Amid Today’s Threat Landscape, Protecting Active Directory is a CISO-Level Concern - Attivo Networks

Despite Active Directory’s critical role in today’s IT infrastructure, CISOs rarely list protecting it as a top priority. They assume that policy management and periodic audits are sufficient to cover it, and too often, it fades into the background as part of the plumbing — something they just expect to function as it should. Active Directory (AD) is a solution businesses use to set and control privileges and permissions, which means ease of access and operations are essential. Unfortunately, constant changes and continuing growth make it complex to protect.

By Carolyn Crandall, Chief Security Advocate and CMO, Attivo Networks

Stolen credentials are on the rise, and privileged access is a factor in the majority of cyberattacks. With more and more cybercriminals looking to move laterally within the network and escalate their privileges, AD represents an increasingly high-value target. The complexity of securing AD and the growing frequency with which attackers target it means that CISOs can no longer view it as a backburner item — its security is now a CISO-level concern.

The Complexity of Securing Active Directory

Over 95 million Active Directory accounts are under attack every day, demonstrating how frequently cybercriminals attempt to compromise AD to acquire additional permissions and escalate their attacks. AD is a “master key” that manages permissions across the enterprise, and — unfortunately — access control is no simple matter. Overprovisioning is common, especially in group policies, and legacy permissions can be difficult to track. Orphaned credentials are hard to gain visibility into, and mergers and acquisitions add further complexity, as merging disparate user groups and assets is often challenging. Security teams commonly lack visibility into AD changes, and they cannot protect what they can’t see.

More than Just Plumbing

More than 90% of Global Fortune 1000 organizations use AD for authentication, identity management, and access control. Unfortunately, AD configurations become increasingly complex over time, resulting in overprovisioning and errors. The addition of temporary workers, mergers and acquisitions, and third-party vendors that need some level of access compounds the situation. In addition, the number of users, devices, and applications accessing company networks is growing every day, and today’s networks now extend from the endpoint to the cloud.

Privileged access covers credentials, databases, infrastructure, and network devices. AD touches all of these areas, which is why attackers see AD as the ultimate prize: compromising it grants them access to the rest of the network. Whether they aim to replicate password hashes via a DCSync attack, push changes to AD ACLs and settings via a DCShadow attack, or forge Kerberos tickets via a Golden Ticket attack, attackers treat AD as a high-value target.

Given its role in maintaining operations and allowing employees to do their work efficiently, losing control of Active Directory can cause anything from a minor disruption to a complete loss of service.

AD Attacks Can Cause Serious Damage

Privileged access abuse is a factor in 80% of known security breaches, including the recent highly damaging SolarWinds and Microsoft breaches. If attackers compromise AD, they can use stolen credentials — or escalate privileges for credentials they already possess — to move laterally throughout the network. Once an attacker has “domain administrator” control of AD, an attack becomes highly difficult to stop and can require extreme measures to restore the AD environment to a non-compromised status.

Third-party attacks like the SolarWinds breach highlight how attackers can bypass perimeter defenses. In this case, modified SolarWinds products gave attackers a backdoor into numerous company networks, circumventing whatever perimeter protections those organizations had in place. Without in-network defenses, there is little to stop attackers from making a beeline for AD, and with the average cost of a data breach now at nearly $4 million, an attack that compromises AD will almost certainly be an expensive one. Ransom demands in ransomware breaches, almost all of which use AD as an element of the attack, have climbed to record-breaking heights. In mid-March, PC giant Acer was hit by a ransomware attack demanding $50 million, the highest known ransom to date.

How CISOs Can Change Their Thinking

Identifying the right metrics can be a challenge for CISOs. When talking to a company board, they often feel compelled to focus on metrics like intrusion attempts, incident rates, response times, and other numbers, which, while important, do not tell the whole story. Additional metrics like excess privilege exposures can help contextualize the threat to AD and the network at large. These metrics may take some further explaining, but they provide a more comprehensive picture of network health and security.

Attackers tend to follow a recognizable progression. First, they prey on endpoints and users. Next, they compromise the endpoint and focus on local privilege escalation. Once inside the network, they conduct network and AD reconnaissance and then attack AD itself. Attackers always seek greater privileges, yet many security teams rely on SIEMs and AD monitoring solutions, which are inefficient and only useful after an incident has occurred. And while maintaining AD privileges and policies is table stakes, it will not stop an attacker who already holds privileged account credentials from reaching valuable assets.

Given what we know about how attackers operate, CISOs must pay more attention to lateral movement, identity protection, and entitlements than to authentication and authorization. With greater visibility into potential threat paths and exposures, security teams can remediate issues and set traps for would-be attackers by hiding real AD objects and seeding the directory with false ones. Rather than identifying signs of an attack after it has taken place, CISOs can enable their security teams to take a proactive approach, tricking attackers into giving themselves away before they can escalate.
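The two detection ideas the article raises, catching a DCSync-style replication request (named in the "More than Just Plumbing" section) and catching an attacker who touches a decoy account seeded into AD (this section), can both be expressed as simple rules over Windows Security events. The following is an added example written for this page; it is not code from the article or from Attivo Networks. It assumes events arrive as dicts carrying the standard Security log field names (EventID, SubjectUserName, Properties, TargetUserName, IpAddress); the domain controller allowlist, the decoy account names and the sample events are all constructed. The two replication-right GUIDs are the real DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights from the AD schema.

```python
"""Detection rules for two AD attack stages named in the article.

Added example, not code from the article or from Attivo Networks. It checks
Windows Security events (dicts with the fields a SIEM would extract) for:

  1. DCSync-style replication: event 4662 where a principal other than a
     domain controller exercises the DS-Replication-Get-Changes rights.
  2. Use of a decoy ("honey") account: event 4768 (Kerberos TGT request) or
     4624 (logon) naming an account that exists only as bait.

The DC allowlist, the decoy account names and every sample event below are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Control-access-right GUIDs from the AD schema that a DCSync request needs.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Hypothetical allowlist: only domain controller machine accounts should replicate.
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Hypothetical decoy accounts seeded into AD; nothing legitimate ever uses them.
DECOY_ACCOUNTS = {"svc_backup_old", "adm_finance"}


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str
    detail: str


def _property_guids(properties: str) -> set:
    """Normalise the 4662 Properties field ('%%7688 {guid} {guid}') to bare GUIDs."""
    return {tok.strip("{}").lower() for tok in properties.split()}


def detect_dcsync(event: dict) -> Optional[Alert]:
    """Flag replication rights exercised by anything that is not a known DC."""
    if event.get("EventID") != 4662:
        return None
    rights = _property_guids(event.get("Properties", "")) & REPLICATION_GUIDS
    if not rights:
        return None
    subject = event.get("SubjectUserName", "")
    if subject in DC_ACCOUNTS:
        return None  # expected DC-to-DC replication
    return Alert("dcsync_replication_request", subject,
                 "replication rights %s used by a non-DC principal" % sorted(rights))


def detect_decoy_use(event: dict) -> Optional[Alert]:
    """Flag any authentication that names a decoy account."""
    if event.get("EventID") not in (4768, 4624):
        return None
    target = event.get("TargetUserName", "")
    if target.lower() not in {d.lower() for d in DECOY_ACCOUNTS}:
        return None
    return Alert("decoy_account_touched", target,
                 "event %d from %s" % (event["EventID"], event.get("IpAddress", "unknown")))


def run_rules(events: Iterable[dict]) -> List[Alert]:
    """Apply both rules to every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in (detect_dcsync, detect_decoy_use):
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample events (field names follow the Windows Security log schema).
SAMPLE_EVENTS = [
    # Benign: a DC replicating from another DC.
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Suspicious: an ordinary user exercising replication rights.
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Benign: same user, unrelated right (placeholder GUID, constructed).
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688 {00000000-0000-0000-0000-000000000000}"},
    # Suspicious: TGT requested for a decoy account.
    {"EventID": 4768, "TargetUserName": "svc_backup_old", "IpAddress": "10.0.5.23"},
    # Benign: normal logon.
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.5.23"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert.rule, alert.subject, alert.detail)
```

Run over the constructed sample, the rules raise exactly two alerts: the replication request by `jdoe` and the TGT request for `svc_backup_old`. The DC allowlist is what keeps the first rule quiet during normal replication; in a real deployment it should be generated from the domain controllers OU rather than hand-maintained, and the decoy list should be kept out of any document an attacker could read from the directory itself.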

Making AD a Top-Level Priority

Attackers today view AD as an easy target, in part because organizations consider it protected by the perimeter, policies, and log management, which savvy attackers have proven they can repeatedly defeat. By shifting their attention to vulnerability visibility, lateral movement, and privilege escalation detection, CISOs can make life much more difficult for attackers and prevent minor incursions from becoming full-scale breaches. By recognizing that AD has become an attack vector of choice, CISOs can more effectively protect their networks from today’s most damaging attack tactics.

Read the original article at CISO MAG.
