of good work, just like the other major, like hyperscalers to pro hopefully prevent people from foot gun themselves.
Ashish Rajan: Yeah.
Justin Kohler: Um, so like, are they blanket applying 2FA or MFA? Are they like, in Azure, they learned some of their lessons from Active [00:10:00] Directory and they made it so that like, as a non-admin, you couldn't take over an admin.
So there are good things to be supplied by the hyperscalers, but I'd say like two different things. One, um, you, you kind of want an external validation of that. It's kind of like having your, uh, there's like an analogy somewhere about like having the same people who write your paycheck, do your taxes.
You know what I mean? It's, I know. It's like, how much do you know? You're saying the thing that you built is good and I should trust
Ashish Rajan: you. I'll audit how secure I am.
Justin Kohler: Exactly. Exactly. Beyond that though, I, I'd say that they're always only gonna be able to give you a portion of the picture. Yeah. So, like Microsoft is, it may know everything there is to know about their internal systems, but they don't know how it bolts onto something else.
And, and we've, we've seen historically people massively underthink the attack path problem. Yeah. And why it was so valuable for penetration testers early on and why BloodHound Enterprise is kind of like this eye-opening thing.
Ashish Rajan: Yeah.
Justin Kohler: I mean, we got, one of our customers was saying like, God, Active Directory should have just shipped with BloodHound like 10 years ago.
Uh, because it [00:11:00] really just shows you like I configured all these things. What is the net result of all those things?
Ashish Rajan: But what about people thinking that I've got federation, single sign-on everywhere. Yeah. And you, you said MFA as well. Are those controls enough?
Justin Kohler: Yeah. Uh, so, yeah, this is where I'm probably gonna depress people.
Uh, MFA and single sign-on are amazing technologies and they were presented to solve a certain problem, right? So like, I don't wanna have a bunch of like simple passwords, and I want to be able to not enter a password every five minutes to access some other thing. And for MFA, you know, brute force, password spraying, it's gonna prevent against that.
'cause then I have to satisfy a second factor. And everybody believes, everybody believes that that's the end of the story. Unfortunately, especially with like, we'll start with MFA. When you satisfy MFA, what happens is there is some method of like a token, or there's an authorization like piece that's dropped onto your system.
So it could be, in the case of a browser, it's a cookie, right? Or in the case of Active Directory, it could be a token or a ticket [00:12:00] or whatever. There's post-authentication material. And typically, most attackers are abusing the post-authentication material.
Ashish Rajan: Oh.
Justin Kohler: So it makes it actually really frustrating.
Like you, we've solved or we've, we are making it harder for attackers just to come in the front door and get their initial access.
Ashish Rajan: Yeah.
Justin Kohler: But let's say they do get their initial access. You've already satisfied the MFA and if I have access to your system, I can now operate as you. I have no need for your password.
I don't need your MFA at all. Like I can just ride your authentication. And we've seen that with like a bunch of attacks. Like there was a really cool one out of, uh, Microsoft actually. They got, uh, they were talking about how somebody pivoted from on-prem and then took over the Azure systems. And they did that because they were, they were satisfying conditional access.
'cause they were just routing to the computer that the admin was using to satisfy conditional access. Oh. So they just rode his system to route up to the cloud, which is pretty nasty. And then single sign-on, it's kind of the same concept, right? So, [00:13:00] again, if you're thinking that in a post-authentication context, I already have access to like, I, I satisfied through Okta.
So now I can access GitHub, I can access AWS, I can access this and this and this. And one of our. Big banking customers was, that's a huge fear of theirs.
Ashish Rajan: Yeah.
Justin Kohler: Is they have all these like developers or identity teams making these individual decisions about, well, let's trust this, whether it be through SSO or SCIM or whatever it is, and they make all these individual decisions.
They don't understand the ramifications of that.
Ashish Rajan: Yeah.
Justin Kohler: Like the downstream effects. Yeah. Again, not to say that anything's wrong with SSO, but you are connecting things in ways that you don't understand yet.
Ashish Rajan: And you don't understand the full picture of it.
Justin Kohler: Yes. Yeah.
Ashish Rajan: But does that, I mean, I guess it's, I'm sure people would be already thinking about this, but maybe least privilege
Justin Kohler: Yeah.
Ashish Rajan: Is, yeah. As vague as the word yeah. Least privilege is, does that help in this?
