THE CHALLENGE OF PREVENTING AD ATTACKS
By Jim Cook, ANZ regional director, Attivo Networks
Jim Cook from Attivo Networks explains how organisations can mitigate risks associated with an increase in Active Directory attacks.
Of all the targets in the sights of cyber criminals today, they don’t come much bigger than Active Directory (AD).
The number of attacks against AD has increased dramatically in recent years. Microsoft revealed that in 2021, Azure Active Directory alone saw more than 25.6 billion brute force attacks.
One does not have to look far to see why AD is so attractive to attackers. An AD server sits at the heart of an organisation’s IT infrastructure and handles all identity and authentication services. Compromising AD can give attackers a skeleton key to the entire network.
On the rise
AD provides authentication and authorisation for all enterprise resources (devices, applications and web access) and is therefore a prime target for cyber attacks. Traditional security approaches, such as periodic AD assessments and constant log analysis combined with SIEM correlation, are costly and complex.
Thankfully, IT security teams have modern solutions to help with these challenges. Many organisations are taking advantage of identity protection tools such as those in the emerging identity threat detection and response (IDR) category, which helps them detect and deflect adversaries before they can escalate their attacks.
Credential-based cyber attacks have continued to increase in recent years. According to the Verizon Data Breach Investigations Report, 61 per cent of all attacks involve credential data.
Although this finding is concerning, it makes sense that if a user accesses the network using a valid username and password, most defences have no reason to suspect credential misuse.
Cyber criminals can inflict significant damage with a valid set of credentials. For example, they could use them to gain access to specific resources, reset other passwords, request short-term tokens, request API tokens, or conduct other attack activities.
Unfortunately, many organisations often store credentials in places that cyber criminals can readily access. For example, many passwords live on client devices, network passwords reside in memory, and browsers, email, and other applications store various passwords.
An attacker who compromises a workstation or user account will often have little difficulty gaining access to stored credentials, some of which may even carry administrator-level authority. Once inside the network, an adversary with a working set of credentials can often move about the network unnoticed if there are no mechanisms to identify abnormal behaviour patterns.
From there, it’s a straight line to Active Directory, where they can escalate these privileges and gain access to on-premises groups, applications and file storage.
Spotting an AD attack
For IT security teams, gaining visibility into the weaknesses that could give attackers access to Active Directory is the best place to start. If a team can find identity exposures, it should assume that attackers could use the same exposures to escalate their attack. Stopping AD attacks requires visibility across the entire network, starting at the endpoints where adversaries steal credentials.
Security teams also need visibility into exposures such as exposed admin credentials, potential attack paths, and shadow admin accounts. Restricting, and alerting on, unauthorised access to credentials stored on endpoints, and reducing the attack surface, are critical.
One should also remember that AD attacks can happen very quickly. For this reason, an organisation needs to have live attack detection, and actions like mass account lockouts or deletions should raise immediate alerts.
Other suspicious activities to look for include password changes on sensitive accounts or mass password resets. Other signs of an AD attack are suspicious service creation on a domain controller, using a default administrator account, or reactivating previously disabled privileged accounts.
Making use of interception strategies
Security teams should also consider strategies designed to intercept and trick attackers before they can reach their goal.
As part of a defence-in-depth approach, teams can achieve this by deploying tools capable of hiding actual AD objects from attackers, intercepting uncategorised queries, and manipulating the results with false information. Security teams can also seed their networks with “admin” credential lures and AD decoys designed to trick adversaries into giving away their presence.
An organisation taking this approach has both active and passive protective measures for AD. Together, these make it difficult for attackers to see the network accurately and keep their presence a secret.
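The detection signals listed under “Spotting an AD attack” (mass lockouts or deletions, password resets on sensitive accounts, mass resets, service creation on a domain controller, use of the default administrator account, re-enabled privileged accounts) and the credential-lure idea above can be expressed as a handful of rules over Windows Security events. The following is an added example, not code from the article or from Attivo Networks: it runs those rules over a constructed batch of parsed Security log records. The event IDs are the standard Windows ones (4740 account locked out, 4726 account deleted, 4724 password reset, 4697 service installed, 4624 logon, 4722 account enabled); the host names, account names, thresholds and sample events are assumptions made for the example.

```python
"""Toy Active Directory attack-signal rules over parsed Security events.

Added example (not the article's or Attivo's code). Environment facts
below are constructed: which hosts are domain controllers, which accounts
are privileged, and which accounts are decoys (credential lures) that
should never be used legitimately.
"""
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01", "DC02"}                       # assumed
PRIVILEGED_ACCOUNTS = {"da_backup", "svc_sql_admin", "Administrator"}  # assumed
DECOY_ACCOUNTS = {"admin_legacy"}                            # assumed lure account
WINDOW = timedelta(minutes=5)   # sliding window for "mass" events
MASS_THRESHOLD = 5              # events in WINDOW that count as "mass"

# Constructed sample events shaped like parsed Security log records:
# a burst of lockouts, a reset of a privileged account, a service install
# on a DC, a built-in Administrator logon, a re-enabled privileged account,
# a logon with the decoy credential, and one ordinary help-desk reset.
SAMPLE_EVENTS = [
    {"time": "2022-05-10T09:00:05", "id": 4740, "host": "DC01",
     "target": f"user{i}", "subject": "svc_helpdesk"}
    for i in range(6)
] + [
    {"time": "2022-05-10T09:01:00", "id": 4724, "host": "DC01", "target": "da_backup", "subject": "jsmith"},
    {"time": "2022-05-10T09:01:30", "id": 4697, "host": "DC02", "target": "PSEXESVC", "subject": "jsmith"},
    {"time": "2022-05-10T09:02:00", "id": 4624, "host": "FILE01", "target": "Administrator", "subject": "-"},
    {"time": "2022-05-10T09:02:30", "id": 4722, "host": "DC01", "target": "svc_sql_admin", "subject": "jsmith"},
    {"time": "2022-05-10T09:03:00", "id": 4624, "host": "WS042", "target": "admin_legacy", "subject": "-"},
    {"time": "2022-05-10T10:30:00", "id": 4724, "host": "DC01", "target": "user7", "subject": "svc_helpdesk"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def max_burst(events, event_id, window=WINDOW):
    """Largest number of `event_id` events that fall inside any sliding `window`."""
    times = sorted(_ts(e) for e in events if e["id"] == event_id)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events):
    """Return (rule_name, detail) alerts for the signals the article lists."""
    alerts = []
    # Volume-based signals: mass lockouts, deletions, password resets.
    for name, eid in (("mass_lockout", 4740), ("mass_deletion", 4726),
                      ("mass_password_reset", 4724)):
        n = max_burst(events, eid)
        if n >= MASS_THRESHOLD:
            alerts.append((name, f"{n} events within {WINDOW}"))
    # Per-event signals.
    for e in events:
        target, host, actor = e["target"], e["host"], e["subject"]
        if e["id"] == 4724 and target in PRIVILEGED_ACCOUNTS:
            alerts.append(("sensitive_password_reset", f"{actor} reset {target}"))
        if e["id"] == 4697 and host in DOMAIN_CONTROLLERS:
            alerts.append(("dc_service_install", f"{target} installed on {host} by {actor}"))
        if e["id"] == 4624 and target == "Administrator":
            alerts.append(("builtin_admin_logon", f"logon on {host}"))
        if e["id"] == 4722 and target in PRIVILEGED_ACCOUNTS:
            alerts.append(("privileged_account_enabled", f"{target} enabled by {actor}"))
        if target in DECOY_ACCOUNTS:
            # Any use of a lure credential is high-confidence: nobody should have it.
            alerts.append(("decoy_credential_used", f"{target} used on {host}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Two points worth carrying into a real deployment: the decoy rule is the only one that needs no threshold, because a lure credential has no legitimate user, so a single use is enough to alert; and matching the default administrator account by the name "Administrator" is fragile, since that account can be renamed, so production logic should key on the account SID ending in RID 500 instead.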
An ongoing challenge
AD remains challenging to secure and should therefore be regarded as a top priority in securing the enterprise. By taking a defence-in-depth approach, security teams can implement measures that allow early detection and rapid response, so that AD remains a valuable part of an organisation’s IT infrastructure with the protection it needs to defend the enterprise against cyber attacks.
Free Active Directory Assessment
Get Visibility Into Privilege And Service Account Exposure
For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.
Try Our Endpoint Detection Net (EDN) for Free
FAST AND EASY
Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.
ADSecure 90-Day Free Trial
GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY
- Hide and deny access to AD objects
- Get alerted on unauthorized queries
- Attack details easily viewable in dashboard
- Your data remains on-premise