Written by: Tony Cole – CTO, Attivo Networks – When you built your security strategy was Active Directory a critical component of it? If not, you’re likely part of the majority and not the minority.
Active Directory (AD) is a primary source of entry for attackers, The reason? It’s an easy target. In fact, earlier this year Mandiant reported that 90% of the attacks they investigate involved AD in some fashion. That’s a scary number since AD is also reportedly used by over 90% of enterprises across the globe. So, AD is widely used by organizations and is also widely used by attackers. Then why aren’t more security teams laser-focused on this challenge? That’s a good question. Let’s break it down.
Why is AD a frequent target of attackers? Of course, one of the primary reasons is that enterprise environments often standardize on Microsoft Windows systems. AD is out there in those environments most of the time. It is also typically massive in size, extremely complex, and requires significant expertise to manage and run this identity system. AD is also critical to companies that utilize it since it is their map and global positioning system for finding and authenticating to most resources. It also provides identities for users, non-users, and anything requiring an identity in the enterprise. Many enterprises simply consider AD as plumbing, something critical that you put in place and then never mess with for fear of breaking something. You can likely already see why attackers go after it frequently. If an attacker can get onto an endpoint and capture the credentials, they can use them to search for resources across the enterprise such as computers, servers, printers, files, applications, shares, and much more.
What we often see is an attacker breaks into an initial endpoint and then uses the stolen credentials to find more stored credentials allowing them to move laterally without detection. Quite often they query AD to find out who the domain administrators are and then begin their work to elevate their privileges to the level needed to exfiltrate the data they seek. In the case of ransomware, they also want to ensure they encrypt the most important systems to ensure the victim is willing to pay up to get their keys to the castle back. What happens if an attacker takes over a domain controller? It’s game over for the targeted enterprise.
What can we do about it?
First, put AD into your list of high value assets if it isn’t already on that list. Those crown jewels should be your highest priority to protect since most enterprises can’t operate without them. If you don’t own identity you need to tackle that problem. Identity should be a critical component of your security strategy so if you can’t move it into your area of responsibility, then ensure you build a solid relationship with the team that does own it and help advise them on keeping it locked down and as secure as possible.
Second, your security controls should carry a focus on AD. You need security controls that help monitor AD looking for the creation of new accounts, the escalation of privileges of existing accounts, and activity that isn’t normal for your users.
Third, monitor AD for security misconfigurations and potential attack paths. Looking inside AD frequently for these issues allows you to clean up any bad misconfigurations and often shows attack paths the adversary could take through AD.
Fourth, look for over-provisioning of entitlements to users and non-users alike. Many AD structures have given unneeded and unused entitlements to most employees. They may not even know about their own permissions. Unfortunately, that doesn’t matter if an attacker steals that users’ credentials. Once they break in, they will quickly determine what they have for entitlements with the stolen credentials and determine based on that information what else they need to accomplish their goal. Then it’s on to AD to elicit more information.
Fifth, add AD to your cybersecurity hygiene program. Once you get it cleaned up, AD must be maintained to ensure you provide as small an attack surface to an adversary as possible.
These steps will get you on your way to cleaning up AD hopefully before any attack. If you don’t own AD, then build the relationships with the business unit owner that does own it and advise them on how to lock it down.
Is this problem difficult to solve? Not really. New tools have started to have a significant impact on reducing threats to AD by leading attackers away from it and capabilities to clean it up and keep it that way. Identity Detection and Response (IDR) is a good way to categorize this effort. Our Attivo Networks solutions in this space leveraged our deep experience in privilege escalation and lateral movement to add additional capabilities around identity. Today we offer:
- ThreatStrike for protection against credential theft and misuse
- ThreatPath for attack path visibility and attack surface reduction
- ADSecure for detection of unauthorized activity and attacks on Active Directory
- ADAssessor for continuous visibility to exposures with Active Directory and activities that would indicate an attack
- IDEntitleX for end-to-end visibility to cloud entitlement (CIEM) exposures
This set of solutions can help take you a long way towards minimizing your attack surface and help your team better understand the criticality of protecting identities across the enterprise.
Come listen to a fireside chat with Chipotle CISO, Dave Estlick, and me at the Retail & Hospitality ISAC Summit on September 28th where we’ll discuss ‘Looking Through the Eyes of an Attacker: Targeting Active Directory in the Retail Industry’.