Applying the MITRE ATT&CK Framework to Your Active Directory

By Nikolay Chernavsky July 20, 2021 | Active Directory

I recently had the pleasure of teaming up with Ran Harel, principal security product manager at Semperis, for a webinar focused on making the MITRE ATT&CK Framework relevant and actionable for organizations seeking to ramp up their security. In the webinar we zeroed in on the most attacked target – Active Directory – demonstrated how attackers exploit AD and how those attacks map to the MITRE Framework, and showed some valuable tools that can help in discovering and combatting these relentless attacks.

One interesting point that came out of the webinar was the false sense of security most practitioners feel towards their AD deployments. We began the session by asking all participants to rate how secure they feel their AD is. Fifty percent reported that they feel AD is “very secure” while 43% reported “somewhat secure”. These results are in direct conflict with real-world data generated by hundreds of Semperis Purple Knight assessments of AD. The average Purple Knight security score for AD overall comes in at 64% — that is a failing grade by any measurement. That is not actually surprising given the state of today’s AD protection.

I suggested during the session that many organizations have “given up” on AD protection. The best protection available today exists in the form of Microsoft guidelines and best practices – and this is not enough to protect the keys to the kingdom. Organizations have spent a lot of time and money on audit and management of AD, but not on protection and detection. I would argue that AD is the most unprotected asset in most organizations. To breach AD, you only need to compromise one user account.

Ran Harel drove that point home with a great demo of AD attack tactics. He showed how the current Print Nightmare exploit is executed on standard AD deployments, and that if you were following Microsoft’s advice you would still have been vulnerable. Microsoft has since provided patches to eliminate the vulnerabilities, but not before thousands of organizations fell victim to the attack. When mapped to the MITRE ATT&CK Framework, it’s simple to see how, even with the best intentions, most organizations find themselves hard-pressed to detect and thwart the lateral movement and privilege escalation tactics that attackers use, and that the Framework helps to expose.

The value of the MITRE ATT&CK Framework comes as practitioners use it, not just as theoretical insight but as a guide for practical and actionable remediation and prevention. Threat actors think differently from security practitioners, and the Framework allows us all to think like the attacker and therefore protect ourselves better.

The wonderful thing about this move from theory to practice is that there are organizations here to help you. My organization, ISSQUARED, provides the insight and consulting that helps you put the Framework into action. And Semperis provides the industry’s most powerful tools for the entire lifecycle of attacks – before, during, and after. Semperis’ tools provide enterprise-grade continuous monitoring and automatic remediation through the Directory Services Protector (DSP) solution – which Ran demonstrated powerfully – and point-in-time assessment through Purple Knight, a free tool that helps generate a baseline and provides a realistic view of the actual security of your AD environment. Both tools are thoroughly mapped to the MITRE ATT&CK Framework as well as to many industry regulations and best-practices frameworks such as CIS and NIST.

I invite you to watch the recording of this webinar to learn more about the MITRE ATT&CK Framework and how to move it from theory to practice. You can find the recording here. And while you’re at it, I recommend downloading and running Semperis Purple Knight to see where you currently stand and how that stance maps to the framework. Once you know, then you can begin to defend.


About the author

Nikolay Chernavsky, CISO at ISSQUARED