3 Keys to Defending Active Directory
While perimeter defenses like firewalls and antivirus software remain essential elements of comprehensive network defense, stopping 100% of attacks at the perimeter is an impossibility with today’s ever-evolving attack surface. Eventually, an attacker will successfully breach those defenses, establishing a beachhead within the network from which they can move laterally to escalate their privileges, identify valuable assets and disrupt network operations.
One of the first things an attacker will target is Active Directory (AD), which more than 90% of Fortune 1000 organizations use for authentication, identity management and access control. Its operational complexity makes it intrinsically hard to secure and an ideal target for attackers seeking to escalate their privileges. Compromising AD can hand attackers the metaphorical keys to the kingdom, making its protection a high priority for defenders. Fortunately, organizations can dramatically increase the security of AD by improving security in three key areas.
Active Directory is a High-Value Target
One cannot overstate the threat to Active Directory. Microsoft once estimated that 95 million AD accounts are under attack each day—a number that has almost certainly risen in the intervening years. Worse still, red teams are confident that when targeting AD in simulated attacks, they can compromise it every time. In today’s threat landscape, where 80% of all attacks use privileged access, this demands immediate attention.
AD provides authentication and authorization to all enterprise resources, and users throughout the network must access it for daily operations. AD is constantly changing, which makes it increasingly difficult to secure and renders it dangerously vulnerable to attack. Compromising AD allows attackers to escalate their privileges, increasing the attack’s potential scope and damage. To prevent this, organizations must look for ways to secure AD that go beyond traditional policy and log management. They require innovations that will proactively identify risks and gaps and remediate them before an attacker has the opportunity to exploit them.
Improving Cyber Hygiene
When it comes to protecting AD, visibility is key. That starts with an up-to-date inventory of user and device accounts, group policy settings and the privileges and entitlements they entail. These accounts should all have a “least privilege” policy in accordance with cybersecurity best practices, ensuring that they do not have privileges to access or alter areas of the network they do not need to perform their essential job functions.
Organizations should also regularly review and assess Active Directory settings and check and patch domain controllers against known vulnerabilities. These checks should include looking at exposures for the domain, users and devices in addition to live attack detection. These actions can help defenders identify potential AD exposures that attackers will leverage to compromise the environment. Identifying and remediating those vulnerabilities keeps AD better protected and gives defenders a more comprehensive understanding of the AD risks that require additional attention or layers of defense.
Remediating Account Issues
To understand the extent to which attackers can exploit a given AD identity, continuously auditing account policies and settings is critical, as is having the ability to answer questions about the scope and number of privileged accounts. Are those accounts regularly audited? Do they have privileges that exceed what is necessary? These are areas that attackers will likely try to exploit, and having a thorough understanding of potential AD attack paths can help defenders deal with threats more effectively.
Accounts should have only the privileges they need to accomplish their job functions—especially accounts with delegated administrative privileges. Organizations should regularly assess password policies and delegations to ensure that they remain appropriate, as well as storage policies for AD credentials, especially credentials cached on endpoints. Knowing the privileges that each account should have can help defenders identify anomalous behavior, potentially tipping them off to the presence of an attacker in the system before they can do severe damage.
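The inventory and account-audit steps in the two sections above can be reduced to a repeatable check. The following is an added example, not code from the original article: it runs least-privilege and password-policy checks over a handful of constructed account records shaped like an LDAP export. The privileged-group list, the 90-day password age and the 60-day idle threshold are assumptions to be tuned per environment; the userAccountControl bit values are the standard Windows ones.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits as defined by Windows
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000
NORMAL_ACCOUNT = 0x0200

# Groups treated as privileged for this audit (built-in AD groups; extend per environment)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}

NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample records shaped like an LDAP export; none are real accounts
SAMPLE_ACCOUNTS = [
    {"sam": "jdoe", "uac": NORMAL_ACCOUNT, "memberOf": ["Domain Users"],
     "pwdLastSet": NOW - timedelta(days=20), "lastLogon": NOW - timedelta(days=1)},
    {"sam": "svc_backup", "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, "memberOf": ["Domain Admins"],
     "pwdLastSet": NOW - timedelta(days=900), "lastLogon": NOW - timedelta(days=3)},
    {"sam": "old_admin", "uac": NORMAL_ACCOUNT, "memberOf": ["Administrators"],
     "pwdLastSet": NOW - timedelta(days=30), "lastLogon": NOW - timedelta(days=200)},
    {"sam": "helpdesk7", "uac": NORMAL_ACCOUNT | PASSWD_NOTREQD, "memberOf": ["Account Operators"],
     "pwdLastSet": NOW - timedelta(days=10), "lastLogon": NOW - timedelta(days=2)},
]

def audit_account(acct, now=NOW, max_pwd_age=90, max_idle=60):
    """Return the list of findings for one account; an empty list means no issue found."""
    findings = []
    uac = acct["uac"]
    if uac & ACCOUNTDISABLE:
        return findings  # disabled accounts are reviewed separately
    if uac & PASSWD_NOTREQD:
        findings.append("password not required")
    if PRIVILEGED_GROUPS & set(acct["memberOf"]):  # stricter checks for privileged members
        if uac & DONT_EXPIRE_PASSWORD:
            findings.append("privileged account with non-expiring password")
        if (now - acct["pwdLastSet"]).days > max_pwd_age:
            findings.append(f"privileged password older than {max_pwd_age} days")
        if (now - acct["lastLogon"]).days > max_idle:
            findings.append(f"privileged account idle more than {max_idle} days")
    return findings

def audit(accounts, now=NOW):
    """Map each account with findings to its findings; clean accounts are omitted."""
    report = {a["sam"]: audit_account(a, now) for a in accounts}
    return {sam: f for sam, f in report.items() if f}

if __name__ == "__main__":
    for sam, findings in audit(SAMPLE_ACCOUNTS).items():
        print(sam, "->", "; ".join(findings))
```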
Improving Attack Detection
Not all organizations have the controls they need to detect attack activities like password spraying, data harvesting or privilege escalation that targets AD data. Fortunately, technology innovations enable a more proactive approach, detecting unauthorized queries to AD and providing valuable alerts on live attacks as they are identified. Some solutions can channel an attacker’s energy against them by returning false information when attackers query AD. Defenders can use this capability to trick attackers into revealing themselves, further slowing and derailing attacks. Solutions that include a decoy engagement environment add the ability to gather intelligence on attackers, including cataloging their tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs). This intelligence can help defenders promptly remediate attacks and identify related threats.
Regularly auditing AD changes can reveal activities that may indicate an attack is in progress. Defenders need tools to detect data harvesting activity within the network, especially as it pertains to privileged accounts. Attackers often impersonate a domain controller to pull credential data out of the directory (DCSync) or to push malicious changes into it through a rogue domain controller (DCShadow). Golden and silver ticket attacks can be particularly dangerous, as the forged Kerberos tickets give attackers the privileges to make changes and cover their tracks. Given the recent rise in credential theft attacks, identifying imposters posing as actual employees using valid credentials has become extremely important. It is no longer enough to authenticate and authorize. Defenders must also perform checks to ensure that a given identity is still entitled to its level of access.
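Two of the behaviours named above, password spraying and DCSync-style credential replication, leave traces in the domain controller Security log that can be checked without a vendor product. The block below is an added example, not code from the original article: it runs both detections over constructed sample events. Event 4625 (failed logon) and event 4662 with the DS-Replication-Get-Changes GUIDs are the real Windows identifiers; the 5-accounts-in-5-minutes threshold and the DC machine-account list are assumptions for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs that appear in event 4662 when directory replication is requested
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DC_ACCOUNTS = {"DC01$", "DC02$"}  # constructed list of known domain controller machine accounts

def ts(hhmmss):
    return datetime.fromisoformat("2021-06-01T" + hhmmss)

# Constructed sample events; field names loosely follow the Windows Security log, not a real capture
EVENTS = [
    {"id": 4625, "time": ts("08:00:01"), "src": "10.0.0.45", "target": "alice"},
    {"id": 4625, "time": ts("08:00:03"), "src": "10.0.0.45", "target": "bob"},
    {"id": 4625, "time": ts("08:00:05"), "src": "10.0.0.45", "target": "carol"},
    {"id": 4625, "time": ts("08:00:07"), "src": "10.0.0.45", "target": "dave"},
    {"id": 4625, "time": ts("08:00:09"), "src": "10.0.0.45", "target": "erin"},
    {"id": 4625, "time": ts("08:10:00"), "src": "10.0.0.9", "target": "alice"},  # mistyped password
    {"id": 4625, "time": ts("08:10:30"), "src": "10.0.0.9", "target": "alice"},
    {"id": 4662, "time": ts("09:00:00"), "subject": "DC02$",  # normal DC-to-DC replication
     "props": [REPL_GET_CHANGES, REPL_GET_CHANGES_ALL]},
    {"id": 4662, "time": ts("09:15:00"), "subject": "jsmith",  # a user account pulling secrets
     "props": [REPL_GET_CHANGES, REPL_GET_CHANGES_ALL]},
]

def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return (source, distinct_accounts) for sources failing logons against many accounts."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):  # slide a window over each source's failures
            targets = {e["target"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(targets) >= min_accounts:
                hits.append((src, len(targets)))
                break
    return hits

def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """Return principals that exercised Get-Changes-All replication rights but are not DCs."""
    return sorted({e["subject"] for e in events if e["id"] == 4662
                   and REPL_GET_CHANGES_ALL in e["props"] and e["subject"] not in dc_accounts})

if __name__ == "__main__":
    print("password spray:", detect_password_spray(EVENTS))
    print("replication by non-DC:", detect_dcsync(EVENTS))
```

The replication check deliberately keys on the Get-Changes-All right rather than on the account name alone, since only domain controllers (and a small set of explicitly delegated accounts) should ever hold it.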
Prioritizing AD Security
Too many organizations remain vulnerable to attacks targeting Active Directory. Without sufficient network visibility, defenders run the risk of allowing attackers to move laterally throughout the system without detection, making it easy for them to target exposed credentials or compromise AD. Improving cyber hygiene, performing regular account audits and implementing security technology capable of detecting and derailing attacks targeting AD are increasingly critical for organizations seeking to prevent privilege escalation and lateral movement.
AD has emerged as an attack vector of choice for 2021, and is likely to remain a high-value target for attackers given the ease of access and the control they gain. It’s time for defenders to think differently and adopt these advanced new tools and tactics to keep attackers at bay and their organizations secure.