In Many Cases Active Directory Is The Last Line Of Defence

Uploaded on 2022-10-11 in TECHNOLOGY--Resilience, FREE TO VIEW

Organisations of all sizes and across every industry are failing to address Active Directory (AD) security gaps that can leave them very vulnerable to cyber attacks. AD is a massive and complex attack surface that has long been a prime target for criminals seeking valuable privileges and data.

AD is a database and set of services that connect users with the network resources they need to get their work done. The database, or directory, contains critical information about your environment, including what users and computers there are and who's allowed to do what.

AD stores information about objects on the network and makes this information easy for administrators and users to find and use.

Active Directory uses a structured data store as the basis for a logical, hierarchical organisation of directory information. But incident responders have found that the AD service is involved in the bulk of attacks they investigate, underscoring major security challenges for defenders.

This is according to results from a survey of IT and security leaders who have deployed Purple Knight a free security assessment tool, in their environments. Organisations scored an average of 68% across five Active Directory security categories, a barely passing grade.

Large organisations fared even worse in the assessment, reporting an average score of 64%, indicating that the challenges in securing Active Directory expand with legacy applications and complex environments, particularly in large organisations.

AD Security Vulnerabilities

Microsoft AD  was a revolutionary technology at the time of launch - originally released with the Windows 2000 server operating system - continues to support much of the connected world and has prevailed over other directories for one core reason: it was open.

It is because of this openness and ease of integration that AD remains to this day a foundational piece of infrastructure for 90% of businesses. However, its biggest strength 21 years ago has since become its most concerning weakness.

The Threat

If you take into account that a hacker can use any unprivileged AD account to read almost all attributes and objects in AD, including their permissions, allowing them to find computer accounts in any domain of an AD forest that are configured with unconstrained delegation, then you get an idea for why the default AD openness has become a vulnerability.

Today, due to the disappearance of the network perimeter, identity has become the last line of defence from cyber attacks. 

Mandiant has recently reported that 90 percent of the incidents they investigate involve AD in one form or another. Some of the largest and most recent AD security breaches include SolarWinds and the Colonial Pipeline attack which made headlines due to their scale and the disruption caused when Microsoft AD went down.

Purple Knight

Semperis is a pioneer in managing and protecting the identity credentials of enterprises' hybrid environments and was purpose-built for securing AD. Last year it launched a free AD security assessment tool, Purple Knight and has  recently released the findings of data from a thousand security leaders that have deployed Purple Knight.

Key summary of findings:

Organisations overall scored an average of 68%:   Across five Active Directory security categories; AD delegation, account security, AD infrastructure security, Group Policy security, and Kerberos security. This is barely passing grade. 

Large organisations fared even worse:   Reporting an average score of 64%—indicating that the challenges in securing Active Directory expand with legacy applications and complex environments, particularly in large organisations.

Organisations reported the lowest scores for Account Security:  This includes  individual accounts, such as privileged accounts with a password that never expires.

Insurance companies:   Reported the lowest overall scores (55%), followed by healthcare (63%) and transportation (64%)

Transportation companies:  Reported utterly failing scores in Group Policy (36%) and Account Security (46%) 

Public infrastructure companies:   Scored the highest overall (71%), followed by government entities (70%)

Respondents cited various catalysts for downloading the security assessment, ranging from a proliferation of attacks in their industries, organisational mandates, or post-breach remediation.

Many of the respondents said they were surprised by the findings of their Purple Knight reports and in ollow-up interviews with respondents, the research also found that:

  • Misconfigurations proliferate in organisations with legacy Active Directory implementations
  • Organisations struggle with a lack of Active Directory expertise 

A recent 451 Research report said, “Directory services sit at the heart of most firms’ IT strategies, and as such they have become mission-critical assets that can present dire consequences if compromised, as we have learned from the now infamous SolarWinds supply-chain attack, and the Hafnium attack on Microsoft Exchange.”

Speaking about the report the CEO of Semperis, Mickey Bresman, commented “We saw that many companies don’t have a good understanding of the Active Directory exposures that adversaries are able to use against them... We wanted to give security teams that don’t have deep AD expertise a way to understand their AD security posture, and then close any existing gaps so that adversaries won’t use those against them.”

The report includes more information about the security indicators that were flagged, responses from the IT and security leaders on what it revealed for their organisation and, importantly, the steps that they are putting in place to close these gaps.

While some businesses are doing a better job at discussing and securing Active Directory compared to a decade ago, there is still much more work  to be done. 

Semeperis:    Microsoft:    Dark Reading:   Lepide:     Quest

You Might Also Read: 

Azure Active Directory Recycle Bin Won’t Save Your Critical Data:

 

« Germany Warns About Russian Anti-Virus Software
Improving The Security Of Open Source Software »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber adAPT

Cyber adAPT

Cyber adAPT offers a leading network threat detection platform (NTD) to the enterprise and ODM/OEM markets.

Australian Signals Directorate (ASD)

Australian Signals Directorate (ASD)

The Australian Signals Directorate is an intelligence agency in the Australian Government Department of Defence.

Digital Arts

Digital Arts

Digital Arts provides internet security software and appliance products for companies and individuals.

Aspen Insurance

Aspen Insurance

Aspen is a leading diversified specialty insurance and reinsurance company. Products offered include cyber insurance.

Oznet Cyber Security

Oznet Cyber Security

Oznet Cyber Security is dedicated to offering integral solutions oriented to the support and security of information.

Dice

Dice

Dice is a leading recruitment platform, helping technology professionals manage their careers and employers connect with highly skilled tech talent in specialist areas including cybersecurity.

BeyondTrust

BeyondTrust

BeyondTrust is a leader in Privileged Access Management, offering a seamless approach to preventing data breaches related to stolen credentials, misused privileges, and compromised remote access.

OffSec

OffSec

OffSec have defined the standard of excellence in penetration testing training. Elite security instructors teach our intense training scenarios and exceptional course material.

Qrator Labs

Qrator Labs

Qrator Labs is a leader in DDoS attack mitigation, helping organizations protect their websites from the most harmful, sophisticated DDoS attacks.

Mobileum

Mobileum

Mobileum is a leading provider of Telecom analytics for roaming, security and risk management and end-to-end domestic and roaming testing solutions.

Lucata

Lucata

Lucata solutions support groundbreaking graph analytics and improved machine learning for organizations in financial services, cybersecurity, healthcare, pharmaceuticals, telecommunications and more.

Cybertronium

Cybertronium

Cybertronium is a leader in managing cyber risk. We bring you the latest from the complex, ever-evolving online threat environment with the insights to inspire and the expertise to act.

Hackuity

Hackuity

Hackuity is a breakthrough technology solution that rethinks the way of managing IT vulnerabilities in enterprises.

The Cyber Guild

The Cyber Guild

The Cyber Guild is a not-for-profit organization working to improve the understanding and practice of cybersecurity, and to help raise awareness and education for all.

AArete

AArete

AArete is a global management and technology consulting firm specializing in strategic profitability improvement, digital transformation, and advisory services.

Yarix

Yarix

Yarix is the leading company in Var Group’s Digital Security division and one of the most recognised, innovative and authoritative Italian companies in the IT security sector.