Written by: Joseph Salazar, Technical Marketing Engineer
As organizations transform to take advantage of new cloud offerings and remote work increasingly becomes the norm, it is no surprise that many are choosing to host their Active Directory (AD) infrastructure in the cloud. AWS, Azure, and Google Cloud Platform all offer managed AD hosting. These options allow organizations to authenticate remote and on-premises users against their enterprise directory and to use it for federated authentication and authorization. What’s more, cloud-hosted AD makes it easier for organizations to manage single sign-on authentication and authorization for both enterprise and cloud-based applications.
Organizations host AD in the public cloud for various reasons: providing virtual desktops, supporting a remote workforce, supplying domain services to Windows Servers running in the cloud, deploying domain-joined RDP jump servers there, and many more. Hosting AD in the cloud does not reduce the security risks that organizations must address to protect their enterprise networks. Therefore, they should implement cloud-specific security controls, such as Cloud Access Security Brokers (CASB), Cloud Workload Protection Platforms (CWPP), or Cloud Security Posture Management (CSPM), on top of the traditional AD security measures they already employ. However, while these controls secure the infrastructure, they do not necessarily protect the AD data itself, which is what threat actors target.
AD is the authoritative directory of users, computers, groups, and services for the enterprise and provides seamless integration across business applications. As such, it is a primary target for attackers that have infiltrated the network. It authenticates users and services, and any domain-joined host can read most of it, so it contains all the information attackers need to expand their access, establish persistence, elevate privileges, move laterally, and identify targets to attack.
To protect against such attack activities, organizations need a solution that can detect malicious queries and derail the attackers. The Attivo Networks ADSecure solution addresses this specific need.
How attacks on Active Directory are conducted:
- Attackers generally begin by gaining an initial foothold on a single internal system.
- They then check the local host for useful data and conduct reconnaissance and discovery activities to gather intelligence.
- They query AD, check for user privileges, identify net sessions to high-value targets, and look for paths to high-privileged users, collecting the information they can use to progress their attacks. Any domain-joined system can query AD, regardless of whether it is on-premises or in the cloud.
- Attackers enumerate sensitive or essential objects, such as domain administrator accounts, service accounts, or domain controller information, to select what to exploit next.
- They request service tickets for accounts that have service principal names and crack them offline (Kerberoasting); once they obtain the krbtgt key or a service account’s key, they can forge golden tickets or silver tickets respectively.
- They can query for service principal names to target particular servers and services.
- They can enumerate the members of security groups, such as Domain Admins, as likely targets for privilege escalation.
- Then they move laterally to a domain administrator’s system to steal domain administrator credentials and then move on to the domain controller, where they often create other high-privileged accounts with access to maintain persistence.
- From there, they can move laterally to exploit high-value targets.
With the Attivo Networks ADSecure solution, organizations gain security for cloud-hosted and on-premises AD without interfering with the production domain controllers.
- The solution looks for unauthorized AD queries that indicate an attack, or at the very least unauthorized activity.
- When the solution detects such activities, it hides the sensitive or critical AD objects.
- It then returns fake object information that misdirects the attackers away from those vital assets while generating an alert on their activities.
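The reconnaissance queries listed above and the detect-then-misdirect behavior described here can both be made concrete with a short example. The block below is an added example, not Attivo Networks code and not a description of how ADSecure is implemented: it classifies LDAP search filters against AD as reconnaissance (SPN enumeration, privileged-group membership, domain controller discovery, AS-REP roasting candidates, AdminSDHolder sweeps), treats them as unauthorized unless the bound account is on an allowlist, and, for a flagged privileged-group query, substitutes decoy members for the real result set. The query records, host names, account names, decoy DN, and the record layout are all constructed for this example; a real deployment would take the same fields from domain controller LDAP audit logging or a network sensor.

```python
"""Classify LDAP queries against Active Directory as reconnaissance and
substitute decoy results for flagged privileged-group lookups.

Added example; the data and field layout are constructed, not a product log format.
"""
import re
from dataclasses import dataclass


@dataclass
class LdapQuery:
    client: str         # host that issued the query
    account: str        # account the LDAP bind used
    base_dn: str
    ldap_filter: str
    attributes: tuple = ()


# Constructed sample records: one workstation running the enumeration sequence
# an attacker typically issues, one monitoring service account, one benign lookup.
SAMPLE_QUERIES = [
    LdapQuery("ws-finance-07", "CORP\\j.doe", "DC=corp,DC=local",
              "(&(samAccountType=805306368)(servicePrincipalName=*))",
              ("sAMAccountName", "servicePrincipalName")),
    LdapQuery("ws-finance-07", "CORP\\j.doe", "DC=corp,DC=local",
              "(&(objectCategory=group)(cn=Domain Admins))", ("member",)),
    LdapQuery("ws-finance-07", "CORP\\j.doe", "DC=corp,DC=local",
              "(userAccountControl:1.2.840.113556.1.4.803:=8192)", ("dNSHostName",)),
    LdapQuery("ws-finance-07", "CORP\\j.doe", "DC=corp,DC=local",
              "(&(samAccountType=805306368)"
              "(userAccountControl:1.2.840.113556.1.4.803:=4194304))",
              ("sAMAccountName",)),
    LdapQuery("dc01", "CORP\\svc-monitor", "DC=corp,DC=local",
              "(&(objectCategory=group)(cn=Domain Admins))", ("member",)),
    LdapQuery("ws-hr-02", "CORP\\a.smith", "DC=corp,DC=local",
              "(&(objectCategory=person)(sAMAccountName=a.smith))", ("mail",)),
]

# (rule name, regex applied to the lower-cased filter, what the query enumerates).
# 8192 = SERVER_TRUST_ACCOUNT, 4194304 = DONT_REQ_PREAUTH (userAccountControl bits);
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
RECON_RULES = (
    ("spn_enumeration", r"serviceprincipalname=\*",
     "every account with an SPN, i.e. the Kerberoasting target list"),
    ("privileged_group_members", r"cn=(domain|enterprise|schema) admins",
     "membership of a built-in high-privilege group"),
    ("domain_controller_discovery", r"useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:=8192",
     "accounts with SERVER_TRUST_ACCOUNT set, i.e. domain controllers"),
    ("asrep_roast_candidates", r"useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:=4194304",
     "accounts without Kerberos pre-authentication"),
    ("admincount_sweep", r"admincount=1",
     "objects protected by AdminSDHolder"),
)

# Accounts whose recon-shaped queries are expected (monitoring, backup, the DCs
# themselves). Constructed for this example; in practice this list is the hard part.
AUTHORIZED_QUERY_ACCOUNTS = {"corp\\svc-monitor"}

# Decoy object returned instead of real Domain Admins members. Constructed DN.
DECOY_MEMBERS = ("CN=svc-backup-admin,OU=Service,DC=corp,DC=local",)


def classify(query):
    """Return the names of every recon rule the query's filter matches (empty = benign)."""
    f = query.ldap_filter.lower()          # LDAP attribute names are case-insensitive
    return [name for name, pattern, _ in RECON_RULES if re.search(pattern, f)]


def is_unauthorized_recon(query):
    """Recon-shaped filter from an account that is not expected to issue it."""
    return bool(classify(query)) and query.account.lower() not in AUTHORIZED_QUERY_ACCOUNTS


def triage(queries):
    """Group flagged queries by (client, account) so a host that runs the whole
    enumeration sequence is reported once, with every rule it tripped."""
    findings = {}
    for q in queries:
        if is_unauthorized_recon(q):
            findings.setdefault((q.client, q.account), set()).update(classify(q))
    return findings


def respond(query, real_results):
    """Answer a query: flagged privileged-group lookups get decoy members,
    everything else gets the real result set."""
    if is_unauthorized_recon(query) and "privileged_group_members" in classify(query):
        return list(DECOY_MEMBERS)
    return list(real_results)


if __name__ == "__main__":
    for (client, account), rules in triage(SAMPLE_QUERIES).items():
        print(f"{client} as {account}: {', '.join(sorted(rules))}")
    print(respond(SAMPLE_QUERIES[1], ["CN=Administrator,CN=Users,DC=corp,DC=local"]))
```

Two caveats a practitioner should keep in mind. First, filter-pattern matching is only a triage heuristic: the same information is reachable through SAMR, the NetSessionEnum RPC, or ADWS rather than LDAP, so the decision that matters is who is asking from where, not the filter text alone. Second, any decoy substitution must never be applied to authorized callers, since serving fake group membership to a backup or monitoring account breaks production; the allowlist is where most of the engineering effort goes.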
Organizations gain the power to conceal valuable enterprise resource information, the insight to reduce the attack surface, and the control to alter what the attacker sees as a means to slow and deter attacks. When used in conjunction with a ThreatDefend platform decoy deployment, the fake data misdirects the attackers to an engagement environment with decoy systems for interaction, giving defenders the ability to control their paths. The decoys then gather attack activity (Tactics, Techniques, and Procedures – TTPs) and company-specific threat intelligence to accelerate incident response.
Losing control of AD to attackers is a devastating scenario for any organization. While moving AD to the cloud increases flexibility, it also increases the attack surface and provides attackers with the opportunity to access the AD controllers hosted there. Organizations that wish to take advantage of this flexibility should look at the ADSecure solution from Attivo Networks to effectively and reliably protect their cloud AD deployment.