Active Directory (AD) was first released by Microsoft in 1999 as a central identity management system. It is an important tool that manages authorisation and authentication for all users, groups, and systems in an organisation, as well as non-security related activities such as storing centralised policies and managing resources, but this also makes it a prime target for cybercriminals. It is thought that AD is exploited in 90% of cyber-attacks.
If your AD security is breached, the clean-up is notoriously difficult and can take anywhere from a few days to a month. Due to the dependencies of many systems interacting with the AD, the operational implications are huge. Running an organisation without AD working even for a short period of time can be incredibly disruptive and costly.
To avoid this, organisations should treat the AD infrastructure as a top cybersecurity concern and prioritise their efforts on prevention over recovery.
Common security challenges in managing AD
When an AD has been used for many years, it can become unwieldly and difficult to maintain, resulting in an AD sprawl. When this happens, there are very few (if any) IT employees who can understand how it was built and managed over the years. Due to the business criticality, you’d be hard pressed to find anyone that would take the initiative to optimise it under normal circumstances.
To make things worse, different vulnerabilities on AD surface regularly, and if there are no dedicated efforts to address these, then the AD is prone to exploitation. Perhaps the biggest challenge is that many IT teams don’t operate with a security-first mindset and do not place emphasis to fix these vulnerabilities promptly.
Three threats commonly affect an AD:
- Phishing. Over the last couple of years, phishing has emerged as the biggest threat to AD security. Mostly, it’s because phishing is the most efficient way for cybercriminals to reach the largest group of people. It is far easier to convince people to give up passwords than it is to try and crack them, which is now too time consuming because security controls are more advanced.
- Malware. By getting users to download compromised software through PCs and laptops, attackers can capture passwords and use them to access the AD.
- An unpatched environment. Patching is incredibly important to prevent cyber-attacks and protect data, but many organisations struggle to keep up because they fail, or lack the resources, to perform the patching themselves. AD is one of many software applications that require patching, and if it isn’t updated in a timely fashion, vulnerabilities can be exploited.
What to do if your AD security is breached
A few years ago, cybercriminals would have broken into the AD environment and moved laterally almost immediately, triggering detection alerts if they are in place. Today, persistence is the preferred tactic. The goal is to stay undetected in the system for as long as possible, which means attackers can learn and understand a lot of the corporate environment to determine where the best place is to inflict the maximum damage to the organisation.
This includes creating accounts and escalating security privileges to access sensitive data. Attackers can also remove security controls, push malware execution into group policy configuration, remove log events and cover their tracks. Hackers are now using common tools such as Microsoft’s PowerShell to do reconnaissance and keep a low profile. They can also clone an AD to study the AD configuration, even if they lose access to the AD. With the keys to the kingdom and enough time, the security implications are immense.
If you discover the AD has been hacked, make sure you do the following:
- Remove the AD from the network. This immediately stops recurring log-ins, but this will also have impact to the business.
- Investigate. AD can have complex set-ups and trying to navigate this during the recovery process can be time consuming. Find out how the breach happened and remediate the vulnerability.
- Rebuild the AD from scratch. Check current best practice because the last AD review may have been years ago, and there may be additional hardening steps required as new threat information is made available. Rebuild group policies even if it means going through them one by one, and ensure all vulnerabilities are patched. You’ll need to ensure that all employees change their password and that each one meets security standards.
- Instil a security mindset. Once the AD is back online, focus on educating employees about cyber security through user awareness training about protecting their AD accounts.
- Create a new cyber security baseline. Businesses often ignore the threat of persistence in recovery. Use this breach as an opportunity to get your security hygiene up to scratch.
To prevent another breach in the future, make sure you consider the following:
- Conduct annual reviews. This helps you make sure the AD environment is properly configured and managed.
- Implement continuous monitoring. This allows you to detect incidents early and contain them.
- Perform timely patching. Prioritise keeping patches up-to-date to prevent hackers from exploiting vulnerabilities.
- Provide ongoing security training. Make sure employees keep security top-of-mind, as they are your most effective first line of defence.
- Test the incidence response. Do this only when you get your cyber security fundamentals right. This works best for mature organisations who have done a lot of AD controls. To develop a robust response, it is worth asking yourself the following questions:
- Do you know what will happen if you lose everything?
- Are you able to perform an enterprise-wide password reset if required to do so?
Establish a strong foundation to protect your AD
Weaving cyber resilience into the business and getting the basics right is key to protecting the AD. It’s important to regularly assess the company’s security posture, identify gaps and close them. Set the AD environment up in accordance with best practice and continuously monitor for threats. It is also essential that there is an incident response plan and processes to help rebuild the business in the event of an attack.
DXC Technology collaborates with industry-leading cyber security partners using proven methodologies and robust tools to strengthen cyber security posture. More importantly, we know that innovation is critical to staying ahead. As a part of strengthening the authentication process, DXC advocates the use of passwordless authentication to minimise the impact of phishing and reduce password fatigue, an area that will help in securing access to the AD environment.