A popular target of attackers, Microsoft Active Directory will receive an extra measure of protection under a new offering announced Thursday by Attivo Networks. The company’s ADSecure-DC solution expands its Active Directory protection to non-Windows endpoints.
About a year ago Attivo introduced an endpoint product that could detect suspicious attempts to query Active Directory, intercept the queries, and steer them off course. “That was done on every Windows machine on the endpoint,” says Attivo Chief Security Advocate and CMO Carolyn Crandall, “but there are situations where you have Linux, Mac devices, or IoT devices that you can’t load the Windows agent onto, or you where don’t want to load an agent on a Windows endpoint. Now, with AD Secure Domain Controller, attacks can be detected from unmanaged devices.”
“With ADSecure-DC, the agent is on the Domain Controller itself,” adds Lead Architect for Active Directory Products Steve Griffiths. “When the endpoint queries the Domain Controller, the same activity goes on but it happens at the Domain Controller.”
In addition to identifying enumeration and attacks targeting Active Directory, ADSecure-DC also detects suspicious user behaviors using deep packet inspection and behavior analytics, as well as delivering high-fidelity alerts.
Millions of Active Directory misconfigurations and vulnerabilities to exploit
Active Directory is used by 90% of enterprises worldwide, which contributes to its popularity as an attack vector for digital raiders. “It’s a popular target because the vast majority of Fortune 1000 companies use it, so adversaries can reuse the same techniques against many targets,” says Andy Robbins, a technical architect at SpecterOps, a provider of adversary-focused cybersecurity solutions.
Active Directory also contains a treasure trove of data attractive to attackers. “As a database that maps and controls user profiles, network resources, and services, it contains not only a wealth of information about all users but also all the resources that they can access,” says Tony Anscombe, chief security evangelist at ESET, an information technology security company.
Active Directory can also be difficult to defend. “Because adversaries often use legitimate administrative tools and abuse existing privileges and permissions in Active Directory, it’s very difficult for defenders to tell the difference between good admin behavior and bad admin behavior,” Robbins says.
What’s more, he continues, most enterprise Active Directory environments have millions of misconfigurations and vulnerabilities that attackers can exploit. Active Directory’s built-in tools and user interface make it extremely difficult for security teams to identify and close off these attack paths.
Most defenders not equipped to handle kernel-level persistence mechanisms
Once attackers compromise Active Directory, they can elevate privileges, change security and group policies, and encrypt domain controllers. “Domain controllers provide the intelligence to know what users get to access and controls their authorization to be able to get to those things,” Crandall says.
Active Directory also gives adversaries options to establish persistence through control of the kernel, Robbins adds. “Most defenders today already struggle with detecting commodity-level persistence mechanisms like malicious scheduled tasks, and the vast majority are not equipped or staffed to handle kernel-level persistence mechanisms,” he says.
Detection is further complicated because control of Active Directory means control of the operating system on every domain-joined machine, including domain controllers. “Because most detection and threat hunting systems rely on information coming back from the operating system,” Robbins notes, “an adversary with control of the operating system can cause pieces of the operating system queried by defenders to report everything is A-OK.”
Copyright © 2022 IDG Communications, Inc.
