“Just about every organization in the world at this point is probably using some flavor of Active Directory. So, I think it’s being targeted by just about every threat actor out there,” Doug Bienstock, senior manager at cybersecurity firm Mandiant, told Government Technology.
But careful attention to account privilege management, Active Directory configurations and authentication policies can help boost defenses.
WHAT IS ACTIVE DIRECTORY?
Active Directory is a Microsoft service used to manage who and what gets access to an organization’s network assets.
It “enables administrators to manage permissions and access to network resources,” according to TechTarget. It supports needs like controlling which systems and applications are accessible to regular users and which are limited to higher-privileged accounts, for example. It also underpins single sign-on services, which let users log in only once before getting access to various applications, thus sparing them having to re-authenticate themselves each time.
This on-premise Active Directory often links with a cloud-based counterpart to provide a smoother process for users who are authenticated by their networks to then access cloud services.
For example, this connection enables employees at an organization with a cloud email service to log into their computers and then immediately start reading their emails — without having to go through separate authentication steps with the email application, Gil Kirkpatrick told GovTech. Kirkpatrick is the chief architect for products at Semperis — a cybersecurity firm that sells Active Directory recovery and defense solutions — and author of Active Directory Programming.
Such convenience comes with security trade-offs, however. This connection between on-premise and cloud services means that attackers who manage to compromise on-premise Active Directory can then move to attack those cloud resources.
ATTACKS GROW WITH CACHED PASSWORDS
Hackers can get a foothold in a network through efforts like phishing to steal an individual’s account credentials or malicious websites that download malware onto a single machine.
But this is rarely the end game: many cyber attackers aim to escalate their privileges until they’re able to deploy malware onto as many machines as possible and move through a network in pursuit of the most valuable data.
Once hackers gain initial entry to a device, they typically use software tools to seek out any privileged credentials that may be cached — i.e., temporarily stored — on the machine’s memory, Kirkpatrick said. They are also likely to check whether the machine can connect to other devices on which higher-level credentials may be stored or which may have security weak points, like unpatched software.
If an administrator used privileged credentials to log into the machine to fix a printer problem, for example, “those credentials may still be floating around in memory,” Kirkpatrick said.
Similarly, if an administrator used their privileges to remotely connect to a network asset, the hacker may be able to revive that connection.
“[One possibility] is that there’s a privileged session sitting in memory,” he said. “It’s like a connection to a file server, where the administrator accesses the file server with privileged credentials, and that file server session is just sitting in memory. And from that, the attacker can hijack it and use that session for his own means.”
Caching is often intended to create a smoother user experience, but also creates greater risks: hackers could try to access cached credentials or sessions, to get more privileged access to a network. The intruders then may build on this process, looking for ways to elevate their privileges even further and moving through the network, often with the aim of becoming domain administrators with access to the most sensitive databases.
Once they find useful data, they are likely to exfiltrate it.
Microsoft has written on these kinds of threats:
“More than malware, attackers need credentials to succeed in their attacks,” Microsoft wrote in a May blogpost. “In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment.”
Attackers who get enough access to do so may try to obscure their activities by creating new user accounts for themselves in Active Directory and granting those accounts access to remote access tools like VPNs or Remote Desktop, Microsoft wrote. This would help attackers fly under the radar, because observers may see what looks like legitimate accounts using legitimate tools in the ways for which they were designed.
MANAGING ACCESS, ACCOUNTS
One way to boost defenses is to ensure administrators only use their privileged credentials when they absolutely need and otherwise rely on lower-level credentials whenever possible, Kirkpatrick said. Doing so would mean that only these lower, less valuable credentials become cached in local memory where hackers might find them.
Following cyber hygiene basics also goes a long way, including requiring all users to use multifactor authentication (MFA), as well as limiting access to sensitive systems to only a small number of accounts that truly need it, Bienstock said.
But organizations with many accounts may lose track of the privileges available to each.
A 2022 Microsoft blog post recommends organizations use tools like BloodHound to get insights about the quantity of administrator accounts in their enterprise. However, attackers also use BloodHound to identify the easiest ways to travel through a victim’s systems in pursuit of high-level accounts, so organizations must be careful to monitor for signs that the tool is being used maliciously.
LIKE A TREASURE MAP
Machines included in Active Directory can read the full directory. That’s useful for hackers looking to discover which assets are potentially valuable and how to travel through the network to reach them.
“[Active Directory] is basically a road map to all of the things on the network you might want to look at,” Kirkpatrick said. “So you can look for a server whose name is ‘Critical _Sales_Data_SQL_Server,’ things like that. And that just gives you an idea of machines you want to come back to and see if you can get privileged access to them.”
GROUP POLICIES
Ransomware actors want to deploy malware onto as many machines as they can, as efficiently as they can. That puts a target on an operating system feature called Group Policy.
Group policies dictate the security configurations for a group of machines, and intruders who obtain access to accounts with certain privileges can adjust these policies to impact all the devices in the group in one go, Kirkpatrick said.
Group policies can also be used to replicate files to all the members of the group. Intruders can abuse this function to replicate their malware, deploying it throughout the network.
“If you’ve managed to land on a machine, and you can get access to that replicated file directory, you can put your malware in there — you can put the ransomware payload in there,” Kirkpatrick said. “And then it will replicate across the network, and you can then modify people’s log on scripts, for instance, so the first thing that happens when they log on in the morning is the ransomware downloads to their machine.”
This makes it important to remove unnecessary members from groups.
THE CLOUD QUESTION
Cloud-based versions of Active Directory can manage permissions and access for cloud environments, and link with on-premise Active Directory to support hybrid organizations.
Cloud providers manage the security of the cloud Active Directory services, but client organizations still must do their part to ensure they’ve properly configured their cloud environment to meet their specific needs, Mandiant’s Bienstock said.
That can be a moving target, Bienstock noted. Cloud providers push out automatic updates, rather than leave end users to choose whether to adopt them. But these changes can affect organizations’ security postures, so entities should re-check their defenses and setups after each update.
Kirkpatrick also reminded that hybrid organizations must still attend to on-premise Active Directory security and should patch promptly plus practice backing up and recovering their active directories.