Deployment of concealment techniques to sensitive files, folders, credentials, and other assets, will also limit an attack’s severity because attackers cannot exploit or steal assets that they cannot see or access,” says Carolyn Crandall, Chief Security Advocate and CMO, Attivo Networks, in an exclusive interview with ITSecurityWire.
ITSW Bureau: Can you describe some of the challenges organizations face while securing their Active Directory databases?
Carolyn Crandall: Active Directory (AD), a primary credential store, is 20+ years old but remains an instrumental tool for managing an organization’s directory services. It is estimated that over 85% of businesses continue to use Active Directory, with its environment’s becoming exponentially more complex as they expand to manage a mass proliferation of users, devices, and domain controllers. For many organizations, the sprawl of AD has turned it into a complex hairball of policy changes, settings updates, and other forgotten configurations. This complexity and growth have created opportunities for attackers to target it as they seek the privileges needed to conduct their attacks, install backdoors, and download binaries onto systems that can be encrypted for a ransomware attack.
Active Directory is highly dynamic and, therefore, complex to manage. However, ignoring its security risks and not digging deep enough into exposures can have material consequences. For instance, forgotten administrator accounts are a valued target for attackers and just one of many types of vulnerabilities that could exist. M&A activity, remote work, and the exponential rise in the number of human and non-human identities make the situation worse.
A functioning Active Directory is critical for business continuity because it stores and shares information on the network that regulates how users and machines access company resources. Every device can access AD, which means it serves as a kind of spinal cord connecting every user and device. When an adversary compromises AD, they gain the keys to the kingdom, which shows them the paths to their targets and goes so far as to grant them the power to unlock the doors. Unfortunately, the exploitation of Active Directory has been seen in virtually every significant ransomware attack.
Microsoft’s statistics reveal that 500 million active account users use AD, with 10 billion daily authentications. Around 95 million of those accounts are under cyber threat every day. AD security is a big problem and requires heightened attention. A secure AD will dramatically reduce the blast radius of an attack because it makes a threat actor’s life more difficult by denying them the ability to move laterally, extend their privileges and extend their attack.
Also Read: Top Three Security Mistakes CISOs Make today
ITSW Bureau: How can organizations prevent attackers from exploiting Active Directory? What role does concealment, misdirection, and cyber deception have in protecting this environment?
Carolyn Crandall: Attackers will quickly seek access to Active Directory as they look to elevate privileges and move laterally.
Initial protection steps should centre on reducing the attack surface by using Identity Exposure Visibility tools to identify attack paths and vulnerabilities in AD that are open to attack. For businesses deployed in cloud environments, security teams will also want to look for risks related to Azure AD.
Concealment plays a critical role in hiding Active Directory objects from the preying eyes of an attacker. Misdirection can feed back disinformation to an unauthorized query, derail the attack, and send the attacker off to reveal their secrets in a decoy. Here, defenders can also study attack behaviour and gather critical threat intelligence.
Deployment of concealment techniques to sensitive files, folders, credentials, and other assets, will also limit an attack’s severity because attackers cannot exploit or steal assets that they cannot see or access.
Cyber deception involves placing decoy assets through the network that detects credential theft, lateral movement, privilege escalation, and other indicators of adversary activity. When attackers interact with these assets, security teams get alerted to their presence and respond appropriately.
Deceptive assets could be fake user credentials stored on endpoints, which attackers can access to move laterally throughout the network and target AD. Other deception assets include decoy file shares that become a target for ransomware and other automated attacks. Decoy documents that “phone home” when opened can flag unauthorized access and potential data exfiltration attempts.
A modern deception platform will also offer the ability to redirect attack traffic whenever intruders attempt to connect to production systems, steering them towards decoys and allowing defenders to conduct forensic analysis of the threat, which can be invaluable in preparing for future attacks.
ITSW Bureau: What steps do you recommend to CISOs to get continuous visibility to the Active Directory (AD) exposures vulnerable to cyber-attacks?
Carolyn Crandall: It is vital to identify Active Directory exposures before attackers can gain control and set up backdoors. Vulnerability management should include systems that discover exposures and generate alerts when attackers target AD vulnerabilities.
These assessments should comprehensively cover critical domain, computer, and user-level exposures. The insights gained during this exercise should also cover visibility to risks related to credentials, privileged accounts, stale accounts, shared credentials, and AD attack paths.
As well as looking for exposures, misconfigurations, and anomalous activity in AD, defenders benefit from access to solutions that give real-time alerts when AD is under attack. Ideally, AD defence systems can work a little like continuous penetration testing and frequently search for vulnerabilities to address – before attackers find them.
Also Read: Identity Theft is Only Going to Get Worse
ITSW Bureau: What trends do you expect to witness in Active Directory security? How should organizations keep up with them?
Carolyn Crandall: A new category called Identity Detection and Response (IDR) has become an increasingly important way of protecting organisations from identity-based attacks. It is adjacent to Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), focusing on safeguarding credentials, privileges, cloud entitlements, and the systems that manage them, such as Active Directory.
With the heightened attention on IDR and the need for protecting AD, we will see an expansion of the exposure and vulnerability checks that automated solutions can provide. We will see more deployment options that allow protection to run at both the endpoint and domain controller levels and we will see expanded support for cloud environments. The other area of innovation will come from AD assessment and detection tools being more tightly bundled together so that when vulnerabilities must remain, advanced detection tools will engage to alert and misdirect any nefarious activity.
Carolyn is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has a demonstrated track record of effectively taking companies from pre-IPO through to multi-billion-dollar sales and has held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate. Carolyn is recognized as a global thought leader in technology trends and for building strategies that connect technology with customers to solve difficult operations, digitalization, and security challenges.