MY TAKE: Microsoft’s Active Directory lurks as a hackers’ gateway in enterprise networks

Many of our online activities and behaviors rely on trust. From the consumer side, for example, we trust that the business is legitimate and will take care of the sensitive personal information we share with them. But that level of trust goes much deeper on the organizational side.

Related: The case for ‘zero-trust’ authentication

Employees are given credentials that allow them authorized access to corporate networks and databases. IT leadership has to trust that those credentials are used properly.

That need for trust also makes credentials one of the most difficult areas to secure. When someone is using the right user name and password combination to gain access, it is very difficult to tell whether the user is legitimate or a bad guy. That is why credential theft has become a lucrative attack vector for cybercriminals, with credential stuffing attacks compromising billions of accounts last year.

Credential theft has led to a rise in attacks on a tool that’s pervasively used in companies running Microsoft Windows-based networks. That tool is Active Directory. And because Active Directory is an almost universally used tool in enterprise settings, it has, quite naturally, emerged as a favorite target of threat actors.

I had the chance to sit down with Rod Simmons, vice president of product strategy at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data, to discuss this at RSA 2019. For a full drill down, listen to the accompanying podcast. Key takeaways:

Networking enabler

Active Directory provides two key networking enablers to an organization: authentication, or the ability to log on to gain access to business systems, and authorization, the granting of specific tiers of access. Perhaps the biggest selling point for this popular tool is its ability to enable single sign-on across the enterprise. An employee can log in one time to Active Directory and have full access to organizational resources.

Active Directory is a Microsoft tool that’s been around for two decades. So why are we hearing more about the risks to Active Directory now? It’s all about market penetration, said Simmons. So many organizations use the application, which controls the access points to the corporate crown jewels: sensitive data.

Attackers dream about manipulating Active Directory in order to access user names and password combinations that provide the key to everything in an organization.

Many attackers want to find ways to exploit the key security mechanism of Active Directory, the authentication protocol known as Kerberos. They want to find that key to get into the system so they can move around laterally and without detection.

But that’s only the key that unlocks the front door. Simmons said that once inside, the bad guys need to gain access to the permissions that allow for privileged access. Once inside the network, the attacker will need to do a lot of reconnaissance work to learn more about the organization.

“Look at it as a blueprint,” said Simmons. “Attackers are leveraging Active Directory to map out the organization.”

The Challenge

Although most organizations are aware of the threat potential to their Active Directories, detecting those threats isn’t easy. It comes down to the ability to identify the attacks, which continue to get stealthier by the day. And once you have identified the attack, you have to have the right type of response in place to mitigate it.

It all comes back to securing credentials as a fundamental step to securing data. It’s about identifying not just the attack itself, but how those attackers are getting at the data. Organizations need to address the habitual offenders of weak credentials inside the company, as well as set up tools that can identify and stop malicious behavior while letting good behavior continue.

“Each type of attack requires a different response,” said Simmons. “It’s all about empowering organizations so that they can properly respond to an attack.”

Locking down Active Directory without unduly constraining users’ experience is one of the fundamental steps to baking in security that any organization running a Microsoft-centric network must take. The sooner the better. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Last Watchdog’s Sue Poremba contributing.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: