Written by: Vikram Navali, Senior Technical Product Manager – Over the last couple of months, the news has reported many cyberattacks, a dire warning for organizations to prepare or become victims of a breach. According to the Verizon Data Breach Investigation Report (DBIR), over 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. It is not altogether possible to prevent credentials from getting compromised. However, understanding the addressable attack surface and implementing security controls is a holistic approach that makes it difficult for an adversary to compromise one’s network.
So, what is an addressable attack surface?
An addressable attack surface is any exposed system an attacker can compromise or exploit to perform lateral movement. It includes vulnerabilities or misconfigurations in member systems of an Active Directory environment. These can include items such as misconfiguration, inadequate access controls, or credential exposures.
To significantly reduce the addressable attack surface available for malicious activity and restrict lateral movement, organizations must answer the following key questions.
Does my organization have visibility into its attack surface?
Better visibility into lateral attack paths results in a smaller attack surface. Many organizations today lack visibility to east-west traffic. Once attackers compromise an endpoint, they can target the organization’s addressable attack surface.
The Attivo Networks ThreatPath solution provides visual graphs to the paths an attacker would traverse through the internal network based on misconfigured systems and misused or orphaned credentials.
Do I know (at this very moment) if my privileged credentials are exposed on systems where they should not be?
The Microsoft Vulnerabilities Report 2021 (published by BeyondTrust) found that privilege escalation accounted for the most significant proportion of total Microsoft vulnerabilities (44%). Privilege escalation is a vital stage of the cyber kill chain and typically involves exploiting a bug, misconfiguration, or poor access control in an operating system or software application.
Attackers gain a higher level of permission and move laterally to access critical organizational data. Attackers query Active Directory from compromised endpoint to extract information on privileged domain accounts and other high-value objects.
The Attivo ThreatPath solution provides continuous assessment of endpoints on the network and alerts security teams on exposed privileged credentials to take appropriate actions.
Do I know exposures related to who has domain credentials and access to the sensitive data?
Once inside the network, attackers move from endpoint to endpoint, gathering valid user credentials using keyloggers, brute force attacks, or stealing memory-resident or stored hashes. Their goal is to escalate their privileges to domain administrator credentials and get complete control of the domain. Organizations must enforce who precisely has the correct permissions to access sensitive data, what they can access, and when.
ThreatPath identifies the exposures and then identifies critical paths based on saved credentials. Understanding exposures, specifically the attacker’s path, is vital to know what impact the attack will have on the organization.
Could someone copy a file and gain access to a high-value asset from a misconfigured network share?
Endpoint misconfigurations are another vulnerability—attackers leverage stored or orphaned credentials to move from a compromised endpoint to other systems in the network. If there are any overlooked misconfigurations, it may result in unnecessary risk and increases the attacker’s likelihood of success.
The ThreatPath solution remediates misconfigurations and exposed credentials by removing the corresponding saved credentials, shared folders, and vulnerabilities.
Has someone in my network modified a configuration for convenience or automation that has introduced risk and created unwanted paths for attackers?
Attackers leverage stored or orphaned credentials or endpoint policy misconfigurations to move from endpoint to endpoint. The Attivo ThreatPath solution provides continuous attack path vulnerability assessment for likely lateral movement avenues that an attacker would take to compromise a network based on misconfigured systems and misused or orphaned credentials. Additionally, organizations can configure policies in the ThreatPath solution to remediate exposed later movement paths to high-value assets.
Could there be service accounts added to Domain Privileged Groups or with delegated admin privileges?
Organizations often mismanage Active Directory permissions and are not always cautious enough to update the necessary Access Control Lists (ACL). One should understand the security implications of assigning the correct privileged permissions in the organization.
Any Administrators, Domain Admins, or Enterprise Admins group members, and Domain Controller computer accounts, can perform a DCSync attack to access credentials and other sensitive information. Every organization must know exactly which service accounts in their network have delegated permissions and take appropriate actions.
Are the access keys to my cloud instances (such as AWS) safe? Could they be on systems susceptible to adversary intrusion or just a hop away from another vulnerable system?
The FireEye Mandiant M-Trends 2020 report found that most AWS intrusions begin with compromised credentials, usually in the form of AWS access keys or identity and access management (IAM) user passwords. Attackers steal AWS access keys from compromised endpoints and break out to the cloud infrastructure. The ThreatPath solution detects AWS access keys stored on endpoints and alerts on potential attack paths.
Cyberattacks are not wholly avoidable, but one can limit the opportunities available to attackers. Preparing to answer the questions outlined above can help every organization build a robust cybersecurity strategy that keeps cybercriminals outside the network’s perimeter.
For additional information, please visit https://attivonetworks.com/product/threatpath-attack-path-vulnerability-assessment/.