Real-Time Auditing of the Classic Insider Threat
A Russian Nesting Doll? What a bizarre choice of image to accompany a technology blog, you may think. But the comparison holds: just as you cannot tell what is inside a nest of Russian dolls without opening them up one by one, Active Directory does not show you who is effectively a member of a group when that membership comes through group nesting – you have to open each nested group in turn.
StealthINTERCEPT 4.0 gives you the ability to peel away the layers and monitor nested group membership and any changes that may occur.
What is a nested group?
Active Directory allows groups to be nested within other groups, subject to group-scope rules (a global group can be a member of a universal or domain local group, for example). The primary reason is to simplify granting access to resources: an administrator assigns one group to a resource's ACL and then controls who receives that access by managing membership, nesting role-based groups into the resource group where appropriate.
This diagram illustrates a simple series of nested groups: Group4 nested into Group3. Group3 nested into Group2. Group2 nested into Group1.
Even though Microsoft recommends that nesting not go beyond two levels, at STEALTHbits we often see our customers with group nesting as deep as 15 levels.
The deeper the nesting, the harder it is to track changes to effective membership, and the greater the risk of 'Circular Nesting', where a group ends up, through a chain of nested groups, as a member of itself (Group1 contains Group2, which contains Group1). Active Directory does not prevent this; a tool that walks nesting without remembering which groups it has already visited will loop forever on it. StealthAUDIT can highlight circular nesting.
Effective membership is the set of all users who are members of a group either directly or through any chain of nested groups, however deep the chain.
Challenges and Risk of Nesting Groups
As mentioned, nesting can spiral out of control and, if not managed well, becomes an unwieldy mess. You lose your grip on who has access to what – which, ironically, is the exact problem groups were introduced to solve.
This illustration demonstrates a simple use of nested groups. ‘Admin Group’ has been applied to the ACL on three sensitive Data folders.
With just one group applied you can natively determine effective access to the data relatively easily: list the group's members. However, once you start to nest groups into the 'Admin Group', you need a tool such as StealthAUDIT to determine effective access to the sensitive data.
If a user is added to or removed from the 'Admin Group' itself, you can still determine effective access, because the change is made to the very group that sits on the ACL.
However, and here is the compliance (and operational) headache: what if the membership of the 'Nested Group' changes? Natively you cannot see the effect on the data. The Security log does record the change (events 4728, 4732 and 4756 for a member added to a global, domain local or universal group), but the event names only the group that was edited; nothing ties it back to 'Admin Group' or to the folders whose ACLs carry that group. With other vendors you need to periodically consolidate all changes to groups, assess group nesting and then determine effective access – all reactive and far from real-time.
StealthINTERCEPT 4.0 provides insight into the invisible
This brings us to the crux of the blog (the tricky bit).
StealthINTERCEPT 4.0 monitors all changes to groups and those nested within – to any level. Therefore, if a user is added to the ‘Nested Group’, a real-time alert is triggered.
As you can see in this screenshot, StealthINTERCEPT is monitoring a group called ‘Nested Group 01’. An alert has been received to say that the effective membership has changed as user ‘User Level 05’ has been added to ‘Nested Group 03’.
Even though ‘Nested Group 03’ is not directly nested into ‘Nested Group 01’, its membership does impact the effective membership of ‘Nested Group 01’.
Still with me?
So, the impact is that ‘User Level 05’ now has every access that has been granted to ‘Nested Group 01’.
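The two scenarios above (the 'Admin Group' on three folder ACLs, and 'User Level 05' landing in 'Nested Group 03' three levels below the watched 'Nested Group 01') are what an effective-membership monitor has to compute. The following is an added example written for this article; it is not code from the original post and not how StealthINTERCEPT or StealthAUDIT is implemented. The directory, the group and user names, the folder paths and the ACL are all constructed in memory. It expands nesting to any depth with a visited set (so circular nesting terminates rather than recursing forever), flags groups that contain themselves, works out which higher-level groups a change to a deep group affects, and diffs effective membership before and after the change to produce the alert. Against a live domain the same walk is what Get-ADGroupMember -Recursive performs; here it is written out so the steps are visible.

```python
"""Nested group expansion, circular-nesting detection and effective-access
change alerts over a constructed in-memory directory.

Added example for this article; not StealthINTERCEPT/StealthAUDIT code.
Anything that is not a key of DIRECTORY is treated as a user.
"""

# Constructed directory: group -> direct members (users or other groups).
# 'Nested Group 03' sits three levels below 'Nested Group 01'.
DIRECTORY = {
    "Nested Group 01": ["Nested Group 02", "User Level 01"],
    "Nested Group 02": ["Nested Group 03", "User Level 02"],
    "Nested Group 03": ["Nested Group 04", "User Level 03"],
    "Nested Group 04": ["User Level 04"],
}

# Constructed ACL: share path -> groups granted access (the group-on-ACL model).
ACL = {
    r"\\fs01\Finance": ["Nested Group 01"],
    r"\\fs01\HR": ["Nested Group 01"],
    r"\\fs01\Legal": ["Nested Group 04"],
}


def nested_groups(group, directory):
    """Every group reachable from `group` through nesting, to any depth.
    The `reached` set makes the walk finite even when groups form a loop."""
    reached, pending = set(), [group]
    while pending:
        current = pending.pop()
        for member in directory.get(current, ()):
            if member in directory and member not in reached:
                reached.add(member)
                pending.append(member)
    return reached


def effective_members(group, directory):
    """Users who are members directly or via any chain of nested groups."""
    users = set()
    for g in {group} | nested_groups(group, directory):
        users.update(m for m in directory.get(g, ()) if m not in directory)
    return users


def circular_groups(directory):
    """Groups that contain themselves through some chain of nesting."""
    return {g for g in directory if g in nested_groups(g, directory)}


def groups_affected_by(changed_group, directory):
    """Groups whose effective membership moves when `changed_group` changes:
    the group itself plus every group that transitively contains it."""
    return {g for g in directory
            if g == changed_group or changed_group in nested_groups(g, directory)}


def effective_access(user, directory, acl):
    """Share paths the user reaches through any group on each ACL."""
    return {path for path, groups in acl.items()
            if any(user in effective_members(g, directory) for g in groups)}


def with_member_added(directory, group, member):
    """Copy of the directory with `member` added to `group` (original untouched)."""
    updated = {g: list(members) for g, members in directory.items()}
    updated.setdefault(group, []).append(member)
    return updated


def membership_change_alerts(before, after, watched_groups):
    """Per watched group, the users whose effective membership changed between
    two directory snapshots: the alert a real-time monitor would raise."""
    alerts = {}
    for g in watched_groups:
        old, new = effective_members(g, before), effective_members(g, after)
        if old != new:
            alerts[g] = {"added": new - old, "removed": old - new}
    return alerts


if __name__ == "__main__":
    # Scenario from the screenshot: User Level 05 is added to Nested Group 03.
    after = with_member_added(DIRECTORY, "Nested Group 03", "User Level 05")
    print("groups affected:", sorted(groups_affected_by("Nested Group 03", DIRECTORY)))
    print("alerts:", membership_change_alerts(DIRECTORY, after, ["Nested Group 01"]))
    print("User Level 05 now reaches:", sorted(effective_access("User Level 05", after, ACL)))
    # Circular nesting: make Nested Group 02 a member of Nested Group 04.
    looped = with_member_added(DIRECTORY, "Nested Group 04", "Nested Group 02")
    print("circular:", sorted(circular_groups(looped)))
    print("still terminates:", sorted(effective_members("Nested Group 01", looped)))
```

Two points worth noticing when running it. The alert fires on 'Nested Group 01' even though the edit was made to 'Nested Group 03', which is exactly the visibility the native event log lacks; and the circular case shows that a loop three levels down adds no users to 'Nested Group 01' but would hang a naive recursive expansion, which is why the walk keeps a `reached` set.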
Three questions you should always ask are:
- Do I really want to grant this user all of those privileges assigned to ‘Nested Group 01’?
- Does the user require access to all the resources assigned to ‘Nested Group 01’?
- What is the risk of this user having access to all of the resources granted by ‘Nested Group 01’?
What I’ve outlined here is a scenario with one group and one user. Now multiply this by an enterprise number of groups and users, possibly with cross-domain nesting as well. You aren’t dealing with a single Russian Doll, but a warehouse full of Russian Dolls!
The Risks – In plain English
- Access sprawl – Too many people are granted too much access to too much data
- Ransomware – Ransomware encrypts whatever the logged-on user can write to. The more users who effectively have access to a share, the more endpoints from which a single infection can reach it, and the more likely you are to become a victim
- Manageability – If you have no visibility, how can you manage?
- Rogue Administrator – An administrator who knows which groups are watched can add a user to a group nested several levels below the sensitive one instead of to the sensitive group itself. Native auditing and any solution that monitors only direct membership records a change to an unremarkable group and never connects it to the data, so the access is gained undetected
- Compliance Audit – Can you tell who effectively has access to data, and how that access is granted, if asked? You can with StealthAUDIT, and if that changes, you know in real time with StealthINTERCEPT
Can your business afford NOT to monitor (in real-time) all effective membership changes to groups?
Mark Wilson is a Director of Product Management at STEALTHbits Technologies.
He is the lead Pre-Sales consultant in the EMEA region and a key member of the global Product Marketing team.
Mark has 18 years’ experience working in virtually all technical support and consulting roles across both public and private sectors in the UK, EMEA and globally.
Areas of specialism include compliance, data governance, IAM, migrations and consolidations.