“Cybersecurity teams should look for exposed, orphaned, or duplicate credentials and shadow admin accounts that create attack paths from endpoints to the AD controllers,” says Carolyn Crandall, Chief Security Advocate and CMO, Attivo Networks, in an exclusive interview with ITSecurityWire.
ITSW Bureau: Why are CISOs forced to focus their attention and efforts on AD protections?
Carolyn Crandall: According to Microsoft, attackers target Active Directory over 95 million times per day whilst 80% of all attacks use privileged access. Attacker use of Active Directory has been an element in every recent major breach and ransomware announcement.
Traditional AD protection focused predominantly on controlling vulnerabilities by patching, trying to adhere to the principle of least privileges, and tiered administration policies. Some organizations try to detect attacks by logging everything and sending it to a SIEM to look for unusual activities. While these steps are necessary, they fall short when trying to quickly identify attacks that originate from endpoints or make changes to AD settings and policies with low false-positive rates.
ITSW Bureau: How can enterprises effectively assess Active Directory cyber hygiene?
Carolyn Crandall: The cybersecurity teams of enterprises must understand what patches are available and make sure everything gets patched promptly. They should regularly audit Active Directory policies and settings for any exposures and remediate them. Moreover, they should ensure that they continuously assess and swiftly change settings and configurations to limit exposures, overlooked permissions (Kerberoasting, delegated admins/shadow admins), and entitlements.
The cybersecurity team should make provisions that limit access to the least privileges required. They should understand and remove unneeded credentials/access rights that create attack paths to AD. Furthermore, they should enable auditing on AD and review the logs regularly for unusual activity.
ITSW Bureau: How can enterprises identify vulnerabilities in their Active Directory before an attacker can make their move?
Carolyn Crandall: Keep up to date on Microsoft patches. Audit policies and trust relationships across forests regularly. Inventory all user or device accounts, privileges and entitlements. Review and reassess AD security settings regularly. Regularly assess for any Kerberos vulnerabilities in AD. Continuously assess the AD environment to identify vulnerabilities.
This continuous audit uses tools that run continually or on-demand to detect vulnerabilities at the domain, user, and device levels. Detect live attacks. The cybersecurity team should note that this is different from detecting an attack with logs or a SIEM. This capability detects unauthorized queries to AD and raises an alert on such discovery activity.
Using concealment and misdirection technology solutions can also serve for early alerting and threat intelligence collection. In this case, the solutions return fake data to the attacker that directs them to decoys when they try to use it. These decoys collect their TTPs and IOCs for analysis while the attacker is unaware of the bait and switch. Not only does it increase the attacker’s cost as they follow a fool’s errand, but the defenders get the opportunity to remediate the situation before the attacker can exploit AD or the information or access contained within.
Detection can also serve to disrupt early-stage attacks, such as gathering information (DCSync attack), creating persistence (DCShadow attack), and gaining privileges to change policies and settings (Golden Ticket attack).
A successful Golden Ticket attack can be devastating, with widespread implications and often the need to completely rebuild Active Directory. If the organization does not understand the attackers and completely remove their access, the adversaries can simply rinse and repeat the whole process. To say this is ugly is an understatement.
Cybersecurity teams should look for exposed, orphaned, or duplicate credentials and shadow admin accounts that create attack paths from endpoints to the AD controllers. Users may mistakenly store these account credentials on their workstations, leaving them available for attackers to steal and reuse.
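The account inventory and exposure review described in this answer, as an added example that is not part of the interview or any Attivo Networks product: it runs over a constructed account export (the `SAMPLE_EXPORT` records, group names and SPNs are made up) and flags Kerberoastable user accounts, orphaned `adminCount` markers and stale-but-enabled accounts.

```python
from datetime import datetime, timedelta, timezone
# userAccountControl flags documented by Microsoft
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
# Groups whose members get adminCount=1 via AdminSDHolder; the flag is not cleared on removal
PROTECTED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                    "Account Operators", "Backup Operators", "Schema Admins"}

def audit_accounts(accounts, now, stale_days=90):
    """Return {sAMAccountName: [findings]} for the exposures the interview names."""
    findings = {}
    for a in accounts:
        uac = a["userAccountControl"]
        groups = set(a.get("memberOf", []))
        issues = []
        # Kerberoasting exposure: a user account with an SPN yields a service ticket
        # encrypted with its password hash; computer accounts ($) are skipped.
        if a.get("servicePrincipalName") and not a["sAMAccountName"].endswith("$"):
            issues.append("kerberoastable-privileged" if groups & PROTECTED_GROUPS
                          else "kerberoastable")
            if uac & DONT_EXPIRE_PASSWORD:
                issues.append("password-never-expires")
        # Orphaned admin marker: adminCount=1 but no longer in a protected group
        if a.get("adminCount") == 1 and not (groups & PROTECTED_GROUPS):
            issues.append("orphaned-admincount")
        # Enabled but unused: the kind of orphaned credential an attacker can reuse
        if not (uac & ACCOUNTDISABLE) and now - a["lastLogon"] > timedelta(days=stale_days):
            issues.append("stale-enabled")
        if issues:
            findings[a["sAMAccountName"]] = issues
    return findings

NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
# Constructed account export (as from an LDAP dump); not from any real directory
SAMPLE_EXPORT = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "userAccountControl": 0x10200, "adminCount": 0, "memberOf": ["Domain Users"],
     "lastLogon": NOW - timedelta(days=1)},
    {"sAMAccountName": "jsmith_old", "servicePrincipalName": [], "userAccountControl": 0x200,
     "adminCount": 1, "memberOf": ["Domain Users"], "lastLogon": NOW - timedelta(days=400)},
    {"sAMAccountName": "DB01$", "servicePrincipalName": ["HOST/db01.corp.example"],
     "userAccountControl": 0x1000, "adminCount": 0, "memberOf": ["Domain Computers"],
     "lastLogon": NOW - timedelta(hours=2)},
    {"sAMAccountName": "alice", "servicePrincipalName": [], "userAccountControl": 0x200,
     "adminCount": 1, "memberOf": ["Domain Admins"], "lastLogon": NOW - timedelta(days=3)},
]

if __name__ == "__main__":
    for name, issues in audit_accounts(SAMPLE_EXPORT, NOW).items():
        print(name, issues)
```

Against a real domain the same checks would run over the output of an LDAP export or `Get-ADUser` with the `servicePrincipalName`, `adminCount`, `userAccountControl`, `memberOf` and `lastLogon` attributes.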
ITSW Bureau: What steps can enterprises take to stop attackers from performing cyber espionage that enables them to identify regular IT activities and security measures?
Carolyn Crandall: Attackers typically target and exploit Active Directory to identify IT activities, gain privileges, change policy settings, and erase their tracks. Organizations can take the following steps to mitigate the risk of Active Directory exploitation:
- Detect and prevent attackers from querying AD for info while remaining undetected.
- Prevent attackers from gaining accurate information when querying AD.
- Detect and prevent attackers from changing settings within AD.
- Quickly detect activities like brute force attempts, password spray attacks, or other tactics that target AD objects.
- Prevent attackers from getting delegated access info to acquire administrative rights by using Bloodhound or other similar tools.
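The fourth step above, quick detection of brute force and password spray attempts against AD, as an added example that is not part of the interview: it runs detection logic over constructed lines modelled on Windows Security events 4625 and 4771 (the hosts, accounts and timestamps are made up) and separates a spray (one source, many accounts) from a brute force (one source, one account).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed lines modelled on Windows Security events 4625 (logon failure, sub-status
# 0xC000006A = bad password) and 4771 (Kerberos pre-auth failed, code 0x18); fabricated
# for this example, not captured from a real domain controller.
SAMPLE_EVENTS = """\
2021-06-01T08:00:01Z 4771 src=10.0.0.5 user=alice code=0x18
2021-06-01T08:00:02Z 4771 src=10.0.0.5 user=bob code=0x18
2021-06-01T08:00:03Z 4771 src=10.0.0.5 user=carol code=0x18
2021-06-01T08:00:04Z 4771 src=10.0.0.5 user=dave code=0x18
2021-06-01T08:00:05Z 4771 src=10.0.0.5 user=erin code=0x18
2021-06-01T08:01:00Z 4625 src=10.0.0.9 user=svc_backup code=0xC000006A
2021-06-01T08:01:05Z 4625 src=10.0.0.9 user=svc_backup code=0xC000006A
2021-06-01T08:01:10Z 4625 src=10.0.0.9 user=svc_backup code=0xC000006A
2021-06-01T08:01:15Z 4625 src=10.0.0.9 user=svc_backup code=0xC000006A
2021-06-01T08:01:20Z 4625 src=10.0.0.9 user=svc_backup code=0xC000006A
2021-06-01T08:02:00Z 4625 src=10.0.0.7 user=grace code=0xC000006A
2021-06-01T08:50:00Z 4771 src=10.0.0.7 user=heidi code=0x18
"""
LINE = re.compile(r"(\S+) (4625|4771) src=(\S+) user=(\S+) code=(\S+)")
BAD_PASSWORD = {"4625": "0xC000006A", "4771": "0x18"}  # only wrong-password failures count

def parse(text):
    """Yield (timestamp, source, account) for each wrong-password failure."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m and BAD_PASSWORD[m.group(2)] == m.group(5):
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(3), m.group(4)

def detect(text, window=timedelta(minutes=10), spray_users=5, brute_attempts=5):
    """Return sorted (kind, source, account) alerts; '*' marks a spray across many accounts."""
    by_src = defaultdict(list)
    for ts, src, user in parse(text):
        by_src[src].append((ts, user))
    alerts = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window from each event
            in_win = [u for t, u in events[i:] if t - t0 <= window]
            if len(set(in_win)) >= spray_users:
                alerts.add(("password-spray", src, "*"))
            for u in set(in_win):
                if in_win.count(u) >= brute_attempts:
                    alerts.add(("brute-force", src, u))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The source 10.0.0.7 produces two isolated failures 48 minutes apart and raises nothing, which is the low-false-positive behaviour the earlier answer asks of AD attack detection.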
Carolyn holds the roles of Chief Security Advocate and CMO at Attivo Networks. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has a demonstrated track record of effectively taking companies from pre-IPO through to multi-billion-dollar sales and has held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate.