ELIMINATING ATTACK PATHS IN ACTIVE DIRECTORY: A
CLOSER LOOK AT PREVENTING PRIVILEGE ESCALATIONS
Active Directory is a 22-year-old technology that is subject to frequent changes (adding and removing users, reassigning roles and permissions, etc.) and has now saddled CIOs with decades of technical debt.
Considering that almost 90% of Global Fortune 1000 companies use AD as their primary method for authentication and authorization, AD is a high-value target for attackers and is a critical component for successful ransomware attacks on enterprises.
Over the last two decades ransomware operators have successfully exploited Active Directory (AD) and its misconfigurations to launch attacks that have crippled enterprise networks.
Sophisticated AD attacks rely on multiple attack paths. In many cases, attackers look to take advantage of unpatched vulnerabilities and misconfigurations in Active Directory. Often, they employ a combination of both methods in order to move around the network. In the ransomware context, this means systematically exploiting unpatched common vulnerabilities and exposures (CVEs) and remote access gateways to execute primo-infection. Next, attackers exploit misconfigurations in AD to move laterally through the network, gain some level of access and look to escalate privileges while maintaining persistence in the network infrastructure. Misconfigurations such as hidden permissions, nested group memberships and inherent security gaps may constitute an attack path.
The 3-Step Sequence Involved In A Ransomware Attack:
• PRIMO-INFECTION AND PIVOTING: infection of an initial system, often a PC, with malicious code.
• LATERAL MOVEMENT AND PRIVILEGE ESCALATION: discovery of the environment to determine attack paths to privileged accounts and sensitive data. Privilege escalation attacks in AD target unpatched vulnerabilities and misconfigurations.
• DOMAIN DOMINANCE: execution of the attack by the ransomware once the attack path is discovered.
The scope and scale of privilege exploitation attacks in AD environments continue to increase. A 2018 Forrester report says that privileged access abuse is involved in 80% of all security breaches. Attackers with access to ordinary user accounts will move laterally in the network with the goal of elevating to a highly privileged account, such as a domain admin account. The challenge for enterprises is to detect whether privileged access has been granted to a non-privileged user, because that may indicate an attack.
Additionally, attack paths can be created in AD by stringing together abusable privileges and actions. This could enable an attacker who compromises a single ordinary user account to gain administrative privileges or even take complete control of the IT environment.
For instance, the recent privilege escalation vulnerability in AD, CVE-2022-26923, allows attackers who have gained access to standard user accounts to impersonate domain administrators and take complete control over the domain. If the attack is successful, enterprises could find themselves in the undesirable position of having to clean and rebuild their entire AD environment. It is crucial to detect and eliminate privilege escalation vulnerabilities to prevent complete AD control.
HOW CVE-2022-26923 COULD BE USED BY ATTACKERS
Microsoft fixed the high severity privilege escalation vulnerability CVE-2022-26923 in AD Domain Services on May 10, 2022. The vulnerability had a Common Vulnerability Scoring System (CVSS) score of 8.8 and a high severity rating. It allowed low-privileged users to escalate their privileges to the level of domain administrators. With domain admin rights, attackers could then access business-critical assets, such as the Exchange server, financial data, e-commerce applications, etc. Such access explains why ransomware groups target AD: it lets them take over multiple hosts within a network and have the widest possible reach.
CVE-2022-26923 poses a high risk to compromised systems, allowing attackers to abuse AD Certificate Services. According to Microsoft, “An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from AD that would allow elevation of privilege to System.” The acquired certificate could then be used for additional attacks, such as DCSync. With the certificate, an attacker can also retrieve a hash of the domain controller’s domain account to impersonate a domain controller and replicate all password information in the environment.
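As an added defensive check, not part of the Tenable paper, the PowerShell audit below looks for the preconditions Microsoft’s description implies: ordinary users who are allowed to create computer accounts they then own, and existing computer objects whose name attributes disagree. It assumes the RSAT ActiveDirectory module and read access to the domain, and reads the attributes ms-DS-MachineAccountQuota, dNSHostName and mS-DS-CreatorSID, none of which the page names.

```powershell
# Added audit script (not from the Tenable paper). Assumes the RSAT ActiveDirectory
# module and read access to the domain. CVE-2022-26923 needs a computer account the
# attacker owns or manages; this shows who may create such accounts and which existing
# accounts carry a dNSHostName that does not match their own name.
Import-Module ActiveDirectory

# How many computer accounts any authenticated user may create (the default is 10).
# A value of 0 removes the cheapest way for a low-privileged user to obtain a
# computer account under their control.
function Get-MachineAccountQuota {
    $domain = Get-ADDomain
    $root   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    return [int]$root.'ms-DS-MachineAccountQuota'
}

# Computer objects whose dNSHostName disagrees with "<Name>.<domain DNS root>" and
# accounts created through the quota (mS-DS-CreatorSID is only populated when the
# creator had no explicit create-child right and used the quota). Multi-suffix DNS
# environments produce legitimate mismatches, so review the output before acting.
function Find-SuspiciousComputerAccounts {
    param([int]$RecentDays = 30)
    $domain = Get-ADDomain
    $since  = (Get-Date).AddDays(-$RecentDays)
    Get-ADComputer -Filter * -Properties dNSHostName, whenCreated, 'mS-DS-CreatorSID' |
        ForEach-Object {
            $expected = '{0}.{1}' -f $_.Name, $domain.DNSRoot
            $creator  = $null
            if ($_.'mS-DS-CreatorSID') {
                # The attribute is stored as a binary SID; convert it to SDDL form.
                $creator = [System.Security.Principal.SecurityIdentifier]::new($_.'mS-DS-CreatorSID', 0).Value
            }
            [pscustomobject]@{
                Name            = $_.Name
                DnsHostName     = $_.dNSHostName
                ExpectedDnsName = $expected
                NameMismatch    = [bool]($_.dNSHostName -and ($_.dNSHostName -ine $expected))
                CreatedRecently = $_.whenCreated -ge $since
                CreatorSid      = $creator    # non-null means created via the quota
            }
        }
}

"ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"
Find-SuspiciousComputerAccounts |
    Where-Object { $_.NameMismatch -or $_.CreatorSid } |
    Sort-Object CreatedRecently -Descending |
    Format-Table -AutoSize
```

Run it from a workstation joined to the domain; a non-zero quota together with recently created, quota-created accounts is the combination to investigate first.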
WHY CONVENTIONAL SECURITY TOOLS PROVE INADEQUATE FOR AD
Unfortunately for enterprises, attempts at abusing AD usually go unseen due to the inherent nature of the configurations involved. Poor or default configurations put enterprises at risk, as traditional siloed security tools fail to correlate the potential exposure of critical assets in the network.
Tools such as endpoint detection and response (EDR), security information and event management (SIEM) and intrusion detection software (IDS), although useful, prove ineffective in identifying critical vulnerabilities and dangerous misconfigurations in AD that create attack paths leading to a successful ransomware attack. These reactive technologies, even when used in collaboration, are not enough.
Knowing that you have been attacked is essential, but anticipating and preventing attacks via exposure management is crucial to staying resilient and thwarting attacks. Detecting and eliminating attack pathways gives enterprises the ability to block new threats before the pathways are exploited by attackers.
DEFEATING RANSOMWARE WITH TENABLE
Ransomware groups will continue to pursue all possible avenues of attack and will continue to expand their attack techniques and tactics. While ransomware groups may not exploit every vulnerability or misconfiguration, organizations need to keep a close watch for any such weaknesses in their Active Directory environments. AD needs real-time comprehensive security to proactively find, prioritize and remediate threats and misconfigurations as quickly as possible.
Tenable Active Directory Security is a fast, frictionless (agentless) Active Directory security solution that lets you see how AD is involved in the entire attack path. Now security teams can pinpoint the highest risks and provide detailed remediation steps to mitigate them. A visual representation of the attack paths from any specific point of entry helps users eliminate the privilege escalation techniques that an attacker may use to compromise business-critical assets.
By leveraging Tenable.ad, users can:
• Review domain controllers, servers, workstations and Active Directory for new and/or unrecognized accounts.
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
• Prioritize risks and provide detailed steps for remediation and improvement.
• Identify and detect abnormal activity in Active Directory in real time.
• Prevent escalation of privileges and eliminate critical attack paths.
ABOUT TENABLE
Tenable® is the Exposure Management company. Approximately 40,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000, and large government agencies. Learn more at www.tenable.com
It’s common for ransomware attackers to elevate their privileges and gain wide-reaching access to critical enterprise assets by targeting Active Directory using an attack path that is a result of unpatched CVEs and AD misconfigurations.
A comprehensive real-time security strategy to find, prioritize and remediate threats and misconfigurations is essential to secure your AD proactively. Tenable Active Directory Security enables users to see everything in their complex AD environment and prioritize what matters most to address risk and eliminate attack paths.
Learn more: www.tenable.com/products/tenable-ad