Identity systems such as Active Directory are a popular attack vector
Since its inception in 2014, the Semperis team has helped many companies combat cyberattacks. An increasingly common attack vector is identity systems such as Active Directory (AD).
Semperis frequently observes the following pattern: cybercriminals gain access to critical systems through relatively simple tactics. In the case described here, the intruders had already used credential theft tools to hijack one of the company’s domain admin accounts. The compromised account was then used to create a new, hidden account dedicated to the attacker and to add it to the compromised domain’s Domain Admins group. This is essentially the textbook approach to attacking an Active Directory domain and establishing persistence in it.
Do not neglect AD security basics
Attackers’ success in the initial intrusion can often be attributed to neglected security fundamentals such as these:
- A computer configured with unconstrained delegation, a popular target for attackers.
- Misuse of the domain’s built-in Administrator account as a service account for various SQL databases, as evidenced by the many SPNs registered to it.
- Configuring various risky permissions at the domain level.
- Failure to change passwords on administrative accounts (of which there were too many).
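Three of the four basics above can be checked mechanically from directory attributes. The following is an added example, not Semperis code: it runs the checks over a constructed set of AD objects (in production the dictionaries would come from an LDAP query of the domain); the 90-day password age threshold, the account names and the SIDs are assumptions.

```python
from datetime import datetime, timedelta, timezone

TRUSTED_FOR_DELEGATION = 0x80000            # userAccountControl bit: unconstrained delegation
FILETIME_EPOCH_TICKS = 116444736000000000   # 1601-01-01 to 1970-01-01 in 100 ns ticks
MAX_ADMIN_PASSWORD_AGE = timedelta(days=90)  # assumed policy threshold for privileged accounts

def to_filetime(dt):
    """Encode an aware datetime as an AD FILETIME integer (the format of pwdLastSet)."""
    return int(dt.timestamp()) * 10_000_000 + FILETIME_EPOCH_TICKS

def from_filetime(ft):
    """Decode an AD FILETIME integer to an aware UTC datetime (second resolution)."""
    return datetime.fromtimestamp((ft - FILETIME_EPOCH_TICKS) // 10_000_000, tz=timezone.utc)

def audit(objects, now):
    """Return (sAMAccountName, finding) pairs for the basics listed above."""
    findings = []
    for obj in objects:
        name = obj["sAMAccountName"]
        if obj.get("userAccountControl", 0) & TRUSTED_FOR_DELEGATION:
            findings.append((name, "unconstrained delegation enabled"))
        # The built-in domain Administrator always has RID 500; SPNs mean it runs services.
        if obj["objectSid"].endswith("-500") and obj.get("servicePrincipalName"):
            findings.append((name, "built-in Administrator used as service account"))
        # adminCount=1 marks accounts protected by AdminSDHolder, i.e. privileged ones.
        if obj.get("adminCount") == 1:
            age = now - from_filetime(obj["pwdLastSet"])
            if age > MAX_ADMIN_PASSWORD_AGE:
                findings.append((name, f"admin password unchanged for {age.days} days"))
    return findings

# Constructed sample objects (not from any real domain); SIDs are placeholders.
NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)
SAMPLE_OBJECTS = [
    {"sAMAccountName": "SQL01$", "objectSid": "S-1-5-21-1-2-3-1105",
     "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "Administrator", "objectSid": "S-1-5-21-1-2-3-500", "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "pwdLastSet": to_filetime(NOW - timedelta(days=1096))},
    {"sAMAccountName": "jdoe-adm", "objectSid": "S-1-5-21-1-2-3-2201", "adminCount": 1,
     "pwdLastSet": to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "FS01$", "objectSid": "S-1-5-21-1-2-3-1106", "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    for account, finding in audit(SAMPLE_OBJECTS, NOW):
        print(f"{account}: {finding}")
```

The fourth item, risky permissions at the domain level, requires walking the domain object's ACL and is not covered here.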
Implementing AD security basics, such as reviewing permissions that were set years ago, is time- and resource-consuming. However, this effort is peanuts compared to the toll a large-scale cyberattack can take on an organization’s business operations.
In light of these findings, Semperis offers three tips for better handling IT threats that target Active Directory:
Understanding the difference between resuming operations and restoring operations
For cybercriminals, Active Directory is increasingly a key attack vector, because AD is at the heart of the enterprise. The majority of organizations still use AD as their primary identity store, and as such it is the source from which other identity stores are synchronized. Even in a hybrid environment, cloud identity stores are typically synchronized with on-premises AD. So when AD goes down, the business comes to a standstill. In the turmoil of the crisis, many companies are understandably focused on resuming business operations as quickly as possible. The focus of the next phase should be to ensure that the business is not vulnerable to repeated attacks that exploit the same vulnerabilities that succeeded the first time around.
Full recovery means AD is fully restored without reintroducing malware into the system. During an attack, however, finding a clean backup or restoring AD from scratch costs valuable hours and days while the business is at a standstill. In the case of the client Semperis assisted, no one could identify with certainty an up-to-date malware-free backup. Semperis helped the company configure DC backups that could be trusted not to contain malware, and corrected some problematic vulnerabilities in one of the AD domains, further improving the domain’s resilience.
Next, Semperis helped the company set up a copy of its production AD forests in a fully isolated sandbox environment with freshly provisioned Windows Server VMs in Azure that were certainly malware-free. With this approach, the company could not only perform backups of AD forests, but also fully restore them in the event of another attack.
A solid AD security strategy must include a complete, malware-free AD recovery plan that takes minutes or a few hours at most to execute – not days or weeks.
Continuously assess AD security weaknesses
Many organizations have security tools that assess endpoint security, but neglect to protect Active Directory from the inside. To adequately protect against cyberattacks targeting AD, organizations need to know when changes to privileged groups and accounts, such as the Domain Admins group, occur. With sufficient warning, they can respond to suspected credential theft activity; one such warning would be an alert that a compromised account has been used to create a new domain administrator account. Ideally, organizations would like to have a system that not only notifies them, but also takes action to prevent the attacker from spreading through their network.
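As an added example (not part of the original article or any Semperis product), the detection below runs over constructed Windows Security events exported as JSON lines: it alerts on every addition to a privileged group (event 4728) and raises the severity when the added member was created (event 4720) shortly before by the same subject account, which is the pattern from the incident described earlier. The 30-minute correlation window, the field names and the account names are assumptions.

```python
import json
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
USER_CREATED = 4720            # Windows Security event: a user account was created
ADDED_TO_GLOBAL_GROUP = 4728   # member added to a security-enabled global group (e.g. Domain Admins)
CORRELATION_WINDOW = timedelta(minutes=30)  # assumed window for "create account, then elevate it"

def parse_events(text):
    """Parse JSON-lines events (one event per line, as a SIEM export might look), oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["time"] = datetime.fromisoformat(event["time"])
    return sorted(events, key=lambda event: event["time"])

def detect(text):
    """Return (severity, message) alerts for additions to privileged groups.
    HIGH when the new member was created minutes earlier by the same subject."""
    alerts, created = [], {}
    for event in parse_events(text):
        if event["event_id"] == USER_CREATED:
            created[event["target"]] = (event["subject"], event["time"])
        elif event["event_id"] == ADDED_TO_GLOBAL_GROUP and event["group"] in PRIVILEGED_GROUPS:
            message = f'{event["subject"]} added {event["member"]} to {event["group"]}'
            creator = created.get(event["member"])
            recent = (creator is not None and creator[0] == event["subject"]
                      and event["time"] - creator[1] <= CORRELATION_WINDOW)
            if recent:
                alerts.append(("HIGH", "account created and elevated by same subject: " + message))
            else:
                alerts.append(("MEDIUM", message))
    return alerts

# Constructed sample events (not real logs); names and domain are placeholders.
SAMPLE_LOG = """
{"time": "2022-03-01T02:10:00", "event_id": 4720, "subject": "bsmith@corp.example", "target": "svc-backup2@corp.example"}
{"time": "2022-03-01T02:12:30", "event_id": 4728, "subject": "bsmith@corp.example", "member": "svc-backup2@corp.example", "group": "Domain Admins"}
{"time": "2022-03-01T09:00:00", "event_id": 4728, "subject": "jdoe-adm@corp.example", "member": "akhan-adm@corp.example", "group": "Domain Admins"}
{"time": "2022-03-01T09:05:00", "event_id": 4728, "subject": "jdoe-adm@corp.example", "member": "akhan@corp.example", "group": "Sales"}
"""

if __name__ == "__main__":
    for severity, message in detect(SAMPLE_LOG):
        print(severity, message)
```

Additions to universal and domain-local groups arrive as events 4756 and 4732 and would be handled the same way.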
By continually assessing and remediating AD security vulnerabilities, the company remains in a proactive position. This can prevent cyberattacks or mitigate the damage with quick, informed action if an attack does occur. Organizations must ensure they evaluate the gaps that remain in their security posture.
Does the company have an action plan in place to deal with cyberattacks?
With cyberattacks growing exponentially, security managers may feel powerless to protect their organizations from cyber disasters. Every organization should feel encouraged to establish proactive steps to prevent, mitigate and fully recover from malicious activity. Organizations should invest in Active Directory security fundamentals. They should make sure they can fully restore – not just resume – business operations following an attack. To do this, they need to continually scan their environment for vulnerabilities. By doing so, they will significantly strengthen their security posture against rampant cyberattacks.