Relief for the Defender: Immediate Protection for Active Directory
Attivo Networks Blogs


Written by: Juan Vazquez, Regional Sales Director, and Vikram Navali, Senior Technical Product Manager

Protecting Active Directory (AD) is more than just securing its infrastructure, users, and computer objects. AD security goes far beyond implementing security best practices, installing endpoint solutions, or keeping Domain Controllers at the latest patch level. According to an Enterprise Management Associates (EMA) research report, 50% of organizations experienced an attack on AD, with more than 40% indicating the attack was successful. It can be challenging for security teams to identify all user accounts, computer accounts, and groups that have been provisioned in AD over time. At the same time, it can also be complex to protect against the consequences of poor cyber hygiene.

When talking about fixing or remedying a security breach, defenders are accustomed to applying an available patch to close the defect or, in some cases, changing a configuration to mitigate the risk. For example, in the case of the PrintNightmare vulnerability, these steps can resolve the security gap. However, the bulk of the exposures identified in AD require fine adjustments to the configuration: permissions, erroneous group memberships, or weak policies.

A Relief for the Defender: ADAssessor + ADSecure

Keeping AD security up to date must be a continuous improvement activity. The first step is to know the health of the AD. The Attivo Networks ADAssessor solution gives security and infrastructure teams constant visibility to identify AD exposures that an attack technique can abuse. The ADAssessor solution identifies and provides remediation guidance for proven vulnerabilities at the domain, user, and computer level to reduce the attack surface. The technology prioritizes exposures by risk level using criteria evaluated behind the scenes, but defenders must analyze and correct any exposure classified as very high severity as soon as possible.

The good news is that the ADSecure solution allows organizations to improve protection immediately. It enables security administrators to hide the AD objects related to the vulnerabilities (exposures) reported by ADAssessor. The solution detects unauthorized queries to AD at its most basic level and reduces the risk posed by those queries by presenting misleading information to attackers, protecting legitimate AD objects from exposure and compromise. Ultimately, it can reduce AD's attack surface.

For example, in a DCSync attack, attackers and penetration test teams try to access credentials by taking advantage of a design gap. Security administrators must close this gap by removing replication permissions from unusual accounts, or by denying those permissions for the associated user accounts, to close that potential attack path.

Is it simple? Of course not, because security personnel typically do not know the details of the AD objects. The responsibility falls on the infrastructure and operations personnel who work with AD daily.

The ADAssessor solution detects unusual accounts granted “Replicate Directory” permissions. The solution alerts on the potential DCSync attack, which can lead attackers to take complete control of an organization’s AD infrastructure. It reports the exposure with all affected objects and the steps to mitigate it.

By deploying the ADSecure solution, organizations can prevent attackers from exploiting user or service accounts with “Replicate Directory Changes” permissions.
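The kind of check described above, as an added example that is not Attivo's code: a PowerShell audit of which principals hold the replication extended rights (the DCSync exposure) on the domain naming context, flagging any holder outside a baseline of the default principals. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the domain object; the baseline list is an assumption to adjust for your environment.

```powershell
# Added example (not Attivo's code): audit holders of DCSync-capable replication
# rights on the domain naming context so unusual accounts can be reviewed and fixed.
# Assumes the RSAT ActiveDirectory module and read access to the domain object.
Import-Module ActiveDirectory

# Extended-right GUIDs for directory replication, as defined in the AD schema
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domain   = Get-ADDomain
$netbios  = $domain.NetBIOSName
# Assumed baseline of principals that legitimately hold these rights by default;
# any other holder is reported as an exposure to review.
$ExpectedHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$netbios\Domain Controllers",
    "$netbios\Domain Admins",
    "$netbios\Enterprise Admins"
)

$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$rightsEnum = [System.DirectoryServices.ActiveDirectoryRights]

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # An ExtendedRight ACE names the right in ObjectType; GenericAll implies every right
    $guid         = $ace.ObjectType.ToString()
    $isReplRight  = $ReplicationRights.ContainsKey($guid) -and
                    (($ace.ActiveDirectoryRights -band $rightsEnum::ExtendedRight) -ne 0)
    $isGenericAll = ($ace.ActiveDirectoryRights -band $rightsEnum::GenericAll) -eq $rightsEnum::GenericAll
    if (-not ($isReplRight -or $isGenericAll)) { continue }
    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Right     = if ($isGenericAll) { 'GenericAll' } else { $ReplicationRights[$guid] }
        Inherited = $ace.IsInherited
        Expected  = $ExpectedHolders -contains $ace.IdentityReference.Value
    }
}

# Unexpected holders are the DCSync exposure: remove the ACE or the account's need for it
$findings | Sort-Object Expected, Principal | Format-Table -AutoSize
$findings | Where-Object { -not $_.Expected }
```

Run it periodically (or on ACL change events) and compare against the previous run, since the exposure returns whenever a new principal is granted these rights.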

Since its launch in 2020, ADSecure has brought together numerous security capabilities to protect AD from compromise.

Organizations can use Attivo’s technology in the SaaS model and benefit from these capabilities immediately. Through a simple 3-step wizard, the analyst can identify vulnerable AD objects, select the ones to hide through an existing protection policy, and apply that policy directly to the computers running the ADSecure solution in production.

Conclusion

Attackers can’t compromise what they can’t see, and the ADSecure solution makes this easy by hiding high-value user and system accounts from them. With ADAssessor and ADSecure deployed, organizations can continuously assess AD and take remedial action when exposures appear on unauthorized AD accounts.
