
What’s Buried in Every Breach Report That No One is Talking About


Written by: Carolyn Crandall, Chief Security Advocate

Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and co-founder of Krebs Stamos Group, is a prolific speaker, and we had the pleasure of having him join Tony Cole, Attivo Networks CTO, for a recent webinar. The November 3rd event was well attended, with hundreds of professionals from around the world tuning in. The discussion was fantastic and offered many soundbites to reflect back on. This blog definitely won't replace listening to the session, but it recaps the event and the points that stood out to me.

During the webinar, Krebs and Cole weighed in on what organizations are experiencing today and the changes needed to combat the highly effective attacker tactics that cause mass service disruption and unprecedented ransomware payouts. They also discussed the root causes of breaches and why they continue to occur.

Ransomware Attacks Are Profitable for Threat Actors

“We have to continue moving out of that posture where everything’s about prevention, prevention, prevention. Resilience is the key to adaptable, flexible, successful organizations. It’s really about reducing blast radius. If you get a ransomware event, you lose one credit, you lose one box, it doesn’t spread across the entire enterprise. You want to really make sure you have that ability to lock it down as quickly and thoroughly as possible, you know, flatten that box and bring it back up.” –Chris Krebs

Three key factors are motivating today’s ransomware attacks. According to Krebs, the first driver is “that very target-rich permissive environment out there in the install base – the deployed systems that drive our businesses and government agencies.”

Second, ransomware is very lucrative for threat actors. Krebs cited Evil Corp, a Russian threat group, pocketing a $40 million ransom after taking over CNA Financial's network earlier this year.

The third driver is the lack of consequences. Threat actors have yet to feel real penalties for their crimes. "Until you impose costs, until you make them feel a little pain, they're going to keep doing it," says Krebs.

Cybersecurity is a journey, and many organizations haven't thought seriously about security because they don't believe Russia or China is thinking about them, says Krebs. "I think it goes back to that early ransomware conversation. If you're connected to the internet in any way, if you're using email, you are on the playing field."

Organizations that prioritize Active Directory (AD) protection can limit how far these ransomware attacks spread.

Identity & Credentials are the Crown Jewels

“So, you see, we’re shifting away from bolt-on security tools to more security-oriented capabilities that rather than start from the perimeter and work in, you start from the crown jewels and work out…we know they’re going after AD…we have to get in a position where we have AD focus tools and capabilities, and then work our way out to the users.” –Chris Krebs

Identity and credentials are an enterprise's crown jewels. They govern access to the network, critical systems, and sensitive data. It is no surprise that credential theft and privilege escalation play a key role in almost every cyber-attack, or that an attacker's primary target is AD.

Mandiant reported that 90% of the cyberattacks they investigate involved AD. Krebs goes on to note that, knowing what we know about how the adversary is targeting AD, organizations will "want as much access and visibility over those capabilities as possible so they can detect, investigate and mitigate."

Identity Lifecycle Management Is Bigger Than MFA

“It is about identity lifecycle management. It’s about good hygiene steps; it’s about detection, response, and cultivating the identity from the cradle to the grave. You don’t want to be the Ronco oven of security services. It’s not ‘set it, forget it.’ It’s constant monitoring, detection, and management of identity.” –Chris Krebs

Gartner named Identity-First Security one of its top security and risk management trends for 2021, yet many CISOs still talk about multi-factor authentication (MFA) as the solution to every identity challenge.

While organizations should implement MFA and Single Sign-On (SSO), the pair noted that these are not end-all, be-all solutions. They raise the bar for initial access to an endpoint, but a determined adversary will eventually get past them.

Krebs and Cole agreed that protecting against, detecting, and managing identity-based attacks is just as crucial as MFA, and that organizations still need further education on the identity life cycle. "The first step towards a more secure, identity-centric security posture is to create more outreach and engagement on the topic," says Krebs.

And a bit of a spoiler alert: the thing that is buried in every breach report but rarely talked about is the exploitation of Active Directory. Every major ransomware attack has involved credential misuse and the compromise of AD. Every organization's ransomware preparedness program should therefore include protection of its directory services and live attack detection, so that no attempt to gain domain control goes unnoticed.
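To make "live attack detection" concrete, here is an added example (not part of the original post and not Attivo product code) that flags two common ways an attacker converts stolen credentials into domain control: a DCSync-style directory replication request by an account that is not a domain controller (Event ID 4662 carrying a DS-Replication-Get-Changes right), and a member being added to a privileged AD group (Event IDs 4728/4732/4756). The event records are constructed, their field names mirror the EventData names in Windows Security event XML, and the domain controller allowlist is a hypothetical value you would populate from your own AD.

```python
"""Detect two paths to domain control over constructed Windows Security
events: DCSync (replication rights used by a non-DC account) and
additions to privileged AD groups.

Added example, not Attivo code. Field names mirror the EventData names in
Windows Security event XML; every sample event below is constructed.
"""

# Control-access rights needed to pull credential material through directory
# replication (the rights that secretsdump/mimikatz-style "dcsync" relies on).
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Group memberships that amount to domain control. Event IDs:
#   4728 member added to a security-enabled global group (Domain Admins)
#   4732 member added to a security-enabled local group (Administrators on a DC)
#   4756 member added to a security-enabled universal group (Enterprise Admins)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Hypothetical allowlist: machine accounts of this domain's DCs, which
# legitimately replicate with each other. Populate from your own directory.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def is_dcsync(event, dc_accounts=KNOWN_DC_ACCOUNTS):
    """4662 whose accessed properties include a replication right, requested
    by a subject that is not a known domain controller."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()  # 4662 lists rights as {guid} strings
    if not any(guid in props for guid in DS_REPLICATION_GUIDS):
        return False
    return event.get("SubjectUserName") not in dc_accounts


def is_privileged_group_add(event):
    """A member was added to a group that grants domain-wide control."""
    return (event.get("EventID") in GROUP_ADD_EVENTS
            and event.get("TargetUserName") in PRIVILEGED_GROUPS)


def detect(events, dc_accounts=KNOWN_DC_ACCOUNTS):
    """Return one alert per suspicious event, in log order."""
    alerts = []
    for ev in events:
        if is_dcsync(ev, dc_accounts):
            alerts.append({"rule": "dcsync", "actor": ev.get("SubjectUserName")})
        elif is_privileged_group_add(ev):
            alerts.append({"rule": "privileged_group_add",
                           "actor": ev.get("SubjectUserName"),
                           "group": ev.get("TargetUserName"),
                           "member": ev.get("MemberName")})
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Legitimate DC-to-DC replication: same right, but the subject is a DC.
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # DCSync from a compromised user account: the one to catch.
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectType": "domainDNS",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Routine 4662 touching an unrelated property (GUID constructed): ignored.
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectType": "user",
     "Properties": "{aaaaaaaa-0000-0000-0000-000000000001}"},
    # Benign group change by the help desk: ignored.
    {"EventID": 4728, "SubjectUserName": "helpdesk1", "TargetUserName": "Sales",
     "MemberName": "CN=new.hire,CN=Users,DC=corp,DC=example"},
    # Service account dropped into Domain Admins: the other one to catch.
    {"EventID": 4728, "SubjectUserName": "jsmith", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    # Ordinary logon noise.
    {"EventID": 4624, "SubjectUserName": "jsmith"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The DC allowlist is the important caveat: domain controllers request the same replication rights every few minutes, so without it the DCSync rule drowns in legitimate traffic, and with a stale allowlist a decommissioned DC's account becomes an attractive thing for an attacker to reuse. Auditing on the domain object (SACL for replication rights) must be enabled for 4662 to be logged at all.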
