By Carolyn Crandall, chief security advocate at Attivo Networks
Nine out of ten businesses in the Global Fortune 1000 use Microsoft’s Active Directory (AD), which launched in the late 90s and is now the standard in identity management. Yet AD has been described as a CISO’s “Achilles’ heel” because attackers target AD in practically every cyber-attack, it is intrinsically insecure, and protecting it is complicated.
So, how can organisations check their AD is in a healthy state and address any issues that might compromise its security?
Securing AD isn’t a simple task because it is constantly changing, and multiple organisations are often responsible for managing different aspects of it. As AD grows, an admin’s job is to make sure it operates efficiently. If you ask an AD admin what a “healthy AD” is, they will say it must function well, with all systems getting online and users getting validated.
For most organisations, the priority is making sure AD stays up and is properly functioning. However, this fails to consider that it changes all the time: new users get added constantly, systems get taken down, and admins create access while provisioning multiple objects simultaneously, all set against a backdrop of increased remote working fuelled by the Covid-19 pandemic.
Conversely, from a security standpoint, a healthy AD is regularly patched, with audits performed on policies and security risks, and is secure both on-premises and in the cloud. Security teams need to know if anyone has made changes to settings or exposures that could leave them open to attacks. Ideally, there will be limited access and the bare minimum number of admin accounts. Unfortunately, the use of group policies and overlapping trusts makes managing to least privileges challenging.
With rapidly evolving attack surfaces, there really is no such thing as a purely “healthy AD” from a security standpoint. It’s always a work in progress.
A complex process
Securing AD is a complex process. It’s important to patch, but CISOs must also check AD for the exposures and settings that make it vulnerable to attack. Ensuring the right settings, policies, and configurations are in place will help prevent threats such as Kerberoasting, an Active Directory attack that exploits weak encryption and poor service account password hygiene.
It is also a good idea to examine and limit permissions and the number of delegated administrators, the so-called “shadow admins”. As part of this effort, CISOs must understand the web of permissions and authorisations they have enabled and the entitlements around them.
Securing AD is not simply about asking who is a member of which security group. In AD, every object has an access control list to which one can add user accounts. Admins can assign something as simple as the ability to change someone’s password to a specific user, but it won’t necessarily show up in a group. With this in mind, it’s essential not to forget exposures such as overlapping permissions and other settings that could open up the organisation to attack.
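To make the point about ACL-granted rights concrete, here is an added example (not code from the article or from Attivo Networks) that walks a set of access control entries and flags principals who hold takeover-class rights on AD objects without belonging to a recognised admin group. The ACEs, group memberships, domain name, distinguished names and the list of “dangerous” rights are all constructed for the example; in practice the entries would be read from each object’s security descriptor rather than from inline literals.

```python
"""Find "shadow admins": principals granted powerful rights directly on AD
objects (or via a nested group) who are not in a recognised admin group.

Added example, not from the article or Attivo Networks. All data below is
constructed sample data for a fictional CONTOSO domain.
"""
from collections import defaultdict

# Rights that let a trustee take over the target outright or reset a user's
# credentials. The names follow the usual AD access-right vocabulary; which
# rights count as dangerous is this example's own choice.
DANGEROUS_RIGHTS = {
    "GenericAll",                  # full control of the object
    "WriteDacl",                   # can rewrite the ACL and grant itself anything
    "WriteOwner",                  # can take ownership, then rewrite the ACL
    "User-Force-Change-Password",  # reset a password without knowing the old one
    "Self-Membership",             # add itself to the target group
}

# Groups whose members are expected to hold such rights (constructed list).
KNOWN_ADMIN_GROUPS = {
    "CONTOSO\\Domain Admins",
    "CONTOSO\\Enterprise Admins",
    "CONTOSO\\Administrators",
}

# Constructed membership: principal -> groups it belongs to directly.
# Groups appear as principals too, so nesting can be followed.
MEMBERSHIP = {
    "CONTOSO\\alice": {"CONTOSO\\Domain Admins"},
    "CONTOSO\\bob": {"CONTOSO\\Helpdesk"},
    "CONTOSO\\svc-backup": {"CONTOSO\\Backup Operators"},
    "CONTOSO\\Domain Admins": set(),
    "CONTOSO\\Helpdesk": set(),
    "CONTOSO\\Tier1-Ops": set(),
    "CONTOSO\\Backup Operators": set(),
}

# Constructed ACEs: (object DN, trustee, right, allow?). The explicit deny on
# svc-backup is there to show that deny entries must not be counted as grants.
ACES = [
    ("CN=Domain Admins,CN=Users,DC=contoso,DC=com", "CONTOSO\\alice", "GenericAll", True),
    ("CN=Domain Admins,CN=Users,DC=contoso,DC=com", "CONTOSO\\bob", "WriteDacl", True),
    ("CN=Carol,OU=Finance,DC=contoso,DC=com", "CONTOSO\\Helpdesk", "User-Force-Change-Password", True),
    ("CN=Carol,OU=Finance,DC=contoso,DC=com", "CONTOSO\\Tier1-Ops", "GenericRead", True),
    ("OU=Servers,DC=contoso,DC=com", "CONTOSO\\svc-backup", "GenericAll", False),
]


def expand_groups(principal, membership):
    """Return every group the principal belongs to, following nested groups."""
    seen, stack = set(), list(membership.get(principal, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(membership.get(group, ()))
    return seen


def find_shadow_admins(aces, membership, admin_groups):
    """Map each non-admin principal to the dangerous rights it effectively holds.

    Each finding is (object DN, right, holder), where holder is the trustee the
    ACE names: the principal itself for a direct grant, or the group through
    which the principal inherits it.
    """
    direct = defaultdict(list)  # trustee -> [(object, right)] for allow ACEs
    for obj, trustee, right, allow in aces:
        if allow and right in DANGEROUS_RIGHTS:
            direct[trustee].append((obj, right))

    findings = defaultdict(list)
    for principal in membership:
        groups = expand_groups(principal, membership)
        if principal in admin_groups or groups & admin_groups:
            continue  # expected to hold admin-level rights; not a shadow admin
        for holder in [principal, *sorted(groups)]:
            for obj, right in direct.get(holder, []):
                findings[principal].append((obj, right, holder))
    return dict(findings)


if __name__ == "__main__":
    for principal, grants in find_shadow_admins(ACES, MEMBERSHIP, KNOWN_ADMIN_GROUPS).items():
        for obj, right, holder in grants:
            via = "directly" if holder == principal else f"via {holder}"
            print(f"{principal}: {right} on {obj} ({via})")
```

Run as a script, the example reports bob twice: once for the WriteDacl entry on the Domain Admins group that he holds directly, and once for the password-reset right he inherits through the Helpdesk group, neither of which would be visible from his group memberships alone. Real ACLs also carry inheritance flags and object-type GUIDs on extended rights, which this example leaves out.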
Yet all these measures may be futile unless the organisation can also detect a live attack targeting Active Directory. Unfortunately, these activities are not easy to discover through logs or periodic assessments.
Attackers often try to gain AD admin rights using open-source tools such as BloodHound to discover the primary leverage point to access a firm’s critical resources. Taking techniques such as this into account, tell-tale signs that businesses can look for include mass changes to AD settings. Things like many passwords getting reset or people getting locked out are likely indicators of a brute force or password spray attack. Using traditional controls to look for such activity is not easy and can be very time-consuming.
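The two tell-tale signs named in this section and the Kerberoasting threat mentioned earlier can both be expressed as simple burst detections over Windows Security events. The following added example (not the article’s or Attivo Networks’ code) runs three such checks over a constructed event stream: one account requesting RC4-encrypted service tickets (event 4769, ticket encryption type 0x17) for many distinct service names, one source address failing authentication (events 4771 and 4625) against many distinct accounts, and a burst of account lockouts (event 4740). The timestamps, account names, addresses and thresholds are all constructed for the example.

```python
"""Burst detections over Windows Security events for AD attack indicators.

Added example, not from the article or Attivo Networks. The event stream is
constructed sample data shaped like the relevant Security log fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2021, 6, 1, 9, 0, 0)  # constructed base timestamp


def ev(minutes, event_id, **fields):
    """Build one constructed event `minutes` after T0."""
    return {"time": T0 + timedelta(minutes=minutes), "id": event_id, **fields}


EVENTS = [
    # Legitimate service-ticket requests: AES (0x12), one SPN at a time.
    ev(0, 4769, account="CONTOSO\\app01", service="MSSQLSvc/db01.contoso.com:1433",
       ticket_enc="0x12", src_ip="10.0.1.10"),
    ev(1, 4769, account="CONTOSO\\app01", service="HTTP/intranet.contoso.com",
       ticket_enc="0x12", src_ip="10.0.1.10"),
    # One account pulling RC4 (0x17) tickets for six different SPNs in two minutes.
    *[ev(0.3 * i, 4769, account="CONTOSO\\jdoe", service=spn, ticket_enc="0x17", src_ip="10.0.0.23")
      for i, spn in enumerate([
          "MSSQLSvc/db01.contoso.com:1433", "MSSQLSvc/db02.contoso.com:1433",
          "HTTP/intranet.contoso.com", "CIFS/files01.contoso.com",
          "ldap/dc01.contoso.com", "exchangeMDB/mail01.contoso.com"])],
    # One source failing Kerberos pre-authentication for twelve accounts in three minutes.
    *[ev(10 + 0.25 * i, 4771, account=f"CONTOSO\\user{i:02d}", src_ip="10.0.0.23") for i in range(12)],
    # A user mistyping their own password a few times: one account, not a spray.
    *[ev(12 + i, 4625, account="CONTOSO\\bob", src_ip="10.0.0.5") for i in range(3)],
    # Lockouts following the spray.
    *[ev(14 + 0.1 * i, 4740, account=f"CONTOSO\\user{i:02d}") for i in range(4)],
]


def distinct_in_window(items, window):
    """Largest number of distinct keys in any `window` that starts at one of the
    (time, key) items. Quadratic, which is fine for a sample of this size."""
    items = sorted(items)
    best = 0
    for i, (t0, _) in enumerate(items):
        keys = {k for t, k in items[i:] if t - t0 <= window}
        best = max(best, len(keys))
    return best


def detect_kerberoasting(events, min_spns=5, window=timedelta(minutes=5)):
    """Accounts that request RC4 service tickets for many distinct SPNs quickly."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e.get("ticket_enc") == "0x17":
            by_account[e["account"]].append((e["time"], e["service"]))
    alerts = {}
    for account, reqs in by_account.items():
        n = distinct_in_window(reqs, window)
        if n >= min_spns:
            alerts[account] = n
    return alerts


def detect_password_spray(events, min_accounts=10, window=timedelta(minutes=10)):
    """Sources whose authentication failures span many distinct accounts."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] in (4625, 4771):
            by_src[e["src_ip"]].append((e["time"], e["account"]))
    alerts = {}
    for src, fails in by_src.items():
        n = distinct_in_window(fails, window)
        if n >= min_accounts:
            alerts[src] = n
    return alerts


def detect_lockout_burst(events, min_accounts=3, window=timedelta(minutes=10)):
    """Number of distinct accounts locked out within one window, or 0 if below threshold."""
    locks = [(e["time"], e["account"]) for e in events if e["id"] == 4740]
    n = distinct_in_window(locks, window)
    return n if n >= min_accounts else 0


if __name__ == "__main__":
    print("Kerberoasting candidates:", detect_kerberoasting(EVENTS))
    print("Password spray sources:", detect_password_spray(EVENTS))
    print("Accounts locked out in burst:", detect_lockout_burst(EVENTS))
```

The thresholds here are placeholders; in a real deployment they should be set from a baseline of normal ticket-request and logon-failure volumes, since a few busy service accounts or a misconfigured application can otherwise trip them. Note also that filtering on RC4 (0x17) only catches Kerberoasting against accounts that still accept RC4 tickets; accounts restricted to AES need a detection based on the distinct-SPN count alone.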
Proactive Derailment
Organisations can significantly mitigate the impact of an attack on AD if they discover it early. They can’t afford to wait for a security control to detect anomalous behaviour, such as the attacker obtaining the information needed to change a security setting, before an alert is triggered. By then the adversaries will have already travelled further downstream and will be able to do much more, including setting up backdoors.
It therefore makes sense to try to prevent adversaries from accessing AD in the first place. Recent innovations in Active Directory defence provide concealment technology to hide and deny access to AD objects. Disinformation can also be used to trick adversaries into decoys, diverting the attacker’s attention to an environment where the security team can gather information for fortifying their defences.
Protecting AD by enforcing least privilege and tiered administration is no longer sufficient; this approach simply doesn’t scale. Especially when one adds in elements such as M&A, cloud adoption, and transient workers, AD becomes a giant hairball that’s impossible to unravel.
While it’s true that there’s no such thing as a completely “healthy” AD, organisations can take steps to protect their environments. In an age of increasingly sophisticated cyber-attacks, organisations should adopt new tools that can identify vulnerabilities and perform AD pen tests continuously. Firms must also go beyond audit logs to identify vulnerabilities and modernise their security programmes with controls for live attack detection.
Securing AD isn’t easy because it involves people, processes, and products. However, with the right tools, complexity can be significantly decreased, detections made earlier, and resource needs reduced. A traditional approach won’t get you there, but that is where recent security innovations have come into play.