Active Directory Security: “Drift Happens”

August 17, 2021

New threats, vulnerabilities and attack types emerge constantly, and Active Directory is usually central to the attack. Security teams should secure their existing hardware, operating systems, applications, software and Active Directory now, not later.

New ransomware variants, new exploits, more tactics: it seems attackers come up with something novel every week. There is a silver lining, though. Every new attack and breach is followed by an analysis of the attack process, and across those analyses we see patterns. By addressing what the attacker relies on, we can disrupt the attack and reduce overall security risk.

Pattern #1

Attackers initially compromise enterprises by one of two methods.

First, they exploit vulnerabilities in the hardware, operating systems, software and applications of the devices they target. We all know that patching is essential, but it is like taking our vitamins: we forget, or we don't see the benefit until it is too late.

Second, they leverage misconfigurations in those same components. Thousands of security settings need to be configured, and many of them are not secured correctly. With simple queries (LDAP queries against the directory, for instance) the attacker can determine what is running on the device they have connected to and what the domain looks like, which tells them exactly which misconfigurations to look for. Securing these configurations before the attacker can see them is essential.

Pattern #2

Current security tools and practices aren't sufficient to secure our networks. The following tools and practices are useful, but leave major gaps:

Pen testing
Assessments
Audits
AD monitoring
SIEM solutions
User behavior analytics
AI
EDR and AV

Many of these are point-in-time: their results are outdated within days of being produced.
Other solutions are more continuous, but they do not dig into the network infrastructure at the depth the attacker is working.

Pattern #3

Regardless of the entry point, Active Directory is always a next step. Over and over, the forensic evidence shows that Active Directory was leveraged to move laterally and gain privileges in order to deploy ransomware. Ryuk, the SolarWinds supply-chain intrusion and XingLocker (a variant of MountLocker) all leaned on Active Directory to reach their goals. Attackers know how to enumerate and analyze Active Directory, so they rely on it for a successful breach and deployment of malicious software. It is also central to authentication and resource access, which is another key reason attackers love to leverage AD.

The Solution

The direct solution to protecting your network and data is to target what attackers are targeting: Active Directory security and vulnerability management.

First, existing hardware, operating systems, applications, software and Active Directory must be secured. If the attacker's aim is to enumerate and analyze every aspect of your network, that needs immediate attention.

Second, the work of securing your network and devices shouldn't go to waste. Once you have patched and secured configurations, the result has to be maintained constantly, meaning 24x7 continuous and automatic analysis of every vulnerability and configuration. Think of it as keeping your attack surface as small as possible, nonstop: configurations drift as administrators make changes, and drift reopens the paths you just closed.

Finally, the ability to detect attacks is vital. Simpler attacks such as password spraying and password guessing need to be detected as soon as they start so they can be shut down immediately. More advanced attacks such as DCSync (pulling account credentials from a domain controller by posing as a replication partner), DCShadow (registering a rogue domain controller to push changes into the directory) and Golden Ticket (forging a Kerberos TGT with the krbtgt key) also need to be detected as they occur. These advanced attacks are used for persistence and backdoors, as well as to open up new attack paths the attacker can leverage. Common tools can't correctly detect everything.
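To make concrete what "detected as they occur" means for two of the attacks just named, here is an added example of the detection logic, written for this edit and not taken from the post or from Tenable. It runs over constructed sample events: the domain, host names, account names and IP addresses are made up, and the event records are simplified versions of Windows Security events 4625 (failed logon) and 4662 (operation on a directory object). The three replication control-access-right GUIDs are the real values Windows writes into the Properties field of event 4662 when a principal requests directory replication, which is what a DCSync attack needs.

```python
"""Toy detectors for password spraying and DCSync, run on constructed sample
events rather than live logs. Assumed event shape: a dict per event with the
fields used below; a real collector would map them from the Windows XML."""
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs logged in event 4662 when replication is requested.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events (hypothetical hosts, users and addresses).
SAMPLE_EVENTS = [
    # A spray: 12 different accounts, one failed attempt each, from one source.
    *[{"time": _t(f"2021-08-17 09:00:{i:02d}"), "event_id": 4625,
       "source_ip": "10.0.0.50", "target_user": f"user{i:02d}"} for i in range(12)],
    # Not a spray: one user mistyping their own password four times.
    *[{"time": _t(f"2021-08-17 09:05:{i:02d}"), "event_id": 4625,
       "source_ip": "10.0.0.77", "target_user": "jsmith"} for i in range(4)],
    # Replication requested by a domain controller's computer account: normal.
    {"time": _t("2021-08-17 09:10:00"), "event_id": 4662, "subject_user": "DC02$",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    # The same rights requested by an ordinary user account: DCSync.
    {"time": _t("2021-08-17 09:11:00"), "event_id": 4662, "subject_user": "helpdesk.bob",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]


def detect_password_spray(events, window=timedelta(minutes=5),
                          min_accounts=10, max_per_account=2):
    """Flag a source that fails logons against many distinct accounts inside one
    window while staying at or below max_per_account attempts on each of them,
    i.e. deliberately under a typical lockout threshold."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_source[e["source_ip"]].append(e)
    findings = []
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            per_account = defaultdict(int)
            for e in in_window:
                per_account[e["target_user"]] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                findings.append({"source_ip": src, "accounts": len(per_account),
                                 "first": start["time"], "last": in_window[-1]["time"]})
                break  # one finding per source is enough to raise the alarm
    return findings


def detect_dcsync(events, domain_controllers, allowlist=()):
    """Flag event 4662 where a principal other than a DC computer account (or an
    allowlisted replication account, e.g. an Azure AD Connect service account)
    exercises a replication control-access right."""
    findings = []
    for e in events:
        if e["event_id"] != 4662:
            continue
        rights = REPLICATION_RIGHTS.intersection(e["properties"])
        who = e["subject_user"]
        if not rights or who in domain_controllers or who in allowlist:
            continue
        findings.append({"subject_user": who, "time": e["time"], "rights": sorted(rights)})
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_EVENTS):
        print("password spray:", f)
    for f in detect_dcsync(SAMPLE_EVENTS, domain_controllers={"DC01$", "DC02$"}):
        print("possible DCSync:", f)
```

Two caveats a practitioner will hit when turning this into a production rule. Event 4662 only records replication requests if the "Audit Directory Service Access" subcategory is enabled and the domain naming context carries a SACL for those control-access rights; without that, DCSync leaves nothing in the log. And failed-logon evidence is split across 4625 on the target host and 4771/4776 on the domain controllers for Kerberos and NTLM respectively, so a spray detector fed only one of those sources sees only part of the attack.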
More sophisticated solutions are needed to fill these gaps in monitoring and detection.

By: Derek Melber, Chief Technology and Security Strategist, Tenable

Derek Melber is a leading technical instructor, author and consultant. He is a 16-time Microsoft MVP with deep knowledge of Group Policy, Active Directory, desktop management and Windows security. He has educated AD administrators in over 30 countries on how to efficiently and effectively secure Active Directory and Azure AD, and has published a broad range of educational content, including books, articles and videos, that demystifies the most complex and technical subjects in this space.

Threat Partner Series