
In the Hacker's Crosshairs: Active Directory

Organizations Need to Adjust Their Security Strategies to Match Modern Threats 

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, which provides the intruder with “the keys to the kingdom”. By leveraging a “trusted” identity a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks (e.g., the CryptoForHealth Twitter hack) are front-ended by phishing campaigns. In fact, nearly one third of all breaches in the past year involved phishing, according to the 2020 Verizon Data Breach Investigations Report. Once inside the target environment, hackers perform reconnaissance to identify regular IT schedules, security measures, and network traffic flows, and scan the entire IT environment to gain an accurate picture of the network resources, privileged accounts, and services. Domain controllers, Active Directory, and servers are prime reconnaissance targets in the hunt for additional privileged credentials and privileged access.

The Keeper of the Crown Jewels: Active Directory

90 percent of organizations use Active Directory (AD) as their primary store for employee authentication, identity management, and access control in their on-premises environments. However, even for those organizations that have moved their workloads to the cloud, it’s important to understand that cloud identities still depend upon the integrity of on-premises AD, as it is often used as a source to sync to other identity stores. Therefore, an AD compromise can cause a devastating ripple effect across an organization’s identity infrastructure. For example, modifications applied by a threat actor to an on-premises AD can subsequently grant access to much more than just local resources, as the on-premises AD often federates with cloud applications via an external identity provider (e.g., Microsoft® Azure AD), automatically propagating those changes throughout the cloud environment as well.

Ultimately, for attackers, AD is the safe that contains the crown jewels. When threat actors compromise a network, they typically try to elevate their privileges so they can move to more critical systems, access sensitive data, and gain a broader foothold in the environment to maintain persistence. As a result, attacking AD and obtaining administrator-level access is one of the attackers’ chief goals. This is typically done by using tools such as BloodHound, an open-source application used for analyzing the security of Active Directory domains and identifying avenues for escalating access entitlements. Once cyber-attackers have uncovered hidden or complex attack paths that can potentially compromise the security of the network, they often use tools such as Mimikatz to steal the necessary credentials.

Cyber-attacks typically involve more than one compromised credential and often many modifications to AD. However, the end result is often the same – the threat actors gain access to resources anywhere within the logical environment, no matter where it resides. The SolarWinds supply chain attack is a good example of AD’s dual role in protecting an organization’s assets but also providing a launchpad for threat actors at the same time. While AD was not the main vector, several common AD reconnaissance techniques were used to extend the reach of the cyber-attackers.

Protective Measures

Creating a solid perimeter and investing in a well-built security team is still important, but organizations need to adjust their security strategies to match modern threats and focus on identity and credentials. In the context of threat actors exploiting AD to extend their reach into their victim’s network, security practitioners should establish security controls to monitor for and prevent unsanctioned changes within AD itself. The targeting of AD by attackers makes privileged access management (PAM) a vital part of enterprise security. With PAM best practices in place, organizations can use session monitoring, granular access controls, and password vaulting to provide an extra layer of protection for privileged accounts. These protections should be part of a layered approach to security that also involves continuous monitoring of AD for suspicious activity. 
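As an added illustration of the monitoring the paragraph above calls for (example code written for this page, not the author's or any vendor's product), the snippet below flags additions to privileged AD groups in Windows Security events and separates them from changes made by actors on an approved change-process list. The `Key=Value;` record format, the CONTOSO domain, the account names and the privileged-group list are constructed assumptions; the event IDs 4728, 4732 and 4756 are the ones Windows raises for members added to global, local and universal security groups.

```python
from dataclasses import dataclass

# Security event IDs raised when a member is added to a security-enabled
# global (4728), local (4732) or universal (4756) group.
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}

# Groups treated as privileged (assumption: tune to your own tier model).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


@dataclass(frozen=True)
class Alert:
    event_id: int
    group: str
    member: str
    actor: str
    sanctioned: bool  # actor is on the approved change-process list


def parse_event(line):
    """Parse one constructed 'Key=Value;Key=Value' record into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split(";") if "=" in part)


def detect_privileged_changes(lines, sanctioned_actors=frozenset()):
    """Return an Alert for every privileged-group addition found in the records."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev.get("EventID", "").isdigit():
            continue  # malformed or missing ID: skip rather than crash
        event_id = int(ev["EventID"])
        group = ev.get("TargetGroup", "")
        if event_id not in MEMBER_ADDED_EVENTS or group not in PRIVILEGED_GROUPS:
            continue
        actor = ev.get("SubjectUser", "")
        alerts.append(Alert(event_id, group, ev.get("MemberName", ""),
                            actor, actor in sanctioned_actors))
    return alerts


def unsanctioned(alerts):
    """Keep only the changes made outside the approved change process."""
    return [a for a in alerts if not a.sanctioned]


# Constructed sample records (not real logs); CONTOSO is a placeholder domain.
SAMPLE_EVENTS = [
    "EventID=4728;SubjectUser=CONTOSO\\svc-iam;TargetGroup=Domain Admins;MemberName=CN=jdoe,OU=IT,DC=contoso,DC=com",
    "EventID=4728;SubjectUser=CONTOSO\\helpdesk1;TargetGroup=Sales;MemberName=CN=asmith,OU=Sales,DC=contoso,DC=com",
    "EventID=4756;SubjectUser=CONTOSO\\wks-admin;TargetGroup=Enterprise Admins;MemberName=CN=svc-backup,OU=Svc,DC=contoso,DC=com",
    "EventID=4624;SubjectUser=CONTOSO\\jdoe;LogonType=3",
]
```

Running `unsanctioned(detect_privileged_changes(SAMPLE_EVENTS, {"CONTOSO\\svc-iam"}))` on the sample yields a single alert, the Enterprise Admins addition by `wks-admin`, while the Domain Admins change by the sanctioned IAM service account is recorded but not escalated. Real records can be mapped to the same keys from the event's Subject, Group and Member fields.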

To achieve this, it is imperative that organizations:

• Apply a Zero Trust Approach: This assumes that attackers are already inside the network, so no user or request should be trusted unless fully verified, and even then it should be granted only least-privilege access. Security architectures must be structured to address this.

• Establish Multi-Factor Authentication Everywhere: Multi-factor authentication is low-hanging fruit and should be used everywhere privilege is elevated, with access zones reinforcing this defense.

• Utilize Machine Learning for Real-Time Risk Awareness: Machine learning algorithms can monitor privileged user behavior, identify abnormal and high-risk activity, and create alerts to investigate and stop suspicious activity.

Since AD and similar directory services such as IBM Red Hat Directory Server, Apache Directory, and OpenLDAP are prime targets for cyber-attackers trying to steal credentials and deploy ransomware across the network, protecting and monitoring changes to these identity and access management systems should be a priority.

Torsten George is currently a cyber security evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).