In a webinar I co-hosted with Semperis (the folks behind the Purple Knight security assessment tool), we focused on a key common denominator across recent high-profile attacks: Active Directory. In the session “How Attackers Exploit Active Directory: Lessons Learned from High-Profile Breaches,” Sean Deuby and Ran Harel from Semperis joined me to discuss four recent attacks that made headlines: SolarWinds, the Hafnium Exchange 0-day attacks, the Colonial Pipeline attack, and the attack on Ireland’s Health Service. Every breach differed in tactics and was carried out by a different set of bad actors, but all had devastating consequences. In our discussion, we covered three of the most important preventative measures organizations can take to protect Active Directory against cyberattacks.
Since then, the FBI has warned of ransomware attacks on local government agencies, reiterating the importance of preventing malicious lateral movement. With Gartner ranking identity system defense as its Number 2 cybersecurity trend for 2022, the following measures are more important than ever for organizations that seek to protect Active Directory.
“You’d have to be living under a rock for the past year to have missed the significant cyber security events that have happened on a week-to-week basis. We spend a lot of time talking about the novel ways bad guys attack. But in reality, the threat actors are not in it to find novel ways; they just want to get in—and the superhighway for threat actors is Active Directory.”
—Sean Deuby, Semperis Director of Services
1. Protect email from advanced threats
One of the most common entry points for attackers is email. Advanced phishing campaigns are convincing to end users and give attackers an avenue to obtain valid credentials or deliver malware to endpoints. It is crucially important that organizations take a multi-faceted approach to protecting themselves from these threats. Security awareness training and phishing simulations are important for educating users and measuring risk, but no matter how much training you do, some phishing attempts will still succeed. To combat this, an advanced email threat protection solution—one that raises the bar beyond anti-spam and anti-virus tools—must be part of your defense strategy. In today’s threat landscape, a service that uses machine learning algorithms and other advanced detections to detect and block phishing messages and suspicious attachments must be in place.
2. Prevent lateral movement
Once an attacker compromises a client computer or member server, they look to move laterally across the network and escalate privilege. Preventing lateral movement makes the attacker’s job dramatically harder. You can put in place some technically simple—but sometimes operationally challenging—controls to block lateral movement and help protect Active Directory. First, the local administrator password on each endpoint must be different. Microsoft offers a free solution called the Local Administrator Password Solution (LAPS) to achieve this. Second, do not nest domain accounts in the local Administrators group as a shortcut for IT support. IT personnel must instead use LAPS to retrieve the administrative credentials for the specific endpoint they are working on.
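The two controls above can be audited on an endpoint with a short script. The following PowerShell is an added example, not code from the original post, Ravenswood, Semperis, or Microsoft. It assumes a domain-joined Windows host with the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later), that the LAPS expiration attribute on the computer object is readable by the caller, and that the expected members of the local Administrators group are the local Administrator account and Domain Admins; the function names and the `-AllowedMembers` default are the example's own choices.

```powershell
# Added example: audit the two lateral-movement controls on the local endpoint.
# Assumptions: domain-joined host, Get-LocalGroupMember available, LDAP reachable.

function Test-LocalAdminMembership {
    [CmdletBinding()]
    param(
        # Principals expected in local Administrators. The built-in local Administrator
        # and Domain Admins (added at domain join) are the defaults; adjust per your standard.
        [string[]]$AllowedMembers = @("$env:COMPUTERNAME\Administrator", "$env:USERDOMAIN\Domain Admins")
    )
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $status = 'OK'
        if ($AllowedMembers -notcontains $m.Name) {
            if ($m.PrincipalSource -eq 'ActiveDirectory' -and $m.ObjectClass -eq 'User') {
                # A domain user nested directly in local Administrators: the pattern the
                # post says to remove in favour of LAPS-retrieved local credentials.
                $status = 'VIOLATION: domain user nested in local Administrators'
            } elseif ($m.PrincipalSource -eq 'ActiveDirectory') {
                # Unexpected domain groups widen the blast radius of a compromised member.
                $status = 'REVIEW: unexpected domain group'
            } else {
                $status = 'REVIEW: unexpected local principal'
            }
        }
        [pscustomobject]@{
            Member = $m.Name
            Class  = $m.ObjectClass
            Source = $m.PrincipalSource
            Status = $status
        }
    }
}

function Test-LapsCoverage {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Read whichever LAPS expiration attribute is populated on the computer object:
    # ms-Mcs-AdmPwdExpirationTime (legacy LAPS) or msLAPS-PasswordExpirationTime
    # (Windows LAPS). Both are FILETIME large integers. Attribute names are lowercased
    # because DirectorySearcher stores result property names in lowercase.
    $attrs = @('mslaps-passwordexpirationtime', 'ms-mcs-admpwdexpirationtime')
    $searcher = [adsisearcher]"(&(objectClass=computer)(name=$ComputerName))"
    [void]$searcher.PropertiesToLoad.AddRange($attrs)
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for '$ComputerName' not found in the domain." }

    foreach ($attr in $attrs) {
        if ($result.Properties.Contains($attr) -and $result.Properties[$attr].Count -gt 0) {
            $expires = [DateTime]::FromFileTimeUtc([int64]$result.Properties[$attr][0])
            return [pscustomobject]@{
                ComputerName = $ComputerName
                LapsManaged  = $true
                Attribute    = $attr
                ExpiresUtc   = $expires
                # An expiration in the past means the client has not rotated on schedule,
                # so the endpoint may still be carrying a stale (possibly reused) secret.
                Overdue      = ($expires -lt [DateTime]::UtcNow)
            }
        }
    }
    # Neither attribute present: the endpoint is not under LAPS management at all.
    [pscustomobject]@{ ComputerName = $ComputerName; LapsManaged = $false; Attribute = $null; ExpiresUtc = $null; Overdue = $null }
}

Test-LocalAdminMembership | Format-Table -AutoSize
Test-LapsCoverage | Format-List
```

Run it in an elevated session on each endpoint (or push it through your configuration-management tool) and treat any `VIOLATION` row or a `LapsManaged = $false` result as a finding. The LAPS check deliberately reads only the expiration timestamp, never the password attribute itself, so it can run under an ordinary auditing account.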
3. Secure access to privileged credentials
Preventing adversaries from obtaining privileged access—especially Domain Admin—is a critical defense. If an adversary can escalate their privileges, they can gain broader or even complete control of the entire network. Implementing effective controls that isolate and protect privileged credentials is extremely important. Two of the most common control sets we implement at Ravenswood Technology Group are tiered security controls and privileged access workstations (PAWs). Tiered security controls keep high-privilege credentials from being exposed on higher-risk assets such as client computers. PAWs move the tasks an administrator performs off their day-to-day workstation onto a dedicated, highly secured workstation. This protects both the credential and the administrator’s session from threat vectors such as email, Internet access, and some types of malware.
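A tiering model is only as good as its enforcement, and the quickest way to find out whether Domain Admin credentials are being exposed on client computers is to look for them in the Security log of those computers. The following PowerShell is an added example, not code from the original post or from Ravenswood or Semperis. It assumes a domain-joined Windows host whose Security log retains logon events (ID 4624) for the period queried, LDAP read access to group membership, and the default built-in group names for Tier 0 (Domain Admins, Enterprise Admins, and the domain's Administrators group); the function names and the choice of logon types are the example's own.

```powershell
# Added example: report Tier 0 accounts logging on interactively to this host.
# Run on a workstation or other non-Tier 0 asset; every hit is a tiering violation.
# Assumptions: domain-joined host, elevated session, Security log readable.

function Get-Tier0Accounts {
    [CmdletBinding()]
    param([string[]]$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    $accounts = @()
    foreach ($g in $Tier0Groups) {
        $group = ([adsisearcher]"(&(objectClass=group)(sAMAccountName=$g))").FindOne()
        if (-not $group) { continue }
        $dn = $group.Properties['distinguishedname'][0]
        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested membership
        # server-side, so accounts that reach Tier 0 through nested groups are included.
        $s = [adsisearcher]"(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$dn))"
        [void]$s.PropertiesToLoad.Add('samaccountname')
        $accounts += $s.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
    }
    $accounts | Sort-Object -Unique
}

function Find-Tier0InteractiveLogon {
    [CmdletBinding()]
    param(
        [string[]]$Tier0Accounts = (Get-Tier0Accounts),
        [int]$Days = 7
    )
    # Logon types that leave reusable credential material in LSASS on this host:
    # 2 Interactive, 7 Unlock, 10 RemoteInteractive (RDP), 11 CachedInteractive.
    # Network logons (type 3) do not cache credentials here and are excluded.
    $exposingTypes = @('2', '7', '10', '11')
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $fields = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields['LogonType'] -notin $exposingTypes) { continue }
        if ($Tier0Accounts -notcontains $fields['TargetUserName']) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Account     = "$($fields['TargetDomainName'])\$($fields['TargetUserName'])"
            LogonType   = $fields['LogonType']
            SourceIp    = $fields['IpAddress']
            Finding     = 'Tier 0 credential exposed on a non-Tier 0 host'
        }
    }
}

Find-Tier0InteractiveLogon | Sort-Object TimeCreated | Format-Table -AutoSize
```

A clean run returns nothing. Any row means a Tier 0 account was used on a machine that also receives email and browses the Internet, which is precisely the exposure tiering and PAWs are designed to remove; the usual remediation is the "Deny log on locally" and "Deny log on through Remote Desktop Services" user-rights assignments for Tier 0 groups on lower-tier assets, plus the same query run centrally from your SIEM rather than host by host.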
Protect Active Directory to prepare for today’s threat landscape
The attacks we discussed in this webinar are just four of the countless breaches that are making daily headlines. Hardening your organization’s IT environment is critical. For practically any enterprise, efforts to protect Active Directory must be a core component of your hardening strategy. For a free assessment of your Active Directory security controls, take Purple Knight for a test drive. Between Ravenswood and Semperis, there are probably no two organizations (outside of Microsoft itself) with more combined AD security expertise. We have an extremely powerful partnership that helps organizations worldwide raise the bar on hybrid identity security.
To get more advice on how to protect your organization, check out the on-demand web seminar. And, of course, you can download Purple Knight for free to identify and address AD security gaps and gain confidence in the security of your AD environment—no matter how complex, convoluted, or neglected it is.
Originally published June 10, 2021