Keeping the Active Directory healthy is a business priority

Ray Kafity, Vice President – Middle East, Turkey & Africa at Attivo Networks, elaborates on the importance of keeping its Active Directory in its best shape.

Microsoft’s Active Directory (AD), which debuted in the late 1990s, has become the industry standard in directory services. It is now used by nine out of ten organizations in the Global Fortune 1000. However, due to it being a common target of cyberattacks and that it is difficult to secure, AD has been dubbed a CISO’s “Achilles Heel.”

According to Microsoft, attackers target more than 95 million AD accounts every day, emphasizing the severity of the situation. Due to AD’s volatile and dispersed nature, as numerous organizations are typically responsible for different portions, securing it isn’t easy. An administrator’s task as AD increases is to ensure that it runs smoothly.

To classify an AD as “healthy,” it must perform properly, bringing all systems online and validating users.

Companies have been treating AD as part of the plumbing, as the common belief is that as long as the AD is up and running, they should not modify it. This practice carries significant risk as it can overlook changes in administrators, the remote work landscape, and mergers and acquisitions, which create additional security risks when they do not make necessary changes.

Given its targeting by cybercriminals, organizations must take specific measures to keep AD healthy by patching it regularly, auditing policies and security risks, and securing it both on-premises and in the cloud. It is essential for security teams to be aware of AD exposures that leave them vulnerable to attacks. Any organization building a zero-trust architecture will also need to have visibility for managing the least privileges and risks associated with group policies and overlapping trusts.

There is no such thing as a purely “healthy AD” as attack surfaces continually evolve from a security aspect. There are not enough people-hours to go deep and fast enough into the data to understand the risks. It is essential to have automated and continuous visibility to AD exposures vulnerable to attack and detect any attacks on Active Directory in real-time to achieve these insights.

A rigorous procedure
While protecting against AD attacks can be difficult, it is not impossible—all one needs are the correct tools and methods. One can protect AD by patching and evaluating vulnerabilities and settings that can render it vulnerable to attack. For example, organizations can avoid “Kerberoasting” (an attack that provides an easy way for adversaries to gain privileged access) by putting the correct settings, rules, and configurations in place.

It is good practice to continuously examine and limit the number of rights and delegated administrators present. CISOs must thus comprehend the web of permissions and authorizations they have enabled and the entitlements surrounding them.

It’s not enough to inquire who belongs to which security group when it comes to AD security. Every object in AD has an access control list to which administrators can add user accounts. With this in mind, it’s critical not to overlook security flaws like overlapping permissions and other settings that could expose the company to attack.

All these precautions may be in vain unless the organization can detect a live Active Directory attack. These activities are, however, difficult to detect using logs or periodic inspections.

Attackers frequently use open-source tools like Bloodhound to find the critical leverage point for accessing an organization’s vital resources to get AD admin rights. When using these approaches, bulk modifications and other changes to AD settings are a tell-tale indication for organizations to health check their AD. A brute force or password spray attack typically appears as multiple password resets or user lockouts on the domain controller. It’s complex and time-consuming to hunt for such behavior using typical controls.

Anticipating Cyber-Attacks
If organizations detect attacks on AD early, they can significantly reduce the potential damages. They can’t afford to wait for an aberrant behavior to trigger an alert from a security control, such as an attacker modifying a security configuration. The enemies will have advanced downstream and will be able to do much more, including installing backdoors.

After breaching perimeter defenses and gaining a footing within the network, adversaries will conduct surveillance to discover potentially valuable assets—and how to get to them. Targeting AD is one of the most acceptable ways to do this because they can disguise it as routine company activity with little risk of detection.

Thus, attempting to prevent opponents from accessing AD in the first place is reasonable. Recent Active Directory protection developments provide concealment technology to hide and limit access to AD objects while detecting illicit queries attempting to mine the data to use in an attack.

Security teams can also use disinformation to misdirect adversaries into engaging with decoys, diverting the attacker’s attention to a location where the security team can gather data to strengthen their defenses. Detecting and preventing enumerations of rights, delegated admins, and service accounts early in the attack cycle can alert defenders to the presence of an adversary. Deploying deceptive domain accounts and credentials on endpoints can misdirect attackers, sending them to decoys for engagement.

Protecting AD with the least privileges and tiered administration is no longer enough — this method does not scale. AD creates a massive hairball that is tough to untangle when factoring in M&A, cloud adoption, and nomadic staff.

While there is no such thing as a perfectly “healthy” AD, businesses can take precautions to safeguard their settings. Organizations should use new technologies to uncover vulnerabilities and execute continuous AD pen tests in a highly complex cybersecurity landscape. Firms must also look beyond audit logs to find vulnerabilities and update their security procedures with mechanisms for detecting live attacks.
As it involves people, processes, and products, securing AD becomes a complicated procedure. However, organizations can simplify it with the correct tools, detecting attacks sooner and reducing resource requirements.

A traditional approach will not get you there, but recent security breakthroughs will help.