What makes Active Directory so important?
Over 90 percent of enterprises use Active Directory (AD) in their IT infrastructures to manage computers and devices on the network, as well as user access. It is every CISO’s nightmare to have their AD compromised. Once an attacker compromises AD, they gain a full “GPS” to the network, which they can use to accelerate their attack. These attacks are also very tricky to stop as the attacker is now using validated information and legitimate credentials to conduct their activities. Rebuilding and restoring AD operations in a way that the attacker can no longer use any compromised access can also be quite lengthy and complicated.
Why is a compromised Active Directory such a nightmare for CISOs?
AD serves an essential role in the day-to-day running of a business, authenticating and authorising all users and devices for Windows-based networks. The directory plays a central part in security strategies as it also handles the assignment and enforcement of security policies for all devices, as well as the installation and updating of software.
AD is vital in providing authorised access, serving as a central repository for all information relating to the network such as credentials, users, computers, and applications. With so much valuable information in one place, taking control of AD is one of the most desirable prizes for any threat actor. Further, the fact that Active Directory is connected to all devices on the network by necessity means that any compromised endpoint can potentially access it.
Gaining access to AD enables attackers to acquire valuable information on accounts to target and escalate their intrusion. According to the MITRE ATT&CK framework, AD is crucial for 10 of the 12 steps most commonly taken by threat actors, including privilege escalation, lateral movement, and data exfiltration. As such, it has a well-earned reputation as being the “Keys to the Kingdom” in any cyber-attack.
What methods do cyber attackers use to gain access to an organisation’s Active Directory?
When using a tool such as Bloodhound, an intruder can determine the shortest lateral attack path to achieve Domain Administrator privileges on the network – granting them an extremely high level of privileged powers that they can use to escalate the attack further.
Threat actors commonly begin their attacks by using malicious emails, drive-by downloads, watering hole attacks, or other tactics to gain initial entry into the network. They rely on unsuspecting users opening emails, clicking on links, visiting sites, or making mistakes to initiate a compromise. Once they have access to the initial entry point, they can steal any stored account information or steal in-memory credentials and hashes with tools like Mimikatz. They may also use other credential theft techniques like Man-in-the-Middle attacks to intercept valid credentials in transit.
The moment threat actors have access to the first infected AD-member system, they have access to critical AD data. They frequently deploy automated attack tools such as Bloodhound to enumerate the AD and map out the entire environment. This reconnaissance enables threat actors to identify the high-value assets, systems, and privileged user accounts necessary to complete their objectives. From here, they can form a plan of attack that can most directly access these assets while leaving a minimum level of evidence to alert security teams.
What measures should companies be taking to mitigate the risk of a cybercriminal getting to their Active Directory?
Organisations should be following several best practices to secure their AD. Strict policies around user security, such as the use of strong passwords and 2FA, can help reduce the chances of attackers acquiring credentials. Establishing separate administrator accounts per person alongside implementing tiers of access can help to limit the damage a single compromised endpoint can inflict.
Also, organisations can use behavioural analytics to monitor for anomalous behaviours that may indicate that threat actors have compromised a user account, potentially identifying them before they can escalate their attacks. Red teaming activity is also valuable here, as the team can simulate a real attacker and discover viable attack paths that attackers might exploit.
Due to the damage an AD attack can inflict, organisations should also be seeking out new ways to protect their systems to keep ahead of the evolving tactics of attackers. One particularly effective new strategy is to use deceptive techniques against the intruder.
This approach involves the creation of a decoy environment populated by realistic fake assets, including the AD controllers. These decoys are immediately effective against any network-based reconnaissance activity and misinform attempts to map the network. The fake AD controllers can appear as trusted servers in the production AD environment, but only validate decoy credentials seeded on production endpoints to the deception environment. Attackers that steal these decoy credentials and follow them end up within the decoy environment, authorised by the decoy AD and landing in a subnet that appears real but contains only decoys. The decoy environment records their every move and alerts the security team to their activities while identifying the source of the attack.
Additionally, deception modules on production systems can identify unauthorised queries from compromised systems, whether from an automated tool like Bloodhound or a remote attacker entering commands and return fake data that leads to the decoy environment. Attackers would have a hard time distinguishing the real credentials and other AD data from the false information the deception feeds them, causing them to lose time and making them question the effectiveness of their tools. Such misinformation and misdirection tricks them early in the attack cycle, which disrupts their ability to progress their attack while alerting the security team to their presence, sometimes before they can move laterally from the initially infected systems. The deception occurs even when the attacker is just attempting to observe the environment during AD reconnaissance and has no impact on the production AD environment or operations.
Alongside preventing an intruder from reaching the production AD environment, this approach also provides security teams with valuable insight on their adversaries. As the would-be attacker stumbles through this deceptive environment trying to locate the real assets, the security team has them under constant surveillance, recording all of their secrets. By monitoring the threat actor’s activity, security teams can learn a great deal about their TTPs (tactics, techniques, and procedures). This insight enables them to strengthen existing defences and close any gaps the attacker exploited, leaving them much better prepared to repel future attempts.
Attackers targeting AD hope to use its capabilities to conceal their activity better as they escalate their intrusion. By tricking them into revealing themselves at the early stage of inquiry and redirecting the attack into entering a deceptive environment full of decoys instead of production systems, defenders can fool them into revealing all of their secrets.
Carolyn Crandall, Chief Deception Officer, Attivo Networks