How to Strengthen Active Directory and Prevent Ransomware Attacks


By Derek Melber, Chief Technology and Security Strategist @ Tenable

Ransomware attacks do not always follow the same steps, but addressing these three trends will allow you to secure Active Directory (AD) and disrupt attacks.

New ransomware variants, exploits and tactics appear every week. Each one is also an opportunity to study how attackers operate, and three distinct trends emerge from that analysis. Addressing them lets you secure the very tools attackers rely on.

Trend 1: vulnerabilities and misconfigurations
Ransomware attackers gain their initial foothold in enterprises by one of two methods:

  • Exploiting vulnerabilities. Patching is like vitamins: essential, but we often forget. PSA: patch your systems (and take your vitamins).
  • Leveraging misconfigurations. Thousands of security settings across the operating system and AD require deliberate configuration. With a few simple queries against the directory or the endpoint, an attacker can enumerate what is running on a device and which settings are weak, then pick exactly the misconfiguration to exploit. Fixing these before an attacker ever sees them is essential.
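The kind of query the bullet above refers to is easy to reproduce for yourself. The following is an added example, not code from the article: it decodes the documented userAccountControl bits from a constructed AD user export, flags the settings an attacker looks for first, and builds the LDAP filter (using the documented bitwise-AND matching rule OID) that finds every account with a given bit set. The account names and values are constructed sample data.

```python
"""Audit userAccountControl flags from an AD user export.

Added example, not code from the article. The account records below are
constructed sample data, not a real directory; the bit values are the
documented userAccountControl flags, and the LDAP filter uses the documented
bitwise-AND matching rule OID.
"""

# userAccountControl bits (values from Microsoft's ADS_USER_FLAG_ENUM)
ACCOUNTDISABLE         = 0x0002
PASSWD_NOTREQD         = 0x0020
NORMAL_ACCOUNT         = 0x0200
DONT_EXPIRE_PASSWORD   = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained Kerberos delegation
USE_DES_KEY_ONLY       = 0x200000
DONT_REQ_PREAUTH       = 0x400000   # exposes the account to AS-REP roasting

# Bits an attacker can find with a single LDAP query, in the order the
# report lists them.
RISKY_FLAGS = [
    (PASSWD_NOTREQD,         "password not required"),
    (DONT_REQ_PREAUTH,       "Kerberos pre-authentication disabled"),
    (TRUSTED_FOR_DELEGATION, "unconstrained delegation"),
    (USE_DES_KEY_ONLY,       "DES-only Kerberos keys"),
]

# LDAP_MATCHING_RULE_BIT_AND: matches objects whose attribute has the bit set
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def ldap_filter(flag):
    """Return the LDAP filter that finds person objects with `flag` set.

    This is the same query an attacker runs during enumeration, so running it
    yourself is a direct way to see what they would see."""
    return f"(&(objectCategory=person)(userAccountControl:{BIT_AND_RULE}:={flag}))"


def audit_account(uac):
    """Return the findings for one account; disabled accounts are skipped."""
    if uac & ACCOUNTDISABLE:
        return []
    return [name for flag, name in RISKY_FLAGS if uac & flag]


def audit_export(records):
    """Return {sAMAccountName: [findings]} for every enabled account that has
    at least one risky bit set."""
    report = {}
    for sam, uac in records:
        findings = audit_account(uac)
        if findings:
            report[sam] = findings
    return report


# Constructed export: (sAMAccountName, userAccountControl)
SAMPLE_EXPORT = [
    ("jdoe",       NORMAL_ACCOUNT),
    ("svc_backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH),
    ("legacy_app", NORMAL_ACCOUNT | PASSWD_NOTREQD | USE_DES_KEY_ONLY),
    ("old_admin",  NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH),
    ("iis_svc",    NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION),
]

if __name__ == "__main__":
    for sam, findings in audit_export(SAMPLE_EXPORT).items():
        print(f"{sam}: {', '.join(findings)}")
    print(ldap_filter(DONT_REQ_PREAUTH))
```

In a real domain the export comes from an LDAP search or Get-ADUser, and the filter returned by `ldap_filter` can be pasted straight into either; the point is that the defender can run the attacker's enumeration query first and remediate what it returns.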

Trend 2: gaps in existing tools and practices
While the following security tools and practices are useful, they leave security teams with major gaps in coverage:

  • Pen testing
  • Assessments
  • Audits
  • AD monitoring
  • SIEM solutions
  • User behavior analytics
  • Artificial intelligence
  • Endpoint detection and response (EDR) and antivirus (AV)

Most of these provide point-in-time visibility, so their results are outdated soon after they are produced. Some are more continuous, but they do not dig into the infrastructure at the level of detail an attacker sees.

Trend 3: AD is a pathway
Regardless of the entry point, AD is the next step in virtually every ransomware attack. Forensic investigations repeatedly show AD being used to move laterally and escalate privileges before ransomware is deployed.

For example, Ryuk and XingLocker (a MountLocker variant) depend on AD to spread. Attackers know how to enumerate and analyze AD, so they rely on it to escalate and deploy. After all, AD is at the center of authentication and resource access for most organizations.

Solution: three steps for reducing ransomware risk
Countering these trends and closing the gaps in existing tools starts with knowing what attackers target. The following three steps are foundational for securing AD and managing vulnerabilities to reduce the risk of ransomware:

  1. The entire environment must be secured immediately. Easy to say, not so easy to do. Existing hardware, operating systems, applications and AD itself all need to be secured. Expect an attacker to inspect every aspect of the network, and prepare accordingly.
  2. The work invested in securing your network and devices should not go to waste. Once you have patched and secured configurations throughout the network, including AD, maintain that state with 24x7 continuous, automatic analysis of all vulnerabilities and configurations. Think of it as keeping your attack surface as small as possible, constantly.
  3. The ability to detect attacks is vital. Simpler attacks, such as password spraying and guessing, need to be detected as soon as they begin so they can be shut down. More advanced attacks that abuse AD itself, such as DCSync, DCShadow and Golden Ticket, must also be detected swiftly; they are used for persistence, for backdoors and to open new attack paths. Detection tuned to these AD-specific techniques is needed to fill the gaps in ordinary monitoring.
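Two of the detections called for in step 3, written out as an added example that is not code from the article or from a Tenable product. The events are constructed to mirror the fields of Windows Security log records (EventID 4625 for a failed logon, 4662 for an operation on a directory object). Password spraying is recognised by counting distinct target accounts per source within a time window, and DCSync by a 4662 event in which a principal that is neither a domain controller nor an allowlisted sync account requests the directory replication control-access rights. The thresholds, the window, the sample IP addresses and the allowlisted account name are assumptions a defender would tune for their own domain.

```python
"""Two AD attack detections run over constructed Windows Security events.

Added example, not code from the article or a Tenable product. The events are
constructed to mirror the fields of Windows Security log records (EventID 4625
for a failed logon, 4662 for an operation on a directory object); the
thresholds, the time window and the replication allowlist are assumptions a
defender would tune for their own domain.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs that a 4662 event lists in its Properties field
# when the caller asks a DC for directory replication, which is what DCSync
# does to pull password hashes.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Principals expected to replicate: DC computer accounts (names end in "$")
# plus named sync accounts. The account name here is an assumed example.
REPLICATION_ALLOWLIST = {"MSOL_aad_connect"}


def detect_password_spray(events, window_s=300, min_accounts=10):
    """Map source IP -> distinct accounts tried, for every source whose failed
    logons hit at least `min_accounts` different accounts within `window_s`.

    Counting distinct accounts rather than raw failures is what separates a
    spray (one password, many users) from a user mistyping their own password."""
    window = timedelta(seconds=window_s)
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_source[e["IpAddress"]].append((e["time"], e["TargetUserName"]))
    hits = {}
    for ip, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_accounts:
                hits[ip] = sorted({u for _, u in attempts})
                break
    return hits


def detect_dcsync(events):
    """Return one alert per 4662 event in which a principal that is neither a
    DC nor on the allowlist requested replication rights."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        who = e["SubjectUserName"]
        if who.endswith("$") or who in REPLICATION_ALLOWLIST:
            continue
        # Properties also carries access-mask tokens such as %%7688; the set
        # intersection ignores anything that is not a replication GUID.
        props = {p.strip("{}").lower() for p in e["Properties"].split()}
        rights = sorted(props & REPLICATION_RIGHTS)
        if rights:
            alerts.append({"time": e["time"], "account": who, "rights": rights})
    return alerts


# ---- constructed sample events ------------------------------------------
T0 = datetime(2024, 3, 1, 2, 15, 0)


def _failed_logon(offset_s, ip, user):
    return {"EventID": 4625, "time": T0 + timedelta(seconds=offset_s),
            "IpAddress": ip, "TargetUserName": user}


def _ds_access(offset_s, user, properties):
    return {"EventID": 4662, "time": T0 + timedelta(seconds=offset_s),
            "SubjectUserName": user, "Properties": properties}


GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

SAMPLE_EVENTS = (
    # one password tried against twelve accounts, eight seconds apart
    [_failed_logon(i * 8, "10.0.0.45", f"user{i:02d}") for i in range(12)]
    # one user mistyping their own password twice: not a spray
    + [_failed_logon(20, "10.0.0.7", "jdoe"), _failed_logon(35, "10.0.0.7", "jdoe")]
    + [
        _ds_access(100, "DC02$", f"%%7688 {GET_CHANGES} {GET_CHANGES_ALL}"),  # DC-to-DC replication
        _ds_access(110, "MSOL_aad_connect", f"%%7688 {GET_CHANGES_ALL}"),     # allowlisted sync account
        _ds_access(120, "jdoe", f"%%7688 {GET_CHANGES} {GET_CHANGES_ALL}"),   # user pulling replication data: DCSync
        _ds_access(130, "jdoe", "%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}"),  # unrelated GUID, not DCSync
    ]
)

if __name__ == "__main__":
    for ip, accounts in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"password spray from {ip}: {len(accounts)} accounts")
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync by {a['account']} at {a['time']:%H:%M:%S}: {a['rights']}")
```

Two caveats a practitioner would add: 4662 events for replication are only generated when "Audit Directory Service Access" is enabled and the domain naming context carries a SACL for those rights, and the spray threshold has to account for a slow spray that stays under the window, which is why the window and account count are parameters rather than constants.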
