Monday, 22 February 2021 18:38

How to Ensure Active Directory is not Your Achilles Heel

By Jim Cook, Attivo Networks
Jim Cook, ANZ Regional Director, Attivo Networks

GUEST OPINION by Jim Cook, ANZ Regional Director, Attivo Networks: With cybercriminals always on the hunt for new ways to mount attacks, organisations are paying more attention to the weaknesses that exist within many deployments of Microsoft’s Active Directory (AD).

AD, developed by Microsoft as a set of processes and services that aid the management of Windows domain networks, is used by 90 per cent of Australian businesses. Criminals are attracted to AD because it contains details of network structure and login credentials for users, allowing them to establish a foothold within an infrastructure, move laterally through the network without detection, and secure administrator privileges.

Cybercriminals are also increasingly targeting Kerberos tickets, which Windows domains use for authentication. They then use these to exploit unfixable weaknesses in the authentication protocol and gain access to other systems. Add in compromised user and password management systems, whose reach can extend into security controls, and it is perhaps unsurprising that a hijacked AD can take an organisation many months to rebuild.

Boosting AD Security

Given the critical and sensitive role that AD plays within an organisation, many people wonder why it isn’t locked down more securely. Unfortunately, the answer is that it comes down to the way AD functions in the first place.

From the outset, Microsoft built AD to give users access to services. AD administrators will often use three tiers of access logins, for workstations, servers, and AD itself, as a way to limit lateral movement and privilege escalation. Unfortunately, this can have repercussions for access monitoring and alerting: security teams may find themselves overwhelmed by the high volume of alerts, or administrators may over-provision access simply to keep things working.

As a means of boosting AD security, IT security teams have increasingly turned to innovations for assessing vulnerabilities in AD, together with deception and concealment tactics. These approaches are attractive because gaining continuous visibility into Active Directory vulnerabilities equips the security team to remediate them promptly. Combining concealment of AD objects with decoys that lure attackers can be an effective way of detecting an attacker’s activity during the initial observation and discovery period.

For example, a cybercriminal might use the BloodHound application to query AD for domain admin accounts. The deception technology intercepts this query, hides the real information, and returns fake results.

To the attacker, everything seems normal, and they may believe they have successfully gained the data they sought. A deception AD server can also validate the deceptive objects it served, while the real ones remain hidden.

When the attacker begins lateral movement using the deceptive objects and escalates the attack, the security team can be prepared and ready to watch their next move. The attacker then uses their newly found “administrator” credentials, which leads them straight into a decoy that records their every step.

This AD security approach can be potent because now the IT security team knows the attacker’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). TTPs and IOCs are critical intelligence that security teams can use to stop the attackers from advancing further and prevent future incidents.
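The detection side of the walk-through above, as an added example that is not code from the article or from Attivo Networks: decoy account names are planted in the fake AD view, so any authentication event that touches one of them is a high-confidence alert and the source host becomes an IOC. The decoy names, the simplified event records and the alert format are all constructed here; real Windows security events carry many more fields.

```python
"""Flag any use of decoy (honey) AD accounts in a stream of logon events."""
from collections import defaultdict

# Constructed decoy account names served to the attacker instead of the real
# domain admins (assumption: no legitimate process ever uses these).
DECOY_ACCOUNTS = {"svc_backup_admin", "da_legacy", "helpdesk_t0"}

# Constructed, simplified Windows security events.
# 4768 = Kerberos TGT requested, 4624 = logon succeeded, 4625 = logon failed.
SAMPLE_EVENTS = [
    {"event_id": 4624, "account": "alice", "src_ip": "10.0.1.15", "host": "WS01"},
    {"event_id": 4768, "account": "da_legacy", "src_ip": "10.0.1.15", "host": "DC01"},
    {"event_id": 4625, "account": "svc_backup_admin", "src_ip": "10.0.1.15", "host": "SRV07"},
    {"event_id": 4624, "account": "bob", "src_ip": "10.0.2.40", "host": "WS02"},
    {"event_id": 4624, "account": "da_legacy", "src_ip": "10.0.1.15", "host": "SRV07"},
]

STAGE_BY_EVENT = {4768: "tgt_request", 4624: "logon_success", 4625: "logon_failure"}


def detect_decoy_use(events, decoys=DECOY_ACCOUNTS):
    """Return one critical alert per event that names a decoy account.

    Failed logons count too: a password-spray or ticket request against a
    decoy is just as telling as a successful logon.
    """
    alerts = []
    for ev in events:
        if ev["account"].lower() in decoys:
            alerts.append({
                "severity": "critical",
                "decoy": ev["account"],
                "src_ip": ev["src_ip"],
                "target": ev["host"],
                "stage": STAGE_BY_EVENT.get(ev["event_id"], "other"),
            })
    return alerts


def summarise_iocs(alerts):
    """Group alerts by source IP so each suspect host yields one IOC record
    listing every decoy it used and every system it reached with them."""
    by_src = defaultdict(lambda: {"decoys": set(), "targets": set()})
    for a in alerts:
        by_src[a["src_ip"]]["decoys"].add(a["decoy"])
        by_src[a["src_ip"]]["targets"].add(a["target"])
    return {ip: {k: sorted(v) for k, v in d.items()} for ip, d in by_src.items()}


if __name__ == "__main__":
    for ip, ioc in summarise_iocs(detect_decoy_use(SAMPLE_EVENTS)).items():
        print(ip, ioc)
```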

An Effective New Approach

Many people are unsure whether this approach will hurt AD’s ability to provide its essential services. That is not the case when the solution is deployed at the endpoint and doesn’t touch the production AD controllers. With this endpoint-based technology, the IT security team does not need privileged access and only needs to query AD to gather the knowledge required to build the deceptive environment and objects.

Attackers have had no reason to distrust their tools and, as such, will rely on them until they feel they cannot. In the event the attacker does realise the defenders have duped them, it’s simply too late.

A less determined attacker may just give up given the increased complexity of an attack. More motivated attackers will slow down and incur additional costs as they move more cautiously, suspecting that the security team has become aware of their attack and has gathered critical information on their tools and intent.

Military forces around the world have used the tactics of deception and decoy for years. Now, organisations are seeing the effectiveness of the same approach when it comes to defending IT assets.

Improving AD security will allow IT security teams to prevent attackers from gaining access to the resources they need and ensure digital infrastructures remain secure. Consider what steps you should be taking to improve your organisation’s AD security.
