
Identity & Access

Five Eyes Agencies Release Guidance on Detecting Active Directory Intrusions

Five Eyes cybersecurity agencies have released joint guidance on identifying Active Directory compromises.

Government agencies from the Five Eyes countries have published guidance on techniques that threat actors use to target Active Directory, while also providing recommendations on how to mitigate them.

A widely used authentication and authorization solution for enterprises, Microsoft Active Directory provides multiple services and authentication options for on-premises and cloud-based assets, and represents a valuable target for bad actors, the agencies say.

“Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships, and permissions; support for legacy protocols and a lack of tooling for diagnosing Active Directory security issues. These issues are commonly exploited by malicious actors to compromise Active Directory,” the guidance (PDF) reads.

AD’s attack surface is exceptionally large, mainly because every domain user has enough permissions to enumerate the directory and identify (and exploit) weaknesses, and because the relationships between users and systems are complex and opaque. AD is often exploited by threat actors to take control of enterprise networks and persist within the environment for long periods of time, requiring drastic and costly recovery and remediation.

“Gaining control of Active Directory gives malicious actors privileged access to all systems and users that Active Directory manages. With this privileged access, malicious actors can bypass other controls and access systems, including email and file servers, and critical business applications at will,” the guidance points out.

The top priority for organizations in mitigating the harm of AD compromise, the authoring agencies note, is securing privileged access, which can be achieved by using a tiered model, such as Microsoft’s Enterprise Access Model.

A tiered model ensures that higher-tier users never expose their credentials to lower-tier systems, that lower-tier users can still use services provided by higher tiers, that the hierarchy is enforced for proper control, and that privileged access pathways are secured by minimizing their number and implementing protections and monitoring.

“Implementing Microsoft’s Enterprise Access Model makes many techniques utilized against Active Directory significantly more difficult to execute and renders some of them impossible. Malicious actors will need to resort to more complex and riskier techniques, thereby increasing the likelihood their activities will be detected,” the guidance reads.


The most common AD compromise techniques, the document shows, include Kerberoasting, AS-REP roasting, password spraying, MachineAccountQuota compromise, unconstrained delegation exploitation, GPP passwords compromise, certificate services compromise, Golden Certificate, DCSync, dumping ntds.dit, Golden Ticket, Silver Ticket, Golden SAML, Microsoft Entra Connect compromise, one-way domain trust bypass, SID history compromise, and Skeleton Key.

“Detecting Active Directory compromises can be difficult, time consuming and resource intensive, even for organizations with mature security information and event management (SIEM) and security operations center (SOC) capabilities. This is because many Active Directory compromises exploit legitimate functionality and generate the same events that are generated by normal activity,” the guidance reads.

One effective method of detecting compromises is the use of canary objects in AD. This approach does not rely on correlating event logs or on recognizing the tooling used during the intrusion; instead, any interaction with the canary identifies the compromise itself. Canary objects can help detect Kerberoasting, AS-REP Roasting, and DCSync compromises, the authoring agencies say.
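As an added illustration of the canary approach described above (this is example code, not from the guidance or from SecurityWeek), the snippet below flags any Kerberos ticket activity that names a canary account, running over constructed sample 4768/4769 events; the canary account names and the event records are assumptions. It covers the Kerberoasting and AS-REP roasting cases only, not DCSync.

```python
# Canary-object detection over Windows Kerberos audit events (constructed sample
# data; field names follow the Security log XML for event IDs 4768 and 4769).
# Hypothetical canary accounts: nothing legitimate ever requests tickets for them.
CANARY_SPN_ACCOUNTS = {"svc-canary-sql"}       # has an SPN: bait for Kerberoasting
CANARY_NOPREAUTH_ACCOUNTS = {"canary-legacy"}  # pre-auth disabled: bait for AS-REP roasting

# Constructed sample records, not real telemetry.
EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "fileserver01$",
     "IpAddress": "10.0.1.20", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc-canary-sql",
     "IpAddress": "10.0.1.20", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.1.31", "PreAuthType": "2"},
    {"EventID": 4768, "TargetUserName": "canary-legacy", "IpAddress": "10.0.1.31",
     "PreAuthType": "0"},
]

def _sam(name):
    """Normalise 'svc@REALM' / 'host$' forms to a lowercase SAM-style name."""
    return name.split("@")[0].rstrip("$").lower()

def detect_canary_hits(events, spn_canaries=CANARY_SPN_ACCOUNTS,
                       nopreauth_canaries=CANARY_NOPREAUTH_ACCOUNTS):
    """Return one alert per event touching a canary: the canary is never used
    legitimately, so the request itself is the signal, whatever tool made it."""
    spn_set = {_sam(c) for c in spn_canaries}
    pre_set = {_sam(c) for c in nopreauth_canaries}
    alerts = []
    for ev in events:
        if ev.get("EventID") == 4769 and _sam(ev.get("ServiceName", "")) in spn_set:
            alerts.append({
                "technique": "Kerberoasting",
                "canary": _sam(ev["ServiceName"]),
                "requester": ev.get("TargetUserName"),   # account that asked for the ticket
                "source_ip": ev.get("IpAddress"),
                # 0x17 (RC4-HMAC) is the etype roasting tools prefer; enrichment only
                "rc4_requested": ev.get("TicketEncryptionType") == "0x17",
            })
        elif ev.get("EventID") == 4768 and _sam(ev.get("TargetUserName", "")) in pre_set:
            alerts.append({
                "technique": "AS-REP roasting",
                "canary": _sam(ev["TargetUserName"]),
                "requester": _sam(ev["TargetUserName"]),
                "source_ip": ev.get("IpAddress"),
                # PreAuthType 0 confirms the TGT was issued without pre-authentication
                "no_preauth": ev.get("PreAuthType") == "0",
            })
    return alerts
```

The two benign records in the sample produce no alert; only the two that name a canary do, which is what makes canaries cheap to triage compared with generic 4769 volume.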


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
