It sits at the heart of almost every organisation’s IT infrastructure, yet organisations too often overlook it when implementing effective security.
Organisations use Microsoft Active Directory to support user authentication, identity management, and access control. Many often likened it to the ‘plumbing’ that allows complex infrastructures to function.
Because of its critical role, it has become a favourite target for cybercriminals. They know that achieving access to Active Directory can allow them to traverse infrastructure and gain access to a wide range of resources.
Attackers can use stolen credentials or escalate privileges to move laterally throughout a network. Once an attacker has domain administrator control of Active Directory, an attack becomes highly difficult to stop and can require extreme measures to restore the environment to a non-compromised status.
Unfortunately, effective Active Directory management can become increasingly complex over time, resulting in overprovisioning and configuration errors. The task becomes even more difficult when adding additional factors such as temporary workers, mergers and acquisitions, and third-party vendors that need some level of access.
Also, the number of users, devices, and applications accessing company networks is growing every day, and today’s networks now extend from the endpoint to the cloud.
When mounting an attack, a cybercriminal tends to leverage several things. First, they prey on endpoints and users. Next, they will attempt to compromise the endpoint, then focus on local privilege escalation. Once inside the network, they conduct reconnaissance and then focus on attacking Active Directory.
Attackers are always seeking greater privileges, but many security teams rely on SIEMs and Active Directory monitoring solutions that are inefficient and only useful after an incident has already occurred. Also, while maintaining Active Directory privileges and policies is table stakes, it will not stop an attacker already possessing privileged account credentials from accessing valuable assets.
Effectively defending Active Directory
While perimeter defences such as firewalls and antivirus software remain essential elements of comprehensive network defence, stopping all attacks at the perimeter is impossible with today’s ever-evolving attack surface.
Eventually, an attacker will successfully breach those defences and establish a beachhead within the network from which they can move laterally to escalate their privileges, identify valuable assets and disrupt network operations.
For this reason, security teams must make an effort to secure their Active Directory assets. One of the most effective methods is to improve levels of cyber hygiene.
This process begins with creating an up-to-date inventory of all user and device accounts, group policy settings, and the privileges and entitlements they entail. These accounts should all have a ‘least privilege’ policy per cybersecurity best practices, ensuring that they do not have privileges to access or alter areas of the network they do not need to perform their essential job functions.
IT security teams should also regularly review and assess Active Directory settings and check and patch controllers against known vulnerabilities. These checks should include looking at exposures for the domain, users, and devices and detecting live attacks. These actions can help defenders identify potential vulnerabilities that attackers can leverage to compromise the environment.
Identifying and remediating these vulnerabilities can keep Active Directory better protected and enable defenders to have a more comprehensive understanding of AD risks requiring additional attention or layers of defence.
A second step involves remediating account issues. Continuously auditing account policies and settings is critical, as is having the ability to answer questions about the scope and number of privileged accounts. Determine whether accounts are regularly audited and if they have privileges that exceed what is necessary.
User accounts should have only the privileges they need to accomplish their job functions, especially when it comes to accounts with delegated administrative privileges.
It’s essential to regularly assess password policies and delegations to ensure that they remain appropriate and storage policies for credentials, especially if stored on endpoints. Knowing the privileges that each account should have can help defenders identify anomalous behaviour, potentially tipping them off to the presence of an attacker.
Thirdly, security teams should deploy tools that help to improve their ability to detect an attack. These tools can identify unauthorised queries to Active Directory and provide valuable alerts on live attacks as it identifies them.
Some tools can effectively channel an attacker’s energy against them and return false information when they query AD for information. Security teams can use this capability to trick attackers into revealing themselves, further slowing and derailing attacks.
Audit, audit, audit
Regularly auditing Active Directory changes can reveal activities that may indicate an attack is in progress. For this reason, security teams also need tools that can detect data harvesting activity within the network, especially as it pertains to privileged accounts.
Experience shows that attackers often deploy rogue domain controllers or modify settings with DCSync and DCShadow attacks. Golden and silver ticket attacks can be particularly dangerous, as they gain privileges to make changes and cover their tracks.
Given the recent rise in credential theft attacks, identifying imposters posing as actual employees using valid credentials has become extremely important. It is no longer enough to authorise and authenticate. Defenders must also perform checks to ensure that a given identity is still entitled to its level of access.
Active Directory will remain a crucial element of IT infrastructures for years to come. For this reason, security teams must take all the steps necessary to make it as resilient to attack as possible. Making an effort now can reduce the likelihood of a crippling breach in the future.
