Active Directory has been a top cybersecurity tool for more than two decades. The problem with protecting AD—used by roughly 90% of the Fortune 1000 companies—from ransomware attacks is simply that it wasn’t designed for today’s security landscape. Many organizations don’t even know the full map of their deployment, making AD the perfect target for threat actors.
Healthcare organizations, in particular, face significant risk. Once considered “off limits” by attackers, this sector is increasingly targeted. What can healthcare orgs do to protect themselves?
What makes Active Directory such an attractive target?
Where IT infrastructure is concerned, Active Directory is the bedrock of the entire IT infrastructure. Think of it this way: When an AD deployment is compromised, the attacker doesn’t just hold the keys into the kingdom—they now have a treasure map showing them where to find anything valuable, plus a superhighway to get them there.
“There’s a lot of information stored in Active Directory,” says Matt Sickles, Strategic Architect at Sirius Healthcare. “A map of the network, a list of sites and services, the locations and details of all administrators, even an organizational chart. This allows attackers to weaponize Active Directory for highly sophisticated attacks.”
Prevention starts with the basics
Sophisticated cyberattacks like SolarWinds might get a lot of press coverage, but such high-profile cases aren’t the norm. Most attackers look for low-hanging fruit. They want to find targets that will give them the best effort-to-return ratio possible.
Most attacks involve an attacker exploiting an oversight, such as an unpatched server. Basic security measures can go a long way toward eliminating these types of threats, including ransomware.
“Because so many attack scenarios are based on compromised elevated credentials, least privilege is an important concept when securing Active Directory,” explains Sickles. “Limit permissions, make sure you have a catalog of your group policies, and monitor for any changes. Ensuring every service account has a strong password is also a must.
“Businesses also need a way to weed through AD security alerts and manage or control service accounts,” he adds. “Finally, multi-factor authentication is one of the best defenses against ransomware you have.”
Why “traditional” security falls short
When it comes to cybersecurity, Active Directory proves to be uniquely difficult. Because of AD’s inherent complexity and the nature of service accounts, detecting indicators of compromise and proactively protecting AD against threats can be difficult, especially if detection relies on security log review.
“When a password is gained for a service account with elevated permissions, it frequently looks like normal activity,” Sickles notes. “You usually won’t know it’s compromised until there’s some sort of payload delivery or direct attack. Moreover, while there are some Microsoft-provided tools to help protect Active Directory, there isn’t a single download to easily cover basic security issues.”
“Addressing the complexities of Active Directory is very difficult,” he continues. “Being a specialized vendor, Semperis has some excellent toolsets for it.”
Criminals increasingly targeting backups
Backups are the best defense against ransomware. Unfortunately, criminals know this. As a result, many ransomware actors wait weeks or even months to trigger their payload. Worse, many directly target Active Directory backups.
When you perform a conventional backup of an AD domain controller, you’re backing up the whole server and everything on it—including any lurking malware.
“One of the biggest risks to every organization is connecting SSO from Active Directory to your backup system,” says Sickles. “Your backups must therefore either be separate, completely isolated domains or local accounts. My highest recommendation, however, is to ensure that backups are truly immutable and maintain air gapped copies of all critical systems, not just Active Directory.”
Know your Active Directory deployment
Many organizations take Active Directory for granted. They either don’t understand its importance or they lack visibility into AD. They also assume that their disaster recovery plan covers Active Directory, which often is not the case.
“Active Directory is one of the core baseline services of the organization,” notes Sickles. “It’s important to have a safety net for when it’s offline—a domain controller in safe harbor mode, for instance. And it’s imperative that businesses know how everything fits together.”
Don’t just deploy security solutions; have a plan
Security solutions alone will never be sufficient. For businesses to truly protect themselves, they also need to examine organizational processes.
The difference between a quick response and a slow one—between successfully halting or recovering from an attack and falling victim to attackers—often comes down to how well you’ve planned ahead of time.
“Organizations need to ask themselves how they will recover their Active Directory if they lose their backup system,” Sickles says. “That starts with ensuring the security operation center has planned and practiced the right use cases and scenarios. They need to run tabletops on a recurring basis to ensure that their plans and tools actually work.”
Tackle the greatest AD threats in healthcare
Protecting healthcare organizations from cybercrime involves proactively assessing threats, mitigating cyberattacks, and having a tested plan to restore Active Directory. Free assessment tools like Purple Knight can scan for indicators of exposure and compromise and are an excellent starting point to improve your AD security stance. AD-centric backup and recovery tools and services, including Semperis Directory Services Protector (DSP) and Active Directory Forest Recovery (ADFR), can provide reliable AD backups and even automate the process of remediating suspicious changes to AD.