Guarding against attacks targeting hybrid Active Directory environments [Q&A]
Active Directory (AD) is used by 90 percent of enterprises as the primary source of trust for identity and access. But it can also be a weak link, exploited in many modern cyberattacks.
We spoke to Ran Harel, senior director of product management at Semperis, to explore the challenges in securing a hybrid AD environment and how organizations can best defend this expanded attack surface.
BN: What are Active Directory and Azure Active Directory?
RH: Active Directory (AD) is a Microsoft technology used to manage user accounts, computer systems, and other resources within a network. AD provides centralized authentication and authorization for Windows-based computers and can be used to manage a variety of network resources, such as printers and file servers.
Azure Active Directory (Azure AD) is a cloud-based version of AD that provides identity and access management for cloud-based applications, including Microsoft's own online services such as Office 365 and Microsoft 365. Azure AD can be used to manage and secure access to on-premises, cloud, and hybrid resources, and integrates with a variety of platforms and programming languages.
BN: Why has the jump to cloud-based systems to meet the demands of a hybrid work environment created increased vulnerabilities?
RH: The rapid adoption of cloud-based systems to support hybrid work environments has increased vulnerabilities in several ways:
- Lack of familiarity with cloud security: Many organizations lack the in-house expertise to properly secure cloud-based systems, leading to misconfigurations or oversights that cyberattackers can exploit.
- Increased attack surface: Cloud-based systems often have a larger attack surface than traditional on-premises systems, as they are accessible from anywhere with an internet connection. This can make them more attractive targets for attackers.
- Shared responsibility: With cloud-based systems, the responsibility for security is often shared between the customer and cloud provider. This can lead to confusion about who is responsible for securing specific aspects of the system, resulting in security gaps.
- Data privacy: Organizations might struggle to maintain control over sensitive data that is stored in the cloud and might be vulnerable to unauthorized access or data breaches.
- Dependence on internet connectivity: Cloud-based systems rely on reliable internet connectivity, leaving organizations vulnerable to downtime or data loss during an internet outage.
In short, the shift to cloud-based systems has created new vulnerabilities that must be properly addressed to ensure the security of sensitive information and the continuity of business operations.
BN: What gaps in security are most important for companies to focus on when operating a hybrid environment?
RH: Companies should focus on five critical areas:
- Identity: Proper identity and access management (IAM) involves implementing secure authentication and authorization methods, such as multifactor authentication (MFA), and controlling access to resources based on user roles and responsibilities.
- Network infrastructure: Securing the network infrastructure helps to prevent unauthorized access to resources and data. This includes implementing firewalls, virtual private networks (VPNs), and other security measures to secure both on-premises and cloud-based systems.
- Sensitive data: Protecting sensitive data includes implementing data encryption, backup, and disaster recovery solutions. Controlling access to data through IAM and network security measures is also critical.
- Endpoints: Securing endpoints -- laptops, smartphones, and other devices -- includes implementing antivirus and anti-malware solutions, securing device configurations, and controlling access to corporate resources.
- Applications: Securing applications -- often the primary means of accessing and manipulating sensitive data -- involves implementing security measures such as application firewalls, input validation, and secure coding practices.
By focusing on these potential gaps, companies can better protect sensitive information and ensure the continuity of operations in a hybrid work environment.
BN: What are the typical vectors you are seeing cybercriminals use as a way into an organization's AD?
RH: Cybercriminals often use the following vectors to gain unauthorized access to an organization's AD:
- Phishing attacks: These attacks often involve sending emails that appear to be from a trusted source and that contain malicious links or attachments that install malware on the user's device.
- Malware: Malware, such as viruses, worms, and Trojans, can infect an organization's network and enable cybercriminals to gain access to the organization's AD.
- Weak or compromised passwords: Weak passwords, or the reuse of passwords, can make it easier for cybercriminals to gain access to an organization's AD through brute force attacks.
- Privilege escalation: Cybercriminals can use vulnerabilities in an organization's systems or applications to gain elevated privileges and access to the organization's AD.
- Insiders: Insider threats, whether malicious or accidental, can pose a significant risk to an organization's AD. Such threats can involve employees, contractors, or third-party vendors with access to sensitive information.
By implementing strong security measures such as identity threat detection and response (ITDR), MFA, regular software updates, and employee training on cybersecurity best practices, organizations can reduce the risk of these vectors being used to compromise their AD.
BN: Can you walk us through one of the higher-profile attacks, for example SolarWinds, and what went wrong there?
RH: The SolarWinds attack in 2020 affected multiple government agencies and private organizations. The attackers used a supply chain attack to infiltrate the systems of SolarWinds, a widely used IT management software provider.
The attackers modified the SolarWinds software and distributed the malicious version to customers, who then installed the infected software on their systems. This gave the attackers a backdoor into customer networks, enabling them to carry out further attacks and steal sensitive information.
What went wrong in the SolarWinds attack:
- Supply chain attack: The attackers were able to compromise the software supply chain, which enabled malicious software distribution to thousands of organizations.
- Lack of visibility: Many organizations had inadequate visibility into the activity on their networks, making it difficult to detect the attack and respond in a timely manner.
- Misconfigured systems: Some organizations had misconfigured their systems, which made it easier for the attackers to gain access and persist within the network.
- Slow response: Some organizations took several months to detect the attack, which gave the attackers ample time to exfiltrate sensitive information.
- Underestimation of risk: Many organizations might have underestimated the risk posed by supply chain attacks and failed to implement sufficient measures to protect themselves.
Additional large-scale cyberattacks in recent years have targeted AD, including:
- Microsoft Exchange Server attacks (2021): Multiple zero-day vulnerabilities were discovered in Microsoft Exchange Server. The vulnerabilities enabled attackers to compromise Exchange Servers and access sensitive information, including data stored in AD.
- NetWalker ransomware attacks (2021): The NetWalker ransomware group has targeted multiple organizations, using tactics such as phishing and exploiting vulnerabilities in systems like AD to gain initial access to the target's network.
- Ryuk ransomware attacks (2021): Ryuk ransomware attacks have been a growing threat. The group has been known to target AD to gain access to sensitive information and encryption keys, which can then be used to encrypt an organization's data and demand a ransom payment.
These examples illustrate the need for organizations to continuously monitor and secure their AD and other identity infrastructure with ITDR solutions, and to implement robust security measures to protect against malicious attacks against their users, systems, and networks.
BN: How can IT professionals transition from on-prem to cloud in the most secure way?
RH: IT professionals can transition from on-prem to cloud in a secure way by following these best practices:
- Plan and assess: Start by planning the transition, including identifying the workloads to move, determining the necessary resources, and establishing the migration timeline. Assess the security requirements and perform a risk analysis to identify any potential security threats.
- Secure your cloud environment: Implement security measures -- such as network segmentation, IAM, and data encryption -- to secure the cloud environment. Use security tools and services such as ITDR to continuously monitor and secure your environment.
- Manage access and permissions: Implement role-based access control (RBAC) to manage user permissions. Ensure that only authorized users have access to sensitive data and resources. Implement MFA to enhance security.
- Implement a disaster recovery plan: Ensure that you have a disaster recovery plan in place to restore systems and data in the event of a failure or data loss. This plan might include backing up data and implementing disaster recovery as a service. Regularly test the plan.
- Monitor and audit: Continuously monitor your cloud environment for unusual activity, and audit your security logs and events to detect any potential security incidents. Respond promptly to any security incidents and implement appropriate countermeasures.
By following these best practices, IT professionals can ensure a secure transition from on-prem to cloud and reduce the risk of security incidents and data breaches.