Active Directory (AD) is a mainstay for most organisations, especially as identity management grows for even small-to-medium businesses (SMBs) and once on-premises organisations digitize. But this widely adopted tool comes with major security risks.
Ransomware groups are frequently targeting the tool due to its stash of valuable credentials and centralised location within a network, and several common tactics, techniques, and procedures (TTPs) listed in the MITRE ATT&CK framework involve AD from credential requests to object creation, moderation, or deletion. In addition to these external threats, the internal management of on-premises and cloud instances of AD increases a network’s complexity and can double an organisation’s attack surface.
While this tool can be essential in helping organizations manage their users and access within their network, it’s also quickly becoming a must-hack for threat actors looking to execute sophisticated cyber attacks. Organizations must see AD not as secure-by-default, but as a part of their identity infrastructure that needs consistent hardening and robust security.
What is Microsoft Active Directory?
Microsoft Active Directory (AD) is a directory tool for system administrators to set and manage network access and permissions for users within a system. AD contains multiple components, including Active Directory Domain Services, Active Directory Certificate Services, and Active Directory Federation Services.
Active Directory works to connect users to network resources, and in more technical terms, AD stores data as objects, which can be individual users, groups, or even a device like a printer. The tool then sets controls for the objects, verifying pre-set controls, or giving or denying permission for certain actions.
This structure of AD helps explain why it’s so valuable to threat actors. Not only can this tool store user credentials and grant access to various resources, but threat actors can also work to alter the permissions themselves as well as see how the network is configured and what users have access to. It’s a treasure trove of both action and information for hackers and is often referred to in the cybersecurity industry as holding “the keys to the kingdom.”
Active Directory and Identity Security
There are two sides to AD when it comes to identity security. One side is that AD allows organisations to implement their identity and access management (IAM) goals, and identity security initiatives, by configuring permissions for users and devices within the network. Limiting permissions and network access allows an organisation to better follow zero trust models and privilege access management (PAM) within their network. It also creates visibility, allowing IT teams to see the “who, what, and when” of internal access, and allowing them to make changes to harden or adjust their network access.
The flip side is that constant configuration can be overwhelming for already strained internal resources. In addition, AD is a massive target, and a potential weak spot, in an organisation’s identity security structure because threat actors see the same value in it. If they can get into AD through a vulnerability, steal credentials, and change permissions, an organisation’s entire identity security structure will dissolve, giving the threat actor free rein to launch an attack.
Active Directory Security Risks
Active Directory can be a major weakness in your network. 90% of global Fortune 1000 companies use the tool, but according to a recent white paper, only a quarter of those organisations consider its security a top priority.
Weaknesses within Active Directory include:
- Administrators that are not security experts
- Lack of security prioritization for AD
- Internal resources are strained and lack AD specialization
- Added complexity to the network that expands the attack surface, especially for hybrid or enterprise environments
- Targeting of the tool by threat actors at an increasing frequency
- Built on legacy software
- It’s ubiquitous, meaning threat actors can always rely on its existence as an attack avenue
- Contains out-of-the-box configuration
- Contains loopholes due to legacy protocols and encryption schemes
There are multiple ways a threat actor can gain access to AD, furthering their attacks. These fall into two categories, based on whether a threat actor has internal access already or not. If they lack internal access, they will rely on social engineering and password-based attacks. If they have internal access, there are a few common tactics they will utilize, including:
1. Kerberoasting. This attack targets service accounts and exploits the Service Principal Name (SPN) for a user attribute, allowing the hacker to obtain and crack the “password hash” for a user account. This opens a series of doors within the network, allowing the hacker to pass as a legitimate user and make lateral movement.
2. Man-in-the-middle. Certain legacy protocols are supported out-of-the-box for AD and can be easily exploited via man-in-the-middle attacks, which occur when an attack captures an encrypted authentication message and is able to crack it, or when an intercepted encryption message is relayed to another host.
3. Pass-the-hash. This tactic involves attackers using a tool like MimiKatz, which exploits authentication protocol, to impersonate a user and dump credential hashes from memory.
4. Default credentials. Some administrators will forget to change the password for devices and systems from the default, allowing threat actors to gain access by trying the default passwords that arrived with the device.
5. Active Directory privilege escalation. If a threat actor has credentials for a certain user, they may force- add them to an AD user group with extensive or privileged permissions, allowing them deeper access into the network.
6. Active Directory privilege abuse. Because AD can be cumbersome to manage, especially for strained or inexperienced staff, user privileges within AD may be too permissive or have more access than is needed, which threat actors can target and exploit.
This is not a full list, and threat actors are evolving tactics to infiltrate and use AD for their attacks, which makes Active Directory security more critical.
Another reason threat attackers target AD has to do with “breakout time,” or the time a threat actor moves from initial access to lateral movement and privileged escalation. This time is decreasing across industries, and once lateral movement occurs, it’s more difficult for internal teams to detect and stop the threat, especially if the threat actor is using legitimate credentials. Active Directory often gives threat actors immediate access to other parts of the network, speeding up that breakout time and allowing for more sophisticated attacks to occur.
See how Arctic Wolf works to detect threats before lateral movement happens
How To Harden Your Active Directory Security
While hardening your Active Directory is not a simple, one-and-done task, and will take both time and resources, the prioritisation is worth it considering how vital AD is to your organization’s overall identity structure and security.
There are several ways to harden AD, from the broad to the deeply technical and micro, but there are five that all organizations should implement first.
1. Password policy updates. Strong passwords go a long way in preventing man-in-the-middle and password-based attacks. Standard best practices say that a password should be at least 12 characters long with letters, numbers, and special characters. Strong user awareness training should also be implemented to highlight the value of individual password hygiene.
2. Access control and authentication. Limiting the attack surface in case an Active Directory attack is successful is critical for minimizing or stopping lateral movement. Multi-factor authentication (MFA) will prevent access, even if a password is hacked, and other access controls, such as the following of zero trust guidelines or implementing privileged access management (PAM), will prevent a threat actor from moving deeper into the network or gaining access to AD and the network in the first place.
3. Enforcing strong encryption in AD. The basic settings in AD only offer basic encryption. By tightening configurations, and adding layers of encryption, you’re not only reducing the chances that an attacker will be able to crack passwords, but buying your security team time to detect initial access before it turns lateral movement can occurs.
4. Audit permissions and file sharing. Visibility is a major component of any security strategy, and the same is true with AD. Your team should know be able to analyse security groups, privilege escalation paths, user account permissions, and potential attack paths. The same should be done for files within AD as well. This can be achieved with BloodHound, a tool designed to help organizations map out their AD. Threat actors can use BloodHound as well to map out attack patterns or weaknesses once they have access to AD.
5. 24×7 monitoring. Knowing unusual behaviour is happening, in real-time, can be the difference between stopping a threat or having to clean up a major incident. It’s important for your organisation to have a monitoring solution in place, preferably one like Arctic Wolf® Managed Detection and Response, which can alert a security team to detections coming directly from AD, as well as identities and other network sources.
This is not an exhaustive list, and Microsoft has many resources for organisations who need guidance hardening Active Directory, especially for technical aspects like network segmentation or domain controller hardening.
Explore what Arctic Wolf sees for the future of Active Directory security in our Arctic Wolf Labs 2024 Predictions.
See how Arctic Wolf stopped an active directory attack before it turned into a full ransomware incident.
