Adaptive Wizard for Removing Cross-Tier Misconfigurations in Active Directory

TL;DR

This paper introduces an adaptive wizard system to efficiently guide IT admins in removing cross-tier misconfigurations in Active Directory, reducing manual effort and interaction steps through optimized algorithms.

Contribution

It formulates the Adaptive Path Removal Problem, proves its computational hardness, and proposes algorithms including a scalable heuristic that outperforms existing methods.

Findings

The problem is -hard, indicating computational complexity.

The DPR heuristic effectively handles large graphs.

Algorithms reduce manual effort in security vulnerability mitigation.

Abstract

Security vulnerabilities in Windows Active Directory (AD) systems are typically modeled using an attack graph and hardening AD systems involves an iterative workflow: security teams propose an edge to remove, and IT operations teams manually review these fixes before implementing the removal. As verification requires significant manual effort, we formulate an Adaptive Path Removal Problem to minimize the number of steps in this iterative removal process. In our model, a wizard proposes an attack path in each step and presents it as a set of multiple-choice options to the IT admin. The IT admin then selects one edge from the proposed set to remove. This process continues until the target $t$ is disconnected from source $s$ or the number of proposed paths reaches $B$. The model aims to optimize the human effort by minimizing the expected number of interactions between the IT admin and the security wizard. We first prove that the problem is $\mathcal{\#P}$-hard. We then propose a set of solutions including an exact algorithm, an approximate algorithm, and several scalable heuristics. Our best heuristic, called DPR, can operate effectively on larger-scale graphs compared to the exact algorithm and consistently outperforms the approximate algorithm across all graphs. We verify the effectiveness of our algorithms on several synthetic AD graphs and an AD attack graph collected from a real organization.