Defining Tier 0
Nov 18th, 2017 by Jesper Kråkhede
Credential Theft is a big problem today. Many of the attacks we see target accounts rather than individual computers. This is due to the cost of exploitation: as soon as you have a valid account it is much easier to move around and look for a domain admin account, and as soon as you have domain admin you have it all (the same goes for root etc.).
One of the problems I'm challenged with is the definition of Tier 0. What is it, then? How do you define Tier 0? The simple definition is: every computer that either defines or manages domain administrator accounts, or can manage those computers in such a way that it has either physical access or administrator access to them. Compare with the PCI DSS definition of system components.
This means, for example, that any computer where a domain admin has logged in recently, or where a service account runs with domain admin privileges, is also part of Tier 0. At a sales call recently, after a brief chat, we identified that the client had 2/3 of their computers as part of Tier 0.
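To make the definition above operational, here is an added example (not code from the original post) that classifies hosts into Tier 0 from the three signals the post names: domain controllers, recent logons by members of Domain Admins (including nested group membership), and services running as a domain admin, followed by the transitive closure over "manages" relationships (a patching server, hypervisor or jump host that controls a Tier 0 machine is itself Tier 0). All host names, users, groups and events are constructed sample data; in a real environment they would come from AD group membership, 4624 logon events, service configuration and the inventories of your management tools.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Logon = namedtuple("Logon", "host user when")       # one interactive/network logon event
Service = namedtuple("Service", "host account")     # one service and the account it runs as


def expand_group(group, groups, _seen=None):
    """Return every user reachable from `group` through nested group membership."""
    seen = _seen if _seen is not None else set()
    users = set()
    if group in seen:                 # guard against circular nesting
        return users
    seen.add(group)
    for member in groups.get(group, ()):
        if member in groups:          # the member is itself a group: recurse
            users |= expand_group(member, groups, seen)
        else:
            users.add(member)
    return users


def tier0_hosts(domain_controllers, groups, logons, services, manages, now,
                window=timedelta(days=30)):
    """Map each Tier 0 host to the set of reasons it was classified as Tier 0."""
    admins = expand_group("Domain Admins", groups)
    reasons = {}

    def add(host, why):
        reasons.setdefault(host, set()).add(why)

    for dc in domain_controllers:                      # DCs define the admin accounts
        add(dc, "domain controller")
    for ev in logons:                                  # recent DA logon leaves credentials behind
        if ev.user in admins and now - ev.when <= window:
            add(ev.host, f"recent logon by domain admin {ev.user}")
    for svc in services:                               # DA service account is persistent exposure
        if svc.account in admins:
            add(svc.host, f"service runs as domain admin {svc.account}")

    # Closure over "manages": anything that can administer a Tier 0 host is Tier 0.
    # Loop until no new host is added, so chains (jump host -> SCCM -> server) are covered.
    changed = True
    while changed:
        changed = False
        for manager, managed in manages:
            if managed in reasons:
                if manager not in reasons:
                    changed = True
                add(manager, f"manages Tier 0 host {managed}")
    return reasons


# ---- Constructed sample data (hypothetical, not from the post) ----
NOW = datetime(2017, 11, 18)
SAMPLE_DCS = {"dc01"}
SAMPLE_GROUPS = {
    "Domain Admins": {"alice", "Tier0-Ops"},   # nested group inside Domain Admins
    "Tier0-Ops": {"bob"},
}
SAMPLE_LOGONS = [
    Logon("ws-alice", "alice", NOW - timedelta(days=2)),    # recent DA logon -> Tier 0
    Logon("ws-old", "alice", NOW - timedelta(days=90)),     # outside the window -> not Tier 0
    Logon("srv-app", "bob", NOW - timedelta(days=5)),       # nested DA member -> Tier 0
    Logon("ws-carol", "carol", NOW - timedelta(days=1)),    # ordinary user -> not Tier 0
]
SAMPLE_SERVICES = [
    Service("srv-backup", "svc_backup"),   # non-admin service account -> not Tier 0
    Service("srv-sql", "bob"),             # service running as a DA -> Tier 0
]
SAMPLE_MANAGES = [
    ("sccm01", "srv-app"),        # patching server controls a Tier 0 host
    ("vcenter01", "dc01"),        # hypervisor hosts the DC
    ("jump01", "sccm01"),         # reachable only through the closure
    ("helpdesk-tool", "ws-carol"),  # manages a non-Tier 0 host only
]


def demo():
    return tier0_hosts(SAMPLE_DCS, SAMPLE_GROUPS, SAMPLE_LOGONS,
                       SAMPLE_SERVICES, SAMPLE_MANAGES, NOW)


if __name__ == "__main__":
    for host, why in sorted(demo().items()):
        print(f"{host}: {', '.join(sorted(why))}")
```

The closure step is what usually inflates the result the way the post describes: once management tools, virtualization hosts and the workstations used to administer them are pulled in, a large share of the estate turns out to be Tier 0, which is exactly the scope a tiering programme then has to shrink.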