Justin Kohler: Um, least privilege. Again, I think. Uh, it's hard for me to throw shade at a term that was created like 50 years ago. So last year was the 50 year anniversary of Really? [00:14:00] Yeah. Yeah. It was created in the seventies.
Ashish Rajan: I mean, least privilege is older than Active Directory.
Justin Kohler: Oh yeah, yeah, yeah. And least privilege is great. And, but I think the true intent of least privilege is to prevent the type of attack paths that BloodHound uncovers.
Ashish Rajan: right.
Justin Kohler: Now here's the problem though, is everybody only analyzes least privilege from the context of a single identity.
I am a user in a system. I have access to these resources. Yeah. I use these resources to do my job. Is that more or less than what I should have? That's usually how people think about it, right? So I I either directly have access to like a finance system or I'm a, I'm a part of the development team.
So then that group gives me access to submit code. Like pull requests, right?
Ashish Rajan: Yeah, yeah, yeah.
Justin Kohler: The problem is they don't see the connecting tissue on the other end. So I'll give you an example. Let's say I have the ability to reset your account. Mm-hmm. Right? You're a different user. Yeah. My, my access doesn't stop.
I now have all of your access.
Ashish Rajan: Yep.
Justin Kohler: And all of your access to every person or resource you can manipulate, and so on. Yeah. So if you can, like, let's say for some reason you have [00:15:00] the ability to, we see this in, actually we just saw this in a GitHub environment: we could push a pull request to a branch in GitHub and actually assume the AWS role on the other end of the CI/CD system.
Ashish Rajan: Mm.
Justin Kohler: So my access doesn't stop at GitHub anymore. Now I can go through AWS and it was pretty nasty. I mean, we went from no privilege in GitHub. Literally zero privilege. Yeah. Just the ability to push code. And to full control could have deleted the customer's AWS tenant and shipped malicious code out through their S3 bucket to all their customers.
Wow. So it's like. Least privilege is an amazing thing to do. Yeah. But I think it's incomplete and it's, it's also kind of saying like, boil the ocean. Maybe you'll fix the problem. Versus look at the problem of like attack paths and focus on that. Like what are you trying to like, okay, Sally shouldn't have access to the system, or John shouldn't have access to the finance system.
Well, let's try to figure out what the culmination of all those attack paths are. Yeah. And then [00:16:00] shut 'em down. And that's kind of what we do for our enterprise
Ashish Rajan: clients. But do you find that, 'cause obviously it's not just a regular user like you and I, but there are also system users. Oh yeah. So how, what, how different would that be?
I guess
Justin Kohler: system users
Ashish Rajan: as in like your non-human identities.
Justin Kohler: Yeah. Acquired,
Ashish Rajan: yeah.
Justin Kohler: Well that's, uh, so it's funny because people ask us, you know, what do you do for non-human identities? And I'm like, well, it's just an identity to us. Like we don't, we never discerned between a human or non-human identity.
They're always just an identity. And it's funny because, I'm gonna probably confuse people a little bit here, but, uh, identity itself is a little bit of an abstraction. And what I mean by that is, it's like when people think identity, they think user, or a, or a, uh, or it could be some automation account, right?
Yeah. But it's just really, at the end of the day, it's just an entity that has permissions over something else. Yeah, yeah, yeah. That's, that's all it is. So like a computer has a, uh, like an Active Directory computer is an identity in itself. You can permission a computer to have permissions to do something else.
Ashish Rajan: Yep.
Justin Kohler: With, uh, completely unassociated with a user. [00:17:00] And the same thing like, I mean, when you when you get into any, especially cloud system you're creating just tons of non-human identities. And we don't discern between a human or a non-human identity. And actually we find that it's the abuse of the non-human identity that's, that leaves the worst outcome.
Ashish Rajan: Oh, right. Oh, that's the worst case scenario.
Justin Kohler: Yeah, because then you're gonna you can do a simple example in active directory. You take like control of a backup account and you can back up like, you know, all these backup accounts. Like, that's just like taking backups or snapshots of all these systems, right?
Yeah. Um,
Ashish Rajan: or them as well. If you want, you can just cut up the entire backup if you
want.
Justin Kohler: Yeah. Or like, um, like an SCCM admin, like you just, you can take, you can push changes across the fleet as an SCCM account. Yeah. So like I, that's, I just wanna take over the management plane of this thing, and then in like, you know, GitHub or in that AWS example, if I just take over the CI/CD system, I can then route through AWS, so yeah.
