How to Recognize and Prevent Active Directory Attacks

Part of Solutions Review’s Premium Content Series – a collection of columns written by industry experts in maturing software categories – Carolyn Crandall, the Chief Security Advocate at Attivo Networks, shares some expert insights on how to recognize and avoid Active Directory attacks.

Active Directory (AD) is under attack. This is not an exaggeration, an intentionally provocative statement, or a clickbait headline, but a fact. Five years ago, Microsoft said that more than 95 million AD accounts were attacked daily. That number has since exploded, with Microsoft sharing that in 2021, Azure Active Directory alone saw over 25.6 billion brute-force attacks. It’s not hard to see what makes AD an attractive target for attackers: it effectively serves as the GPS for the entire organization, managing identity and authentication services for over 90% of businesses today. Compromising AD can give an attacker a skeleton key to the entire network.

Unfortunately, too many of these attacks succeed. One of the main reasons for this is that AD is notoriously difficult to secure. Because it controls authentication on the network, every user, device, application, or identity on the network requires some level of access to AD, making it difficult to distinguish suspicious activity from standard behavior patterns without certain protections in place.

Fortunately, modern identity protection tools like those in the new Identity Detection and Response (IDR) category give defenders a better idea of what to look for and help them detect and deflect adversaries before they can escalate their attacks.

The Danger of Credential-Based Attacks

Credential-based attacks have increased steadily over the past few years, with the latest Verizon Data Breach Investigations Report (DBIR) indicating that 61% of breaches now involve credentials. It’s a shockingly high number, but it makes sense. After all, if a user is accessing the network with a valid username and password, most defenses have little reason to suspect that the behavior is malicious. Without the ability to identify anomalous behavior even from apparently valid users, an adversary with a working set of credentials can often roam the network unnoticed.

Unfortunately, organizations often store credentials in places that adversaries can easily access. For example, many passwords live on the endpoint itself, network credentials reside in memory, and browsers, email clients, and other applications store all kinds of passwords. Attackers who compromise a workstation or user account will often have little difficulty accessing stored credentials, some of which may even be administrator credentials. From there, it’s a direct line to Active Directory, where they can elevate their privileges and gain access to things like on-premises groups, applications, and file storage.

These tactics exacerbate what is already a significant problem for businesses today. Recent Enterprise Management Associates (EMA) research indicates that 50% of enterprises have experienced attacks against AD in the last two years, and more than 40% said that these attacks were successful. This is an unacceptable success rate for adversaries, but it is not surprising. To stop AD attacks, defenders need to know what to look for and have the tools to make an attacker’s life as difficult as possible.

Signs of an AD attack and what to do about them

Finding vulnerabilities that could allow an attacker to gain access to Active Directory is the first place to start. If defenders can find identity exposures, they should assume attackers could use them (and likely already have) to escalate their attack. Stopping AD attacks requires visibility across the entire network, starting with the endpoints where adversaries steal credentials.

Defenders need quick visibility into exposures such as exposed admin credentials, potential attack paths, and phantom admin accounts. Reducing the attack surface is critical: limit access to credentials stored on endpoints, and alert on unauthorized attempts to read them. Attackers can do significant damage with a set of valid credentials. For example, those who get their hands on the right set of credentials can use them to access specific resources, reset other users’ passwords, request short-lived tokens, request API tokens, or conduct other attack activities.

AD attacks can happen quickly. Dissecting logs for signs of intrusion after the fact is valuable for identifying attack signatures and generating adversary intelligence, but it is usually insufficient to derail an attack before the adversary reaches their objective. Organizations need live attack detection, and actions such as mass account lockouts or mass account deletions should trigger immediate alerts.

Suspicious password changes on sensitive accounts or mass password resets should also be reported (although these may be more indicative of a password spray attack than of a targeted AD attack). Things like creating suspicious services on a domain controller, using the default Administrator account, or re-enabling privileged accounts are also potential signs of an AD attack in progress.

Additionally, deploying tools capable of hiding real AD objects from attackers, intercepting unauthorized queries, and returning false information will throw attackers off their game, as will seeding the environment with decoy “admin” identities and AD decoys designed to trick adversaries into revealing their presence. These provide both an active and a passive element to AD defense, making it difficult for attackers to see the network accurately, trust their tools, or avoid stepping on the landmines that alert defenders to their presence.
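As an added illustration (not code from the author or from any Attivo Networks product), the following Python script runs the detection rules described above (mass password resets, mass deletions and lockouts, password resets on sensitive accounts, re-enabled privileged accounts, services installed on a domain controller, use of the default Administrator account, and any logon with a decoy account) over a handful of constructed Windows event records. The Event IDs are the standard Windows Security/System log IDs (4724 password reset, 4726 account deleted, 4740 lockout, 4722 account enabled, 7045 service installed, 4624 logon); the hostnames, account names, thresholds and the 5-minute window are hypothetical and would be tuned to the environment.

```python
"""Toy live-detection rules for the AD attack signs discussed above.

Events are plain dicts with the fields a SIEM would normalize out of the
Windows Security/System logs: time, event id, acting subject, target
account or service, and host. All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical tuning values; a real deployment would set these per environment.
MASS_WINDOW = timedelta(minutes=5)
MASS_THRESHOLD = 5
SENSITIVE_ACCOUNTS = {"Administrator", "krbtgt", "svc-backup"}
DECOY_ACCOUNTS = {"admin-backup"}          # honeytoken: never used legitimately
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed sample telemetry (hypothetical hosts and accounts).
SAMPLE_EVENTS = [
    {"time": "2022-03-01T08:30:00", "id": 4724, "subject": "j.helpdesk", "target": "u.foxtrot", "host": "DC01"},
    {"time": "2022-03-01T09:00:01", "id": 4724, "subject": "svc-helpdesk", "target": "u.alpha", "host": "DC01"},
    {"time": "2022-03-01T09:00:20", "id": 4724, "subject": "svc-helpdesk", "target": "u.bravo", "host": "DC01"},
    {"time": "2022-03-01T09:00:41", "id": 4724, "subject": "svc-helpdesk", "target": "u.charlie", "host": "DC01"},
    {"time": "2022-03-01T09:01:05", "id": 4724, "subject": "svc-helpdesk", "target": "u.delta", "host": "DC01"},
    {"time": "2022-03-01T09:01:30", "id": 4724, "subject": "svc-helpdesk", "target": "u.echo", "host": "DC01"},
    {"time": "2022-03-01T09:02:00", "id": 4724, "subject": "svc-helpdesk", "target": "krbtgt", "host": "DC01"},
    {"time": "2022-03-01T09:03:10", "id": 4722, "subject": "svc-helpdesk", "target": "svc-backup", "host": "DC01"},
    {"time": "2022-03-01T09:04:00", "id": 7045, "subject": "svc-helpdesk", "target": "PSEXESVC", "host": "DC01"},
    {"time": "2022-03-01T09:05:00", "id": 4624, "subject": "-", "target": "Administrator", "host": "DC02"},
    {"time": "2022-03-01T09:06:00", "id": 4624, "subject": "-", "target": "admin-backup", "host": "WS07"},
    {"time": "2022-03-01T09:07:00", "id": 4624, "subject": "-", "target": "u.alpha", "host": "WS03"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def mass_action_alerts(events, event_id, label, key="subject",
                       window=MASS_WINDOW, threshold=MASS_THRESHOLD):
    """Sliding-window count: flag any actor (grouped by `key`) that generates
    `threshold` or more events of `event_id` inside `window`.
    key=None counts all matching events together (useful for 4740 lockouts,
    whose subject is the system rather than an attacker-controlled account).
    """
    groups = defaultdict(list)
    for e in events:
        if e["id"] == event_id:
            groups[e[key] if key else "*"].append(_ts(e))
    alerts = []
    for actor, times in groups.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((label, f"{actor}: {end - start + 1} events within "
                                      f"{window} ending {times[end].isoformat()}"))
                break  # one alert per actor is enough for a live signal
    return alerts


def single_event_alerts(events):
    """Rules that fire on one event regardless of rate."""
    alerts = []
    for e in events:
        eid, target, host = e["id"], e["target"], e["host"]
        if eid == 4724 and target in SENSITIVE_ACCOUNTS:
            alerts.append(("password reset on sensitive account", f"{e['subject']} reset {target}"))
        if eid == 4722 and target in SENSITIVE_ACCOUNTS:
            alerts.append(("privileged account re-enabled", f"{e['subject']} enabled {target}"))
        if eid == 7045 and host in DOMAIN_CONTROLLERS:
            alerts.append(("service installed on domain controller", f"{target} on {host}"))
        if eid == 4624 and target == "Administrator":
            alerts.append(("default Administrator account logon", f"on {host}"))
        if eid == 4624 and target in DECOY_ACCOUNTS:
            alerts.append(("decoy account used", f"{target} logged on to {host}"))
    return alerts


def detect(events):
    """Run every rule and return a list of (rule name, detail) tuples."""
    alerts = []
    alerts += mass_action_alerts(events, 4724, "mass password reset")
    alerts += mass_action_alerts(events, 4726, "mass account deletion")
    alerts += mass_action_alerts(events, 4740, "mass account lockout", key=None)
    alerts += single_event_alerts(events)
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"ALERT [{rule}] {detail}")
```

The sliding window is what separates a helpdesk operator resetting one password from a compromised service account resetting six in two minutes; the single-event rules need no baseline at all, which is exactly why a decoy account that no one should ever use makes such a reliable tripwire.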

Stopping AD attacks is difficult, but not impossible

Active Directory is inherently difficult to secure, but that doesn’t mean organizations are relegated to leaving it unprotected. Defense in depth starts with continuous, automated exposure visibility, which significantly reduces the ability of attackers to quickly obtain the credentials they need, move laterally within the network, and compromise AD. By adding identity detection and response tools capable of providing this level of visibility, organizations can extend their security coverage far beyond the reach of traditional defenses.

With IDR, security teams can detect identity-based attacks that use stolen credentials, attempt to elevate privileges, and seek domain control for mass distribution of malware or ransomware. AD remains a prime target for ransomware operators, and credential-based attacks are increasing in frequency given their relative ease and effectiveness. All trends indicate that identity is the new battleground for cybersecurity in 2022. To prepare for this, organizations need to rethink their security postures with identity in mind.
