Active Directory as A Target: Why AD Defense Is More Critical Than Ever

By Thomas Leduc February 19, 2017 | Disaster Recovery

We can start with the obvious. Active Directory is the cornerstone of an increasing number of business functions, and every year more work hinges on stable AD operability. AD access is also a gateway to a lot of your organization’s information. It’s well known that there is no such thing as an attack-proof organization, and according to PwC research, no company is “under the radar” of cyber attackers. Several studies, including the PwC one and another by The Heritage Foundation, show an exponential increase, year over year, in the number of attacks. I’m sure you’ve seen all this information and are increasing your cyber-attack preparedness overall, as well as specifically for AD.

So, if you already know how prepared you need to be, why am I writing this post? Because increasingly, Active Directory is targeted by attackers, and you should know why, how you can enhance defenses, and what to do if a breach leads to an Active Directory disaster.

In the large majority of organizations (90-95% per most research firms), Active Directory serves as the identity repository. Add to that the fact that attackers only need a very simple foot-in-the-door level of access to Active Directory to get started. It’s not necessary to get into the system with administrator privileges, because even with very basic access most attackers will need less than 72 hours to escalate privileges and obtain admin access. This is scary enough, because at this point an attacker can do and see ANYTHING within the organization. But there is more: an attacker in this position can have unlimited and undetected access for days, months, or even years. Moreover, if an attacker realizes the breach was detected, he/she can collapse the entire AD, leaving the organization in a shut-down state. So even when an organization recognizes the breach, it needs to take measures so the attacker does not learn about the detection, which amounts to a lot of work. Add all this up and you can understand why AD is such an attractive target for attacks, and why targeting it is a recent trend.

So what can you do to be stronger in the face of an attack? Clearly, there are many steps you can take to defend your Active Directory, and dozens of whitepapers on this topic alone. But a list of several important, easy-to-implement steps is not a bad start:

Privileged Accounts Can Put AD at Risk

It’s a best practice to review your organization’s privileged accounts and groups (the highest-privilege built-in groups are Enterprise Admins, Domain Admins, and Administrators). In many organizations, both the number of privileged accounts and the privileges given to certain roles far exceed what is necessary. Needless to say, more privileged accounts means more people who can make a mistake that could be devastating to AD. More privileged accounts also reduce your ability to track the activity of individuals with AD privileges, which can delay the detection of breaches. Microsoft encourages organizations to reduce the number of privileged accounts and eliminate unnecessary privileges, and even offers guides to help administrators minimize privileges in the best way. It’s also good to consider creating secured administrative hosts (specific workstations from which privileged team members perform administrative tasks) and to implement two-factor authentication for admins.
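As an added example (not code from the post or from Semperis), the following PowerShell enumerates the effective, nested user membership of the three built-in groups named above and flags memberships worth reviewing. It assumes the RSAT ActiveDirectory module on a domain-joined workstation; the review thresholds (90 days, 365 days) are assumptions for the example.

```powershell
# Added example, not from the original post or Semperis: list the effective (nested)
# user members of the built-in high-privilege groups and flag accounts to review.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$privilegedGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators'

$members = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed.
    # Enterprise Admins only exists in the forest root domain, so the lookup
    # is allowed to fail quietly in a child domain.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires
            $pwdAgeDays = $null
            if ($u.PasswordLastSet) {
                $pwdAgeDays = [int](New-TimeSpan -Start $u.PasswordLastSet).TotalDays
            }
            [pscustomobject]@{
                Group                = $group
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                LastLogonDate        = $u.LastLogonDate
                PasswordAgeDays      = $pwdAgeDays
                PasswordNeverExpires = $u.PasswordNeverExpires
            }
        }
}

# Review thresholds (assumed for this example): disabled accounts that still hold
# membership, no logon in 90 days, or a password older than a year or set to never expire.
$flagged = @($members | Where-Object {
    -not $_.Enabled -or
    ($_.LastLogonDate -and $_.LastLogonDate -lt (Get-Date).AddDays(-90)) -or
    $_.PasswordNeverExpires -or
    ($_.PasswordAgeDays -gt 365)
})

$members | Sort-Object Group, SamAccountName | Format-Table -AutoSize
'{0} privileged user memberships, {1} flagged for review' -f @($members).Count, $flagged.Count
```

Because Administrators is expanded recursively, accounts that are members of Domain Admins or Enterprise Admins appear under more than one group; each row shows the membership path that grants the privilege.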

3. Nearly 8% of organizational data breaches are from internal sources (e.g., a disgruntled or recently fired employee)

Secure Physical Devices

It’s not a secret that if an attacker can access your Domain Controllers, your AD’s security is no longer in your hands. So by now you have probably made sure to protect your actual domain controllers. But did you consider that user devices (desktops, laptops, mobile) can also be a vulnerability? As we mentioned before, privilege escalation is quite common, and sometimes only hours pass between the perpetrator gaining access and obtaining admin privileges. The proliferation of devices that have access to corporate data requires reevaluating the attack perimeter of your AD. Set up guidelines for passwords and encryption, make it hard to reach your organization’s assets from user devices, and at the very least differentiate trusted from untrusted devices. In addition, you would be wise to educate employees about device best practices and teach them the implications of poor device security.

1. When tested, 13% of people fall prey to phishing attempts (they click a link or download a file)

Monitoring AD Activity Can Lead to Early Detection and Prevention

Having an easy way to monitor exactly what actions are taken in your organization, and by whom, is a great way to maintain control of your AD. Imagine showing up at the office in the morning and noticing an unusual amount of activity from the night before. It should immediately alert you that something is going on that warrants an investigation. The general guideline here is to monitor AD activity constantly and in real time, and to catalogue past activity so you can look into past states. There are tools to help you achieve just that. For example, Semperis Active Directory State Manager can track all the activities that take place in AD in real time, log everything to a SQL database, and let you easily compare the current state with past states, or any two past states. It also offers a convenient dashboard that lets you monitor activity at any time.
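The "unusual overnight activity" check described above, as an added example that is not part of the original post and does not use any Semperis product: it reads the last 24 hours of security-group membership changes from a domain controller's Security log and marks those made outside business hours. It assumes the Audit Security Group Management subcategory is enabled, rights to read the remote Security log, and a placeholder domain controller name; the business-hours window (07:00 to 19:00, weekdays) is an assumption.

```powershell
# Added example, not from the original post or Semperis: pull group-membership
# change events from a domain controller's Security log and highlight off-hours changes.
# Assumes 'Audit Security Group Management' is enabled and you can read the Security log.
$DC    = 'DC01'   # placeholder, replace with one of your domain controllers
$since = (Get-Date).AddHours(-24)

# 4728/4732/4756 = member added to a security-enabled global/local/universal group
# 4729/4733/4757 = member removed from the same group types
$addIds    = 4728, 4732, 4756
$removeIds = 4729, 4733, 4757

$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName   = 'Security'
    Id        = $addIds + $removeIds
    StartTime = $since
} -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    # Business-hours window assumed for this example: 07:00-19:00, Monday to Friday
    $hour     = $e.TimeCreated.Hour
    $offHours = $hour -lt 7 -or $hour -ge 19 -or $e.TimeCreated.DayOfWeek -in 'Saturday', 'Sunday'

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = if ($e.Id -in $addIds) { 'Added' } else { 'Removed' }
        Group     = $data['TargetUserName']   # the group that was changed
        Member    = $data['MemberName']       # DN of the account added or removed
        ChangedBy = $data['SubjectUserName']  # who made the change
        OffHours  = $offHours
    }
}

$changes | Sort-Object Time | Format-Table Time, Action, Group, Member, ChangedBy, OffHours -AutoSize
$flagged = @($changes | Where-Object OffHours)
'{0} membership changes in the last 24h, {1} outside business hours' -f @($changes).Count, $flagged.Count
```

Each domain controller logs only the changes it processed, so run this against every DC (or a central log collector) to get the complete picture.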

Passwords (Yes, I Know You Heard That One Before)

The stats on Active Directory breaches and organizational data access are clear. According to the Verizon DBIR from 2016, 63% of data breaches in organizations involved weak, default, or stolen passwords. Your password guidelines are critical to your AD’s security. If you want to know the most recent password best practices, both Microsoft and NIST recently released password recommendations based on information collected from thousands of breaches, and they are worth the 5-minute read.

The key step is to protect Active Directory and prevent attacker access to your organization. However, in some cases you find yourself past that stage, at a point where you need to recover from an attacker-induced Active Directory disaster. In this case, it’s always better to rely on a robust AD DR technology than on native tools. The key reason is that Active Directory forest recovery is a cumbersome process that requires expertise and time, and when Active Directory is down, the last thing you have is time. Advanced AD disaster recovery solutions can make the process easier and faster. For example, Semperis Active Directory Forest Recovery can help you restore full AD operability with just three clicks and minutes to recovery.

4. Detecting internal data theft takes longer than detecting any other kind of attack and can take years.

If you have not yet started giving special attention to your Active Directory security, both by reducing the attack perimeter and by actively monitoring for breaches, this would be a good time to start. Attackers are not idle in finding better ways to access your data, and with the increase in targeting of AD, you want to stay on top of your system’s security and err on the side of caution.
