The threat of ransomware through Active Directory [Q&A]
Ransomware has hit the headlines in recent months, with attacks on infrastructure and supply chains shutting down operations. But ransomware has the potential to be even more devastating when it spreads through Active Directory, and the SolarWinds attack demonstrated how much reach an intruder gains once AD is compromised.
We talked to Derek Melber, chief technology and security strategist at Tenable, to find out more about AD attacks and how to combat them.
BN: Why is gaining access to AD so potentially devastating?
DM: Active Directory is used by almost every major enterprise (90 percent of the Fortune 1000) to authenticate employees' entry into company networks and manage access and privileges internally. It is also the cornerstone of cloud adoption: Covid-19 has dramatically increased the pace of enterprise cloud adoption, and at the center of these initiatives is AD. The typical AD environment includes thousands of potential permissions and configurations, many of which might be misconfigured, for every individual user in an enterprise, meaning at scale, it's near-impossible to secure AD manually.
That's why the largest recent security incidents (SolarWinds, MSFT Exchange, the Zerologon and ProxyLogon vulnerabilities) all have one common denominator: Active Directory. It has proven to be a popular attack vector for threat actors who leverage it to gain entry into corporate networks, move laterally, and escalate privileges, eventually owning and wreaking havoc on an organization's entire IT infrastructure. With AD, bad actors don't just gain the keys to the kingdom -- they're given the full blueprint.
With this blueprint, adversaries can elevate privileges, move laterally, install malware, exfiltrate data, establish persistent backdoor access and more. Even further, attackers only need to compromise one machine in a network to have the ability to enumerate Active Directory. From there, they can leapfrog between accounts until they get administrative privileges, and then pose as legitimate IT users, authenticate using valid credentials, create new accounts and change user access controls -- all without being detected because they appear to be legitimate, trusted users.
BN: How do ransomware attacks escalate when Active Directory is involved?
DM: Regardless of the entry point being targeted, Active Directory is almost always involved as a next step in a ransomware attack. Time after time, we see Active Directory leveraged to move laterally and gain privileges in order to deploy ransomware. We see, in many cases, that attacks will ensure AD is involved; if it is not, the attack will look for devices that are included in AD. For example, RYUK and XingLocker (a variant of MountLocker) specifically need Active Directory in order to be deployed. Attackers know how to analyze Active Directory, and therefore rely on it for a successful breach or malware deployment. We saw this play out with the Norsk Hydro cyberattack in 2019, when ransomware that started in a US plant spread to other facilities, forcing a switch to manual processes. The aluminum giant estimated losses at somewhere between $90 and $110 million.
BN: Why does Active Directory get overlooked as a threat vector, and why is it so difficult to secure?
DM: Despite AD attacks peaking in popularity, AD isn't widely on CISOs' radars because it's generally viewed as part of the IT domain rather than security. In addition, Active Directory is incredibly complex and typically under-managed as a result. It’s a herculean task to keep on top of all the administrators, systems, user and email accounts, groups and trust relationships. The directory also is constantly changing through day-to-day operations, making it even harder to manage. Even further, small organizations may not have the resources or know-how to keep pace with Active Directory security, while larger organizations are overwhelmed by the size of AD itself.
BN: What are the common types of AD misconfigurations typically found in organizations?
DM: Configuration issues and common security issues are the two main AD risks in most organizations. Some of these common misconfigurations include:
• Too many users assigned to privileged groups -- One of the most common mistakes affecting AD is when administrators add users to privileged groups. With Domain Admin privileges, a user can modify settings in AD, including adding and removing users, as well as modifying account permissions. But even deeper, tracking down nested groups and what privileges each level has along the way can be very complex, if not impossible.
• Service accounts configured as Domain Admins -- An administrator is unlikely to review logs to track the use of a service account, meaning an attacker who successfully compromises a service account may be able to infiltrate a network for weeks or months before suspicious activity is ever discovered.
• Password policy issues -- These configurations can be abused through password spraying attacks, in which an attacker attempts to obtain users' passwords using a small list of common passwords against every account.
• Weak password encryption -- An attacker with the ability to access an Active Directory Database file located on a domain controller could attempt to decrypt the password hashes.
• Inactive domain accounts -- Attackers are acutely aware of the presence of inactive accounts, so they will often aim to uncover these accounts as they navigate through your network, leveraging them for malicious use since they are unlikely to be regularly audited or actively monitored.
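The five misconfiguration classes above can all be read directly out of the directory. The following PowerShell audit is an added example, not part of the interview and not Tenable's tooling; it uses the RSAT ActiveDirectory module and assumes the caller can read the directory. The privileged group list, the 14-character minimum and the 90-day inactivity threshold are illustrative and should be tuned per environment.

```powershell
# Added example (not from the interview or Tenable's tooling): an audit of the five
# misconfiguration classes listed above, using the RSAT ActiveDirectory module.
# Assumptions: the caller can read the directory; the group list, the 14-character
# minimum and the 90-day inactivity threshold are illustrative.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Object, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}

# 1. Privileged group membership, flattened through nested groups (-Recursive
#    returns the leaf users/computers, so nesting cannot hide a member).
$PrivilegedSids = @()
foreach ($Group in $PrivilegedGroups) {
    foreach ($m in (Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue)) {
        $PrivilegedSids += $m.SID.Value
        Add-Finding 'PrivilegedMember' $m.SamAccountName "member of '$Group' ($($m.objectClass))"
    }
}

# 2. Service accounts (any account carrying an SPN) that are also privileged:
#    any domain user can request a ticket encrypted under their password, and
#    nobody reads their logs.
Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties ServicePrincipalName |
    Where-Object { $PrivilegedSids -contains $_.SID.Value } |
    ForEach-Object { Add-Finding 'PrivilegedServiceAccount' $_.SamAccountName ($_.ServicePrincipalName -join '; ') }

# 3. Password policy: weak domain defaults, and accounts exempted from needing a password.
$Policy = Get-ADDefaultDomainPasswordPolicy
if ($Policy.MinPasswordLength -lt 14) {
    Add-Finding 'PasswordPolicy' 'Default Domain Policy' "MinPasswordLength=$($Policy.MinPasswordLength)"
}
if ($Policy.LockoutThreshold -eq 0) {
    Add-Finding 'PasswordPolicy' 'Default Domain Policy' 'LockoutThreshold=0 (no lockout at all)'
}
Get-ADUser -Filter 'PasswordNotRequired -eq $true -and Enabled -eq $true' |
    ForEach-Object { Add-Finding 'PasswordNotRequired' $_.SamAccountName 'UF_PASSWD_NOTREQD set; blank password allowed' }

# 4. Weak password storage, read straight from userAccountControl bits:
#    0x80 (128) = store password with reversible encryption,
#    0x200000 (2097152) = DES-only Kerberos keys.
$WeakStorageFilter = '(|(userAccountControl:1.2.840.113556.1.4.803:=128)(userAccountControl:1.2.840.113556.1.4.803:=2097152))'
Get-ADUser -LDAPFilter $WeakStorageFilter |
    ForEach-Object { Add-Finding 'WeakPasswordStorage' $_.SamAccountName 'reversible encryption or DES-only keys' }

# 5. Enabled accounts with no logon for 90 days.
Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays(90)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Add-Finding 'InactiveEnabledAccount' $_.SamAccountName "last logon $($_.LastLogonDate)" }

$Findings | Sort-Object Check, Object | Format-Table -AutoSize
$Findings | Export-Csv -Path .\ad-misconfig-audit.csv -NoTypeInformation
```

Two caveats for real runs: Get-ADGroupMember -Recursive can fail on very large groups, in which case walk memberOf from the user side instead, and the inactivity check relies on LastLogonDate, which is replicated only to within about two weeks of the true last logon.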
BN: How can you spot potentially malicious activity on your AD infrastructure?
DM: There are two different aspects of monitoring for malicious activity in AD. First, attackers will exploit existing configurations in an attempt to impersonate an account or use a privileged account to make modifications that can then be exploited. These changes can look like normal behavior, so having the ability to detect changes that can lead to an exploit is paramount.
Second, attacks -- both basic and advanced -- need to be monitored. Simpler attacks, such as password spraying and brute force against passwords, need to be constantly monitored. More advanced attacks such as DCSync, DCShadow and Golden Ticket attacks are extremely difficult to detect, but need to be addressed as soon as possible so they don't allow for privilege escalation or backdooring.
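As an added example that is not part of the interview or of Tenable's products, here is detection logic for two of the attack classes just named, a DCSync request and a password spray, run over constructed sample Security-log events. It assumes events have been flattened to objects with Id, Time, Subject, Target, Source and Detail fields (ConvertFrom-SecurityEvent shows how to build those from Get-WinEvent), and that only the listed machine accounts legitimately replicate the directory.

```powershell
# Added example (not from the interview or Tenable's tooling): detection logic
# for DCSync (event 4662 asking for replication rights) and password spraying
# (many distinct target accounts failing from one source), run over constructed
# sample events. The DC names below are assumptions.

# Control-access rights that a 4662 on the domain object lists when an account
# asks to replicate directory changes, which is exactly what DCSync does.
$ReplicationRightGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)
$KnownReplicators = @('DC01$', 'DC02$')      # assumption: the accounts allowed to replicate

function ConvertFrom-SecurityEvent {
    # Flattens a live Security-log record (from Get-WinEvent) into the shape used below.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Id      = $Record.Id
            Time    = $Record.TimeCreated
            Subject = $d['SubjectUserName']
            Target  = $d['TargetUserName']
            Source  = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['WorkstationName'] }
            Detail  = if ($d['Properties']) { $d['Properties'] } else { '' }
        }
    }
}

function Find-DCSync {
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.Id -ne 4662 -or $e.Subject -in $KnownReplicators) { continue }
        $asksForReplication = $false
        foreach ($g in $ReplicationRightGuids) {
            if ($e.Detail -match [regex]::Escape($g)) { $asksForReplication = $true }
        }
        if ($asksForReplication) {
            [pscustomobject]@{ Alert = 'DCSync'; Time = $e.Time; Actor = $e.Subject; Evidence = $e.Detail }
        }
    }
}

function Find-PasswordSpray {
    param([object[]]$Events, [int]$MinDistinctTargets = 10, [int]$WindowMinutes = 10)
    $winTicks = [timespan]::FromMinutes($WindowMinutes).Ticks
    $failures = $Events | Where-Object { $_.Id -in @(4625, 4771) }   # NTLM/interactive and Kerberos pre-auth failures
    foreach ($bySource in ($failures | Group-Object Source)) {
        $bucket = @{}                                                # fixed window -> set of distinct target accounts
        foreach ($e in $bySource.Group) {
            $slot = [long][math]::Floor($e.Time.Ticks / $winTicks)
            if (-not $bucket.ContainsKey($slot)) { $bucket[$slot] = [System.Collections.Generic.HashSet[string]]::new() }
            [void]$bucket[$slot].Add($e.Target)
        }
        foreach ($slot in $bucket.Keys) {
            if ($bucket[$slot].Count -ge $MinDistinctTargets) {
                [pscustomobject]@{
                    Alert    = 'PasswordSpray'
                    Time     = [datetime]::new($slot * $winTicks)
                    Actor    = $bySource.Name
                    Evidence = "$($bucket[$slot].Count) distinct accounts failed within $WindowMinutes min"
                }
            }
        }
    }
}

# Constructed sample events (not real log data): one legitimate DC replication,
# one DCSync from a service account, a 12-account spray from 10.0.0.57, and a
# single user mistyping a password three times, which must not alert.
$t0 = Get-Date '2021-06-01 09:00:00'
$Sample = @(
    [pscustomobject]@{ Id = 4662; Time = $t0;               Subject = 'DC02$';      Target = ''; Source = '10.0.0.2';  Detail = '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id = 4662; Time = $t0.AddMinutes(1); Subject = 'svc-backup'; Target = ''; Source = '10.0.0.57'; Detail = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
)
foreach ($i in 1..12) {
    $Sample += [pscustomobject]@{ Id = 4625; Time = $t0.AddSeconds(30 * $i); Subject = ''; Target = "user$i"; Source = '10.0.0.57'; Detail = '' }
}
foreach ($i in 1..3) {
    $Sample += [pscustomobject]@{ Id = 4771; Time = $t0.AddSeconds(10 * $i); Subject = ''; Target = 'jsmith'; Source = '10.0.0.90'; Detail = '' }
}

$Alerts = @(Find-DCSync -Events $Sample) + @(Find-PasswordSpray -Events $Sample)
$Alerts | Format-Table -AutoSize
# Live use: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662,4625,4771} |
#           ConvertFrom-SecurityEvent | ForEach-Object { $_ } | ... feed the same two functions
```

On the sample data this yields exactly two alerts: DCSync by svc-backup and a spray from 10.0.0.57; jsmith's three failures stay below the threshold. Three practical points: 4662 is only written when the Directory Service Access audit subcategory is enabled on the domain controllers, so confirm that first; the allow-list must include any account that replicates by design (Azure AD Connect's synchronization account does, for password hash sync); and the fixed time buckets can split a slow spray across two windows, so a production rule should use a sliding window or a longer one.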
BN: What action should you take if you do suspect an attack?
DM: Since information can be sent directly into the SOC, as well as via email to the entire IT staff, any and all attacks that are detected need immediate attention. Quick reactions can help prevent the attack from succeeding, so quick detection and alerting go hand-in-hand. Once an attack is detected, all accounts and settings surrounding the attack need to be addressed and if need be, accounts disabled.
BN: What can enterprises do to protect their AD infrastructure?
DM: The first step to keeping Active Directory secure is to ensure all aspects of AD that can be compromised are properly secured. This includes users, attributes, groups, group members, permissions, trusts, Group Policy related settings, user rights, and much more. A good example would be to require strong authentication on service accounts and actively manage the groups they are in. Part of this means mandating multi-factor authentication for all users. Enforce the principle of least privilege across all endpoints to prevent lateral movement, blocking default administration, denying access from a built-in local administrator account and avoiding many of the built-in groups, which have too many permissions. Also use LAPS, Microsoft's local administrator password solution that enables local admin account passwords to be randomly generated and controlled by AD itself.
It's also important to understand and maintain the structure within Active Directory so only active and authorized users and devices have access. Clean up the forest and domains in your network and limit the number of privileged users, administrative accounts and permissions to AD and group policy.
Routine maintenance and good security hygiene aren't glamorous, but they're crucial, especially with Active Directory. Use technology that continuously analyzes AD changes for security vulnerabilities and weak configurations. Monitor events in Active Directory for unauthorized and/or malicious behaviors that could indicate signs of attack. And finally, deploy software updates as soon as possible.
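Deploying LAPS is only half the job; the hygiene point above also means verifying that every enabled computer is actually under it, since a single unmanaged machine with a shared local Administrator password is enough for lateral movement. The following coverage check is an added example, not part of the interview or of Tenable's products. It assumes that legacy LAPS records a rotation in ms-Mcs-AdmPwdExpirationTime and Windows LAPS in msLAPS-PasswordExpirationTime, so a computer with neither has never been onboarded, and it checks the schema before asking for either attribute so it runs whichever LAPS flavour the domain has.

```powershell
# Added example (not from the interview or Tenable's tooling): report which
# enabled computers have no LAPS-managed local Administrator password.
# Assumptions: legacy LAPS sets ms-Mcs-AdmPwdExpirationTime and Windows LAPS
# sets msLAPS-PasswordExpirationTime once a machine has rotated its password;
# both are FILETIME integers. The search base defaults to the whole domain.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Only request attributes that exist in this forest's schema; asking for an
    # attribute the schema lacks makes Get-ADComputer fail outright.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attrs = @('OperatingSystem', 'LastLogonDate')
    foreach ($a in 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime') {
        if (Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$a)") { $attrs += $a }
    }

    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $attrs |
        ForEach-Object {
            $legacy  = $_.'ms-Mcs-AdmPwdExpirationTime'
            $windows = $_.'msLAPS-PasswordExpirationTime'
            $expiry  = if ($windows) { [datetime]::FromFileTime([long]$windows) }
                       elseif ($legacy) { [datetime]::FromFileTime([long]$legacy) }
                       else { $null }
            [pscustomobject]@{
                Computer        = $_.Name
                OS              = $_.OperatingSystem
                LastLogonDate   = $_.LastLogonDate
                LapsManaged     = [bool]$expiry
                PasswordExpires = $expiry
                RotationOverdue = [bool]($expiry -and $expiry -lt (Get-Date))   # client has stopped rotating
            }
        }
}

$Coverage = Get-LapsCoverage
$Coverage | Group-Object LapsManaged | Select-Object @{n='LapsManaged';e={$_.Name}}, Count | Format-Table -AutoSize
# The list to act on: enabled machines with no LAPS password, plus machines whose
# rotation is overdue (the client is installed but not running).
$Coverage | Where-Object { -not $_.LapsManaged -or $_.RotationOverdue } |
    Sort-Object LapsManaged, Computer | Format-Table -AutoSize
```

Two things to watch: reading the password attributes themselves (ms-Mcs-AdmPwd, msLAPS-Password) is deliberately not done here, since the expiration timestamp is enough to prove coverage and is readable without the password-retrieval permission; and an unmanaged machine that also has a stale LastLogonDate is usually a disposal candidate rather than a LAPS onboarding candidate, which is the same clean-up the interview calls for.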