Active Directory : The foundation of an organization’s access, authorisation, and authentication

Active Directory : The foundation of an organization’s access, authorisation, and authentication

Active Directory : The foundation of an organization's access, authorisation, and authentication

Regardless of the original access vector used by a threat actor, Microsoft Active Directory (AD) remains a prominent target in an organisation due to its relationship to privilege and access. The threat actor compromised AD Domain Administrator credentials in the majority of cyber intrusions assessed by iConnect’s incident responders. If the threat actors had not gotten such access, network defenders may have halted the assaults or required the threat actors to work harder to achieve their goals. According to iConnect’s incident responders, companies should use least privilege access on all AD accounts before considering adopting additional security measures to assist AD halt or resist a significant assault.

Initial compromise often leads to swift and full compromise and persistence

Because of the proliferation of Windows computers and the reliance of many companies on AD, it is an attractive target. Attackers must first break an organization’s network perimeter in order to get access to AD. Threat actors breaching settings in one of three methods were engaged in 88% of intrusions probed by iConnect’s incident responders in 2021:

  • Vulnerabilities in internet-facing gadgets are being exploited.
  • Credentials in jeopardy (stealing or guessing credentials and then logging in)
  • Malware is distributed by phishing emails or drive-by downloads.

Attackers targeting AD quickly seek to escalate privileges to Domain Administrator after gaining a footing in an environment. Most of the time, this process is simple and quick. The attacker then uses the increased access to navigate the network, looking for assets, stealing data, deploying ransomware, and inserting persistence mechanisms.

Network defenders must put up barriers to stop malicious behaviour.

Because securing AD during an assault is hard and difficult, companies should take proactive actions to improve and secure their AD. Network defenders must construct as many barriers as feasible while also raising awareness about their AD deployment. They must also be aware of security holes, threats, and opportunities for improvement.

  • Conduct an AD security assessment – During an Active Directory Security Assessment, Secureworks incident responders evaluate AD configuration management practises and suggest applicable cybersecurity policies using configuration review toolsets and interviews with the customer’s internal people. This evaluation assesses the entire AD implementation of the company and identifies potential attack vectors. Before an attack, a deep dive into AD helps admins uncover weaknesses and places for improvement. Without the pressure of an active threat actor, organisations may strengthen their security posture and better safeguard their environment.
  • Reduce the amount of privileged accounts – Many businesses, especially big domains, are unaware of how many privileged accounts exist in their network. The proliferation of these accounts is frequently the result of unintentional privilege allocation when troubleshooting, privilege creep associated with position changes, and inadequate privileged access management during acquisitions and mergers. Reviewing and limiting privileged accounts reduces the attack surface.
  • Examine service principle names (SPNs) – Service principal names (SPNs) are used to uniquely identify service instances. When a system requests access to a service, AD resolves the service’s SPN. A threat actor might theoretically gain possession of the service account by copying the password hash including the related SPN. Network defenders must identify service accounts with linked SPNs, examine the password status of the service accounts, and ensure that none of the accounts are members of a privileged group. Threat actors can also utilise SPN manipulation attacks, such as SPN-jacking, to mimic users on a set of services and get access to their privileges and access. Limit the number of accounts with SPNs to reduce chances for a threat actor.
  • Use group-managed service accounts – After removing a threat actor from a compromised environment, iConnect incident responders recommend that victims reset passwords on all accounts, including Kerberos, administrator, service, and user accounts. Many businesses are concerned that changing service account credentials would damage apps and background operations. Implementing group-managed service accounts allows AD to manage service account credentials, rotate passwords on a regular basis, and enable effective incident coordination.

Conclusion

Investing in AD and its accompanying controls can improve resilience in the face of cyber assaults. Putting up as many barriers as possible slows and perhaps deters a threat actor from exploring your network, reducing the impact of an early foothold.

iConnect provides a variety of proactive Incident Response services to assist clients in avoiding, detecting, and responding to threats. If you want immediate assistance with an issue, emergency response is available.

Request for Information

Leave a Reply

Your email address will not be published.