Zeki Turedi, Field CTO Europe at CrowdStrike, talks about the rising trend of identity-based attacks, which is proving to be the biggest security issue for CISOs in the region.
Identity-based attacks are booming. According to the Global Threat Report, 80% of all cyber attacks now use identity-based methods to compromise companies. For CISOs, identity protection is one of today's biggest security challenges. Particular attention should be paid to Active Directory, the Achilles' heel of many IT security programmes when it comes to identity protection.
Entry point: Active Directory
Identity systems such as Microsoft Active Directory (AD), used by countless companies worldwide, are among the most popular attack vectors for threat actors. If adversaries successfully exploit an AD weakness, they often hold the company's "master key" shortly afterwards, giving them access to valuable information, applications and systems. At the same time, AD security is neglected in many companies, which makes it all the more attractive to adversaries.
How serious the threat is for companies was illustrated by a recent Patch Tuesday, on which 40 per cent of the Microsoft patches released addressed privilege-escalation vulnerabilities, including a zero-day vulnerability that prompted Microsoft to issue the following warning: "an attacker who successfully exploited this vulnerability could gain system privileges."
Why adversaries today focus on identity-based techniques is obvious: identity-based attacks are extremely difficult to detect with conventional methods, because existing security tools often cannot distinguish the normal behaviour of a legitimate user from that of an attacker using that user's stolen credentials.
It is therefore all the more important that corporate security measures evolve along with adversaries' TTPs. Defenders must understand how identity systems are attacked today and ask whether their current security strategy is an adequate answer. What follows is a look at three common AD attack scenarios and how to address them.
Three common AD attack scenarios
From an adversary's perspective, the LSASS process on a Windows host is an attractive target: its memory holds the credentials of users who have logged on, which can be dumped, reused and leveraged for lateral movement. The defence therefore needs a security solution that detects and blocks credential theft from LSASS immediately, and that also prevents adversaries from using stolen but valid credentials to move on to an unmanaged host such as a laptop. To learn more about the threat actors themselves, honeytokens have become a viable and recommended layer for organisations to build into their information security strategy. Honeytoken accounts are decoys with no legitimate use: any attempt to authenticate as one signals an intruder and gives security teams detailed insight into the attack path, so that critical resources and accounts can be protected.
Threat actors also often try to compromise endpoints with TTPs such as local privilege escalation or command and control. When a capable endpoint protection platform stops these attempts, they frequently switch to brute-force attacks against AD accounts, typically service accounts with shared, duplicate or default passwords. Identity protection solutions address this by simplifying the detection of reused passwords across the organisation's AD, so that administrators can identify such accounts without manual AD audits and enforce unique passwords to defend against threats such as credential stuffing.
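The reuse check described above can also be done directly against the NT hashes in the directory: two accounts with the same NT hash have the same password. The following Python example is added here to illustrate that check and is not CrowdStrike's code or product logic. It reads a constructed hash dump in the line format written by tools such as impacket's secretsdump (`domain\user:rid:lmhash:nthash:::`), groups accounts by NT hash and also matches against two well-known weak hashes; the account names, RIDs and hash values in the sample are constructed, and the weak-hash list is an assumption you would replace with your own.

```python
"""Find AD accounts that share an NT hash, i.e. the same password.

Added example, not CrowdStrike code. The input is a constructed dump in the
line format written by tools such as impacket's secretsdump
(domain\\user:rid:lmhash:nthash:::). A real dump comes only from an
authorised audit (DCSync with replication rights, or an offline copy of
NTDS.dit) and must be handled as highly sensitive data.
"""
from collections import defaultdict

# The NT hash is MD4 over the UTF-16LE encoded password. These two values are
# the well-known, precomputed hashes of the empty password and of "password";
# extend the table from your own banned-password list (assumption).
KNOWN_WEAK_HASHES = {
    "31d6cfe0d16ae931b73c59d7e0c089c0": "<empty>",
    "8846f7eaee8fb117ad06bdd830b7586c": "password",
}

# Constructed sample: three service accounts share one hash and two accounts
# have an empty password. The LM field is the empty LM hash in every line.
SAMPLE_DUMP = """\
CORP\\svc-backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\svc-sql:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\svc-web:1107:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\jdoe:1201:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\\asmith:1202:aad3b435b51404eeaad3b435b51404ee:d4e4a5f0c0f5b2f0c3a1b2c3d4e5f6a7:::
CORP\\guest-kiosk:1203:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_dump(text):
    """Return a list of (account, rid, nthash) for each well-formed dump line."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0]:
            continue  # blank lines or anything not in user:rid:lm:nt form
        account, rid, _lm, nt = parts[:4]
        entries.append((account, int(rid), nt.lower()))
    return entries


def find_shared_hashes(entries):
    """Map every NT hash used by two or more accounts to the sorted account list."""
    by_hash = defaultdict(list)
    for account, _rid, nt in entries:
        by_hash[nt].append(account)
    return {nt: sorted(accts) for nt, accts in by_hash.items() if len(accts) > 1}


def find_known_weak(entries, weak=KNOWN_WEAK_HASHES):
    """Map each account whose hash is in the weak table to the matching password."""
    return {account: weak[nt] for account, _rid, nt in entries if nt in weak}


def report(text):
    """Run both checks over a dump and return the findings as one dict."""
    entries = parse_dump(text)
    return {"shared": find_shared_hashes(entries), "weak": find_known_weak(entries)}


if __name__ == "__main__":
    findings = report(SAMPLE_DUMP)
    for nt, accounts in findings["shared"].items():
        print(f"shared password (NT {nt}): {', '.join(accounts)}")
    for account, password in findings["weak"].items():
        print(f"known weak password for {account}: {password}")
```

Grouping on the hash rather than cracking it means the check finds reuse even for strong passwords, which is the case that a wordlist audit misses; the weak-hash table only adds the obvious defaults on top.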
Another way adversaries obtain coveted identity data is by exploiting older protocols. Many organisations lack visibility into SMB and domain controller authentication events, so the malicious and anomalous user behaviour behind brute-force and pass-the-hash (PtH) attacks goes undetected. Modern security solutions should therefore cover not only Kerberos, NTLM and LDAP/S but also authentication over SMB. With insight into failed and successful SMB-to-DC authentication events, combined with active threat hunting for tooling and techniques such as CrackMapExec, pass-the-hash, password brute force and Mimikatz, security teams gain baseline data against which suspicious behaviour stands out, which strengthens AD security.
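To make the three detections concrete, the honeytoken account from the first scenario, the brute-force attempts from the second and the off-baseline NTLM logons that a pass-the-hash attack leaves behind in this third one, here is an added Python example that is not CrowdStrike's code or product logic. It runs simple rules over constructed Windows security events (4624, 4625 and 4768) exported as one JSON record per line; the field names follow the Windows security log, while the decoy account name, the failure threshold, the time window and the per-account baseline of expected NTLM source hosts are assumptions to be tuned per environment.

```python
"""Rule-based triage of Windows security events for three AD attack patterns:
use of a honeytoken account, password brute force against AD accounts, and
NTLM network logons from a host outside an account's baseline (a coarse
pass-the-hash indicator). Added example, not CrowdStrike code.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed configuration: tune for your environment.
HONEYTOKEN_ACCOUNTS = {"svc-legacyadmin"}   # decoy; nothing legitimate ever uses it
BRUTE_FORCE_THRESHOLD = 5                   # failed logons from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)   # ... inside this window
NTLM_BASELINE = {"svc-sql": {"10.0.0.21"}}  # hosts that normally do NTLM logons per account

# Constructed events: a password spray from 10.0.5.77, a TGT request for the
# decoy account, an expected and an unexpected NTLM logon for svc-sql, a normal
# Kerberos logon, and one isolated failure that must not fire.
SAMPLE_EVENTS = """\
{"EventID": 4625, "TimeCreated": "2024-03-01T08:00:01", "TargetUserName": "jdoe", "IpAddress": "10.0.5.77", "LogonType": 3, "AuthenticationPackageName": "NTLM"}
{"EventID": 4625, "TimeCreated": "2024-03-01T08:00:02", "TargetUserName": "asmith", "IpAddress": "10.0.5.77", "LogonType": 3, "AuthenticationPackageName": "NTLM"}
{"EventID": 4625, "TimeCreated": "2024-03-01T08:00:03", "TargetUserName": "svc-backup", "IpAddress": "10.0.5.77", "LogonType": 3, "AuthenticationPackageName": "NTLM"}
{"EventID": 4625, "TimeCreated": "2024-03-01T08:00:04", "TargetUserName": "svc-web", "IpAddress": "10.0.5.77", "LogonType": 3, "AuthenticationPackageName": "NTLM"}
{"EventID": 4625, "TimeCreated": "2024-03-01T08:00:05", "TargetUserName": "administrator", "IpAddress": "10.0.5.77", "LogonType": 3, "AuthenticationPackageName": "NTLM"}
{"EventID": 4768, "TimeCreated": "2024-03-01T08:02:10", "TargetUserName": "svc-legacyadmin", "IpAddress": "10.0.5.77"}
{"EventID": 4624, "TimeCreated": "2024-03-01T08:03:00", "TargetUserName": "svc-sql", "IpAddress": "10.0.0.21", "LogonType": 3, "AuthenticationPackageName": "NTLM"}
{"EventID": 4624, "TimeCreated": "2024-03-01T08:04:30", "TargetUserName": "svc-sql", "IpAddress": "10.0.5.77", "LogonType": 3, "AuthenticationPackageName": "NTLM"}
{"EventID": 4624, "TimeCreated": "2024-03-01T08:05:00", "TargetUserName": "jdoe", "IpAddress": "10.0.0.50", "LogonType": 3, "AuthenticationPackageName": "Kerberos"}
{"EventID": 4625, "TimeCreated": "2024-03-01T09:30:00", "TargetUserName": "jdoe", "IpAddress": "10.0.0.50", "LogonType": 2, "AuthenticationPackageName": "Negotiate"}
"""


def parse_events(text):
    """Parse one JSON record per line and return the events sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
            events.append(ev)
    return sorted(events, key=lambda e: e["TimeCreated"])


def detect_honeytoken_use(events, honeytokens=HONEYTOKEN_ACCOUNTS):
    """Any authentication activity for a decoy account is an alert: the account
    exists only to be found by an intruder enumerating AD."""
    return [{"rule": "honeytoken", "account": e["TargetUserName"],
             "source": e["IpAddress"], "event_id": e["EventID"]}
            for e in events if e["TargetUserName"] in honeytokens]


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Flag a source IP with >= threshold failed logons (4625) inside the window.
    Grouping by source rather than by account also catches password spraying,
    where each account sees only one or two failures."""
    failures = defaultdict(list)           # events are already time-sorted
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e)
    alerts = []
    for ip, evs in failures.items():
        start, best = 0, 0
        for end in range(len(evs)):         # sliding window over the sorted failures
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"rule": "brute_force", "source": ip, "failures_in_window": best,
                           "accounts": sorted({e["TargetUserName"] for e in evs})})
    return alerts


def detect_ntlm_anomalies(events, baseline=NTLM_BASELINE):
    """NTLM network logons (4624, logon type 3) for a baselined account from a host
    outside its baseline. A replayed NT hash authenticates as NTLM from wherever the
    attacker sits, so the source host is often the only thing that looks wrong."""
    alerts = []
    for e in events:
        if e["EventID"] == 4624 and e.get("LogonType") == 3 \
                and e.get("AuthenticationPackageName") == "NTLM":
            known = baseline.get(e["TargetUserName"])
            if known is not None and e["IpAddress"] not in known:
                alerts.append({"rule": "ntlm_off_baseline", "account": e["TargetUserName"],
                               "source": e["IpAddress"], "expected": sorted(known)})
    return alerts


def triage(text):
    """Run all three rules over an event export and return the alerts."""
    events = parse_events(text)
    return detect_honeytoken_use(events) + detect_brute_force(events) + detect_ntlm_anomalies(events)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The NTLM rule is deliberately narrow: it only fires for accounts that have a baseline, so the first step in deploying it is collecting a few weeks of 4624 events to learn which hosts each service account normally authenticates from. The honeytoken rule has no such tuning, which is what makes decoy accounts such a cheap, high-signal detection.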
Choosing the right identity protection solution is critical for CISOs this year and will likely be one of the most important lines of defence. It does not have to complicate matters or create another wave of alerts and extra work for already thinly staffed teams: a good, modern solution offers companies a wealth of benefits and advanced features from a single source.