Hybrid labor agreements, geopolitical disputes and supply chain disruptions have generated a constant buzz of mistrust and dismay. And it is in this type of environment that cybercriminals thrive.
Ransomware groups reportedly earned $692 million from their collective attacks in 2020 and initial access to Active Directory (AD) is one of the ways affiliates and initial access brokers gain access to the network of a organization, as noted in Tenable’s Ransomware Ecosystem report.
Identities are the new security perimeter for any business, and Active Directory, the primary identity access management solution used by most organizations, is by design a single point of failure. Often left unprotected and considered an afterthought, poor AD setups have proven time and time again to be low hanging fruits that bad actors exploit. An unsecured AD can lead to monumental losses if compromised.
In fact, in 2021 alone, 38% of organizations around the world have lost business due to cyberattacks. This includes increased customer turnover, lost revenue due to system downtime, and increased cost of acquiring new business due to diminished reputation.
Ransomware-as-a-service (RaaS) teams are increasingly using tools such as PowerShell, Bloodhound, and others to perform reconnaissance and identify paths to high-privileged targets in AD, which can cripple an organization’s IT infrastructure.
History has proven that traditional security tools and approaches have not been very effective due to the increased number of successful attacks and continuous attack paths to AD.
Since the CISO is responsible for enforcing cybersecurity strategies and policies to protect the company’s most critical assets, the most lucrative path would be to think like an attacker to better protect the organization.
Understand the types of attacks exploiting AD misconfigurations
- The new attacks are complex and well hidden: These attacks take advantage of elevation of privilege and bypass logging. This is possible because they imitate a new domain controller and the fake domain controller’s log never exists. These attacks include DCSync, DC Shadow, and there are other attacks that impersonate other users such as Pass the hash, Pass the ticket, Silver ticket, and Golden ticket. In May 2021, the FBI revealed that DarkSide, the ransomware group that attacked Colonial Pipeline, was targeting Active Directory to move laterally and deploy malware.
- Slow Attacks: Some attacks are slow, which means that threat actor activity resembles normal actions on the network. These attacks primarily attack user account passwords, so no privileges are required. They only need access to the network to attempt to connect. One of these attacks is a password spray attack. For example, the Iranian threat group DEV-0343 used password spraying against Office 365 accounts to target the defense, maritime and oil industries in October 2021.
- Attacks that exploit core technology and configurations: These attacks take advantage of misconfigurations to create backdoors and gain persistent access unnoticed. Notorious Ryuk ransomware group is known to compromise credentials of core group of users in order to move laterally and deploy malware.
A CISO’s Practical Guide to AD Security
- Evaluation: Most organizations in India scan AD for configuration errors once or twice a year. If the DA is evaluated annually, its changes will remain invisible for a full 365 days. And even if a threat is detected a year later, we must average of 287 days to solve the problem. Assessing the current state of Active Directory is a necessity given the number of ransomware groups exploiting vulnerabilities within it. The first step in securing AD is to identify, document, and report the current privilege status of AD users and groups. Once done, security teams should continuously monitor AD for changes and misconfigurations. Automated tools that facilitate continuous monitoring can help security teams in this process.
- Assignment: Once security teams have inventoried each user and privilege level, security teams can add, modify, and remove privileges following a zero-trust model. The principle of zero trust is based on granting access to users only when they need to perform a particular task. The least privilege model is the best defense for CISOs looking to secure AD.
- Audit: Auditing provides IT context for when and how to access the AD environment. Automated tools that can provide this context make the work of security personnel easier. Audit analytics gives CISOs insight into who has access and who is using access for what task at any given time. This process allows organizations to determine if privileged access is being abused and detect unusual activity before it can escalate.
- Technology to simplify AD security: Every organization running AD should be made aware of their existing security issues that could lead to an attack on their infrastructure. Unfortunately, AD and SIEM monitoring solutions do not provide this service or functionality. Organizations need the right tools that make the assessment, assignment, and audit process simple and agile. Without the right security tools, AD security can become a Herculean task given the number of users within an organization and its third parties in the software supply chain.
With AD being such a lucrative avenue of attack, CISOs can no longer ignore how vulnerable it makes an organization to cyberattacks. Some threat actors even leave backdoors open allowing them to collect information without needing to access it. In a world where ransomware and double extortion tactics are a reality, AD security cannot be an afterthought.
With the right solutions that provide real-time detection of misconfigurations, CISOs can provide tangible metrics on and remediate vulnerabilities and misconfigurations that pose the greatest threat.
(This article is written by Kartik Shahani, Country Manager, Tenable India)