Microsoft Active Directory (AD) is used by over 90% of the Fortune 1000 for identity and access management. It’s also a prime target for hackers. With control of AD, attackers can take control of endpoints of interest, or give themselves access to whatever systems they need to achieve their ultimate objective, whether that is trying to deploy ransomware or exfiltrate sensitive data. Major enterprises with large Active Directory environments are especially vulnerable because they tend to have a high volume of misconfigurations and over-privileged users that attackers can take advantage of. In fact, in a recently completed research project on Active Directory Certificate Services, every AD environment examined over several months had misconfigurations that attackers could abuse.
As attacks against AD are inevitable, it follows that stopping them should be a top priority for chief information security officers (CISOs) and chief executive officers (CEOs) at those Fortune 1000 companies. Unfortunately, it’s not. It’s difficult for security teams to get executive buy-in to address the problem because measuring and improving AD security is challenging. There are several reasons why:
- First, the AD user interface makes it very difficult for IT to get visibility into which users have privileges to which systems. This makes it nearly impossible to measure how at-risk those systems are, or even understand the scope of the problem.
- Second, removing user permissions or fixing misconfigurations often has unintended consequences that make it harder for those users to do their jobs. AD administrators and executives won’t make these changes without a clear idea of the benefits — so security teams need to prove that a fix is worthwhile to get it approved.
- The final issue is the scope of the problem. We’ve seen firsthand that nearly all environments have hundreds, if not thousands, of AD misconfigurations. Without a way to prioritize these issues, most executives will decide the problem is too large to tackle, given the many other security risks competing for their time and budget.
To win over executives, security teams must find a way to rank AD security issues and give clear instructions on fixing them. If they can’t quantify the problem and show the benefits of making improvements, decision-makers will almost always default to the status quo. With that in mind, here are several ways to make the C-Suite more likely to invest in AD security.
Measure Risk Empirically
The first way to help get the C-suite on board with AD security is to empirically measure the exposure of an AD environment. Explaining potential risks associated with AD is often too abstract; executives need a simple, defensible measurement of how exposed their AD environment is before allocating a budget to it. One useful method of measuring this is by looking at high-value AD targets or Tier Zero assets (the Active Directory domain admins, or domain controllers, PKI, and any others with access to high-value systems specific to the organization in question). Measuring the number or percentage of users that have access to Tier Zero assets through abusable privileges is a good baseline for how vulnerable those high-value assets are to attackers. Mapping chains of potential identity attacks (sometimes called AD Attack Paths) adds another layer of detail and allows IT to measure the percentage of the entire user base that could reach Tier Zero through these routes.
Risk measurement should be as simple as possible – reduced ideally to a single number — and it should respond as AD changes. This allows the security team to approach executives and say, “we can reduce our overall AD risk exposure by 15% by taking the following steps” That is a hard argument for a CISO to reject. Security best practices like Tiered Administration and Least Privilege that should (on paper) improve AD security often aren’t implemented correctly or at all because the teams attempting them can’t quantify risk reduction.
There are several tools that will generate a list of all overprivileged users or abusable misconfigurations in an AD environment, but they don’t provide enough information to sway the C-suite because the results aren’t prioritized. An overworked AD admin or security team won’t have the capacity to act on dozens or hundreds of issues — they need to be ranked and prioritized. Just like the overall risk measurement, this prioritization needs to be based on empirical data that everyone understands. If an executive asks, “Why do we need to make this change?” and the security team answers, “It fixes a critical misconfiguration,” the next question will be, “What makes this “critical”? or “Is this actually critical within the context of our specific architecture or configuration?” If the security team can’t answer that, they’ll have a hard time convincing executives to support them.
Answering this question often requires getting better visibility into AD so that the ramifications of a single misconfiguration (i.e., how many Attack Paths it creates, how many users can take advantage of it, etc.) can be measured.
Offer Practical Guidance
To get executives on board with fixing AD security, the security team must prepare remediation instructions that are feasible and detailed. AD admins (the ones who will actually be implementing these fixes) and executives are more likely to refuse to take action if the fixes seem overly complex, poorly defined, too expensive or too time-consuming. Removing privileges can be a particularly anxiety-inducing exercise because it may cause critical business processes to fail. To get C-suite buy-in, remediation guidance should follow these criteria:
● Not require major changes like switching to a different directory service or drastically changing the existing architecture. This was an issue with Microsoft’s Red Forest, also known as Enhanced Security Admin Environment (ESAE), that was retired in January 2021. Because it required creating an entire separate AD forest, it was simply a non-starter for most IT teams.
● Offer detailed step-by-step guidance for AD teams, both on how to resolve the issue but also on the attack or risk itself. This can be very helpful for those who don’t have a security background.
● Include steps to determine if a specific privilege is required and be clear about the potential consequences of fixes. This allows all parties involved to weigh the costs and benefits of the remediation.
● Give the expected outcome of the fix so that AD admins can verify it worked as intended.
By following these practices, security teams will be able to present a much more compelling case to the C-suite for investing in AD security. The key is to measure the problem and the effects of remediation actions accurately. Fortunately, more attention is being paid to AD security as part of the fallout from attacks like the SolarWinds attack in Dec. 2020 and the PetitPotam attack in Aug. 2021 that use Attack Paths in Active Directory. As a result, the time is right to present a plan about this to company leadership — because the more attention we start paying to Active Directory security, the safer everyone will be.