The word is out that identity systems—and Active Directory in particular—are prime targets for cyberattacks. As a company that pioneered solutions purpose-built for protecting and recovering Active Directory from cyberattacks, we were happy to see multiple research firms recently confirm the criticality of AD-specific cybersecurity solutions. Gartner not only named identity system defense as one of the 2022 top trends in cybersecurity but also devised an entirely new category—Identity Threat Detection and Response (ITDR)—and named Semperis as an example vendor of ITDR solutions.
But we know from our work on the front lines helping organizations prevent, remediate, and recover from cyber disasters that having an effective ITDR security strategy goes beyond checking the research firms’ boxes. At the recent Gartner Identity & Access Management Summit in Las Vegas, we polled attendees about their top criteria for evaluating ITDR solutions.
Top takeaway: Organizations are looking for ITDR solutions that span the entire attack lifecycle—before, during, and after an attack—and offer protection specifically for AD and Azure AD. As Gartner and other analyst firms have pointed out, organizations need AD-specific security and recovery solutions to adequately protect their hybrid AD environments.
As a preview of our forthcoming full report on these findings, here are the top ITDR capabilities organizations are looking for to secure and recover their hybrid AD environments, as well as some commentary from Darren Mar-Elia, Semperis VP of Products. (Check out the video below for his summary of ITDR evaluation criteria we gathered from Gartner IAM Summit attendees.)
We’ve broken out the top five ITDR findings in detail below:
- Automated, malware-free multi-forest AD recovery in an hour or less
- Detection of attacks that bypass SIEM and other traditional tools
- Visibility into attacks that move from on-prem AD to Azure AD
- Ability to uncover misconfigurations and vulnerabilities in legacy AD environments
- Automatic remediation of detected threats
1. Automated, malware-free multi-forest AD recovery in an hour or less
The “response” component of ITDR looms large for the organizations we surveyed, as most business leaders and their security and IT ops teams recognize that no entity can eliminate the possibility of a cyberattack. Survey respondents expressed a pessimistic view about their ability to recover AD from a cyberattack: 77% of organizations indicated that in the event of a cyberattack, they would experience a severe impact—meaning they have a general disaster recovery solution but no specific support for AD, or a catastrophic impact—meaning they would need to conduct a manual recovery using their backups, which would require days or weeks. The loss in business revenue, reputational damage, and—in the case of healthcare organizations—patient health and safety from a prolonged recovery can be a devastating event.
“Organizations can do all the right things to prevent a ransomware attack, but at the end of the day, it’s still possible to be compromised,” said Darren Mar-Elia, Semperis VP of Products. “And you need a solution that can bring you back to a known good state as quickly as possible.”
2. Detection of attacks that bypass SIEM and other traditional tools
Reflecting the growing awareness that cybercriminals are constantly devising new tactics, techniques, and procedures (TTPs) for attacking identity systems, survey respondents cited the failure to detect attacks that bypass traditional monitoring tools as the top overall concern in protecting AD. The concern is warranted: Many attacks that succeed in exploiting AD bypass log- or event-based products such as security incident event management (SIEM) systems. Organizations need solutions that use multiple data sources—including the AD replication stream—to detect advanced attacks.
3. Visibility into attacks that move from on-prem AD to Azure AD
As more organizations adopt hybrid cloud environments, detecting attacks that move from on-prem AD to Azure AD—or vice versa, as in the SolarWinds attack—has emerged as a top concern for many organizations. Reinforcing Gartner’s prediction that only 3% of organizations will migrate completely from on-premises Active Directory (AD) to a cloud-based identity service by 2025, 80% of respondents in our survey said they either use on-prem Active Directory synchronized to Azure AD or they use several different identity systems, including AD and/or Azure AD.
But protecting those hybrid AD systems is top of mind: Survey respondents indicated that the most important capability for preventing attacks in their organizations was continuous monitoring for AD and Azure AD vulnerabilities and risky configurations. Only a third of respondents indicated they were “very confident” they could prevent or remediate an on-prem AD attack, and only 27% indicated the same level of confidence regarding Azure AD.
“I suspect we’ll see more vertical attacks that move from on-prem AD to Azure AD over time, and at Semperis we’re focused on providing the visibility to those hybrid attack paths,” said Mar-Elia.
4. Ability to uncover misconfigurations and vulnerabilities in legacy AD environments
It’s not surprising that survey respondents rank the importance of continuous monitoring for AD and Azure AD vulnerabilities and risky configurations so highly. Given the number of attacks that exploit AD vulnerabilities on a near-daily basis, organizations are understandably concerned about assessing their environments for vulnerabilities that could leave them open to attackers.
Users of Purple Knight, Semperis’ free AD security assessment tool, are often dismayed at their initial low-security posture score. But knowing where the vulnerabilities lie and applying expert remediation guidance gives users a roadmap for improving security.
“Purple Knight helped us take action on items right away, such as shutting down or disabling Active Directory accounts that shouldn’t have been disabled,” said Keith Dreyer, CISO of Maple Reinders in Canada. “And then it helped us develop a long-term maintenance plan.”
5. Automatic remediation of detected threats
Cyberattacks often move at lightning speed once the attackers drop malware, so automatic remediation is critical to preventing an exploit from leading to elevated privileges and an eventual network takeover. In the notorious 2017 NotPetya attack on shipping giant Maersk, the company’s entire network was infected in minutes.
Survey respondents indicated that automated remediation of malicious changes to stop fast-spreading attacks was the most important remediation capability, followed by tracking and correlating changes between on-prem AD and Azure AD.
ITDR solutions need to protect hybrid identity systems before, during, and after an attack
Gartner’s designation of a specific category of solutions to address identity system defense is a testament to the rise of Active Directory as a prime target for cybercriminals—exploited in 9 out of 10 cyberattacks. From our survey results and conversations with customers, we know that organizations are concerned about the challenges of protecting hybrid identity environments throughout the entire attack lifecycle. When evaluating ITDR solutions, prioritize the prevention, detection, automatic remediation, and recovery from AD-based cyberattacks.
Subscribe to our blog to learn more about the emerging category of Identity Threat Detection and Response and how you can build a layered identity system defense strategy.