Active Directory Remains a Favorite Target for Cybercriminals

Tenable

By Derek Melber, Chief Technology and Security Strategist


The SolarWinds cyberattack is notable for a number of reasons — it's one of the most damaging cyberattacks and it highlights major holes in the software supply chain. It also has something in common with the vast majority of breaches today: it leveraged Active Directory, Microsoft's identity and access management platform used by 90% of the Global Fortune 1000 companies.

Active Directory is critical for organizations because it holds the location of every company's proverbial keys to the kingdom (admin accounts) and provides the map for how to find them. Typically, intruders escalate the access permissions of a computer or user account that they have compromised until they get to a privileged account.

Attackers only need to compromise one machine in a network to get access to Active Directory and from there, they can run rampant. They can move laterally between accounts until they get administrative control and then they can pose as legitimate IT users, authenticate using valid credentials, create new accounts, change user access controls, escalate permissions and move from on-premises to Azure Active Directory in the cloud — all without being detected because they appear to be legitimate, trusted users.

Of the lessons SolarWinds offers, battening down the hatches of Active Directory is one of the most obvious.

Active Directory Security Tips
Given how many moving parts there are to Active Directory, a complete list of security tips would be too long to include in this article. However, here is a best practices checklist that can go a long way toward making Active Directory more secure and resistant to attack:

  • Better password and identity access management
    The first step to keeping Active Directory secure is to make sure only authorized users are accessing data, and only the data they are authorized to access. Require the use of multi-factor authentication and strong, long passwords on service accounts, and actively manage privileges.

  • Basic risk prevention and security hygiene
    Constantly monitor Active Directory security. Use technology that continuously analyzes each change for security attack paths and misconfigurations. And finally, deploy software updates as soon as possible.

  • Detect advanced attacks
    Monitor and detect attacks as they occur against Active Directory. This includes DCSync, DCShadow, Golden Ticket, and more. These advanced attacks create backdoors and persistence for attackers.
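
As an added illustration of the DCSync detection named in the last checklist item (this is not code from the original article or from Tenable), the Python below filters Windows Security event 4662 records for use of the directory replication rights by any account that is not an explicitly allowlisted replication principal. The sample events, account names and allowlist are constructed, and it assumes directory service access auditing is enabled so that event 4662 is logged.

```python
import re

# Control-access right GUIDs for directory replication (AD schema values).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

def find_dcsync_candidates(events, replication_allowlist):
    """Return 4662 events where a non-allowlisted account used replication rights."""
    allowed = {name.lower() for name in replication_allowlist}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS)
        if not rights:
            continue  # object access that did not involve replication rights
        subject = ev.get("SubjectUserName", "")
        # Allowlist exact accounts. Do not skip every name ending in "$":
        # a compromised workstation's machine account ends in "$" as well.
        if subject.lower() in allowed:
            continue
        hits.append({"time": ev.get("TimeCreated"), "subject": subject, "rights": rights})
    return hits

# Constructed sample events, already parsed into the fields of event 4662.
GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2021-03-01T02:00:01Z",
     "SubjectUserName": "DC01$", "Properties": "%%7688 " + GET_CHANGES},
    {"EventID": 4662, "TimeCreated": "2021-03-01T02:14:37Z",
     "SubjectUserName": "j.smith", "Properties": "%%7688 " + GET_CHANGES + " " + GET_ALL},
    {"EventID": 4662, "TimeCreated": "2021-03-01T02:15:02Z",
     "SubjectUserName": "WKSTN-042$", "Properties": "%%7688 " + GET_ALL},
    {"EventID": 4662, "TimeCreated": "2021-03-01T02:16:40Z",
     "SubjectUserName": "helpdesk1",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "TimeCreated": "2021-03-01T02:17:00Z", "SubjectUserName": "j.smith"},
]

if __name__ == "__main__":
    for hit in find_dcsync_candidates(SAMPLE_EVENTS, ["DC01$"]):
        print(hit["time"], hit["subject"], ", ".join(hit["rights"]))
```

The allowlist should contain only the domain controllers' machine accounts and any service that is approved to replicate the directory; everything else that exercises these rights deserves an alert.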

Active Directory is used in most organizations, provides attackers the proverbial keys to the kingdom, and is prone to attack due to misconfigurations. Until organizations make it a priority to harden Active Directory, we'll be seeing attackers using it as a key resource in their lateral movement and privilege escalation tactics, just like they did with the SolarWinds attack.
