Proactivity is key in Active Directory security

Carolyn Crandall at Attivo Networks explains the importance of addressing Active Directory defences as a way of protecting against ransomware

Reports of new ransomware attacks are filling the news on a daily basis. What is less commonly promoted is that they all have one common element: the leverage of Active Directory (AD).

This technology is responsible for critical authentication and authorisation processes across enterprise resources and can be considered the technical ‘spine’ of an organisation. AD is used by 90 percent of Fortune 1000 companies, and organisations need to prioritise protecting it to have the best chance against this onslaught of attacks.

Threat actors consider AD a primary target because it contains the information and privileges needed to advance their attack. Attackers also know that AD is intrinsically insecure and that traditional security controls are simply not designed to provide visibility into inherent risks or real-time detection of attacks.

Periodic audits and monitoring of logs are unquestionably ineffective, and businesses need to seek out new cyber-security innovations that provide visibility into exposures and entitlement risks from the endpoint, through AD, and into multi-cloud environments. Without identity-based security controls, organisations are likely to become aware of a ransomware attack only after the breach has taken place and they have been served a ransom demand.

The rise in ransomware exploiting AD

Most widescale ransomware attacks require AD control to create new objects, install backdoors, and distribute malware to other systems. The rise of Ransomware 2.0 has led to a decline in traditional ‘smash and grab’ attacks and an increase in extortion tactics.

Previously, attackers would need access and time to exfiltrate and encrypt data. However, more recent attacks have been far more deliberate, moving quickly throughout the network and with an intent to gain control, which can be used for disruption of service leverage.

To acquire the control needed, ransomware attackers will take advantage of any exposures and vulnerabilities they come across. This can be from misconfigurations or vulnerabilities that can be exploited before the company has the knowledge of or time to patch the issue.

A recent example is the Microsoft Exchange zero-day vulnerability, which the state-sponsored hacking group Hafnium exploited. In this case, attackers became aware of the vulnerability in advance of the patch, which gave other threat actors plenty of time to install backdoors, gain persistence, and conduct ransomware attacks.

Another example is the Ryuk group attack in 2020, which went from a single email to domain-wide ransomware infections in just over a day. The group then demanded over $6 million to unlock the systems. The attack started with an initial infection by the Bazar malware loader. The attackers conducted reconnaissance over 26 hours, and once they managed to execute the ransomware payload on the Domain Controller, they infected the rest of the network.

The limitations in AD security

The very nature of AD means it is easily accessed across an enterprise, which makes it far more susceptible to attack given how complex it is to secure. If successful, attackers can manipulate AD to change group membership, permissions, security policies, and access control lists (ACLs). Once inside, they have free rein to move laterally through the network by changing user rights and impersonating employees.

Given that the general view of AD focuses on service availability rather than security, it is not surprising that the protection side is lacking. These attitudes need to change, however, as vulnerabilities can give attackers critical privileged access and control, along with the ability to move discreetly throughout the network.

Traditional AD protection has focused primarily on controlling vulnerabilities through patching, adherence to the principle of least privilege, and tiered administration policies. While these measures are essential, they are no longer sufficient by themselves, which ties back to the issue of reactivity versus proactivity.

An organisation can only patch a vulnerability after it is known, and even log analysis combined with SIEM correlation centres on post-incident detection rather than prevention. To get ahead of this, businesses need to put reactive approaches behind them and move into a proactive future where they can both prevent attacks on Active Directory and detect attacks as they are being conducted.

Strengthening defences

When it comes to tackling AD exposures and vulnerabilities, visibility is crucial. One of the central undertakings is to regularly validate AD accounts and objects and maintain an updated list of permissions and privileges.

Frequently assessing settings and configurations can limit vulnerabilities, including account exposures, overlooked permissions, and excessive entitlements. Attackers target accounts with delegated admin or shadow admin permissions, and these regular assessments can remove unnecessary credentials or access rights that create attack paths within AD.

Businesses must implement improved attack detection that happens earlier in the attack life-cycle and can pick up activities like password spray attacks or mass account lockouts or changes. Attack tactics such as Ransomware 2.0 depend on the attacker’s ability to move laterally throughout the network, identify valuable assets, and elevate their privileges.

AD protection tools and strategies include real-time detection, identifying and remediating exposed credentials on the endpoint, detecting unauthorised AD queries, and hiding and denying access to sensitive or privileged AD objects. These approaches restrict unauthorised visibility into data and prevent attackers from gaining accurate information when querying AD. These controls quickly alert on attack activities like brute-force attempts, password spray attacks, and other tactics targeting AD objects.
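The two preceding paragraphs name password spraying, brute-force attempts and mass account lockouts as the AD activity that early detection should pick up. The following is an added example, not code from the article or from Attivo Networks, showing how such detection logic can be run over Windows Security events (4625 failed logon, 4740 account lockout). The event records, thresholds and window sizes are constructed for illustration and would be tuned to a real environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real logs).
# 4625 = failed logon, 4740 = account locked out.
SPRAY = [{"ts": f"2021-06-01T09:00:{i*10:02d}", "id": 4625, "user": u, "src": "10.0.0.5"}
         for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
BRUTE = [{"ts": f"2021-06-01T09:01:{s:02d}", "id": 4625, "user": "bob", "src": "10.0.0.9"}
         for s in range(0, 40, 5)]
LOCKOUTS = [{"ts": f"2021-06-01T09:02:{i*5:02d}", "id": 4740, "user": u, "src": "DC01"}
            for i, u in enumerate(["alice", "bob", "carol", "dave"])]
BENIGN = [{"ts": "2021-06-01T09:05:00", "id": 4625, "user": "grace", "src": "10.0.0.7"}]
EVENTS = SPRAY + BRUTE + LOCKOUTS + BENIGN

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _windows(events, window):
    """Yield sliding time windows (lists of events) over time-sorted events."""
    evs = sorted(events, key=_ts)
    start = 0
    for end in range(len(evs)):
        while _ts(evs[end]) - _ts(evs[start]) > window:
            start += 1
        yield evs[start:end + 1]

def classify_failed_logons(events, window=timedelta(minutes=10),
                           min_accounts=5, max_per_account=3):
    """Per source, label 4625 activity as 'spray' (many accounts, few tries each)
    or 'brute_force' (many tries on one account); quiet sources get no label."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        for win in _windows(evs, window):
            per_user = Counter(e["user"] for e in win)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                verdicts[src] = "spray"
                break
            if max(per_user.values()) > max_per_account:
                verdicts[src] = "brute_force"
                break
    return verdicts

def detect_mass_lockouts(events, window=timedelta(minutes=5), threshold=3):
    """True when 4740 lockouts for at least `threshold` distinct accounts fall in one window."""
    lockouts = [e for e in events if e["id"] == 4740]
    return any(len({e["user"] for e in win}) >= threshold
               for win in _windows(lockouts, window))
```

In practice the events would be fed from the domain controllers' Security logs or a SIEM export rather than the inline sample, and the same windows can be keyed by target account to catch lockout storms against a single privileged user.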

By mitigating AD vulnerabilities, security teams can stop ransomware attackers before they get the chance to access and leverage AD. Today’s advanced cyber-security tools make it easier for organisations, large and small, to enhance their defences and protect their credential identities and privileges effectively.

In a world where cyber pathways are abundant, businesses must protect against and counter those wishing to take advantage of inherent directory-service and over-provisioning weaknesses. Given how accessible AD is across an organisation and the consequences if it is compromised, its security must be viewed as a top priority.

Taking a more proactive approach to AD cyber-security will strengthen a business’s position moving forward and will help ready the organisation for future growth and inevitable expansion into multi-cloud environments.

Carolyn Crandall is Chief Security Advocate at Attivo Networks

Copyright Lyonsdown Limited 2021