Ashish Rajan: So with the, because it's interesting, 'cause we spoke about least privilege, we spoke about the fact that obviously Active Directory controls are probably not [00:18:00] wholesome, for lack of a better word, you still need like an additional verification on your part to continuously have an eye on this.
Justin Kohler: Yeah.
Ashish Rajan: Does it like, obviously now we are in this world where, uh, non-human identities are getting a lot of attention. AI agents are getting a lot of attention as well. Privilege, and I'm sure these identities are all, like the AI agent identities may also be in Active Directory because it's using my credentials.
Justin Kohler: Yep.
Ashish Rajan: How do you see, and people who maybe are more on the technical side or have people in their teams who are a bit more technical, like using things like active continuous verification, I don't know what the right word would be, but more like, is that where we are heading towards? Like, I think it's no longer enough for me to just rely on my Defender or Sentinel logs to
Justin Kohler: Oh, no, I
Ashish Rajan: ping me when the alert comes in is I should be more continuous now.
Justin Kohler: Yeah. I, uh, I would say that we saw this last year actually around this time especially like, uh. People are getting spooked to the point where, you know, defense is only gonna be able to do so much. And I think we've been, we've overloaded defense, like as in detection and response. Yeah. We've [00:19:00] overloaded detection.
I mean, I don't think any organization right now wants another alert. Mm-hmm. Right. The problem is, especially with AI, you can do two different things. I think everybody's really fearful of the really, really advanced attack where a normal human operator might lose interest in, you know, the low and slow type attack, or some super interesting, like, only a machine could sift through that data.
Some, sometimes a wild attack, right? So that's like everybody's fear. I think the other fear, and more the fear that we'll see over the next year, is the just launching of mediocre attacks to like create a fire over here and then I can go here, if that makes any sense. Oh, right. So I'm gonna launch 2000 attacks because I can spin up a bunch of agents and just overload your systems.
And then I'm just gonna go here.
Ashish Rajan: Oh okay. Yeah. I love It's like a distraction Yeah. In the military. Yeah.
Justin Kohler: And so, so let's say that even, when you're combating like a normal human adversary on the other end, maybe you can keep up. Yeah. Because you're human versus human, but now you can't.
Right. [00:20:00] Like, and I don't think. It was always a challenge to get like a detection event and be able to respond properly. Yeah. Um, I used the analogy for too long we've, treated our, our environments like a house with no doors and we put a bunch of ring cameras all over, you know, the exteriors and we're saying like.
Well, I don't need a door because I have a ring camera. So like as soon as somebody walks in, I'll be able to catch them. And it's like, well, just saying that just sounds stupid. Why don't we, why don't we close the door?
Ashish Rajan: Yeah.
Justin Kohler: And that's what we're saying with attack paths is when you know what to look for, it's very, very obvious.
I mean, we're talking about a minor amount of permissions to shut off millions, literally millions of attack paths. Yeah. And until you see it. You're gonna be just kind of fighting noise.
Ashish Rajan: I, I love the Ring camera analogy as well. I'm pretty sure people who use some of those cameras probably know that unless the person is standing there for a second, yep,
Outside the door waiting for it to be captured. Yeah. You can walk straight in. It doesn't even pick you up as well sometimes.
Justin Kohler: No,
Ashish Rajan: it's the same with [00:21:00] environments as well.
Justin Kohler: Oh, yeah. I mean, I, and I'll, I'm guilty of this too. I have cameras all over my house. Right. And I, like, I get an alert. I don't even look at it anymore.
Right. Because like, unless something really, truly bad happens.
Ashish Rajan: Yeah,
Justin Kohler: Yeah. I don't go back through the feed.
Ashish Rajan: That's right. Yeah, yeah, yeah.
Justin Kohler: Right. So, uh, so this, and what we're saying is just take the opportunity away. And most people, when we say take the opportunity away, what we're talking about is put in the separation that you think you're, you put in.
Uh, initially, yeah. So we've talked for years about separating our users you know, whether they're human or non-human.
Ashish Rajan: Yeah.
Justin Kohler: They're privileged accounts versus unprivileged accounts, and, but nobody's doing that and nobody can see that they're not doing that. That's what BloodHound is really uncovering.
Ashish Rajan: Right. But is it because there, the, the lines of who owns this risk is blurry.
Justin Kohler: So I, that's, that comes to fixing the problem. Okay. When the lines line, that's the lines that are blurry. I think initially the systems AWS, Microsoft, GCP, it doesn't matter what it is. The systems for how you can configure [00:22:00] access or the ability to execute a privilege Yeah.
