Active Directory Security: “Drift Happens”

August 17, 2021

  • New threats, vulnerabilities and attack types emerge constantly.
  • Active Directory is usually central to the attack.
  • Security teams should immediately secure existing hardware, operating systems, applications, software and Active Directory.


New ransomware variants, new exploits, more tactics… it seems like attackers come up with something novel every week. There’s a silver lining, though. With every new attack and breach, followed by the analysis of the attack process, we see patterns. By analyzing these patterns and addressing what the attacker relies on, we can disrupt the hackers and reduce the overall security risk.



Pattern #1

Attackers initially compromise enterprises by one of two attack methods. First, they exploit vulnerabilities within the hardware, operating systems, software, applications, etc. of the devices they target. We all know that patching is essential, but it’s just like taking our vitamins – we may forget (or we just don’t see the benefits until it is too late).


Second, hackers leverage misconfigurations related to hardware, operating systems, software, applications, etc. Thousands of security settings need to be configured, but they often aren’t secured correctly. With simple queries the attacker can determine what’s running on the device they’ve connected to, allowing them to know exactly what misconfigurations to look for. Securing these configurations before the attacker can see them is essential.



Pattern #2

Current security tools and practices aren’t sufficient to secure our networks. The following tools and practices are useful, but leave major gaps in security:


  • Pen testing
  • Assessments
  • Audits
  • AD monitoring
  • SIEM solutions
  • User behavior analytics
  • AI
  • EDR and AV


Many of these solutions are point-in-time, meaning the results are outdated within days of being produced. Other solutions might be more continuous, but they aren’t digging into the depths of the network infrastructure to provide information at the level at which the attacker is working.



Pattern #3

Regardless of the entry point, Active Directory is always a next step. Over and over again we see the forensic proof that Active Directory was leveraged to move laterally and gain privileges in order to deploy ransomware.


RYUK, SolarWinds and XingLocker (a variant of MountLocker) specifically require Active Directory to be involved. Attackers know how to enumerate and analyze Active Directory, so they rely on it for a successful breach and deployment of malicious software. It’s also central to authentication and resource access, which is another key reason attackers love to leverage AD.



The Solution

The direct solution to protecting your network and data is to target what attackers are targeting: Active Directory security and vulnerability management. That breaks down into three parts.


First, existing hardware, operating systems, applications, software and Active Directory must be secured. If the attacker is aiming to enumerate and analyze any and all aspects of your network, that’s something that needs immediate attention.


Second, all the work securing your network and devices shouldn’t go to waste. Once you’ve patched and secured configurations, these efforts need to be maintained constantly – that means 24x7 continuous and automatic analysis of all vulnerabilities and configurations. Think of it as keeping your attack surface as small as possible nonstop.


Finally, the ability to detect attacks is vital. Simpler attacks such as password spraying and guessing need to be detected as soon as they start so they can be shut down immediately. Even more advanced attacks like DCSync, DCShadow and Golden Ticket also need to be detected as they occur. These advanced attacks are used for persistence and backdoors, as well as to open up new attack paths the hacker can leverage.
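As an added illustration of the "detect it as soon as it starts" point for password spraying (example code written for this page, not Tenable's product logic), the detector below runs over constructed logon-failure records shaped like Windows Security event 4625. The thresholds, the sample source addresses and the account names are assumptions; a spray shows up as one source failing against many distinct accounts in a short window, which a per-account lockout counter never sees because each account only receives one or two attempts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) modelled on the fields of
# Windows Security event 4625: time, source address, target account, status.
# 0xC000006A = wrong password, 0xC0000064 = unknown user name.
SAMPLE_EVENTS = [
    ("2021-08-17T09:00:01", "10.0.5.23", "alice", "0xC000006A"),
    ("2021-08-17T09:00:04", "10.0.5.23", "bob", "0xC000006A"),
    ("2021-08-17T09:00:07", "10.0.5.23", "carol", "0xC0000064"),
    ("2021-08-17T09:00:10", "10.0.5.23", "dave", "0xC000006A"),
    ("2021-08-17T09:00:13", "10.0.5.23", "erin", "0xC000006A"),
    ("2021-08-17T09:00:16", "10.0.5.23", "frank", "0xC000006A"),
    # one account hammered repeatedly: brute force against one user, not a spray
    ("2021-08-17T09:01:00", "10.0.9.8", "svc-backup", "0xC000006A"),
    ("2021-08-17T09:01:02", "10.0.9.8", "svc-backup", "0xC000006A"),
    ("2021-08-17T09:01:04", "10.0.9.8", "svc-backup", "0xC000006A"),
    # a couple of typos from an ordinary workstation: below the threshold
    ("2021-08-17T09:02:00", "10.0.7.1", "gina", "0xC000006A"),
    ("2021-08-17T09:02:30", "10.0.7.1", "Gina", "0xC000006A"),
    ("2021-08-17T09:03:00", "10.0.7.1", "hank", "0xC000006A"),
]

def parse_event(rec):
    ts, src, user, status = rec
    # AD account names are case-insensitive, so normalise before counting
    return datetime.fromisoformat(ts), src, user.lower(), status

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: sorted distinct accounts} for every source that failed
    logons against at least min_accounts distinct accounts inside any time
    window of length `window`."""
    per_source = defaultdict(list)
    for ts, src, user, status in sorted(parse_event(e) for e in events):
        if status in ("0xC000006A", "0xC0000064"):
            per_source[src].append((ts, user))
    hits = {}
    for src, attempts in per_source.items():
        start = 0
        for end in range(len(attempts)):  # sliding window over time-ordered attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts and len(users) > len(hits.get(src, ())):
                hits[src] = sorted(users)
    return hits

if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(accounts)} accounts {accounts}")
```

In production the same logic would be fed from a SIEM query over 4625 events (and 4771/4776 for Kerberos and NTLM failures), keyed on both source address and workstation name.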


Common tools can’t correctly detect everything. More sophisticated solutions are needed to fill these gaps in monitoring and detection.

Derek Melber
Chief Technology and Security Strategist | Tenable
Derek Melber is a leading technical instructor, author and consultant. He is a 16-time Microsoft MVP with deep knowledge of Group Policy, Active Directory, desktop management and Windows security. He has educated AD administrators in over 30 countries about how to efficiently and effectively secure Active Directory and Azure AD as well as publishing a broad range of educational content, including books, articles and videos, that demystify the most complex and technical subjects surrounding this space.