Rethinking Active Directory security
In the wake of a cyberattack, Active Directory is sometimes dismissed as just another service that needs to be recovered, and security is an afterthought. But the hard reality is that if Active Directory is compromised, so is your entire environment.
90% of organizations use Active Directory as their primary store for employee authentication, identity management, and access control. Today it’s increasingly common for organizations to take a hybrid approach to identity and to focus on the cloud interdependencies and complexities that result. But it’s important to understand that in a hybrid deployment, cloud identity still depends on the integrity of on-premises Active Directory: the directory is typically the authoritative source that is synchronized (for example with Azure AD Connect) to the cloud tenant.
Because Active Directory is the source from which other identity stores are synchronized, tampering with it can ripple across your entire identity infrastructure. This is a common scenario that often catches security leaders off guard.
Active Directory and the insecurity ripple effect
A change made within on-premises Active Directory by an attacker can provide access to much more than local resources. An attacker can, for example, add a compromised on-premises user account to a Sales group in Active Directory. That group likely grants access to on-premises systems, applications, and critical data.
But because on-premises group membership is usually synchronized to a cloud identity provider such as Azure AD, which in turn federates to SaaS applications, the same membership change can also grant access to a cloud-based CRM (such as Salesforce), to customer data (ideally limited to what the compromised account could already see, but in practice often the whole organization’s data), and to other cloud resources.
Many real attacks are more complex than this example. The attacker gains elevated privileges through one account only to compromise a second, a third, and so on, each time moving from system to system or, in a hybrid environment, from on-premises to cloud, using access to on-premises Active Directory to specifically target accounts known to have access in the cloud.
The recent attack on NTT is an interesting example. After compromising a cloud-based server, attackers were able to use that server as a stepping stone to the internal Active Directory, gaining the keys to the kingdom, including servers hosting customer data and other sensitive resources.
Although such attacks typically involve more than one compromised account and many changes within Active Directory, the end result is the same: the attacker gains access to resources anywhere within the logical environment, on-premises or in the cloud.
The SolarWinds attacks are another example of Active Directory’s dual role: it protects an organization’s assets, but it also serves as a launchpad for attackers. Active Directory was not the initial vector in SolarWinds, but once inside, the attackers used well-known identity attack techniques, such as stealing the AD FS token-signing certificate to forge SAML tokens (the “Golden SAML” technique), to move between the on-premises and cloud identity and application environments and extend their reach.
Protecting Active Directory like it’s ring 0
In CPU protection-ring architectures, ring 0 is where the OS kernel runs with unrestricted access to every resource. For many organizations, Active Directory is the ring 0 of all their security: compromise it, and the attacker has the keys to the kingdom. Protecting it therefore demands a concerted effort.
To be clear, this goes beyond traditional monitoring tools, which often lack the Active Directory-centric detections required to catch more sophisticated identity attacks. By modifying Active Directory (group memberships, ACLs on privileged objects, Group Policy, or the accounts and keys that federation depends on), attackers can get access to anything in the network. Specific security provisions must therefore be in place to monitor for and prevent unsanctioned changes within Active Directory itself, along with the ability to return to a known secure state should a change slip past prevention.
Hardening Active Directory is also an often underappreciated task, but it is key to limiting the impact should an attacker get into your environment and try to use Active Directory to move through your network.
The ripple is real: if an attacker can compromise your Active Directory, there is nothing they won’t eventually be able to access. This makes Active Directory unique and requires specific measures to ensure it is protected.
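As an added example (not code from the original article or from any product it describes), the following Python script shows the kind of Active Directory-centric check this paragraph calls for, applied to the Sales-group scenario from earlier in the piece. It scans Windows Security-log “member added to group” events (IDs 4728, 4732 and 4756 for global, local and universal security groups) and flags additions to groups that are either tier-0 privileged or synchronized to the cloud and gating SaaS access. The event records, the group names, the cloud-access mapping and the approved provisioning account are all constructed for illustration.

```python
"""Flag unsanctioned membership additions to sensitive Active Directory groups.

Constructed example: a few Security-log records in the flattened shape a SIEM
export (or Get-WinEvent converted to a dictionary) would produce. All names,
groups and the approved-changer list are hypothetical.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Windows Security event IDs for "a member was added to a security-enabled group".
MEMBER_ADDED_EVENT_IDS = {4728, 4732, 4756}   # global, local, universal groups

# Groups whose membership must only change through the sanctioned process.
# Tier-0 groups control the directory itself; the "cloud-synced" groups are
# assumed (for this example) to sync to Azure AD and gate access to a SaaS CRM.
SENSITIVE_GROUPS = {
    "Domain Admins": "tier-0",
    "Enterprise Admins": "tier-0",
    "Sales": "cloud-synced, grants Salesforce access",
    "Finance-CRM": "cloud-synced, grants Salesforce access",
}

# Hypothetical identity-governance service account that is allowed to change
# cloud-synced groups. Nothing is allowed to change tier-0 groups silently.
APPROVED_CHANGERS = {"svc-iga-provisioning"}


@dataclass(frozen=True)
class Finding:
    time: str
    event_id: int
    group: str
    member: str
    actor: str
    severity: str
    reason: str


def member_cn(distinguished_name: str) -> str:
    """Return the CN from a DN such as 'CN=jdoe,OU=Users,DC=corp,DC=example'."""
    first_rdn = distinguished_name.split(",", 1)[0]
    if first_rdn.upper().startswith("CN="):
        return first_rdn.split("=", 1)[1]
    return distinguished_name


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the two-tier rule to one event; return a Finding or None."""
    if int(event["EventID"]) not in MEMBER_ADDED_EVENT_IDS:
        return None                                  # not a membership addition
    group = event["TargetUserName"]                  # in these events, the group
    classification = SENSITIVE_GROUPS.get(group)
    if classification is None:
        return None                                  # group is not sensitive
    actor = event["SubjectUserName"]                 # who made the change
    member = member_cn(event["MemberName"])          # who was added
    common = dict(time=event["TimeCreated"], event_id=int(event["EventID"]),
                  group=group, member=member, actor=actor)
    if classification == "tier-0":
        # Any change to a tier-0 group is reviewed, whoever made it.
        return Finding(severity="high",
                       reason="membership change to a tier-0 group", **common)
    if actor not in APPROVED_CHANGERS:
        # A cloud-synced group changed outside the provisioning pipeline will
        # ripple to the cloud tenant on the next sync cycle.
        return Finding(severity="medium",
                       reason=f"{classification}; not made by an approved "
                              f"provisioning account", **common)
    return None


def detect_unsanctioned_changes(events: Iterable[dict]) -> list:
    """Return the findings for a sequence of event records, in log order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample log (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeCreated": "2021-03-01T09:02:11Z", "EventID": 4728,
     "SubjectUserName": "svc-iga-provisioning", "TargetUserName": "Sales",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example"},      # sanctioned
    {"TimeCreated": "2021-03-01T23:41:05Z", "EventID": 4728,
     "SubjectUserName": "jdoe", "TargetUserName": "Sales",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},        # self-add
    {"TimeCreated": "2021-03-01T23:43:50Z", "EventID": 4728,
     "SubjectUserName": "svc-iga-provisioning", "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},        # tier-0 change
    {"TimeCreated": "2021-03-02T08:15:00Z", "EventID": 4732,
     "SubjectUserName": "Administrator", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=helpdesk1,OU=Users,DC=corp,DC=example"},   # not sensitive
    {"TimeCreated": "2021-03-02T08:16:30Z", "EventID": 4729,
     "SubjectUserName": "jdoe", "TargetUserName": "Sales",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},        # a removal; ignored
]

if __name__ == "__main__":
    for finding in detect_unsanctioned_changes(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.time} {finding.actor} added "
              f"{finding.member} to '{finding.group}': {finding.reason}")
```

The two-tier rule is the point: the cloud-synced groups are treated as sensitive even though they are not administrative groups, because the membership change shown here in the Sales group will be replicated to the cloud tenant on the next sync cycle, which is exactly the ripple effect described above. In production the event source would be the domain controllers’ Security logs (with the Audit Security Group Management subcategory enabled) and the sensitive-group list would be generated from the sync configuration and the tiering model rather than hard-coded.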
Be prepared for an influx of new attacks
If there was ever a time to re-examine the security of your Active Directory, it’s now. Many organizations appreciate the importance of Active Directory but lag in securely managing it, particularly as COVID-19 has accelerated the adoption of mobile workers, cloud services, and devices.
Because Active Directory is a prime target for attackers attempting to steal credentials and deploy ransomware across the network, it’s worth considering the repercussions of an Active Directory attack even if you’re not directly responsible for its daily operation.
Make it a priority to identify and communicate who is responsible for securing Active Directory in your organization, and implement comprehensive threat monitoring, detection, and response capabilities both on-premises and in the cloud.
With the ability to continuously scan your directories for security vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies, you’ll stay ahead of attackers, reducing the likelihood that a compromised Active Directory will lead to your organization making headlines.