Proactivity is key in Active Directory security

By Carolyn Crandall, Chief Security Advocate, Attivo Networks.

Reports of new ransomware attacks fill the news daily. What is less commonly reported is that almost all of the large, domain-wide ones share a common element: abuse of Active Directory (AD).

AD is responsible for authentication and authorisation across enterprise resources and can fairly be called the technical ‘spine’ of an organisation. It is used by 90 percent of Fortune 1000 companies, and organisations need to prioritise protecting it to have the best chance against this onslaught of attacks.

Threat actors consider AD a primary target because it holds the information and privileges they need to advance an attack: a directory of every account, group, computer and trust, and the access control lists that say who may change them. Attackers also know that AD is difficult to secure and that traditional security controls were not designed to give visibility into its inherent risks or to detect attacks on it in real time.

Periodic audits and log monitoring are not enough on their own, and businesses need to seek out controls that provide visibility into exposures and entitlement risks from the endpoint, through AD, and into multi-cloud environments. Without identity-based security controls, organisations are likely to become aware of a ransomware attack only after the breach has taken place and the ransom demand has been served.

The rise in ransomware exploiting AD

Most wide-scale ransomware attacks require control of AD to create new objects, install backdoors, and distribute malware to other systems. The rise of ‘Ransomware 2.0’ has brought a decline in traditional ‘smash and grab’ attacks and an increase in extortion tactics.

Previously, attackers needed access and time to exfiltrate and encrypt data. More recent attacks have been far more deliberate: the operators move quickly through the network with the intent of gaining domain-wide control, which they then use as leverage by threatening disruption of service.

To acquire that control, ransomware operators take advantage of whatever exposures and vulnerabilities they come across, whether misconfigurations or software vulnerabilities that can be exploited before the company knows about the issue or has had time to patch it.

A recent example is the set of Microsoft Exchange zero-day vulnerabilities exploited by the state-sponsored group Hafnium. The vulnerabilities were being exploited before a patch existed, and the gap between disclosure and patching gave other threat actors plenty of time to install backdoors, gain persistence, and conduct ransomware attacks.

Another example is a Ryuk intrusion in 2020 that went from a single email to domain-wide ransomware in just over a day, after which the group demanded more than $6 million to unlock the systems. The attack started with an initial infection by the Bazar loader. The attackers spent about 26 hours on reconnaissance, and once they executed the ransomware payload on a Domain Controller they used it to infect the rest of the network.

The limitations in AD security

The very nature of AD means it must be reachable from across the enterprise, and by default any authenticated user can read most of it, so an attacker who compromises any domain account can access it easily; combined with how complex it is to secure, that makes it highly susceptible to attack. If successful, attackers can manipulate AD to change group membership, permissions, security policies, and access control lists (ACLs). Once inside, they have free rein to move laterally through the network by changing user rights and impersonating employees.

Given that the general view of AD focuses on service availability rather than security, it is not surprising that protection lags behind. These attitudes need to change, because weaknesses in AD can give attackers privileged access and control of the domain, along with the ability to move discreetly throughout the network.

Traditional AD protection has focused on reducing vulnerabilities by patching, adhering to the principle of least privilege, and following a tiered administration model. While these measures are essential, they are no longer sufficient by themselves, which ties back to the issue of reactivity versus proactivity.

An organisation can only patch a vulnerability after it is known, and log analysis combined with SIEM correlation centres on post-incident detection rather than prevention. To get ahead, businesses need to move beyond purely reactive approaches towards a proactive posture in which they can both prevent attacks on Active Directory and detect attacks as they are being conducted.

Strengthening defences

When it comes to tackling AD exposures and vulnerabilities, visibility is crucial. One of the central undertakings is to regularly validate AD accounts and objects and to maintain an up-to-date inventory of who holds which permissions and privileges.

Frequently assessing settings and configurations limits exposures such as stale or over-privileged accounts, overlooked permissions, and excessive entitlements. Attackers target accounts with delegated admin or ‘shadow admin’ permissions: accounts that are not members of the built-in privileged groups but hold ACL rights (such as full control, the right to modify group membership, or the right to reset passwords) over objects that are. Regular assessments can remove the unnecessary credentials and access rights that create such attack paths within AD.
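The assessment described above can be started with nothing more than the RSAT ActiveDirectory module. The script below is an added example written for this page, not code from the article or from Attivo Networks: it walks the ACLs of the Tier-0 objects (domain head, AdminSDHolder, and the built-in admin groups) and reports every principal holding a control-equivalent right that is not on an allow-list of expected holders. The object names assume default English group names and a single domain, and the allow-list is an assumption that has to be tuned to the environment (Exchange, backup, RODC and PAM accounts are common legitimate entries).

```powershell
# Added example, not from the original article: list principals that hold control-equivalent
# rights over Tier-0 objects without being one of the expected admin identities ("shadow admins").
# Read-only; needs the RSAT ActiveDirectory module and a domain account. Assumptions: default
# English group names, a single domain, and an allow-list ($expected) tuned to the environment.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dn      = $domain.DistinguishedName
$netbios = $domain.NetBIOSName

# Objects whose control is equivalent to control of the domain.
$targets = @(
    $dn,                                  # domain head: replication (DCSync) rights live here
    "CN=AdminSDHolder,CN=System,$dn",     # template ACL stamped onto every protected account/group
    "CN=Domain Admins,CN=Users,$dn",
    "CN=Enterprise Admins,CN=Users,$dn",
    "CN=Schema Admins,CN=Users,$dn",
    "CN=Administrators,CN=Builtin,$dn"
)

# ObjectType GUIDs that turn a scoped WriteProperty/ExtendedRight ACE into a takeover path.
$dangerousGuid = @{
    '00000000-0000-0000-0000-000000000000' = 'all attributes / all extended rights'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (change group membership)'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
}

# Principals expected to hold such rights; anything else is a finding to review (assumption: tune).
$expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins", "$netbios\Domain Controllers"
)

function Test-ControlAce {
    # True when an Allow ACE gives the holder control of the object or of its membership.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $r = $Ace.ActiveDirectoryRights
    $t = $Ace.ObjectType.ToString()
    # Rights that mean full control whatever the ObjectType says.
    foreach ($full in 'GenericAll', 'WriteDacl', 'WriteOwner') {
        if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$full)) { return $true }
    }
    # Scoped rights only matter when the scope is "everything" or one of the dangerous GUIDs.
    $scoped = $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -or
              $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    return ($scoped -and $dangerousGuid.ContainsKey($t))
}

$findings = foreach ($target in $targets) {
    $acl = Get-Acl -Path "AD:\$target"
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if (($expected -contains $who) -or -not (Test-ControlAce $ace)) { continue }
        $guid  = $ace.ObjectType.ToString()
        $scope = if ($dangerousGuid.ContainsKey($guid)) { $dangerousGuid[$guid] } else { $guid }
        [pscustomobject]@{
            Object    = $target
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Object, Principal | Format-Table -AutoSize
```

Every row is an attack path to review, not automatically a misconfiguration: a backup or migration account with replication rights on the domain head is a DCSync path whether or not it was intended, so the right outcome is either to document it as accepted or to remove the ACE. Rows marked Inherited come from a parent container and must be fixed there.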

Businesses must implement improved attack detection that happens earlier in the attack life-cycle and picks up activities such as password spray attacks, mass account lockouts, or bulk changes to accounts. Ransomware 2.0 operations depend on the attacker’s ability to move laterally through the network, identify valuable assets, and elevate privileges.
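The two early signals named above, password sprays and mass lockouts, can be pulled out of a domain controller’s Security log with a few lines of PowerShell. The following is an added example written for this page (not the article’s or Attivo Networks’ code). The analysis runs on a normalised Time/Kind/Account/Source record so it can be exercised offline on constructed data; the ConvertFrom-DcAuthEvent function maps real events into that shape. It assumes Kerberos pre-authentication failures (event 4771, status 0x18), NTLM validation failures (4776, status 0xC000006A) and lockouts (4740) are being audited on the DC, and the thresholds are starting points to tune, not measured values.

```powershell
# Added example, not from the original article: detect password sprays and mass lockouts from
# domain-controller Security-log events. Assumptions: the 4771/4776/4740 audit subcategories are
# enabled on the DC, and the thresholds below are starting points, not measured values.

function ConvertFrom-DcAuthEvent {
    # Normalise one Get-WinEvent record; emits nothing for events that are not bad-password failures.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        switch ($Record.Id) {
            4771 { if ($d.Status -eq '0x18') {
                       [pscustomobject]@{ Time = $Record.TimeCreated; Kind = 'fail'
                                          Account = $d.TargetUserName; Source = ($d.IpAddress -replace '^::ffff:') } } }
            4776 { if ($d.Status -eq '0xC000006A') {
                       [pscustomobject]@{ Time = $Record.TimeCreated; Kind = 'fail'
                                          Account = $d.TargetUserName; Source = $d.Workstation } } }
            4740 { # TargetDomainName carries the "Caller Computer Name" in 4740 (assumption: verify on your DCs)
                   [pscustomobject]@{ Time = $Record.TimeCreated; Kind = 'lockout'
                                      Account = $d.TargetUserName; Source = $d.TargetDomainName } }
        }
    }
}

function Find-SprayAndLockout {
    # Sliding-window heuristics. A spray is many distinct accounts from one source with few attempts
    # each (it is built to stay under the lockout threshold); a mass lockout is many distinct
    # accounts locked within the window, whatever the source.
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$WindowMinutes = 10,
        [int]$MinAccounts   = 15,
        [int]$MaxPerAccount = 3,
        [int]$MinLockouts   = 5
    )
    $window = [timespan]::FromMinutes($WindowMinutes)
    $alerts = @()

    foreach ($grp in ($Records | Where-Object Kind -eq 'fail' | Group-Object Source)) {
        $evs = @($grp.Group | Sort-Object Time)
        for ($i = 0; $i -lt $evs.Count; $i++) {
            $end   = $evs[$i].Time + $window
            $slice = @($evs | Where-Object { $_.Time -ge $evs[$i].Time -and $_.Time -le $end })
            $perAccount = @($slice | Group-Object Account)
            $maxPer = ($perAccount | Measure-Object -Property Count -Maximum).Maximum
            if ($perAccount.Count -ge $MinAccounts -and $maxPer -le $MaxPerAccount) {
                $alerts += [pscustomobject]@{ Type = 'PasswordSpray'; Source = $grp.Name; Start = $evs[$i].Time
                                               Accounts = $perAccount.Count; Attempts = $slice.Count }
                break   # one alert per source per run is enough
            }
        }
    }

    $locks = @($Records | Where-Object Kind -eq 'lockout' | Sort-Object Time)
    for ($i = 0; $i -lt $locks.Count; $i++) {
        $end      = $locks[$i].Time + $window
        $slice    = @($locks | Where-Object { $_.Time -ge $locks[$i].Time -and $_.Time -le $end })
        $accounts = @($slice.Account | Sort-Object -Unique)
        if ($accounts.Count -ge $MinLockouts) {
            $alerts += [pscustomobject]@{ Type = 'MassLockout'; Source = (@($slice.Source | Sort-Object -Unique) -join ',')
                                           Start = $locks[$i].Time; Accounts = $accounts.Count; Attempts = $slice.Count }
            break
        }
    }
    return $alerts
}

# Constructed sample, not real log data: one host tries 20 accounts twice each within four minutes
# (a spray shaped to stay under a 5-attempt lockout policy), while another host is a single user
# mistyping one password six times (not a spray, though it may trigger a lockout of its own).
$t0 = [datetime]'2021-06-01T09:00:00'
$sample = @()
foreach ($k in 0..19) {
    foreach ($round in 0..1) {
        $sample += [pscustomobject]@{ Time = $t0.AddSeconds(10 * $k + 200 * $round); Kind = 'fail'
                                      Account = "user$k"; Source = '10.0.5.77' }
    }
}
foreach ($j in 0..5) {
    $sample += [pscustomobject]@{ Time = $t0.AddMinutes($j); Kind = 'fail'; Account = 'jdoe'; Source = 'WS-042' }
}
Find-SprayAndLockout -Records $sample | Format-Table -AutoSize

# Against a live DC, the same analysis over the last hour:
#   $recs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776, 4740; StartTime = (Get-Date).AddHours(-1) } |
#           ConvertFrom-DcAuthEvent
#   Find-SprayAndLockout -Records $recs
```

The per-account cap is the part that distinguishes a spray from a brute force: a brute force hammers one account and is caught by the lockout policy, while a spray tries one or two guesses against every account precisely so that no lockout fires, which is why counting distinct target accounts per source is the signal to key on. Sources behind a NAT or a VPN concentrator will look like one host, so the MinAccounts threshold needs raising for those addresses.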

AD protection tools and strategies include real-time detection, identifying and remediating exposed credentials on endpoints, detecting unauthorised AD queries, and hiding and denying access to sensitive or privileged AD objects. These approaches restrict unauthorised visibility into the directory and prevent attackers from obtaining accurate information when they query AD, and they alert quickly on activities such as brute-force attempts, password sprays, and other tactics targeting AD objects.
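Detecting unauthorised AD queries does not require third-party tooling to get started: a domain controller can log expensive and inefficient LDAP searches itself (Directory Service event 1644), and broad, low-selectivity searches are the footprint that directory enumeration tools leave. The snippet below is an added example written for this page, not code from the article or from Attivo Networks. It must run elevated on a DC; the thresholds are an assumption chosen deliberately low for a short, time-boxed hunt (they raise log volume), and the client parsing assumes IPv4 addresses in the event text.

```powershell
# Added example, not from the original article: enable the DC's built-in logging of expensive and
# inefficient LDAP searches (Directory Service event 1644) and rank the clients issuing them.
# Run elevated on a domain controller. Assumption: thresholds of 1 are for a short hunt only;
# raise them, or set '15 Field Engineering' back to 0, when the hunt is over.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

Set-ItemProperty -Path $diag -Name '15 Field Engineering'                 -Value 5 -Type DWord
Set-ItemProperty -Path $parm -Name 'Expensive Search Results Threshold'   -Value 1 -Type DWord
Set-ItemProperty -Path $parm -Name 'Inefficient Search Results Threshold' -Value 1 -Type DWord
Set-ItemProperty -Path $parm -Name 'Search Time Threshold (msecs)'        -Value 1 -Type DWord

# Rank clients by number of flagged searches in the last hour. The event text carries the client
# address and port, the search filter, and the visited/returned counts; this parses the message
# text for an IPv4 client address (assumption) rather than relying on named event fields.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = (Get-Date).AddHours(-1) } |
    ForEach-Object {
        if ($_.Message -match 'Client:\s*(\d{1,3}(?:\.\d{1,3}){3}):\d+') { $Matches[1] }
    } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name |
    Format-Table -AutoSize
```

A workstation that suddenly tops this list with searches whose filter is as broad as (objectClass=*) or (samAccountType=...) across the whole domain is worth an immediate look; service accounts and monitoring systems will appear too, so build the baseline first and alert on new entrants.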

By mitigating AD weaknesses, security teams can stop ransomware attackers before they get the chance to access and leverage AD. Today’s security tools make it easier for organisations large and small to strengthen their defences and protect identities, credentials, and privileges effectively.

In a world where attack paths are abundant, businesses must protect against those who wish to take advantage of inherent directory-service weaknesses and over-provisioned access. Given how accessible AD is across an organisation and the consequences if it is compromised, its security must be treated as a top priority.

Taking a more proactive approach to AD security will strengthen a business’s position moving forward and help ready the organisation for future growth and the inevitable expansion into multi-cloud environments.

Read the original article on Teiss.