Regardless of a threat actor's initial access vector, Microsoft Active Directory (AD) remains a significant target in an organization because of its connection to privilege and access. In most cyber intrusions investigated by Secureworks® incident responders, the threat actor compromised AD Domain Administrator accounts. If the threat actors hadn't obtained that access, network defenders could have stopped the attacks or at least forced the threat actors to work harder to obtain their objectives. Secureworks incident responders recommend that organizations apply least privilege access on all AD accounts and then consider implementing additional security controls that help AD stop or withstand a major attack.
Initial compromise often leads to swift and full compromise and persistence
The prevalence of Windows systems and many organizations' dependence on AD make it a popular target. To access AD, attackers first breach an organization's network perimeter. In 2021, 88% of intrusions investigated by Secureworks incident responders involved threat actors compromising environments in one of three ways:
- Exploitation of vulnerabilities in internet-facing devices
- Compromised credentials (stealing or guessing credentials and then logging in)
- Malware dropped via phishing emails or drive-by downloads
After establishing a foothold in an environment, attackers targeting AD immediately attempt to elevate privileges to Domain Administrator. In most incidents, this operation is trivial and happens quickly. The attacker then leverages the elevated privileges to move through the network to find assets, steal data, deploy ransomware, and insert persistence mechanisms.
Network defenders must create obstacles that deter malicious actions
Securing AD during an attack is complex and challenging, so organizations should take proactive steps to enhance and secure their AD. Network defenders must create as many obstacles as possible and build a strong awareness regarding their AD implementation. They must also understand security gaps, risks, and areas for improvement.
- Conduct an AD security assessment - During an Active Directory Security Assessment, Secureworks incident responders use configuration review toolsets and interviews with the customer's internal personnel to identify AD configuration management practices and recommend relevant cybersecurity controls. This assessment evaluates the organization's overall AD implementation and identifies potential attack vectors.

  A deep dive into AD helps administrators understand vulnerabilities and areas for improvement before an attack. Organizations can improve their security posture and better protect their environment without the pressure of an active threat actor.
- Reduce the number of privileged accounts - Many organizations do not realize how many privileged accounts exist in their network, especially in large domains. These accounts often accumulate through accidental privilege allocation during troubleshooting, privilege creep associated with role changes, and poor privileged access management during acquisitions and mergers. Reviewing and reducing privileged accounts minimizes the exploitable attack surface.
- Review service principal names - Service principal names (SPNs) uniquely identify service instances. When a system requests access to a service, AD resolves the SPN for that service. A threat actor could obtain a Kerberos service ticket for that SPN, which is encrypted with the service account's password hash, and attempt to recover the password offline to take ownership of the service account. Network defenders must identify service accounts that have attached SPNs, review the service accounts' password status, and verify that none of the accounts are members of a privileged group.

  Threat actors can also manipulate SPNs via attacks such as SPN-jacking to impersonate users on a set of services and leverage their privileges and accesses. Minimizing the number of accounts that have SPNs reduces opportunities for a threat actor.
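The following PowerShell script is an added example, not Secureworks code, covering both the "Reduce the number of privileged accounts" and "Review service principal names" items above. It resolves nested membership of the built-in privileged groups to show how many privileged user accounts really exist, then lists every user account that carries an SPN and flags those that are privileged, have a stale password, or have a password set to never expire. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access; the group list, the 365-day age threshold and the output file name are assumptions to adjust for your environment.

```powershell
# Added example (not Secureworks code): privileged account inventory plus SPN review.
# Assumes the RSAT ActiveDirectory module and a domain-joined host with read access.
Import-Module ActiveDirectory

# Built-in groups treated as privileged (assumed list; add organization-specific groups).
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)
$MaxPasswordAgeDays = 365   # assumed threshold; SPN accounts with older passwords are flagged

# Map SamAccountName -> privileged groups it belongs to, directly or through nesting.
$PrivilegedMembers = @{}
foreach ($group in $PrivilegedGroups) {
    $users = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
             Where-Object { $_.objectClass -eq 'user' }
    foreach ($user in $users) {
        if (-not $PrivilegedMembers.ContainsKey($user.SamAccountName)) {
            $PrivilegedMembers[$user.SamAccountName] = [System.Collections.Generic.List[string]]::new()
        }
        $PrivilegedMembers[$user.SamAccountName].Add($group)
    }
}

# Privileged account inventory: the count is usually larger than administrators expect.
Write-Host "Privileged user accounts (nested membership resolved): $($PrivilegedMembers.Count)"
$PrivilegedMembers.GetEnumerator() | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{ Account = $_.Key; PrivilegedGroups = ($_.Value -join ', ') }
} | Format-Table -AutoSize

# SPN review: every user object with at least one SPN. gMSAs and computer accounts are
# different object classes and are deliberately not returned by this query.
$SpnAccounts = Get-ADUser -Filter 'servicePrincipalName -like "*"' `
    -Properties servicePrincipalName, PasswordLastSet, PasswordNeverExpires

$Findings = foreach ($acct in $SpnAccounts) {
    # PasswordLastSet is null when the password was never set or must change at next logon.
    $ageDays = if ($acct.PasswordLastSet) {
        (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
    } else { $null }

    $groups = if ($PrivilegedMembers.ContainsKey($acct.SamAccountName)) {
        $PrivilegedMembers[$acct.SamAccountName] -join ', '
    } else { '' }

    $issues = @()
    if ($groups)                                                 { $issues += 'SPN on privileged account' }
    if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) { $issues += "password older than $MaxPasswordAgeDays days" }
    if ($acct.PasswordNeverExpires)                              { $issues += 'password never expires' }

    [pscustomobject]@{
        Account          = $acct.SamAccountName
        Enabled          = $acct.Enabled
        SpnCount         = @($acct.servicePrincipalName).Count
        PasswordAgeDays  = $ageDays
        PrivilegedGroups = $groups
        Issues           = $issues -join '; '
    }
}

# Accounts with at least one issue are the remediation priority: move the SPN to a
# dedicated low-privilege (ideally group-managed) account, or rotate the password.
$Findings | Where-Object { $_.Issues } | Sort-Object Account | Format-Table -AutoSize
$Findings | Export-Csv -Path .\spn-review.csv -NoTypeInformation   # assumed output path
```

The krbtgt account appears in the SPN list because it holds the kadmin/changepw SPN; its password age is itself worth reviewing, since the reset after an intrusion that the next item describes includes it.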
- Utilize group-managed service accounts - After evicting a threat actor from a compromised environment, Secureworks incident responders advise victims to reset passwords on all accounts, including Kerberos, administrator, service, and user accounts. Many organizations fear that resetting service account passwords could break applications and background functionality. Implementing group-managed service accounts lets AD manage service account passwords, periodically rotate passwords, and enable efficient coordination during an incident.
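As an added example that is not Secureworks code, the PowerShell below shows the steps to put a service on a group-managed service account (gMSA) so that AD owns and rotates its password. It assumes Domain Admin rights, a forest with a KDS root key already provisioned (or permission to create one), and uses the placeholder names `AppServers` (host group), `APP01` (application server), `svc-app` (the gMSA) and `corp.example` (the domain); none of these come from the original article.

```powershell
# Added example (not Secureworks code): create a gMSA and bind it to the hosts allowed to use it.
# Placeholder names: AppServers, APP01, svc-app, corp.example. Run as a Domain Admin.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key that gMSA passwords are derived from.
# In production, -EffectiveImmediately still requires about 10 hours of replication
# before domain controllers will hand out managed passwords.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Security group whose member computers may retrieve the managed password.
$hostGroup = 'AppServers'   # assumed group name
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'APP01')   # assumed host name

# Create the gMSA. AD generates the password and rotates it on the interval given here
# (30 days is the default; the interval can only be set at creation time). The SPN is
# attached to the gMSA, so the service no longer needs a human-managed account.
New-ADServiceAccount -Name 'svc-app' `
    -DNSHostName 'svc-app.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ServicePrincipalNames 'HTTP/app.corp.example' `
    -ManagedPasswordIntervalInDays 30

# Verify the account and its rotation interval from the directory.
Get-ADServiceAccount -Identity 'svc-app' -Properties PasswordLastSet, msDS-ManagedPasswordInterval |
    Select-Object Name, PasswordLastSet, msDS-ManagedPasswordInterval

# On APP01, after it has refreshed its group membership (reboot or new Kerberos ticket):
#   Install-ADServiceAccount -Identity 'svc-app'
#   Test-ADServiceAccount -Identity 'svc-app'    # True when the host can retrieve the password
# Then configure the Windows service or IIS application pool to log on as
# 'CORP\svc-app$' with an empty password; Windows fetches the current password from AD.
```

Because the password is retrieved by the host rather than typed by an administrator, an incident-driven reset of a gMSA is a single `Reset-ADServiceAccountPassword -Identity 'svc-app'` call, which is the coordination benefit the item above describes.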
Conclusion
Investing time in AD and its associated controls can increase resilience during cyber intrusions. Creating as many obstacles as possible delays and potentially deters a threat actor that wants to explore your network, mitigating the impact of an initial foothold.
Secureworks offers numerous proactive Incident Response services to help customers avoid, detect, and respond to attacks. Emergency response is available if you need urgent assistance with an incident.