Despite the heavy reliance on the 20-year-old technology, Active Directory, cybersecurity efforts seem to continuously overlook this obvious and frequent target, which only puts organizations at further risk.
We’re watching the battle of cyber good and evil at a very interesting time. Overall, the security industry shows a lot of strength in its evolution of solutions and focus on attack specifics to not just detect but truly prevent attacks. We’re seeing next generation solutions in every layer of the security stack and thousands of vendors to choose from.
Despite these advances, Active Directory is still one part of an organization’s environment that gets the least cybersecurity attention. While most security programs have a SIEM solution monitoring logs for anything out of the norm, this is simply not enough.
The story of the greatest of Greek warriors, Achilles, is one known to all of us. He was protected and considered “invulnerable” in all of his body except for one of his heels. And it was in this heel that an arrow found its way to take Achilles down.
Like Achilles, Active Directory is assumed to be invulnerable because there are so many protective measures in place. But like Achilles’ heel, once an attacker can get to it, it’s game over. Even a novice attacker can do a bit of web searching and find out about vulnerabilities, procedures, and tools available to compromise Active Directory.
- It’s the cornerstone of most of operations – Despite most organizations utilizing a hybrid-cloud directory with Azure AD and Office 365 in the mix, the system of record today for most organizations is still on-premises Active Directory. Therefore, every on-prem and cloud-based service, application, data set, and resource rely either indirectly or directly on Active Directory to gain access. So, should Active Directory become compromised, every part of operations dependent upon it comes to a halt.
- It’s not designed for security – 20 years ago, Microsoft was building a way to centrally provide access and they weren’t thinking about least privilege or zero trust. Sure, it does have some elements related to the security of your environment, but think about it: there’s no permissions detail to resources stored in Active Directory at all; it’s merely an identity provider that all the other parts of your Microsoft ecosystem trust to validate a user’s identity. The security is found in each service, application, etc. In essence, Active Directory is just a Single Sign-On platform ahead of its time. This is an issue because it’s not designed to stand up to today’s threats. And the threats are coming directly for it.
- It’s now a common target for cyberattacks – While we generally never hear about technical specifics in news articles about cyberattacks, we’re starting to see Active Directory mentioned far more regularly. Virgin Mobile’s Active Directory was compromised and its data sold on the Dark Web. NTT Communication’s admitted to their Active Directory being compromised as part of a data breach. Ryuk ransomware has been shown to modify Group Policy to propagate itself to endpoints via a login script. Truth be told, we always could trace the dotted line knowing that Active Directory was very likely part of an attack; now we have data to prove it.
- Standard disaster recovery plans aren’t enough – Having the ability to simply recover Active Directory as part of greater disaster recovery efforts is a great start. But like any good disaster recovery plan, the recovery needs to align with the “disaster.” Should a cyberattack result in either infected domain controllers, a modified directory, or both, it’s necessary to have an ability not just to recover the data residing in Active Directory, but to return it to a known-secure state. That means a malware-free underlying Windows Server OS, as well as a recovered state of Active Directory that is known to be prior to any malicious modifications. Without specifically addressing both of these concerns, current disaster recovery plans for Active Directory are little better than a simple blind recovery from backups.
- The security strategy isn’t focused on protecting AD before, during, and after an attack – The disaster recovery plans above certainly help with the response efforts. But outside of that, I’d guess that the remainder of the strategy has little to nothing to do with Active Directory specifically. And that’s a problem, given the previous 4 reasons. To be clear, this goes beyond the traditional monitoring tools, which a growing number of DC Shadow-like attacks can circumvent. Active Directory-centric security tools are required to catch more sophisticated identity attacks that otherwise would leave your SIEM blind. By modifying Active Directory, attackers can get access to anything in the network. Therefore, specific security provisions must be in place to monitor for and prevent unsanctioned changes within the Active Directory itself.
Active Directory still plays a key role in most organizations today. Companies need to take a layered security strategy and include protecting Active Directory using toolsets specifically designed to prevent, detect, and remediate directory attacks. Simply assuming the layered security that sits between the cybercriminal and Active Directory is enough to protect is the fastest way to see your operations cease and your organization in the headlines.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.