Carolyn Crandall at Attivo Network explains why 90% of organisations need an Active Directory health check.
When Microsoft unveiled Active Directory (AD) way back in 1999, could anyone have known just how important it would turn out to be? Now used by roughly nine out of ten businesses in the Global Fortune 1000, AD is the standard in authentication, identity management and access control.
Yet with success and ubiquity comes risk: AD is targeted in more than 80% of attacks, including high-profile incidents such as the SolarWinds and Microsoft Exchange Server hacks.
Securing AD is no easy matter, leading many to describe this vital service as a CISO’s “Achilles’ heel”. Protecting AD is a difficult and complex endeavour with high stakes, because any attacker who gains control of this central column of an organisation’s digital infrastructure can damage it severely – but it’s a non-optional activity in today’s threat landscape. So how does one keep AD healthy and make sure it’s functioning at peak performance?
A fitter, healthier Active Directory
Many organisations installed their AD more than 20 years ago, meaning it is now gnarled and scarred by policy changes, settings updates and a myriad of mistakes or accidental vulnerabilities that the admins have simply forgotten.
Therefore, making significant changes to AD is like building scaffolding on top of scaffolding. The only way anyone can possibly know about all the decisions and changes made over two decades is if they worked as a sysadmin for that entire period. Even then, since Active Directory constantly changes, there is no easy way to fully understand or keep up with every vulnerability or misconfiguration lurking in an AD.
The scale of Active Directory is one problem with keeping it secure, but there’s also the challenge of organisational complexity. When it comes to determining if an enterprise AD is healthy, there is an apparent disconnect between departments. AD admins will consider Active Directory to be working well if it does its job effectively in operational terms by allowing users to get validated and keeping systems online.
From a security perspective, a healthy AD looks very different. CISOs and SOC teams will want to know that AD is working correctly and securely. They know that if AD goes down, business stops, meaning they can’t simply place it on standby and repair it if they discover a vulnerability. AD must remain operational and is an ever-changing hydra that is constantly evolving alongside the business. It’s a difficult patient for sure, but keeping AD healthy is non-optional.
Prescription for a healthy Active Directory
Securing AD is like tending a garden because its ever-changing nature means that a vulnerability could emerge at any time. Even if security teams manage to keep the pests at bay for one season, new threats will inevitably arise and mess up their carefully tended systems.
The first step to building a healthy AD is to make sure all patches are up to date. CISOs must also check the exposures and settings that make them vulnerable to attack. Ensuring one has the correct settings, policies and configurations will help prevent threats such as Kerberoasting, an attack in which any authenticated domain user requests a Kerberos service ticket for an account that has a service principal name (SPN) and then cracks the ticket offline, because it is encrypted with that account’s password hash. Weak encryption (RC4 rather than AES) and poor service account password hygiene are what make the cracking practical.
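The following is an added example, not code from the original article, showing how to audit the Kerberoasting exposure just described: every account with an SPN is listed with the three things that decide how fast its ticket cracks (whether it is privileged, how old its password is, and whether AES is enabled). It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the 365-day password-age threshold is an assumption.

```powershell
# Added example (not from the original article): rank Kerberoastable accounts by exposure.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365                       # assumption: service-account rotation policy
$Cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# Any authenticated user can request a service ticket for any account that has an SPN.
# The ticket is encrypted with that account's password hash, so it can be cracked offline.
$svc = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount

$report = $svc | ForEach-Object {
    $enc = $_.'msDS-SupportedEncryptionTypes'
    # Flag bits: 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256. Unset (null/0) means the KDC falls
    # back to RC4 for this account's service tickets, which crack far faster than AES.
    $aes   = $enc -and (($enc -band 0x18) -ne 0)
    $pwAge = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
    [pscustomobject]@{
        Account       = $_.SamAccountName
        Privileged    = ($_.AdminCount -eq 1)      # AdminSDHolder-protected: cracking this one is game over
        PasswordAge   = $pwAge
        StalePassword = ($null -eq $pwAge) -or ($_.PasswordLastSet -lt $Cutoff)
        RC4Fallback   = -not $aes
        SPNs          = ($_.servicePrincipalName -join ';')
    }
}

$report | Sort-Object Privileged, StalePassword, RC4Fallback -Descending | Format-Table -AutoSize

# Remediation, per account, once the service owner confirms the service supports AES:
#   Set-ADUser -Identity <name> -KerberosEncryptionType AES128,AES256
# then rotate the password to a long random value, or move the service to a gMSA
# (New-ADServiceAccount) so the password is 120 characters and rotated automatically.
```

Accounts that sort to the top (privileged, stale password, RC4 fallback) are the ones an attacker would crack first; fix those before touching the rest.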
It is also prudent to limit delegated permissions and the number of delegated administrators known as “shadow admins”: accounts that hold privileged rights through direct ACL grants or delegation rather than through membership of a recognised admin group, so that group-based reviews never see them. Identifying and locking down shadow admin accounts is essential because they are preferred targets for attackers and can grant adversaries the ability to extend their attack whilst evading detection.
Security teams must also understand the web of permissions and authorisations they have enabled and the entitlements around them. In AD, every object has an access control list to which one can add user accounts. Admins can grant a specific user something as simple as the right to reset another user’s password, and that grant will not show up in any group membership. If an attacker gains access to an account with enough permissions, they can grant themselves extended privileges and cover their tracks. It becomes essential to gain visibility of users who have such permissions and limit these accounts to as few as reasonably possible.
Organisations should also audit policies regularly and account for exposures such as overlapping permissions and other settings that could open up the organisation to attack.
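The following is an added example, not code from the original article, covering both the shadow admins and the per-object ACL grants described above: it walks the ACLs of the user objects and OUs under one search base, plus the Domain Admins group, and reports every principal outside a sanctioned list that can reset passwords or take control of an object. The search base, the domain NetBIOS name and the sanctioned-identity list are assumptions to adapt; it assumes the RSAT ActiveDirectory module with read access.

```powershell
# Added example (not from the original article): find password-reset and control rights
# granted to principals that are not in the expected admin identities ("shadow admins").
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=corp,DC=example'            # assumption: where user objects live
$Expected   = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
                'CORP\Domain Admins', 'CORP\Enterprise Admins')   # assumption: sanctioned admins

# Extended right "User-Force-Change-Password": reset a password without knowing the old one.
$ForceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# Rights from which the holder can grant themselves anything else on the object.
$ControlRights = @('GenericAll', 'WriteDacl', 'WriteOwner')

$targets = @(Get-ADObject -SearchBase $SearchBase `
               -LDAPFilter '(|(objectClass=user)(objectClass=organizationalUnit))') +
           @(Get-ADGroup -Identity 'Domain Admins')   # control of this group is domain takeover

$findings = foreach ($obj in $targets) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Expected -contains $ace.IdentityReference.Value) { continue }

        $rights     = $ace.ActiveDirectoryRights.ToString() -split ', '
        $canControl = @($rights | Where-Object { $ControlRights -contains $_ }).Count -gt 0
        # ExtendedRight with an empty ObjectType means *all* extended rights, reset included.
        $canReset   = ($rights -contains 'ExtendedRight') -and
                      ($ace.ObjectType -eq $ForceChangePassword -or $ace.ObjectType -eq [guid]::Empty)
        if (-not ($canControl -or $canReset)) { continue }

        [pscustomobject]@{
            Object    = $obj.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Why       = if ($canControl) { 'control' } else { 'reset-password' }
            Inherited = $ace.IsInherited        # $false: granted directly on this object
        }
    }
}

# Principals listed here that are not members of an admin group are your shadow admins.
$findings | Sort-Object Principal, Object | Format-Table -AutoSize
```

Non-inherited entries are the one-off grants an admin made directly on an object and forgot; inherited ones trace back to a delegation on a parent OU, which is where the fix belongs.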
An active approach to AD security
Traditional AD protection often depends on after-the-fact detection rather than a proactive approach that looks for vulnerabilities and plugs security holes before attackers exploit them. Using logs and SIEMs to look for attacks or abnormal behaviour is often mistake-prone because alerts are lost in the noise or mistakenly viewed as benign.
It’s best to move beyond detection to keep AD safe because organisations can do more to remediate an attack on AD if they discover it early. They can’t afford to wait until a security control detects anomalous behaviour, such as an attacker obtaining the information needed to change a security setting, and triggers an alert. By then the adversaries will have already travelled further into the environment to extend their attack and cover their tracks.
It makes sense to prevent adversaries from accessing AD in the first place, which is where misdirection and deception can be useful. Organisations can use modern concealment technology to essentially cloak Active Directory objects and credentials, denying an attacker the ability to find and access data. They can replace real data with disinformation, which directs attackers into an engagement server for threat intelligence gathering. Additionally, if an organisation creates decoy environments or assets, it can fool attackers into engaging with them and, therefore, away from its real crown jewels. Once the decoy environment traps the adversaries, defenders can analyse their behaviour and gain valuable intelligence to defend against future attacks.
Prepare for attack
Organisations should also ensure they can detect live attacks targeting AD. Attackers often seek to gain AD admin rights using open-source tools such as BloodHound, which maps the group memberships, ACL permissions and logged-on sessions in a domain into attack paths from an initial foothold to the accounts that control a firm’s critical resources.
Tell-tale signs that businesses can look for include mass changes to AD settings, bursts of password resets, and clusters of failed logons and lockouts. A single source failing against many different accounts, often only once or twice each, indicates a password spray; a pile of failures and lockouts against one account indicates a brute-force attack.
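The following is an added example, not code from the original article, that turns the two tell-tale signs above into detection logic: it separates a password spray (one source, many accounts, few attempts each) from a brute force (one account, many attempts) in Security event 4625 (failed logon) and ties lockouts (event 4740) to the account involved. Get-SecurityFailures shows the live query against a domain controller’s Security log; Find-AuthAttacks runs the same logic over a constructed sample so the example works offline. The window and thresholds are assumptions.

```powershell
# Added example (not from the original article): spray vs brute-force detection over
# Windows Security events 4625 (failed logon) and 4740 (account lockout).

function Get-SecurityFailures {
    # Live path: read the last hour of 4625/4740 events from the local Security log.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740; StartTime = $Since } |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = $d['TargetUserName']
            # 4625 records the client IP; 4740 records the caller computer name instead.
            Source  = if ($_.Id -eq 4625) { $d['IpAddress'] } else { $d['TargetDomainName'] }
        }
      }
}

function Find-AuthAttacks {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$WindowMinutes    = 10,   # assumption: sliding window length
        [int]$SprayMinAccounts = 8,    # assumption: distinct accounts from one source
        [int]$BruteMinAttempts = 20    # assumption: attempts against one account
    )
    $fails  = @($Events | Where-Object Id -eq 4625)
    $locked = @($Events | Where-Object Id -eq 4740 | ForEach-Object Account)

    # Spray: per source, slide the window and count distinct target accounts.
    foreach ($src in ($fails | Group-Object Source)) {
        $s = @($src.Group | Sort-Object Time)
        for ($i = 0; $i -lt $s.Count; $i++) {
            $end = $s[$i].Time.AddMinutes($WindowMinutes)
            $win = @($s | Where-Object { $_.Time -ge $s[$i].Time -and $_.Time -le $end })
            $n   = @($win | ForEach-Object Account | Sort-Object -Unique).Count
            if ($n -ge $SprayMinAccounts) {
                [pscustomobject]@{ Type = 'PasswordSpray'; Key = $src.Name; Count = $n; Start = $s[$i].Time; LockedOut = $false }
                break
            }
        }
    }
    # Brute force: per account, same window, count attempts and check for a lockout.
    foreach ($acct in ($fails | Group-Object Account)) {
        $s = @($acct.Group | Sort-Object Time)
        for ($i = 0; $i -lt $s.Count; $i++) {
            $end = $s[$i].Time.AddMinutes($WindowMinutes)
            $n   = @($s | Where-Object { $_.Time -ge $s[$i].Time -and $_.Time -le $end }).Count
            if ($n -ge $BruteMinAttempts) {
                [pscustomobject]@{ Type = 'BruteForce'; Key = $acct.Name; Count = $n; Start = $s[$i].Time; LockedOut = ($locked -contains $acct.Name) }
                break
            }
        }
    }
}

# Constructed sample: a 12-account spray from 10.0.0.5 and 25 tries at svc_backup from 10.0.0.9.
$t0 = [datetime]'2024-03-01T09:00:00'
$Sample = @(
    0..11 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(10 * $_); Id = 4625; Account = "user$_";     Source = '10.0.0.5' } }
    0..24 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(5 * $_);  Id = 4625; Account = 'svc_backup'; Source = '10.0.0.9' } }
    [pscustomobject]@{ Time = $t0.AddMinutes(3); Id = 4740; Account = 'svc_backup'; Source = 'WS-4412' }
)
Find-AuthAttacks -Events $Sample | Format-Table -AutoSize
# On a domain controller: Find-AuthAttacks -Events (Get-SecurityFailures) | Format-Table -AutoSize
```

The sample yields one PasswordSpray finding for 10.0.0.5 (12 accounts) and one BruteForce finding for svc_backup (25 attempts, LockedOut true); 10.0.0.9 is not flagged as a spray because it only ever touched one account. Note that a spray deliberately stays under the lockout threshold, so waiting for 4740 events alone will miss it.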
However, although firms can use traditional controls to look for such malicious activity, it’s time-consuming and involves a great deal of manual work. Thus, any organisation using AD must check that it is operating securely now, rather than waiting for an attack.
We all go to the gym, eat healthily and take steps to keep ourselves in good shape in the hopes of avoiding health problems in the future. Organisations should do the same with their Active Directory because a patch in time can save nine.
Carolyn Crandall is chief security advocate at Attivo Networks