The challenges of securing Active Directory [Q&A]


As we saw in the recent SolarWinds attack, Active Directory can be exploited as a means of attacking corporate networks.

But why is AD such an attractive target? And why are companies struggling to secure it even though it's hardly a new technology? We spoke to Carolyn Crandall, chief security advocate at Attivo Networks, to find out.

BN: Why is Active Directory difficult to secure -- even though it's been around for decades?

CC: Active Directory (AD) protection is hard to accomplish because the environment is ever-changing. There are so many things IT and security teams must do to secure it, from patching and hardening to cleaning up settings and parameters to reduce exposures. It is a critical part of an organization's network, often described as a CISO's Achilles' heel. Protecting AD is a high-stakes game because any attacker who gains access can cause significant damage, meaning that AD security is a non-optional activity in today's threat landscape.

Since AD constantly changes, there is no easy way to fully understand or keep up with every vulnerability or misconfiguration. The scale of AD is another problem with maintaining its security, but there is also organizational complexity. When determining if an enterprise's AD is healthy, AD admins tend to focus on AD working well in operational terms but may not secure the servers beyond following current best practices.

BN: Why do attackers target AD?

CC: For nine out of ten Fortune 1000 companies, Active Directory is the key to their kingdom. AD is one of the most critical items to prioritize in the quest to protect identities, privileges, and access. CISOs and other security leaders tend to consider AD performance by evaluating whether it delivers accurate and uninterrupted service. They often consider hardening the servers and protecting other aspects of the perimeter as securing AD -- and attackers know this. They also know that AD is the enterprise’s primary authentication and authorization mechanism, making it a high-value and high-priority target.

For a wide-scale attack, cybercriminals need AD control to create persistence or install new objects and backdoors. They can even encrypt AD as a part of a ransomware attack, demanding money in return for normal operations. A majority of ransomware, insider, and advanced attacks now include some form of AD exploitation. Privileged access exploitation is an element in 80 percent of known security breaches.

BN: What is ransomware 2.0, and why is it a threat?

CC: Human-operated 'Ransomware 2.0' attacks are more advanced and complex than standard ransomware. They bypass traditional security controls to gain an initial foothold, conduct network discovery, search AD, move laterally, and identify high-value assets to target by encrypting critical data or taking control of other assets. Detecting this movement is challenging, and many enterprises struggle to detect this covert activity.

As this type of ransomware is human-operated, the attackers can evade traditional endpoint protection or endpoint detection and response products that work by signature matching or behavioral anomaly detection. Once attackers have made it past these defenses, they will have a free run of the network.

BN: How can organizations spot attacks before AD is compromised? How can they take pre-emptive action to guard AD?

CC: The most effective way to prevent criminals from accessing AD is by first removing any exposures or vulnerabilities they can exploit. Organizations can also apply cyber cloaking, misdirection, and deception to derail attackers efficiently during the discovery phase of an attack. Businesses can use advanced concealment technology to cloak AD objects, credentials, files, folders, and shares, thereby denying attackers the ability to find and access data. They can replace actual data with false replicas, directing attackers into an engagement server for threat intelligence gathering.

Additionally, if an organization creates decoy environments or assets, it can fool attackers into engaging with them rather than production assets. Once the decoy environment traps the adversaries, organizations can analyze their behavior and gain valuable intelligence to defend against future attacks. This capability makes it an ideal technology to augment any enterprise’s security setup -- and with more users than ever working from home, these capabilities to detect in-network lateral movement are only growing more critical.

BN: What can organizations do to protect AD?

CC: The first step to building a secure AD is to follow all current best practices -- keeping up with patching, hardening controllers, establishing secure AD policies, etc. CISOs must also check AD for exposures and settings that make them vulnerable to attack. Ensuring one has the correct settings, policies, and configurations will help reduce the risk of successful attacks, such as Kerberoasting -- an AD attack that exploits weak encryption and poor service account password hygiene.

It is also sensible to limit the number of permissions and delegated administrators known as shadow admins, privileged users who are not part of an AD security group and can operate with relative discretion. Identifying and locking down shadow admin accounts and privileged account exposures is essential because they are preferred targets for attackers and can grant criminals the ability to extend their attack while evading detection.

CISOs must also understand the web of permissions and authorizations they have enabled and the entitlements around them. In AD, every object has an access control list to which one can add user accounts. Admins can assign something as simple as the ability to change someone's password to a specific user, but it will not necessarily show up in a group. If attackers gain access to an account with enough permissions, they can elevate their privileges and cover their tracks. It becomes essential to gain visibility of users who have such permissions and limit these accounts to as few as reasonably possible.

Organizations should protect against and detect Golden and Silver Ticket attacks, another path for an attacker to gain domain control. Additionally, they will want to protect against Kerberoasting, DCSync, and DCShadow attacks that are also difficult to identify but have material consequences if they don't prevent or stop them quickly.
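The answer above points at two things that are easy to say and awkward to do by hand: finding the delegated rights that never show up as a group membership (the "shadow admins"), and spotting the rights that matter most, such as password reset on an admin account or replication rights on the domain. The following is an added example, not code from the interview or from Attivo Networks. It is a hypothetical shadow-admin finder that works over a constructed list of access control entries shaped like the records PowerShell's Get-Acl returns from the AD: drive (IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType), together with constructed group memberships; the protected-group list and the sample objects are assumptions. The extended-right GUIDs are the well-known AD schema values, not page-specific data.

```python
"""Hypothetical shadow-admin finder (added example, not from the interview).

Lists principals that hold takeover or sensitive extended rights on privileged
AD objects through individual ACL entries while not being members of any
protected admin group. The ACEs below are a constructed sample shaped like
the entries Get-Acl on the AD: PowerShell drive returns; the group memberships
are constructed too."""

from collections import defaultdict

# Well-known AD schema extended-right GUIDs (not page-specific).
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"      # User-Force-Change-Password
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
ALL_OBJECT_TYPES = "00000000-0000-0000-0000-000000000000"   # ACE applies to every property/right

EXTENDED_RIGHT_LABELS = {
    RESET_PASSWORD: "ResetPassword",
    DS_REPL_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPL_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
}

# Rights that let the trustee take over the object outright.
TAKEOVER_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}

# Groups whose members are expected to hold such rights (assumed list).
PROTECTED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample: group memberships as the directory would report them.
GROUP_MEMBERS = {
    "Domain Admins": {"CORP\\alice"},
    "Enterprise Admins": set(),
    "Administrators": {"CORP\\alice"},
}

# Constructed sample ACEs on a few privileged objects.
SAMPLE_ACES = [
    # Expected: alice is a Domain Admin.
    {"Object": "CN=Domain Admins,CN=Users,DC=corp,DC=example", "IdentityReference": "CORP\\alice",
     "ActiveDirectoryRights": "GenericAll", "ObjectType": ALL_OBJECT_TYPES, "AccessControlType": "Allow"},
    # Shadow admin: a service account can rewrite the DACL of the Domain Admins group.
    {"Object": "CN=Domain Admins,CN=Users,DC=corp,DC=example", "IdentityReference": "CORP\\helpdesk-svc",
     "ActiveDirectoryRights": "WriteDacl", "ObjectType": ALL_OBJECT_TYPES, "AccessControlType": "Allow"},
    # Shadow admin: bob may reset the password of an admin account but sits in no admin group.
    {"Object": "CN=dc-admin,CN=Users,DC=corp,DC=example", "IdentityReference": "CORP\\bob",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectType": RESET_PASSWORD, "AccessControlType": "Allow"},
    # Shadow admin: replication rights on the domain head are what DCSync relies on.
    {"Object": "DC=corp,DC=example", "IdentityReference": "CORP\\backup-svc",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectType": DS_REPL_GET_CHANGES_ALL, "AccessControlType": "Allow"},
    # Harmless: an ordinary property right, and a Deny entry.
    {"Object": "CN=dc-admin,CN=Users,DC=corp,DC=example", "IdentityReference": "CORP\\bob",
     "ActiveDirectoryRights": "ReadProperty, ListChildren", "ObjectType": ALL_OBJECT_TYPES, "AccessControlType": "Allow"},
    {"Object": "DC=corp,DC=example", "IdentityReference": "CORP\\carol",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectType": RESET_PASSWORD, "AccessControlType": "Deny"},
]


def sensitive_right(ace):
    """Return a label if this Allow ACE grants a takeover or sensitive extended right, else None."""
    if ace["AccessControlType"] != "Allow":
        return None
    # Get-Acl renders combined rights as a comma-separated string.
    rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
    takeover = rights & TAKEOVER_RIGHTS
    if takeover:
        return sorted(takeover)[0]
    if "ExtendedRight" in rights:
        # ObjectType narrows the right; the all-zero GUID means every extended right.
        if ace["ObjectType"].lower() == ALL_OBJECT_TYPES:
            return "AllExtendedRights"
        return EXTENDED_RIGHT_LABELS.get(ace["ObjectType"].lower())
    return None


def find_shadow_admins(aces, group_members):
    """Map each trustee outside the protected groups to the sensitive rights it holds."""
    protected = set()
    for group in PROTECTED_GROUPS:
        protected |= group_members.get(group, set())
    findings = defaultdict(list)
    for ace in aces:
        label = sensitive_right(ace)
        if label is None or ace["IdentityReference"] in protected:
            continue
        findings[ace["IdentityReference"]].append((ace["Object"], label))
    return dict(findings)


if __name__ == "__main__":
    for trustee, grants in find_shadow_admins(SAMPLE_ACES, GROUP_MEMBERS).items():
        for obj, label in grants:
            print(f"{trustee}: {label} on {obj}")
```

Against the constructed sample this reports helpdesk-svc, bob and backup-svc and stays silent about alice, whose GenericAll is explained by her Domain Admins membership. In a real directory the membership lookup must be recursive (nested groups) and the ACE list must cover inherited entries as well, otherwise the same delegation hides one level up.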
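Two of the attacks named in this answer leave distinctive traces in the domain controller's Security log, which is what makes them detectable even when they are hard to prevent. Kerberoasting shows up as one account requesting RC4-encrypted service tickets (Event ID 4769, ticket encryption type 0x17) for many different service accounts in a short burst, and DCSync shows up as a non-domain-controller account exercising directory replication rights (Event ID 4662 with the replication extended-right GUIDs). The following detection logic is an added example, not code from the interview or from Attivo Networks; the events are constructed dictionaries carrying only the fields the rules read, and the DC account list, thresholds and allowlist are assumptions to be tuned per environment.

```python
"""Hypothetical detection logic (added example, not from the interview) for two
patterns the text names: Kerberoasting, seen as one account requesting RC4
service tickets for many distinct service accounts in a short window (Event ID
4769), and DCSync, seen as directory replication rights exercised by an account
that is not a domain controller (Event ID 4662). The events are constructed
dictionaries carrying only the fields the rules read."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Replication extended rights (well-known schema GUIDs); DCSync exercises these.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Ticket encryption types in 4769: 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP.
RC4_ETYPES = {"0x17", "0x18"}


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return (requesting user, services) for users that pulled RC4 tickets for
    at least min_services distinct service accounts within one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"].lower() not in RC4_ETYPES:
            continue
        svc = e["ServiceName"]
        # Computer accounts and krbtgt are not Kerberoasting targets; skip them.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), svc))
    alerts = []
    for user, requests in by_user.items():
        requests.sort()
        best = set()
        start = 0
        for i, (t, _) in enumerate(requests):
            # Slide the window start forward until it fits inside `window`.
            while t - requests[start][0] > window:
                start += 1
            in_window = {s for _, s in requests[start:i + 1]}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_services:
            alerts.append((user, sorted(best)))
    return alerts


def detect_dcsync(events, dc_accounts, allowlist=frozenset()):
    """Return (account, replication GUIDs) for 4662 events where a non-DC account
    exercised a replication right; allowlist covers known sync accounts."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        user = e["SubjectUserName"]
        hits = set(GUID_RE.findall(e["Properties"].lower())) & REPLICATION_GUIDS
        if hits and user not in dc_accounts and user not in allowlist:
            alerts.append((user, sorted(hits)))
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Ordinary AES service ticket: ignored.
    {"EventID": 4769, "Time": "2024-01-10T09:00:00", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "svc-web", "TicketEncryptionType": "0x12"},
    # One account, four distinct service accounts, all RC4, inside two minutes.
    {"EventID": 4769, "Time": "2024-01-10T09:01:00", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2024-01-10T09:01:10", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc-web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2024-01-10T09:01:20", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc-backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2024-01-10T09:01:30", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc-report", "TicketEncryptionType": "0x17"},
    # A single RC4 request for a legacy service stays below the threshold.
    {"EventID": 4769, "Time": "2024-01-10T09:05:00", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc-legacy", "TicketEncryptionType": "0x17"},
    # Replication by a domain controller: expected.
    {"EventID": 4662, "Time": "2024-01-10T09:06:00", "SubjectUserName": "DC02$",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Replication by a user account: DCSync pattern.
    {"EventID": 4662, "Time": "2024-01-10T09:07:00", "SubjectUserName": "backup-svc",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

DC_ACCOUNTS = {"DC01$", "DC02$"}  # assumed: the domain's controller computer accounts

if __name__ == "__main__":
    print("Kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("DCSync:", detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS))
```

On the constructed sample the first rule flags jdoe and ignores bob's single request and the AES ticket; the second flags backup-svc and ignores DC02$. Both rules need environment tuning: a domain that still allows RC4 for some services will produce legitimate 0x17 tickets, so the threshold and window are what keep the rule useful, and directory synchronisation accounts (the allowlist parameter) legitimately hold replication rights, which is exactly why the first example's shadow-admin review should confirm that list rather than assume it.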

Image Credit: donscarpo / depositphotos.com

© 1998-2024 BetaNews, Inc. All Rights Reserved.