Although enterprises have implemented numerous point solutions to detect and remediate threats as well as gain visibility across systems, AD security has not kept pace with the rapidly growing complexity of the modern digital ecosystem.
Most enterprises use Active Directory (AD) to control which machines and users may access the company's resources. It can be a blessing and a curse: as the central store for information about the network (users, credentials, applications, computers, and so on), AD is crucial to the day-to-day running of the business.
Having all this information in one place makes AD a highly prized target for threat actors. Cyber criminals today are targeting AD, performing reconnaissance to discover users, computers, and servers in the network, and then moving laterally to launch multi-stage attacks to gain access and abuse enterprise resources and data.
The easiest way for a threat actor to obtain sensitive data is to compromise an end user's identity and credentials. The damage is worse if the stolen identity belongs to a privileged user with broad access. This is why phishing, which targets exactly those credentials, accounts for such a large share of today's attacks.
As per the 2020 Verizon Data Breach Investigations Report, nearly one-third of all breaches in the past year involved phishing.
Keys to the Kingdom
Active Directory is sometimes referred to as the keys to the kingdom. Cyber criminals use man-in-the-middle attacks, phishing, and other techniques to obtain the credentials that get them into a network. Once inside, they often deploy tools such as BloodHound to map out the entire AD environment. With that map, they can identify the high-value assets and privileged accounts needed to complete their objectives and plan their attack path.
The majority of enterprises use AD as their primary store for identity management, employee authentication, and access control in their on-premises environments. Even enterprises that have shifted their workloads to the cloud should understand that their cloud identities often still depend on the integrity of on-premises AD, because AD is the source from which other identity stores are synchronised. An AD compromise can therefore cause a catastrophic ripple effect across the enterprise's entire identity infrastructure.
Enterprises Cannot Prevent All Infiltrations
Enterprises can restrict what AD exposes and who can reach it to reduce the chance that an intrusion escalates, but this is a trade-off: the tighter the restrictions, the more of AD's operational convenience is lost.
To thwart threat actors, AD admins often adopt a three-tier model with separate logons for AD itself (tier 0), servers (tier 1), and workstations (tier 2), on the view that this is the only way to restrict lateral movement and privilege escalation. But this has consequences for tracking access and alerts: security teams may find themselves overwhelmed by a high volume of alerts and under pressure to over-provision access.
Using Deception against Threat Actors
Since an enterprise's network will likely be infiltrated at some point, an alternative defense strategy is deception: presenting threat actors with false information that looks legitimate, so that they never receive operational AD information and are instead misdirected into a decoy environment. This undermines their trust in the output of their attack tools and curtails their ability to move laterally through the system.
Furthermore, while the deception is underway, the solution can record the threat actor's tactics, techniques and procedures (TTPs) for the security team to use in strengthening defenses and threat hunting, so that the same path cannot be used for further breaches.
With access to AD, threat actors hope to hide from security teams, for instance by creating domains or reusing existing credentials. By entrapping them, security teams can turn deception into a weapon against the attackers and safeguard their assets.
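The two ideas above, misdirecting reconnaissance into decoy objects and recording the attacker's activity while they interact with them, can be illustrated with a small honeytoken detector. The following is an added example written for this page, not code from the original post or from any product it describes. The decoy account and host names, the Windows Security event IDs it watches (4768, 4769, 4771, 4624, 4625) and the key=value log format are assumptions: the event IDs are real Windows values, but the log lines are constructed for the example rather than exported from a real domain controller.

```python
"""Honeytoken alerting for Active Directory deception (added example).

Decoy accounts and hosts are planted so that they look valuable to
BloodHound-style reconnaissance but are never used legitimately. Any
authentication traffic that touches them is therefore a high-fidelity
indicator of an intruder, and grouping the hits by source address gives
the security team a record of where the probing came from.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical decoy objects (assumed names, not real accounts or hosts).
DECOY_ACCOUNTS = {
    "svc_backup_admin": "SPN set: bait for Kerberoasting",
    "da_legacy": "adminCount=1: looks like a stale Domain Admin",
}
DECOY_HOSTS = {"filesrv-old01": "decoy file server published in AD and DNS"}

# Windows Security event IDs the rules below look at.
TGT_REQUEST = 4768      # Kerberos TGT requested for TargetUserName
SERVICE_TICKET = 4769   # Kerberos service ticket for ServiceName (Kerberoasting shows here)
PREAUTH_FAILED = 4771   # Kerberos pre-authentication failed (password guessing)
LOGON_SUCCESS = 4624
LOGON_FAILED = 4625


@dataclass(frozen=True)
class Alert:
    event_id: int
    decoy: str
    source_ip: str
    reason: str


def parse_event(line):
    """Parse a constructed 'Key=Value Key=Value' event line into a dict.

    A real deployment would read EVTX or a SIEM export; this format is
    invented for the example. Returns None for lines without an EventID.
    """
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    if "EventID" not in fields:
        return None
    fields["EventID"] = int(fields["EventID"])
    return fields


def _norm(name):
    # Case-insensitive match; strip the trailing '$' of machine accounts.
    return name.lower().rstrip("$")


def detect_decoy_use(lines):
    """Return one Alert per event that touches a decoy account or host."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        eid = ev["EventID"]
        src = ev.get("IpAddress", "?")
        target = _norm(ev.get("TargetUserName", ""))
        service = _norm(ev.get("ServiceName", ""))
        computer = _norm(ev.get("Computer", ""))  # host that logged the event

        # Rule 1: any TGT request, pre-auth failure or logon naming a decoy account.
        if eid in (TGT_REQUEST, PREAUTH_FAILED, LOGON_SUCCESS, LOGON_FAILED) \
                and target in DECOY_ACCOUNTS:
            alerts.append(Alert(eid, target, src,
                                f"auth attempt as decoy ({DECOY_ACCOUNTS[target]})"))
        # Rule 2: service ticket requested for a decoy SPN, i.e. a Kerberoast attempt.
        if eid == SERVICE_TICKET and service in DECOY_ACCOUNTS:
            alerts.append(Alert(eid, service, src,
                                f"service ticket for decoy SPN requested by {target}"))
        # Rule 3: any logon event recorded on a decoy host.
        if eid in (LOGON_SUCCESS, LOGON_FAILED) and computer in DECOY_HOSTS:
            alerts.append(Alert(eid, computer, src,
                                f"logon against decoy host ({DECOY_HOSTS[computer]})"))
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source IP so the team sees which host is probing the decoys."""
    summary = defaultdict(list)
    for a in alerts:
        summary[a.source_ip].append((a.event_id, a.decoy))
    return dict(summary)


# Constructed sample events: one workstation (10.0.5.23) Kerberoasts the decoy
# SPN, guesses the decoy admin's password, then logs on to the decoy server.
SAMPLE_EVENTS = [
    "EventID=4624 Computer=DC01 TargetUserName=jdoe IpAddress=10.0.5.23 WorkstationName=WS042",
    "EventID=4769 Computer=DC01 TargetUserName=jdoe ServiceName=svc_backup_admin IpAddress=10.0.5.23",
    "EventID=4768 Computer=DC01 TargetUserName=da_legacy IpAddress=10.0.5.23",
    "EventID=4771 Computer=DC01 TargetUserName=da_legacy IpAddress=10.0.5.23",
    "EventID=4624 Computer=FILESRV-OLD01 TargetUserName=jdoe IpAddress=10.0.5.23 WorkstationName=WS042",
    "EventID=4624 Computer=DC01 TargetUserName=asmith IpAddress=10.0.7.8 WorkstationName=WS017",
]

if __name__ == "__main__":
    for alert in detect_decoy_use(SAMPLE_EVENTS):
        print(alert)
    print(summarize_by_source(detect_decoy_use(SAMPLE_EVENTS)))
```

The point of the design is that the rules need no baseline or threshold: because nobody legitimately authenticates as a decoy account or to a decoy host, a single hit is actionable, which is the opposite of the alert-volume problem the tiering discussion above describes. In the sample data the benign logons by jdoe and asmith produce nothing, while the four events touching decoys are all attributed to 10.0.5.23, giving the responder both the TTPs (Kerberoasting, password guessing, lateral logon) and the host to isolate.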