Are so complex. Like, I think, think of it this way. Uh, if you had 10 people in your company and you said, you get access to this and you get access to this, and so on and so forth, you could probably keep that straight in your head. Yeah. Once you get up to a thousand or 10,000 or a hundred thousand, that just balloons like crazy.
Ashish Rajan: Yeah.
Justin Kohler: It becomes this really ridiculous, like, I mean honestly it's a graph problem. That's where BloodHound is. When you talk about blurred lines of shared responsibility, that's definitely on the fixing side.
Ashish Rajan: Yeah.
Justin Kohler: Yeah. 'cause then it's like, here's a problem. And unfortunately it's not a, a vulnerability with a CVE that you can just like, okay, we're just gonna patch this based on our, our, you know, our resolution windows.
Yeah. It's, we configured this system 10 years ago.
Ashish Rajan: Yeah.
Justin Kohler: Does someone remember why we did that?
Ashish Rajan: And Joe left already.
Justin Kohler: Oh yeah. Joe's gone. Joe's gone. So the really important part of that is to be able to clearly articulate the risk of that configuration, not just that an attacker could use this, but how, like how much of the [00:23:00] environment is exposed to this risk.
Ashish Rajan: Yeah. Actually in a way, maybe something that we blamed also is the fact that the way we, as much as we all love technology, a lot of people like to move to new technology really quickly as well. Yes. Because once you've done active directory, I remember these things. There used to be nested loops.
Justin Kohler: Yeah.
Oh yeah.
Ashish Rajan: And I remember coming across this first time and going, this is gonna be a mess. But and to your point. In an organization which is 10 people that you can still work with, the more you go 10,000. 20,000.
Justin Kohler: Oh yeah.
Ashish Rajan: Or a hundred thousand. Now you're like, okay, I have no idea what this is gonna unravel.
I don't want to be the person who does it.
Justin Kohler: No.
Ashish Rajan: I'm gonna go on this exciting cloud thing over here, work on my cloud IAM roles. Yep. What? That's so exciting. That's my future going forward. I'm just gonna leave the, I think you called it, when we were talking about it, you called it the messy middle as
Justin Kohler: well.
Yeah. Messy middle. Oh yeah. So that's our favorite term these days. Let's say, for example, in some world where an Active Directory admin has their hands on the security of just their domain or their forest. And then the EntraID person has their [00:24:00] thing configured properly, and GitHub and AWS and so on and so forth.
The problem that we see now is when you connect the two things together. You can actually do really good things in those two separately, but when you connect them, you undo all of that work. So I mentioned the GitHub to AWS thing. AWS was trusting this GitHub Action on the other end.
Ashish Rajan: Yeah.
Justin Kohler: They had no idea that it's completely exposed on the GitHub side, but that allows us to route through to AWS.
And that messy middle, like, who's responsible for that? Yeah. I mean, ultimately it's like the CISO, but no, we have not found a lot of people who understand that messy middle risk.
Ashish Rajan: Yeah. Yeah.
Justin Kohler: And it's really interesting. I was actually talking to one of our researchers yesterday about this, where
hopping between Jamf and GitHub, or sorry, Jamf and Okta.
Ashish Rajan: Oh,
Justin Kohler: he just kept going back and forth. Right. So I was this privileged in Okta, uh, Jamf, I'll go to Okta, and I'll keep going back and forth.
Ashish Rajan: Yeah.
Justin Kohler: And at the end he not only had full control over the Jamf fleet. Yeah. But he was an Okta super admin too.
Ashish Rajan: Oh,
Justin Kohler: [00:25:00] Really? So, yeah, I was like, what? And he's like, and I didn't exploit anything.
Ashish Rajan: It just, oh, wow. Yeah. And to your point, these days environments also have CI/CD pipelines, and you mentioned GitHub. But then you could be using a repository which is in cloud.
Yes.
Ashish Rajan: And now you're in this mixed land of: a cloud owner is different, the Active Directory owner is different. It's a corporate IT problem versus a cybersecurity problem. Yep. Because there's a head of IT, then there's a CISO. They both have different reporting lines?
Is this
Justin Kohler: Yeah, and I think we see a lot of the organizations who have identity under the CISO seem to have the easiest method for fixing these quickly,
Ashish Rajan: right?
