A guide to combating Active Directory misconfigurations
Microsoft’s recent post-mortem guidance to customers following the Solorigate/SolarWinds compromise was telling: protect your identities, especially privileged user accounts.
Unfortunately, Active Directory (AD) abuse, and the information AD yields to an intruder, continue to feature in many such post-incident reports.
Modern ransomware gangs like Ryuk and Maze, for example, query AD to understand what to encrypt and how to access those systems. Access to AD enables credential theft and lateral movement and allows the gangs to establish persistence.
In addition, privileged access abuse is estimated to be used in between 74% and 80% of data breaches.
Contrary to some reports, this kind of abuse is not ‘impossible to detect’.
There were at least five instances in the SolarWinds/Solorigate attacks where lateral movement techniques — used to steal credentials, move between systems and escalate privileges to administrator level — could have been found using in-network security controls that look for such activity.
Detection may not have prevented the initial intrusion — a determined adversary will inevitably find a way into the network — but promptly detecting lateral movement and attempts to exploit privilege can severely limit or mitigate an intruder’s impact.
The beating heart
AD has been around since the 90s, and for over 90% of organisations, it has been central to their business. It allows systems and users to talk to each other — and without AD, things start to fail fast. It’s also constantly changing as people come and go, systems get implemented and removed, and companies merge and grow.
This can create issues, though, and AD sprawl can lead to vulnerabilities over time.
Continuous checks and visibility
Historically, AD has been the responsibility of IT rather than security. It is simply expected to work, and it demands a great deal of specialist attention, which is why its security is sometimes overlooked.
The hard part about protecting AD is that it takes more than just doing one or two things right. Implementing current best practices for securing AD — such as patching systems, limiting privileged accounts and maintaining good AD hygiene — is not enough.
Organisations must also harden their AD systems to prevent exposures that leave them open to attack and remediate vulnerable configurations to increase security. That can be challenging, as AD is often managed by several IT teams at different levels, any of which can introduce changes without understanding the risk or exposure those changes create.
The only way to truly understand what exposures exist is to conduct systematic assessments and implement a capability to detect live attacks that target AD so that teams can respond quickly.
Tools like Attivo Networks’ ADAssessor can run continuously or on demand to identify misconfigurations, excessive privileges, data exposures or policy changes that introduce weaknesses an attacker can exploit.
These tools can also be used for real-time detection of privilege escalation — an early warning system that could limit an attacker’s reach, dwell time and blast radius.
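As an added example (not code from this article or from Attivo Networks), here is the kind of detection logic behind such an early warning: a small Python routine that flags additions to built-in privileged AD groups, run over constructed sample security events. The event IDs and field names are those of the Windows security log; the sample records and the `svc_chg` service account are made up for illustration.

```python
import json

# Windows security event IDs for "a member was added to a security-enabled
# group": 4728 global, 4732 domain-local, 4756 universal.
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}

# Built-in AD groups whose membership changes warrant immediate review;
# extend with any tiered admin groups the organisation defines.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Group Policy Creator Owners",
}

# Constructed sample events in JSON-lines form (not a real log export). Field
# names follow the Windows security log: SubjectUserName is the actor,
# TargetUserName is the group, MemberName is the account that was added.
SAMPLE_LOG = """
{"TimeCreated": "2021-03-01T09:14:02Z", "EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"}
{"TimeCreated": "2021-03-01T09:15:40Z", "EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins", "MemberName": "CN=jsmith,OU=Users,DC=corp,DC=example"}
{"TimeCreated": "2021-03-01T09:16:05Z", "EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Sales", "MemberName": "CN=jsmith,OU=Users,DC=corp,DC=example"}
{"TimeCreated": "2021-03-01T10:02:11Z", "EventID": 4732, "SubjectUserName": "svc_chg", "TargetUserName": "Administrators", "MemberName": "CN=tmp-admin,OU=Users,DC=corp,DC=example"}
"""

def load_events(text):
    """Parse JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_privileged_group_additions(events, allowed_actors=frozenset()):
    """Return one alert per addition to a privileged group, in log order.

    allowed_actors: accounts (e.g. a change-management service account)
    whose additions are expected; they are still reported, marked
    approved=True, so an analyst can reconcile them against a change ticket.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") not in GROUP_ADD_EVENT_IDS:
            continue
        group = ev.get("TargetUserName")
        if group not in PRIVILEGED_GROUPS:
            continue
        actor = ev.get("SubjectUserName")
        alerts.append({
            "time": ev.get("TimeCreated"), "group": group,
            "member": ev.get("MemberName"), "actor": actor,
            "approved": actor in allowed_actors,
        })
    return alerts
```

Feeding real exports through the same check turns the article's "early warning" into a concrete alert: an unapproved actor adding a member to Domain Admins is surfaced within one polling interval rather than discovered during a post-mortem.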
If we, as defenders, can disrupt attackers while they conduct reconnaissance and discovery to mine AD data, then all the downstream attack activity is disrupted as well. If attackers can’t attack AD, they can’t advance their attack.
To learn more, contact firstname.lastname@example.org.