active directory Archives - CISO MAG | Cyber Security Magazine

How to Generate CISO Buy-In For Active Directory Protection
https://staging-cisomagcom.kinsta.cloud/how-to-generate-ciso-buy-in-for-active-directory-protection/
Wed, 29 Dec 2021 05:44:28 +0000

Generating CISO buy-in for Active Directory Protection ranks high in a company’s success against ransomware attacks. Active Directory (AD) sits at the heart of almost every enterprise network, with more than 90% of businesses using it as their identity management system. It serves as the central repository for identity information, including credentials, user accounts, individual devices, applications, and more, making it incredibly important—and an obvious target for cybercriminals.

By Carolyn Crandall, Chief Security Advocate, Attivo Networks

Despite this, AD isn’t always front-of-mind for organizational decision-makers. AD isn’t something most executives consider a major concern—it’s something they expect to work. However, Microsoft once estimated that more than 95 million AD accounts come under attack every day—and that number has almost certainly grown. New research conducted by Enterprise Management Associates (EMA) further indicates that 50% of organizations studied experienced an attack on AD within the past one or two years. Attackers know that gaining control of AD is a kingpin; they can see that AD is vulnerable, targeting it with increased frequency. For organizations that wish to remain secure, it is time to elevate AD security to not only a CISO-level concern but one that executives review in the context of business continuity and company welfare.

Active Directory Protection Challenges

Because Active Directory is responsible for authentication throughout the enterprise, every identity within an organization needs to connect to AD somehow. AD needs to be accessible—which is a significant reason it is intrinsically insecure. Credential theft is an increasingly common attack tactic among today’s attackers, and just one stolen, exposed, or weak password can open the door to exploiting Active Directory. This year’s Verizon Data Breach Investigations Report (DBIR) indicates that 61% of all breaches now involve credential data, and attackers often use those valid credentials to circumvent perimeter defenses.

Using valid credentials helps attackers avoid setting off the usual alarm bells. They will almost always leverage that advantage to move laterally throughout the network to identify valuable data to steal or encrypt. They will almost always target AD to acquire additional admin-level credentials that will allow them to escalate their privileges and expand the scope of their attacks. And unfortunately, once an attacker has compromised AD, they can erase their tracks and become extremely difficult to remove from the system. They will essentially have the keys to the castle.

The consequences that stem from the exploitation of Active Directory are broader than many realize. A major breach or loss of domain control can have substantial downstream effects, whether the attacker is a cybercriminal running a ransomware attack, a nation-state threat actor conducting espionage, or an activist interfering with business. Think of it this way—if an attack disrupts a manufacturing line, it may be bad, but it’s fixable. That same attack might also disrupt shipping, purchasing, and other areas that can grind business to a halt, not just for one enterprise but also for the partners and customers that rely on it.

Think about the implications of one component shortage and how it could stop the assembly line on a car, a refrigerator, or computer. Worse still, in areas like utilities and critical infrastructure, security failures can and have put lives at risk. For proof, look no further than the Oldsmar, FL water system attack or recent Ponemon research indicating that ransomware-related shutdowns in the health care industry directly impact patient safety, data, and overall care availability.

The Cost of Poor Active Directory Protection

The threat of a breach concerns every organization, and most have made strides in improving their preparedness related to security hygiene and posture management. However, given the implications, the relative lack of focus on AD is a problem that needs addressing. Regulatory and compliance standards are undoubtedly moving in this direction, but they are currently vague about what it means to “protect data and personal information.” Other advisory bodies have been much more direct in their recommendations, like the National Institute for Standards and Technology (NIST) and MITRE.  Both have issued guidance for organizations to help them specifically protect AD—and no one should be surprised when governments begin to follow suit.

Cyber insurance is another fast-growing industry, and insurers closely monitor developments within the threat landscape. Cyber insurers want to ensure that their clients take reasonable precautions to protect themselves from risk, as with any insurance company. With 61% of attacks involving credential data, they will be reticent to issue payouts to organizations that have not taken the appropriate steps to protect themselves. Insurers today almost always mandate using multi-factor authentication (MFA), but it is not enough. With credential-based attacks continuing to rise, cyber hygiene and posture management will need to expand identity security to defend against credential misuse or privilege escalation and protect directory services management systems like Active Directory.

These factors can significantly impact an enterprise’s risk profile and, ultimately, its coverage. Cyber insurance is a must in today’s threat environment, and the potential for regulatory action will only loom larger as the issue of credential-based attacks continues to grow. With Active Directory now a priority target for attackers, organizations that do not prioritize the visibility needed to assess and measure AD vulnerabilities accurately could find themselves in hot water. The days of periodic audits and log monitoring are over—they are no longer enough. Today’s organizations need to identify exposures and misconfigurations related to credentials and AD continuously and in real time—anything less risks leaving the enterprise dangerously exposed to attackers and to regulatory and liability concerns. This makes Active Directory Protection an area of interest for businesses and threat actors alike.

CISO Support Is Critical

Now more than ever, organizational leaders need to elevate cybersecurity to a Board-level discussion.  This conversation must go beyond user and device hygiene and expand into protecting credentials, privileges, and the Active Directory systems that manage them. Ransomware is clearly on every company’s list of top concerns, and they need to understand that its continued success is a result of Active Directory-related exposures. CISOs can help connect the dots by improving cyber hygiene and reducing risks, taking steps including controlling privileged credentials, gaining visibility into when privileged accounts get used, and ensuring that detection for live attacks on Active Directory is in place.

About the Author

Carolyn Crandall is the Chief Security Advocate at Attivo Networks, the leader in preventing identity privilege escalation and detecting lateral movement attacks. She has worked in high-tech for over 30 years and has been recognized as a top 100 women in cybersecurity, a guest on Fox News, and profiled in the Mercury News. Carolyn also co-authored the book Deception-Based Threat Detection: Shifting Power to the Defenders. She is an active speaker on security innovation at CISO forums, industry events, and technology education webinars.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

Microsoft Warns of Active Directory Vulnerabilities
https://staging-cisomagcom.kinsta.cloud/microsoft-warns-of-active-directory-vulnerabilities/
Tue, 21 Dec 2021 13:17:47 +0000

Microsoft has urged organizations and users to immediately patch two Active Directory domain service privilege escalation security vulnerabilities. Tracked as CVE-2021-42287 and CVE-2021-42278, these vulnerabilities allow threat actors to take over Windows domains. While the technology giant fixed these flaws during the November 2021 Patch Tuesday, a proof-of-concept tool exploiting the vulnerabilities was publicly disclosed.

Microsoft stated that attackers could penetrate a Domain Admin user in an Active Directory environment by combining these two vulnerabilities. The flaws reportedly enable remote hackers to elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.

“As Defender for Identity’s mission is to secure Active Directory and your environment against advanced and sophisticated identity threat attacks, our research team reacted fast and published a query that can be used to identify suspicious behavior leveraging these vulnerabilities. This query can help detect abnormal device name changes (which should rarely happen to begin with) and compare them to a list of domain controllers in your environment,” Microsoft said in an advisory.

However, Microsoft recommended organizations and users fix the vulnerabilities by applying the updates as soon as possible to avoid any security risks.

Finding Compromised Devices

To identify whether your systems are affected due to these vulnerabilities, Microsoft recommended the following:

  • The sAMAccountName change is based on event 4662. Make sure to enable it on the domain controller to catch such activities.
  • Open Microsoft 365 Defender and navigate to Advanced Hunting.
  • Copy the following query (which is also available in the Microsoft 365 Defender GitHub Advanced Hunting query).
  • Replace the marked area with the naming convention of your domain controllers.
  • Run the query and analyze the results which contain the affected devices. You could use Windows Event 4741 to find the creator of these machines if they were newly created.
  • We recommend investigating these compromised computers and determining that they haven’t been weaponized.
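
The comparison the advisory describes (device name changes checked against the domain controllers in the environment) can be sketched as follows. This is an added example, not Microsoft's hunting query and not code from the article; the pipe-separated record format, the host and account names, and the `DC_PATTERN` / `KNOWN_DCS` values are constructed assumptions to replace with your own naming convention.

```python
import re
from dataclasses import dataclass

# Assumed DC naming convention and explicit DC list (placeholders, not from the article).
DC_PATTERN = re.compile(r"^DC\d{2}$", re.IGNORECASE)
KNOWN_DCS = {"DC01", "DC02", "CORP-AD1"}

# Constructed sample of device name-change records: timestamp|actor|old name|new name
SAMPLE_LOG = r"""
2021-12-20T10:02:11Z|CORP\jdoe|WKS-114$|WKS-115$
2021-12-20T10:07:45Z|CORP\svc-build|LAB-PC7$|DC01
2021-12-20T10:09:02Z|CORP\helpdesk|wks-200$|corp-ad1$
2021-12-20T10:11:30Z|CORP\jdoe|WKS-300$|wks-300$
this line is malformed and must not crash the parser
"""


@dataclass(frozen=True)
class RenameEvent:
    timestamp: str
    actor: str
    old_name: str
    new_name: str


def normalize(name):
    """Upper-case the name and drop the trailing '$' that computer accounts carry."""
    return name.strip().rstrip("$").upper()


_KNOWN_NORMALIZED = {normalize(dc) for dc in KNOWN_DCS}


def looks_like_dc(name):
    """True if the name is a listed DC or follows the DC naming convention."""
    n = normalize(name)
    return n in _KNOWN_NORMALIZED or bool(DC_PATTERN.match(n))


def parse_log(log_text):
    """Return (events, skipped_count); malformed lines are counted, not fatal."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4 or not all(parts):
            skipped += 1
            continue
        events.append(RenameEvent(*parts))
    return events, skipped


def analyze(log_text):
    """Flag renames whose new name collides with a domain controller name."""
    events, skipped = parse_log(log_text)
    findings = []
    for ev in events:
        if normalize(ev.old_name) == normalize(ev.new_name):
            continue  # case-only or '$'-only difference: no effective rename
        if looks_like_dc(ev.new_name):
            findings.append(ev)
    return findings, skipped


if __name__ == "__main__":
    flagged, bad_lines = analyze(SAMPLE_LOG)
    for ev in flagged:
        print(f"{ev.timestamp} {ev.actor}: {ev.old_name} -> {ev.new_name}")
    print(f"skipped {bad_lines} malformed line(s)")
```

Each flagged record names the account that made the change, which is the starting point for the investigation step in the list above.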

Microsoft Releases December 2021 Patch

Microsoft recently issued security patches for 67 CVEs in its December 2021 Patch Tuesday update. Of the 67 vulnerabilities, 60 were deemed important, and seven were critical. Six zero-day vulnerabilities being exploited in the wild have also been fixed. The December 2021 Patch Tuesday update resolved vulnerabilities affecting Microsoft Office, Microsoft PowerShell, the Chromium-based Edge browser, the Windows Kernel, Print Spooler, and Remote Desktop Client.

“Zero-Trust Is Not a Product or Solution That Can Be Installed”
https://staging-cisomagcom.kinsta.cloud/zero-trust-is-not-a-product-or-solution-that-can-be-installed/
Wed, 01 Sep 2021 06:06:11 +0000

Under the prevailing circumstances of the pandemic, IT assets are no longer present behind the safe confines of corporate firewalls. Rather, they are dispersed and extend into the homes of employees. And organizations use a blend of cloud environments and on-premise with enterprise applications spread across multiple clouds. To complicate matters, users are bypassing IT and deploying their own applications without following processes and policies to secure these applications. The merger of operational technology and information technology also poses a threat to enterprise networks as there is poor visibility and security with OT systems. In this scenario, an identity-based approach and zero-trust are some of the most effective approaches to secure endpoint devices, networks and IT infrastructure.

Kartik Shahani, Country Manager for Tenable in India met Brian Pereira, Editor-in-Chief, CISO MAG to discuss how Active Directory can help establish a zero-trust policy for organizations. Shahani offers advice and tips for zero-trust security.

VIDEO: What exactly is Zero-trust?

https://youtu.be/Ueh4hB3Qrzg

Based in Mumbai, India, Shahani has over 30 years of experience in the IT industry, driving momentum for enterprises. He spearheads initiatives for Tenable in the enterprise security market, manages operations and continues efforts towards channel activities in India.

He has extensive experience in the telecommunications, finance and government sectors. Along with his innovative sales strategies, he is instrumental in driving growth in India. Shahani previously worked in RSA Security, a division of Dell EMC, where he was Director for Channel in the Asia Pacific and Japan. Prior to this, he was the Executive Director of Integrated Security for India and South Asia at IBM. 

According to Tenable’s 2020 Threat Landscape Retrospective, there were 29 zero-day vulnerabilities disclosed in 2020. And 35.7% were browser-related vulnerabilities. The next highest at 28.8% is OS-related vulnerabilities. What would you suggest as ways to mitigate browser-related and OS-related vulnerabilities? What should vendors and end-users do?

Zero-days may garner most of the attention but known yet unpatched vulnerabilities enable most breaches and have become favored by advanced attackers. Considering that web browsers are the gateway to the internet, patching these assets is an essential part of securing the enterprise network. Users of Apple devices should regularly update to the latest version to protect themselves against threats.

Why should Trust be treated as a vulnerability today?

Just as software vulnerabilities are often exploited in cyberattacks, trust is no different in perimeter-based defenses. Cybercriminals exploit privileges and trust to perform the lateral movement as part of the attack path. With a zero-trust approach, security teams can identify where trust is built into systems and networks and harden those systems. Multi-factor authentication, encryption software, identity and access management tools will also help secure critical business assets. A cybersecurity strategy that removes trust entirely from digital systems is, in fact, a great equalizer, one that any proponent of “flat” corporate hierarchies ought to be more than happy to embrace.

Can you explain how Active Directory (AD) is at the center of enabling trust?

Most organizations grant user access and privileges based on the notion that some users are more trustworthy than others based on their role. A never trust, always verify approach derails anyone who sees themselves as “trustier than thou” because zero-trust relies on the systematic and continuous evaluation of users and their permissions. By viewing trust as a vulnerability, organizations can ensure users can only access the information they need to. Continuously monitoring the AD allows security teams to detect unusual activity, monitor rights abuses and even stop lateral movement.

How do cyber hygiene fundamentals make zero-trust security possible?

Great security starts with a complete and continuous understanding of the attack surface, from on-premises to cloud infrastructure and from a growing remote workforce to all users connected to the network. The fundamentals of cyber hygiene include identifying systems that could potentially compromise the environment, identifying the roles of users who have access to those systems, and identifying cybersecurity vulnerabilities that could arise. With full visibility, organizations can determine who needs access to what assets and grant permission to access them on a need-to-know basis.

This is where AD plays a pivotal role. It is critical for organizations to mitigate AD misconfigurations, evaluate user rights and continuously monitor AD for suspicious activity. Once vulnerabilities arising out of trust are addressed, organizations can focus on monitoring the entire attack surface and regularly patch vulnerabilities that pose the greatest threat to critical business assets.

Can you share some tips for accelerating your zero-trust journey?

Zero-trust is not a product or solution that can be installed. It’s a strategy for implementing cybersecurity in a business world without perimeters. It’s built upon cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching and continuous monitoring. Identifying each and every user in the network provides full visibility into the attack surface including IT, OT and IoT. Once security teams know how data flows within the organization, identifying critical assets that need to be secured becomes easier. Limiting access to these assets reduces the attack pathways and allows ease in monitoring the attack surface, identifying end-point vulnerabilities and patching them regularly.

What are the potential risks that you see with the confluence of OT and IT?

In modern industrial and critical infrastructure environments, an increasing number of operational technology (OT) devices are now connected to the outside world. While this convergence presents many opportunities, it also introduces new risks. Many of the systems within the OT world are unpatched or unsupported making them especially vulnerable to malicious activity.  Since IT and OT environments are often interconnected, an attack that originates on an IT network can move laterally to the OT environment and vice versa.

Therefore, having complete visibility is of utmost importance. OT operators need to take a full inventory of all assets, firmware version, patch level, state, configuration and vulnerability positions of everything that is present within the OT infrastructure.


About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

 

Amid Today’s Threat Landscape, Protecting Active Directory is a CISO-Level Concern
https://staging-cisomagcom.kinsta.cloud/active-directory/
Mon, 19 Apr 2021 05:30:30 +0000

Despite Active Directory’s critical role in today’s IT infrastructure, CISOs rarely list protecting it as a top priority. They assume that policy management and periodic audits are sufficient to cover it, and too often, it fades into the background as part of the plumbing — something they just expect to function as it should. Active Directory (AD) is a solution businesses use to set and control privileges and permissions, which means ease of access and operations are essential. Unfortunately, constant changes and continuing growth make it complex to protect.

By Carolyn Crandall, Chief Security Advocate, and CMO, Attivo Networks

Stolen credentials are on the rise, and privileged access is a factor in the majority of cyberattacks. With more and more cybercriminals looking to move laterally within the network and escalate their privileges, AD represents an increasingly high-value target. The complexity of securing AD and the growing frequency with which attackers target it means that CISOs can no longer view it as a backburner item — its security is now a CISO-level concern.

The Complexity of Securing Active Directory

Over 95 million Active Directory accounts are under attack every day, demonstrating the frequency with which cybercriminals attempt to compromise AD to acquire additional permissions and escalate their attacks. AD is a “master key” that manages permissions across the enterprise, and — unfortunately — access control is no simple matter. Overprovisioning is common, especially in group policies, and legacy permissions can be difficult to track. Orphaned credentials are an issue that can be hard to gain visibility into, and mergers and acquisitions can add further complexity, as merging disparate user groups and assets is often challenging. Security teams commonly lack visibility into AD changes, and it is challenging to protect what they can’t see.

More than Just Plumbing

More than 90% of Global Fortune 1000 organizations use AD for authentication, identity management, and access control. Unfortunately, AD configurations become increasingly complex over time, resulting in overprovisioning and errors. The addition of temporary workers, mergers and acquisitions, and third-party vendors that need some level of access compounds the situation. In addition, the number of users, devices, and applications accessing company networks is growing every day, and today’s networks now extend from the endpoint to the cloud.

Privileged access covers credentials, databases, infrastructure, and network devices. AD touches all of these areas, which is why attackers see AD as the ultimate prize, granting them access to the rest of the network. Whether they aim to gather passwords via a DCSync attack, push changes to AD ACLs and settings via a DCShadow attack, or create anything with a Golden Ticket attack, AD is a high-value target for attackers.

Given its role in maintaining operations and allowing employees to do their work efficiently, losing control of Active Directory can cause anything from a small to a complete disruption of service.

Active Directory Attacks Can Cause Serious Damage

Privileged access abuse is a factor in 80% of known security breaches, including the recent highly damaging SolarWinds and Microsoft breaches. If attackers compromise AD, they can use stolen credentials—or escalate privileges for credentials they already possess — to move laterally throughout the network. Once an attacker has “domain administrator” control of AD, an attack becomes highly difficult to stop and can require extreme measures to restore the AD environment to a non-compromised status.

Third-party attacks like the SolarWinds breach highlight how attackers can bypass perimeter defenses. In this case, modified SolarWinds products provided attackers with a backdoor into numerous company networks — circumventing any perimeter protections those organizations may have in place. Without in-network defenses, there is little to stop attackers from making a beeline for AD — and with the average cost of a data breach now at nearly $4 million, an attack that compromises AD will almost certainly be an expensive one. Payout demands for ransomware breaches, almost all of which use AD as an element of their attack, have climbed to record-breaking heights. In mid-March, PC giant Acer was hit by a $50 million ransomware attack, demanding the highest known ransom to date.

How CISOs Can Change Their Thinking

Identifying the right metrics can be a challenge for CISOs. When talking to a company board, they often feel compelled to focus on metrics like intrusion attempts, incident rates, response times, and other numbers, which, while important, do not tell the whole story. Additional metrics like excess privilege exposures can help contextualize the threat to AD and the network at large. These metrics may take some further explaining, but they provide a more comprehensive picture of network health and security.

Attackers tend to leverage many things during attacks. First, they prey on endpoints and users. They will next attempt to compromise the endpoint, then focus on local privilege escalation. Inside the network, they will conduct network and AD reconnaissance and then focus on attacking AD. Attackers always seek greater privileges, but many security teams rely on SIEMs and AD monitoring solutions, which are inefficient and only useful after an incident has occurred. And while maintaining AD privileges and policies is table stakes, it will not stop an attacker already in possession of privileged account credentials from accessing valuable assets.

Given what we know about how attackers operate, CISOs must pay more attention to lateral movement and identity protection and entitlement than to authentication and authorization. With greater visibility into potential threat paths and exposures, security teams can remediate issues and set traps for would-be attackers by hiding real AD objects and seeding the network with false ones. Rather than identifying signs of an attack after it has taken place, CISOs can enable their security teams to take a more proactive approach, tricking attackers into giving themselves away before they can escalate their attacks.

Making AD a Top-Level Priority

Attackers today view AD as an easy target, in part because organizations consider it protected by the perimeter, policies, and log management, which savvy attackers have proven they can repeatedly defeat. By shifting their attention to vulnerability visibility, lateral movement, and privilege escalation detection, CISOs can make life much more difficult for attackers and prevent minor incursions from becoming full-scale breaches. By recognizing that AD has become an attack vector of choice, CISOs can more effectively protect their networks from today’s most damaging attack tactics.


About the Author

Carolyn Crandall holds the roles of Chief Security Advocate and CMO at Attivo Networks. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate. Crandall has received many industry recognitions including Top 25 Women in Cybersecurity 2019 by Cyber Defense Magazine, Reboot Leadership Honoree (CIO/C-Suite) 2018 by SC Media, Marketing Hall of Femme Honoree 2018 by DMN, Business Woman of the Year 2018 by CEO Today Magazine, Cyber Security Marketer of the Year 2020 by CyberDojo (RSA), and for 9 years a Power Woman by Everything Channel (CRN).

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