Justin Kohler: Like, we see the resolution of findings drop significantly when you have the identity team under the CISO. And I think that's just because they own the risk and they own the resources to fix it.
Ashish Rajan: Yeah. And I guess to your point, because, the blurry line. The blurry line also comes in when you have provisioning and de-provisioning done by another team.
Justin Kohler: Yes.
Ashish Rajan: Which is, to your point, going back to what you were [00:26:00] saying earlier, I went and asked for a permission, but say six months later, I come back and ask for another permission from another member of the team.
Justin Kohler: Yep.
Ashish Rajan: There is no way for them to map that out for, Hey, why do you need that new permission? Should we undo something that we had done before and
Justin Kohler: Each of those requests in isolation is totally fine. Yeah. Like, you think of an identity person reviewing access requests or whatever, or a system that's handling that automatically.
It's like, well, yeah, that's fine. Yeah. You know, but you don't get the full path of, like, this person can go from zero to deleting our AWS tenant because of these 10 different requests he's asked us for over the years.
Ashish Rajan: Yeah. Do you find, obviously we are at RSA and a lot of people are working on security programs for the rest of the year, or, yeah.
Maybe doing it for five years doesn't make sense. But perhaps I'll just say for the 2026 period, 'cause AI is kinda changing a lot of things.
Justin Kohler: Sure. Yeah.
Ashish Rajan: So for people who are applying their security programs, where do you see are some of these legacy blind spots that they may be ignoring and what they should be thinking about?
There's a lot of pressure on [00:27:00] CISOs to be very AI forward as well. At the same time, there are obviously this tech debt that they're carrying for a while.
Justin Kohler: Yeah.
Ashish Rajan: What's your recommendation for people who are trying to uplift a security program, who probably have an Active Directory, have Entra, have, I don't know, another identity provider and stuff as well?
Yeah. What's your recommendation to them at the moment?
Justin Kohler: Well, now I'm gonna be admittedly very biased here. I think every CISO who has not seen a BloodHound view of their environment lives in a certain amount of fear. Mm-hmm. That it's a matter of time before something's gonna strike us.
And I don't know how that will happen. I think a lot can come from just seeing the reality. Yeah. And making sense of that. I am a firm believer that you can remove any attack path, but that may not. And we have customers that get to zero, which is awesome. But not every big customer needs to get there.
And so there's a diminishing return, right? So if a hundred percent of our environment has access to, you know, delete or brick our Active Directory environment or delete our [00:28:00] AWS tenant, that's not good. Yeah. But what is an acceptable threshold? Maybe it's 5% or 10%. You kind of need to know where you sit right now
to see what type of shaky ground you're building the rest of these, you know, fundamental capabilities on. It's like, have you seen the funny meme of when the SSH vulnerability came out, and it's like there's all this super cool stuff that we're building and there's this tiny, tiny little block of, like, an open source.
It's like, you know, and that's honestly the fear: you don't want those really cool things you want to pursue to get knocked off because somebody created a fax machine account 20 years ago that some attacker's gonna find and,
Ashish Rajan: but
Justin Kohler: abuse. But does that
Ashish Rajan: mean people should stop over-indexing on Active Directory security?
Or maybe they're not even indexing on Active Directory security. They've moved on to new things,
Justin Kohler: I think, yeah. Oh God, that's a really good question, over-indexing on Active Directory security. I think people need to understand that there is a backbone of their environment that lives in Active Directory, probably, and they need to [00:29:00] understand what that means to their organization.
I think hyper-focusing on it, especially when we're putting a lot of workloads into the cloud, probably isn't the right way. I wouldn't want to just focus on Active Directory. It needs to be a consideration, 'cause again, it is the backbone of so many identities today.
Ashish Rajan: Yeah.
Justin Kohler: But. Really, you need to be able to see the risk across these different platforms and how they connect.
Ashish Rajan: Mm-hmm.
Justin Kohler: Again, not just individually, what is the security of my Active Directory domain versus what is the security of my AWS environment? It's how have I connected the two, and maybe in weird ways that I understand.
Ashish Rajan: Yeah. So would you say, 'cause I imagine people who are coming from the Active Directory land,
they cannot really rebuild that entire identity structure anyway. That ship has already sailed.
Justin Kohler: Yeah.
Ashish Rajan: So is the approach then, and, 'cause I actually, maybe, thought about this earlier and it's worthwhile asking, 'cause obviously we started talking about BloodHound as a great pen testing tool.
Justin Kohler: Mm-hmm.
