How to spot an attack against Active Directory

By Jim Cook, ANZ regional director, Attivo Networks

GUEST OPINION: When using modern software applications, most users don’t spend time considering all the components that make them work.

The networks, servers, operating systems, and client devices that mesh together to allow applications to function go largely unnoticed. End users tend to view information as a utility in much the same way as power or water supplies.

However, having a deeper understanding of IT infrastructure mechanics is vital to creating effective security. One element that needs closer attention is Active Directory (AD).

Developed by Microsoft, AD manages directory-based identity-related services. An AD server authenticates and authorises all users and devices on a network, forming a core part of the overall infrastructure.

Because AD plays such a critical role, cybercriminals looking to gain access and cause disruption or damage have increasingly targeted it. For this reason, organisations need the ability to spot when their AD has become compromised.

The growing risk of credential-based attacks

According to the Verizon Data Breach Investigations Report, 61% of cybersecurity breaches now involve credential data.

Gaining possession of credentials makes an attacker’s job much easier as it can provide them with the privileges they need to move about within an IT infrastructure. These stolen credentials allow them to scope out potential data for theft, undertake a ransomware attack, or install backdoors they can use later.

Because AD needs to have access to all parts of the infrastructure, it is challenging to secure, yet it is often the first thing an attacker will target. For this reason, preventing a cybercriminal from gaining access to AD with compromised credentials must be a top priority for IT security teams.

Spotting an AD attack

A key challenge is that most attacks against AD can be difficult to spot. The subtle nature of the techniques used means that if teams are not proactively watching for them, they may go unnoticed.

Successfully protecting against AD attacks requires security teams to adopt a holistic approach to their monitoring and defences. Some people liken this to how a doctor diagnoses a medical condition. While they may have numerous symptoms to consider, it can often be challenging to bring them together to form an accurate diagnosis.

For this reason, an IT security team must have a clear understanding of the tell-tale signs of an AD attack. These can vary widely in nature, but there are some that cybercriminals use regularly.

Some potential attack indicators affect numerous accounts within the network, such as a mass password change that alters large numbers of user credentials, account lockouts, or unexpected changes to security settings.

There are also subtler signs that security teams need to watch for, such as an account suddenly appearing in a group without a good reason or a new service account popping up with no apparent authorisation.

Overcoming the challenge of spotting an attack

Despite the considerable challenges around spotting AD compromises, there are several steps that security teams can take.

The first is to continually monitor privileged groups so the team sees when a user identity gets created or added to one of them. In addition to new account creations and membership changes, security teams should monitor for password changes on privileged accounts, changes to critical objects, the use of SIDs from disabled accounts, and Access Control List (ACL) changes.

These events are subtle and could easily go unnoticed unless the team actively watches for them. For this reason, many organisations choose to set up SIEM rules to look for specific line items in an audit log and then raise an alert when spotting suspicious activity.
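The SIEM-rule approach described above, as an added example that is not code from the article, ITWire or Attivo Networks: a small Python correlation pass over Windows Security audit events that flags the indicators named in this section (privileged group membership changes, new accounts, password resets on privileged accounts, ACL changes on critical objects, a mass password reset by one actor, and a lockout burst). The event IDs are the real Windows Security IDs for those actions; the pipe-delimited log format, the account and group names, the privileged-account list and the thresholds are all constructed for the example.

```python
"""Constructed SIEM-style correlation over Windows Security audit events.

The log format below is a simplified pipe-delimited rendering made up for this
example, not the native EVTX/XML layout. Event IDs are the real Windows
Security IDs for these actions; names, lists and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tier-0 groups/accounts and critical objects for this environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
PRIVILEGED_ACCOUNTS = {"administrator", "da-jsmith", "svc-backup"}
CRITICAL_OBJECT_MARKERS = ("AdminSDHolder", "OU=Domain Controllers")
MASS_RESET_THRESHOLD = 5   # password resets by one actor within WINDOW (illustrative)
LOCKOUT_THRESHOLD = 3      # lockouts across the domain within WINDOW (illustrative)
WINDOW = timedelta(minutes=10)

GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global/local/universal security group
ACCOUNT_CREATED = 4720                  # user account created
PASSWORD_RESET = 4724                   # password reset attempted by another principal
ACCOUNT_LOCKOUT = 4740                  # user account locked out
ACL_CHANGED = 4670                      # permissions on an object changed

# Constructed sample log: timestamp|event id|key=value fields
SAMPLE_LOG = """\
2024-05-01T09:58:00|4720|subject=helpdesk1|target=svc-etl2
2024-05-01T10:01:12|4728|subject=jdoe|target=jdoe|group=Domain Admins
2024-05-01T10:01:40|4724|subject=jdoe|target=administrator
2024-05-01T10:02:05|4670|subject=jdoe|object=CN=AdminSDHolder,CN=System,DC=corp,DC=example
2024-05-01T10:03:00|4724|subject=jdoe|target=user01
2024-05-01T10:03:05|4724|subject=jdoe|target=user02
2024-05-01T10:03:10|4724|subject=jdoe|target=user03
2024-05-01T10:03:15|4724|subject=jdoe|target=user04
2024-05-01T10:03:20|4724|subject=jdoe|target=user05
2024-05-01T10:04:00|4732|subject=admin2|target=svc-mon|group=Performance Monitor Users
2024-05-01T10:05:00|4740|subject=-|target=user07
2024-05-01T10:05:30|4740|subject=-|target=user08
2024-05-01T10:06:00|4740|subject=-|target=user09
2024-05-01T11:30:00|4724|subject=helpdesk1|target=user42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<eid>\d+)\|(?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split("|") if "=" in kv)
    return {"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]), **fields}


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def bursts(events, key, threshold, window):
    """Yield (key, first_ts, count) once per key when >= threshold events fall inside window."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[key(ev)].append(ev["ts"])
    for k, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                yield k, times[start], end - start + 1
                break


def detect(events):
    """Return (rule, actor, detail) alerts for the indicators discussed in the article."""
    alerts = []
    for ev in events:
        eid = ev["eid"]
        if eid in GROUP_ADD_EVENTS and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_add", ev["subject"], f'{ev["target"]} -> {ev["group"]}'))
        elif eid == ACCOUNT_CREATED:
            alerts.append(("account_created", ev["subject"], ev["target"]))
        elif eid == PASSWORD_RESET and ev.get("target", "").lower() in PRIVILEGED_ACCOUNTS:
            alerts.append(("privileged_password_reset", ev["subject"], ev["target"]))
        elif eid == ACL_CHANGED and any(mk in ev.get("object", "") for mk in CRITICAL_OBJECT_MARKERS):
            alerts.append(("critical_acl_change", ev["subject"], ev["object"]))
    resets = [ev for ev in events if ev["eid"] == PASSWORD_RESET]
    for actor, first, n in bursts(resets, lambda e: e["subject"], MASS_RESET_THRESHOLD, WINDOW):
        alerts.append(("mass_password_reset", actor, f"{n} resets starting {first.isoformat()}"))
    lockouts = [ev for ev in events if ev["eid"] == ACCOUNT_LOCKOUT]
    for _, first, n in bursts(lockouts, lambda e: "domain", LOCKOUT_THRESHOLD, WINDOW):
        alerts.append(("lockout_burst", "n/a", f"{n} lockouts starting {first.isoformat()}"))
    return alerts


def alert_counts(alerts):
    counts = defaultdict(int)
    for rule, *_ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert, sep=" | ")
```

Run against the constructed log, the pass raises six alerts: one each for the new account, the self-addition to Domain Admins, the reset of the administrator password, the AdminSDHolder ACL change, the burst of six resets by one actor, and the three lockouts in one window; the addition to Performance Monitor Users and the lone helpdesk reset are left alone. In a real deployment the group and account lists would come from the directory rather than constants, and the thresholds would be tuned to the environment's normal helpdesk volume.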

Alternatively, the security team can take advantage of an array of modern assessment and attack detection tools that are currently on the market to enhance their security posture. These tools can automatically increase visibility into potential exposures and monitor for known warning signs to mitigate attacks before they occur.

This approach reduces the workload for security team members. As modern networks become increasingly complex and the number of human and machine identities skyrockets, automation is fast becoming the only practical and reliable way to protect AD.

An organisation can identify an AD attack early in the process by implementing identity exposure visibility and monitoring tools and taking an automated approach to detection. There is always the risk of an attack, but these tools reduce the attack surface, close exposure gaps, and significantly enhance a security team’s ability to respond effectively.

Read the original article on ITWire.
