Michele Crockett

New EMA Research Highlights the Rise of Active Directory Exploits

Active Directory is getting a lot of buzz in business and tech news outlets lately—but not in a good way. AD continues to be a prime target for cybercriminals: Just a few recent examples include AD-related attacks on Sinclair Broadcast Group, camera manufacturer Olympus, and a Nokia subsidiary.

A new  report from Enterprise Management Associates (EMA)—“The Rise of Active Directory Exploits: Is It Time to Sound the Alarm?”—explores the impact on organizations of AD security weaknesses and how they’re responding. One key finding that illustrates the level of concern about AD security threats: 86% of organizations surveyed said they were planning to increase their investment in protecting AD. The skyrocketing number of publicized attacks on AD has raised awareness of AD as an attack vector.

Related reading

As EMA analyst Paula Musich noted in the report, attacking AD is the means to the end for threat actors. Attackers use AD to breach organizations’ networks, then move through the compromised information system to gain access to valuable assets. For example, in the recent string of golden ticket attacks, including the Golden SAML attack launched on SolarWinds, bad actors created fake user credentials, mimicked real users, and bypassed two-factor authentication. In the case of SolarWinds, attackers escalated privileges by exploiting unauthorized access in AD access control lists. This approach allowed them to move laterally within the victims’ networks—under the cover of those stolen elevated permission levels—to access and exfiltrate sensitive data. Attacks like these are driving organizations to double down on securing AD.

Although AD attacks increased in both severity and costs in the last year, they aren’t new. Security researchers first identified golden ticket exploits back in 2017, and attackers have targeted AD for years in hopes of gaining access to high-value enterprise resources. AD is a juicy target because it is the primary identity store used to authenticate users and grant access to organizations’ data—including highly valuable customer data.

How organizations are responding to Active Directory threats

To better understand the growing number of crippling attacks on AD, EMA surveyed 250 IT professionals and executives about how their organizations are responding to the growing risk and how their AD security priorities are changing. Musich presented top findings from the EMA report in the web seminar, “The Rise of Active Directory Exploits: How Enterprises Are Responding to an Increasingly Virulent Threat.” The key take-aways painted an alarming picture of how AD security weaknesses are affecting organizations’ overall security posture.

1. 50% of organizations experienced an attack on Active Directory in the last 1-2 years.

Given the increase in the prevalence of AD attacks, it’s surprising that only 50% of respondents indicated that their organizations have had their AD system attacked in the last year or two. By Microsoft’s own reckoning, 95 million AD accounts are targeted by cyberattacks every day.

Musich noted that a significant portion of these attacks might have gone unnoticed: 25% of respondents said that detecting live attacks is the biggest AD security challenge. This distinct lack of visibility and the high rate of AD attacks suggest that organizations could be missing stealthy attackers who successfully covered their tracks. (Guido Grillenmeier, Semperis Chief Technologist, wrote about how some threats can evade logging solutions in “How to Defend Active Directory Attacks That Leave No Trace.”) It’s also possible that some security professionals might not realize that AD frequently plays a part in ransomware attacks.

2. More than 40% of Active Directory attacks were successful.

Mandiant threat hunters estimate that 90% of the incident response engagements they conduct with clients involve AD in some manner, whether AD is the initial attack vector or the means by which attackers can achieve persistence or privileges. This finding makes the high success rate of AD attacks particularly alarming.

3. Penetration testers successfully exploited Active Directory exposures 82% of the time.

Although IT operations and security operations teams are the primary groups tasked with conducting assessments, their work is sometimes bolstered by assessments conducted by internal red teams or pen testing teams. For the 29% of respondent organizations that conduct internal red team exercises or penetration testing against AD, attempting to exploit AD exposures is a common part of the program. For organizations that conduct AD exploit testing, the success rate is startlingly high at 82%.

Given the deep level of expertise required to find vulnerabilities and understand the types of errors that can lead to such exposures, many organizations don’t have the resources to frequently conduct AD assessments. And automated penetration testing tools offer limited capabilities for maintaining good AD security posture. Even with available expertise, remediating exposures and vulnerabilities is still a cumbersome process because of AD’s complex structure. Factors such as lack of visibility into AD exposures and the requirements to research the exposure posed a challenge for 38% and 37% of respondents, respectively.

4. 86% of organizations plan to increase investment in protecting Active Directory.

Given the growing number of headlines about AD exploits, it’s no surprise that security teams are placing AD security at the top of the priority list. The rise in AD attacks drove the largest percentage of organizations to plan an increase in spending on security, but other issues are also spurring those decisions. The pandemic caused two major interrelated changes in IT activity: the need to support large-scale remote or work-from-home activities and accelerated cloud migration plans.

No end to AD attacks in sight

While Microsoft continues to post security updates for AD, nothing will prevent AD attacks from happening, which is evident from the growing number of incidents. To safeguard their organizations from today’s threats, security teams must increase their visibility into the AD attack surface and have a tested plan for responding once a live attack is detected.

In addition, audits remain a primary method to identify and secure exposures, but they aren’t the only tool security teams can or should use, especially given their snapshot nature. Today, new tools can spot patterns of malicious activity in real time as attackers seek to gain access to privileged accounts and create back doors. Recently introduced by Semperis, Purple Knight is a free AD security assessment tool that queries an organization’s AD environment and performs a comprehensive set of tests against the most common and effective attack vectors to uncover risky configurations and security vulnerabilities. Semperis also offers the industry’s most comprehensive hybrid AD threat detection and response platform, Directory Services Protector.

For more insights into how organizations are shifting priorities to address the growing threat of AD security weaknesses, download the full EMA report here.