Active directory attacks: How to stop the serious, under-reported threat

The security foundations within AD haven’t changed much over the past two decades.

High-profile cyberattacks such as SolarWinds and the Microsoft Exchange compromises have put a spotlight on how vulnerable Active Directory (AD) can be, and on its place in an organisation's overall cybersecurity strategy.

Yet, until recently, many business leaders may never have heard of AD, or known that it was running in the background.

Microsoft AD is the dominant identity management platform in enterprise environments, used for authentication and for controlling permissions and privileges. That makes AD a prominent and valuable target for threat actors.

Historically, such attacks have caused eye-watering damage to businesses large and small, but many are still unaware of how vulnerable their AD is, and that ignorance can be costly.

Managing and securing vital business infrastructure 

For more than 20 years, AD has formed the backbone of network infrastructure for businesses worldwide. Its use is so common that 90 per cent of Fortune 1000 organisations rely on AD as their primary means of providing seamless authentication and authorisation when employees log in to devices, open email, access applications and share files.

However, with poor management, access control gaps arise that give easy access to vital company data and intellectual property. Once an attacker is inside the network, they use these gaps and misconfigurations (over-broad group memberships, weak permissions on directory objects, unconstrained delegation and the like) to move laterally and escalate privileges in order to reach devices and corporate data. Managing and securing the AD environment is complex because it is constantly changing and has many moving parts.

When it comes to mitigating risk, the first step should be to remediate the threats and misconfigurations already present in the AD environment. As an analogy, investing in an expensive security system won't do much to secure your home if there's an open window on the first floor. The existing AD has to be cleaned up first, and that improved state then maintained continuously.

Typically, the size and complexity of AD networks make manual monitoring difficult and real-time detection of attacks near impossible. Tooling that continuously monitors and analyses AD attack paths therefore plays a vital role in securing the infrastructure.

Detecting, investigating and hunting threats to mitigate risk 

Earlier this year, our research found that between January and October 2020, 730 publicly disclosed events exposed more than 22 billion records, with 35 per cent of breaches caused by ransomware, a threat that routinely abuses AD to spread across an environment.

Attacking AD is a goldmine because once an attacker controls AD, they effectively hold the keys to the kingdom. They can move laterally to any connected device, take over privileged accounts, leave backdoors, add new machines to the domain, deploy ransomware, compromise sensitive systems and steal sensitive data. AD administrators must therefore enforce least privilege wherever possible: give each user only the privileges needed for a particular task, grant them for the duration of that task and revoke them afterwards. Administrators must also find and remediate accounts that already have more access than they need.
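The audit of over-privileged accounts and the time-bound grant described above, as an added PowerShell example that is not part of the article or of any Tenable product. The group list, the 90-day and one-year thresholds and the three sample accounts are assumptions made for illustration; the live query and the `-MemberTimeToLive` grant use the Windows ActiveDirectory module and are shown as comments because they need a domain to run against:

```powershell
# Added example, not from the article: find members of Tier-0 groups that
# violate least privilege, then show membership that expires by itself.
# Group list, thresholds and the sample accounts below are assumptions.

$Tier0Groups  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$StaleAfter   = (Get-Date).AddDays(-90)    # no logon since this date -> stale membership
$OldPwdBefore = (Get-Date).AddDays(-365)   # password set before this date -> rotate

function Test-PrivilegedAccount {
    # Emits one finding per risky member of $Group and nothing for clean accounts.
    # $Account needs the properties the live Get-ADUser query below returns.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [Parameter(Mandatory)] [string] $Group
    )
    process {
        $reasons = @()
        if (-not $Account.Enabled) {
            $reasons += 'disabled account still a member'
        }
        if ($Account.ServicePrincipalNames.Count -gt 0) {
            $reasons += 'service account (SPN set) in a Tier-0 group'
        }
        if ($Account.PasswordNeverExpires) {
            $reasons += 'password never expires'
        }
        if (-not $Account.LastLogonDate -or $Account.LastLogonDate -lt $StaleAfter) {
            $reasons += 'no logon in 90 days'
        }
        if (-not $Account.PasswordLastSet -or $Account.PasswordLastSet -lt $OldPwdBefore) {
            $reasons += 'password older than a year'
        }
        if ($reasons.Count -eq 0) { return }
        [pscustomobject]@{
            Group   = $Group
            Account = $Account.SamAccountName
            Reasons = $reasons -join '; '
        }
    }
}

# Constructed sample members, shaped like the live query's output.
$sampleMembers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true
        ServicePrincipalNames = @(); PasswordNeverExpires = $false
        LastLogonDate = (Get-Date).AddDays(-2); PasswordLastSet = (Get-Date).AddDays(-40) }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Enabled = $true
        ServicePrincipalNames = @('MSSQLSvc/db01.corp.example:1433'); PasswordNeverExpires = $true
        LastLogonDate = (Get-Date).AddDays(-1); PasswordLastSet = (Get-Date).AddDays(-900) }
    [pscustomobject]@{ SamAccountName = 'bob.old'; Enabled = $false
        ServicePrincipalNames = @(); PasswordNeverExpires = $false
        LastLogonDate = (Get-Date).AddDays(-400); PasswordLastSet = (Get-Date).AddDays(-500) }
)

# alice is clean; svc-backup and bob.old each come out with their reasons.
$sampleMembers | Test-PrivilegedAccount -Group 'Domain Admins' | Format-Table -AutoSize

# Live audit of every Tier-0 group (ActiveDirectory module, domain read access):
# foreach ($g in $Tier0Groups) {
#     Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user' |
#         Get-ADUser -Properties Enabled, ServicePrincipalNames, PasswordNeverExpires,
#                                LastLogonDate, PasswordLastSet |
#         Test-PrivilegedAccount -Group $g
# }

# Grant for the duration of a task only. With the forest's Privileged Access
# Management optional feature enabled (a one-way change on the forest), the
# membership expires on its own and needs no follow-up removal:
# Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
#     -Scope ForestOrConfigurationSet -Target 'corp.example'
# Add-ADGroupMember -Identity 'Domain Admins' -Members 'alice' `
#     -MemberTimeToLive (New-TimeSpan -Hours 4)
```

The checks are deliberately conservative: an account that trips none of them can still be over-privileged, so the output is a worklist for review rather than a verdict. The time-bound grant is the mechanism for "given and revoked for the duration of the task"; without the optional feature the revocation has to be scripted and scheduled separately.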

While it is impossible to prevent every attack on AD, it is essential to detect attacks on AD in real time, so that administrators and security analysts are alerted as soon as possible.

AD requires continuous monitoring and analysis so that security teams stay on top of changes to the environment and to group policies that might expose a weakness an attacker can leverage. That insight lets businesses act proactively. If attacks on AD are detected and alerts sent in real time, they can be addressed quickly and efficiently; without that context, security teams remain in a permanently reactive state.
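Detection of one class of change the paragraph refers to, a member being added to a privileged group, as an added PowerShell example that is not part of the article. The watched-group list and the sample events are constructed; the event IDs (4728, 4732, 4756) and the XML layout are those of Windows Security auditing, and the Get-WinEvent pipeline is shown as a comment because it needs a domain controller to query:

```powershell
# Added example, not from the article: flag members added to privileged
# groups, working from Windows Security event XML so it runs offline on
# constructed events. Watched groups and the sample events are assumptions.

$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Administrators', 'Account Operators', 'Backup Operators')

# 4728 = member added to a global group, 4732 = to a domain-local group,
# 4756 = to a universal group (the removals are 4729, 4733 and 4757).
$MemberAddedIds = @(4728, 4732, 4756)

function Find-PrivilegedGroupChange {
    # Takes event XML as Get-WinEvent's ToXml() returns it; emits one record
    # per addition to a watched group and nothing for anything else.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        [xml]$e = $EventXml
        # Security-auditing EventID elements carry no Qualifiers attribute,
        # so the node reads as plain text.
        $id = [int]$e.Event.System.EventID
        if ($MemberAddedIds -notcontains $id) { return }

        # EventData is a list of <Data Name="...">value</Data>; index it by name.
        $data = @{}
        foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($WatchedGroups -notcontains $data['TargetUserName']) { return }

        [pscustomobject]@{
            Time    = [datetime]$e.Event.System.TimeCreated.SystemTime
            DC      = $e.Event.System.Computer
            EventId = $id
            Group   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Member  = $data['MemberName']
            AddedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
}

function New-SampleEvent {
    # Constructed event in the shape a real 4728/4732/4756 takes; this is
    # sample data for the demonstration, not output from a DC.
    param([int] $Id, [string] $Group, [string] $MemberDn, [string] $Actor)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>$Id</EventID>
    <TimeCreated SystemTime="2021-06-14T09:12:33.0000000Z"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">$MemberDn</Data>
    <Data Name="MemberSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="TargetUserName">$Group</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111-2222-3333-512</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
    <Data Name="SubjectUserName">$Actor</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x5d4e2</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
"@
}

$sampleEvents = @(
    (New-SampleEvent -Id 4728 -Group 'Domain Admins' -MemberDn 'CN=svc-backup,OU=Service Accounts,DC=corp,DC=example' -Actor 'jsmith')
    (New-SampleEvent -Id 4728 -Group 'Sales' -MemberDn 'CN=alice,OU=Staff,DC=corp,DC=example' -Actor 'helpdesk1')
    (New-SampleEvent -Id 4756 -Group 'Enterprise Admins' -MemberDn 'CN=temp-admin,CN=Users,DC=corp,DC=example' -Actor 'jsmith')
)

# Only the Domain Admins and Enterprise Admins additions come out.
$sampleEvents | Find-PrivilegedGroupChange | Format-Table -AutoSize

# Live, against a domain controller (needs the "Audit Security Group
# Management" subcategory enabled there):
# Get-WinEvent -ComputerName DC01 -FilterHashtable @{
#     LogName = 'Security'; Id = $MemberAddedIds; StartTime = (Get-Date).AddHours(-1)
# } | ForEach-Object { $_.ToXml() } | Find-PrivilegedGroupChange
```

Group-membership events are only written when the "Audit Security Group Management" subcategory is enabled on the domain controllers, so the first check is that the log actually contains them. Group Policy edits, the other change the paragraph names, appear as 5136 (directory service object modified) events on groupPolicyContainer objects once "Audit Directory Service Changes" is enabled, and can be matched from their EventData in the same way.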

The security foundations of AD haven't changed much over the past two decades, more than enough time for attackers to find weaknesses in an organisation's AD defences. With years of growth and restructuring, an organisation's AD likely holds hundreds of hidden weaknesses and attack paths. As cybersecurity threats continue to skyrocket, now is the time for businesses big and small to mitigate a threat in AD that has received too little attention until now.

Scott McKinnel is Country Manager for ANZ at Tenable.

Copyright © BIT (Business IT). All rights reserved.
