Despite Active Directory’s critical role in today’s IT infrastructure, CISOs rarely list protecting it as a top priority. They assume that policy management and periodic audits are sufficient to cover it, and too often, it fades into the background as part of the plumbing — something they just expect to function as it should. Active Directory (AD) is a solution businesses use to set and control privileges and permissions, which means ease of access and operations are essential. Unfortunately, constant changes and continuing growth make it complex to protect.
By Carolyn Crandall, Chief Security Advocate, and CMO, Attivo Networks
Stolen credentials are on the rise, and privileged access is a factor in the majority of cyberattacks. With more and more cybercriminals looking to move laterally within the network and escalate their privileges, AD represents an increasingly high-value target. The complexity of securing AD and the growing frequency with which attackers target it means that CISOs can no longer view it as a backburner item — its security is now a CISO-level concern.
The Complexity of Securing Active Directory
Over 95 million Active Directory accounts are under attack every day, demonstrating the frequency that cybercriminals attempt to compromise AD to acquire additional permissions and escalate their attacks. AD is a “master key” that manages permissions across the enterprise, and — unfortunately — access control is no simple matter. Overprovisioning is common, especially in group policies, and legacy permissions can be difficult to track. Orphaned credentials are an issue that can be hard to gain visibility into, and mergers and acquisitions can add further complexity, as merging disparate user groups and assets are often challenging. Security teams commonly lack visibility into AD changes, making it challenging to protect what they can’t see.
More than Just Plumbing
More than 90% of Global Fortune 1000 organizations use AD for authentication, identity management, and access control. Unfortunately, AD configurations become increasingly complex over time, resulting in overprovisioning and errors. The addition of temporary workers, mergers and acquisitions, and third-party vendors that need some level of access compounds the situation. In addition, the number of users, devices, and applications accessing company networks is growing every day, and today’s networks now extend from the endpoint to the cloud.
Privileged access covers credentials, databases, infrastructure, and network devices. AD touches all of these areas, which is why attackers see AD as the ultimate prize, granting them access to the rest of the network. Whether they aim to gather passwords via a DCSync attack, push changes to AD ACLs and settings via a DCShadow attack, or create anything with a Golden Ticket attack, AD is a high-value target for attackers.
Given its role in maintaining operations and allowing employees to do their work efficiently, losing control of Active Directory can cause everything from a small to complete disruption of service.
Active Directory Attacks Can Cause Serious Damage
Privileged access abuse is a factor in 80% of known security breaches, including the recent highly damaging SolarWinds and Microsoft breaches. If attackers compromise AD, they can use stolen credentials—or escalate privileges for credentials they already possess — to move laterally throughout the network. Once an attacker has “domain administrator” control of AD, an attack becomes highly difficult to stop and can require extreme measures to restore the AD environment to a non-compromised status.
Third-party attacks like the SolarWinds breach highlight how attackers can bypass perimeter defenses. In this case, modified SolarWinds products provided attackers with a backdoor into numerous company networks — circumventing any perimeter protections those organizations may have in place. Without in-network defenses, there is little to stop attackers from making a beeline for AD — and with the average cost of a data breach now at nearly $4 million, an attack that compromises AD will almost certainly be an expensive one. Payout demands for ransomware breaches, almost all of which use AD as an element of their attack, have climbed to record-breaking heights. In mid-March, PC giant Acer was hit by a $50 million ransomware attack, demanding the highest known ransom to date.
How CISOs Can Change Their Thinking
Identifying the right metrics can be a challenge for CISOs. When talking to a company board, they often feel compelled to focus on metrics like intrusion attempts, incident rates, response times, and other numbers, which, while important, do not tell the whole story. Additional metrics like excess privilege exposures can help contextualize the threat to AD and the network at large. These metrics may take some further explaining, but they provide a more comprehensive picture of network health and security.
Attackers tend to leverage many things during attacks. First, they prey on endpoints and users. They will next attempt to compromise the endpoint, then focus on local privilege escalation. Inside the network, they will conduct network and AD reconnaissance and then focus on attacking AD. Attackers always seek greater privileges, but many security teams rely on SIEMs and AD monitoring solutions, which are inefficient and only useful after an incident has occurred. And while maintaining AD privileges and policies is table stakes, it will not stop an attacker already in possession of privileged account credentials from accessing valuable assets.
Given what we know about how attackers operate, CISOs must pay more attention to lateral movement and identity protection and entitlement than to authentication and authorization. With greater visibility into potential threat paths and exposures, security teams can remediate issues and set traps for would-be attackers by hiding real AD objects and seeding the network with false ones. Rather than identifying signs of an attack after it has taken place, CISOs can enable their security teams to take a more proactive approach, tricking attackers into giving themselves away before they can escalate their attacks.
Making AD a Top-Level Priority
Attackers today view AD as an easy target, in part because organizations consider it protected by the perimeter, policies, and log management, which savvy attackers have proven they can repeatedly defeat. By shifting their attention to vulnerability visibility, lateral movement, and privilege escalation detection, CISOs can make life much more difficult for attackers and prevent minor incursions from becoming full-scale breaches. By recognizing that AD has become an attack vector of choice, CISOs can more effectively protect their networks from today’s most damaging attack tactics.
About the Author
Carolyn Crandall holds the roles of Chief Security Advocate and CMO at Attivo Networks. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate. Crandall has received many industry recognitions including Top 25 Women in Cybersecurity 2019 by Cyber Defense Magazine, Reboot Leadership Honoree (CIO/C-Suite) 2018 by SC Media, Marketing Hall of Femme Honoree 2018 by DMN, Business Woman of the Year 2018 by CEO Today Magazine, Cyber Security Marketer of the Year 2020 by CyberDojo (RSA), and for 9 years a Power Woman by Everything Channel (CRN).
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.