Share this article on:
Jim Cook, ANZ regional director at Attivo Networks, examined how cyber criminals are using Active Directory for up to 80 per cent of recent cyber attacks.
During the past few months, a wave of high-profile and damaging cyberattacks has had a detrimental impact on companies and organisations worldwide. In Australia just last month, these have included Parliament House and Nine Entertainment. From small attacks focused on a single target to broad efforts such as the SolarWinds incident and the Exchange attacks, cyber criminals are ramping up their efforts to cause disruption and financial cost to their victims.
The challenge of guarding against these attacks has become more complex due to COVID-19 restrictions. Rather than being protected behind a corporate firewall, personnel are instead having to work from home over inherently insecure network links.
Indeed, the concept of a security perimeter has, in many cases, disappeared altogether. Instead, security teams rely on identity to restrict access and ensure only authorised people can connect with centralised applications and data.
The role of Active Directory
Despite the broad range of different attack types cyber criminals are using, industry research has found a common factor that links more than 80 per cent of them: Active Directory (AD). The Microsoft-developed directory platform is at the heart of more than 90 per cent of Fortune 1000 corporate IT infrastructures and has, over time, become a favoured means for gaining unauthorised access.
The security challenge stems from the fact that some organisations view AD as little more than 'plumbing' to connect infrastructure's various components. As with many operational technologies, the focus is on having it work without service disruption, often to the detriment of its security.
However, in today's world, where remote working has suddenly become the norm, things have changed. The task of managing access is now both more complex and more critical than ever before. As well as centralised resources, organisations must also control access to edge devices and cloud platforms. They require a new and scalable approach.
One approach that growing numbers of security teams are adopting involves automating vulnerability and live attack detection on Active Directory. This strategy is powerful because an undetected exposure can lead to an attacker elevating their privileges, changing security settings, and erasing their tracks. These innovative technologies can detect an attacker's activity during initial observation and discover their presence.
Additionally, because Active Directory is inherently insecure, cyber criminals can use tools to query AD for all the organisation's domain admin accounts. Innovations in Active Directory protection tools can conceal the real AD objects, intercept unauthorised queries, and return deceptive results that misdirect the attacker into a decoy, negating their ability to gather useful data.
From the attacker's perspective, things seem normal, and they may believe they have successfully gained the data they were seeking. However, when the attacker attempts to move laterally through the infrastructure using the fake information they gathered, the security team is prepared for them and ready to watch their next moves.
This approach to AD security is powerful because now the IT security team knows the attacker's tactics, techniques, and procedures (TTPs), and can gather indicators of compromise (IoCs). They can use this intelligence to help prevent future similar attacks.
Active Directory monitoring
Continuous visibility into Active Directory risks and detecting live attacks against it is an essential control for businesses of all sizes. The tools can offer actionable alerting and prompt remediation of dangerous exposures to reduce attack surfaces and lateral attack paths that threat actors could exploit.
The tools also offer live detection for AD attacks such as password spraying, DCSync, DCShadow, Golden Ticket attacks, and other events which are likely to be a sign of an attack on the network. These detections allow security teams to respond to the activities before the attacker can gain access to their chosen goals.
When choosing a tool to deploy that will effectively monitor AD, it's important to look for a range of specific capabilities. These include continuously monitoring AD and providing reliable alerts should it spot any anomalous behaviour.
The tool should also provide actionable alerts for quick remediation of weaknesses before attackers can exploit them, reducing some of the security team's workload and allowing them to focus on urgent activities.
The tool should provide the most effective protection by visibility and monitoring for domain, device, and user exposures across the AD. These will ensure that the security teams spot any attempted attacks as quickly as possible to limit the damage attackers can inflict.
Conclusion
More than 80 per cent of known attacks have leveraged Active Directory. It is possible to monitor and protect AD without having to make changes to the AD infrastructure itself. The two primary ways to do this are by monitoring AD for misconfigurations and attacks in real-time and hiding the information AD contains from attackers who have compromised production systems.
AD and the growing area of cloud entitlements will remain essential IT infrastructure components for many years to come. Therefore, taking time to ensure that identity security is as strong as possible now will help mitigate the risk of attacks in the future.