Active Directory (AD) has become a critical element of most corporate networks. Some 90% of Fortune 1000 companies use AD – and it’s responsible for critical authentication and authorization processes across enterprise resources. Users throughout the enterprise need to access AD easily—something which, while convenient, makes AD particularly complex to secure. An attacker successfully compromising AD can change group membership, permissions, security policies, and ACLs. They can then use this control to change user rights and impersonate real employees for lateral movement and privilege escalation, giving the attacker the “keys to the kingdom.”
For a widescale ransomware attack, cybercriminals need control of AD to create persistence, install new objects and backdoors, and distribute malware to other systems. Attackers consider AD a high-value target, and defenders must deploy appropriate protections. Combating this threat and mitigating the effects of today’s ransomware attacks requires a new way of thinking and more effective use of today’s new cybersecurity tools.
Ransomware 2.0 threats are severe
The rise of Ransomware 2.0 has led to a decline in traditional “smash and grab” attacks. In the past, attackers would enter the network and immediately begin stealing or encrypting any data they could find, hoping to strike gold. Today’s attackers are much more deliberate, moving laterally throughout the network to identify the most valuable assets to target. By compromising AD and granting themselves greater privileges, these attackers can access and control new network areas that potentially contain much more valuable data. Attackers can even encrypt AD as part of the ransom, forcing organizations to pay simply to return to normal operations.
Ransomware attackers will actively leverage vulnerabilities as opportunities arise. Unfortunately, there are many examples, such as the recent Microsoft Exchange zero-day vulnerability, which the state-sponsored hacking group Hafnium exploited. In this case, attackers became aware of the vulnerability in advance of the patch, which provided ample time for other threat actors to install backdoors, gain persistence, and conduct ransomware attacks. It’s a common tactic among today’s cybercriminals. With the average ransomware payout now north of $300,000 (an increase of 171% in just one year), organizations are under increased pressure to find a solution.
Why are attacks on AD so effective?
Unfortunately, organizations often view AD as operational plumbing, and they tend to measure AD performance based on service availability rather than security. It’s quite a concern given that exploiting AD exposures and misconfigurations can let attackers gain critical privileged access and control, as well as the ability to move discreetly throughout the network.
Traditional AD protection has focused predominantly on controlling vulnerabilities by patching, trying to adhere to the principle of least privileges, and tiered administration policies. And while these are necessary measures, they are no longer enough. An organization can only patch a vulnerability after discovery, and even log analysis combined with SIEM correlation tends to center on detection rather than vulnerability assessment. Today’s organizations cannot afford to focus on strictly reactive measures—they must get proactive.
Mitigating the effectiveness of AD attacks
Part of being proactive means improving cyber hygiene. Companies need to instill good cyber hygiene across the board. Still, when it comes to addressing Active Directory vulnerabilities, it’s critical to regularly validate AD accounts and objects and maintain an updated list of permissions and privileges. Continually assessing and promptly changing settings and configurations can limit vulnerabilities, including exposures, overlooked permissions, and entitlements. Attackers often target delegated admin or shadow admin accounts, but these audits can limit unneeded credentials or access rights that create attack paths within AD.
Security teams also must have visibility into potential account-related issues. Continuously auditing accounts, especially those with administrative privileges, and implementing a policy of least privileges where users only have the necessary permissions to perform their essential job functions can limit these issues. Organizations may trust their employees, but overly permissive policies, often for convenience, are disastrous if just one account becomes compromised. Security teams also must stay aware of AD credentials stored on endpoints and remove them systematically.
Finally, it’s essential to have improved attack detection. Ransomware 2.0 relies on the attacker’s ability to move laterally throughout the network and identify valuable assets. Detecting that movement represents a significant advantage for defenders, who can leverage concealment and misdirection technology solutions to help with early detection and threat intelligence collection. Such solutions can detect unauthorized attack queries to AD, raise an alert, and even return fake data to the attacker to derail their efforts. When attackers attempt to act on that data, it can steer them into a decoy that safely isolates them from the network as it collects information on the attacker’s TTPs and IOCs for analysis. The threat actors remain unaware that they are wasting their time and resources while the defenders have derailed their attack and are gathering valuable intelligence against future attacks.
Evolving threats require evolving solutions
Today’s ransomware attackers will inevitably target AD to gain privileges, change policy settings, distribute malware, and cover their tracks. Just look at recent high-profile ransomware attacks that have commanded record-breaking payouts. Fortunately, with recent innovations, organizations can efficiently mitigate AD exploitation risks by improving their cyber hygiene, maintaining awareness of account issues, and detecting lateral movement within the network.
Modern Active Directory protection tools can prevent attackers from seeing the data they seek and gaining accurate information when querying AD. These solutions can now detect and prevent attackers from making AD changes, quickly alerting on attack activities like brute force attempts, password spray attacks, and other tactics that target AD objects. By stopping attackers from exploiting AD vulnerabilities, security teams can stop ransomware attackers in their tracks—and today’s advanced cybersecurity tools are making it easier for companies of all sizes to efficiently enhance their defenses.
Carolyn Crandall, chief security advocate, Attivo Networks
