The challenges of securing Active Directory [Q&A]


As we saw in the recent SolarWinds attack, Active Directory can be exploited as a means of attacking corporate networks.

But why is AD such an attractive target? And why are companies struggling to secure it when it is hardly a new technology? We spoke to Carolyn Crandall, chief security counsel at Attivo Networks, to find out.

BN: Why is Active Directory difficult to secure, even though it has been around for decades?

CC: Active Directory (AD) protection is difficult to achieve because the environment is constantly changing. There are so many things IT and security teams need to do to secure it, from patching and hardening to cleaning up settings to reduce exposures. It is a vital part of an organization’s network, often described as the Achilles’ heel of CISOs. Protecting AD is a high-stakes game, as any attacker who accesses it can cause significant damage, which means AD security is a non-optional activity in today’s threat landscape.

Since AD is constantly changing, there is no easy way to fully understand or track every vulnerability or misconfiguration. The scale of AD is another issue with maintaining its security, but there is organizational complexity as well. When determining whether a company’s AD is healthy, AD admins tend to focus on making AD run smoothly in operational terms, but may not secure servers beyond following current best practices.

BN: Why are the attackers targeting AD?

CC: For nine out of ten Fortune 1000 companies, Active Directory is the key to their kingdom. AD is one of the most critical items to prioritize in the quest to protect identities, privileges, and access. CISOs and other security managers tend to view AD’s performance in assessing whether it is providing accurate and uninterrupted service. They often think of hardening servers and protecting other aspects of the perimeter as securing AD – and attackers know that. They also know that AD is the primary authentication and authorization mechanism for the business, making it a high-value, high-priority target.

For a large-scale attack, cybercriminals need AD control to create persistence or install new objects and backdoors. They can even encrypt AD as part of a ransomware attack, demanding money in return for normal operations. The majority of ransomware, insiders, and advanced attacks now include some form of AD exploitation. The exploitation of privileged access is an element in 80% of known security breaches.

BN: What is ransomware 2.0, and why is it a threat?

CC: Human-operated “Ransomware 2.0” attacks are more advanced and complex than standard ransomware. They bypass traditional security controls to take root initially, perform network discovery, search AD, move laterally, and identify high-value assets to target by encrypting critical data or gaining control of other assets. Detecting this movement is difficult and many companies struggle to detect this covert activity.

Because this type of ransomware is human operated, attackers can evade traditional endpoint protection or endpoint detection and response products that work by signature match or behavioral anomaly detection. Once the attackers have passed through these defenses, they will have free access to the network.

BN: How can organizations detect attacks before AD is compromised? How can they take preventative measures to protect AD?

CC: The most effective way to prevent criminals from gaining access to AD is to first remove any exposures or vulnerabilities they can exploit. Organizations can also apply cyber blackout, misdirection, and deception to effectively derail attackers during the discovery phase of an attack. Organizations can use advanced concealment technology to hide AD objects, credentials, files, folders, and shares, preventing an attacker from finding and accessing data. They can replace real data with bogus replicas, directing attackers to an engagement server for threat intelligence collection.

Additionally, if an organization creates decoy environments or assets, it can get attackers to engage with them rather than production assets. Once the decoy environment traps adversaries, organizations can analyze their behavior and gain valuable information to defend against future attacks. This capability makes it an ideal technology for increasing the security configuration of any business – and with more users than ever working from home, these lateral movement detection capabilities in the network are only becoming more and more important.

BN: What can organizations do to protect AD?

CC: The first step in creating a secure AD is to follow all the current best practices: track patches, strengthen controllers, establish secure AD policies, etc. CISOs should also search AD for exposures and settings that make them vulnerable to attack. Ensuring that you have the correct settings, policies, and configurations will help reduce the risk of successful attacks, such as Kerberoasting, an AD attack that exploits weak encryption and poor password hygiene for service accounts.

It is also a good idea to limit the number of permissions and delegated administrators called phantom administrators, privileged users who are not part of an AD security group and can operate with relative discretion. Identifying and locking out shadow administrator accounts and privileged account exposures are essential as they are prime targets for attackers and can give criminals the ability to expand their attack while evading detection.

CISOs also need to understand the network of permissions they have enabled and the rights that surround them. In AD, each object has an ACL to which user accounts can be added. Administrators can assign something as simple as the ability to change someone’s password to a specific user, but that won’t necessarily show up in a group. If attackers gain access to an account with enough permissions, they can elevate their privileges and confuse the issue. It becomes essential to gain visibility on the users who have such permissions and to limit these accounts to the fewest number reasonably possible.

Organizations need to protect themselves and detect Golden and Silver Ticket attacks, another way for an attacker to gain domain control. Additionally, they will want to protect themselves against Kerberoasting, DCSync, and DCShadow attacks which are also difficult to identify but have material consequences if they don’t prevent or stop them quickly.
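Two of the exposures this answer names, Kerberoastable service accounts and shadow administrators who hold per-object ACL rights such as password reset, can be audited from the defender's side with the RSAT ActiveDirectory module. The script below is an added example, not code from the interview or from Attivo Networks; the function names, the list of "known admin" groups and the 365-day password-age threshold are assumptions, and it only needs read access to the domain.

```powershell
# Added audit example (not from the interview or Attivo Networks). Assumes the RSAT
# ActiveDirectory module and domain read access; group list and thresholds are assumptions.
Import-Module ActiveDirectory
$ADR = [System.DirectoryServices.ActiveDirectoryRights]
$knownAdminGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')
$maxPasswordAgeDays = 365                                          # assumed rotation policy
$resetPasswordGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529' # "Reset Password" extended right

# 1. Kerberoasting exposure: any user with an SPN can have a service ticket requested for it;
#    an RC4-only account (no AES keys) with a stale password is an offline cracking target.
#    msDS-SupportedEncryptionTypes bits: 0x8 = AES128, 0x10 = AES256; unset = RC4 only.
function Get-KerberoastableExposure {
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
               -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $aes = ([int]$_.'msDS-SupportedEncryptionTypes' -band 0x18) -ne 0
        $age = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { -1 }
        if (-not $aes -or $age -lt 0 -or $age -gt $maxPasswordAgeDays) {
            [pscustomobject]@{ Account = $_.SamAccountName; AESEnabled = $aes
                               PasswordAgeDays = $age; SPNs = ($_.servicePrincipalName -join ';') }
        }
    }
}

# 2. Shadow administrators: principals outside the well-known admin groups holding Reset
#    Password or full-control rights on user objects via per-object ACEs. These grants do not
#    appear in any group membership listing, so the ACLs have to be read directly.
function Get-ShadowAdminExposure {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $ignoreSids = @(foreach ($g in $knownAdminGroups) { (Get-ADGroup $g).SID.Value }) + @('S-1-5-18', 'S-1-5-10')  # SYSTEM, SELF
    Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
        $target = $_.SamAccountName
        (Get-Acl -Path ("AD:\" + $_.DistinguishedName)).Access | ForEach-Object {
            if ($_.AccessControlType -ne 'Allow') { return }
            $r = $_.ActiveDirectoryRights
            $isReset = $r.HasFlag($ADR::ExtendedRight) -and ($_.ObjectType -eq $resetPasswordGuid)
            $isFull  = $r.HasFlag($ADR::GenericAll) -or $r.HasFlag($ADR::WriteDacl) -or $r.HasFlag($ADR::WriteOwner)
            if (-not ($isReset -or $isFull)) { return }
            try   { $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $_.IdentityReference.Value }
            if ($sid -in $ignoreSids) { return }
            [pscustomobject]@{ Target = $target; Grantee = $_.IdentityReference.Value
                               Rights = "$r"; Inherited = $_.IsInherited }
        }
    }
}

Get-KerberoastableExposure | Format-Table -AutoSize
Get-ShadowAdminExposure    | Sort-Object Grantee, Target | Format-Table -AutoSize
```

Inherited entries usually come from the default security descriptor on the domain or an OU, so review the non-inherited rows first; each remaining grantee is a candidate for removal or for being moved into a monitored, tiered admin group.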

Image credit: donscarpo /
