
How to Generate CISO Buy-In For Active Directory Protection

By Carolyn Crandall, Chief Security Advocate, Attivo Networks.

Winning CISO buy-in for Active Directory protection goes a long way toward determining how well a company stands up to ransomware. Active Directory (AD) sits at the heart of almost every enterprise network; more than 90% of businesses use it as their identity management system. It is the central repository for identity information, including credentials, user accounts, devices, applications, and more, which makes it both critically important and an obvious target for cybercriminals.

Despite this, AD is not always front of mind for organizational decision-makers. Most executives do not see AD as a major concern; it is something they expect to simply work. Yet Microsoft once estimated that more than 95 million AD accounts come under attack every day, and that number has almost certainly grown. New research by Enterprise Management Associates (EMA) further indicates that 50% of the organizations studied experienced an attack on AD within the past one to two years. Attackers know that control of AD is the prize, they can see that it is exposed, and they are targeting it with increasing frequency. Organizations that want to stay secure must elevate AD security to a CISO-level concern and, beyond that, to one that executives review in the context of business continuity and company welfare.

Active Directory Protection Challenges

Because Active Directory handles authentication throughout the enterprise, every identity in the organization has to reach AD in some way. AD must be broadly reachable, and that reachability is a large part of why it is so hard to secure: its attack surface is enormous by design. Credential theft is an increasingly common tactic, and a single stolen, exposed, or weak password can open the door to Active Directory. This year's Verizon Data Breach Investigations Report (DBIR) finds that 61% of breaches involve credential data, and attackers routinely use those valid credentials to walk past perimeter defenses.

Valid credentials let attackers avoid the usual alarm bells. They then use that foothold to move laterally through the network in search of data to steal or encrypt, and they target AD to harvest additional admin-level credentials that let them escalate privileges and widen the attack. Once AD itself is compromised, an attacker can erase their tracks, persist, and become extremely difficult to evict; they effectively hold the keys to the castle.

The consequences that stem from the exploitation of Active Directory are broader than many realize. A major breach or loss of domain control can have substantial downstream effects, whether the attacker is a cybercriminal running a ransomware attack, a nation-state threat actor conducting espionage, or an activist interfering with business. Think of it this way—if an attack disrupts a manufacturing line, it may be bad, but it’s fixable. That same attack might also disrupt shipping, purchasing, and other areas that can grind business to a halt, not just for one enterprise but also for the partners and customers that rely on it.

Think about the implications of a single component shortage and how it could stop the assembly line for a car, a refrigerator, or a computer. Worse still, in areas like utilities and critical infrastructure, security failures can and have put lives at risk. For proof, look no further than the Oldsmar, FL water system attack, or recent Ponemon research indicating that ransomware-related shutdowns in health care directly affect patient safety, data, and the availability of care.

The Cost of Poor Active Directory Protection

The threat of a breach concerns every organization, and most have made strides in security hygiene and posture management. Given what is at stake, though, the relative lack of focus on AD is a problem that needs addressing. Regulatory and compliance standards are moving in this direction, but they remain vague about what it means to "protect data and personal information." Other advisory bodies have been far more direct: the National Institute of Standards and Technology (NIST) and MITRE have both issued guidance that specifically addresses protecting AD, and no one should be surprised when governments follow suit.

Cyber insurance is another fast-growing industry, and insurers watch the threat landscape closely. Like any insurer, cyber insurers want assurance that their clients take reasonable precautions against risk. With 61% of breaches involving credential data, they will be reluctant to pay out to organizations that have not taken appropriate steps to protect themselves. Insurers today almost always mandate multi-factor authentication (MFA), but MFA alone is not enough: it covers interactive logins, not the ticket and hash theft that drives lateral movement inside the domain. As credential-based attacks continue to rise, cyber hygiene and posture management will need to extend into identity security: defending against credential misuse and privilege escalation, and protecting directory services such as Active Directory.

These factors feed directly into an enterprise's risk profile and, ultimately, its coverage. Cyber insurance is a must in today's threat environment, and the prospect of regulatory action will only loom larger as credential-based attacks grow. With Active Directory now a priority target, organizations that do not invest in the visibility needed to assess and measure AD exposures accurately could find themselves in hot water. Periodic audits and after-the-fact log reviews are no longer enough. Organizations need to identify credential and AD exposures and misconfigurations continuously and in real time; anything less leaves the enterprise dangerously open to attackers and to regulatory and liability concerns. Active Directory protection is therefore an area of intense interest for businesses and threat actors alike.

CISO Support Is Critical

Now more than ever, organizational leaders need to elevate cybersecurity to a Board-level discussion. That conversation must go beyond user and device hygiene to cover the protection of credentials, privileges, and the Active Directory systems that manage them. Ransomware is on every company's list of top concerns, and leaders need to understand that its continued success depends heavily on Active Directory-related exposures. CISOs can help connect the dots by improving cyber hygiene and reducing risk: controlling privileged credentials, gaining visibility into when and where privileged accounts are used, and ensuring that detection for live attacks on Active Directory is in place.
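Two of those controls, visibility into privileged account use and detection of live attacks on AD, can be exercised directly against the Windows Security event log. The following is an added example, not Attivo's code and not part of the original article: a small Python triage routine that flags the attack chain described above (a source harvesting RC4-encrypted service tickets, i.e. Kerberoasting, as the credential-theft step; a non-DC account exercising directory replication rights, i.e. DCSync; and privileged accounts logging on to hosts outside tier 0). The records are constructed to mirror EventData fields of events 4769, 4662 and 4672; the DC account list, tier-0 host list and alert threshold are assumptions made for the example.

```python
"""Added example (not Attivo's code): flag three AD attack indicators in Security events.

Input records are plain dicts whose keys mirror EventData fields of Windows
Security events 4769, 4662 and 4672. All sample data below is constructed for
illustration; the account and host inventories are assumptions.
"""
from collections import defaultdict

# Control-access rights that directory replication needs. A non-DC principal
# exercising them is performing DCSync: reading password hashes out of AD.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

RC4_HMAC = "0x17"           # Kerberos etype 23; such tickets can be cracked offline
KERBEROAST_THRESHOLD = 3    # distinct SPNs per source before alerting (assumed tuning)

# Assumed inventory. In practice, load these from AD or your CMDB.
DC_ACCOUNTS = {"DC01$", "DC02$"}
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}


def analyze(events):
    """Return a list of (rule, detail) alerts for the given Security events."""
    alerts = []
    rc4_spns = defaultdict(set)  # requesting IP -> service names ticketed with RC4

    for ev in events:
        eid = ev["EventID"]

        if eid == 4769:  # Kerberos service ticket requested
            svc = ev["ServiceName"]
            # krbtgt and machine accounts are not Kerberoast targets; skip them.
            if ev["TicketEncryptionType"] == RC4_HMAC and svc != "krbtgt" and not svc.endswith("$"):
                rc4_spns[ev["IpAddress"]].add(svc)

        elif eid == 4662:  # operation performed on a directory object
            rights = {tok.strip("{}").lower() for tok in ev["Properties"].split()}
            if rights & REPLICATION_RIGHTS and ev["SubjectUserName"] not in DC_ACCOUNTS:
                alerts.append(("dcsync",
                               f"{ev['SubjectUserName']} used replication rights on {ev['ObjectName']}"))

        elif eid == 4672:  # special privileges assigned to a new logon
            # A privileged logon outside tier 0 leaves admin credentials cached
            # on a host an attacker may already control.
            if ev["Computer"] not in TIER0_HOSTS:
                alerts.append(("privileged-logon-off-tier0",
                               f"{ev['SubjectUserName']} on {ev['Computer']}: {ev['PrivilegeList']}"))

    # Kerberoasting shows up as one source pulling RC4 tickets for many SPNs.
    for ip, spns in rc4_spns.items():
        if len(spns) >= KERBEROAST_THRESHOLD:
            alerts.append(("kerberoast",
                           f"{ip} requested RC4 service tickets for {sorted(spns)}"))
    return alerts


def _ticket(service, etype, ip="10.0.5.23"):
    """Build a constructed 4769 record."""
    return {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip}


REPL = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed sample: one workstation harvests RC4 tickets for four service
# accounts, a user account replicates the domain, and a Domain Admin logs on
# to an ordinary workstation. Benign look-alikes are included for contrast.
SAMPLE_EVENTS = [
    _ticket("svc_sql", "0x17"),
    _ticket("svc_backup", "0x17"),
    _ticket("svc_web", "0x17"),
    _ticket("svc_ci", "0x17"),
    _ticket("FS01$", "0x12"),  # AES ticket for a machine account: normal traffic
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=local",
     "Properties": "Control Access " + REPL},  # DC-to-DC replication: benign
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=corp,DC=local",
     "Properties": "Control Access " + REPL},  # user account replicating: DCSync
    {"EventID": 4672, "SubjectUserName": "da_admin", "Computer": "WS-FIN-07",
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},  # DA on a workstation
    {"EventID": 4672, "SubjectUserName": "da_admin", "Computer": "PAW01",
     "PrivilegeList": "SeDebugPrivilege"},  # DA on a privileged access workstation
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the constructed sample, the routine raises exactly three alerts (the DCSync by jdoe, the Domain Admin logon on WS-FIN-07, and the RC4 ticket harvest from 10.0.5.23) and stays quiet on the benign look-alikes. Two prerequisites matter in a real domain: 4769 only appears when "Audit Kerberos Service Ticket Operations" is enabled, and 4662 for replication rights only appears if the domain object's SACL audits Control Access; without those, this detection has nothing to read.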

Read the original article in CISO Mag.
