
Five Eyes Agencies Release Guidance on Detecting Active Directory Intrusions

Five Eyes cybersecurity agencies have released joint guidance on identifying Active Directory compromises.

Government agencies from the Five Eyes countries have published guidance on techniques that threat actors use to target Active Directory, while also providing recommendations on how to mitigate them.

A widely used authentication and authorization solution for enterprises, Microsoft Active Directory provides multiple services and authentication options for on-premises and cloud-based assets, and represents a valuable target for bad actors, the agencies say.

“Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships and permissions, support for legacy protocols, and a lack of tooling for diagnosing Active Directory security issues. These issues are commonly exploited by malicious actors to compromise Active Directory,” the guidance (PDF) reads.

AD’s attack surface is exceptionally large, mainly because every user has the permissions needed to identify and exploit weaknesses, and because the relationships between users and systems are complex and opaque. Threat actors often exploit it to take control of enterprise networks and persist in the environment for long periods, which then requires drastic and costly recovery and remediation.

“Gaining control of Active Directory gives malicious actors privileged access to all systems and users that Active Directory manages. With this privileged access, malicious actors can bypass other controls and access systems, including email and file servers, and critical business applications at will,” the guidance points out.

The top priority for organizations in mitigating the harm of AD compromise, the authoring agencies note, is securing privileged access, which can be achieved by using a tiered model, such as Microsoft’s Enterprise Access Model.

A tiered model ensures that higher-tier users do not expose their credentials to lower-tier systems, that lower-tier users can still consume services provided by higher tiers, that the hierarchy is enforced for proper control, and that privileged access pathways are secured by minimizing their number and adding protections and monitoring.

“Implementing Microsoft’s Enterprise Access Model makes many techniques utilized against Active Directory significantly more difficult to execute and renders some of them impossible. Malicious actors will need to resort to more complex and riskier techniques, thereby increasing the likelihood their activities will be detected,” the guidance reads.


The most common AD compromise techniques, the document shows, include Kerberoasting, AS-REP roasting, password spraying, MachineAccountQuota compromise, unconstrained delegation exploitation, GPP passwords compromise, certificate services compromise, Golden Certificate, DCSync, dumping ntds.dit, Golden Ticket, Silver Ticket, Golden SAML, Microsoft Entra Connect compromise, one-way domain trust bypass, SID history compromise, and Skeleton Key.

“Detecting Active Directory compromises can be difficult, time consuming and resource intensive, even for organizations with mature security information and event management (SIEM) and security operations center (SOC) capabilities. This is because many Active Directory compromises exploit legitimate functionality and generate the same events that are generated by normal activity,” the guidance reads.

One effective method to detect compromises is the use of canary objects in AD, which do not rely on correlating event logs or on detecting the tooling used during the intrusion, but identify the compromise itself. Canary objects can help detect Kerberoasting, AS-REP Roasting, and DCSync compromises, the authoring agencies say.
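As an added illustration of the canary-object approach (example code, not from the guidance or from SecurityWeek): a small Python detector that flags any Kerberos ticket request naming a canary account, covering the Kerberoasting and AS-REP roasting cases the guidance mentions. The account names, the JSON field layout and the sample events are constructed assumptions; the DCSync case is not covered here.

```python
import json

# Constructed canary objects (assumed names, not from the guidance): an account
# whose SPN no real service uses, and one with Kerberos pre-authentication
# disabled that never logs on. A single request naming either is an alert.
CANARY_SPN_ACCOUNTS = {"svc-sql-legacy"}
CANARY_NOPREAUTH_ACCOUNTS = {"backup-old"}

# Constructed sample records shaped like JSON-exported Security log events.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 4769, "ServiceName": "svc-sql-legacy", "TargetUserName": "jdoe@CORP.LOCAL",
                "IpAddress": "10.0.5.23", "TicketEncryptionType": "0x17"}),
    json.dumps({"EventID": 4769, "ServiceName": "DC01$", "TargetUserName": "jdoe@CORP.LOCAL",
                "IpAddress": "10.0.5.23", "TicketEncryptionType": "0x12"}),
    json.dumps({"EventID": 4768, "TargetUserName": "backup-old", "PreAuthType": "0",
                "IpAddress": "10.0.5.23", "TicketEncryptionType": "0x17"}),
    json.dumps({"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2",
                "IpAddress": "10.0.7.4", "TicketEncryptionType": "0x12"}),
    json.dumps({"EventID": 4769, "ServiceName": "svc-sql-legacy", "TargetUserName": "asmith@CORP.LOCAL",
                "IpAddress": "10.0.9.80", "TicketEncryptionType": "0x17"}),
]

def classify(record):
    """Return an alert dict if the event touches a canary object, else None."""
    ev = json.loads(record)
    eid = ev.get("EventID")
    if eid == 4769:  # TGS-REQ: service ticket requested for an SPN (Kerberoasting path)
        svc = ev.get("ServiceName", "").rstrip("$").lower()
        if svc in CANARY_SPN_ACCOUNTS:
            return {"technique": "Kerberoasting", "canary": svc, "requester": ev.get("TargetUserName"),
                    "source_ip": ev.get("IpAddress"), "etype": ev.get("TicketEncryptionType")}
    elif eid == 4768:  # AS-REQ: TGT requested for a user (AS-REP roasting path)
        user = ev.get("TargetUserName", "").split("@")[0].lower()
        if user in CANARY_NOPREAUTH_ACCOUNTS:
            return {"technique": "AS-REP roasting", "canary": user, "requester": None,
                    "source_ip": ev.get("IpAddress"), "etype": ev.get("TicketEncryptionType")}
    return None

def detect(records):
    """Run every record through classify() and keep only the alerts."""
    return [a for a in map(classify, records) if a is not None]

def sources(alerts):
    """Group the techniques seen per source IP so responders know which host to pull first."""
    by_ip = {}
    for a in alerts:
        by_ip.setdefault(a["source_ip"], []).append(a["technique"])
    return by_ip
```

Because a canary is never legitimately requested, one matching event is enough to alert; no correlation with other logs or baseline of normal activity is needed, which is the property the guidance highlights.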


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
