Why Active Directory is the Businesses’ “Achilles Heel”

Written by Ray Kafity, VP-META at Attivo Networks

In 2021 we experienced an extensive increase in cyber security breaches and attacks in the Middle East, and unfortunately, it is expected to continue in 2022. Organisations are faced with the burden of tackling the increase in cyber-attacks and the after-effects of remote working. The preferred target for cybercriminals is Active Directory (AD), which has earned it the name of the businesses’ Achilles heel, especially when it comes to ransomware attack preparedness. Microsoft estimated that more than 95 million AD accounts come under attack each day, and that number has almost certainly risen since then.

Active Directory represents a skeleton key capable of unlocking the rest of the network for attackers. AD provides the directory services that enable administrators to manage permissions and control access to resources throughout the network, making it essential to an organisation’s day-to-day operations—but it also makes it a target. Because it manages permissions and authentication, AD needs to be easily accessible to its user base. Unfortunately, this makes it notoriously difficult to secure.

AD’s role in network operations is so extensive that most customers (understandably) lack the in-depth knowledge needed to troubleshoot AD security. It isn’t just a matter of patching known vulnerabilities or correcting misconfigurations. Any exposed setting or poorly adjusted parameter can allow an attacker to infiltrate the system. Protecting AD involves visibility into exposures, live attack detection and management of security policies, and it requires insight into compliance drift when users do not follow those policies consistently. In other, more dynamic situations, such as mergers and acquisitions, major environment changes can make management exponentially more difficult.

Why Do Attackers Target Active Directory?
For most enterprises, AD is the central repository for all accounts and systems within the network, and it is responsible for all authentication and authorisation to the network. It is a lucrative target for attackers since compromising AD can give them access to all network resources and the necessary rights and privileges to make changes that make it harder to locate and remove them from the environment.

Unfortunately, many open-source and freely available tools, including Bloodhound and Mimikatz, make attacking and compromising AD dangerously simple. Attackers use these tools to identify accounts capable of granting them administrative rights and conduct their attacks in a way that allows them to elevate their privileges and hide their tracks. Almost every major ransomware attack includes a step in which the attacker leveraged AD along the way for information, privileges, or both. AD can quickly become an adversary’s best friend if not adequately protected.

Steps to Secure Active Directory
There are certain best practices that enterprises should adhere to, including hardening AD, keeping privileged accounts to a minimum, using jump boxes, and following secure technical implementation guides. But these alone will not keep AD safe. Responsible organisations should implement identity security solutions that provide visibility into exposed credentials that create potential attack paths and allow access to AD. Visibility into AD exposures and vulnerabilities is essential as well.
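The practices above only hold if someone regularly checks that they are still in force. As an added example (not code from the article or from Attivo Networks), the following read-only PowerShell audit looks for the exposures those practices are meant to remove: oversized privileged groups, relaxed password settings and service principal names on admin accounts, accounts that skip Kerberos pre-authentication, and enabled accounts nobody has used. It assumes the RSAT ActiveDirectory module and an account with read access to the domain; the group list and the 90-day staleness threshold are assumed values to be adjusted to local policy.

```powershell
# Added example, not code from the article or from Attivo Networks: a read-only
# audit of common Active Directory exposures. Assumes the RSAT ActiveDirectory
# module and a domain-joined account with read access to the directory.
# $StaleDays and $PrivilegedGroups are assumed values; adjust them to policy.
Import-Module ActiveDirectory

$StaleDays        = 90
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-PrivilegedMembers {
    # Nested membership is resolved so indirect admins are not missed.
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{ Group = $group; Account = $_.SamAccountName }
            }
    }
}

function Get-WeakPrivilegedAccounts {
    # AdminCount=1 marks accounts protected by AdminSDHolder, i.e. current or
    # former members of privileged groups. Flag those whose password settings
    # are relaxed or that double as service accounts (an SPN is set).
    Get-ADUser -Filter 'AdminCount -eq 1 -and Enabled -eq $true' `
        -Properties PasswordNeverExpires, PasswordNotRequired, PasswordLastSet, ServicePrincipalName |
        Where-Object {
            $_.PasswordNeverExpires -or $_.PasswordNotRequired -or ($_.ServicePrincipalName.Count -gt 0)
        } |
        Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired, PasswordLastSet,
            @{ Name = 'HasSpn'; Expression = { $_.ServicePrincipalName.Count -gt 0 } }
}

function Get-NoPreAuthAccounts {
    # Accounts without Kerberos pre-authentication expose material that can be
    # attacked offline; there is rarely a reason to keep this flag set.
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true -and Enabled -eq $true' |
        Select-Object SamAccountName, DistinguishedName
}

function Get-StaleEnabledAccounts {
    # Enabled accounts nobody has used for $StaleDays: candidates for disablement.
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($StaleDays)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate
}

$report = [ordered]@{
    PrivilegedMembers = @(Get-PrivilegedMembers)
    WeakPrivileged    = @(Get-WeakPrivilegedAccounts)
    NoPreAuth         = @(Get-NoPreAuthAccounts)
    StaleEnabled      = @(Get-StaleEnabledAccounts)
}

foreach ($section in $report.Keys) {
    Write-Host ("`n== {0} ({1}) ==" -f $section, $report[$section].Count)
    $report[$section] | Format-Table -AutoSize | Out-String | Write-Host
}

# Keep a dated snapshot so that membership and setting changes (drift) can be
# diffed between runs rather than noticed by accident.
$report | ConvertTo-Json -Depth 4 |
    Set-Content -Path ("ad-exposure-{0:yyyyMMdd}.json" -f (Get-Date))
```

Run it from a management host (a jump box, as the text recommends) on a schedule and diff the JSON snapshots; a new name in the privileged list or a newly set SPN on an admin account is exactly the kind of drift that the article says most organisations have no visibility into.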

New tools capable of helping organisations secure AD have also emerged. Identity Detection and Response (IDR) solutions are today considered an essential element of AD defence, as they can help defend against attackers targeting AD infrastructure within the network. For faster, more comprehensive threat detection and improved investigation and response times, enterprises need to detect attackers targeting credentials, cloud entitlements, and Active Directory—and IDR can help. Peter Firstbrook, Vice President of Gartner Research, recently stated, “Identity Detection and Response is a critical capability of any solution calling itself an XDR,” further lending credence to the value of IDR.
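The live detection that this paragraph attributes to IDR products comes down to watching domain controller security events for behaviour only an attacker (or a domain controller) should exhibit. As an added example, not the article’s or any vendor’s product code, the script below runs two such detections over a constructed sample of Windows Security events 4769 (Kerberos service ticket requested) and 4662 (operation performed on an object): one account requesting RC4-encrypted service tickets for many different services in a short window, and a non-DC account exercising the directory replication rights. The domain controller names, the threshold and the time window are assumed values; in production the events would come from Get-WinEvent or a SIEM rather than from the inline array.

```powershell
# Added example, not the article's or any IDR product's code: two detections an
# identity-focused monitoring pipeline runs over domain controller Security-log
# events. $events is a constructed sample shaped like events 4769 and 4662
# (fields named after the event XML data names). $DomainControllers,
# $TgsThreshold and $WindowMinutes are assumed values; tune them locally.

# Extended-right GUIDs that appear in 4662 when an account replicates directory
# secrets the way a domain controller does. Only DC accounts should do this.
$ReplicationRights = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'    # DS-Replication-Get-Changes-All
)
$DomainControllers = @('DC01$', 'DC02$')   # assumed DC computer accounts
$TgsThreshold      = 5                     # distinct RC4 service tickets per account
$WindowMinutes     = 10

# Constructed sample events. 0x12 = AES256, 0x17 = RC4-HMAC.
$events = @(
    [pscustomobject]@{ Id = 4769; Time = [datetime]'2022-01-10 09:00:01'; TargetUserName = 'jdoe';     ServiceName = 'DC01$';      TicketEncryptionType = '0x12'; IpAddress = '10.0.5.21' },
    [pscustomobject]@{ Id = 4769; Time = [datetime]'2022-01-10 09:03:10'; TargetUserName = 'jdoe';     ServiceName = 'svc_legacy'; TicketEncryptionType = '0x17'; IpAddress = '10.0.5.21' },
    [pscustomobject]@{ Id = 4769; Time = [datetime]'2022-01-10 09:14:02'; TargetUserName = 'svc_scan'; ServiceName = 'svc_sql';    TicketEncryptionType = '0x17'; IpAddress = '10.0.9.44' },
    [pscustomobject]@{ Id = 4769; Time = [datetime]'2022-01-10 09:14:03'; TargetUserName = 'svc_scan'; ServiceName = 'svc_web';    TicketEncryptionType = '0x17'; IpAddress = '10.0.9.44' },
    [pscustomobject]@{ Id = 4769; Time = [datetime]'2022-01-10 09:14:03'; TargetUserName = 'svc_scan'; ServiceName = 'svc_backup'; TicketEncryptionType = '0x17'; IpAddress = '10.0.9.44' },
    [pscustomobject]@{ Id = 4769; Time = [datetime]'2022-01-10 09:14:04'; TargetUserName = 'svc_scan'; ServiceName = 'svc_sccm';   TicketEncryptionType = '0x17'; IpAddress = '10.0.9.44' },
    [pscustomobject]@{ Id = 4769; Time = [datetime]'2022-01-10 09:14:05'; TargetUserName = 'svc_scan'; ServiceName = 'svc_exch';   TicketEncryptionType = '0x17'; IpAddress = '10.0.9.44' },
    [pscustomobject]@{ Id = 4769; Time = [datetime]'2022-01-10 09:14:06'; TargetUserName = 'svc_scan'; ServiceName = 'svc_legacy'; TicketEncryptionType = '0x17'; IpAddress = '10.0.9.44' },
    [pscustomobject]@{ Id = 4662; Time = [datetime]'2022-01-10 09:20:00'; SubjectUserName = 'DC02$';      Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}' },
    [pscustomobject]@{ Id = 4662; Time = [datetime]'2022-01-10 09:31:15'; SubjectUserName = 'svc_backup'; Properties = '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
)

function Find-ServiceTicketHarvesting {
    # One account asking for RC4 tickets to many services in a short window is
    # the signature of bulk service-ticket collection rather than normal use.
    param($Events, $Threshold, $WindowMinutes)
    $rc4 = $Events | Where-Object { $_.Id -eq 4769 -and $_.TicketEncryptionType -eq '0x17' }
    foreach ($group in ($rc4 | Group-Object TargetUserName)) {
        $sorted   = @($group.Group | Sort-Object Time)
        $services = @($sorted | Select-Object -ExpandProperty ServiceName -Unique)
        $span     = $sorted[-1].Time - $sorted[0].Time
        if ($services.Count -ge $Threshold -and $span.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                Detection = 'RC4 service tickets for many services'
                Account   = $group.Name
                Source    = (@($sorted | Select-Object -ExpandProperty IpAddress -Unique) -join ',')
                Detail    = ('{0} services in {1} min' -f $services.Count, [math]::Round($span.TotalMinutes, 1))
                Time      = $sorted[0].Time
            }
        }
    }
}

function Find-ReplicationByNonDc {
    # Replication rights exercised by anything other than a DC computer account
    # means someone is pulling credential material directly from the directory.
    param($Events, $DomainControllers, $Rights)
    $Events | Where-Object { $_.Id -eq 4662 } | ForEach-Object {
        $ev      = $_
        $matched = @($Rights | Where-Object { $ev.Properties -match $_ })
        if ($matched.Count -gt 0 -and ($DomainControllers -notcontains $ev.SubjectUserName)) {
            [pscustomobject]@{
                Detection = 'Directory replication by non-DC account'
                Account   = $ev.SubjectUserName
                Source    = 'n/a'
                Detail    = ($matched -join ',')
                Time      = $ev.Time
            }
        }
    }
}

$alerts = @(Find-ServiceTicketHarvesting -Events $events -Threshold $TgsThreshold -WindowMinutes $WindowMinutes) +
          @(Find-ReplicationByNonDc -Events $events -DomainControllers $DomainControllers -Rights $ReplicationRights)
$alerts | Format-Table -AutoSize
```

On the sample above the first rule fires for svc_scan (six distinct services in under a minute) but not for jdoe, whose single RC4 ticket to a legacy service is ordinary traffic, and the second fires for svc_backup while DC02$ is ignored. Both rules depend on auditing being enabled on the DCs (Kerberos Service Ticket Operations for 4769, Directory Service Access with a SACL on the domain object for 4662); without those events no detection product, IDR or otherwise, has anything to work with.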

Prioritising Active Directory Security
Attackers recognise that the unique nature of AD makes it both highly valuable and difficult to secure—and exploiting it is now a priority for them. Ultimately, defenders can’t secure their directory services when they don’t understand the risks or have clear insights into when these assets are under attack. IDR provides continuous visibility into exposures, misconfigurations, and credentials that attackers seek to exploit during an identity-based attack. Adversaries aren’t going to stop targeting AD any time soon—but today’s organisations now have tools and resources at their disposal that can quickly detect and derail attackers seeking to exploit credentials and Active Directory.

Chris Fernando

Chris N. Fernando is an experienced media professional with over two decades of journalistic experience. He is the Editor of Arabian Reseller magazine, the authoritative guide to the regional IT industry. Follow him on Twitter (@chris508) and Instagram (@chris2508).
