Tuesday, 31 March 2020 15:30

Why deception rules in the defence of Active Directory

GUEST OPINION by Jim Cook, Attivo Networks: A long time target for adversaries, Active Directory is getting a long-awaited defensive makeover, writes Jim Cook, ANZ Regional Director, Attivo Networks.

Ask any attacker – Active Directory (AD) is a massive source of information…and it is designed to give it out to those that ask! Need to know who has Domain Credentials? Just ask AD. Who are the privileged users? AD knows. How do I get from User A to Server C? Use a tool like Bloodhound to ask AD and it will automatically gather the information for you.

Cybersecurity professionals understand the importance of reducing “dwell time” - how long an adversary can remain undetected before being discovered and ejected. Dwell times have drastically improved, down from a median of 418 days in 2011 to 56 days in 2019, according to the 2020 FireEye M-Trends report. New and improved technologies as well as adopting industry best practices have both contributed to this reduction but, as an industry, we still need to do a better job of bringing this number down. Putting more effective tools into the hands of defenders and giving them some defensive teeth is a good step.

“We really haven’t moved much in the last five or six years on how we detect attackers early in the lifecycle,” lamented the security leader of an S&P500 company in a recent discussion. It’s true; tools and technologies for defenders have not kept pace with those available to Red teams and attackers.

Today’s adversaries have access to highly sophisticated toolboxes. As evidenced by median dwell times, they have time on their side and can count on the element of surprise. Let’s be honest - many security folks still don’t know what’s going on inside their own environment, let alone what’s actually levelled against them. Additionally, organisations face a predicament where attackers only have to be right once, whereas defenders and defensive systems have to be right all the time in order to prevent a successful attack.

AD is Still the Crown Jewels

This predicament exists in many security domains, but for the purposes of this article, we’re going to focus on one of the most common targets for attackers: Microsoft’s Active Directory (AD). Microsoft launched AD in the late ‘90s, and it quickly became the standard in the identity management market.

For any company, AD is the crown jewels of its security infrastructure, as inside AD resides a complete list of all the users, machines, logical grouping, and privileges. This confluence of information is compelling, and it enables and supports operations and user activities at work, in transit, or at home offices. Also, other programs leverage AD to determine the access and privilege level of the users.

By design, AD holds and shares information on the network to regulate users and machines accessing the company’s resources. It is also vital to remember that every computer on the company’s network can talk (has access) to the AD, making it a frequent target for attackers. Once attackers have access to AD, they can quickly identify which accounts to target and that have access to endpoints to compromise for information of interest.

Every security practitioner’s nightmare is to have a vulnerable/compromised AD, which explains why almost every Red team test includes trying to access it. Compromising the primary AD servers provides a way to move laterally within a network and find credentials to abuse for privileged access to data and administrative access to systems.

AD is also Active Deception

A quick Google search turns up a myriad of ways to break into AD. Many attacks start with an email phish, and while organisations have gotten better at educating people and reducing the risk, the effect is that while fewer people click, the tried and true paths still work. Once in, attackers have access to sophisticated - often open-source - tools like BloodHound that can map an AD environment and uncover paths for lateral movement or privilege escalation. Forrester Research estimates that 80 percent of security breaches result in privilege abuse.

Defenders know this and have tried to craft secure practices around some of AD’s capabilities. A best practice like having separate administrator accounts - both for tiers of access and per person - limits the ability for a single compromised account to create havoc. Besides implementing best practices, running Red team exercises, and keeping network and security hygiene up-to-date, what else is there to do?

The rise of active deception defence techniques and tools, such as Attivo Networks ADSecure, is helping defenders gain the upper hand. Such systems can - for example - detect the initial query against AD, modify the results, and feed the attacker fake data, like deceptive credentials or decoy systems to infect safely away from the network (which captures their signatures and intent).
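As an added illustration (not code from this article, from Attivo Networks or from ADSecure), here is the alerting half of the deception pattern just described: a set of planted decoy account names that no legitimate user or service ever uses, a few constructed authentication events shaped after Windows Security log fields, and a function that turns any touch of a decoy into a high-severity alert grouped per source host.

```python
"""Decoy-account alerting for an AD deception layer (added illustration).

Assumption: the deception layer has seeded AD with accounts that nothing
legitimate ever authenticates as, so any event naming one of them is a
high-confidence sign that an attacker is acting on enumerated data.
The events below are constructed samples, not captured logs; the Event IDs
follow Windows Security log conventions (4624 logon, 4625 failed logon,
4768 Kerberos TGT request).
"""
from dataclasses import dataclass

# Constructed decoy names; in practice these come from the deception tool.
DECOY_ACCOUNTS = {"svc_backup_adm", "sql_legacy_sa"}


@dataclass(frozen=True)
class AuthEvent:
    event_id: int
    account: str
    source_ip: str
    status: str  # "success" or "failure"


SAMPLE_EVENTS = [  # constructed sample data
    AuthEvent(4624, "alice", "10.0.5.21", "success"),
    AuthEvent(4768, "svc_backup_adm", "10.0.5.88", "failure"),
    AuthEvent(4624, "bob", "10.0.5.22", "success"),
    AuthEvent(4625, "sql_legacy_sa", "10.0.5.88", "failure"),
    AuthEvent(4768, "svc_backup_adm", "10.0.5.88", "failure"),
]


def decoy_alerts(events, decoys=DECOY_ACCOUNTS):
    """Return one alert per (source_ip, account) pair that touched a decoy,
    counting attempts so a single noisy host produces one ticket rather
    than one per event. Success or failure is irrelevant: the decoy should
    never be used at all, so the attempt itself is the signal."""
    hits = {}
    for ev in events:
        name = ev.account.lower()
        if name in decoys:
            key = (ev.source_ip, name)
            hits[key] = hits.get(key, 0) + 1
    return [
        {"source_ip": ip, "account": acct, "attempts": n, "severity": "high"}
        for (ip, acct), n in sorted(hits.items())
    ]


if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_EVENTS):
        print(alert)
```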

Deception technology makes it such that defenders no longer have to be right all the time. They can stop attackers at the door or sow enough confusion to slow their progress - give them pause, make them think and encourage them to misstep. It’s a change in the defensive posture, but one that’s already making a significant difference to defenders everywhere.
