MICROSOFT ACTIVE DIRECTORY (AD) is a mission-critical tool for managing systems and identities, yet it also presents enormous security risks. Since AD is the foundation of a vast majority of networks, it “isn’t going away soon,” says Andy Robbins, technical architect at security consulting firm SpecterOps. Therefore, there’s an opportunity for channel pros to help clients better protect their AD framework.
“Active Directory lacks intrinsic security,” says Carolyn Crandall, chief security advocate at security firm Attivo Networks. “It is viewed as a high-value target for attackers because exploiting it can unlock every account, server, and other valuable data.”
Indeed, approximately 95 million attacks on Active Directory occur daily, with privileged access used for 80% of all attacks, Crandall points out. What’s more, Attivo Networks found that fully half of surveyed organizations have experienced an AD attack in the last two years, and 40% of those attacks were successful.
“All of this can disrupt a business’s operations, financials, leadership, and brand,” says Robbins.
A lack of visibility into how privileges are assigned to any principal—including users, computers, and groups—means that insecure configurations are common, and overprovisioning is a chronic problem. “While Azure AD and other Directory Services are available and continue to grow, these too suffer from the same lack of visibility and attack path risk,” Robbins adds. (Attack paths are chains of abusable privileges and user behaviors that indirectly connect computers and users.)
Once an attacker has gained admin rights, they can wend their way through systems because seemingly low-privileged users frequently link to critical assets within the organization. Intruders can then launch ransomware, steal corporate data, and conduct any manner of cyber espionage.
In recent years, AD attacks have become increasingly easy as a result of open-source tools such as BloodHound and Mimikatz. “Attackers use these tools to identify accounts capable of granting them administrative rights and conduct their attacks in a way that allows them to elevate their privileges,” Crandall explains.
The conventional approach to protecting AD relies on tiered administration and least-privileged access, but that is no longer adequate, Robbins says, because AD is constantly changing, and typical security software only lists misconfigurations rather than fixing anything.
A better approach, Robbins says, involves a framework that continuously maps attack paths to critical assets and identifies choke points that can sever an adversary’s ability to reach critical assets. “The approach can yield a dramatic reduction in exposure to AD attacks,” he says.
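As an added illustration of the attack-path mapping Robbins describes (example code written for this article, not from SpecterOps or any product): a constructed toy directory graph in which low-privileged users are linked to Domain Admins through group membership, local admin rights and a leftover privileged session. It finds each principal's path to the critical asset and ranks intermediate nodes as choke points by how many exposed principals lose every path when that one node is remediated. All principal, group and host names are constructed.

```python
from collections import deque

# Constructed toy directory graph (not real data). An edge means "whoever controls
# <src> can take control of <dst>": MemberOf = group membership, AdminTo = local admin
# on a host, HasSession = host holds a logged-on user's credentials, GenericAll = full control.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("bob", "MemberOf", "Helpdesk"),
    ("dave", "MemberOf", "IT-Ops"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("IT-Ops", "AdminTo", "WS02"),
    ("WS01", "HasSession", "svc_backup"),  # privileged account left logged on
    ("WS02", "HasSession", "svc_backup"),
    ("svc_backup", "GenericAll", "Domain Admins"),
]
SOURCES = {"alice", "bob", "dave"}  # ordinary, low-privileged principals
TARGET = "Domain Admins"            # the critical asset to protect

def build_graph(edges):
    adj = {}  # node -> list of (relationship, next_node)
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj

def shortest_path(adj, src, target, blocked=frozenset()):
    """BFS over abusable edges -> [src, ..., target] or None; `blocked` nodes count as remediated."""
    seen, queue = {src}, deque([[src]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for _rel, nxt in adj.get(path[-1], []):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def exposed_principals(adj, sources, target, blocked=frozenset()):
    """Sources that still have at least one attack path to the target."""
    return {s for s in sources if shortest_path(adj, s, target, blocked)}

def choke_points(adj, sources, target):
    """Rank intermediate nodes by how many exposed principals lose every path when that node alone is fixed."""
    baseline = exposed_principals(adj, sources, target)
    ranked = [(n, len(baseline - exposed_principals(adj, sources, target, {n})))
              for n in set(adj) - set(sources) - {target}]
    return sorted(ranked, key=lambda x: (-x[1], x[0]))

ADJ = build_graph(EDGES)
```

On this graph every path funnels through the `svc_backup` session, so that single node outranks the larger `Helpdesk` group as the remediation that severs all three principals' access at once.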