Attack Paths are chains of abusable privileges and user behaviors that create direct and indirect connections between computers and users. They exist due to years of misconfigurations and a lack of visibility into how privileges are applied. Attack Paths cannot be patched through traditional methods because they are misconfigurations, not vulnerabilities.

SpecterOps built BloodHound Enterprise following the principles of Attack Path Management (APM). The primary goal of APM is to solve the Attack Path problem directly. APM is a fundamentally different, unique methodology designed to help organizations understand, empirically quantify the impact of, and eliminate Attack Path risks.
Customer Data Residency and Subprocessors

Customers may request that their tenant reside within one of the supported AWS regions below. Existing customers may request migration to an alternate region should residency needs demand.
United States: US-EAST-1 (Northern Virginia)
Canada: CA-CENTRAL-1 (Montreal)
Europe: EU-CENTRAL-1 (Frankfurt)
United Kingdom: EU-WEST-2 (London)
Australia: AP-SOUTHEAST-2 (Sydney)
Middle East: ME-CENTRAL-1 (UAE)
Additionally, BloodHound Enterprise utilizes Pendo to provide in-product tours and behavior monitoring. Customer data is not sent to Pendo. More information on Pendo’s data privacy, security policies, and certifications is available here.
BloodHound Enterprise is hosted within AWS, which holds a broad set of security certifications and is subject to regular third-party audits. AWS certifications include ISO 27001 and SOC 1 and SOC 2, among others.
BloodHound Enterprise is deployed in a single-tenancy model within AWS. Each customer environment is configured with its own database, API, and UI servers, and data is not commingled between customers.

Each tenant has unique authentication keys defined for authentication between services within the overall system.
Data backup occurs via Amazon EBS and Amazon RDS backup functionality. All backups are encrypted using the methods listed below in the Customer Data Security section.

All backups are retained for seven (7) days.
BloodHound Enterprise uses the available Amazon encryption functionality to encrypt all data at rest using AES-256 with an Amazon-managed key. This applies to all servers in the BloodHound Enterprise infrastructure. Backup snapshots use the same encryption mechanisms.

AWS security groups isolate each BHE installation; an installation's security groups permit no traffic to other customers' environments.

More information on EBS volume encryption can be found here.
Information specific to RDS volume encryption can be found here.
BloodHound Enterprise uses a shared AWS Application Load Balancer in front of the per-customer environments. The load balancer's TLS policy is set to ELBSecurityPolicy-TLS13-1-2-2021-06. With this policy, BloodHound Enterprise:
Accepts only TLS 1.2 and TLS 1.3 client connections; TLS 1.0 and 1.1 are rejected.
Does not support SSL renegotiation for client or target connections.
The Amazon certificate authority provides customer-facing TLS certificates. This CA is trusted by all major browsers and operating systems and includes:
RSA 2048 public key.
Automatic renewal on an annual basis.
Private keys are never exposed to SpecterOps. Amazon retains full control.
More information about the TLS certificates we use can be found here.
BloodHound Enterprise provides built-in authentication via username and password, with the option to enable TOTP-based multi-factor authentication.

Customers may additionally choose to enable SAML 2.0-based Single Sign-On to delegate authentication to an external identity provider such as Azure AD SAML, ADFS, or Okta. User access and role assignment are controlled within the BloodHound Enterprise product, and both SP-initiated and IdP-initiated authentication flows are supported.
BloodHound Enterprise does not lock an account out after failed login attempts. Instead, calls to the BloodHound Enterprise authentication API are limited to one call per second, which bounds online guessing to roughly 86,400 attempts per day; the product relies on this limit, rather than lockout, to make a brute-force attack impractical within a password's lifetime before rotation.

All other API endpoints are limited to 55 calls per second.
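To make the arithmetic behind that rate limit concrete, here is a per-client token-bucket limiter of the kind the paragraph describes, run over constructed login traffic. This is an added example, not BloodHound Enterprise code: it assumes one authentication call per second per client key with a burst of one, and the client keys, attempt timings and 90-day rotation period are made up for the simulation (the page does not say whether the real limit is keyed per source address, per tenant or per account).

```python
"""Per-client token-bucket limiter for an authentication endpoint.

Added example, not BloodHound Enterprise code. Assumes one authentication
call per second per client key with a burst of one; how the real service
keys its limit (per source IP, per tenant, per account) is not stated.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple


class TokenBucket:
    def __init__(self, rate_per_sec: float, burst: int, clock: Callable[[], float]):
        self.rate = rate_per_sec
        self.burst = burst
        self.clock = clock  # injected so the simulation below is deterministic
        self.tokens: Dict[str, float] = defaultdict(lambda: float(burst))
        self.last_seen: Dict[str, float] = {}

    def allow(self, key: str) -> bool:
        """Return True if this request may proceed to the password check."""
        now = self.clock()
        elapsed = now - self.last_seen.get(key, now)
        # Refill proportionally to elapsed time, never exceeding the burst size.
        self.tokens[key] = min(float(self.burst), self.tokens[key] + elapsed * self.rate)
        self.last_seen[key] = now
        if self.tokens[key] >= 1.0:
            self.tokens[key] -= 1.0
            return True
        return False


def simulate(attempts: List[Tuple[float, str]]) -> Dict[str, int]:
    """Replay (time, client_key) login attempts through a 1 req/s bucket and
    count how many attempts per client actually reach the password check."""
    now = [0.0]
    bucket = TokenBucket(rate_per_sec=1.0, burst=1, clock=lambda: now[0])
    passed: Dict[str, int] = defaultdict(int)
    for t, key in sorted(attempts):
        now[0] = t
        if bucket.allow(key):
            passed[key] += 1
    return dict(passed)


# Constructed traffic (hypothetical addresses): an attacker firing four
# guesses per second for three seconds, and a legitimate user retrying
# once every two seconds. Times are multiples of 0.25 s so they are exact.
ATTACKER = [(i * 0.25, "203.0.113.7") for i in range(12)]
USER = [(t, "198.51.100.9") for t in (0.5, 2.5, 4.5)]


def guesses_before_rotation(rate_per_sec: float, rotation_days: int) -> int:
    """Upper bound on online guesses the limiter lets through during one
    password lifetime; the rotation period is an assumption of this example."""
    return int(rate_per_sec * 86_400 * rotation_days)


if __name__ == "__main__":
    # The attacker's 12 guesses are cut to 3; the user is never throttled.
    print(simulate(ATTACKER + USER))
    print(guesses_before_rotation(1.0, 90))
```

The limiter is keyed per client, so the attacker's burst does not affect the legitimate user, but the bound it gives an attacker is 86,400 guesses per key per day, which is why the page pairs it with TOTP MFA or SSO rather than treating the rate limit alone as the control.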
All passwords are hashed using the Argon2id key derivation function with a unique, randomly generated 16-byte salt per password, as recommended for Argon2id. For more information on Argon2, see here.
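The storage pattern that paragraph describes, shown as an added example rather than BloodHound Enterprise code: a fresh random 16-byte salt per password, the cost parameters stored alongside the hash so they can be raised later, and a constant-time comparison on verification. Argon2id is not in the Python standard library, so this example substitutes hashlib.scrypt, another memory-hard KDF, for the derivation step; the scrypt cost parameters and the encoded-string layout are assumptions of this example, not the product's.

```python
"""Salted, memory-hard password hashing and verification.

Added example, not BloodHound Enterprise code. Argon2id is not in the Python
standard library, so hashlib.scrypt stands in for it; the per-password
16-byte random salt, stored parameters and constant-time compare are the
pattern being demonstrated, and the cost values below are assumed.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16                              # bytes; the salt length the page cites
N, R, P, DK_LEN = 2 ** 14, 8, 1, 32        # assumed scrypt cost parameters (16 MiB)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$n,r,p$<salt>$<hash>.

    A new salt is drawn from os.urandom for every call, so two users with
    the same password get unrelated hashes."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=DK_LEN)
    return "$scrypt$%d,%d,%d$%s$%s" % (N, R, P, _b64(salt), _b64(dk))


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the salt and parameters stored in the record and compare
    in constant time; any malformed record simply fails verification."""
    try:
        _, scheme, params, salt_b64, dk_b64 = stored.split("$")
        n, r, p = (int(x) for x in params.split(","))
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, TypeError):
        return False
    if scheme != "scrypt":
        return False
    actual = hashlib.scrypt(candidate.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def salt_of(stored: str) -> bytes:
    """Extract the salt from a record (used to check its length)."""
    return base64.b64decode(stored.split("$")[3])


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))   # True
    print(verify_password(record, "correct horse battery stapl"))    # False
```

With the argon2-cffi package the same pattern is one call: argon2.PasswordHasher() defaults to Argon2id with a 16-byte salt and returns an encoded string carrying its parameters, and its verify() method does the recomputation and comparison.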
BloodHound Enterprise undergoes annual penetration tests at a minimum.

Results from these tests can be made available upon request under NDA. All critical-, high-, and medium-risk findings have been remediated.
Operating system security patches are fetched daily and applied automatically. The rest of the BloodHound Enterprise infrastructure uses Amazon-managed services, which Amazon patches automatically.

We follow security mailing lists, RSS feeds, and similar sources, and periodically review CVEs in the supporting software used in BHE environments.
Only the BloodHound Enterprise infrastructure engineers maintain persistent access to BHE environments. All SpecterOps employees must pass criminal background checks as a condition of employment.

In some instances, select developers are granted temporary access to systems for debugging purposes. This activity is monitored and logged, and the access is revoked when the debugging session ends.