Tuesday, 31 March 2020 15:11

Why deception rules in the defence of Active Directory


GUEST OPINION by Jim Cook, Attivo Networks: A long-time target for adversaries, Active Directory is getting a long-awaited defensive makeover, writes Jim Cook, ANZ Regional Director, Attivo Networks.

Ask any attacker: Active Directory (AD) is a massive source of information, and it is designed to give that information out to anyone who asks. Need to know who holds domain credentials? Just ask AD. Who are the privileged users? AD knows. How do I get from User A to Server C? Point a tool like BloodHound at AD and it will gather the answer for you automatically.

Cybersecurity professionals understand the importance of reducing "dwell time": how long an adversary remains inside an environment before being discovered and ejected. Dwell times have improved drastically, down from a median of 418 days in 2011 to 56 days in 2019, according to the 2020 FireEye M-Trends report.

New and improved technologies and the adoption of industry best practices have both contributed to this reduction but, as an industry, we still need to do a better job of bringing this number down. Putting more effective tools into the hands of defenders, and giving them some defensive teeth, is a good step.

“We really haven’t moved much in the last five or six years on how we detect attackers early in the lifecycle,” lamented the security leader of an S&P 500 company in a recent discussion. It’s true; tools and technologies for defenders have not kept pace with those available to Red teams and attackers.

Today’s adversaries have access to highly sophisticated toolboxes. As evidenced by median dwell times, they have time on their side and can count on the element of surprise. Let’s be honest - many security folks still don’t know what’s going on inside their own environment, let alone what’s actually levelled against them. Additionally, organisations face a predicament where attackers only have to be right once, whereas defenders and defensive systems have to be right all the time in order to prevent a successful attack.

AD is Still the Crown Jewels

This predicament exists in many security domains, but for the purposes of this article we are going to focus on one of the most common targets for attackers: Microsoft’s Active Directory (AD). Microsoft shipped AD with Windows 2000, and it quickly became the standard in the identity management market.

For any company, AD is the crown jewels of its security infrastructure: inside it resides a complete list of all the users, machines, logical groupings and privileges. That confluence of information is what makes it so valuable, as it enables and supports operations and user activity at work, in transit or in home offices. Other applications also rely on AD to determine the access and privilege level of users.

By design, AD holds and shares information across the network in order to regulate which users and machines may access the company’s resources. It is also vital to remember that every computer on the company’s network can talk to AD, and by default any authenticated domain account can read most of what it holds, which makes it a frequent target for attackers. Once attackers can query AD, they can quickly identify which accounts to target and which endpoints those accounts can reach, then compromise those for the information they are after.

Every security practitioner’s nightmare is a vulnerable or compromised AD, which explains why almost every Red team engagement includes an attempt to reach it. Compromising the domain controllers provides a way to move laterally within the network and to find credentials to abuse for privileged access to data and administrative access to systems.

AD is also Active Deception

A quick Google search turns up a myriad of ways to break into AD. Many attacks start with a phishing email, and while organisations have got better at educating people, the result is that fewer people click yet the tried-and-true paths still work. Once in, attackers have access to sophisticated, often open-source, tools like BloodHound that map an AD environment and uncover paths for lateral movement or privilege escalation. Forrester Research estimates that 80 percent of security breaches involve the abuse of privileged credentials.

Defenders know this and have tried to craft secure practices around some of AD’s capabilities. A best practice like separate administrator accounts, both per tier of access and per person, limits the damage a single compromised account can do, because the account used for day-to-day work is never the one that holds domain-wide rights. Beyond implementing best practices, running Red team exercises and keeping network and security hygiene up to date, what else is there to do?
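As an added illustration, not code from the article, from Attivo Networks or from BloodHound itself, the Python below builds a small BloodHound-style graph from constructed AD relationships and answers two questions raised above: how an ordinary user gets from User A to Server C, and where the tiered-admin rule is broken because a privileged account has a session on a machine that lower-tier admins control. Every account, group and host name is an invented assumption; the edge types and their direction follow BloodHound's conventions.

```python
from collections import defaultdict, deque

# Constructed sample edges, modelled on BloodHound's edge types and direction:
#   principal -[MemberOf]-> group, principal -[AdminTo]-> computer,
#   computer -[HasSession]-> user (that user's credentials are in memory there).
# Every account, group and host name below is invented for this example.
SAMPLE_EDGES = [
    ("alice@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "bob@CORP.LOCAL"),
    ("bob@CORP.LOCAL", "MemberOf", "SERVER ADMINS@CORP.LOCAL"),
    ("SERVER ADMINS@CORP.LOCAL", "AdminTo", "SRV-FILE01.CORP.LOCAL"),
    ("SRV-FILE01.CORP.LOCAL", "HasSession", "carol@CORP.LOCAL"),
    ("carol@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("DOMAIN ADMINS@CORP.LOCAL", "AdminTo", "DC01.CORP.LOCAL"),
    ("dave@CORP.LOCAL", "MemberOf", "FINANCE@CORP.LOCAL"),  # dead end: no admin rights anywhere
]

# How an attacker reads each edge type when planning the next move.
ATTACKER_VIEW = {
    "MemberOf": "inherits the rights of",
    "AdminTo": "is local admin on",
    "HasSession": "holds the logged-on credentials of",
}


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def shortest_path(edges, start, target):
    """Breadth-first search from a principal to a target node. Returns the hops
    as [(src, relationship, dst), ...], or None if the target is unreachable.
    BFS yields the fewest hops, which is what BloodHound's shortest-path queries show."""
    graph = build_graph(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    hops, node = [], target
    while parent[node] is not None:
        prev, rel = parent[node]
        hops.append((prev, rel, node))
        node = prev
    return hops[::-1]


def describe(hops):
    """Render a path the way a red-teamer would narrate it."""
    return [f"{src} {ATTACKER_VIEW[rel]} {dst}" for src, rel, dst in hops]


def groups_of(graph, principal):
    """All groups a principal belongs to, following nested MemberOf edges."""
    seen, stack = set(), [principal]
    while stack:
        for rel, nxt in graph[stack.pop()]:
            if rel == "MemberOf" and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def tier_violations(edges, privileged_group):
    """Where does a member of privileged_group have a session on a computer that
    principals outside that group can administer? Each hit leaves the privileged
    credential in memory on a box a lower-tier admin controls, which is exactly
    what separate, tiered admin accounts are meant to prevent.
    Returns sorted (computer, privileged_user, lower_tier_admin) tuples."""
    graph = build_graph(edges)
    admins = defaultdict(set)  # computer -> principals holding AdminTo on it
    for src, neighbours in list(graph.items()):
        for rel, dst in neighbours:
            if rel == "AdminTo":
                admins[dst].add(src)
    findings = set()
    for computer, neighbours in list(graph.items()):
        for rel, user in neighbours:
            if rel != "HasSession" or privileged_group not in groups_of(graph, user):
                continue
            for admin in admins[computer]:
                if admin != privileged_group and privileged_group not in groups_of(graph, admin):
                    findings.add((computer, user, admin))
    return sorted(findings)
```

On the sample data, `describe(shortest_path(SAMPLE_EDGES, "alice@CORP.LOCAL", "DC01.CORP.LOCAL"))` walks eight hops from a help-desk user to a domain controller without a single exploit, purely through group membership, local admin rights and logged-on sessions, and `tier_violations(SAMPLE_EDGES, "DOMAIN ADMINS@CORP.LOCAL")` flags the one place the chain depends on: a Domain Admin session sitting on a server that the lower-tier server admins control. Removing that session (or that admin right) breaks the path, which is the point of the tiering practice described above.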

The rise of active deception defence techniques and tools, such as Attivo Networks’ ADSecure, is helping defenders gain the upper hand. Such systems can, for example, detect the initial query against AD, modify the results, and feed the attacker fake data: deceptive credentials, or decoy systems that can be ‘infected’ safely away from the production network while capturing the attacker’s tools, signatures and intent.
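As an added example, not code from the article or from any Attivo product, the Python below shows the detection half of the deceptive-credential idea: once decoy accounts have been seeded into AD, any authentication attempt against one of them is, by construction, an attacker following the bait, so the alert needs no tuning and no baseline. The events are constructed dictionaries modelled on the EventData fields of Windows Security events 4768, 4771, 4624 and 4625; the decoy account names, hosts and IP addresses are assumptions. Seeding the decoys, and making them look worth stealing, is outside what this snippet covers.

```python
from collections import Counter

# Decoy accounts seeded into AD purely as bait. Nothing legitimate ever
# authenticates as them, so any authentication event naming one is a
# high-confidence signal. The names are invented for this example.
DECOY_ACCOUNTS = {"svc_backup_admin", "sqladmin_legacy"}

# Windows Security event IDs in which TargetUserName is the account being
# authenticated: 4768/4771 Kerberos TGT requested / pre-auth failed (logged on
# the domain controller), 4624/4625 logon succeeded / failed (logged on the
# host that was targeted). Failures matter as much as successes: a password
# guess against a decoy is still an attacker touching the bait.
AUTH_EVENTS = {
    4768: "kerberos TGT request",
    4771: "kerberos pre-auth failure",
    4624: "logon success",
    4625: "logon failure",
}

# Constructed sample events (not real log data), keyed like the EventData
# fields of the Windows Security log. IPs and hostnames are invented.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.1.1.20", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "CORP\\bob", "IpAddress": "10.1.1.21",
     "WorkstationName": "WS02", "Computer": "SRV-FILE01"},
    {"EventID": 4771, "TargetUserName": "svc_backup_admin", "IpAddress": "10.1.1.77", "Computer": "DC01"},
    {"EventID": 4768, "TargetUserName": "SVC_BACKUP_ADMIN@CORP.LOCAL", "IpAddress": "10.1.1.77",
     "Computer": "DC01"},
    {"EventID": 4625, "TargetUserName": "sqladmin_legacy", "IpAddress": "10.1.1.77",
     "WorkstationName": "WS01", "Computer": "SRV-SQL01"},
    {"EventID": 4672, "SubjectUserName": "carol", "Computer": "DC01"},  # privilege assignment, not an auth attempt
]


def normalise_account(name):
    """Reduce 'CORP\\user', 'user@CORP.LOCAL' and mixed case to a bare lower-case account name."""
    return name.split("\\")[-1].split("@")[0].lower()


def decoy_hits(events, decoys=DECOY_ACCOUNTS):
    """One alert per authentication event, success or failure, that names a decoy account."""
    decoys = {normalise_account(d) for d in decoys}
    alerts = []
    for ev in events:
        if ev.get("EventID") not in AUTH_EVENTS:
            continue
        account = normalise_account(ev.get("TargetUserName", ""))
        if account not in decoys:
            continue
        alerts.append({
            "account": account,
            "event": AUTH_EVENTS[ev["EventID"]],
            "source_ip": ev.get("IpAddress", "-"),        # where the attempt came from
            "source_host": ev.get("WorkstationName", "-"),  # present on 4624/4625 only
            "logged_on": ev.get("Computer", "-"),          # DC or target host that recorded it
        })
    return alerts


def sources_by_hits(alerts):
    """Count alerts per source IP: the host that touched several decoys is the one to isolate first."""
    return Counter(a["source_ip"] for a in alerts)
```

Run over the sample, `decoy_hits(SAMPLE_EVENTS)` returns three alerts, all from 10.1.1.77, and ignores the ordinary user logons and the non-authentication 4672 event; `sources_by_hits` then points the responder at that one source. The account normalisation matters in practice because the same decoy shows up as a bare name in Kerberos events and as `DOMAIN\name` or `name@DOMAIN` in logon events, and a detection keyed on the raw string would miss two of the three.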

Deception means defenders no longer have to be right all the time. They can stop attackers at the door, or sow enough confusion to slow their progress: give them pause, make them think, and encourage them to misstep. It is a change in defensive posture, but one that is already making a significant difference to defenders everywhere.
