In Many Cases Active Directory Is The Last Line Of Defence

Organisations of all sizes and across every industry are failing to address Active Directory (AD) security gaps that can leave them very vulnerable to cyber attacks. AD is a massive and complex attack surface that has long been a prime target for criminals seeking valuable privileges and data.

AD is a database and set of services that connect users with the network resources they need to get their work done. The database, or directory, contains critical information about your environment, including what users and computers there are and who's allowed to do what.

AD stores information about objects on the network and makes this information easy for administrators and users to find and use.

Active Directory uses a structured data store as the basis for a logical, hierarchical organisation of directory information. But incident responders have found that the AD service is involved in the bulk of attacks they investigate, underscoring major security challenges for defenders.

This is according to results from a survey of IT and security leaders who have deployed Purple Knight a free security assessment tool, in their environments. Organisations scored an average of 68% across five Active Directory security categories, a barely passing grade.

Large organisations fared even worse in the assessment, reporting an average score of 64%, indicating that the challenges in securing Active Directory expand with legacy applications and complex environments, particularly in large organisations.

AD Security Vulnerabilities

Microsoft AD  was a revolutionary technology at the time of launch - originally released with the Windows 2000 server operating system - continues to support much of the connected world and has prevailed over other directories for one core reason: it was open.

It is because of this openness and ease of integration that AD remains to this day a foundational piece of infrastructure for 90% of businesses. However, its biggest strength 21 years ago has since become its most concerning weakness.

The Threat

If you take into account that a hacker can use any unprivileged AD account to read almost all attributes and objects in AD, including their permissions, allowing them to find computer accounts in any domain of an AD forest that are configured with unconstrained delegation, then you get an idea for why the default AD openness has become a vulnerability.

Today, due to the disappearance of the network perimeter, identity has become the last line of defence from cyber attacks. 

Mandiant has recently reported that 90 percent of the incidents they investigate involve AD in one form or another. Some of the largest and most recent AD security breaches include SolarWinds and the Colonial Pipeline attack which made headlines due to their scale and the disruption caused when Microsoft AD went down.

Purple Knight

Semperis is a pioneer in managing and protecting the identity credentials of enterprises' hybrid environments and was purpose-built for securing AD. Last year it launched a free AD security assessment tool, Purple Knight and has  recently released the findings of data from a thousand security leaders that have deployed Purple Knight.

Key summary of findings:

Organisations overall scored an average of 68%:   Across five Active Directory security categories; AD delegation, account security, AD infrastructure security, Group Policy security, and Kerberos security. This is barely passing grade. 

Large organisations fared even worse:   Reporting an average score of 64%—indicating that the challenges in securing Active Directory expand with legacy applications and complex environments, particularly in large organisations.

Organisations reported the lowest scores for Account Security:  This includes  individual accounts, such as privileged accounts with a password that never expires.

Insurance companies:   Reported the lowest overall scores (55%), followed by healthcare (63%) and transportation (64%)

Transportation companies:  Reported utterly failing scores in Group Policy (36%) and Account Security (46%) 

Public infrastructure companies:   Scored the highest overall (71%), followed by government entities (70%)

Respondents cited various catalysts for downloading the security assessment, ranging from a proliferation of attacks in their industries, organisational mandates, or post-breach remediation.

Many of the respondents said they were surprised by the findings of their Purple Knight reports and in ollow-up interviews with respondents, the research also found that:

  • Misconfigurations proliferate in organisations with legacy Active Directory implementations
  • Organisations struggle with a lack of Active Directory expertise 

A recent 451 Research report said, “Directory services sit at the heart of most firms’ IT strategies, and as such they have become mission-critical assets that can present dire consequences if compromised, as we have learned from the now infamous SolarWinds supply-chain attack, and the Hafnium attack on Microsoft Exchange.”

Speaking about the report the CEO of Semperis, Mickey Bresman, commented “We saw that many companies don’t have a good understanding of the Active Directory exposures that adversaries are able to use against them... We wanted to give security teams that don’t have deep AD expertise a way to understand their AD security posture, and then close any existing gaps so that adversaries won’t use those against them.”

The report includes more information about the security indicators that were flagged, responses from the IT and security leaders on what it revealed for their organisation and, importantly, the steps that they are putting in place to close these gaps.

While some businesses are doing a better job at discussing and securing Active Directory compared to a decade ago, there is still much more work  to be done. 

Semeperis:    Microsoft:    Dark Reading:   Lepide:     Quest

You Might Also Read: 

Azure Active Directory Recycle Bin Won’t Save Your Critical Data:

 

« Germany Warns About Russian Anti-Virus Software
Improving The Security Of Open Source Software »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Hyper Recruitment Solutions

Hyper Recruitment Solutions

Hyper Recruitment Solutions is a specialist and highly compliant recruitment consultancy dedicated to the Science and Technology sectors.

V-Key

V-Key

V-Key is a global leader in software based digital security, providing solutions for mobile identity, authentication, authorization, and mobile payments for major banks.

LMG Security

LMG Security

LMG Security is a cybersecurity consulting, research and training firm.

A-LIGN

A-LIGN

A-LIGN is a technology-enabled security and compliance partner trusted by more than 2,500 global organizations to mitigate cybersecurity risks.

Securis

Securis

Securis provides organizations and agencies with the highest level of professional, ultra-secure data destruction and IT recycling.

Vanbreda

Vanbreda

Vanbreda Risk & Benefits is the largest independent insurance broker and risk consultant in Belgium and the leading insurance partner in the Benelux.

Startupbootcamp Fintech & Cybersecurity

Startupbootcamp Fintech & Cybersecurity

Startupbootcamp is the world’s largest network of multi-corporate backed accelerators helping startups scale internationally.

Document Security Systems (DSS)

Document Security Systems (DSS)

DSS anti-counterfeit, authentication, and brand protection solutions are deployed to prevent attacks which threaten products, digital presence, financial instruments, and identification.

Fastcomcorp

Fastcomcorp

Fastcomcorp offers a world-class proactive cyber security defense and risk management consulting. Including Darkweb monitoring and posture assessments.

Viria

Viria

Viria is an information and security technology solution provider that promotes digitalization in a secure way.

Packetlabs

Packetlabs

Packetlabs specializes in penetration testing services and application security.

NightDragon

NightDragon

NightDragon is a venture capital firm investing in innovative growth and late stage companies within the cybersecurity, safety, security, and privacy industry.

ACSG Corp

ACSG Corp

ACSG Corp is a Critical Infrastructure Protection Company with a multi-disciplinary focus on building analytics software for various industry sectors.

Arcanna.ai

Arcanna.ai

Using a wide range of out-of-the box integrations, Arcanna.ai continuously learns from existing enterprise cybersecurity experts and scales your team’s capacity to deal with threats.

Cranium

Cranium

AI is being implemented into every business process, but nobody knows whether their AI is secure. Our mission is to deliver security and trust to the AI revolution.

ABPGroup

ABPGroup

ABPGroup is Asia’s leading cybersecurity technology provider focusing on providing best-of-breed solutions that address today’s pressing challenges.