For more than two decades, Active Directory (AD) has been the default identity and access management service in Windows networks. As enterprises have shifted to the cloud, Azure AD has been the natural way to extend the AD paradigm and provide organizations with an identity-as-a-service (IDaaS) solution that spans cloud and on-premises applications. Because these solutions are ubiquitous, they are prime targets for attackers who want to compromise an organization’s resources and data.
Unfortunately, AD and Azure AD are not as secure as most organizations assume them to be. Even with a quick web search, you will have no trouble finding security horror stories that lament the lack of security for both solutions. So, are AD and Azure AD poor tools, or are we just not using them correctly? The answer tends to be the latter—most organizations take the security of AD and Azure AD for granted because they have been such staples in networks. Even security teams often assume their security. The issue is how we tend to approach enterprise security, with a laser focus on SOCs, detection and response, incident response and the more headline-grabbing aspects of security. AD and Azure AD need our attention, however, because taking their security for granted can be catastrophic for your organization.
Understanding the Attack Techniques
Malicious actors have developed a bevy of ways to subvert AD and Azure AD’s security. Some of the most common attack techniques include:
- Pass-the-hash/pass-the-ticket: This technique involves stealing the hashed credentials or Kerberos tickets of a user or service account and using them to authenticate to other systems without knowing the password.
- Golden/silver ticket: Hackers will forge a Kerberos granting ticket (TGT) or a service ticket (ST) that gives access to any resource in the domain.
- DCSync/DCShadow: Revolves around mimicking the behavior of a domain controller (DC) to synchronize or modify objects in the AD database, such as user accounts, passwords, group memberships, or security policies.
- Kerberoasting: Hackers will request a service ticket for a service account with a weak password and then crack it offline to obtain the plaintext password, giving them access to the environment.
- Credential dumping: This technique involves extracting credentials from memory, registry, disk or other sources on a compromised system.
While these are just the most common, organizations need to be aware of these approaches as they can often be chained together to achieve lateral movement and privilege escalation. For example, an attacker can use pass-the-hash to access a system where a domain admin has logged on, dump their credentials, and use them to create a golden ticket that grants access to any resource in the domain.
Following Best Practices
To reduce the efficacy of these attacks, organizations can practice several good habits:
- Apply the principle of least privilege: This principle states that users and applications should only have the minimum level of access required to perform their tasks. This can prevent attackers from exploiting excessive permissions or unused accounts to gain access to sensitive resources or data. You should review and audit your user and service account permissions regularly and use tools to grant temporary and time-bound access to privileged roles or resources.
- Don’t use overly complex passwords: Although highly complex passwords are more secure, the trade-off is that they are also hard to remember. These passwords lead to users or admins writing the passwords down, or worse, saving them in something like a Google doc. Instead, a good passphrase generator will allow users to generate a password that is easy for them to remember.
- Segment your network and resources: Network and resource segmentation involves dividing your network and resources into smaller units based on function, sensitivity or risk level. This can limit the lateral movement of attackers within your network and prevent them from accessing critical resources or data.
- Harden your systems and applications: System and application hardening involves applying security patches, updates, configurations, and policies to your systems and applications to eliminate vulnerabilities and reduce attack vectors. It is also key that the systems are monitored regularly for their compliance status
As security professionals, we should never assume the security of any tool or platform we use; doing so only creates blind spots in our security. AD and Azure AD are no exception. In fact, because of the role they play in managing access and identity, organizations should take extra care to ensure they are hardened against attacks.