In Many Cases Active Directory Is The Last Line Of Defence

Organisations of all sizes and across every industry are failing to address Active Directory (AD) security gaps that can leave them very vulnerable to cyber attacks. AD is a massive and complex attack surface that has long been a prime target for criminals seeking valuable privileges and data.

AD is a database and set of services that connect users with the network resources they need to get their work done. The database, or directory, contains critical information about your environment, including what users and computers there are and who's allowed to do what.

AD stores information about objects on the network and makes this information easy for administrators and users to find and use.

Active Directory uses a structured data store as the basis for a logical, hierarchical organisation of directory information. But incident responders have found that the AD service is involved in the bulk of attacks they investigate, underscoring major security challenges for defenders.

This is according to results from a survey of IT and security leaders who have deployed Purple Knight a free security assessment tool, in their environments. Organisations scored an average of 68% across five Active Directory security categories, a barely passing grade.

Large organisations fared even worse in the assessment, reporting an average score of 64%, indicating that the challenges in securing Active Directory expand with legacy applications and complex environments, particularly in large organisations.

AD Security Vulnerabilities

Microsoft AD  was a revolutionary technology at the time of launch - originally released with the Windows 2000 server operating system - continues to support much of the connected world and has prevailed over other directories for one core reason: it was open.

It is because of this openness and ease of integration that AD remains to this day a foundational piece of infrastructure for 90% of businesses. However, its biggest strength 21 years ago has since become its most concerning weakness.

The Threat

If you take into account that a hacker can use any unprivileged AD account to read almost all attributes and objects in AD, including their permissions, allowing them to find computer accounts in any domain of an AD forest that are configured with unconstrained delegation, then you get an idea for why the default AD openness has become a vulnerability.

Today, due to the disappearance of the network perimeter, identity has become the last line of defence from cyber attacks. 

Mandiant has recently reported that 90 percent of the incidents they investigate involve AD in one form or another. Some of the largest and most recent AD security breaches include SolarWinds and the Colonial Pipeline attack which made headlines due to their scale and the disruption caused when Microsoft AD went down.

Purple Knight

Semperis is a pioneer in managing and protecting the identity credentials of enterprises' hybrid environments and was purpose-built for securing AD. Last year it launched a free AD security assessment tool, Purple Knight and has  recently released the findings of data from a thousand security leaders that have deployed Purple Knight.

Key summary of findings:

Organisations overall scored an average of 68%:   Across five Active Directory security categories; AD delegation, account security, AD infrastructure security, Group Policy security, and Kerberos security. This is barely passing grade. 

Large organisations fared even worse:   Reporting an average score of 64%—indicating that the challenges in securing Active Directory expand with legacy applications and complex environments, particularly in large organisations.

Organisations reported the lowest scores for Account Security:  This includes  individual accounts, such as privileged accounts with a password that never expires.

Insurance companies:   Reported the lowest overall scores (55%), followed by healthcare (63%) and transportation (64%)

Transportation companies:  Reported utterly failing scores in Group Policy (36%) and Account Security (46%) 

Public infrastructure companies:   Scored the highest overall (71%), followed by government entities (70%)

Respondents cited various catalysts for downloading the security assessment, ranging from a proliferation of attacks in their industries, organisational mandates, or post-breach remediation.

Many of the respondents said they were surprised by the findings of their Purple Knight reports and in ollow-up interviews with respondents, the research also found that:

  • Misconfigurations proliferate in organisations with legacy Active Directory implementations
  • Organisations struggle with a lack of Active Directory expertise 

A recent 451 Research report said, “Directory services sit at the heart of most firms’ IT strategies, and as such they have become mission-critical assets that can present dire consequences if compromised, as we have learned from the now infamous SolarWinds supply-chain attack, and the Hafnium attack on Microsoft Exchange.”

Speaking about the report the CEO of Semperis, Mickey Bresman, commented “We saw that many companies don’t have a good understanding of the Active Directory exposures that adversaries are able to use against them... We wanted to give security teams that don’t have deep AD expertise a way to understand their AD security posture, and then close any existing gaps so that adversaries won’t use those against them.”

The report includes more information about the security indicators that were flagged, responses from the IT and security leaders on what it revealed for their organisation and, importantly, the steps that they are putting in place to close these gaps.

While some businesses are doing a better job at discussing and securing Active Directory compared to a decade ago, there is still much more work  to be done. 

Semeperis:    Microsoft:    Dark Reading:   Lepide:     Quest

You Might Also Read: 

Azure Active Directory Recycle Bin Won’t Save Your Critical Data:

 

« Germany Warns About Russian Anti-Virus Software
Improving The Security Of Open Source Software »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Sepior

Sepior

Our vision is to make Sepior the leading provider of cloud-encryption software in the world.

Decision Group

Decision Group

Decision Group are a Total Solution Supplier offering Network Forensics and Lawful Interception tools.

Jscrambler

Jscrambler

Jscrambler addresses all your JavaScript and Web application protection needs.

Preempt Security

Preempt Security

The Preempt Platform delivers adaptive threat prevention that continuously preempts threats based on identity, behavior and risk.

CyberGuarded

CyberGuarded

CyberGuarded are an accredited vendor independent information security testing and auditing company.

Olfeo

Olfeo

Olfeo is a content filtering software vendor. Our proxy and filtering solution helps our customers to manage, monitor and secure their Internet traffic.

Netmarks Indonesia (NMID)

Netmarks Indonesia (NMID)

Netmarks Indonesia is an IT solutions provider offering services related to ICT infrastructure, digital transformation and cyber security.

HITRUST Alliance

HITRUST Alliance

HITRUST provides widely-adopted common risk and compliance management frameworks, related assessment and assurance methodologies.

Resolvo Systems

Resolvo Systems

Resolvo is provides comprehensive security assessment and testing services in Asia.

RankedRight

RankedRight

RankedRight empowers security teams to take immediate action on their most critical risks.

ZINAD IT

ZINAD IT

ZINAD is an information security company offering state-of-the-art cybersecurity awareness products, solutions and services.

Harbottle & Lewis

Harbottle & Lewis

Harbottle & Lewis is a leading UK-based law firm focused on the Private Client and Technology, Media and Entertainment sectors.

ATSG

ATSG

ATSG is a global leader in transformational technology solutions for today’s digital enterprise. Cybersecurity ranging from Advisory & Assessment to Fully Managed Detection and Response Services.

Highen Fintech

Highen Fintech

Highen is a blockchain software development company with offices in the United States and development centers in India.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

M7 Services

M7 Services

M7 Services are a comprehensive Managed Services Provider (MSP) with a focus on delivering cutting-edge information technology solutions and unparalleled customer service.