SecurityWeek


In the Hacker’s Crosshairs: Active Directory

Organizations Need to Adjust Their Security Strategies to Match Modern Threats 

The easiest way for an attacker to gain access to sensitive data is to compromise an end user's identity and credentials. Things get worse if the stolen identity belongs to a privileged user, whose broader access hands the intruder "the keys to the kingdom". Operating under a trusted identity, an attacker can move through the environment and exfiltrate sensitive data sets without raising any red flags. It is therefore not surprising that most of today's cyber-attacks (e.g., the CryptoForHealth Twitter hack) are front-ended by phishing campaigns; according to the 2020 Verizon Data Breach Investigations Report, nearly one third of all breaches in the past year involved phishing. Once inside the target environment, attackers perform reconnaissance: they learn regular IT schedules, security measures and network traffic flows, and scan the entire IT environment to build an accurate picture of network resources, privileged accounts and services. Domain controllers, Active Directory and servers are prime reconnaissance targets in the hunt for additional privileged credentials and privileged access.

The Keeper of the Crown Jewels: Active Directory

Roughly 90 percent of organizations use Active Directory (AD) as their primary store for employee authentication, identity management and access control in their on-premises environments. Even organizations that have moved workloads to the cloud need to understand that their cloud identities still depend on the integrity of on-premises AD, because AD is commonly the authoritative source that is synchronized to other identity stores. An AD compromise can therefore ripple across an organization's entire identity infrastructure. For example, modifications a threat actor makes to on-premises AD can grant access to far more than local resources: on-premises AD is commonly synchronized to, or federated with, a cloud identity provider such as Microsoft Azure AD, so those changes are automatically propagated to the cloud environment as well.

Ultimately, for attackers, AD is the safe that holds the crown jewels. When threat actors compromise a network, they typically try to elevate their privileges so they can move to more critical systems, access sensitive data and gain a broader foothold from which to maintain persistence. Attacking AD and obtaining domain administrator-level access is therefore one of their chief goals. A common approach uses BloodHound, an open-source tool that collects relationships from an AD domain (group memberships, local administrator rights, active user sessions, object permissions) and graphs them to reveal paths for escalating access entitlements. Once attackers have uncovered hidden or complex attack paths through the domain, they typically use tools such as Mimikatz to steal the credentials needed to walk those paths, for example by dumping them from the memory of a machine on which a more privileged user has an active session.
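The graph search that underlies this kind of attack-path analysis is simple to demonstrate. The following is an added example, not BloodHound's own code: a constructed, hypothetical set of edges using the relationship names BloodHound collects (MemberOf, AdminTo, HasSession, GenericAll), a breadth-first search for the shortest chain of abusable relationships from a compromised principal to Domain Admins, and the defender's inverse question of which principals have any such path. All account, group and host names are made up.

```python
"""Attack-path discovery over an AD-style relationship graph.

Added example, not BloodHound's code. Edges are constructed and hypothetical;
their direction means "source can reach or control target".
"""
from collections import deque

DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"

# Constructed sample graph (source, relationship, target). Hypothetical names.
# "WS01 HasSession BOB" means Bob's credentials are in LSASS memory on WS01,
# which is exactly where an attacker with admin rights on WS01 runs Mimikatz.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "BOB@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "SERVER_OPS@CORP.LOCAL"),
    ("SERVER_OPS@CORP.LOCAL", "GenericAll", DOMAIN_ADMINS),
    ("CAROL@CORP.LOCAL", "MemberOf", "FINANCE@CORP.LOCAL"),
    ("FINANCE@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, next node)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def find_path(edges, start, target):
    """Shortest path from start to target as [(src, rel, dst), ...].

    Returns None when no chain of relationships connects the two nodes.
    """
    graph = build_graph(edges)
    parent = {start: None}           # node -> (previous node, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:    # first visit is the shortest (BFS)
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    path, cur = [], target
    while parent[cur] is not None:
        prev, rel = parent[cur]
        path.append((prev, rel, cur))
        cur = prev
    path.reverse()
    return path


def exposed_principals(edges, target):
    """Defender's view: every node with some path to target (the blast radius)."""
    nodes = {n for e in edges for n in (e[0], e[2])} - {target}
    return sorted(n for n in nodes if find_path(edges, n, target) is not None)


def format_path(path):
    """Render a path as 'A -MemberOf-> B -AdminTo-> C'."""
    if not path:
        return ""
    out = path[0][0]
    for _, rel, dst in path:
        out += f" -{rel}-> {dst}"
    return out


if __name__ == "__main__":
    p = find_path(EDGES, "ALICE@CORP.LOCAL", DOMAIN_ADMINS)
    print(format_path(p))
    print("Exposed:", exposed_principals(EDGES, DOMAIN_ADMINS))
    # Remediation check: drop the dangerous GenericAll ACE and search again.
    fixed = [e for e in EDGES if e[1] != "GenericAll"]
    print("After fix:", find_path(fixed, "ALICE@CORP.LOCAL", DOMAIN_ADMINS))
```

Run from the helpdesk user's perspective, the search finds a five-hop path to Domain Admins that no single permission reveals; the remediation check at the end shows that removing one over-permissive ACE (the GenericAll right held by SERVER_OPS) breaks the whole chain, which is the defender's version of the same analysis.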

Cyber-attacks typically involve more than one compromised credential and often many modifications to AD. The end result, however, is usually the same: the threat actors gain access to resources anywhere in the logical environment, regardless of where they reside. The SolarWinds supply chain attack is a good example of AD's dual role, protecting an organization's assets while at the same time providing a launchpad for threat actors. AD was not the initial vector, but several common AD reconnaissance techniques were used to extend the attackers' reach.

Protective Measures

Building a solid perimeter and investing in a well-staffed security team still matter, but organizations need to adjust their security strategies to match modern threats and focus on identity and credentials. Because threat actors exploit AD to extend their reach into a victim's network, security practitioners should establish controls that monitor for, and prevent, unsanctioned changes within AD itself: additions to privileged groups, changes to access control lists on sensitive objects, and accounts or credentials created outside approved processes. The targeting of AD also makes privileged access management (PAM) a vital part of enterprise security. With PAM best practices in place, organizations can use session monitoring, granular access controls and password vaulting to add a layer of protection for privileged accounts. These protections should be part of a layered approach to security that also involves continuous monitoring of AD for suspicious activity.
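Monitoring for unsanctioned AD changes comes down to policy checks over the directory's own audit trail. The following is an added example, not from the article or any product: constructed, hypothetical Security-log records whose field names mirror the real events (4728, 4732 and 4756 are "member added to a security-enabled global/local/universal group" and carry SubjectUserName for who made the change, TargetUserName for the group and MemberName for the added member's distinguished name; 4720 is "user account created"). The Tier-0 group list is real, but the sanctioned PAM broker account and the 30-minute creation-to-promotion correlation window are assumptions a practitioner would tune to their own environment.

```python
"""Flag unsanctioned additions to privileged AD groups in Security log events.

Added example, not the article's or any vendor's code. Sample events are
constructed; SANCTIONED_ACTORS and the correlation window are assumptions.
"""
from datetime import datetime, timedelta

# Tier-0 groups whose membership changes always deserve scrutiny.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Hypothetical: the only account allowed to change these groups is the PAM
# broker that performs approved, session-recorded elevations.
SANCTIONED_ACTORS = {"svc-pam-broker"}

# Constructed sample events (parsed records, e.g. Get-WinEvent output as JSON).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2023-10-03T02:14:05",
     "SubjectUserName": "jdoe", "TargetUserName": "svc-backup2"},
    {"EventID": 4728, "TimeCreated": "2023-10-03T02:15:40",
     "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup2,CN=Users,DC=corp,DC=local"},
    {"EventID": 4728, "TimeCreated": "2023-10-03T09:00:12",
     "SubjectUserName": "svc-pam-broker", "TargetUserName": "Domain Admins",
     "MemberName": "CN=asmith,OU=Admins,DC=corp,DC=local"},
    {"EventID": 4728, "TimeCreated": "2023-10-03T09:05:00",
     "SubjectUserName": "hr-admin", "TargetUserName": "HR Staff",
     "MemberName": "CN=newhire,CN=Users,DC=corp,DC=local"},
    {"EventID": 4756, "TimeCreated": "2023-10-03T22:47:31",
     "SubjectUserName": "jdoe", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=local"},
]


def member_cn(dn):
    """First RDN value of a DN: 'CN=jdoe,CN=Users,DC=corp,DC=local' -> 'jdoe'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def detect(events, window=timedelta(minutes=30)):
    """Return alerts for privileged-group additions that break policy.

    Events are processed in time order so that a 4720 (account created) can be
    correlated with a later promotion of that same account: a freshly created
    account dropped straight into Domain Admins is a classic backdoor pattern.
    """
    alerts = []
    created = {}  # lower-cased account name -> creation time from 4720
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"].lower()] = ts
            continue
        if ev["EventID"] not in GROUP_ADD_EVENTS:
            continue
        if ev["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue                      # routine group, out of scope here
        actor = ev["SubjectUserName"].lower()
        member = member_cn(ev["MemberName"])
        reasons = []
        if actor not in SANCTIONED_ACTORS:
            reasons.append("unsanctioned actor")
        if actor == member.lower():
            reasons.append("self-elevation")
        born = created.get(member.lower())
        if born is not None and ts - born <= window:
            minutes = int((ts - born).total_seconds() // 60)
            reasons.append(f"promoted {minutes} min after account creation")
        if reasons:
            alerts.append({"time": ev["TimeCreated"], "actor": actor,
                           "group": ev["TargetUserName"], "member": member,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['time']} {a['actor']} added {a['member']} to "
              f"{a['group']}: {', '.join(a['reasons'])}")
```

On the sample data the PAM-brokered addition and the HR group change pass silently, while the two changes made directly by jdoe are flagged (one for promoting a minute-old account, one for adding himself to Enterprise Admins). In production the records would come from every domain controller, for example via Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756} or a SIEM, and a full ruleset would also cover the matching removal events and 5136 (directory object modified) so ACL changes on sensitive objects are caught, not just group membership.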


To achieve this, it is imperative that organizations:

• Apply a Zero Trust Approach: Assume that attackers are already inside the network, so that no user or request is trusted until it has been fully verified, and even then it is granted only least-privilege access. Security architectures must be structured around this assumption.

• Establish Multi-Factor Authentication Everywhere: Multi-factor authentication is low-hanging fruit and should be enforced everywhere privilege is elevated, with access zones reinforcing this defense.

• Utilize Machine Learning for Real-Time Risk Awareness: Machine learning algorithms can monitor privileged user behavior, identify abnormal and high-risk activity, and raise alerts so that suspicious activity can be investigated and stopped.

Because AD and similar directory services such as Red Hat Directory Server, Apache Directory Server and OpenLDAP are prime targets for attackers seeking to steal credentials and deploy ransomware across the network, protecting and monitoring changes to these identity and access management systems should be a priority.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
