The challenges of securing Active Directory [Q&A]

Microsoft Active Directory is used by a majority of the world’s organizations. But cyberattacks and misconfigurations targeting AD have surged in recent years, leading to critical outages and data loss.

We spoke to Bob Bobel, CEO of Cayosoft, about how to address critical weaknesses in enterprise infrastructure associated with Microsoft Directory services.

BN: How important is Active Directory to an organization's tech infrastructure?

BB: If Microsoft Active Directory (AD) suffers an outage, all business stops. It's that critical. Active Directory is a core system used by nearly every organization to manage user permissions and access to all networked resources, which includes other core systems, applications for business operations, sensitive IP, and customer information. In other words, AD represents both the keys to the kingdom and the treasure map leading to an organization's most valuable assets.

BN: What challenges do organizations face in securing their Active Directory infrastructure? Why is Active Directory so attractive to hackers?

BB: Hackers cannot wish for a better system to target -- more than 90 percent of Global 1000 organizations use Active Directory, which controls the bulk of any given organization's resource access. Beginning in 2014, AD was extended to encompass access to web applications and resources through its Microsoft Azure integration. The level of access AD provides is immense. Should hackers gain a foothold in a company's AD, they gain near-unlimited access to company assets, logins, etc. (basically a free hall pass to go and do whatever you want). Active Directory is often targeted in ransomware attacks because nearly all core company systems are tied to it. If AD domain controllers become encrypted, the fallout is widespread and immediate, with the potential to cripple any satellite offices and infrastructure within its network. Because Microsoft Active Directory is so widely used, criminals need only leverage a single skill set to breach most organizations across any industry vertical -- a big advantage for the bad guys, and a significant challenge for defenders.

BN: What problems arise for organizations when a cyberattack triggers an Active Directory outage? What are the consequences if the time to recover AD is drawn out?

BB: Once a cybercriminal has administrative control over an organization's Active Directory, they can encrypt data stored on any server or systems joined to the directory, as well as any backup repositories accessible through AD. They can also obstruct employee access to all computers and essential productivity tools an organization uses and prevent suppliers from viewing inventory levels. Basically, employees can’t work, suppliers can't see, and customers can't buy.

Primary AD-enabled applications are used for accounting, sales, services, and product fulfillment. Locking companies out of these vital tools significantly impacts their operations and customer service capabilities, and they immediately begin to lose money. The more prolonged an Active Directory recovery is, the more costly it will be to an organization’s bottom line, reputation, and customers. In some cases, even lives may be at stake. Recently a hospital was forced to shut down its emergency rooms because they lost their computer systems due to an AD attack.

When examined together, only 84 percent of mid-size and small businesses cannot restore their active directories in under an hour. Knowing this, the financial impact of AD downtime starts to come into focus. For instance, assuming an average salary of $75k, a mid-size company with 5,000+ employees risks losing $1.5 million per day ($3,125 per minute) in labor costs alone.

BN: Should a ransomware attack occur, what are the first steps an organization should take?

BB: Should a catastrophic ransomware attack cripple company operations, restoring Active Directory takes top priority. This order of operations is necessary to restore full functionality across an organization’s network environment since many core systems and business applications depend on Active Directory to function. At the individual level, employees rely on AD to access their endpoints, and customers use AD to access their accounts online to purchase goods and services. A restored Active Directory will re-enable suppliers, customers, and employees to return to normal operations post-outage. It’s nearly impossible to do so without AD.

BN: What are the key principles organizations should follow to protect and secure the sensitive data stored in Active Directory?

BB: A combination of multi-factor authentication (MFA) adoption and the implementation of zero-trust architecture across a company's network will protect against most hackers' attempts to compromise a business's Active Directory.

User governance under these conditions enables organizations to set up roles, rules, and automation that help prevent access to sensitive data. This can include removing standing privileges and enabling just-in-time task-based scoped administrative workflows. Establishing rules, roles, and automation for repeatable processes, heightened security, and minimized manual administrative tasks are also recommended.

Active change monitoring is a crucial part of any secure Active Directory design, enabling organizations to identify attacks in progress or past attacks. Specific best practices include adding rules designed to detect and roll back dangerous changes, such as automatically and immediately undoing any additions to an administrative group outside of an approved secure process.

Finally, develop and periodically test incident response plans for AD attacks considering containment and recovery. Robust backup and recovery strategies for AD data should include offline backup systems isolated from the network. Conducting automated daily, proactive security assessments to identify and address AD and Entra ID vulnerabilities, as well as daily automated recovery testing, will give organizations peace of mind that they can identify and recover quickly and reliably from an AD-targeted attack.
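
The change-monitoring rule described in the interview (flag and undo additions to an administrative group made outside an approved process) can be sketched as follows. This is an added example, not code from the interview or from any vendor product; the privileged-group list, the approval records, the account names and the sample events are all constructed assumptions, while the event IDs and field names are those of the Windows Security log.

```python
# Security event IDs logged when a member is added to a security-enabled group.
ADD_EVENT_IDS = {4728: "global", 4732: "local", 4756: "universal"}

# Assumption: groups this organization treats as administrative.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}

# Assumption: the approved process records (group, member, actor) for each change.
APPROVED_CHANGES = {
    ("domain admins", "cn=alice-adm,ou=tier0,dc=corp,dc=example", "svc-pam"),
}

# Constructed sample events using field names from events 4728/4732/4756.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TargetUserName": "Domain Admins", "SubjectUserName": "svc-pam",
     "MemberName": "CN=alice-adm,OU=Tier0,DC=corp,DC=example"},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "SubjectUserName": "jdoe",
     "MemberName": "CN=alice-adm,OU=Tier0,DC=corp,DC=example"},
    {"EventID": 4756, "TargetUserName": "Enterprise Admins", "SubjectUserName": "svc-pam",
     "MemberName": "CN=temp01,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4728, "TargetUserName": "Sales Team", "SubjectUserName": "jdoe",
     "MemberName": "CN=bob,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4624, "TargetUserName": "jdoe"},  # logon event, not a group change
]


def unapproved_additions(events, approved=APPROVED_CHANGES):
    """Return one rollback request per privileged-group addition lacking approval."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in ADD_EVENT_IDS:
            continue  # not a group-membership addition
        group = ev.get("TargetUserName", "").lower()
        if group not in PRIVILEGED_GROUPS:
            continue  # group is not administrative
        member = ev.get("MemberName", "").lower()
        actor = ev.get("SubjectUserName", "").lower()
        if (group, member, actor) in approved:
            continue  # matches a change made through the approved process
        findings.append({"group": group, "member": member, "actor": actor,
                         "scope": ADD_EVENT_IDS[ev["EventID"]],
                         "action": "remove_member"})
    return findings


if __name__ == "__main__":
    for finding in unapproved_additions(SAMPLE_EVENTS):
        print(finding)
```

The second sample event is flagged even though the member is an approved administrator, because the change was made by an account other than the one the approved process uses; each finding is a rollback request that a separate, audited step would act on.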

Image credit: Momius/depositphotos.com