Ashish Rajan: For people who are obviously building a security program, they hear us talk [00:30:00] about this, like, oh yeah, it is open source, but I guess it's for pen testers.
Justin Kohler: Yes.
Ashish Rajan: Can I, as someone who probably is a wannabe pen tester, maybe. Yeah. Or someone who's technical enough.
Justin Kohler: Yeah.
Ashish Rajan: Can I still use BloodHound to run an assessment on my Active Directory without being a pen tester?
Because I imagine, of course, is there like a knowledge thing
Justin Kohler: that. Yeah, absolutely. So if you've never played with BloodHound before, you can download it from our GitHub for free. We have example data sets too for Active Directory, EntraID, and we're gonna be hosting Jamf, Okta, and GitHub example data sets.
And we have this kind of really cool range where they're all connected. Yeah, we had to build the same thing internally so that we could show people what it looks like when you hook all these things together. So those example data sets, or you could run it against your own environment. If you are a security person at a company and you're planning on running this at your company, make sure you have permission,
'cause it's gonna light up every alert in the world. But it will uncover a lot. There's a lot of built-in queries. And it can kind of just show you what is brass tacks, like how would somebody with... I think the favorite [00:31:00] thing that people do is, if I'm an employee at an organization, I search for my account and then I see, okay, can I get to full control of the environment?
And 99% of the time the answer is, yes you can. And here's how you would do it. And it's shorter than you think, which is kind of sad. That's what people have been doing for, honestly, I mean, BloodHound's 10 years old this year. Yeah. And it's evolved considerably.
But the practice of finding an attack path one by one and trying to fix them, you're really not gonna make any progress that way. That's actually why we created BloodHound Enterprise. To give you some statistics, we have a 10,000-identity environment, which is not a lot.
You're looking at an average of 22 million different attack paths, so you can't fix those one by one. That was the whole problem. Yeah, it's bananas. I mean, we did this analysis last year across all of our customers just to see the size, a sense of scale. Yeah. Today we look at 650 plus billion attack paths across all of our [00:32:00] customers.
Ashish Rajan: Oh my God.
Justin Kohler: But like, that's kind of dumb. Just to be clear, there's no value in that number. The only value is to figure out where you can shut multiple down at one time. So think of it like this: my environment is this messy, connected smorgasbord of identity systems, and think of it like a map of the United States.
We've used this analogy for years, and it is super helpful. The critical things in my environment, let's say, are represented by the island of Manhattan.
Well, in that analogy, who cares about any road across the United States? I only care about the bridges to Manhattan.
Ashish Rajan: Yeah, yeah.
Justin Kohler: So I can cut off all of this access by just separating that, and that doesn't mean breaking my company in the process. Mm-hmm. I'm talking about putting in the separation between privileged and non-privileged identities. Yeah. That people have been saying we should do for 20 years, but they could never have the visibility to do.
Ashish Rajan: Is that because, and to your point, maybe it goes back to the messy middle as well, because there is a technology part where you can use open source tools to identify how exposed I am.
Justin Kohler: Yeah.
Ashish Rajan: But on the flip of it, [00:33:00] it also opens up the conversation for people who are trying to build security programs.
Do I need someone responsible for this? Yes. Do I need someone who does this on an ongoing basis as well?
Justin Kohler: Yeah. And I think the interesting thing is, vulnerability management has been very focused on hosts and systems, right? Yeah. And CVEs. What we're doing with attack paths is the identity half of vulnerabilities.
Ashish Rajan: Yeah.
Justin Kohler: And if people are only looking at one, they're not looking at how attackers are taking over companies today. Personally, like, SpecterOps, the other half of our company is all red team pen testing, right? Like, we're the red team for Palantir, for OpenAI.
So we have a lot of experience in attacking organizations. I think it's been 10 years since we've consistently thrown exploits. Yeah.
Ashish Rajan: Yeah.
Justin Kohler: Because it'll just get us caught. And it's not the easiest way to attack an organization. It's usually through the identity.
Ashish Rajan: To your point, it goes back to the Manhattan example you said. If you are able to find one of these, it doesn't have to be 22 million.
Yeah. But even if you find four
Justin Kohler: Oh yeah.
Ashish Rajan: That reduces the [00:34:00] exposure, I don't know, by 25%. Oh yeah. That's still a big win.
