Active Directory Security Needs Immediate Attention

ACTIVE DIRECTORY SECURITY NEEDS IMMEDIATE ATTENTION:

CIOS AND CISOS CAN MAKE ALL THE DIFFERENCE

ATTACKS ARE ON THE RISE! BREACHES ARE ON THE RISE!

ACTIVE DIRECTORY IS STILL THE MAIN TARGET!

If attacks and breaches are rising and Active Directory (AD) is at the center of these malicious activities, why aren’t organizations spending more time securing AD, a.k.a. “the keys to the kingdom”? The reasons might be simpler than you think. First, it is clear that the IT side and the security side don’t always see eye-to-eye, nor do they always play nicely in the sandbox. Often IT says AD security is a security issue, while security says AD is an IT concern. In the middle is AD security, which is left untouched and exploitable by nearly every attacker.

The silver lining is that if CIOs and CISOs work in unity and take AD security seriously, AD can be secured. This will not only provide a rock-solid foundation for AD security, it will help negate the success of so many attacks such as LAPSUS$, Quantum, Conti, Ryuk, SolarWinds, and more. Since all of these attacks rely on queries of AD to find attack paths into privileged accounts and domain domination, shoring up AD security will remove these options from attackers.

CIO VS CISO: WHY BAD ACTORS ARE OWNING ACTIVE DIRECTORY

Every organization suffers from a lack of visibility and responsibility around Active Directory (AD) security. Security teams do not have the depth of knowledge on AD, while IT does not have the time or desire to secure AD fully. Thus, Active Directory is the main target of nearly every cyberattack today.

The CIO

The CIO is responsible for ensuring that technology is leveraged and running to support the organization. This means that the technology must be available “at all costs” so employees can perform their jobs and the company remains profitable. The CIO is normally responsible for Active Directory, which is central to authorization and authentication.

The CISO

The CISO is responsible for information security. This means that data, devices, services, the network, and nearly everything technology-focused must be secure. The CISO is normally responsible for the SOC and all of the security analysts.

There is a very common issue that exists with regard to technology in nearly every organization:

• CIOs want things to run so the company can be profitable, regardless of the overall security.

• CISOs want things to be secure, regardless of the overall functionality of the organization.

These two conflicting concepts can cause a significant technical and strategic split for the organization.


IT AND THE AD ADMIN

The AD admin works for the business to ensure that AD and all of the services associated with daily tasks are constantly available. If AD is not available, even for a few minutes, services and applications will fail to authenticate, causing a disruption to users’ tasks. The AD admin knows that many modifications to AD and domain controllers can cause these disruptions, such as:

• Patching vulnerabilities

• Modifying object attributes or group membership

• Applying service packs

• Modifying permissions for AD, SYSVOL, services, folders, files, etc.

• Deleting users, computers, or groups from the directory

The AD admin is certainly concerned about security, but this is trumped by the need to have AD running 24x7. Thus, misconfigurations and other vulnerabilities are scattered throughout AD configurations, objects, and object attributes, leaving gaping holes that attackers can exploit.

SECURITY AND THE SOC

The SOC is filled with numerous tools and security experts that create elaborate rules to detect security issues in nearly every technology running on the network. SIEM, SOAR, EDR, XDR, AV, and more provide the SOC with information regarding all devices and activity that could lead to a security issue or even an attack. With all devices sending information into the SOC, sometimes at GB/sec, the SOC analyst must be quick, efficient, and intelligent enough to know when the logs and rules are telling them a security issue is at hand versus normal behavior. With such diverse devices, applications, and services, combined with GB/sec of data, it is impossible for the SOC analyst to know the inner workings of every device, service, and operating system. So, the SOC focuses on the most common areas that can indicate a security issue or attack. This leaves various and cavernous holes in the fabric of the network, which can be exploited by an attacker without notice.

BAD ACTIVE DIRECTORY SECURITY HYGIENE:

WHY BAD ACTORS ARE OWNING ACTIVE DIRECTORY

It is clear that every organization is a potential target for a cyber attack. Small businesses are going out of business due to ransomware attacks encrypting their data, which the company can’t afford to pay to decrypt. Huge enterprises are being breached as if they had no security in place, causing downtime, ransom payments, and loss of credibility in the market. Multi-faceted breaches are occurring due to service and application weaknesses, which can be duplicated on every installation of the software.

MICROSOFT ACTIVE DIRECTORY AT THE CORE

At the core of these attacks is Microsoft Active Directory. SolarWinds, Ryuk, XingLocker, Conti, LAPSUS$, Quantum, Agenda, plus so many more, exploit Active Directory weaknesses, misconfigurations, and vulnerabilities to obtain enterprise privileges. From this destruction there are two main questions that must be asked regarding the security of AD:

1. IS MY AD INFRASTRUCTURE SECURE FROM AN ATTACK?

2. CAN I SECURE AD SUCH THAT IT CAN WITHSTAND AN ATTACK?

The answer to the first is from my own experience. I have never seen an AD infrastructure that couldn’t be breached in minutes or hours. Even the default installation of AD has numerous exploits.

The answer to the second is yes. However, this requires time, knowledge, and persistence. Audits, pentests, assessments, scans, etc. are not enough. Instead, the solution requires that the existing structure be evaluated and every potential issue be resolved. From there, the secured AD environment must be kept secure, in real time and constantly, to ensure that no security drift occurs that could lead to an exploit.

TOP EXPLOITABLE SETTINGS IN ACTIVE DIRECTORY

To prove that your AD is not secure and could be exploited, here are a few settings that are nearly always misconfigured and exploitable.

AdminSDHolder

The default object responsible for continuously ensuring that the security of all privileged users and groups is consistent.

Primary Group ID

A legacy setting used by Mac clients and POSIX applications for associating a user with a specific group.

SIDHistory

A user attribute used during a migration so users can access resources in their original domain.

Privileged Groups

Both default and post-install created groups allowing users to perform administrative tasks on AD, services, applications, etc.

Service Principal Names

Attributes used to allow service accounts to perform actions on behalf of the service they support.

THE REALITY

The list above is only a short list of the exploitable objects, attributes, and other configurations within a typical Active Directory enterprise. Each item in the list above can be enumerated and analyzed by a domain user that has only read access to these objects, attributes, and settings. If any of the settings above are not secured or are misconfigured, an attacker can see the issue instantly and exploit it within minutes or hours to obtain domain privileges.
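As an added example (not Tenable’s code, and not part of the original paper), the following PowerShell script audits the five settings listed above with the RSAT ActiveDirectory module, using nothing more than the read access an ordinary domain user already has, which is the paper’s point: whatever this script can see, an attacker can see too. The allow-list of AdminSDHolder trustees and the set of groups treated as privileged are assumptions to adjust to your own documented baseline; the result is a findings table plus a CSV you can diff from one run to the next.

```powershell
# Added example, not Tenable's code: read-only audit of the five settings the
# paper lists. Needs the RSAT ActiveDirectory module; every query works with
# ordinary domain-user read access, which is exactly what an attacker also has.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$nb       = $domain.NetBIOSName
$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding {
    param([string]$Setting, [string]$Object, [string]$Detail)
    $findings.Add([pscustomobject]@{ Setting = $Setting; Object = $Object; Detail = $Detail })
}

# 1. AdminSDHolder: SDProp copies this object's ACL onto every protected user and
#    group, so any extra trustee with write or control rights here owns all admins.
#    The trustee allow-list is an assumption; tune it to your documented baseline.
$adminSdHolderDn  = "CN=AdminSDHolder,CN=System,$domainDN"
$expectedTrustees = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                      "$nb\Domain Admins", "$nb\Enterprise Admins")
$sd = (Get-ADObject -Identity $adminSdHolderDn -Properties nTSecurityDescriptor).nTSecurityDescriptor
foreach ($ace in $sd.Access) {
    $rights = $ace.ActiveDirectoryRights.ToString()
    if ($ace.AccessControlType -eq 'Allow' -and
        $rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' -and
        $expectedTrustees -notcontains $ace.IdentityReference.Value) {
        Add-Finding 'AdminSDHolder' $ace.IdentityReference.Value "$rights (review this ACE)"
    }
}

# 2. primaryGroupID: membership granted through this attribute does not appear in
#    the group's member list. 513 is Domain Users; the built-in Guest is 514.
Get-ADUser -Filter 'primaryGroupID -ne 513' -Properties primaryGroupID |
    Where-Object { -not ($_.SamAccountName -eq 'Guest' -and $_.primaryGroupID -eq 514) } |
    ForEach-Object { Add-Finding 'PrimaryGroupID' $_.SamAccountName "primaryGroupID=$($_.primaryGroupID)" }

# 3. sIDHistory: should be empty once a migration has finished.
Get-ADUser -Filter 'sIDHistory -like "*"' -Properties sIDHistory |
    ForEach-Object {
        $sids = ($_.sIDHistory | ForEach-Object { $_.Value }) -join ', '
        Add-Finding 'SIDHistory' $_.SamAccountName "sIDHistory=$sids"
    }

# 4. Privileged groups: recursive membership of the built-in admin groups. Add the
#    groups your organization treats as privileged (this list is an assumption).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators')
foreach ($g in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain.
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'PrivilegedGroup' $_.SamAccountName "member of $g ($($_.objectClass))" }
}

# 5. SPNs on user accounts: each one is a service account whose password quality is
#    the only thing protecting that service; prefer gMSAs and long, rotated passwords.
Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties servicePrincipalName, PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        Add-Finding 'SPN' $_.SamAccountName "$($_.servicePrincipalName.Count) SPN(s); password last set $($_.PasswordLastSet)"
    }

$findings | Sort-Object Setting, Object | Format-Table -AutoSize
$findings | Export-Csv -Path ".\ad-hygiene-$($domain.DNSRoot).csv" -NoTypeInformation
```

Run it once per domain from any domain-joined workstation with RSAT installed; every row is something to either document as intentional or fix. Keeping the CSV from each run makes the paper’s “security drift” visible: a trustee, primary group, SID history entry, group member or SPN that is present today and was not present last week is exactly the change you want to explain.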

ACTIVE DIRECTORY SECURITY NEEDS IMMEDIATE ATTENTION 6

ACTION FOR EVERY ORGANIZATION

I challenge every organization that knows their Active Directory is not secure enough to withstand an attack to take a step back and develop a plan to secure it. There are some obvious steps to accomplish this:

1. SECURE THE EXISTING AD INFRASTRUCTURE AND SETTINGS THAT ATTACKERS TARGET

2. ENSURE THAT THE SECURITY IN STEP #1 IS MAINTAINED CONSTANTLY

3. BE ABLE TO DETECT WHEN AD IS UNDER ATTACK IN REAL TIME

With these three steps considered and completed, the entire enterprise exposure and risk will dramatically decrease.

Some points to consider:

• For an AD environment with under 5000 users, Step #1 can be discovered in less than 20 minutes.

• Step #2 can be executed with alerts being sent to admins and the SOC in real time.

• Step #3 can be accomplished with no agents and no privileges in AD.
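As an added example of steps #2 and #3 (not Tenable’s code, and not the agentless approach the paper describes), here is a PowerShell watcher that polls a domain controller’s Security log and alerts on two of the changes an attacker would have to make to the settings listed earlier: a member added to a privileged group (Event IDs 4728, 4732 and 4756) and any modification of the AdminSDHolder object (Event ID 5136). It assumes the “Audit Security Group Management” and “Audit Directory Service Changes” subcategories are enabled, that AdminSDHolder carries a SACL auditing writes, and that the Send-Alert placeholder is replaced with your SOC’s own channel.

```powershell
# Added example, not Tenable's code: poll the Security log for privileged-group
# membership changes and AdminSDHolder edits, and raise an alert for each.
# Assumes the relevant audit subcategories and object SACL are enabled, and that
# Send-Alert is replaced with your SOC's channel (SIEM, webhook, e-mail).
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators')
$adminSdHolderDn  = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
$memberAddedIds   = 4728, 4732, 4756   # member added to a global / local / universal security group
$objectModifiedId = 5136               # directory service object modified

function Send-Alert {
    param([string]$Message)
    # Placeholder (assumption): console only; replace with your SOC's alerting channel.
    Write-Warning "[$(Get-Date -Format o)] $Message"
}

function Get-EventField {
    # Pull one named <Data> field out of the event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddMinutes(-5)
while ($true) {
    $now    = Get-Date
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = ($memberAddedIds + $objectModifiedId); StartTime = $since
    } -ErrorAction SilentlyContinue   # "no events found" is reported as an error; ignore it

    foreach ($e in $events) {
        if ($memberAddedIds -contains $e.Id) {
            $group = Get-EventField $e 'TargetUserName'
            if ($privilegedGroups -contains $group) {
                $member = Get-EventField $e 'MemberName'
                $actor  = Get-EventField $e 'SubjectUserName'
                Send-Alert "Event $($e.Id): '$member' added to privileged group '$group' by '$actor'"
            }
        }
        elseif ($e.Id -eq $objectModifiedId) {
            $dn = Get-EventField $e 'ObjectDN'
            if ($dn -eq $adminSdHolderDn) {
                $attr  = Get-EventField $e 'AttributeLDAPDisplayName'
                $actor = Get-EventField $e 'SubjectUserName'
                Send-Alert "Event 5136: AdminSDHolder attribute '$attr' modified by '$actor'"
            }
        }
    }
    $since = $now
    Start-Sleep -Seconds 30
}
```

Polling every 30 seconds keeps the alert within the “real time” window the paper asks for without a log forwarder; the same filter translates directly into a SIEM rule if the Security logs are already being collected centrally. Every alert should map back to a change ticket; one that does not is the drift from step #1 that step #2 exists to catch.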

WHAT TO DO NOW?

We encourage you to verify these settings in each and every AD domain you have. If even one of these settings in a single domain is not secured, an attacker could exploit it and take over the enterprise. As you go through the process of checking these few settings in a few domains, keep track of the time and effort it takes. Imagine that you will need to monitor these settings, plus MANY more, across the entire AD infrastructure, constantly!


About Tenable

Tenable® is the Exposure Management company.

Approximately 40,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000, and large government agencies. Learn more at www.tenable.com.

WHAT IS TENABLE AD SECURITY?

Tenable Active Directory Security is a fast, frictionless (agentless) Active Directory security solution that allows you to see everything in your complex AD environment, predict what matters to reduce risk, and prevent attack paths before attackers exploit them.

• Review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts.

• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.

• Prioritize issues and provide detailed steps for remediation and improvement.

• Identify and detect abnormal activity in Active Directory in real time.

• Prevent escalation of privileges and eliminate critical attack paths.

White Paper / Tenable / 110222
COPYRIGHT 2022 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, TENABLE.IO, NESSUS, ALSID, INDEGY, LUMIN, ASSURE, AND LOG CORRELATION ENGINE ARE REGISTERED TRADEMARKS OF TENABLE, INC. OR ITS AFFILIATES. TENABLE.SC, TENABLE.OT, TENABLE.AD, EXPOSURE.AI, AND TENABLE.ASM ARE TRADEMARKS OF TENABLE, INC. OR ITS AFFILIATES. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.