AD vulnerabilities can be used to compromise entire networks

Nov 5, 2018 13:44 GMT

Active Directory security breaches can be behind vast amounts of data loss and can bring governments and businesses to their knees once an attacker gains administrative rights over an organization's Active Directory (AD) installation.

Active Directory is Microsoft's directory service for Windows domain networks. It ships with Windows Server as a collection of services that manage network domains, enforce enterprise-wide security policies, and grant fine-grained access rights to users and devices once they have authenticated.

Why is Active Directory such a significant target for threat actors? Mostly because, by several estimates, more than 85% of government and enterprise organizations worldwide use it to manage security policies and network assets.

An attacker who controls an organization's AD installation can push security policy changes to every domain, install or update software on any domain-joined machine, and grant any user access to any asset on the network.

"Attackers are looking for 'target-rich' systems – meaning systems where privileged credentials can be mined, identity systems that contain usernames and passwords (like Active Directory), and servers that contain privileged or sensitive information, such as PII or other business-sensitive information," said Mickey Bresman, CEO of Semperis, to Forbes. "Active Directory itself is also an interesting attack infrastructure since it can take down the entire organization."

Security risks for enterprises that use Active Directory are higher than ever

This is especially dangerous because such breaches are unlikely to be caught by anti-malware or endpoint security suites: an attacker who logs in with valid stolen credentials looks like a legitimate user and triggers no alarms.

According to a study by Skyport Systems, an enterprise security company acquired by Cisco in 2018, around 90% of enterprises that use Active Directory to control policies for services and users were found to have overly exposed administrator credentials, leaving them wide open to compromise.

"Successful attacks against AD or admin credentials can be devastating because the blast radius reaches nearly every system in the enterprise," said Russell Rice, Skyport Systems Senior Director. "The data we collected and analyzed shows that organizations need to pay closer attention to their AD infrastructure and use a modern approach to securing AD since many attack tools are widely available, effective and free."

Furthermore, as Microsoft says in its "Best Practices for Securing Active Directory" guidance, "No organization with an information technology (IT) infrastructure is immune from attack, but if appropriate policies, processes, and controls are implemented to protect key segments of an organization's computing infrastructure, it might be possible to prevent a breach event from growing to a wholesale compromise of the computing environment."

The biggest issue with Active Directory security is not that Fortune 500 companies or governments fail to secure their AD installations (most large organizations have dedicated AD security teams), but that small and medium-sized businesses are not aware of the risks of deploying AD insecurely.

Hardening and measures to lower the attack surface for Active Directory

What makes securing AD even more problematic is that "There are attacking methods that could be used to attack an AD, despite being hardened against attacks. Hardening won't solve the problem immediately, but organizational architecture plays a role as well," according to security expert Huy Kha. "For example, privileges and permissions that have been assigned to users should be as strict as possible and only based on a 'Need-To-Know' approach."

"There are so many modern attacks that work to compromise an AD and get full access to it. A few attacks such as LSASS dumping, NTDS.DIT extraction, Golden/Silver Ticket, Pass-the-Hash, LLMNR/NBT-NS poisoning, Kerberoasting, and more," Kha also told Softpedia.

What can organizations do to prevent a breach from following an AD attack? They can disable LM and NTLMv1 in favour of NTLMv2 (and Kerberos wherever possible), so that any captured challenge-response traffic is not in the weak formats that crack in seconds; segregate administrative accounts with Microsoft's Administrative Tier Model, so that Domain Admin credentials never touch workstations or ordinary member servers; manage privileges carefully to head off privilege escalation; and stay current on the methods and tools attackers use so that defense plans can be tailored to them.
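The hardening points above lend themselves to a quick, read-only audit. The script below is an added example and not code from the article or from any of the vendors quoted in it. It assumes the RSAT ActiveDirectory module is installed, that it runs on a domain-joined machine as an account allowed to read AD, and that the thresholds $MaxDomainAdmins and $MinPasswordLength are reasonable for the environment (both are assumptions). It checks the machine's NTLM level and LLMNR policy, Domain Admins membership, user accounts with SPNs (the Kerberoasting exposure Kha mentions) and the default domain password policy.

```powershell
#Requires -Modules ActiveDirectory
<#
Added example, not from the article. Read-only AD hygiene audit.
The two registry checks reflect only the machine this runs on; the
AD checks cover the whole domain. Thresholds below are assumptions.
#>
param(
    [int]$MaxDomainAdmins   = 5,    # assumed ceiling for a tiered admin model
    [int]$MinPasswordLength = 14    # assumed minimum for the default domain policy
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. NTLM level. LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM".
#    Lower values let this host answer with LM/NTLMv1 responses that are cracked offline with ease.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 'not set (OS default)' }
if ($lmLevel -ne 5) {
    $findings.Add("LmCompatibilityLevel is $lmLevel; enforce 5 via GPO (Network security: LAN Manager authentication level).")
}

# 2. LLMNR. EnableMulticast = 0 under the DNS Client policy key turns LLMNR off, removing the
#    name-resolution fallback that LLMNR poisoning tools answer. NBT-NS is a per-adapter setting
#    and is not checked here.
$dns = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
if ($null -eq $dns -or $dns.EnableMulticast -ne 0) {
    $findings.Add('LLMNR is not disabled by policy; set "Turn off multicast name resolution" (EnableMulticast = 0).')
}

# 3. Domain Admins. In a tiered model this group stays small and contains no daily-use or
#    SPN-bearing accounts, so a compromised workstation never yields a Tier 0 credential.
$daMembers = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties ServicePrincipalName, LastLogonDate)
if ($daMembers.Count -gt $MaxDomainAdmins) {
    $findings.Add("Domain Admins has $($daMembers.Count) user members (threshold $MaxDomainAdmins); move day-to-day admin work to Tier 1/2 accounts.")
}
foreach ($da in $daMembers) {
    if ($da.ServicePrincipalName) {
        $findings.Add("Domain Admin '$($da.SamAccountName)' carries an SPN and is Kerberoastable; remove it from Domain Admins or replace it with a gMSA.")
    }
}

# 4. Kerberoasting exposure. Any domain user can request a service ticket for a user account that
#    has an SPN and crack it offline, so such accounts need long random passwords rotated regularly.
$oneYearAgo = (Get-Date).AddYears(-1)
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }
foreach ($u in $spnUsers) {
    if ($null -eq $u.PasswordLastSet -or $u.PasswordLastSet -lt $oneYearAgo) {
        $findings.Add("SPN account '$($u.SamAccountName)' password last set '$($u.PasswordLastSet)'; rotate it or convert it to a gMSA.")
    }
}

# 5. Password policy. Against offline cracking of captured NTLMv2 responses or service tickets,
#    length is the main defence.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -lt $MinPasswordLength) {
    $findings.Add("Default domain MinPasswordLength is $($policy.MinPasswordLength); raise it to at least $MinPasswordLength and consider a stricter fine-grained policy for admins.")
}

if ($findings.Count -eq 0) { Write-Output 'No findings.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

Run it as .\Audit-ADHygiene.ps1 (or with -MaxDomainAdmins and -MinPasswordLength overridden). The registry checks should be repeated on a sample of workstations and servers, since a GPO that is set in the domain is only effective where it has actually applied.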

As further mitigation, organizations should monitor the network and security logs extensively for breach attempts and unusual traffic that could reveal an AD compromise, limit the number of accounts holding Domain Admin privileges, configure strong password policies, and secure both workstations and Domain Controllers (DCs) against outside and insider threats.
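As one concrete form of the log monitoring recommended above, the script below flags possible Kerberoasting in a domain controller's Security log. It is an added example, not code from the article: it reads event 4769 (a Kerberos service ticket was requested), keeps tickets issued with RC4-HMAC (encryption type 0x17) for services that run under user accounts, and alerts when one requester collects tickets for many such services in a short window, which is the pattern Kerberoasting tools produce. It assumes "Audit Kerberos Service Ticket Operations" (success) is enabled on the DC; $Hours and $Threshold are assumed tuning values.

```powershell
<#
Added example, not from the article. Run on a domain controller (or against
forwarded DC logs) as an account allowed to read the Security log.
#>
param(
    [int]$Hours     = 24,
    [int]$Threshold = 5    # assumed: distinct RC4 service tickets from one requester before alerting
)

# Turn an event's XML EventData into a hashtable keyed by field name.
function ConvertTo-EventData {
    param($Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

$filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$suspicious = foreach ($e in $events) {
    $d = ConvertTo-EventData $e
    # Status 0x0 = ticket issued. Computer accounts (name ends in '$') and krbtgt are skipped:
    # their keys are long and random, so an RC4 ticket for them is not crackable in practice.
    if ($d.Status -eq '0x0' -and $d.TicketEncryptionType -eq '0x17' -and
        $d.ServiceName -notlike '*$' -and $d.ServiceName -ne 'krbtgt') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Requester = $d.TargetUserName   # account that asked for the ticket
            SourceIp  = $d.IpAddress
            Service   = $d.ServiceName
        }
    }
}

# Kerberoasting tools request tickets for every SPN they can find in one burst,
# so group by requester and source address and count distinct services.
$alerts = $suspicious | Group-Object Requester, SourceIp | Where-Object {
    @($_.Group.Service | Sort-Object -Unique).Count -ge $Threshold
}

foreach ($a in $alerts) {
    $services = (@($a.Group.Service | Sort-Object -Unique)) -join ', '
    Write-Output "[!] $($a.Name): $($a.Count) RC4 service tickets in the last $Hours h for $services"
}
if (-not $alerts) { Write-Output "No requester exceeded $Threshold RC4 service tickets in the last $Hours h." }
```

Two caveats when tuning it: RC4 tickets are also issued legitimately for service accounts that have no AES keys (msDS-SupportedEncryptionTypes unset), so in a domain that has not enabled AES on its service accounts this will fire on baseline traffic until those accounts are fixed; and a single ticket for a decoy account that has an SPN but no real service behind it is a much higher-confidence signal than any count threshold, so consider adding such an account and alerting on any 4769 for it.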