Justin Kohler: Yeah. Oh yeah. So one of my favorite stats is, usually when we deploy into an organization, they're exposed between 70 and a hundred percent, which means if I phished a random user, I would have a seven or a 10 out of 10 chance of completely taking over their environment within some amount of time, which is pretty bananas.
And actually, early on, I wrote this blog post that was titled "Is Everyone This Bad?" Because I would get that question all the time, like, is everybody this bad? And I was like, yeah, unfortunately. Yeah.
Ashish Rajan: I mean, yes, that's not saying the same thing as well.
Justin Kohler: But the good thing is people can make quick work of this once they understand where to focus.
Our average right now is around 30%. Within the first 30 to 60 days you drop that significantly, and that's usually a combination of low-hanging fruit and old things that people didn't know they were doing.
Ashish Rajan: Yeah. I think the way I'm listening to this is that if I am, say, a CISO concerned about AI and the explosion of AI, identity is still a big piece there.
Justin Kohler: Oh yeah.
Ashish Rajan: And having some analogy, or [00:35:00] at least some comparison for how exposed am I from an identity perspective before I kind of deep dive into it?
Justin Kohler: Yes.
Ashish Rajan: I think that could be a good part of that as well. Yeah.
Justin Kohler: I mean, so we talked about how AI is going to make attacks, um, like we're already using it, it's like nation-state-level tradecraft for everyone, right?
Is the way we say it. And also you can just launch more attacks. But there's also the inherent risk of creating the AI and giving it access to do something. It will have an identity to do that, whether it's a static identity that's created just for the agent, or it's acting on behalf of the user who's using the agent,
or some type of just-in-time provisioning. I was actually talking to a customer yesterday who was talking about how their agents are gonna basically just-in-time grant, you know, give a role. Oh, what? Give the access, right? And I was like, well, how are you gonna tell if those roles are ever revoked?
Yeah. Yeah. And he's like, yeah. Yeah.
Ashish Rajan: And this should still be kept the same or changed.
Justin Kohler: Right. And you know, again, just like a user can request access to some [00:36:00] resource to do their job, an agent's gonna request access, and anything that's reviewing that is gonna do it in a very siloed way.
Yeah. And not see the downstream exposure of that identity. So yeah, AI is going to make this problem very interesting over the next year.
Ashish Rajan: No, I mean, that's all the technical questions I had. Thank you for sharing those. I've got three fun questions as well. Oh yeah.
So for that fun section, I've got the popular snack war thing going on. So obviously, as I mentioned, this is the Australian and the British version. Which one were you gonna go for?
Justin Kohler: So I saw Vegemite earlier, so I have to try that. Yeah,
Ashish Rajan: sure.
Justin Kohler: I don't have to pound the whole bag.
Right. You don't have to have the whole thing if you want to try one. It's been probably, I dunno, 10 years since I had Vegemite.
Ashish Rajan: Oh really? Yeah. Oh, well, I wonder if it's still the same, like it would be a mellowed-down version. It would not be. Oh,
Justin Kohler: way more mellow.
Ashish Rajan: Yeah, yeah, yeah. I mean, I was expecting like a strong Vegemite actually.
I don't think it will have that.
Justin Kohler: No. My [00:37:00] kids would plow through these. It's just like a Cheez-It basically. No, those are great.
Ashish Rajan: Did you still want to try the crocodile as well?
Justin Kohler: Oh, yeah. Yeah.
Ashish Rajan: Why? Why not?
Justin Kohler: Yeah,
Ashish Rajan: because I'll be curious to see. Oh, wait. Have you had a crocodile before?
Justin Kohler: I have, but not in jerky form. Oh, okay.
So when I was in Australia, too. Oh,
Ashish Rajan: right. There you go. I'll be curious as to whether you find that this is what you expected it to be.
Because some people said it's like chicken.
Justin Kohler: Mm-hmm. I remember that, when it was like... okay. There's a reason they don't make chicken jerky.
Ashish Rajan: Yeah. Segueing to the fun questions, first one being: what do you spend most time on when you are not trying to solve, I guess, the Windows, BloodHound, Active Directory problems of the world?
Justin Kohler: Oh man. Well, I have four kids and a puppy, so that's literally all of my time. I also really like anything completely analog, so like woodworking and stuff. Oh, nice. Yeah. Yeah, I think everybody in computers has some form of, like, I don't want to plug this thing in. It doesn't have a signal.
Like some, some [00:38:00] detachment.
Ashish Rajan: Right. It's not gonna electrocute me as well.
Justin Kohler: No.
