
The challenge of preventing AD attacks

Jim Cook from Attivo Networks explains how organisations can mitigate risks associated with an increase in Active Directory attacks.

Jim Cook
Tue, 26 Apr 2022

Of all the targets in the sights of cyber criminals today, they don’t come much bigger than Active Directory (AD).

The number of attacks against AD has increased dramatically in recent years. Microsoft revealed that in 2021, Azure Active Directory alone saw more than 25.6 billion brute force attacks.

One does not have to look far to see why AD is so attractive to attackers. An AD server sits at the heart of an organisation’s IT infrastructure and handles all identity and authentication services. Compromising AD can give attackers a skeleton key to the entire network.

On the rise

AD provides authentication and authorisation to all enterprise resources – devices, applications and web access, and is, therefore, a prime target for cyber attacks. Traditional security approaches such as periodic AD assessments and constant log analysis combined with SIEM correlation are costly and complex.

Thankfully, IT security teams have modern solutions to help with these challenges. Many organisations are taking advantage of identity protection tools such as those in the emerging identity threat detection and response (IDR) category, which help them detect and deflect adversaries before they can escalate their attacks.

Credential-based attacks

Credential-based cyber attacks have continued to increase in recent years. According to the Verizon Data Breach Investigations Report, 61 per cent of all attacks involve credential data.

Although this finding is concerning, it makes sense that if a user accesses the network using a valid username and password, most defences have no reason to suspect credential misuse.

Cyber criminals can inflict significant damage with a valid set of credentials. For example, they could use them to gain access to specific resources, reset other passwords, request short-term tokens, request API tokens, or conduct other attack activities.

Unfortunately, many organisations store credentials in places that cyber criminals can readily access. For example, many passwords live on client devices, network passwords reside in memory, and browsers, email, and other applications store various passwords.

An attacker who compromises a workstation or user account will often have little difficulty gaining access to stored credentials, some of which may even have administrator-level authority. Once inside the network, an adversary with a working set of credentials can often move about the network unnoticed if there are no mechanisms to identify abnormal behaviour patterns.

From there, it’s a straight line to Active Directory, where they can escalate these privileges and gain access to on-premises groups, applications and file storage.

Spotting an AD attack

For IT security teams, gaining visibility into weaknesses that could allow attackers access to Active Directory is the best place to start. If a team can find identity exposures, they can expect that attackers could use these to escalate their attack. Stopping AD attacks requires visibility across the entire network, starting at the endpoints where adversaries steal credentials.

Security teams also need visibility into vulnerabilities such as admin credential exposures, potential attack paths, and shadow admin accounts. Restricting, and alerting on, unauthorised access to credentials stored on endpoints and reducing the attack surface are critical.

One should also remember that AD attacks can happen very quickly. For this reason, an organisation needs to have live attack detection, and actions like mass account lockouts or deletions should raise immediate alerts.

Other suspicious activities to look for include password changes on sensitive accounts or mass password resets. Other signs of an AD attack are suspicious service creation on a domain controller, using a default administrator account, or reactivating previously disabled privileged accounts.
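The signals listed above can be expressed as rules over Windows Security events. The following is an added example, not part of the original article or of any vendor product; the account names, hostname, thresholds and sample events are constructed assumptions, while the event IDs are the standard Windows Security log IDs.

```python
from collections import defaultdict, deque

# Windows Security event IDs: 4740 lockout, 4726 account deleted, 4724 password
# reset attempt, 4723 password change attempt, 4722 account enabled,
# 4697 service installed, 4624 successful logon.
WINDOW_SECONDS = 300                      # assumed burst window
MASS_THRESHOLD = 3                        # assumed; low so the sample triggers
PRIVILEGED = {"svc-backup", "da-alice"}   # hypothetical sensitive accounts
DOMAIN_CONTROLLERS = {"DC01"}             # hypothetical DC hostname
MASS_EVENTS = {4740: "mass_lockout", 4726: "mass_deletion",
               4724: "mass_password_reset"}

def detect(events):
    """Return (time, rule, detail) alerts for a list of event dicts."""
    alerts, recent = [], defaultdict(deque)
    for e in sorted(events, key=lambda e: e["time"]):
        eid, t, target = e["id"], e["time"], e.get("target", "")
        if eid in MASS_EVENTS:
            q = recent[eid]
            q.append(t)
            while t - q[0] > WINDOW_SECONDS:   # drop events outside the window
                q.popleft()
            if len(q) == MASS_THRESHOLD:       # alert when the count reaches it
                alerts.append((t, MASS_EVENTS[eid], f"{len(q)} in {WINDOW_SECONDS}s"))
        if eid in (4723, 4724) and target in PRIVILEGED:
            alerts.append((t, "sensitive_password_change", target))
        if eid == 4722 and target in PRIVILEGED:
            alerts.append((t, "privileged_account_reenabled", target))
        if eid == 4697 and e.get("host") in DOMAIN_CONTROLLERS:
            alerts.append((t, "service_installed_on_dc", e.get("service", "")))
        if eid == 4624 and e.get("sid", "").endswith("-500"):  # built-in admin RID
            alerts.append((t, "default_administrator_logon", e.get("host", "")))
    return alerts

# Constructed sample events; "time" is seconds from the start of the capture.
SAMPLE = [
    {"time": 0,   "id": 4740, "target": "u1", "host": "DC01"},
    {"time": 20,  "id": 4740, "target": "u2", "host": "DC01"},
    {"time": 45,  "id": 4740, "target": "u3", "host": "DC01"},
    {"time": 60,  "id": 4724, "target": "da-alice", "host": "DC01"},
    {"time": 90,  "id": 4722, "target": "svc-backup", "host": "DC01"},
    {"time": 120, "id": 4697, "service": "updater", "host": "DC01"},
    {"time": 150, "id": 4624, "sid": "S-1-5-21-1111-2222-3333-500", "host": "WS07"},
    {"time": 900, "id": 4724, "target": "u9", "host": "DC01"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```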

Making use of interception strategies

Security teams should also consider strategies designed to intercept and trick attackers before they can reach their goal.

Dubbed defence-in-depth, this approach can be achieved by deploying tools capable of hiding actual AD objects from attackers, intercepting uncategorised queries, and manipulating results with false information. Security teams can also seed their networks with “admin” credential lures and AD decoys designed to trick adversaries into giving away their presence.

An organisation taking this approach has both active and passive protective measures for AD. Together, these make it difficult for attackers to see the network accurately and keep their presence a secret.

An ongoing challenge

AD remains challenging to secure, and organisations should therefore regard it as a top priority in securing the enterprise. By taking a defence-in-depth approach, security teams can implement measures that allow early detection and rapid response, so that AD remains a valuable part of an organisation’s IT infrastructure with the protection it needs to defend the enterprise against cyber attacks.

Jim Cook, ANZ regional director at Attivo Networks.
