The disclosure of the supply chain attack against SolarWinds in late 2020 was a wake-up call for federal agencies responsible for securing U.S. information assets—and for the security industry. As more details behind the attack come to light, one of the most significant revelations is that attackers used tried-and-true methods to gain initial access—through on-premises Active Directory (AD).
As Sean Deuby, Semperis Director of Services, wrote in a recent InfoSecurity Magazine article, if an attacker can circumvent authentication controls and obtain administrator access to AD, then the threat actor can gain total visibility into the AD environment—both on-premises and in the cloud. As state-sponsored threats continue to rise, continuous monitoring of AD for suspicious activity is a key component of preventing, detecting, and stopping malicious activity.
The SolarWinds attack signals that on-premises identity resources will increasingly be used as an entry point to cloud environments. However, sound security practices can help mitigate even the most complex attacks. Deuby points to recent resources, including a Microsoft blog post that provides guidelines for securing Azure AD as well as updated guidance from CISA.
Using a layered approach to securing AD that includes continuous monitoring for indicators of exposure that could compromise AD will help organizations protect their information assets. Although cyberattacks are becoming increasingly sophisticated, securing Active Directory is a fundamental step in an organization’s cyberattack defense plan.