With the proliferation of ransomware attacks, every business feels the pressure—and often a sense of futility—in defending against cybercriminals. But companies can regain control by focusing on one of the most common attack vectors: Active Directory. Ransomware attacks often initially use AD security gaps, such as misconfigurations or weak passwords, to eventually gain access to as many endpoints and servers as possible.
No ransomware gang wants to see a single machine infected: They want every last part of your operations to be unusable, and your entire business brought to a halt. That way, they have a better chance of getting you to pay the ransom. But modern Windows client operating systems are reasonably up to date and are secure, causing determined cybercriminals to take a page from the data breach folks and first use AD to find ways to insert malicious ransomware code into your environment, access and delete your backups, and provide remote access for future attacks.
Sadly, post-attack analyses often reveal that basic AD security precautions were neglected. Particularly for organizations that have legacy apps and AD implementations going back a decade or more, ensuring proper AD security hygiene can be resource-intensive. Reviewing password policies and permission settings often gets de-prioritized—until a ransomware attack occurs that uses AD as an entry point. Even for companies that have processes in place for closing AD security gaps, configuration settings can drift over time because of changing staff, urgent requests for access, changing policies, and other factors.
Some of the most common—and most easily preventable—AD misconfigurations that lead to security vulnerabilities include:
- Configuring AD with unconstrained delegation, a valued target for attackers
- Misusing the built-in Administrator account of one domain for use as a service account for other resources, such as databases
- Risky permissions set at the domain level
- Administrative accounts with passwords that haven’t been changed in years
How can you defend AD from cybercriminals? Although no plan is foolproof against increasingly determined and sophisticated attackers, three essential steps will significantly increase your protection:
- Monitor changes to Active Directory: We’ve previously covered the unique changes within AD that ransomware strains Ryuk, Maze, and SaveTheQueen have used to aid in distributing their malware to as many endpoints as possible. You need to monitor AD in general but also watch for changes made to specific, high-value parts of AD (e.g., Domain Admins, Administrator, etc.). The latter of the two is evident, but the former is equally as important, as the bad guys are constantly figuring out new and creative ways to leverage AD. You need to watch and review any and all abnormal changes—no matter how benign they seem to you.
Remember, cybercriminals know you might be watching and will look for ways to stay under the radar, as in the case of Ryuk’s modification of a Group Policy to add a login script.
- Develop a response plan: When a change is detected that needs your attention, you need to have a response plan in place. At a minimum, a review of the change is essential, as well as the ability to uncover other changes that might have been made previously by the same account. For those deemed suspicious or downright malicious changes, have an action plan: disabling accounts, manually reverting changes, locking endpoints (if possible), etc.
It’s unlikely that cybercriminals are going to limit themselves to a single modification of AD. Once you detect one change, the response should assume the worst, as that’s exactly what the bad guys will be doing.
- Proactively protect specific objects: You will need a solution to tackle this step, as AD doesn’t do this. You need the ability to monitor specific “protected” objects (those that you deem mission-critical, don’t change often, and shouldn’t change) and automatically revert changes to the prior configuration as needed.
Although cybercriminals are becoming increasingly adept at exploiting AD, they are limited in the types and number of malicious activities they can perform. If you protect the parts of Active Directory that are high-value, obvious targets in an attack, you can fend off most attacks. And for that “zero-day” new attack on AD methodology that no one saw coming, the first step above (if taken seriously) will catch it, allowing you to develop a response plan and add that object to the list of protected objects within AD.
If you can stop the bad guys from spreading ransomware throughout your network, you’ve effectively stopped an attack and minimized the impact of the initial attack efforts. AD has become a pivotal point in ransomware attacks. By putting the steps above into practice, you’ll have a better ability to prevent, mitigate, or respond to AD-targeted cyberattacks.