Written by: Marc Feghali, VP of Product Management

Microsoft launched Active Directory (AD) in the late 90s, and it quickly became the standard in the identity management market. For any company, AD is the crown jewel of its IT infrastructure, as inside AD resides a complete list of all the users, machines, logical groupings, and privileges. This confluence of information is compelling, and it enables modern operations and user experiences at work, in transit, or at home offices. Other programs also leverage AD to determine users' access and level of privilege.
By design, AD holds and shares information on the network to regulate users and machines accessing the company’s resources. It is also vital to remember that every computer on the company’s network can talk to (has access to) AD, making it a common target for attackers. Once attackers have access to AD, they can quickly identify and target the endpoints that have access to information of interest.
The race started to compromise any machine inside the network to use as a pivot point against AD, and the techniques of initial compromise evolved from worms to targeted phishing attacks. The goal remained the same: to use the initially compromised system to move laterally, compromise AD, and from there get the proverbial “keys to the kingdom.” The challenge of securing AD is further complicated when considering insider attacks.
Even after implementing best practices to secure AD, and layering security solutions to address different attack vectors and methods, attackers can still compromise networks and get to sensitive data. Every security practitioner’s nightmare is to have a vulnerable/compromised AD, which explains why almost every red team test includes trying to access it.
Besides implementing best practices, running red team exercises, making sure one has implemented the “right” security solutions, and keeping network and security hygiene up to date, what else is there to do?
Well, how about implementing a foundational technology that turns the tables on the attackers and exposes them at the very beginning stages of an attack? What if this solution can detect the initial query against AD, block it, and feed the attacker false data? What if the solution can do that without ever touching the production AD? What if the solution can present the attacker with machines to infect safely away from the network and capture their signatures and intent? What if this solution is entirely invisible to the production network and does not interfere with regular operations? Such a solution exists today with the Attivo ThreatDefend® and EDN solutions.
The solution proved itself during a test at a multinational bank that was running a third-party red team test. Typically, the customer would have some uncomfortable conversations at the end of previous exercises, so they deployed the Attivo solution for their most recent evaluation to better their odds of a successful result. After three days of the red team thinking they had compromised the production AD, the bank had to step in and tell them to stop wasting their time and focus on something else. The Attivo deception fabric ensnared the red team from the very start of the attack. Needless to say, the bank was more than satisfied with their evaluation results.
To learn more about this instrumental solution, please contact us at https://attivonetworks.com/contact/ or request a demo here: https://attivonetworks.com/request-demo/.