Active Directory is the world’s most well-known and widely used on-premises directory service. For many organisations, the most critical business systems, including those used by human resources, legal and finance, depend on Active Directory for authentication and authorisation. Because those systems trust the directory, it is crucial to protect user credentials, corporate systems, sensitive data, applications and so on from malicious intent.
This three-part series will help you understand how an attack may occur and offer both near term and long-term solutions to provide protection against these attacks.
- Part 1: Protecting Active Directory – Understanding Targeted Attacks
- Part 2: Protecting Active Directory – Near Term Wins
- Part 3: Protecting Active Directory – Long Term Projects
Before you can design a program around protecting Active Directory from a cyber-attack, it is best to first understand a little bit about these attacks, specifically the Advanced Persistent Threat (APT). Often, the exploits used by a malicious actor are not particularly advanced or complex. Instead, they carefully research the intended target and then choose exploits which have a minimal chance of detection and can accomplish the goals of the attack.
My colleague Rob Walker recently wrote a blog about the war on cybercrime which is also worth reading. Targeted attacks are slow and methodical and use an array of tactics. To understand how an attack works, it helps to understand the stages it moves through (also known as the ‘cyber kill chain’).
- Research – malicious actors look or probe for a way to gain initial access to an environment. The targets of their attacks are often individuals, groups or technologies
  - When investigating specific people to target in an organisation, they may use the company website or well-known public services such as Facebook, Twitter and LinkedIn
  - Based on the data obtained in this phase, specific users, groups or technologies can be identified, allowing the attacker to create or select malware tailored to one of the vulnerabilities discovered
- Breach – the next step is delivering the malware. There are several ways an attack against a person or group of users can be distributed. The most common is spear phishing, where an email message containing a malicious link or attachment is sent to the target. To increase the odds that the person opens the email and takes an action (clicks the URL, opens the attachment), the message may contain information gathered in the research phase that is personal to the targeted individual
- Elevation of privilege – once the attacker has a foothold inside the enterprise, the malicious code begins reconnaissance to discover useful resources such as user accounts, systems and network information. Tools such as key loggers, decrypters and network sniffers may be run. The goal is to obtain user logon credentials and escalate permissions
- Data Exfiltration – at this stage the attacker’s tooling is resident on the compromised systems and lies in wait. Data shows compromises can go undetected for more than 200 days. As Dmitri Alperovitch stated in August 2011 as part of his Shady RAT report, “of the world’s biggest firms, there are just two kinds: those who know they’ve been compromised, and those who still haven’t realized they’ve been compromised.”
  As the intrusion spreads from the initially compromised system to other systems across the network, information is gathered and passed back to the attacker’s command and control centre.
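The reconnaissance described under Elevation of privilege is worth seeing concretely, because it is what a defender has to baseline. The script below is an added example and is not part of the original post; it shows how the three things the stage targets (user accounts, systems and network information) are read out of Active Directory using only the .NET DirectorySearcher that ships with Windows, so no RSAT module is needed and nothing has to be written to disk. It assumes it is run as any authenticated domain account on a domain-joined host, and that the Domain Admins group still sits in the default CN=Users container; the function name Search-Directory is this example’s own.

```powershell
# Added example, not code from the original post: what Active Directory
# reconnaissance looks like from a foothold as an ordinary domain user.
# Assumptions: domain-joined host, any authenticated domain account, and the
# Domain Admins group in its default CN=Users location.

$rootDse   = [ADSI]"LDAP://RootDSE"
$defaultNC = $rootDse.defaultNamingContext.Value         # e.g. DC=corp,DC=local
$configNC  = $rootDse.configurationNamingContext.Value   # CN=Configuration,DC=corp,DC=local

# Small LDAP helper (this example's own, not a built-in cmdlet).
function Search-Directory {
    param(
        [string]$SearchBase,
        [string]$Filter,
        [string[]]$Properties
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 1000            # paged results bypass the 1000-object cap
    $searcher.PropertiesToLoad.AddRange($Properties)
    $results = $searcher.FindAll()
    foreach ($result in $results) {
        $obj = [ordered]@{}
        foreach ($p in $Properties) {
            # SearchResult property names come back lower-cased; multi-valued
            # attributes are joined for display
            $obj[$p] = @($result.Properties[$p.ToLower()]) -join '; '
        }
        [pscustomobject]$obj
    }
    $results.Dispose()
}

# 1. User accounts: who can administer the domain? The matching rule
#    1.2.840.113556.1.4.1941 makes the DC expand nested group membership.
$domainAdminsDn  = "CN=Domain Admins,CN=Users,$defaultNC"
$privilegedUsers = Search-Directory -SearchBase $defaultNC `
    -Filter "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$domainAdminsDn))" `
    -Properties sAMAccountName, userAccountControl, description

# 2. Systems: domain controllers (SERVER_TRUST_ACCOUNT, bit 8192 of
#    userAccountControl, tested with the bitwise-AND rule 1.2.840.113556.1.4.803)
#    and every other server, with OS version as a proxy for patch level.
$domainControllers = Search-Directory -SearchBase $defaultNC `
    -Filter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" `
    -Properties dNSHostName, operatingSystem, operatingSystemVersion
$servers = Search-Directory -SearchBase $defaultNC `
    -Filter "(&(objectCategory=computer)(operatingSystem=*Server*))" `
    -Properties dNSHostName, operatingSystem, operatingSystemVersion

# 3. Network information: AD sites and subnets map IP ranges to physical
#    locations, which tells the attacker where DCs and data centres live.
$subnets = Search-Directory -SearchBase "CN=Subnets,CN=Sites,$configNC" `
    -Filter "(objectClass=subnet)" `
    -Properties cn, siteObject, description

"{0} privileged users, {1} domain controllers, {2} servers, {3} subnets" -f `
    @($privilegedUsers).Count, @($domainControllers).Count, @($servers).Count, @($subnets).Count
$privilegedUsers   | Format-Table -AutoSize
$domainControllers | Format-Table -AutoSize
```

Every query above is an ordinary LDAP read that any authenticated user is permitted to perform by default, which is why this stage is quiet: the queries themselves are not malicious, so the detection signal is the source (a workstation or service account that has never issued such searches before), not the search.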
Any organisation can be a target of an attack. The rapid infrastructure changes organisations have made in response to COVID-19 have revealed new and unexpected vulnerabilities. Part 2 and Part 3 of this series will explore near-term and long-term Active Directory protection recommendations to consider. User passwords are another area where IT environments are made vulnerable; my colleague Edmund Davis explores this further in his blog ‘Pass the Passwords to the Left-Hand Side’.