Enterprises that start concentrating on protecting Active Directory will be doing themselves a huge favor, Derek Melber emphasized in his Tuesday afternoon InfoSec World 2020 session, “New Attack Patterns: Targeting the Keys to the Kingdom.”

“The attackers are going directly after the core IAM (Identity and Access Management) for nearly 95 percent of the world: Active Directory,” emphasized Melber, technical director for North America at Alsid, in a preview of his session.

Organizations are generally not prepared for the way attackers are changing their methods; they are still trying to secure their environments against traditional attacks. That is why those charged with guarding the keys to the kingdom need to alter their security strategies now.

“Attackers are now looking deeper into object and attribute configurations to exploit raw access and functionality within the Active Directory (AD),” Melber said. The reality, he added, is that many of these attacks bypass event logging altogether and look like routine access.

He pointed out that Active Directory was built on insecure concepts and architecture, and on trusting whoever is using it. Attackers take advantage of that by performing actions that look like standard AD management.

Attackers generally fall into two categories, insiders and outsiders, and their approaches to getting into the network differ. Both, however, usually have no problem obtaining read access to AD, noted Melber, a 15-time MVP winner in both Active Directory and Group Policy.

Insiders have an easier time gaining network access, but once outsiders get onto an endpoint, which is easily done through phishing, AD is just as susceptible to pilfering, he said.

Of course, attackers always covet privilege, whether it comes from group membership, permissions and ACLs (access control lists), user rights, or the ability to impersonate legitimate users.
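The object and attribute configurations Melber describes are, concretely, the ACLs on AD objects. A practitioner's first check is to list which principals hold control rights (GenericAll, WriteDacl, WriteOwner, unrestricted WriteProperty, and the replication and password-reset extended rights) over users, groups, OUs and the domain head itself. The following PowerShell audit is an added example, not code from Melber's session or from Alsid. It assumes the RSAT ActiveDirectory module, read access to the domain (which, as the talk notes, nearly any domain account has), and an allow-list of expected administrative principals that you must adapt to your environment; the schema and extended-right GUIDs in the table are the well-known default values and should be verified against your own forest.

```powershell
# Added example: audit AD object ACLs for control rights held by principals
# outside an allow-list. Not from the session or Alsid; assumptions are noted.
Import-Module ActiveDirectory   # provides Get-ADDomain, Get-ADObject and the AD: drive

$domain     = Get-ADDomain
$searchBase = $domain.DistinguishedName

# Assumption: principals that are expected to hold control rights. Adjust as needed.
$expected = @(
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins",
    "BUILTIN\Administrators",
    "NT AUTHORITY\SYSTEM",
    "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
)

# Rights that allow the holder to take over an object or change its security.
$controlRights = 'GenericAll|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'

# Well-known GUIDs (verify against your schema) for rights that are dangerous
# even when scoped to a single attribute or extended right.
$notableGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'      # DCSync prerequisite
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'  # DCSync prerequisite
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'      # reset without old password
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'                          # add self/others to a group
}
$allAttributes = '00000000-0000-0000-0000-000000000000'   # ACE applies to every attribute

$filter = '(|(objectClass=user)(objectClass=group)(objectClass=organizationalUnit)(objectClass=domainDNS))'

$findings = foreach ($obj in Get-ADObject -LDAPFilter $filter -SearchBase $searchBase) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow')              { continue }
        if ($ace.IdentityReference.Value -in $expected)      { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        if ($rights -notmatch $controlRights)                 { continue }

        $guid = $ace.ObjectType.ToString()
        # A WriteProperty/ExtendedRight/Self ACE limited to one ordinary attribute
        # is usually benign; keep it only if it is unscoped or hits a notable GUID.
        if ($rights -match '^(WriteProperty|ExtendedRight|Self)$' -and
            $guid -ne $allAttributes -and
            -not $notableGuids.ContainsKey($guid)) { continue }

        [pscustomobject]@{
            Object    = $obj.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $rights
            Scope     = if ($notableGuids.ContainsKey($guid)) { $notableGuids[$guid] }
                        elseif ($guid -eq $allAttributes)    { 'all attributes' }
                        else                                  { $guid }
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Object, Principal | Format-Table -AutoSize
```

Run it as an ordinary domain user to see what an attacker with only read access can learn, and review every row: an ACE granting DS-Replication-Get-Changes-All on the domain head to a service account, or `member` write on a privileged group to a help-desk group, is exactly the kind of configuration that turns into "routine" administrative actions later. Because the script inspects the current state of the directory rather than the Security log, it finds these grants whether or not object auditing (event 5136) was enabled when they were made. On a large domain, narrow `$searchBase` or the LDAP filter; reading every user's security descriptor takes time.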

“The Cyber Killchain Framework is a security gap that has received too little attention,” Melber contended. At stake are local privilege escalation for credentials and the AD, undetected lateral movement, backdooring, tampering with business resources, and exfiltration through side-channel tunnels.

Leaving AD unprotected goes hand in hand with leaving your organization susceptible to ransomware, he pointed out, citing Ryuk malware that was not dropped until an AD misconfiguration appeared months later.

SIEMs and AD monitoring, while very good at reporting for compliance and for executives making budget requests, fail to stop attacks because they rely on event logs, and the event is already complete by the time the alert is posted. “You can’t see events that are not logged,” Melber said, adding that there are too many events for the system to consume them efficiently. While attacks can trigger alerts, those alerts can look normal or arrive late. “Immediate notification is necessary to negate an attack,” he said.