Attivo Networks Blogs


By Jim Cook, ANZ regional director, Attivo Networks

Jim Cook from Attivo Networks explains how organisations can mitigate risks associated with an increase in Active Directory attacks.  

Of all the targets in the sight of cyber criminals today, they don’t come much bigger than Active Directory (AD).

The number of attacks against AD has increased dramatically in recent years. Microsoft revealed that in 2021, Azure Active Directory alone saw more than 25.6 billion brute force attacks.

One does not have to look far to see why AD is so attractive to attackers. An AD server sits at the heart of an organisation’s IT infrastructure and handles all identity and authentication services. Compromising AD can give attackers a skeleton key to the entire network.  

On the rise

AD provides authentication and authorisation to all enterprise resources (devices, applications and web access) and is therefore a prime target for cyber attacks. Traditional security approaches such as periodic AD assessments and constant log analysis combined with SIEM correlation are costly and complex.

Thankfully, IT security teams have modern solutions to help with these challenges. Many organisations are taking advantage of identity protection tools such as those in the emerging identity threat detection and response (IDR) category, which helps them detect and deflect adversaries before they can escalate their attacks.

Credential-based attacks 

Credential-based cyber attacks have continued to increase in recent years. According to the Verizon Data Breach Investigations Report, 61 per cent of all attacks involve credential data.

Although this finding is concerning, it makes sense that if a user accesses the network using a valid username and password, most defences have no reason to suspect credential misuse.

Cyber criminals can inflict significant damage with a valid set of credentials. For example, they could use them to gain access to specific resources, reset other passwords, request short-term tokens, request API tokens, or conduct other attack activities.

Unfortunately, many organisations often store credentials in places that cyber criminals can readily access. For example, many passwords live on client devices, network passwords reside in memory, and browsers, email, and other applications store various passwords.

An attacker who compromises a workstation or user account will often have little difficulty gaining access to stored credentials, some of which may even have administrator-level authority. Once inside the network, an adversary with a working set of credentials can often move about the network unnoticed if there are no mechanisms to identify abnormal behaviour patterns.

From there, it’s a straight line to Active Directory, where they can escalate these privileges and gain access to on-premises groups, applications and file storage.  

Spotting an AD attack 

For IT security teams, gaining visibility into weaknesses that could allow attackers access to Active Directory is the best place to start. If a team can find identity exposures, they can expect that attackers could use these to escalate their attack. Stopping AD attacks requires visibility across the entire network, starting at the endpoints where adversaries steal credentials.

Security teams also need visibility into vulnerabilities such as admin credential exposures, potential attack paths, and shadow admin accounts. Restricting, and alerting on, unauthorised access to credentials stored on endpoints and reducing the attack surface are critical.

One should also remember that AD attacks can happen very quickly. For this reason, an organisation needs to have live attack detection, and actions like mass account lockouts or deletions should raise immediate alerts.

Other suspicious activities to look for include password changes on sensitive accounts or mass password resets. Other signs of an AD attack are suspicious service creation on a domain controller, using a default administrator account, or reactivating previously disabled privileged accounts.
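The indicators listed above map naturally onto rules over Windows Security log events. The following is an added example (not code from the article or from Attivo Networks) that runs those rules over a constructed set of flattened event records; the event ID meanings are standard Windows Security log IDs, and the sensitive-account and domain-controller names are assumptions.

```python
from collections import defaultdict

# Event IDs are standard Windows Security log IDs (not taken from the article):
# 4740 account locked out, 4726 account deleted, 4724 password reset attempt,
# 4723 password change attempt, 4697 service installed, 4722 account enabled,
# 4624 successful logon.
SENSITIVE_ACCOUNTS = {"svc_backup", "krbtgt", "da_jsmith"}  # assumed tier-0 accounts
DOMAIN_CONTROLLERS = {"DC01", "DC02"}                        # assumed DC hostnames
MASS_THRESHOLD = 5       # same-kind events inside the window that count as "mass"
WINDOW_SECONDS = 300

MASS_RULES = {4740: "mass_account_lockout",
              4726: "mass_account_deletion",
              4724: "mass_password_reset"}

# Constructed sample: six lockouts in six seconds, then single high-value events.
SAMPLE_EVENTS = (
    [{"ts": 1000 + i, "id": 4740, "target": f"user{i}", "host": "DC01"} for i in range(6)]
    + [{"ts": 1100, "id": 4724, "target": "svc_backup", "host": "DC01"},
       {"ts": 1200, "id": 4697, "target": "DC01", "host": "DC01", "service": "updsvc"},
       {"ts": 1300, "id": 4624, "target": "Administrator", "host": "WS17"},
       {"ts": 1400, "id": 4722, "target": "da_jsmith", "host": "DC02"},
       {"ts": 1500, "id": 4697, "target": "WS17", "host": "WS17", "service": "spool2"}]
)


def detect_ad_attack_signals(events, threshold=MASS_THRESHOLD, window=WINDOW_SECONDS):
    """Return (signal, detail) tuples for the AD attack indicators the article lists."""
    alerts, seen_mass, by_id = [], set(), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid, target, host = ev["id"], ev["target"], ev["host"]
        # Burst rule: N events of one kind inside a sliding time window, alerted once.
        if eid in MASS_RULES:
            times = by_id[eid]
            times.append(ev["ts"])
            while times and ev["ts"] - times[0] > window:
                times.pop(0)
            if len(times) >= threshold and eid not in seen_mass:
                seen_mass.add(eid)
                alerts.append((MASS_RULES[eid], f"{len(times)} events within {window}s"))
        # Single-event rules on sensitive objects.
        if eid in (4723, 4724) and target in SENSITIVE_ACCOUNTS:
            alerts.append(("sensitive_account_password_change", target))
        if eid == 4697 and host in DOMAIN_CONTROLLERS:
            alerts.append(("service_installed_on_dc", f"{ev.get('service')}@{host}"))
        if eid == 4624 and target.lower() == "administrator":
            alerts.append(("default_administrator_logon", host))
        if eid == 4722 and target in SENSITIVE_ACCOUNTS:
            alerts.append(("privileged_account_reenabled", target))
    return alerts
```

Running `detect_ad_attack_signals(SAMPLE_EVENTS)` raises five alerts; the service installed on the ordinary workstation WS17 is deliberately ignored, since the article's indicator is service creation on a domain controller.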

Making use of interception strategies

Security teams should also consider strategies designed to intercept and trick attackers before they can reach their goal.

Dubbed defence-in-depth, this approach deploys tools capable of hiding actual AD objects from attackers, intercepting uncategorised queries, and manipulating results with false information. Security teams can also seed their networks with “admin” credential lures and AD decoys designed to trick adversaries into giving away their presence.

An organisation taking this approach has both active and passive protective measures for AD. Together, these make it difficult for attackers to see the network accurately and keep their presence a secret.

An ongoing challenge

One should remember that AD remains challenging to secure, and organisations should therefore regard it as a top priority in securing the enterprise. By taking a defence-in-depth approach, security teams can implement measures that allow early detection and rapid response, so that AD remains a valuable part of an organisation’s IT infrastructure with the protection it needs to defend the enterprise against cyber attacks.

Read the original article on Cybersecurity Connect.
