
WHY YOU NEED TO MONITOR YOUR ACTIVE DIRECTORY

RAY KAFITY, VICE PRESIDENT - MIDDLE EAST, TURKEY & AFRICA AT ATTIVO NETWORKS, EXPLAINS WHY ORGANISATIONS SHOULD NOT LEAVE AD DATA EXPOSED TO ATTACKS

A recent PwC survey of CEOs in the Middle East revealed that nearly three-quarters considered cyber-attacks and data leaks as threats to growth in 2021. And rightfully so: as the recent SolarWinds incident and the Exchange attacks show, cybercriminals are ramping up their efforts to cause disruption and financial cost to their victims.


With employees working remotely or in a hybrid setup, the challenge of guarding against cyber-attacks has increased multi-fold. Far from the security of a corporate firewall, personnel are instead logging in and accessing data from unsecured devices and public networks.

As an organisation’s security perimeter currently extends to their employees’ homes, IT teams have had to rethink their security policies and architecture. These changes are now centred on using identities to restrict access and ensure only authorised people can connect with centralised applications and data.

The role of Active Directory

Despite the broad range of different attack types cybercriminals are using, industry research has found a common factor that links more than 80% of them: Active Directory (AD). The Microsoft-developed directory platform is at the heart of more than 90% of Fortune 1,000 corporate IT infrastructures and has, over time, become a favoured means for gaining unauthorised access. The security challenge stems from the fact that some organisations view AD as little more than ‘plumbing’ to connect the various infrastructure components. As with many operational technologies, the focus is on having it work without service disruption, often to the detriment of its security.

One approach that growing numbers of security teams are adopting involves automating vulnerability and live attack detection on Active Directory. This strategy is powerful because an undetected exposure can lead to an attacker elevating their privileges, changing security settings, and erasing their tracks. These technologies can detect an attacker’s activity during their initial reconnaissance of the directory and reveal their presence early.

Additionally, because Active Directory is inherently insecure, cybercriminals can use tools to query AD and discover ways to access an organisation’s domain admin accounts. Innovations in Active Directory protection tools can deter these activities by concealing the real AD objects, intercepting unauthorised queries, and returning deceptive results that misdirect the attacker into a decoy, negating their ability to gather useful data.

From the attacker’s perspective, things seem normal, and they may believe they have successfully gained the data they were seeking. However, when the attacker attempts to move laterally through the infrastructure using the fake information they gathered, the security team is prepared for them and ready to watch their next moves.

This approach to AD security is powerful because now the IT security team knows the attacker’s tactics, techniques, and procedures (TTPs) and can gather indicators of compromise (IoCs). They can use this intelligence to help prevent future similar attack activities.

Active Directory monitoring

Continuous visibility into Active Directory risks and detecting live attacks against it is an essential control for businesses of all sizes. The tools can offer actionable alerting and prompt remediation of dangerous exposures to reduce attack surfaces and lateral attack paths that threat actors could exploit.

The tools can also provide live detection for actions such as password spraying, DCSync, DCShadow, Golden Ticket attacks, and other events which are likely to be a sign of an attack on the network. These detections allow security teams to respond to the activities before the attacker can gain access to their chosen goals.
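The password-spraying and DCSync detections named above, as an added illustration that is not the article's or Attivo's code: two minimal rules run over constructed, simplified Windows Security events (Event ID 4625 failed logons, and Event ID 4662 directory-object access carrying the replication control-access-right GUIDs). The event field names, thresholds and the list of known domain controller accounts are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs a DCSync caller must exercise; on a domain
# controller they appear in the Properties field of Event ID 4662.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
KNOWN_DCS = {"DC01$", "DC02$"}  # assumed: accounts that legitimately replicate

# Constructed, simplified events (4625 = failed logon, 4662 = AD object access).
REPL = ";".join(sorted(REPLICATION_GUIDS))
EVENTS = [
    {"id": 4625, "time": "2021-04-01T08:00:01", "src": "10.0.0.5", "user": "alice"},
    {"id": 4625, "time": "2021-04-01T08:00:03", "src": "10.0.0.5", "user": "bob"},
    {"id": 4625, "time": "2021-04-01T08:00:05", "src": "10.0.0.5", "user": "carol"},
    {"id": 4625, "time": "2021-04-01T08:00:07", "src": "10.0.0.5", "user": "dave"},
    {"id": 4625, "time": "2021-04-01T08:02:00", "src": "10.0.0.9", "user": "erin"},
    {"id": 4662, "time": "2021-04-01T08:10:00", "src": "10.0.0.2", "user": "DC02$", "properties": REPL},
    {"id": 4662, "time": "2021-04-01T08:11:00", "src": "10.0.0.5", "user": "svc_backup", "properties": REPL},
]

def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=3):
    """Return {source_ip: distinct accounts} for sources that fail logons
    against many different accounts inside one time window (spray pattern)."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()  # sliding window over chronologically ordered failures
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[src] = len(users)
                break
    return hits

def detect_dcsync(events, known_dcs=KNOWN_DCS):
    """Return (account, time) where a non-DC account used replication rights."""
    return [(e["user"], e["time"]) for e in events
            if e["id"] == 4662 and e["user"] not in known_dcs
            and REPLICATION_GUIDS & set(e["properties"].split(";"))]

if __name__ == "__main__":
    print("password spray:", detect_password_spray(EVENTS))
    print("dcsync:", detect_dcsync(EVENTS))
```

Real deployments would read these events from the domain controllers' Security logs and tune the window and account threshold to the environment's normal failure rate.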

When choosing a tool to deploy that will effectively monitor AD, it’s important to look for a range of specific capabilities. These include continuously monitoring AD and providing reliable alerts should it spot any anomalous behaviour.

The tool should also provide actionable alerts for quick remediation of weaknesses before attackers can exploit them, reducing some of the security team’s workload and allowing them to focus on urgent activities.

The tool should provide the most effective protection with visibility and monitoring for domain, device, and user exposures across the AD. These will ensure that the security teams spot any attempted attacks as quickly as possible to limit the damage attackers can inflict.

Conclusion

On average, four out of five known attacks have leveraged Active Directory. With new innovations, continuous monitoring and protecting AD without altering the AD infrastructure or operations is now a reality. The two primary ways to do this are by monitoring AD for misconfigurations and attacks in real time, and by hiding the information AD contains, which attackers need in order to steal, destroy, or tamper with data.

AD and the growing area of cloud entitlements will remain essential IT infrastructure components for many years to come. Therefore, taking time to ensure that identity security is as strong as possible now will help mitigate the risk of attacks in the future.
