Understanding how compromises occur is a fundamental part of forming a cybersecurity defense. With that in mind, I recently joined Andy Robbins, co-creator of the open source attack path discovery tool, BloodHound, for a webinar that outlined how attackers target Active Directory (AD).
During the presentation, we spotlighted an uncomfortable truth: the center of enterprise identity services is now a ripe, juicy piece of low-hanging fruit. It should come as no surprise that Active Directory is a source of interest to attackers, but just how much of a soft target it has become is often underestimated—likely because its status as a weak link in the security chain is not due to high-profile code vulnerabilities. In actuality, in many cases, the widest doors for attackers are the doors opened by common deployment configurations and management mistakes.
Why AD is a soft target
The fact is, AD was not built with modern security challenges in mind. In the past, pen testers and attackers alike relied on server-side exploits to compromise systems. Once inside, they would use common local administrator passwords to move laterally around the network. Today, they have more reliable techniques at their disposal that have a lower risk of detection or causing a system crash. These techniques leverage tools like BloodHound and abuse built-in protocols in the Windows operating system and AD itself.
BloodHound, for example, can be pointed at Active Directory and used to identify attack paths and find the easiest way for threat actors to elevate privileges in an environment. This is made possible because, by default, domain users have read access for any object in AD. Unfortunately, for many enterprises, the complexity of applications and infrastructure makes it challenging to remove access to objects that might interest attackers, leaving a potential door open for attackers to perform reconnaissance.
Such is the reality of securing AD. While code-related vulnerabilities can be addressed by applying the latest security updates as quickly as possible, it is the way AD is deployed in an environment that is often the greatest challenge to security. The challenges organizations face only increase as the AD environment grows more complex. As users and groups are added or deleted, the probability that misconfigurations will occur as the IT team works to maintain consistent settings and policies will continue to grow. These mistakes can take many forms, from unconstrained delegation to failing to account for inherited permissions when nesting a group.
But as the saying goes, an ounce of prevention is worth a pound of cure. Hardening Active Directory means more than just patching. It also means closing doors opened up by issues like poor group management, and to do that, organizations need to know what to look for.
Reducing risk through visibility
The most critical issues are the ones that could enable privilege escalation and lateral movement by attackers. Consider two common attacks.
Incident one: attackers target the AdminSDHolder object. Attackers attempt to modify the Access Control List (ACL) to change permissions on privileged objects through AdminSDHolder. If successful, this would give any account they added to the ACL the privileges of other accounts in a group.
Incident two: intruders launch Golden Ticket attacks. Golden Ticket attacks target Kerberos, and involve attackers who have obtained the password hash of the krbtgt account forging a logon ticket to escalate privileges and log in to any service as any user.
At its core, a defense against these and other attacks comes down to monitoring AD for suspicious activity. In order to do that effectively, it is important to leverage information about the tactics of attackers. Shrinking the threat landscape by taking actions like reviewing permissions and applying the principle of least privilege in AD groups, using complex passwords, and ensuring security updates for AD servers receive high priority is but one piece of the equation for a strong defense. The other requires the ability to detect and respond dynamically to threats as they appear.
Semperis recently moved to help customers address this technology challenge head-on. In June, we released Directory Services Protector (DSP) v3.0, which provides continuous monitoring and vulnerability assessment. DSP scans Active Directory for indicators of exposure and then prioritizes vulnerabilities according to their risk. This capability is further enhanced by a combination of built-in threat intelligence and guidance from a community of security researchers. As new threat research is uncovered, additional security indicators are dynamically added so that new attack techniques are detected.
Armed with the most current threat information, Semperis DSP can use its new auto-remediation capability to roll back critical operational or security-related changes without any administrator involvement. With auto-remediation, your organization can undo suspicious changes and prevent any further damage before it occurs. It also gives organizations the ability to detect changes and deletions across all AD partitions and Group Policy Objects even if the attacker circumvents logging.
Prevention in action
The good news about securing AD is that the means to prevent attacks is right in front of us. At Semperis, we regularly update a comprehensive list of threat indicators that allow enterprises to shut the door on the types of security holes attackers salivate over. Take, for example, recent changes to the default domain policy or default domain controllers policy GPOs. This type of modification may signal that attackers are active in the environment, as these Group Policy Objects (GPOs) control security settings and can be used to gain privileged access to AD. Another example is an unexpected change to the default security descriptor attribute on an object class in the schema—a juicy target for attackers because any changes can be propagated to newly created objects.
Using threat indicators to aid monitoring efforts improves the efficacy of security controls around AD. When combined with the ability to undo changes and perform vulnerability assessments that flag user accounts with risky controls, it reduces the likelihood of malicious behavior impacting AD and going undetected.
Threat actors take the path of least resistance to their goals. As long as the front door is open due to misconfigurations or the way AD functions, attackers will continue to approach your company’s doorstep. To harden AD, IT teams need to leverage information about the tactics of their adversaries and focus their security efforts on putting as many digital hurdles in front of attack paths as possible.
