How much thought does the average person devote to the plumbing that delivers water to their home? How often do they consider the mechanics of the engine that powers their car, the modem that allows them to access the internet or even the coffee maker that delivers their morning jolt of caffeine? Today’s world prioritizes convenience, with technology that users expect to “just work” without much thought or effort on their part.
Unfortunately, while most people can get by just fine without knowing the ins and outs of the internal combustion engine, some technologies require a greater level of understanding. In the cybersecurity world, one such technology is Active Directory (AD). Although AD manages identities and authentication across the enterprise, too many business leaders treat it as part of the plumbing. But cybercriminals are beginning to exploit AD’s relative vulnerability in record numbers. Expecting it to “just work” is no longer enough—modern enterprises need stronger protections in place, and they must learn to recognize the signs that their AD may be compromised.
The most recent Verizon Data Breach Investigations Report (DBIR) noted that 61% of breaches now involve credential data. The primary reason is that gaining possession of credentials makes a cybercriminal’s job much easier and is required to gain the privileges they need to advance their attacks.
By stealing or misusing a legitimate user’s credentials, an attacker can then freely masquerade as an employee and gain access in a way that remains undetected by traditional security systems.
And all too often, targeting Active Directory is their first move. AD needs to touch nearly every part of the network to function, making it difficult to secure. An attacker who manages to compromise AD effectively has the keys to the castle and will immediately look to escalate their privileges to gain access to new areas of the network, install backdoors, erase their tracks, and seek out more valuable data. It is also how attackers gain the control they need to mass-distribute malware and ransomware. Stopping attackers from compromising AD needs to be a top priority for today’s defenders.
Unfortunately, the signs of Active Directory compromise are subtle, many of them nearly impossible to notice if defenders are not actively looking for them. Defending AD requires a more holistic approach to security—some indicators might signify an attack on AD is in progress, but there is rarely a smoking gun. Think of it as diagnosing a medical problem. There are countless symptoms to look for, but it isn’t always easy to tie them together into a diagnosis. Some are dismissed as unimportant or attributed to other factors.
To recognize an attack on AD, cybersecurity professionals must assume the role of a doctor and look at the symptoms and vital signs.
What symptoms should they be on the lookout for to identify an Active Directory compromise? Among the more obvious potential signs are things that affect numerous accounts, such as mass password changes, which indicate that many credentials have been altered. Account lockouts can also indicate an attack on AD, such as a password spray. Other signs, like unexpected changes to security settings, are more reliable indicators of an AD attack, but they are also more difficult to notice. There are other, even more subtle things to look for, such as an account suddenly appearing in a group without a good reason or a new service account showing up without apparent authorization or purpose. And while a hidden security identifier (SID) added to an account would be a strong indicator of an AD compromise, it would also be nearly impossible to detect.
What, then, can defenders do to identify the signs of a compromise before it is too late? The first step is to monitor privileged groups for new users. There will always be audit trails to see when a user identity was created or added to a group. In addition to account creations and group membership changes, defenders should also monitor for password changes for privileged accounts, control changes to critical objects, use of SIDs from disabled accounts, and Access Control List (ACL) changes. These are all extremely subtle and likely to go unnoticed unless defenders are actively looking for them.
Unfortunately, looking for changes to these accounts is tricky—systems generate logs in massive quantities, and reviewing them takes time. One option is to turn to security information and event management (SIEM).
Instead of having a human being review lengthy logs and reports, defenders can set up SIEM rules that look for specific line items in an audit log and raise an alert when they find suspicious activity. Alternatively, they can look to more modern assessment and attack detection tools. Today, tools are available that can automatically increase visibility into potential exposures and monitor for known warning signs, streamlining the process by reducing the number of things a SIEM must monitor while also reducing false positives. As modern networks become increasingly sprawling and the number of human and machine identities skyrockets, automation is fast becoming the only practical and reliable way to protect AD.
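The following is an added example, not code from the original article or any product it alludes to, showing what the SIEM-style rules described above look like when run over the kind of indicators listed earlier (privileged group membership changes, password resets on privileged accounts, ACL changes on directory objects, SID History additions, and lockout-inducing password sprays). The event records are constructed to mirror the fields of Windows Security audit events (IDs 4728/4732/4756, 4724, 5136, 4765, 4625); the privileged group list, the privileged account names, and the spray threshold and window are assumptions chosen for illustration, and a real deployment would tune them to its own environment.

```python
"""SIEM-style detection rules over Active Directory audit events.

Added example for illustration; the events below are constructed, and the
group list, account list and thresholds are assumed values, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of high-value groups worth alerting on (illustrative, not exhaustive).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
# Assumed privileged account names for this example.
PRIVILEGED_ACCOUNTS = {"da-backup", "svc-sql"}

# Assumed spray threshold: one source failing against this many distinct
# accounts inside the window is treated as a password spray.
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_DISTINCT_ACCOUNTS = 5


def _ts(value):
    return datetime.fromisoformat(value)


# Constructed sample events; field names follow the Windows Security event data.
SAMPLE_EVENTS = [
    {"time": "2024-01-08T09:00:00", "id": 4728, "subject": "jdoe",
     "member": "jdoe", "group": "Domain Admins"},          # member added to global group
    {"time": "2024-01-08T09:01:00", "id": 4728, "subject": "helpdesk1",
     "member": "newhire", "group": "Sales"},               # benign group change
    {"time": "2024-01-08T09:02:00", "id": 4724, "subject": "jdoe",
     "target": "da-backup"},                               # password reset
    {"time": "2024-01-08T09:03:00", "id": 5136, "subject": "jdoe",
     "object": "CN=AdminSDHolder,CN=System,DC=corp,DC=example",
     "attribute": "nTSecurityDescriptor"},                 # directory object modified
    {"time": "2024-01-08T09:04:00", "id": 4765, "subject": "jdoe",
     "target": "jdoe"},                                    # SID History added
] + [
    {"time": f"2024-01-08T09:05:{i:02d}", "id": 4625,      # failed logons, one source
     "source_ip": "10.0.0.77", "target": f"user{i}"} for i in range(6)
]


# Single-event rules: each returns a detail string when the event matches, else None.
def rule_privileged_group_add(ev):
    if ev["id"] in (4728, 4732, 4756) and ev.get("group") in PRIVILEGED_GROUPS:
        return f"{ev['subject']} added {ev['member']} to {ev['group']}"


def rule_privileged_password_reset(ev):
    if ev["id"] == 4724 and ev.get("target") in PRIVILEGED_ACCOUNTS:
        return f"{ev['subject']} reset the password of privileged account {ev['target']}"


def rule_acl_change(ev):
    # 5136 with nTSecurityDescriptor means the object's ACL was rewritten.
    if ev["id"] == 5136 and ev.get("attribute") == "nTSecurityDescriptor":
        return f"{ev['subject']} changed the ACL of {ev['object']}"


def rule_sid_history_added(ev):
    if ev["id"] == 4765:
        return f"SID History added to {ev['target']} by {ev['subject']}"


SINGLE_EVENT_RULES = [rule_privileged_group_add, rule_privileged_password_reset,
                      rule_acl_change, rule_sid_history_added]


def detect_password_spray(events):
    """Correlation rule: one source failing logons against many accounts in a short window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625:
            failures[ev["source_ip"]].append((_ts(ev["time"]), ev["target"]))
    alerts = []
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            accounts = {acct for t, acct in attempts[i:] if t - t0 <= SPRAY_WINDOW}
            if len(accounts) >= SPRAY_DISTINCT_ACCOUNTS:
                alerts.append({"rule": "password_spray", "time": t0.isoformat(),
                               "detail": f"{ip} failed logons against {len(accounts)} "
                                         f"accounts within {SPRAY_WINDOW}"})
                break  # one alert per source is enough
    return alerts


def evaluate(events):
    """Run every rule and return the alerts in event order, sprays last."""
    alerts = []
    for ev in events:
        for rule in SINGLE_EVENT_RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"rule": rule.__name__[len("rule_"):],
                               "time": ev["time"], "detail": detail})
    alerts.extend(detect_password_spray(events))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['time']} {alert['detail']}")
```

The single-event rules are the cheap "line item" matches the paragraph describes; the spray rule is the kind of correlation that a SIEM must do across many events and that a human reading raw logs would rarely spot. Note that the benign addition to the Sales group produces no alert, which is the point of scoping the membership rule to a curated list of privileged groups rather than alerting on every group change.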
Active Directory compromises are challenging to detect, but automated information gathering and reporting now make early detection and prompt remediation possible. With a thorough understanding of what to look for and modern identity visibility tools at their disposal, today’s defenders are better prepared than ever to rebuff and repel attacks on Active Directory. With attackers continuing to zero in on AD as a high-value target, the ability to detect and derail them will only grow more critical.