In Many Cases Active Directory Is The Last Line Of Defence

Uploaded on 2022-10-11 in TECHNOLOGY--Resilience, FREE TO VIEW

Organisations of all sizes and across every industry are failing to address Active Directory (AD) security gaps that can leave them very vulnerable to cyber attacks. AD is a massive and complex attack surface that has long been a prime target for criminals seeking valuable privileges and data.

AD is a database and set of services that connect users with the network resources they need to get their work done. The database, or directory, contains critical information about your environment, including what users and computers there are and who's allowed to do what.

AD stores information about objects on the network and makes this information easy for administrators and users to find and use.

Active Directory uses a structured data store as the basis for a logical, hierarchical organisation of directory information. But incident responders have found that the AD service is involved in the bulk of attacks they investigate, underscoring major security challenges for defenders.

This is according to results from a survey of IT and security leaders who have deployed Purple Knight a free security assessment tool, in their environments. Organisations scored an average of 68% across five Active Directory security categories, a barely passing grade.

Large organisations fared even worse in the assessment, reporting an average score of 64%, indicating that the challenges in securing Active Directory expand with legacy applications and complex environments, particularly in large organisations.

AD Security Vulnerabilities

Microsoft AD  was a revolutionary technology at the time of launch - originally released with the Windows 2000 server operating system - continues to support much of the connected world and has prevailed over other directories for one core reason: it was open.

It is because of this openness and ease of integration that AD remains to this day a foundational piece of infrastructure for 90% of businesses. However, its biggest strength 21 years ago has since become its most concerning weakness.

The Threat

If you take into account that a hacker can use any unprivileged AD account to read almost all attributes and objects in AD, including their permissions, allowing them to find computer accounts in any domain of an AD forest that are configured with unconstrained delegation, then you get an idea for why the default AD openness has become a vulnerability.

Today, due to the disappearance of the network perimeter, identity has become the last line of defence from cyber attacks. 

Mandiant has recently reported that 90 percent of the incidents they investigate involve AD in one form or another. Some of the largest and most recent AD security breaches include SolarWinds and the Colonial Pipeline attack which made headlines due to their scale and the disruption caused when Microsoft AD went down.

Purple Knight

Semperis is a pioneer in managing and protecting the identity credentials of enterprises' hybrid environments and was purpose-built for securing AD. Last year it launched a free AD security assessment tool, Purple Knight and has  recently released the findings of data from a thousand security leaders that have deployed Purple Knight.

Key summary of findings:

Organisations overall scored an average of 68%:   Across five Active Directory security categories; AD delegation, account security, AD infrastructure security, Group Policy security, and Kerberos security. This is barely passing grade. 

Large organisations fared even worse:   Reporting an average score of 64%—indicating that the challenges in securing Active Directory expand with legacy applications and complex environments, particularly in large organisations.

Organisations reported the lowest scores for Account Security:  This includes  individual accounts, such as privileged accounts with a password that never expires.

Insurance companies:   Reported the lowest overall scores (55%), followed by healthcare (63%) and transportation (64%)

Transportation companies:  Reported utterly failing scores in Group Policy (36%) and Account Security (46%) 

Public infrastructure companies:   Scored the highest overall (71%), followed by government entities (70%)

Respondents cited various catalysts for downloading the security assessment, ranging from a proliferation of attacks in their industries, organisational mandates, or post-breach remediation.

Many of the respondents said they were surprised by the findings of their Purple Knight reports and in ollow-up interviews with respondents, the research also found that:

  • Misconfigurations proliferate in organisations with legacy Active Directory implementations
  • Organisations struggle with a lack of Active Directory expertise 

A recent 451 Research report said, “Directory services sit at the heart of most firms’ IT strategies, and as such they have become mission-critical assets that can present dire consequences if compromised, as we have learned from the now infamous SolarWinds supply-chain attack, and the Hafnium attack on Microsoft Exchange.”

Speaking about the report the CEO of Semperis, Mickey Bresman, commented “We saw that many companies don’t have a good understanding of the Active Directory exposures that adversaries are able to use against them... We wanted to give security teams that don’t have deep AD expertise a way to understand their AD security posture, and then close any existing gaps so that adversaries won’t use those against them.”

The report includes more information about the security indicators that were flagged, responses from the IT and security leaders on what it revealed for their organisation and, importantly, the steps that they are putting in place to close these gaps.

While some businesses are doing a better job at discussing and securing Active Directory compared to a decade ago, there is still much more work  to be done. 

Semeperis:    Microsoft:    Dark Reading:   Lepide:     Quest

You Might Also Read: 

Azure Active Directory Recycle Bin Won’t Save Your Critical Data:

 

« Germany Warns About Russian Anti-Virus Software
Improving The Security Of Open Source Software »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

AON

AON

Aon is a leading global provider of risk management (including cyber), insurance and reinsurance brokerage, human resources solutions and outsourcing services.

National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) - Japan

National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) - Japan

NISC was established as a secretariat of the Cybersecurity Strategy Headquarters in collaboration with the public and private sectors to create a "free, fair and secure cyberspace" in Japan.

Perspective Risk

Perspective Risk

Perspective Risk provides penetration testing, security assessments, risk management & compliance solutions, InfoSec training and consultancy services.

Devo Technology

Devo Technology

Devo Security Operations is a next-gen cloud SIEM that enables you to gain complete visibility, reduce noise, and focus on the threats that matter most to the business.

Idemia

Idemia

Idemia is a global leader in security and identity solutions.

Wayra UK

Wayra UK

Wayra UK, part of Telefónica Open Future, has been chosen to run a new cyber accelerator facility to help UK start-ups grow and take the lead in producing the next generation of cyber security systems

Surevine

Surevine

Surevine builds secure, scalable collaboration solutions for the most security conscious organisations, enabling collaboration on their most sensitive information.

TRU Staffing Partners

TRU Staffing Partners

TRU Staffing Partners is an award-winning contract staffing and executive search firm for cybersecurity, eDiscovery and privacy companies and professionals.

Antares NetlogiX

Antares NetlogiX

Antares Netlogix are a leading Austrian service provider for IT security, critical infrastructures and managed security services.

eMazzanti Technologies

eMazzanti Technologies

eMazzanti Technologies provides IT consulting services for businesses ranging from home offices to multinational corporations throughout the USA and internationally.

SnapAttack

SnapAttack

SnapAttack is a collaborative platform that empowers your security team to stay ahead of threats, create robust behavioral analytics for your existing tools, and prove your program's effectiveness.

Gen Digital

Gen Digital

At Gen™, our mission is to create technology solutions for people to take full advantage of the digital world, safely, privately, and confidently – so together, we can build a better tomorrow.

StrongBox.Academy

StrongBox.Academy

StrongBox.Academy provides cybersecurity training courses that are tailored to the specific needs and challenges of the industry.

Silk Security

Silk Security

Silk is the first platform that enables enterprises to take a strategic, sustainable approach to resolving code, infrastructure and application risk.

Vultara

Vultara

Vultara provides web-based product security risk management tools for electronics manufacturers.

Venticento

Venticento

Venticento is an IT company specialized in consulting and network support and assistance for companies that need to make their business processes more effective.