Attackers have had considerable success targeting Active Directory (AD). To an adversary, it is a skeleton key capable of unlocking the rest of the network. AD provides the directory services that let administrators manage permissions and control access to resources throughout the network, which makes it essential to an organization’s day-to-day operations and, for the same reason, a target. Because it manages permissions and authentication, AD has to be readily reachable by its entire user base, and that reachability is what makes it notoriously difficult to secure. Properly protecting AD closes overlooked holes and strengthens the organization’s overall defensive posture.
The Role of Active Directory in Network Operations
AD’s role in network operations is so extensive that most organizations (understandably) lack the in-depth knowledge needed to secure it. It isn’t just a matter of patching known vulnerabilities or correcting misconfigurations: any exposed setting or poorly chosen parameter can give an attacker a foothold. Protecting AD requires visibility into exposures, live attack detection, management of security policies, and insight into compliance drift when those policies are not followed consistently. Major environment changes, such as those that accompany mergers and acquisitions, make management harder still.
Understanding Active Directory’s Value to Attackers
For most enterprises, AD is the central repository for the accounts and systems in the network, and it handles most authentication and authorization to network resources. It is a lucrative target because compromising AD can give an attacker access to those resources along with the rights and privileges needed to make changes that make them harder to find and remove from the environment.
Unfortunately, many open-source and freely available tools, including BloodHound and Mimikatz, make attacking and compromising AD dangerously simple. Attackers use these tools to identify accounts that can grant them administrative rights, and then conduct their attacks in a way that lets them elevate their privileges and hide their tracks. AD can be a business’s Achilles’ heel when it comes to ransomware preparedness: almost every major ransomware attack includes a step in which the attacker leveraged AD for information, privileges, or both. AD can quickly become an adversary’s best friend if it is not adequately protected.
Taking the Necessary Steps to Secure Active Directory
There are established best practices that enterprises should follow, including hardening AD, keeping privileged accounts to a minimum, using jump boxes for administrative access, and applying the relevant Security Technical Implementation Guides (STIGs). But these alone will not keep AD safe. Responsible organizations should also deploy identity security tooling that provides visibility into exposed credentials that create potential attack paths into AD, and visibility into AD exposures and vulnerabilities more generally.
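The following is an added example, not code from the original article or from any vendor it describes, of what “visibility into exposures” and “keeping privileged accounts to a minimum” look like as a concrete check. It audits an exported snapshot of AD user objects for the conditions that typically start an attack path: privileged accounts with service principal names (Kerberoastable), accounts without Kerberos pre-authentication (AS-REP roastable), stale or never-expiring privileged accounts, and orphaned adminCount=1 objects left behind by AdminSDHolder. The record shape follows the ActiveDirectory PowerShell module’s attribute names as they appear in a `Get-ADUser ... | ConvertTo-Json` export, with one simplification: `MemberOf` is given as group names rather than the distinguished names a real export carries. All sample records, the reference time, the 90-day staleness threshold and the severities are this example’s own assumptions.

```python
"""Audit an exported snapshot of AD user objects for exposures that feed attack paths.

Added example, not code from the original article. Records are shaped like a
`Get-ADUser -Filter * -Properties * | ConvertTo-Json` export (ActiveDirectory
module attribute names; MemberOf simplified to group names). The sample records
are constructed and describe no real domain; thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Groups whose membership confers domain-wide control; keep these as small as possible.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators",
}
STALE_AFTER = timedelta(days=90)
# Fixed reference time so the sample output is deterministic (assumption).
NOW = datetime(2022, 9, 1, 9, 0, tzinfo=timezone.utc)


def is_privileged(user):
    return bool(PRIVILEGED_GROUPS & set(user.get("MemberOf", [])))


def _as_datetime(value):
    """Accept the ISO string a JSON export carries, or a datetime; treat naive values as UTC."""
    if value is None:
        return None
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def audit_user(user, now=NOW):
    """Return (severity, finding) tuples for one account record."""
    findings = []
    privileged = is_privileged(user)
    if privileged and user.get("ServicePrincipalName"):
        # Any domain user can request a service ticket for an SPN and crack the
        # account's password offline (Kerberoasting); a privileged target is critical.
        findings.append(("high", "privileged account has SPN (Kerberoastable)"))
    if user.get("DoesNotRequirePreAuth"):
        # Without pre-authentication the KDC hands crackable AS-REP material to anyone.
        findings.append(("high" if privileged else "medium",
                         "Kerberos pre-authentication disabled (AS-REP roastable)"))
    if user.get("PasswordNotRequired"):
        findings.append(("high", "PasswordNotRequired flag set"))
    if privileged and user.get("PasswordNeverExpires"):
        findings.append(("medium", "privileged account password never expires"))
    last = _as_datetime(user.get("LastLogonDate"))
    if privileged and user.get("Enabled") and last and now - last > STALE_AFTER:
        findings.append(("medium", f"privileged account unused for {(now - last).days} days"))
    if user.get("AdminCount") == 1 and not privileged:
        # AdminSDHolder leaves adminCount=1 (and blocked ACL inheritance) behind when an
        # account leaves a protected group; these orphans keep an ACL nobody reviews.
        findings.append(("low", "orphaned adminCount=1 outside privileged groups"))
    return findings


def privileged_accounts(users):
    """Sorted sAMAccountNames holding Tier-0 group membership: the list to keep short."""
    return sorted(u["SamAccountName"] for u in users if is_privileged(u))


def audit_snapshot(users, now=NOW):
    """Map sAMAccountName -> findings for every account that has at least one."""
    report = {}
    for u in users:
        findings = audit_user(u, now)
        if findings:
            report[u["SamAccountName"]] = findings
    return report


# Constructed sample export (not real accounts).
SAMPLE_USERS = [
    {"SamAccountName": "svc_sql", "Enabled": True, "MemberOf": ["Domain Admins"],
     "ServicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "PasswordNeverExpires": True, "LastLogonDate": "2022-08-31T09:00:00+00:00"},
    {"SamAccountName": "jdoe", "Enabled": True, "MemberOf": ["Sales"],
     "DoesNotRequirePreAuth": True},
    {"SamAccountName": "old_admin", "Enabled": True, "MemberOf": ["Domain Admins"],
     "LastLogonDate": "2022-01-15T09:00:00+00:00"},
    {"SamAccountName": "ex_helpdesk", "Enabled": True, "MemberOf": ["Staff"], "AdminCount": 1},
    {"SamAccountName": "alice", "Enabled": True, "MemberOf": ["Staff"]},
]

if __name__ == "__main__":
    print("privileged accounts:", privileged_accounts(SAMPLE_USERS))
    for name, findings in audit_snapshot(SAMPLE_USERS).items():
        for severity, text in findings:
            print(f"[{severity}] {name}: {text}")
```

Run against a real export, the two lists this produces (Tier-0 membership and per-account findings) are the ones worth tracking over time: a privileged-account count that only grows, or a finding that reappears after being fixed, is the compliance drift the text describes.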
New Tools to Secure Active Directory
New tools capable of helping organizations secure AD have also emerged. Identity Threat Detection and Response (ITDR) solutions are now considered an essential element of AD defense, because they help defend against attackers targeting the AD infrastructure inside the network. For faster, more comprehensive threat detection and improved investigation and response times, enterprises need to detect attackers targeting credentials, cloud entitlements, and Active Directory, and ITDR can help. Peter Firstbrook, Vice President of Gartner Research, recently stated, “Identity Threat Detection and Response is a critical capability of any solution calling itself an XDR,” further lending credence to the value of ITDR.
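To make “detecting attackers targeting credentials and Active Directory” concrete, here is an added example (not code from the original article or from any ITDR product) of three detection rules run over Windows Security events: a Kerberoasting sweep (many RC4 service-ticket requests, event 4769, for distinct SPNs by one account in a short window), DCSync (event 4662 in which a non-machine account exercises the DS-Replication-Get-Changes rights on the domain object), and an addition to a Tier-0 group (events 4728/4732/4756). Event fields use the Security log’s EventData names; the sample events, the 10-minute window and the five-service threshold are this example’s own assumptions, and in production the machine-account heuristic in the DCSync rule should be replaced by an explicit allowlist of domain controllers.

```python
"""Detection rules for three AD attack signals, run over constructed Windows
Security events. Added example, not code from the original article.

Each event is a dict with EventID, TimeCreated (ISO 8601) and the EventData
field names from the Security log; real events would come from a log shipper
or Get-WinEvent. Thresholds and sample data are this example's assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Control-access rights a principal needs to replicate secrets from a DC (DCSync).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"                 # TicketEncryptionType that Kerberoast tooling asks for
KERBEROAST_MIN_SERVICES = 5       # distinct SPNs per account before alerting (assumption)
KERBEROAST_WINDOW = timedelta(minutes=10)
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect_kerberoasting(events):
    """One account requesting RC4 service tickets for many distinct SPNs in a short window."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc == "krbtgt" or svc.endswith("$"):
            continue  # TGT renewals and computer-account services are not roastable
        by_user[e["TargetUserName"]].append((_ts(e), svc))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= KERBEROAST_WINDOW}
            if len(in_window) >= KERBEROAST_MIN_SERVICES:
                alerts.append({"rule": "kerberoasting", "account": user,
                               "detail": f"{len(in_window)} distinct RC4 service tickets within {KERBEROAST_WINDOW}"})
                break
    return alerts


def detect_dcsync(events):
    """Replication rights exercised on the domain object by something other than a machine account."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        actor = e.get("SubjectUserName", "")
        if actor.endswith("$"):
            continue  # DCs replicate legitimately; allowlist DC accounts explicitly in production
        props = e.get("Properties", "")
        if isinstance(props, list):
            props = " ".join(props)
        if REPLICATION_RIGHTS & set(GUID_RE.findall(props.lower())):
            alerts.append({"rule": "dcsync", "account": actor,
                           "detail": "DS-Replication-Get-Changes* on " + e.get("ObjectName", "?")})
    return alerts


def detect_privileged_group_change(events):
    """Member added to a Tier-0 group (4728 global, 4732 local, 4756 universal)."""
    alerts = []
    for e in events:
        if e["EventID"] in (4728, 4732, 4756) and e.get("TargetUserName") in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged_group_change", "account": e.get("SubjectUserName"),
                           "detail": f"{e.get('MemberName')} added to {e['TargetUserName']}"})
    return alerts


def detect_all(events):
    return detect_kerberoasting(events) + detect_dcsync(events) + detect_privileged_group_change(events)


# Constructed sample events (not from a real domain).
_ROAST_TARGETS = ["svc_sql", "svc_web", "svc_backup", "svc_sap", "svc_ftp", "svc_print"]
SAMPLE_EVENTS = [
    # jdoe pulls RC4 tickets for six services in five minutes: a Kerberoast sweep.
    *[{"EventID": 4769, "TimeCreated": f"2022-09-01T10:0{i}:00", "TargetUserName": "jdoe@CORP.EXAMPLE",
       "ServiceName": svc, "TicketEncryptionType": RC4_HMAC, "Status": "0x0"}
      for i, svc in enumerate(_ROAST_TARGETS)],
    # alice's single RC4 request is ordinary application use and stays under the threshold.
    {"EventID": 4769, "TimeCreated": "2022-09-01T10:02:30", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC, "Status": "0x0"},
    # DC02 replicating is expected; jdoe exercising the same rights is DCSync.
    {"EventID": 4662, "TimeCreated": "2022-09-01T10:06:00", "SubjectUserName": "DC02$",
     "ObjectName": "DC=corp,DC=example",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2022-09-01T10:07:00", "SubjectUserName": "jdoe",
     "ObjectName": "DC=corp,DC=example",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Group changes: Sales is routine, Domain Admins is not.
    {"EventID": 4728, "TimeCreated": "2022-09-01T10:08:00", "SubjectUserName": "helpdesk1",
     "MemberName": "CN=bob,OU=Staff,DC=corp,DC=example", "TargetUserName": "Sales"},
    {"EventID": 4728, "TimeCreated": "2022-09-01T10:09:00", "SubjectUserName": "jdoe",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
]

if __name__ == "__main__":
    for a in detect_all(SAMPLE_EVENTS):
        print(f"{a['rule']:25} {a['account']:20} {a['detail']}")
```

The three rules are deliberately simple so the signal each one keys on is visible: encryption type plus request rate for Kerberoasting, a specific pair of extended-right GUIDs for DCSync, and group name for the membership change. Each depends on the corresponding audit category (Kerberos service ticket operations, directory service access with a SACL on the domain object, and security group management) actually being enabled on the domain controllers.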
Making Active Directory Security a Priority
Microsoft has estimated that 95 million AD accounts come under attack each day, and that figure has almost certainly risen since the estimate was made. Attackers recognize that the unique nature of AD makes it both highly valuable and difficult to secure, and exploiting it is now a priority for them. Defenders cannot secure their directory services if they do not understand the risks or lack clear insight into when these assets are under attack. ITDR provides continuous visibility into the exposures, misconfigurations, and credentials that attackers seek to exploit during an identity-based attack. Adversaries are not going to stop targeting AD any time soon, but organizations now have tools and resources at their disposal that can quickly detect and derail attackers seeking to exploit credentials and Active Directory.