Ashish Rajan: The second question I have is, what is something that you're proud of that is not on your social media?
Justin Kohler: Oh, man, that's a good question. First, I don't really have social media. I mean, I have a Twitter and a LinkedIn account.
Gosh, what am I proud of? I'm gonna say, like anybody with multiple kids, I'm just gonna fall back to my kids. I'm super proud of 'em. Like, yeah, they're already so much smarter than I am, and it's awesome.
Ashish Rajan: Yeah, it's amazing. I think I used to hear people talk earlier about how the
younger generation is always smarter than you are. Yeah, and I think, as a young person, I would never believe it, but now I'm a bit older, I'm like, there is some truth to that for sure.
Justin Kohler: I mean, I was helping my daughter do math homework last night, and she's 10 for reference, and I was like, oh yeah, I got this.
You know, like, I was great at math. Yeah. So I sit down with her and I'm ready to help her, and she's like, oh, I don't need help with that yet. Oh, wow. I was like, yeah. And I was like, well, what do you want me to help with? And she's like, I just wanna show you.
Ashish Rajan: Yeah, yeah. Oh wow. [00:39:00] Can you verify my work instead?
I'm like,
Justin Kohler: pretty much. Wow.
Ashish Rajan: Third and final question. What's your favorite restaurant cuisine you can share with us?
Justin Kohler: Oh, cuisine? Mexican. Hands down.
Ashish Rajan: Wait, is it north Mexican or... apparently, I did not know this, but someone said that Mexico is a big country, and so there's like different... have you got a fond one?
Justin Kohler: Like, very specifically Oaxacan.
Ashish Rajan: Oaxaca?
Justin Kohler: Yeah.
Ashish Rajan: What, what are they, is that still tacos or what is that like?
Justin Kohler: Yeah, they have this amazing cheese that's kind of like string cheese, but way better. Like, Oaxacan food is just amazing.
Oh,
Ashish Rajan: okay. I think so. Is that the one which is more north of Mexico?
Justin Kohler: I think it's like, no.
Gosh, no. You'd embarrass me if I get this wrong. I think like northwest.
Ashish Rajan: Oh yeah. Somewhere in the north. Somewhere in the north. Let's just say north somewhere.
Justin Kohler: Yeah.
Ashish Rajan: Okay, cool. I think that's about, maybe that was the same one, but obviously my geography is pretty bad as well, which is not, like, I guess it's on that side.
But I'm sure people can correct us in the comment section. But where can people learn more about SpecterOps and [00:40:00] connect with you guys as well?
Justin Kohler: Yeah, so specterops.io. If you just look up BloodHound too, I mean, once you get past the dogs, you'll find us. If you look up BloodHound and attacking, or BloodHound and, you know, Active Directory or AWS or Jamf or whatever, you'll find it.
Yeah, reach out to us. We put out a considerable amount of training. So we like to share information very widely. That's actually how we got our start. We just blogged and tweeted about everything. We have a certain number of customers and we are lucky enough to support those.
But that doesn't mean that we can't support everybody else.
Ashish Rajan: Yeah. Yeah. Awesome. And you said you have LinkedIn, so I'll put your LinkedIn information as well. Yeah. So we can connect with you and, yeah.
Justin Kohler: Yeah. I'm at Justin Kohler 10 because for some reason I grab the Justin Kohler on, on X.
Ashish Rajan: There were nine more before you.
Justin Kohler: Yeah, there was nine more. Yeah. Yeah,
Ashish Rajan: I feel for number 11 coming after us after this.
Justin Kohler: Yeah. Yeah, exactly. But
Ashish Rajan: this was amazing.
Justin Kohler: Thank you so much. Yeah, thank you so much. Thank you.
Ashish Rajan: Thanks very much for tuning in as well. Thank you for listening or watching this episode of Cloud Security Podcast. This was brought to you by Tech [00:41:00] riot.io.
If you are enjoying episodes on cloud security, you can find more episodes like these on Cloud Security Podcast TV, our website, or on social media platforms like YouTube, LinkedIn, and Apple, Spotify. In case you are interested in learning about AI security as well, do check out our sister podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify, Apple as well, where we talk
to other CISOs and practitioners about what's the latest in the world of AI security. Finally, if you're after a newsletter that just gives you top news and insight from all the experts we talk to at Cloud Security Podcast, you can check that out on cloudsecuritynewsletter.com. I'll see you in the next episode, peace.