3 Keys to Defending Active Directory

While perimeter defenses like firewalls and antivirus software remain essential elements of comprehensive network defense, stopping 100% of attacks at the perimeter is an impossibility with today’s ever-evolving attack surface. Eventually, an attacker will successfully breach those defenses, establishing a beachhead within the network from which they can move laterally to escalate their privileges, identify valuable assets and disrupt network operations.

One of the first things an attacker will target is Active Directory (AD), which more than 90% of Fortune 1000 organizations use for authentication, identity management and access control. Its operational complexity makes it intrinsically hard to secure and an ideal target for attackers seeking to escalate their privileges. Compromising AD can hand attackers the metaphorical keys to the kingdom, making its protection a high priority for defenders. Fortunately, organizations can dramatically increase the security of AD by improving security in three key areas.

Active Directory is a High-Value Target

One cannot overstate the threat to Active Directory. Microsoft once estimated that 95 million AD accounts are under attack each day—a number that has almost certainly risen in the intervening years. Worse still, red teams are confident that when targeting AD in simulated attacks, they can compromise it every time. In today’s threat landscape, where 80% of all attacks use privileged access, this demands immediate attention.

AD provides authentication and authorization to all enterprise resources, and users throughout the network must access it for daily operations. AD is constantly changing, which makes it increasingly difficult to secure and renders it dangerously vulnerable to attack. Compromising AD allows attackers to escalate their privileges, increasing the attack’s potential scope and damage. To prevent this, organizations must look for ways to secure AD that go beyond traditional policy and log management. They require innovations that will proactively identify risks and gaps and remediate them before an attacker has the opportunity to exploit them.

Improving Cyber Hygiene

When it comes to protecting AD, visibility is key. That starts with an up-to-date inventory of user and device accounts, group policy settings and the privileges and entitlements they entail. These accounts should all have a “least privilege” policy in accordance with cybersecurity best practices, ensuring that they do not have privileges to access or alter areas of the network they do not need to perform their essential job functions.

Organizations should also regularly review and assess Active Directory settings, and check and patch domain controllers against known vulnerabilities. These checks should cover exposures for the domain, users and devices in addition to live attack detection. They help defenders identify potential AD exposures that attackers could leverage to compromise the environment. Identifying and remediating those vulnerabilities keeps AD better protected and gives defenders a more comprehensive understanding of the AD risks that require additional attention or layers of defense.

Remediating Account Issues

To understand the extent to which attackers can exploit a given AD identity, continuously auditing account policies and settings is critical, as is having the ability to answer questions about the scope and number of privileged accounts. Are those accounts regularly audited? Do they have privileges that exceed what is necessary? These are areas that attackers will likely try to exploit, and having a thorough understanding of potential AD attack paths can help defenders deal with threats more effectively.

Accounts should have only the privileges they need to accomplish their job functions—especially accounts with delegated administrative privileges. Organizations should regularly assess password policies and delegations to ensure that they remain appropriate, as well as the storage policies for AD credentials, especially when those credentials are stored on endpoints. Knowing the privileges that each account should have helps defenders identify anomalous behavior, potentially tipping them off to the presence of an attacker in the system before severe damage is done.
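The hygiene and account-audit checks described above (privileged-group inventory, least privilege, stale and over-privileged accounts) as an added example, not code from the original article or from Attivo Networks. It runs over a constructed account inventory rather than a live directory; the privileged group names are AD's real built-in groups, while the staleness threshold and the sample accounts are assumptions.

```python
"""Least-privilege audit over a constructed AD account inventory (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Built-in groups whose membership confers domain-wide administrative power.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}
STALE_DAYS = 90  # assumption: a privileged account unused this long is a finding


@dataclass
class Account:
    sam: str                      # sAMAccountName
    groups: Set[str]              # resolved group membership (including nested)
    enabled: bool = True
    password_never_expires: bool = False
    days_since_logon: int = 0
    spns: List[str] = field(default_factory=list)  # servicePrincipalName values


def privileged(acct: Account) -> bool:
    return bool(acct.groups & PRIVILEGED_GROUPS)


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Return findings keyed by sAMAccountName, for privileged accounts only."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        if not privileged(a):
            continue
        issues = []
        if not a.enabled:
            issues.append("disabled account still in privileged group")
        if a.password_never_expires:
            issues.append("password never expires")
        if a.days_since_logon > STALE_DAYS:
            issues.append(f"no logon in {a.days_since_logon} days")
        if a.spns:
            issues.append("service principal on privileged account")
        if issues:
            findings[a.sam] = issues
    return findings


# Constructed sample inventory (not real data).
SAMPLE = [
    Account("jsmith", {"Domain Users", "Domain Admins"}),
    Account("svc_backup", {"Backup Operators"}, password_never_expires=True,
            spns=["MSSQLSvc/db01:1433"]),
    Account("old_admin", {"Administrators"}, enabled=False, days_since_logon=400),
    Account("mlee", {"Domain Users"}, password_never_expires=True),
]
```

Only privileged accounts are reported, so `mlee` is skipped even though the password never expires; the same check over a real export would take the inventory from the directory instead of `SAMPLE`.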

Improving Attack Detection

Not all organizations have the controls they need to detect attack activities like password spraying attacks, data harvesting or privilege escalation that targets AD data. Fortunately, technology innovations enable a more proactive approach, detecting unauthorized queries to AD and providing valuable alerts on live attacks as they are identified. Some solutions can channel an attacker’s energy against them by returning false information when attackers query AD. Defenders can use this capability to trick attackers into revealing themselves, further slowing and derailing attacks. Solutions that include a decoy engagement environment add the ability to gather intelligence on attackers, including cataloging their tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs). This helps defenders remediate attacks promptly and identify threats.

Regularly auditing AD changes can reveal activities that may indicate an attack is in progress. Defenders need tools to detect data harvesting activity within the network, especially as it pertains to privileged accounts. Attackers often deploy rogue domain controllers or modify settings with DCSync and DCShadow attacks. Golden and silver ticket attacks can be particularly dangerous, as they let attackers gain the privileges to make changes and cover their tracks. Given the recent rise in credential theft attacks, identifying imposters posing as actual employees using valid credentials has become extremely important. It is no longer enough to authorize and authenticate. Defenders must also perform checks to ensure that a given identity is still entitled to its level of access.
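One concrete form of the AD change auditing described above, as an added example that is not code from the original article or from Attivo Networks: DCSync harvests credentials by asking a domain controller to replicate, which needs the replication extended rights, and a domain controller records that access as Security event 4662. The detection below runs over constructed 4662 records; the two replication-right GUIDs are Microsoft's well-known values, while the list of legitimate DC computer accounts and the sample events are assumptions.

```python
"""Flag DCSync-style replication requests in Security event 4662 records (added example)."""
from typing import Dict, List

# Extended rights that AD replication (and therefore DCSync) requires.
# These are Microsoft's well-known control-access-right GUIDs.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL}

# Assumption: the defender maintains the list of legitimate DC computer accounts,
# which replicate with each other all day and must not raise alerts.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def is_dcsync(event: Dict[str, str]) -> bool:
    """True when a principal other than a known DC exercised replication rights."""
    if event.get("EventID") != "4662":
        return False
    props = event.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_RIGHTS):
        return False
    return event.get("SubjectUserName", "") not in KNOWN_DC_ACCOUNTS


def find_dcsync(events: List[Dict[str, str]]) -> List[str]:
    """Return the subject accounts behind each DCSync finding, in log order."""
    return [e["SubjectUserName"] for e in events if is_dcsync(e)]


# Constructed sample records: field names follow the 4662 event, values are made up.
# A real Properties field lists the accessed rights as brace-wrapped GUIDs.
SAMPLE_EVENTS = [
    {"EventID": "4662", "SubjectUserName": "DC02$",
     "Properties": f"{{{REPL_GET_CHANGES}}} {{{REPL_GET_CHANGES_ALL}}}"},   # normal DC-to-DC replication
    {"EventID": "4662", "SubjectUserName": "jsmith",
     "Properties": f"{{{REPL_GET_CHANGES}}} {{{REPL_GET_CHANGES_ALL}}}"},   # user account replicating: finding
    {"EventID": "4662", "SubjectUserName": "jsmith",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},               # unrelated directory access
    {"EventID": "4624", "SubjectUserName": "jsmith", "Properties": ""},      # logon event, ignored
]

if __name__ == "__main__":
    for subject in find_dcsync(SAMPLE_EVENTS):
        print("possible DCSync by", subject)
```

Event 4662 is only written when the "Audit Directory Service Access" subcategory is enabled on the domain controllers, so the audit policy is a prerequisite for this check.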

Prioritizing AD Security

Too many organizations remain vulnerable to attacks targeting Active Directory. Without sufficient network visibility, defenders run the risk of allowing attackers to move laterally throughout the system without detection, making it easy for them to target exposed credentials or compromise AD. Improving cyber hygiene, performing regular account audits and implementing security technology capable of detecting and derailing attacks targeting AD is increasingly critical for organizations seeking to prevent privilege escalation and lateral movement.

AD has emerged as an attack vector of choice for 2021, and is likely to remain a high-value target for attackers given the ease of access and the control they gain. It’s time for defenders to think differently and adopt these advanced new tools and tactics to keep attackers at bay and their organizations secure.

Carolyn Crandall

Carolyn Crandall is the Chief Deception Officer and CMO at Attivo Networks, the leader in deception for cybersecurity threat detection. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has a demonstrated track record of taking companies from pre-IPO through to multi-billion-dollar sales and held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate. Carolyn is recognized as a global thought leader in technology trends and for building strategies that connect technology with customers to solve difficult operational, digitalization, and security challenges. Her current focus is on breach risk mitigation by teaching organizations how to shift from a prevention-based cybersecurity infrastructure to one of an active security defense based on the adoption of deception technology.