Generating CISO buy-in for Active Directory Protection is a major factor in a company’s success against ransomware attacks. Active Directory (AD) sits at the heart of almost every enterprise network, with more than 90% of businesses using it as their identity management system. It serves as the central repository for identity information, including credentials, user accounts, individual devices, applications, and more, making it incredibly important and an obvious target for cybercriminals.
By Carolyn Crandall, Chief Security Advocate, Attivo Networks
Despite this, AD isn’t always front-of-mind for organizational decision-makers. AD isn’t something most executives consider a major concern; it’s something they expect to work. However, Microsoft once estimated that more than 95 million AD accounts come under attack every day, and that number has almost certainly grown. New research conducted by Enterprise Management Associates (EMA) further indicates that 50% of organizations studied experienced an attack on AD within the past one or two years. Attackers know that control of AD is the prize; they can see that AD is vulnerable, and they are targeting it with increasing frequency. For organizations that wish to remain secure, it is time to elevate AD security to not only a CISO-level concern but one that executives review in the context of business continuity and company welfare.
Active Directory Protection Challenges
Because Active Directory is responsible for authentication throughout the enterprise, every identity within an organization needs to connect to AD somehow. AD needs to be accessible, which is a significant reason it is intrinsically insecure. Credential theft is an increasingly common tactic, and just one stolen, exposed, or weak password can open the door to exploiting Active Directory. This year’s Verizon Data Breach Investigations Report (DBIR) indicates that 61% of all breaches now involve credential data, and attackers often use those valid credentials to circumvent perimeter defenses.
Using valid credentials helps attackers avoid setting off the usual alarm bells. They will almost always leverage that advantage to move laterally throughout the network to identify valuable data to steal or encrypt. They will also target AD to acquire additional admin-level credentials that will allow them to escalate their privileges and expand the scope of their attacks. And unfortunately, once an attacker has compromised AD, they can erase their tracks and become extremely difficult to remove from the system. They will essentially have the keys to the castle.
The consequences that stem from the exploitation of Active Directory are broader than many realize. A major breach or loss of domain control can have substantial downstream effects, whether the attacker is a cybercriminal running a ransomware attack, a nation-state threat actor conducting espionage, or an activist interfering with business. Think of it this way—if an attack disrupts a manufacturing line, it may be bad, but it’s fixable. That same attack might also disrupt shipping, purchasing, and other areas that can grind business to a halt, not just for one enterprise but also for the partners and customers that rely on it.
Think about the implications of one component shortage and how it could stop the assembly line for a car, a refrigerator, or a computer. Worse still, in areas like utilities and critical infrastructure, security failures can put, and have put, lives at risk. For proof, look no further than the Oldsmar, FL water system attack or recent Ponemon research indicating that ransomware-related shutdowns in the health care industry directly impact patient safety, data, and overall care availability.
The Cost of Poor Active Directory Protection
The threat of a breach concerns every organization, and most have made strides in improving their preparedness related to security hygiene and posture management. However, given the implications, the relative lack of focus on AD is a problem that needs addressing. Regulatory and compliance standards are undoubtedly moving in this direction, but they are currently vague about what it means to “protect data and personal information.” Other advisory bodies, such as the National Institute of Standards and Technology (NIST) and MITRE, have been much more direct in their recommendations. Both have issued guidance to help organizations specifically protect AD, and no one should be surprised when governments begin to follow suit.
Cyber insurance is another fast-growing industry, and insurers closely monitor developments within the threat landscape. Like any insurer, cyber insurers want to ensure that their clients take reasonable precautions to protect themselves from risk. With 61% of attacks involving credential data, they will be reluctant to issue payouts to organizations that have not taken the appropriate steps to protect themselves. Insurers today almost always mandate using multi-factor authentication (MFA), but it is not enough. With credential-based attacks continuing to rise, cyber hygiene and posture management will need to expand identity security to defend against credential misuse or privilege escalation and to protect directory services management systems like Active Directory.
These factors can significantly impact an enterprise’s risk profile and, ultimately, its coverage. Cyber insurance is a must in today’s threat environment, and the potential for regulatory action will only loom larger as the issue of credential-based attacks continues to grow. With Active Directory now a priority target for attackers, organizations that do not prioritize the visibility needed to assess and measure AD vulnerabilities accurately could find themselves in hot water. The days of periodic audits and log monitoring are over; they are no longer enough. Today’s organizations need to identify exposures and misconfigurations related to credentials and AD continuously and in real time. Anything less risks leaving the enterprise dangerously exposed to attackers and to regulatory and liability concerns. Active Directory Protection is thus an area of interest for businesses and threat actors alike.
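The continuous exposure assessment called for above can be made concrete as a check run against a regular export of AD user objects. The following is an added example and is not code from the article or from Attivo Networks; it assumes the user objects have already been exported into dictionaries carrying the sAMAccountName, userAccountControl, servicePrincipalName, memberOf and pwdLastSet attributes, and the snapshot it runs over is constructed for illustration. The userAccountControl bit values and the privileged group names are the documented Microsoft ones; the 90-day password-age threshold is an assumed policy value.

```python
"""Continuous AD exposure check over a constructed snapshot of user objects.

Added example, not from the article or Attivo Networks. The snapshot below is
constructed; in practice it would come from an LDAP or PowerShell export.
"""
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bit flags.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000        # Kerberos pre-authentication disabled
NORMAL_ACCOUNT = 0x0200

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
MAX_ADMIN_PASSWORD_AGE = timedelta(days=90)   # assumed policy threshold


def find_exposures(users, now=None):
    """Return (account, finding) tuples for every exposure seen in the snapshot."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for u in users:
        name = u["sAMAccountName"]
        uac = u["userAccountControl"]
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts are out of scope for this check
        privileged = bool(PRIVILEGED_GROUPS & set(u.get("memberOf", [])))
        # Credential-related weaknesses that apply to any enabled account.
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "Kerberos pre-authentication disabled"))
        if uac & PASSWD_NOTREQD:
            findings.append((name, "password not required"))
        if uac & TRUSTED_FOR_DELEGATION:
            findings.append((name, "unconstrained delegation enabled"))
        # Stricter expectations for accounts in privileged groups.
        if privileged:
            if u.get("servicePrincipalName"):
                findings.append((name, "privileged account has an SPN"))
            if uac & DONT_EXPIRE_PASSWD:
                findings.append((name, "privileged account password never expires"))
            if now - u["pwdLastSet"] > MAX_ADMIN_PASSWORD_AGE:
                findings.append((name, "privileged account password older than policy"))
    return findings


# Constructed snapshot, not real directory data.
SNAPSHOT_TIME = datetime(2021, 9, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT,
     "memberOf": ["Domain Users"], "pwdLastSet": SNAPSHOT_TIME - timedelta(days=10)},
    {"sAMAccountName": "svc_backup", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,
     "servicePrincipalName": ["backup/srv01.corp.example"],
     "memberOf": ["Domain Admins"], "pwdLastSet": SNAPSHOT_TIME - timedelta(days=400)},
    {"sAMAccountName": "legacyapp", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
     "memberOf": ["Domain Users"], "pwdLastSet": SNAPSHOT_TIME - timedelta(days=30)},
    {"sAMAccountName": "olduser", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD,
     "memberOf": ["Domain Users"], "pwdLastSet": SNAPSHOT_TIME - timedelta(days=900)},
]

if __name__ == "__main__":
    for account, finding in find_exposures(SAMPLE_USERS, SNAPSHOT_TIME):
        print(f"{account}: {finding}")
```

Run on a schedule, the difference between two consecutive runs is the signal worth alerting on: a privileged account that acquires an SPN or loses its password expiry between snapshots is a change someone should be able to explain.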
CISO Support Is Critical
Now more than ever, organizational leaders need to elevate cybersecurity to a Board-level discussion. This conversation must go beyond user and device hygiene and expand into protecting credentials, privileges, and the Active Directory systems that manage them. Ransomware is clearly on every company’s list of top concerns, and companies need to understand that its continued success is a result of Active Directory-related exposures. CISOs can help connect the dots by improving cyber hygiene and reducing risks, taking steps including controlling privileged credentials, gaining visibility into when privileged accounts get used, and ensuring that detection for live attacks on Active Directory is in place.
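Two of the steps listed above, visibility into when privileged accounts get used and detection of live attacks on AD, can be illustrated with a small set of rules over Windows Security events. The following is an added example, not code from the article or from Attivo Networks. It assumes the events have already been exported as JSON with their native field names (for example by a log forwarder), and the event IDs, field names and the DS-Replication-Get-Changes control-access-right GUID are the documented Windows values; the log lines, the approved admin host list and the domain controller list are constructed for illustration.

```python
"""Detection rules for privileged activity against Active Directory.

Added example, not from the article or Attivo Networks. Events are Windows
Security events exported as JSON, one object per line; the sample events
below are constructed, not captured data.
"""
import json

# Documented Windows Security event IDs used by the rules.
LOGON = 4624                    # an account was successfully logged on
SPECIAL_PRIVILEGE_LOGON = 4672  # special privileges assigned to new logon
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # member added to global/local/universal group
DS_OBJECT_ACCESS = 4662         # an operation was performed on a directory object

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Control-access-right GUID for DS-Replication-Get-Changes; in normal operation
# only domain controller accounts exercise it.
REPLICATION_GUID = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"


def detect(lines, approved_admin_hosts, domain_controllers):
    """Return alerts as (rule, account, detail) tuples for the given JSON lines."""
    events = [json.loads(line) for line in lines]
    # 4672 names only the logon session; join it to 4624 by logon ID to learn
    # which workstation the privileged session came from.
    logon_host = {e["TargetLogonId"]: e["WorkstationName"]
                  for e in events if e["EventID"] == LOGON}
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == SPECIAL_PRIVILEGE_LOGON:
            host = logon_host.get(ev["SubjectLogonId"], "unknown")
            if host not in approved_admin_hosts:
                alerts.append(("privileged logon outside approved admin hosts",
                               ev["SubjectUserName"], host))
        elif eid in GROUP_MEMBER_ADDED and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            alerts.append(("member added to privileged group",
                           ev["MemberName"], ev["TargetUserName"]))
        elif eid == DS_OBJECT_ACCESS and REPLICATION_GUID in ev.get("Properties", "").lower():
            if ev["SubjectUserName"] not in domain_controllers:
                alerts.append(("directory replication by non-DC account",
                               ev["SubjectUserName"], ev["ObjectName"]))
    return alerts


# Constructed sample events (not captured from a real domain).
SAMPLE_LOG = [
    json.dumps({"EventID": 4624, "TargetUserName": "admin.jane", "TargetLogonId": "0x3e7a1",
                "LogonType": 2, "WorkstationName": "PAW01"}),
    json.dumps({"EventID": 4672, "SubjectUserName": "admin.jane", "SubjectLogonId": "0x3e7a1",
                "PrivilegeList": "SeDebugPrivilege"}),
    json.dumps({"EventID": 4624, "TargetUserName": "admin.jane", "TargetLogonId": "0x4f102",
                "LogonType": 3, "WorkstationName": "WKS-0412"}),
    json.dumps({"EventID": 4672, "SubjectUserName": "admin.jane", "SubjectLogonId": "0x4f102",
                "PrivilegeList": "SeDebugPrivilege"}),
    json.dumps({"EventID": 4728, "SubjectUserName": "admin.jane",
                "MemberName": "CN=svc_backup,OU=Service,DC=corp,DC=example",
                "TargetUserName": "Domain Admins"}),
    json.dumps({"EventID": 4728, "SubjectUserName": "admin.jane",
                "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example", "TargetUserName": "Sales"}),
    json.dumps({"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=example",
                "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}"}),
    json.dumps({"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=corp,DC=example",
                "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}"}),
]
APPROVED_ADMIN_HOSTS = {"PAW01", "PAW02"}   # assumed privileged access workstations
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}     # assumed DC computer accounts

if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_LOG, APPROVED_ADMIN_HOSTS, DOMAIN_CONTROLLERS):
        print(f"{rule}: {account} ({detail})")
```

The 4662 rule only fires if the domain controllers audit directory service access for the domain naming context, and the 4624/4672 join only works when both events are forwarded from the same controller, so both auditing configuration and log collection coverage are prerequisites for this visibility.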
About the Author
Carolyn Crandall is the Chief Security Advocate at Attivo Networks, the leader in preventing identity privilege escalation and detecting lateral movement attacks. She has worked in high-tech for over 30 years and has been recognized as one of the top 100 women in cybersecurity, appeared as a guest on Fox News, and been profiled in the Mercury News. Carolyn also co-authored the book Deception-Based Threat Detection: Shifting Power to the Defenders. She is an active speaker on security innovation at CISO forums, industry events, and technology education webinars.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.