Authored by: Carolyn Crandall, Chief Security Advocate and CMO, Attivo Networks – The new year is in just its third month, but large-scale cyberattacks have already made headlines worldwide. Research continues to reveal new fallout from the SolarWinds attack, and the world is bracing for the full scope of the Microsoft Exchange attack. Cybersecurity professionals and governments have both paid a tremendous amount of attention to these recent attacks—as they should—and particularly to why they continue to be so challenging to avoid, detect, and remediate.
During the recent congressional hearings on the SolarWinds fallout, the testimony from industry leaders has been equal parts enlightening and troubling. Witnesses repeatedly pointed to lateral movement, privilege escalation, and poor credential management as the Achilles' heel of many businesses. Failure to adequately protect Active Directory and other vulnerable, high-value network assets has made it easier for intruders to move through the network and escalate their privileges. Live attack detection is increasingly critical, and SIEMs and log management are no longer capable of getting the job done on their own.
Understanding How Widespread Attacks Happen
The SolarWinds attack affected more than just SolarWinds. The attack reportedly exposed 18,000 customer organizations that downloaded updates of its Orion software, and roughly 100 different companies were directly impacted when the attackers entered their networks through the compromised SolarWinds software. During the congressional hearings, FireEye CEO Kevin Mandia offered a simple description: the SolarWinds attack was like a burglar who wants to break into a single apartment but manages to turn off the alarm system for every building in the city. It’s a useful metaphor for understanding what happened and how the attack became so widespread. Qualys also suffered a recent ransomware attack. While the impact on its 19,000 customers—many of whom are financial institutions—is not yet fully understood, it further emphasizes the potential for widespread disruption.
Vulnerability exploitation recently overtook phishing as the #1 attack vector, underscoring the need for detecting lateral movement today. NIST has issued guidance on cyber resiliency and updated its cybersecurity framework, much of which centers on instrumenting the network environment to detect these attacks while they are taking place—and before they can do too much damage. Some have described the SolarWinds attack as “impossible to detect.” While we still don’t know precisely how the culprits initially infiltrated the SolarWinds network, the organization could have detected the attack had it been looking for signs of lateral movement. Even when attackers hold backdoors into their systems, organizations can equip themselves with technology to detect lateral movement or signs that an attacker is attempting to escalate their privileges.
Organizations will want to focus on protecting their Active Directory environments and gaining visibility into exposed credentials as well as vulnerable ports and services. It’s critical to remember that no matter how much an organization invests in preventative cybersecurity measures, a determined adversary will inevitably find a way into the network. Promptly detecting lateral movement and attempts to exploit Active Directory is critical and will limit an intruder’s impact.
Protecting Active Directory
Over 90% of F1000 organizations use Active Directory (AD) to control access and deliver services, and with privileged access used in over 80% of attacks, protecting it is essential. Unfortunately, there are many challenges in protecting AD, the first of which is ownership. AD tends to fall under the CIO side rather than the security side, which makes implementing security controls a challenge—and that’s before even getting into the issue of legacy policies. AD is also a system that administrators are reluctant to change for fear of disrupting operations. Furthermore, common issues like entitlement creep and overprovisioning are headaches for many different departments, and they all add to AD’s exposure. Problems like orphaned and otherwise invisible credentials also pose a considerable threat if they fall into the wrong hands. In short, AD is both a high-value target for attackers and an exceptionally vulnerable one—not an ideal combination.
To do its job, AD has to interact with everything in the environment, from applications and API keys to users, administrators, and shares. It holds knowledge of the entire network environment, yet it does not proactively report on its own exposures, and that makes detecting live attacks against AD difficult. Many of the attack tactics used by adversaries in these large breaches, such as DCSync, DCShadow, or Golden Ticket attacks, are very difficult to detect.
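As an added example (not from the article or from Attivo's products), the following detection logic flags DCSync-style replication requests by scanning Windows Security event 4662 records for the two directory-replication control-access rights and excluding accounts that are expected to replicate; the flattened key=value log format, the sample lines, and the allowlist are constructed assumptions.

```python
import re

# Well-known extended-right GUIDs; holding both lets an account replicate directory secrets.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample in an assumed flattened "Key=Value; Key=Value" form (not the native
# event XML): a domain controller replicating normally, a regular user requesting both
# replication rights, an unrelated object access, and a non-4662 logon event.
SAMPLE_LOG = [
    "EventID=4662; SubjectUserName=DC02$; SubjectDomainName=CORP; AccessMask=0x100; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=jsmith; SubjectDomainName=CORP; AccessMask=0x100; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=svc_backup; SubjectDomainName=CORP; AccessMask=0x100; "
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624; SubjectUserName=jsmith; SubjectDomainName=CORP; LogonType=3",
]
# Constructed allowlist: DC computer accounts plus any service account expected to replicate.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_example"}

def parse_event(line):
    """Parse one flattened audit line into a dict; fragments without '=' are skipped."""
    event = {}
    for kv in line.split(";"):
        key, sep, value = kv.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event

def replication_rights_in(event):
    """Return the replication-right GUIDs present in a 4662 event's Properties field."""
    if event.get("EventID") != "4662":
        return set()
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return guids & REPLICATION_RIGHTS

def find_dcsync_candidates(lines, expected_replicators):
    """Return (account, domain, rights) for replication requests from unexpected accounts."""
    findings = []
    for line in lines:
        event = parse_event(line)
        rights = replication_rights_in(event)
        account = event.get("SubjectUserName", "")
        if rights and account not in expected_replicators:
            findings.append((account, event.get("SubjectDomainName", ""), sorted(rights)))
    return findings
```

Event 4662 only records these rights when Directory Service Access auditing is enabled and the domain object's SACL audits the replication control-access rights, so verify that configuration before relying on this logic.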
This isn’t to say that maintaining least privilege or monitoring logs isn’t important. The point is that these methods can be error-prone and inefficient and do not detect attacks in real time. To take a more proactive security posture, organizations will want to add the ability to assess AD continuously. Tools like Attivo’s ADAssessor can provide this visibility without ever touching the AD infrastructure or the domain controllers. It can identify over 70 AD vulnerabilities and misconfigurations while providing a wide range of organized information that allows network security teams to clean up the environment before an adversary can successfully breach it. ADSecure provides complementary capabilities by intercepting AD queries from intruders and responding with disinformation, which both slows down the attack and alerts the defenders to the presence of an intruder. This capability is highly efficient since it works from the endpoint and doesn’t require any elevated privileges. Finally, the ThreatPath component allows defenders to find shadow admins, clean up orphaned and misconfigured credentials, and understand where the adversary could gain domain access. Now, when an incursion happens, it is easier than ever to detect the intruders and remove them from the network while gaining valuable adversary intelligence.
Moving Forward with AD Security
Organizations expect Active Directory to work and deliver uninterrupted services, which makes it intrinsically insecure. Recent events have highlighted the devastating impact that occurs when adversaries can exploit it to escalate their privileges, change security policies, and download malware for ransomware attacks. By compromising AD, attackers give themselves the keys to the network kingdom. Fortunately, products offered by Attivo have provided defenders with reliable and effective tools to surface vulnerabilities, detect live attacks, and keep AD secure. I encourage you to get a demo to see how easy and effective they are. To date, we have found that every customer trial has surfaced surprises that no other existing tool had been able to uncover.