GraphConnect

In April of 2015, John Lambert illustrated why hackers consistently defeat network security measures, stating: "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win." One year later, Rohan Vazarkar, Will Schroeder, and I released BloodHound at the DEF CON 24 hacker convention. BloodHound is a free and open source tool that uses graph theory to show how attackers breach and take over modern corporate network.

Since its release, BloodHound has changed how professional offensive consultants and network defenders view these attack paths, using Neo4j to discover in seconds what used to take days or weeks manually. With some information about the network? Who's logged in where? Who can administer what? Who's in what groups? Who has control over what objects? We can model how attackers choose their targets. The BloodHound attack graph exposes the hidden and often unintended relationships that may lead to Domain Admin, the keys to the kingdom in almost every corporate network in the world.

In this talk, we will show, with live demonstrations, the full history and evolution of BloodHound, starting with the frustrations of hacking without an attack graph, covering the spark that led us to an automated graph theory approach, building upon existing tools and tradecraft to create BloodHound, and capping off with BloodHound's newest improvements, schema additions, and future features. Finally, see how defenders use BloodHound to gain critical insights from the attack graph were the good guy kind of hackers after all.