Vulnerability Active Directory
By Jürgen Haekel
Microsoft’s Active Directory (AD), introduced in the late 1990s, has become the industry standard for directory services and is used today by nine out of ten companies in the Global Fortune 1000. It is also a very popular gateway for cyber attacks and is difficult to secure.
Jürgen Haekel, freelance journalist, Munich
According to Microsoft, nearly 100 million AD accounts are attacked every day worldwide. Because AD is volatile and distributed, with numerous teams usually responsible for different areas, it is not easy to secure against such attacks. Securing it is nevertheless absolutely necessary, because Active Directory is not only the CISO's Achilles heel but also the backbone of the entire user and rights management in the company.
For a long time, AD was treated like the electricity or water supply: it was just there, and as long as it worked, everything was fine, in keeping with the motto "never change a running system". However, this practice poses a significant risk, as changes in administrators, the trend towards working from home, and mergers and acquisitions can create additional security risks if the changes are not adequately reflected in Active Directory.
Since AD is increasingly being targeted by cybercriminals, regular patching and the continuous review of policies and security risks are mandatory tasks. In addition, AD must be regularly backed up both on-site and in the cloud. Security teams need to be aware of the weaknesses that leave AD open to attack. Every company that builds a zero trust architecture needs complete transparency to enforce the principle of least privilege and to gain an overview of the risks associated with group policies and overlapping trusts.
There is no such thing as a completely secure AD, as the attack surface is constantly changing. Usually there are too few staff and too little expertise to analyze and understand the risks in detail. Therefore, solutions are needed that automatically and continuously provide the necessary visibility and real-time detection of attacks on Active Directory.
Active Directory Security is complex
Protecting against AD attacks can be difficult, but it is not impossible; you just need the right tools and methods. AD can be protected by patching and by evaluating the vulnerabilities and settings that leave it open to attack. For example, organizations can avoid “kerberoasting” (an attack that makes it easy for attackers to gain privileged access) by implementing the right rules and careful configuration. It is generally good practice to constantly check and limit the access rights granted and the number of administrators. CISOs must therefore understand the thicket of permissions they grant and what those permissions allow users to do.
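The configuration side of the kerberoasting point can be checked against an account inventory. The following is an added example, not part of the original article: it flags accounts that carry a service principal name (SPN) and whose settings make an offline-cracked ticket more likely or more damaging. The inventory, account names and the one-year password age limit are constructed assumptions; the bit values are those of the `msDS-SupportedEncryptionTypes` attribute.

```python
from datetime import date

# msDS-SupportedEncryptionTypes bit flags
DES, RC4, AES = 0x1 | 0x2, 0x4, 0x8 | 0x10

def kerberoast_findings(accounts, today, max_pwd_age_days=365):
    """Return {account: [reasons]} for SPN-bearing accounts worth hardening."""
    findings = {}
    for a in accounts:
        # No SPN means no service ticket can be requested for the account;
        # gMSA passwords are long, random and rotated automatically.
        if not a["spns"] or a["is_gmsa"]:
            continue
        reasons = []
        if a["enc_types"] == 0:
            # Assumption of this audit: an unset value is not proof of AES-only.
            reasons.append("encryption types unset, domain default applies")
        elif a["enc_types"] & (RC4 | DES):
            reasons.append("RC4/DES tickets permitted")
        age = (today - a["pwd_last_set"]).days
        if age > max_pwd_age_days:
            reasons.append(f"password is {age} days old")
        if a["privileged"]:
            reasons.append("member of a privileged group")
        if reasons:
            findings[a["sam"]] = reasons
    return findings

def acct(sam, spns, enc, pwd_set, privileged=False, is_gmsa=False):
    """Build one inventory record (hypothetical helper for the sample data)."""
    return {"sam": sam, "spns": spns, "enc_types": enc, "pwd_last_set": pwd_set,
            "privileged": privileged, "is_gmsa": is_gmsa}

# Constructed sample inventory; in practice this would come from a directory export.
ACCOUNTS = [
    acct("svc-sql", ["MSSQLSvc/db01.corp.example:1433"], RC4, date(2019, 3, 1), privileged=True),
    acct("svc-web", ["HTTP/intranet.corp.example"], AES, date(2024, 1, 10)),
    acct("svc-legacy", ["HTTP/old.corp.example"], 0, date(2024, 2, 1)),
    acct("gmsa-backup$", ["HOST/bk01.corp.example"], RC4 | AES, date(2018, 5, 5), is_gmsa=True),
    acct("jdoe", [], 0, date(2023, 11, 2)),
]
TODAY = date(2024, 6, 1)  # fixed date so the result is reproducible

if __name__ == "__main__":
    for sam, reasons in kerberoast_findings(ACCOUNTS, TODAY).items():
        print(sam, "->", "; ".join(reasons))
```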
With AD security, it is not enough to ask who belongs to which security group. Each object in AD has an Access Control List to which administrators can add user accounts. With this in mind, it is crucial not to overlook any security flaws such as overlapping permissions and other settings that could expose the company to an attack.
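Why group membership alone is not enough can be shown with a small audit, given here as an added example that is not part of the original article: it resolves the trustees on the ACLs of protected objects through nested groups and reports every user who holds a control right without being in the admin group. All account names, groups and ACL entries are constructed, and the right names are simplified labels.

```python
# Rights that let a trustee take over the object they are granted on.
DANGEROUS = {"GenericAll", "WriteDacl", "WriteOwner", "ForceChangePassword"}

def expand(principal, members, seen=None):
    """Resolve a trustee to the user accounts it contains, following nested groups."""
    seen = set() if seen is None else seen
    if principal in seen:
        return set()            # already visited: breaks group nesting loops
    seen.add(principal)
    if principal not in members:
        return {principal}      # not a group, so it is a user account
    users = set()
    for member in members[principal]:
        users |= expand(member, members, seen)
    return users

def shadow_admins(aces, members, protected, admin_group):
    """Return {user: {(object, right, via_trustee)}} for non-admins with control rights."""
    admins = expand(admin_group, members)
    found = {}
    for obj, trustee, right in aces:
        if obj in protected and right in DANGEROUS:
            for user in expand(trustee, members) - admins:
                found.setdefault(user, set()).add((obj, right, trustee))
    return found

# Constructed sample directory: group -> direct members (note the nesting loop).
MEMBERS = {
    "Domain Admins": ["alice"],
    "Helpdesk": ["bob", "Contractors"],
    "Contractors": ["carol", "Helpdesk"],
    "Server Ops": ["alice"],
}
# Constructed ACL entries: (object, trustee, right).
ACES = [
    ("Domain Admins", "Domain Admins", "GenericAll"),
    ("alice", "Helpdesk", "ForceChangePassword"),
    ("Domain Admins", "dave", "WriteDacl"),
    ("OU=Workstations", "Helpdesk", "GenericAll"),
    ("alice", "Server Ops", "ReadProperty"),
]
PROTECTED = {"Domain Admins", "alice"}

if __name__ == "__main__":
    for user, grants in sorted(shadow_admins(ACES, MEMBERS, PROTECTED, "Domain Admins").items()):
        for obj, right, via in sorted(grants):
            print(f"{user}: {right} on {obj} (granted to {via})")
```

None of the three reported users appears in the admin group, yet each can take control of an admin account or of the admin group itself.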
Anticipating cyber attacks
However, all preventive measures can be in vain if the company is not able to detect an attack on Active Directory, and it is difficult to detect such activities on the basis of log files or regular inspections.
Attackers often use open source tools such as BloodHound, which was originally developed for penetration testers, to find vulnerabilities in AD and obtain administrator rights. When such tools are in use, numerous modifications and changes to AD settings are a sign that companies should check their AD immediately. A brute force or password spray attack usually manifests itself in multiple password resets or user lockouts on the domain controller. If companies detect such attacks on AD at an early stage, they can significantly reduce the potential damage. Anyone who waits for an alert triggered by, for example, an attacker changing a security configuration will be too late in an emergency. The attackers are then already further ahead and can do much more, including installing backdoors. However, it is complex and time-consuming to search for such behavior with the usual tools.
After breaking through the perimeter and gaining a foothold in the network, the attackers conduct a search operation, also called reconnaissance, to discover potentially valuable resources and find out how to get to them. AD is one of the easiest ways to do this, as querying it can be disguised as routine corporate activity with a low risk of detection.
Therefore, it makes sense to try to prevent attackers from accessing AD from the outset. Recent developments for the protection of Active Directory offer an obfuscation technology that hides AD objects and at the same time detects illegitimate queries that are intended to capture valid data for an attack. For example, Attivo Networks has launched the ADAssessor, an innovative method for detecting and fixing security vulnerabilities in Active Directory that could be exploited by hackers to gain privileged access to critical resources.
The ADAssessor enables real-time detection of AD privilege escalation as well as domain compromise and simplifies granular access restrictions to AD information. It also provides continuous insight into the risks of identities and privileged accounts in terms of credentials, service accounts, delegated accounts, outdated accounts and shared credentials. It also improves the visibility of AD security issues and provides actionable alerts on key vulnerabilities at the domain, computer, and user levels. Security teams can benefit from this functionality without needing privileged access to Active Directory themselves.
In addition to such tools, security teams can also use disinformation to mislead opponents. The goal is for the attacker to engage with decoys and focus on a place where the security team can collect data to strengthen its defense. Detecting and preventing the enumeration of rights, administrators and service accounts at an early stage in the attack cycle can alert defenders to the presence of an attacker. Deceptive domain accounts and credentials placed on endpoints can then mislead the attacker and serve as bait.
Securing AD using the principle of least privilege and tiered management is no longer sufficient, because this method is not scalable. However, companies can take precautions to protect their settings. To do this, they can use new technologies to uncover vulnerabilities and conduct continuous AD penetration tests in a highly complex cybersecurity landscape. In addition, they should also look for vulnerabilities beyond audit logs and update their security procedures with mechanisms for detecting live attacks.
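The lockout and reset symptom described above can be turned into a simple detection rule. The following added example, which is not part of the original article, slides a time window over domain controller security events and raises one alert per burst in which several different accounts are locked out (event ID 4740) or have their password reset (event ID 4724). The events, the 10-minute window and the threshold of four accounts are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

WATCHED = {4740: "lockout", 4724: "password reset"}

def find_bursts(events, window=timedelta(minutes=10), threshold=4):
    """Return one alert per burst of >= threshold distinct accounts inside the window."""
    alerts, last = [], {}
    recent = {kind: deque() for kind in WATCHED.values()}
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = WATCHED.get(ev["id"])
        if kind is None:
            continue                        # unrelated event, e.g. a normal logon
        q = recent[kind]
        q.append((ev["time"], ev["target"]))
        while q[0][0] < ev["time"] - window:
            q.popleft()                     # drop events older than the window
        accounts = {target for _, target in q}
        if len(accounts) < threshold:
            continue                        # isolated lockouts are routine
        prev = last.get(kind)
        if prev and prev["end"] >= q[0][0]:
            prev["end"] = ev["time"]        # same burst continues: extend the alert
            prev["accounts"] |= accounts
        else:
            last[kind] = {"kind": kind, "start": q[0][0],
                          "end": ev["time"], "accounts": accounts}
            alerts.append(last[kind])
    return alerts

def ev(minutes, event_id, target):
    """Build one constructed event relative to T0 (hypothetical helper)."""
    return {"time": T0 + timedelta(minutes=minutes), "id": event_id, "target": target}

T0 = datetime(2024, 5, 6, 9, 0)
# Constructed events: one routine lockout an hour earlier, then five accounts
# locked within six minutes, plus a single reset and a logon that must be ignored.
EVENTS = [ev(-58, 4740, "mike"), ev(0, 4740, "anna"), ev(1, 4740, "ben"),
          ev(2, 4724, "anna"), ev(3, 4740, "cara"), ev(3, 4624, "ben"),
          ev(4, 4740, "dev"), ev(6, 4740, "eli")]

if __name__ == "__main__":
    for a in find_bursts(EVENTS):
        print(a["kind"], a["start"], a["end"], sorted(a["accounts"]))
```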