Recently, the authors at government cybersecurity agencies in Australia, Canada, New Zealand, the United States and the U.K. put together an important report, Detecting and Mitigating Active Directory Compromises. When you read it, hold on to your security hats.
The report dives deeply into the complexity of Active Directory (AD) and its associated security challenges. It’s a no-holds-barred overview. And if your organization has had AD in place for more than a few years, this report will likely raise concerns about the vulnerabilities and misconfigurations that are lurking inside your AD instance. Of course, now that you know, you should probably do something about them.
A key to cybercriminals’ success
The running joke in the cybersecurity industry is that since AD is so useful to threat actors, shouldn’t it be considered an important tool for them, just like Mimikatz, BloodHound, Impacket and others? This joke hints at a larger truth, which the authors highlight in their introduction:
“Malicious actors commonly enumerate Active Directory for information after gaining initial access to an environment with Active Directory. Using the information gained, they seek to understand the structure, objects, configurations and relationships that are unique to each organisation. By doing this, malicious actors sometimes gain a better understanding of the organisation’s Active Directory environment than the organisation itself.”
Why are security and hygiene around AD so important? Because threat actors repeatedly prove that they are. This year alone there were many notable, publicly disclosed breaches that depended on exploiting AD for lateral movement and privilege escalation. The list of these large-scale breaches includes:
- Microsoft breach by Midnight Blizzard
- TeamViewer compromise by Cozy Bear
- Black Basta ransomware attacks
Threat actors need to move laterally from their initial compromise through the middle of the attack chain to their ultimate goal, which is most typically data exfiltration or deploying ransomware. Given this, it’s easy to see why access to and exploitation of AD is so critical to their success.
Barriers to sidestepping AD
Are you thinking of getting rid of AD and moving to the cloud to sidestep all these AD security challenges? Certainly, some organizations go down this route. For startups and small businesses, the 100% cloud approach can be a viable strategy.
However, it can also be a massive undertaking because migration is so complex. Identity and access management must be redesigned from the ground up. There are compliance and regulatory requirements (including data residency). Then, there are the issues of workforce adaptation and the operational disruption that happens during the transition. And all this is costly, too. With so many barriers to change, it’s likely that AD and its associated security challenges are here to stay for most organizations for the foreseeable future.
A way forward
A key reason that organizations are in this difficult situation in the first place is that there has been a historical lack of governance of AD implementations. This issue has been growing for years, decades even, at most organizations. And it’s the result of a host of related issues. AD admins come and go. Business priorities and associated applications change. Entitlement shortcuts are implemented and never removed. Mergers and acquisitions happen. In the midst of all this, AD cleanup is rarely prioritized.
Consequently, AD permissions and configurations become so complex and interdependent that administrators are often afraid to start the cleanup process. They often don’t know which business process they risk breaking. And they don’t know which risks are the highest priority or which accounts and entitlements lead directly to their crown-jewel IT assets.
What organizations need most is a system that continuously discovers, prioritizes and remediates their AD-specific risks as well as their broader identity security risks. This is exactly what identity threat detection and response (ITDR) solutions enable. Proofpoint Identity Threat Defense is a good example.
The Proofpoint perspective
There’s one miss in the report from my perspective, and that is I wish the authors had provided a strong pointer to the emerging security category of ITDR. While I don’t expect government authorities to pick favorite vendors, I think a nod to ITDR and how it addresses AD vulnerabilities would have served the reader.
Our view at Proofpoint is that an ITDR solution should provide continuous coverage and comprehensive visibility into AD’s identity vulnerabilities and misconfigurations. But that’s not all. It should also cover endpoints and draw on other identity systems, such as privileged access management (PAM) platforms, to provide the broadest view of identity security.
At the same time, ITDR systems should support the “DR” (detection and response) part of ITDR. That means they should be able to detect threat actors attempting to move laterally and escalate privileges without the attackers ever suspecting they have been spotted. And security investigators should have access to real-time forensics so that they can get the bad actor out before any real damage is done.
Learn more
If you want to get an unbiased, expert view about the risks that AD brings to your organization, check out this new publication.
If you want to learn more about how Proofpoint can help bring some order to your AD implementation, check out our web page on Proofpoint Identity Threat Defense.