By Nuno Antunes Ferreira, director for Spain and Portugal of Semperis.
Despite IT's heavy reliance on Active Directory (AD), a technology more than 20 years old, cybersecurity teams seem to overlook that AD is an obvious and frequent target for cybercriminals, which exposes organizations to greater risk.
We are at a very interesting time, witnessing a battle between good and evil in cyberspace. Overall, the cybersecurity industry is constantly updating its solutions and focusing on the specific characteristics of attacks, not only to detect them but to prevent them effectively. We're seeing next-generation solutions for every layer of the security infrastructure and thousands of vendors to choose from.
Despite these advances, Active Directory remains one of the parts of an organization's environment that receives the least cybersecurity attention. Although most security programs have a SIEM solution that monitors logs to detect anything out of the ordinary, that is not enough.
We all know the story of Achilles, the greatest of the Greek warriors, who was protected and considered “invulnerable” over his whole body except for one of his heels. It was precisely on that heel that an arrow struck him and brought him down.
Like Achilles, Active Directory is supposed to be invulnerable because so many protective measures surround it. But as with Achilles' heel, once an attacker reaches it, the game is over. Even a novice attacker can do a web search and find vulnerabilities, procedures and tools available to compromise Active Directory.
It's the cornerstone of most operations: even though most organizations use a hybrid cloud directory with Azure AD and Office 365, the system of record for most organizations today remains on-premises Active Directory. Therefore, all services, applications, datasets and resources, both on-premises and in the cloud, depend directly or indirectly on Active Directory for access. If Active Directory is compromised, every part of the operation that depends on it stops.
It's not designed for security: 20 years ago, Microsoft built a way to provide access centrally, and it wasn't thinking about the principle of least privilege or zero trust. Of course it has some elements related to the security of an environment, but think about it: Active Directory does not store the permissions for resources; it's simply an identity provider that all other parts of the Microsoft ecosystem trust to validate a user's identity. Security is found in each individual service, application, and so on. In essence, Active Directory is nothing more than a single sign-on platform ahead of its time. This is a problem because it is not designed to deal with current threats, and the threats go straight for it.
Now it's a common target for cyber attacks: although we rarely hear technical details in news coverage of cyber attacks, we're starting to see Active Directory mentioned much more regularly than before. Virgin Mobile's Active Directory was compromised and its data was sold on the Dark Web. NTT Communications admitted that its Active Directory was compromised as part of a data breach. Ryuk ransomware has been shown to modify Group Policy in order to spread to endpoints through a login script. To tell you the truth, we could always connect the dots and see that Active Directory was very likely to suffer an attack; now we have the data to prove it.
Standard disaster recovery plans are not enough: having the ability simply to recover Active Directory as part of a broader disaster recovery effort is a great start. But as with any good disaster recovery plan, the recovery needs to match the “disaster”. If a cyber attack leaves domain controllers infected, the directory modified, or both, it is necessary to be able not only to retrieve the data that resides in Active Directory, but to return it to a known safe state. That means an underlying Windows Server operating system free of malware, as well as a recovered Active Directory state that is known to predate any malicious modification. Without specifically addressing these two concerns, current Active Directory disaster recovery plans are little better than blind restoration from backup.
The security strategy does not focus on protecting AD before, during and after an attack: the disaster recovery plans mentioned above certainly help with response efforts. But beyond that, I suspect the rest of the strategy has little or nothing to do with Active Directory specifically. And that's a problem, given the 4 reasons above. To be clear, this goes beyond traditional monitoring tools, which can be bypassed by a growing number of DCShadow attacks. Active Directory-centric security tools are needed to detect more sophisticated identity attacks that would otherwise leave your SIEM blind. By modifying Active Directory, attackers can gain access to anything on the network. Therefore, specific security controls must be established to monitor and prevent unauthorized changes within Active Directory itself.
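Two of the points above, the DCShadow technique that bypasses log-based monitoring and the Ryuk-style abuse of Group Policy login scripts, both leave traces in the directory itself rather than in the event logs a SIEM usually consumes. The following read-only audit script is an added example and is not code from the article or from Semperis. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on the host where it runs, that the account has ordinary read access to the forest, and that the `$LookbackHours` parameter is our own choice of detection window. The first check lists every `nTDSDSA` object in the Configuration partition (the record every replication partner, legitimate or rogue, must register) that has no matching domain controller; the second lists Group Policy objects and SYSVOL script files modified recently, together with the directory server each GPO change originated from.

```powershell
# Added example (not from the article or Semperis): two read-only checks that
# surface directory changes a log-based SIEM may never see.
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules, forest read access.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Find-UnregisteredDirectoryAgents {
    # Every replication partner, including a DCShadow-style rogue one, registers an
    # nTDSDSA object ("CN=NTDS Settings") beneath a server object in CN=Sites.
    # Anything there that is not a domain controller the forest reports is a finding.
    $forest   = Get-ADForest
    $knownDcs = foreach ($domain in $forest.Domains) {
        (Get-ADDomainController -Filter * -Server $domain).HostName
    }
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsaObjects = Get-ADObject -SearchBase "CN=Sites,$configNc" `
        -LDAPFilter '(objectClass=nTDSDSA)' -Properties whenCreated

    foreach ($dsa in $dsaObjects) {
        # The parent of "CN=NTDS Settings,..." is the server object holding dNSHostName.
        $serverDn = $dsa.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName, whenCreated
        # -notcontains compares strings case-insensitively in PowerShell.
        if (-not $server.dNSHostName -or $knownDcs -notcontains $server.dNSHostName) {
            [pscustomobject]@{
                ServerDN     = $serverDn
                DnsHostName  = $server.dNSHostName
                RegisteredAt = $dsa.whenCreated
                Finding      = 'nTDSDSA object with no matching domain controller'
            }
        }
    }
}

function Find-RecentGpoChanges {
    param([int]$LookbackHours = 24)   # detection window, our own assumption
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $domain = Get-ADDomain

    # 1) GPOs whose container object changed inside the window, plus the directory
    #    server that originated the versionNumber change. A change that originated
    #    from a server not in the DC list is exactly the DCShadow pattern.
    $changedGpos = Get-GPO -All -Domain $domain.DNSRoot |
        Where-Object { $_.ModificationTime -gt $since }
    $gpoFindings = foreach ($gpo in $changedGpos) {
        $meta = Get-ADReplicationAttributeMetadata -Object $gpo.Path `
            -Server $domain.PDCEmulator -Properties versionNumber
        [pscustomobject]@{
            GpoName       = $gpo.DisplayName
            Modified      = $gpo.ModificationTime
            OriginatingDC = $meta.LastOriginatingChangeDirectoryServerIdentity
        }
    }

    # 2) Script payloads under SYSVOL\Policies touched inside the window. Group
    #    Policy login scripts are how Ryuk was reported to reach endpoints.
    $policiesPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
    $changedScripts = Get-ChildItem -Path $policiesPath -Recurse -File `
        -Include *.bat, *.cmd, *.ps1, *.vbs, *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Select-Object FullName, LastWriteTime, Length

    [pscustomobject]@{
        ChangedGpos    = $gpoFindings
        ChangedScripts = $changedScripts
    }
}

# Usage: run from a management host; review both result sets against change records.
Find-UnregisteredDirectoryAgents | Format-Table -AutoSize
$gpoReport = Find-RecentGpoChanges -LookbackHours 24
$gpoReport.ChangedGpos    | Format-Table -AutoSize
$gpoReport.ChangedScripts | Format-Table -AutoSize
```

Both checks are deliberately read-only and produce findings to reconcile, not verdicts: an `nTDSDSA` object can also be left behind by a domain controller that was demoted without metadata cleanup, and a GPO change is only suspicious when it does not line up with an approved change. The value of the script is that it reads the directory's own replication metadata, which is exactly the surface a DCShadow-style change touches and a log-only SIEM misses.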
Active Directory continues to play a key role in most organizations today. Enterprises must adopt a tiered security strategy that includes Active Directory protection, using toolsets specifically designed to prevent, detect and remediate directory attacks.
To assume that the layered security standing between the cybercriminal and Active Directory is sufficient to protect the company is to risk a halt to operations and the organization ending up in the headlines.