Written by: Kevin Finch, Global Security Strategist, WWT and Tony Cole, Chief Technology Officer, Attivo Networks
Microsoft Active Directory (AD) is adopted by more than 90% of Fortune 1000 customers today. The role that Active Directory plays within an enterprise architecture ranges from Domain Services to Rights Management, with several other roles in between. The portfolio of services Active Directory offers our customers today is key to enabling appropriate access to business-critical assets. AD has long served as the “center gear” that many enterprises rely on to authenticate users and applications and grant them rights. As customers embrace and accelerate their journey to the cloud, Azure AD will become a critical component for web-based services within a much broader architecture.
The argument can be made that Active Directory Domain Services is the enterprise equivalent of the personal contact list on your mobile device. Take a moment to ask yourself what would happen if the integrity or availability of that information were compromised. It would be quite disruptive to your productivity and to how you work. Much like the personal contact list, many enterprise systems are heavily dependent on Active Directory and Azure AD. Having this environment compromised or exposed could lead to very dire outcomes, such as access to privileged credentials, unauthorized access to critical systems or the loss of critically sensitive data. Given the importance of Active Directory and Azure AD, there has been a rise in the number of cyberattacks targeting a company’s Active Directory environment.
From reconnaissance to discovery, enterprises face the challenge of protecting and securing their Active Directory environment. As we can imagine, AD security doesn’t always make its way to the top of the priority list for security teams. Security has changed dramatically in the two decades since Microsoft’s release of Active Directory in 2000. The question now becomes what an effective security strategy looks like for an enterprise’s Active Directory environment.
Attivo’s Tony Cole:
Active Directory attacks really are all the rage now. If you look at the last few years, some of the largest publicly disclosed attacks worldwide have involved AD in some fashion. Take NotPetya, for instance, which had a significant impact on companies around the globe, especially in some well-documented cases where it caused companies to come to a complete halt, such as a well-known business conglomerate in the transport, logistics and energy sectors. After finding credentials stored in memory during the initial phases of the attack, it used the information in AD to spread quickly, encrypted AD and wiped boot records on endpoints. It completely put the network out of service and stopped all IT operations. This attack literally put a fifth of the world’s shipping capacity out of service. Losses were estimated at $1.3 billion. This was only one company out of many affected by this attack.
AD credential theft and then related AD enumeration are common components of attacks that are used by criminals and nation-states alike and require additional protection. Even AD misconfigurations can lead to an open door for attackers. Attacks from APT actors 28, 29, 32, and 33, just to name a few, all involved AD.
So what can we do? Enter the Attivo Networks ADSecure solution.
ADSecure is actually an easy-to-understand defense capability, as it sits at every endpoint and responds to queries that are attempting to harvest AD data from an unauthorized system. The solution counters the AD attack by replying with deceptive data, hiding the privileged credentials, and altering real credential values. This leads the attacker into the Attivo Networks deception environment, where the system safely studies the attack and collects threat intelligence. Now with ADSecure, organizations can efficiently misinform even advanced attacks (APTs) and divert their lateral movement at the endpoint to decoys. Utilizing the ThreatDefend platform also allows for safely studying the attack, where you gather Tactics, Techniques, and Procedures (TTPs), along with specific attack-related threat intelligence to be used throughout your enterprise. A game-changer.
There is no debate on the importance of Active Directory and Azure AD. The absence of these services affects the availability of all the other IT services around them. The conversation now has to be about the right approach to securing this environment.
The World Wide Technology and Attivo Networks partnership allows our customers to answer these types of questions. The WWT Advanced Technology Center (ATC) can be used to explore next-generation technology, such as Attivo’s ADSecure, as a logical place to start the conversation. WWT can also work with Attivo Networks to demonstrate the entire deception platform. Visit the WWT Attivo Networks Deception lab to learn more.