Active Directory (AD), developed by Microsoft as a set of processes and services for managing Windows domain networks, is used by 90 per cent of Australian businesses. Criminals are attracted to AD because it holds the structure of the network and the account and credential data for its users and computers, allowing them to establish a foothold within an infrastructure, move laterally through the network without detection, and secure administrator privileges.
Cybercriminals are also increasingly targeting Kerberos tickets, which Windows domains use for authentication. Attacks that steal, crack or forge tickets exploit design characteristics of the protocol rather than patchable bugs, so they cannot simply be fixed with an update, and a usable ticket grants the attacker access to other systems. Because AD is also the system that manages users and passwords, a compromise of it can extend into the security controls that depend on it, so it is perhaps unsurprising that a hijacked AD can take an organisation many months to rebuild.
Boosting AD Security
Given the critical and sensitive role that AD plays within an organisation, many people wonder why it isn’t locked down more securely. Unfortunately, the answer comes down to the way AD functions in the first place.
From the outset, Microsoft built AD to give users access to services. AD administrators often separate administrative logins into three tiers (workstations, servers, and AD itself) to limit lateral movement and privilege escalation. Unfortunately, this has repercussions for monitoring access and alerts: security teams may find themselves overwhelmed by the high volume of alerts, or may over-provision access simply to keep things functioning.
To boost AD security, IT security teams have increasingly turned to two complementary approaches: continuous assessment of vulnerabilities in AD, and deception and concealment tactics. Continuous visibility into AD vulnerabilities equips the security team to remediate them promptly, while concealing real AD objects and deploying decoys that lure attackers can detect an attacker’s activity during the initial observation and discovery period.
For example, a cybercriminal might use BloodHound to query AD for the members of the Domain Admins group. The deception technology intercepts this query, hides the real information, and returns fake results.
To the attacker, everything seems normal, and they believe they have obtained the data they sought. If the attacker tries to validate what they found, a deception AD server can confirm the decoy objects while the real ones remain hidden.
When the attacker begins lateral movement using the decoy objects and escalates the attack, the security team is prepared and ready to watch their next move. The attacker uses their newly found “administrator” credentials, which lead them straight into a decoy that records their every step.
This approach to AD security can be potent because the IT security team now knows the attacker’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). TTPs and IOCs are critical intelligence that security teams can use to stop the attacker from advancing further and to prevent future incidents.
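The detection side of the scenario above, as an added example that is not part of the original article or of any vendor’s product: once decoy accounts exist in AD, any authentication activity that touches them is an attack indicator, because no legitimate process ever uses them. The script assumes the defender knows the decoy account names (the names `da-backup` and `svc-sql-legacy` are hypothetical) and receives Windows Security log events as JSON lines; the event IDs and field names (4624, 4625, 4768, 4769, `TargetUserName`, `ServiceName`, `IpAddress`) are the standard Security log ones, and the sample records are constructed for this example.

```python
"""Flag use of decoy AD accounts in Windows Security events.

Added example, not from the original article. Assumes decoy accounts
have been planted in AD and that Security events arrive as JSON lines.
"""
import json
from collections import defaultdict

# Decoy accounts planted by the defender (hypothetical names).
DECOY_ACCOUNTS = {"da-backup", "svc-sql-legacy"}

# Events worth alerting on when they involve a decoy account. Nothing
# legitimate should log on as, or request a Kerberos ticket for, an
# account that exists only to be discovered by an attacker.
WATCHED_EVENTS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT requested (AS-REQ)",
    4769: "Kerberos service ticket requested (TGS-REQ)",
}

# Constructed sample telemetry: a normal user (alice) and an attacker at
# 10.0.9.77 who found the decoys through AD enumeration, requested a
# service ticket for the decoy SPN account, then tried the decoy admin.
SAMPLE_LOG = """
{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.5.23", "WorkstationName": "WS-ALICE"}
{"EventID": 4769, "TargetUserName": "bob", "ServiceName": "svc-sql-legacy", "IpAddress": "10.0.9.77"}
{"EventID": 4768, "TargetUserName": "da-backup", "IpAddress": "10.0.9.77"}
{"EventID": 4625, "TargetUserName": "da-backup", "IpAddress": "10.0.9.77", "WorkstationName": "WS-TEMP"}
{"EventID": 4624, "TargetUserName": "da-backup", "IpAddress": "10.0.9.77", "WorkstationName": "WS-TEMP"}
{"EventID": 4769, "TargetUserName": "alice", "ServiceName": "cifs/FS01", "IpAddress": "10.0.5.23"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def decoy_in_event(event, decoys):
    """Return the decoy account name an event touches, or None.

    For 4769 the account under attack is the service account (ServiceName);
    for the other events it is TargetUserName. Comparison is
    case-insensitive because AD account names are.
    """
    lowered = {d.lower() for d in decoys}
    for name in (event.get("TargetUserName", ""), event.get("ServiceName", "")):
        if name.lower() in lowered:
            return name
    return None


def detect_decoy_use(events, decoys=DECOY_ACCOUNTS):
    """Return one alert per watched event that involves a decoy account."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in WATCHED_EVENTS:
            continue
        hit = decoy_in_event(ev, decoys)
        if hit is None:
            continue
        alerts.append({
            "event_id": eid,
            "description": WATCHED_EVENTS[eid],
            "decoy": hit,
            "requesting_user": ev.get("TargetUserName", "?"),
            "source_ip": ev.get("IpAddress", "?"),
            "workstation": ev.get("WorkstationName", "?"),
        })
    return alerts


def summarise_indicators(alerts):
    """Collapse alerts into per-source IOCs: decoys touched and techniques seen."""
    by_source = defaultdict(lambda: {"decoys": set(), "techniques": []})
    for a in alerts:
        entry = by_source[a["source_ip"]]
        entry["decoys"].add(a["decoy"])
        entry["techniques"].append(a["description"])
    return {ip: {"decoys": sorted(v["decoys"]), "techniques": v["techniques"]}
            for ip, v in by_source.items()}


if __name__ == "__main__":
    found = detect_decoy_use(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"[{a['event_id']}] {a['description']}: decoy={a['decoy']} "
              f"from {a['source_ip']} ({a['workstation']})")
    print(summarise_indicators(found))
```

On the sample data this yields four alerts, all from 10.0.9.77, and the summary gives the defender exactly the IOCs the paragraph above describes: the source address, the decoys it touched, and the sequence of techniques (ticket request for the decoy SPN, then TGT request, failed and successful logons as the decoy admin). Alice’s genuine logon and service ticket request produce nothing. In production the same logic would run over forwarded Security events rather than an inline string, and the decoy list would be kept out of any place the attacker can read.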
An Effective New Approach
Many people are unsure whether this approach will hurt AD’s ability to provide its essential services. That is not the case when the solution is deployed at the endpoint and does not touch the production domain controllers. With this endpoint-based approach, the IT security team does not need privileged access; it only needs to query AD, as any domain user can, to gather the information required to build the deceptive environment and objects.
Attackers have had no reason to distrust their tools and will rely on them until they feel they cannot. By the time an attacker realises the defenders have duped them, it is simply too late.
A less determined attacker may give up in the face of the increased complexity of the attack. More motivated attackers will slow down and incur additional cost as they move more cautiously, suspecting that the security team has become aware of their attack and has gathered critical information on their tools and intent.
Military forces around the world have used deception and decoy tactics for years. Organisations are now seeing the effectiveness of the same approach in defending their IT assets.
Improving AD security allows IT security teams to deny attackers the resources they need and helps ensure digital infrastructures remain secure. Consider what steps you should be taking to improve your organisation’s AD security.