Michele Crockett

Unknown vulnerabilities are the top Active Directory security concern of IT security practitioners, according to a new report from Enterprise Management Associates (EMA). Known but unaddressed AD vulnerabilities fall closely behind.

Most concerning risks to overall security posture cited by survey respondents were:

  • Native Microsoft security flaws
  • Social engineering attacks, such as phishing
  • Attackers moving between AD on-premises and Azure AD

With the heightened attention on AD in the media and from research firms, including 451 Research and Gartner, it’s no surprise that unknown vulnerabilities were top of mind for survey respondents, which included IT directors and managers, IT architects, DevOps practitioners, and security directors.

The year 2021 brought a sea change in the awareness of Active Directory—the core identity store for 90% of businesses worldwide—as an attack vector for cybercriminals. One of the biggest clarion calls was the SolarWinds attack. Although it took some time for investigators to unpack this sophisticated attack, the role of Active Directory was apparent. (For more details about how AD factored into the SolarWinds attack, read Guido Grillenmeier’s post “Now Is the Time to Rethink Active Directory Security.”) As more high-profile breaches involving AD—including the Colonial Pipeline attack—occurred, AD vulnerabilities were caught in the spotlight.

Findings from Mandiant consultants corroborate the frequent exploitation of AD: They reported that in 90 percent of the attacks they investigate, AD is involved in some form as either an initial entry point or as part of a privilege escalation effort. As Paula Musich, EMA Research Director, wrote in the report’s introduction, security practitioners face a wide range of risks in managing AD.

“Because Active Directory’s configuration is in a continual state of flux, bad actors perpetually find new ways to exploit vulnerabilities to achieve their illicit aims.”

Well-publicized flaws such as the Windows Print Spooler service vulnerability discovered in June 2021 served as a catalyst for IT and security practitioners to investigate the security of their organizations’ AD environments. Since its initial release in March 2021, more than 5,000 users have downloaded Purple Knight, a free security assessment tool from Semperis that scans the AD environment for indicators of exposure and compromise and generates a report that provides an overall security score as well as expert guidance for remediating flaws. Organizations have reported an average initial score of about 68%—a barely passing grade.

In one-on-one interviews, many Purple Knight users said they were blindsided by the report findings.

“I know I have Active Directory,” said a CISO at a Canadian manufacturing company. “But I didn’t know I had these problems. And I’m pretty security-conscious. So, it was a good slap in the head.”

AD recovery concerns loom large

In addition to concerns about unknown and unaddressed AD vulnerabilities, respondents also said they worry about their AD recovery plans, including:

  • Not having a post-cyber-attack recovery plan
  • The inability to recover quickly
  • Not having a defined responsibility for AD recovery

The majority of respondents said that the impact of an attack that took down their domain controllers would range from “significant” to “catastrophic,” stoking the concern about an inadequate response plan. Only in the last few years have organizations shifted focus from business continuity plans that address natural disasters or human errors to plans that provide an adequate response to a malicious cyberattack.

As Gil Kirkpatrick (Semperis Chief Architect) and Guido Grillenmeier (Chief Technologist) wrote in their whitepaper, “Does Your Active Directory Disaster Recovery Plan Cover Cyberattacks?,” in the early days of AD, IT teams were prepared to recover AD from various problems including the inadvertent deletion of AD objects, group policy misconfigurations, and failed domain controllers. But the chances of having to recover from a complete AD outage—as cyberattacks can cause—were “very small.”

The threat landscape has changed dramatically since the early days of AD, but the challenges of recovering an entire AD forest have not. As the whitepaper authors noted, “It’s still an error-prone, complex process that requires planning and practice for all but the most trivial AD deployments.”

The EMA report results indicate that IT and security teams know and are concerned about the challenges of recovering AD from a cyber disaster.

Hybrid environments add complexity in securing identity services

The shift of workloads and applications to the cloud will be a continual, drawn-out process, according to the EMA report (and corroborated by a recent Gartner report), leaving IT and security teams to manage security in a hybrid environment for the foreseeable future. While 47% of respondents in the EMA study rated their own ability to manage and secure AD on-premises as “very competent,” only 37% of respondents gave themselves that rating for hybrid identity environments. About a third of respondents rated their skill at managing and securing a hybrid environment as “adequate.”

Respondents’ confidence in recovering Azure AD resources (such as users, groups, and roles) after a cyberattack was not reassuring: About 55% of participants expressed a “medium” level of confidence. Adequately managing security in a hybrid identity environment might be one of those situations in which practitioners don’t yet know what they don’t know: Integrating on-premises Active Directory with Azure AD authentication requires a different mindset, and failure to understand some of the key differences can open organizations to security risks.

How organizations are addressing AD security concerns

With the increased awareness of AD-related attacks, organizations are making changes to shore up their defenses in response to high-profile attacks like the SolarWinds breach. The EMA report found that:

  • 45% of organizations increased collaboration between operational and security teams
  • 44% increased focus on closing AD security gaps, detecting attacks, and ensuring malware-free backups
  • 37% added skilled practitioners to address AD security weaknesses

The finding that organizations are fostering collaboration between operational and security teams matches that of a 2021 report from the Identity Defined Security Alliance (IDSA), “2021 Trends in Securing Digital Identities,” which reported that 64% of organizations have made changes to better align security and identity functions within the last two years. Organizations are now recognizing that a secure identity system is the starting point for protecting every other asset in the organization.

These organizational changes will pave the way to addressing the challenges and urgency of identifying and addressing AD vulnerabilities, the top concern cited by respondents in the EMA report. As identity and security teams share knowledge and collaborate on solutions, organizations will strengthen their defenses against identity-related attacks. Only 3% of respondents said their organizations continue to view and manage AD as an operational resource. As Musich noted in the EMA report: “Those laggards will have an uphill climb in catching up to the 56% of respondent organizations that make Active Directory core to their overall security strategy.”
