Ask any attacker – Active Directory (AD) is a massive source of information…and it is designed to give it out to those that ask! Need to know who has Domain Credentials? Just ask AD. Who are the privileged users? AD knows. How do I get from User A to Server C? Use a tool like Bloodhound to ask AD and it will automatically gather the information for you.
Cybersecurity professionals understand the importance of reducing “dwell time” - how long an adversary can remain undetected before being discovered and ejected. Dwell times have drastically improved, down from a median of 418 days in 2011 to 56 days in 2019, according to the 2020 FireEye M-Trends report. New and improved technologies as well as adopting industry best practices have both contributed to this reduction but, as an industry, we still need to do a better job of bringing this number down. Putting more effective tools into the hands of defenders and giving them some defensive teeth is a good step.
“We really haven’t moved much in the last five or six years on how we detect attackers early in the lifecycle,” lamented the security leader of an S&P500 company in a recent discussion. It’s true; tools and technologies for defenders have not kept pace with those available to Red teams and attackers.
Today’s adversaries have access to highly sophisticated toolboxes. As evidenced by median dwell times, they have time on their side and can count on the element of surprise. Let’s be honest - many security folks still don’t know what’s going on inside their own environment, let alone what’s actually levelled against them. Additionally, organisations face a predicament where attackers only have to be right once, whereas defenders and defensive systems have to be right all the time in order to prevent a successful attack.
AD is Still the Crown Jewels
This predicament exists in many security domains, but for the purposes of this article, we’re going to focus on one of the most common targets for attackers: Microsoft’s Active Directory (AD). Microsoft launched AD in the late ‘90s, and it quickly became the standard in the identity management market.
For any company, AD is the crown jewels of its security infrastructure, as inside AD resides a complete list of all the users, machines, logical grouping, and privileges. This confluence of information is compelling, and it enables and supports operations and user activities at work, in transit, or at home offices. Also, other programs leverage AD to determine the access and privilege level of the users.
By design, AD holds and shares information on the network to regulate which users and machines may access the company’s resources. It is also vital to remember that every computer on the company’s network can talk to (has access to) AD, making it a frequent target for attackers. Once attackers have access to AD, they can quickly identify which accounts to target, and which of those have access to endpoints worth compromising for information of interest.
Every security practitioner’s nightmare is to have a vulnerable/compromised AD, which explains why almost every Red team test includes trying to access it. Compromising the primary AD servers provides a way to move laterally within a network and find credentials to abuse for privileged access to data and administrative access to systems.
AD is also Active Deception
A quick Google search turns up a myriad of ways to break into AD. Many attacks start with an email phish; organisations have gotten better at educating people and reducing the risk, so fewer people click, but the tried and true paths still work. Once in, attackers have access to sophisticated - often open-source - tools like BloodHound that can map an AD environment and uncover paths for lateral movement or privilege escalation. Forrester Research estimates that 80 percent of security breaches result in privilege abuse.
Defenders know this and have tried to craft secure practices around some of AD’s capabilities. A best practice like having separate administrator accounts - both for tiers of access and per person - limits the ability of a single compromised account to create havoc. Besides implementing best practices, running Red team exercises, and keeping network and security hygiene up-to-date, what else is there to do?
The rise of active deception defence techniques and tools, such as Attivo Networks ADSecure, is helping defenders gain the upper hand. Such systems can, for example, detect the initial query against AD, modify the results, and feed the attacker fake data, like deceptive credentials or decoy systems that can be infected safely away from the production network (which captures the attackers’ signatures and intent).
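To make the two ideas above concrete, the reconnaissance that tools like BloodHound perform and the tripwire value of deceptive credentials, here is an added example (not from the article and not Attivo’s code) that runs two simple detections over a constructed, simplified AD event stream: a client that pulls whole object classes over LDAP in a short burst, and any authentication that touches a decoy account. The decoy account names, client names, event layout and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed decoy accounts planted purely as tripwires; nobody should ever use them.
DECOY_ACCOUNTS = {"svc_backup_admin", "helpdesk_t0"}
# Filters that return an entire object class (compared lower-cased, spaces removed).
# A targeted lookup like (&(objectClass=user)(sAMAccountName=jsmith)) is not
# matched; the heuristic is deliberately simple.
BROAD_FILTERS = {"(objectclass=user)", "(objectclass=group)",
                 "(objectclass=computer)", "(objectcategory=computer)"}
WINDOW = timedelta(minutes=5)   # sliding window for counting broad searches
BURST_THRESHOLD = 3             # broad searches per client inside the window

def is_broad(ldap_filter):
    f = ldap_filter.replace(" ", "").lower()
    # samAccountType=805306368 selects every normal user account
    return f in BROAD_FILTERS or f.startswith("(samaccounttype=")

def analyse(events):
    """events: dicts with ts (datetime), kind ('ldap' or 'auth'), client, and
    filter (ldap) or account (auth). Returns alert tuples in time order."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["kind"] == "auth" and e["account"].lower() in DECOY_ACCOUNTS:
            alerts.append(("DECOY_ACCOUNT_USED", e["client"], e["account"]))
        elif e["kind"] == "ldap" and is_broad(e["filter"]):
            hits = recent[e["client"]]
            hits.append(e["ts"])
            while e["ts"] - hits[0] > WINDOW:   # expire hits outside the window
                hits.pop(0)
            if len(hits) == BURST_THRESHOLD:    # alert once per burst
                alerts.append(("AD_ENUMERATION_BURST", e["client"], len(hits)))
    return alerts

T = datetime(2020, 6, 1, 9, 0)

def ev(offset_s, kind, client, value):
    """Build a constructed, simplified event record offset_s seconds after T."""
    return {"ts": T + timedelta(seconds=offset_s), "kind": kind, "client": client,
            ("filter" if kind == "ldap" else "account"): value}

SAMPLE_EVENTS = [  # constructed: ws-04 behaves normally, ws-17 does not
    ev(0, "ldap", "ws-04", "(&(objectClass=user)(sAMAccountName=jsmith))"),
    ev(60, "ldap", "ws-17", "(samAccountType=805306368)"),
    ev(90, "ldap", "ws-17", "(objectClass=group)"),
    ev(120, "ldap", "ws-17", "(objectClass=computer)"),
    ev(180, "auth", "ws-04", "jsmith"),
    ev(1200, "auth", "ws-17", "svc_backup_admin"),
]
```

Calling `analyse(SAMPLE_EVENTS)` flags ws-17 twice: once for the enumeration burst and once for touching the decoy account, while ws-04’s targeted lookup and normal logon produce nothing.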
Deception technology makes it such that defenders no longer have to be right all the time. They can stop attackers at the door or sow enough confusion to slow their progress - give them pause, make them think and encourage them to misstep. It’s a change in the defensive posture, but one that’s already making a significant difference to defenders everywhere.