Microsoft Active Directory (AD) is the cornerstone of most organizations’ identity and access management. During ‘business as usual’ operations, AD brokers the trusts that facilitate access and integration between network environments. These tasks are typically orchestrated through the Domain Administrator account.
After obtaining Domain Administrator access, a threat actor can create or change any AD object in pursuit of their objectives. These objectives could include deploying ransomware or stealing data. Threat actors can also configure AD to maintain persistence if they are discovered, lose access, or are cut off from the environment.
According to Microsoft, an AD compromise is often “irreparable” and rebuilding or restoring compromised systems does not eliminate the initial access vector. Secureworks® incident responders advise organizations to fully evict threat actors from the environment so they cannot leverage privileges, abuse trusts, and exert control over the organization's AD.
Regaining trust in AD is essential to secure remediation
Stakeholders such as customers and regulators require proof that network defenders have re-established control of a compromised domain and have secured privileged access. Some stakeholders seek guarantees before resuming business activities and lifting business-limiting restrictions. Many organizations struggle to verify and then prove they have regained control, but Secureworks incident responders can help.
A phased approach lets organizations maneuver back to normality
Secureworks incident responders use a phased approach for securing a compromised AD. The process begins by identifying how the threat actor accessed the network and determining what post-compromise actions they performed and what ‘grip’ they have on the compromised AD. Network defenders can then implement defense-in-depth controls and procedures, evict the attacker, and monitor for evidence of additional activity. The goal of this approach is to deny the threat actor the ability to surreptitiously regain unauthorized access and to harden AD as a deterrent to future threats.
Secureworks incident responders assist customers with the following actions:
- Enumeration - Secureworks incident responders conduct an Active Directory Security Assessment to gather information about the customer’s AD implementation and the exploited and potential attack vectors in the environment.
- Remediation - The customer leverages the knowledge from the enumeration phase to remove unknown or undesirable configurations. It is also important to evaluate and restrict privileges as appropriate.
- Eviction - Evicting threat actors can be a complex and time-consuming process, so planning and organizational support are paramount. If network defenders perform this phase incompletely or improperly, the threat actors could re-enter the network. This phase primarily focuses on invalidating existing Kerberos tickets by resetting the KRBTGT account password (twice, allowing the first reset to replicate to every domain controller before the second) and on resetting the passwords of critical infrastructure accounts, administrators, service accounts, and end users.
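The three phases above, carried out against a single domain, as an added PowerShell example that is not Secureworks’ code or tooling. It assumes the RSAT ActiveDirectory module on a domain-joined host, Domain Admin rights, and that the Tier-0 group list, the 32-byte random passwords, the 60-minute replication timeout and the 10-hour ticket lifetime are illustrative values to adjust for the environment. It goes slightly beyond the text by adding a replication check between the two KRBTGT resets and a post-eviction verification that produces the evidence stakeholders ask for; non-privileged service and end-user accounts are outside its scope.

```powershell
# Added example, not Secureworks code. Enumerates Tier-0 principals, then performs the
# eviction resets described in the text. Assumptions: run as Domain Admin with the RSAT
# ActiveDirectory module; group list, 32-byte passwords, timeouts and the 10-hour wait
# are illustrative.
Import-Module ActiveDirectory

$Tier0Groups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
               'Account Operators','Backup Operators','Server Operators','Print Operators'

function Get-PrivilegedUsers {
    # Recursive Tier-0 membership plus everything AdminSDHolder has stamped (adminCount=1),
    # which also catches accounts that were removed from a group but never cleaned up.
    $fromGroups = foreach ($g in $Tier0Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    }
    $stamped = Get-ADObject -LDAPFilter '(adminCount=1)'
    @($fromGroups) + @($stamped) |
        Where-Object { $_.objectClass -eq 'user' -and $_.Name -ne 'krbtgt' } |
        Sort-Object -Property distinguishedName -Unique
}

function New-RandomPassword ([int]$Bytes = 32) {
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    ConvertTo-SecureString ([Convert]::ToBase64String($buf)) -AsPlainText -Force
}

function Wait-KrbtgtReplicated ([int]$TimeoutMinutes = 60) {
    # msDS-KeyVersionNumber increments on every reset; when all DCs report the same
    # value the new key has replicated everywhere and a second reset is safe.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $kvnos = Get-ADDomainController -Filter * | ForEach-Object {
            (Get-ADUser -Identity krbtgt -Server $_.HostName -Properties 'msDS-KeyVersionNumber').'msDS-KeyVersionNumber'
        }
        if (@($kvnos | Sort-Object -Unique).Count -eq 1) { return }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "krbtgt key version still differs across DCs: $($kvnos -join ', ')"
}

function Reset-Krbtgt {
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword)
    Wait-KrbtgtReplicated
}

function Invoke-EvictionPhase1 {
    # Privileged accounts first: if KRBTGT were rotated before them, an actor holding a
    # stolen admin password would simply log on again and obtain a TGT under the new key.
    foreach ($u in Get-PrivilegedUsers) {
        Set-ADAccountPassword -Identity $u.distinguishedName -Reset -NewPassword (New-RandomPassword)
    }
    # Each DC rotates its own machine-account password (netdom resetpwd is the
    # documented equivalent; using the cmdlet on a DC is assumed acceptable here).
    foreach ($dc in Get-ADDomainController -Filter *) {
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock { Reset-ComputerMachinePassword }
    }
    Reset-Krbtgt   # first of two resets
}

function Invoke-EvictionPhase2 {
    # Run only after phase 1 has replicated and the maximum TGT lifetime (10 h by
    # default) has passed: TGTs signed with the previous key stay valid until this
    # second reset pushes that key out, and all users will have to re-authenticate.
    Reset-Krbtgt
}

function Test-EvictionComplete ([datetime]$EvictionStart) {
    # Evidence for stakeholders: any privileged account whose password predates the
    # eviction window was missed. An empty result means every account was rotated.
    Get-PrivilegedUsers | ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties PasswordLastSet
    } | Where-Object { $_.PasswordLastSet -lt $EvictionStart }
}

# Usage (two separate sessions, at least one ticket lifetime apart):
#   $start = Get-Date; Invoke-EvictionPhase1
#   ... later ...      Invoke-EvictionPhase2; Test-EvictionComplete -EvictionStart $start
```

The new passwords are never written out; hand them to account owners through the organization’s vault process rather than by setting change-at-next-logon, which would zero pwdLastSet and make the verification step ambiguous. Both KRBTGT resets are disruptive in the sense that every outstanding TGT is invalidated after the second one, so schedule phase 2 with that in mind.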
After completing these steps, the customer must perform any additional remediation required to address the attack. They must also continue to monitor for activity and indicators that could be associated with a threat actor’s re-entry.
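As an added example of the monitoring step, not Secureworks’ code, the following PowerShell pulls from every domain controller the Security events that most often signal an actor re-establishing AD privilege after eviction: account creation, additions to Tier-0 groups, SID History changes, DSRM password changes and modifications to AdminSDHolder. It assumes the RSAT ActiveDirectory module, remote event-log access to the DCs, and that the Advanced Audit Policy subcategories User Account Management, Security Group Management and Directory Service Changes are enabled; the event ID descriptions and the Tier-0 group list are illustrative.

```powershell
# Added example, not Secureworks code. Collects post-eviction Security events that
# indicate a returning actor re-acquiring AD privilege. Assumes the RSAT ActiveDirectory
# module and audit subcategories for account, group and directory-service changes.
Import-Module ActiveDirectory

$WatchIds = @{
    4720 = 'User account created'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
    4765 = 'SID History added to an account'
    4766 = 'Attempt to add SID History failed'
    4794 = 'DSRM administrator password set'
    5136 = 'Directory object modified'
}
$Tier0Groups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators'

function Get-EventField ($Event, [string]$Name) {
    # Read EventData fields by name from the event XML instead of relying on the
    # positional Properties[] order, which differs between event IDs.
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Get-ReentryIndicators ([datetime]$Since) {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = [int[]]$WatchIds.Keys; StartTime = $Since
        }
        foreach ($e in $events) {
            $target = Get-EventField $e 'TargetUserName'
            # Group-membership events only matter here when the group is Tier-0.
            if ($e.Id -in 4728,4732,4756 -and $target -notin $Tier0Groups) { continue }
            # 5136 is noisy; keep only changes to AdminSDHolder, which governs Tier-0 ACLs.
            if ($e.Id -eq 5136 -and (Get-EventField $e 'ObjectDN') -notmatch '^CN=AdminSDHolder,') { continue }
            [pscustomobject]@{
                Time   = $e.TimeCreated
                DC     = $dc.HostName
                Id     = $e.Id
                What   = $WatchIds[$e.Id]
                Target = $target
                Member = Get-EventField $e 'MemberName'
                Actor  = Get-EventField $e 'SubjectUserName'
            }
        }
    }
}

# Usage: review the last 24 hours across all DCs, newest last.
# Get-ReentryIndicators -Since (Get-Date).AddDays(-1) | Sort-Object Time | Format-Table -AutoSize
```

Querying each DC directly avoids the gap between an event being logged and its arrival in a SIEM; once the same filter is running centrally, the script is a useful cross-check that collection from every DC is actually working.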
Active Directory remediation and eviction can be daunting but must be faced ‘head-on’
It is normal for network defenders to feel overwhelmed and threatened during a cyber intrusion. The recovery and remediation tasks can seem daunting, but Secureworks incident responders provide support and guidance, secure AD, and help customers return to ‘business as usual.’
To alleviate some of the confusion and pressure during a crisis, organizations should proactively establish and test their remediation, eviction, and recovery procedures. In addition, organizations must harden their AD implementations to deter threat actors.
Secureworks offers numerous proactive Incident Response services to help customers avoid, detect, and respond to attacks. Emergency response is available if you need urgent assistance with an incident.