MICROSOFT ACTIVE DIRECTORY (AD) is a mission-critical tool for managing systems and identities, yet it also presents enormous security risks. Since AD is the foundation of a vast majority of networks, it “isn’t going away soon,” says Andy Robbins, technical architect at security consulting firm Specter Ops. Therefore, there’s an opportunity for channel pros to help clients better protect their AD framework.
“Active Directory lacks intrinsic security,” says Carolyn Crandall, chief security advocate at security firm Attivo Networks. “It is viewed as a high-value target for attackers because exploiting it can unlock every account, server, and other valuable data.”
Andy Robbins
Indeed, approximately 95 million attacks on Active Directory occur daily, with privileged access used for 80% of all attacks, Crandall points out. What’s more, Attivo Networks found that fully half of surveyed organizations have experienced an AD attack in the last two years, and 40% of those attacks were successful.
“All of this can disrupt a business’s operations, financials, leadership, and brand,” says Robbins.
A lack of visibility into how privileges are assigned to any principal—including users, computers, and groups—means that insecure configurations are common, and overprovisioning is a chronic problem. “While Azure AD and other Directory Services are available and continue to grow, these too suffer from the same lack of visibility and attack path risk,” Robbins adds. (Attack paths are chains of abusable privileges and user behaviors that indirectly connect computers and users.)
Once an attacker has gained admin rights, they can wend their way through systems because seemingly low-privileged users frequently link to critical assets within the organization. Intruders can then launch ransomware, steal corporate data, and conduct any manner of cyber espionage.
In recent years, AD attacks have become increasingly easy as a result of open-source tools such as Bloodhound and Mimikatz. “Attackers use these tools to identify accounts capable of granting them administrative rights and conduct their attacks in a way that allows them to elevate their privileges,” Crandall explains.
Getting Defensive
The conventional approach to protecting AD relies on tiered administration and least-privileged access, but that is no longer adequate, Robbins says, because AD is constantly changing, and typical security software only lists misconfigurations rather than fixing anything.
A better approach, Robbins says, involves a framework that continuously maps attack paths to critical assets and identifies choke points that can sever an adversary’s ability to reach critical assets. “The approach can yield a dramatic reduction in exposure to AD attacks,” he says.
Crandall suggests elevating AD to a top-of-list security item. This means moving beyond periodic audits and point-in-time snapshots and gaining real-time visibility into the network. “Trying to do this through logs and a SIEM will be a significant resource drain and generate too many false positives to be effective. Relying only on built-in tools from Microsoft is also bound to leave your organizations with blind spots for attackers to leverage,” she says.
Instead, Crandall recommends a three-pronged approach: Identify overprovisioning of entitlements to users and nonhuman users; find and remediate privileged account exposures, including orphaned accounts with administrative credentials; and adopt technology that delivers an alert when live attack activity is occurring on AD.
This three-pronged framework will ensure that the organization will receive alerts on mass account lockouts, disables, and deletions; suspicious password changes on service or sensitive accounts; and suspicious password changes related to mass password resets and changes, Crandall says. “It will also detect brute force password spray attacks, suspicious service creation on a domain controller, and DCShadow attacks [when intruders register a rogue AD domain controller to inject malicious objects to other domain controllers that are part of the same AD infrastructure] that can be very difficult to spot.”
For channel pros seeking to help customers protect AD, Crandall has some advice: “Businesses truly looking to cover this security gap will need to look beyond endpoint detection [and] response in order to elevate their defense.”
Image: iStock
