
Ransomware Survey Says… Active Directory is Under Attack and Needs Attention


Authored by: Carolyn Crandall, Chief Security Advocate

CyberRisk Alliance (CRA) published a new report titled “State of Ransomware: Invest now or pay later.” The report highlighted new findings from a January 2022 research study on the continuing escalation of ransomware attacks and what organizations are doing about it. The report states that ransomware gangs are becoming “increasingly brazen,” due in no small part to the fact that attackers are finding it easier than ever to access networks via compromised credentials. The findings note that employees can “easily be tricked into clicking on links that provide attackers with a way in” and that once inside the network, they often find it “easy to move internally, either by identifying exploitable systems or by swiping user credentials.”

Most startling of all, the report indicates that 95% of attacks involve Windows Active Directory (AD), which serves as the primary identity solution for most organizations. Protecting AD must be a priority for today’s organizations—and the rest of the CRA report underscores the danger for those who neglect to do so.

With Attivo Networks as a sponsor of the report, I took the liberty to extract and drill down into the data specific to credential and Active Directory risks. The full report can be found here.

Directory Services Face Significant Risk

“Organizations are vulnerable at their endpoints,” stresses the report. Attackers have identified credential theft as a highly successful attack vector, whether by tricking employees into revealing their passwords via social engineering or compromising credentials stored on an endpoint. The CRA report is not the first to notice this trend. The most recent Verizon Data Breach Investigations Report notes that 61% of all breaches now involve credential data, and it highlights that “despite efforts to bolster defenses, many [organizations] continue to struggle at detection and response.”

Asked by CRA what they were most concerned about, 70% of respondents mentioned losing access to their organization’s sensitive data, while another 58% mentioned stolen data sold on the dark web. The subsequent two concerns related to Active Directory weighed in at 54% each: “ransomware gangs gaining privileged access and/or controlling directory services.” While it is encouraging to see over half of respondents recognize that protecting Active Directory is a significant concern, I am surprised that it didn’t rank higher on the priority list. After all, compromising AD gives the attacker the keys to the kingdom—meaning it can lead directly to the very situations that respondents listed as most concerning.

The Vulnerability of Active Directory

The survey also captured that Active Directory was involved in 95% of attacks, which is very consistent with the statements made by Mandiant in their Ransomware Preparedness Training. Within that session, they pointed to exposures in Active Directory as the root cause of why ransomware criminals continue to be successful. The CRA report investigated how attackers penetrated deeper into the network once inside and found that 63% of the time, they exploited a vulnerability on another system and moved laterally. Other common initial infection points included privilege escalation (34%), credential exfiltration (32%), and traversing mapped shares (25%). The report also looked at the initial infection point for attacks targeting AD and found similar results: in 62% of cases, exploitable vulnerabilities were listed as the infection point, followed by changed security policies (40%), distributed ransomware (37%), and escalated privileges (36%). The message is clear: misconfigurations, exposures, and lack of detection capabilities have allowed attackers to target AD with an unacceptable success rate.

While 62% of respondents indicated that they would increase spending to combat ransomware in 2022, the specifics of that spending leave room for concern. Asked what steps their organization has taken to harden its systems to prevent future ransomware attacks, the most frequent answers included educating employees to protect endpoints (71%) and changing passwords (70%). These two steps, while important, are nowhere near enough to solve today’s security problems. Just 41% said they had added Active Directory to their monitoring program. I believe a lack of awareness is driving this prioritization of new tools that would help organizations achieve continuous monitoring of exposures as well as indicators of attack and live attack detection. The organizational structure could also be a factor, since the identity, security, or risk group could each be the one responsible for the spending. Notably, in the EMA Active Directory is Under Siege Report, 86% of respondents stated that they planned to increase their spending on Active Directory protection. With so many attacks leveraging AD, I suspect this number will also shift substantially in 2022.

Comprehensive Protection Is Necessary

There is no easy, “one-size-fits-all” solution to protect against ransomware, and the problem is unlikely to go away anytime soon. However, perhaps the most important thing for an organization to do is to understand the ransomware attack cycle and prevent Active Directory privileges from falling into attackers’ hands.

Attivo offers a portfolio of solutions for protecting Active Directory. These software licenses can often be purchased standalone or as part of an overall bundle.

  • ADAssessor for understanding Active Directory vulnerabilities and quickly detecting Indicators of Attack
  • ADSecure-EP for detecting unauthorized queries from an endpoint, hiding the AD objects, and returning fake data for elicitation to gather TTPs and IoCs
  • ADSecure-DC protects domain controllers from attacks from Windows, Mac, Linux, IoT, OT devices and adds deep packet inspection and behavior correlation of logs
  • ThreatPath identifies and remediates at-risk stored administrator credentials, deactivated MFA, delegated administrators, and orphaned or duplicate credentials at the endpoint

These solutions provide a layered defense, making it exponentially harder for an attacker to successfully leverage AD as part of their malicious or ransomware attack. Given AD’s high value to attackers and the regularity with which they can compromise it, these tools are no longer “nice to have” solutions—they are essential elements for every security stack.
