Cybercriminals are always looking for security gaps, and those gaps take many forms: incomplete security coverage, misconfigurations, exposed credentials, and vulnerabilities in software and devices. It remains impossible to stop 100% of attacks from getting into a network, especially as the attack surface grows at unprecedented rates. As a result, perimeter defenses alone are insufficient, and a strong shift toward treating identity as the new perimeter is underway.


Today, organizations are increasing their investments in endpoint protection and in Identity and Access Management (IAM) programs at various levels of maturity. Active Directory (AD), however, is frequently overlooked: it is typically managed jointly by security, identity, and other teams, which adds administrative and organizational complexity. AD is also not secure by default, and it remains dangerously exposed when organizations trade its safety for operational efficiency and ease of access. An attacker who compromises AD can grant themselves privileges, use them to deploy ransomware or other malware for business disruption, locate and access their targets, and change security settings, even to the point of locking out legitimate administrators. Given these consequences, AD is a true Achilles heel for enterprises and remains a factor in the majority of cyberattacks.


The Importance of Active Directory


Active Directory can be considered the GPS of the enterprise, providing authentication across resources that span the entire network. Over 90% of Global Fortune 1,000 companies use AD, making it a nearly universal authentication solution. Microsoft has estimated that threat actors attack 95 million AD accounts each day, and that number is likely even higher now. The prevalence of identity-based attacks further underscores AD's value to attackers, and the 2021 Verizon Data Breach Investigations Report (DBIR) reinforces this point, noting that 61% of breaches now involve credential data.


Unfortunately, AD is notoriously difficult to secure because it touches nearly everything on the network, and it is constantly changing. The pressure for operational efficiency leads to overprovisioning, which creates problems of its own as organizations bypass security policies and grant unintended access and control. Most organizations try to mitigate this risk by feeding AD logs into a SIEM, but that coverage is neither complete nor fast enough to detect attacks in a timely fashion. Others rely on Microsoft AD audits and tools to find risks; these are generally run only periodically and are limited in their ability to detect and explain dangerous exposures. Organizations must look beyond traditional security tools toward newer approaches that provide continuous visibility into AD vulnerabilities, exposures, attacks, and unauthorized access.


Don't Overlook AD Protection


AD is a prime example of a high-risk environment left dangerously unprotected. Although it is a potential gold mine for attackers, AD sits awkwardly between endpoint and access management solutions, and joint management creates security gaps driven by conflicting goals over its use and control. Identity teams want it operational and management wants it efficient, both of which often come at the expense of security. Security teams need AD to be more secure but lack the tools to understand the risks and to drive prompt remediation. They also often lack the authority to change risky configurations, since a change could limit access for others or have unintended consequences. Only tools that provide greater visibility and a clearer understanding of the risks can bring these groups together and drive alignment on critical fixes.


Executives think of Active Directory as a service: a central management platform that ensures employees can easily access the resources they need. In their minds, tools like firewalls, logs, and SIEMs, combined with periodic audits, should keep AD sufficiently protected. Unfortunately, this is not the case, even if a full audit was completed only days ago. Taking a passive stance on AD may have been sufficient in the past, but recent large-scale attacks have demonstrated how attackers can obtain genuine credentials, impersonate actual employees, and pass straight through most identity controls. It would be negligent to leave AD exposed and at risk of compromise.


Making Life Hard on Attackers Is Critical


Despite new investments in endpoint protection and identity management services, neither effectively protects AD. Organizations need AD-specific protections designed to identify exposures and unauthorized attempts to access AD data or change its settings.


Visibility is a critical element of this. Enterprises need to identify changes to AD that might indicate an attacker's presence, such as mass account lockouts or deletions. Suspicious password management activity, brute-force login attempts, and similar signs can also reveal an attacker. Without sufficient visibility, attackers can try all of these tactics with little fear of discovery. The earlier in the attack cycle an enterprise can detect activities such as directory queries from non-privileged accounts or suspicious processes connecting to AD, the better its chances of derailing the attack.


Taking steps such as hiding critical network assets, files, or AD objects and seeding false ones among them can send attackers off course and cause them to give themselves away. Placing deceptive credentials on endpoints can likewise trick attackers into revealing their presence when they attempt to use them. By making life harder for attackers, organizations demonstrate that they are not an easy target, potentially convincing attackers that they are better off focusing their efforts elsewhere. At a minimum, it slows adversaries down and gives defenders more time to respond to and mitigate the attack.
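The two preceding paragraphs describe the signals a defender should watch for (mass lockouts, mass deletions, brute-force logons) and the decoy-credential trick. The following is an added example, not code from the original article or from any product it alludes to: a small rule engine that scans Windows Security audit events for those indicators. The event IDs (4624, 4625, 4726, 4740) are the standard Windows Security log IDs; the decoy account names, the thresholds, the five-minute window, and the event records themselves are constructed assumptions for illustration.

```python
"""Scan Windows Security audit events for the AD attack indicators described
above.  Added example; event records, thresholds and decoy names are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security audit event IDs (real values).
EVT_SUCCESS_LOGON = 4624   # An account was successfully logged on
EVT_FAILED_LOGON = 4625    # An account failed to log on
EVT_USER_DELETED = 4726    # A user account was deleted
EVT_ACCOUNT_LOCKED = 4740  # A user account was locked out

# Assumed: decoy accounts planted in AD / on endpoints; nothing legitimate uses them.
DECOY_ACCOUNTS = {"svc_backup_old", "adm_legacy"}

# Assumed thresholds; tune them to the environment's own baseline.
WINDOW = timedelta(minutes=5)
BRUTE_FORCE_THRESHOLD = 10   # failed logons from one source IP within WINDOW
MASS_DELETE_THRESHOLD = 5    # accounts deleted by one actor within WINDOW
MASS_LOCKOUT_THRESHOLD = 5   # distinct accounts locked out within WINDOW


def exceeds_in_window(timestamps, threshold, window):
    """True if at least `threshold` timestamps fall inside some sliding window."""
    times = sorted(timestamps)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def group_by(events, key):
    groups = defaultdict(list)
    for ev in events:
        groups[ev[key]].append(ev)
    return groups


def analyze(events):
    """Return a sorted list of (rule, subject) alerts for the given events."""
    alerts = set()
    by_id = group_by(events, "id")

    # Rule 1: password guessing -- many failed logons from one source address.
    for src, evs in group_by(by_id[EVT_FAILED_LOGON], "src_ip").items():
        if exceeds_in_window([e["time"] for e in evs], BRUTE_FORCE_THRESHOLD, WINDOW):
            alerts.add(("brute_force", src))

    # Rule 2: mass deletions -- one actor removing many accounts quickly.
    for actor, evs in group_by(by_id[EVT_USER_DELETED], "actor").items():
        if exceeds_in_window([e["time"] for e in evs], MASS_DELETE_THRESHOLD, WINDOW):
            alerts.add(("mass_delete", actor))

    # Rule 3: mass lockouts -- count distinct accounts (first lockout of each),
    # so one user repeatedly locking themselves out does not trip the rule.
    first_lock = {}
    for e in by_id[EVT_ACCOUNT_LOCKED]:
        first_lock[e["target"]] = min(first_lock.get(e["target"], e["time"]), e["time"])
    if exceeds_in_window(first_lock.values(), MASS_LOCKOUT_THRESHOLD, WINDOW):
        alerts.add(("mass_lockout", "domain"))

    # Rule 4: decoy credential use -- any logon attempt, successful or not,
    # against a planted decoy account is an attacker revealing themselves.
    for e in by_id[EVT_FAILED_LOGON] + by_id[EVT_SUCCESS_LOGON]:
        if e["target"] in DECOY_ACCOUNTS:
            alerts.add(("decoy_credential_used", f'{e["target"]}@{e["src_ip"]}'))

    return sorted(alerts)


# Constructed sample events (not real log data).
T0 = datetime(2021, 6, 1, 9, 0, 0)


def ev(eid, seconds, **fields):
    return {"id": eid, "time": T0 + timedelta(seconds=seconds), **fields}


SAMPLE_EVENTS = (
    # A user mistyping a password three times: normal noise, below threshold.
    [ev(EVT_FAILED_LOGON, 10 * i, src_ip="10.1.1.20", target="jsmith", actor="-") for i in range(3)]
    # One host spraying 12 failed logons at different accounts in 33 seconds.
    + [ev(EVT_FAILED_LOGON, 3 * i, src_ip="10.1.1.77", target=f"user{i}", actor="-") for i in range(12)]
    # The same host then tries a decoy credential it harvested from an endpoint.
    + [ev(EVT_FAILED_LOGON, 200, src_ip="10.1.1.77", target="svc_backup_old", actor="-")]
    # Six accounts deleted within two minutes by a single actor.
    + [ev(EVT_USER_DELETED, 20 * i, src_ip="10.1.1.5", target=f"temp{i}", actor="helpdesk1") for i in range(6)]
    # A lone deletion by an admin an hour later: not flagged.
    + [ev(EVT_USER_DELETED, 3600, src_ip="10.1.1.9", target="leaver1", actor="admin2")]
    # Five distinct finance accounts locked out within one minute.
    + [ev(EVT_ACCOUNT_LOCKED, 15 * i, src_ip="-", target=f"fin0{i}", actor="-") for i in range(5)]
)

if __name__ == "__main__":
    for rule, subject in analyze(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {subject}")
```

Running the script flags the spraying host, the decoy-credential attempt from that same host, the bulk deletion by helpdesk1 and the lockout storm, while the three mistyped passwords and the single routine deletion stay silent. In a real deployment the records would come from the domain controllers' Security logs via a SIEM or `Get-WinEvent`, and the window and thresholds would be set from the environment's observed baseline rather than the guesses used here.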


Better AD Protection Means Better Network Protection


Active Directory is a critical component of identity and authentication, but today's enterprises do not put nearly enough emphasis on its protection. Modern identity and endpoint solutions have left AD in a strange middle ground, with a complex and often conflicted web of ownership over its security. Attackers have capitalized on this lack of focus, targeting AD with millions of attacks each day.


Stolen credentials and privilege escalation feature in a significant percentage of today's attacks, underscoring the need to protect this critical asset. Placing increased emphasis on AD protection with AD-specific security tools is essential. Closing this coverage gap with better visibility and detection will help enterprises avoid losing control of their domain, their systems, and their security controls, greatly reducing the impact cybercriminals can have.