The holidays are a busy time for shoppers, retail businesses—and cybercriminals. The Cybersecurity and Infrastructure Security Agency (CISA) has previously noted “an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed” and has called holiday shopping seasons “a prime opportunity for bad actors to take advantage of unsuspecting shoppers through fake websites, malicious links, and even fake charities.” Holiday cybersecurity tips are at the top of everyone’s wish list.
Holidays are the perfect time—for cybercrime
It makes perfect sense for retail businesses to be targeted around gift-giving holidays, given the volume of payment card data they store and process. Verizon’s 2023 Data Breach Investigations Report examined techniques that cybercriminals use to steal credit card data, especially during busy shopping periods such as Black Friday and Cyber Monday. Between typosquatting (registering mistyped domains to impersonate legitimate retailers), Grinch bots (automated programs that buy out the inventory of popular products for resale at a markup), and request bots (used to get around bot-mitigation controls), holidays are a challenging time for retailers.
But the threats extend far beyond the retail sector or any one time of year. Attackers favor holidays and weekends year-round to launch ransomware and other network breach attempts. During these times, security and IT teams are more likely to be overwhelmed, distracted, or away from work, giving cyberattackers a better opportunity to slip past your defenses.
Organizations that close over holiday seasons—such as banks, state and local governments, and school districts and universities—are prime targets. (I recently heard about one such attack attempt during an interview on the HIP Podcast. You can listen to the full story here.)
Once attackers are inside your network, one of their first moves is usually to find the fastest route to higher privileges, and that route almost always runs through your identity infrastructure. Attackers also use Active Directory itself to propagate malware, for example by pushing a payload to every domain-joined machine through Group Policy.
Once Active Directory is compromised, attackers can disrupt business, steal data, and even create backdoors to maintain persistence undetected and withstand cleanup and recovery efforts.
Top holiday cybersecurity tips for identity infrastructures
Building an effective cybersecurity approach is easier when you view your environment from an adversary’s perspective. Active Directory authenticates users and authorizes access for nearly everything else on the network, which makes it the natural target for attackers who want to expand their foothold in a breached network.
Although privileged accounts are a key focus for attackers, remember that non-admin accounts can be nearly as valuable. A service account with rights to a sensitive database, for example, is worth its weight in gold.
With the new year approaching, now is a good time to evaluate your approach to AD security. Here are three tips for hardening it against attacks.
1: Scan your Active Directory environment
Organizations need a comprehensive map of their Active Directory environment: which accounts hold which privileges, and the business or technical justification for each. Enforcing the principle of least privilege shrinks the attack surface available to an intruder.
Evaluating your identity attack surface so that you can address vulnerabilities and gaps is a good first step. A free, easy tool such as Purple Knight can do this for you.
Auditing Active Directory to ensure that groups and individual accounts are limited to the permissions they need to do their jobs is critical for both security and regulatory compliance. This applies above all to highly privileged accounts, which should be kept to a minimum so that fewer of them can be compromised and turned against you.
Other best practices include:
- Treat any account with a service principal name (SPN) as high-value: any authenticated domain user can request a Kerberos service ticket for it and attempt to crack the account’s password offline (Kerberoasting).
- Do not store Group Policy Preferences passwords anywhere in SYSVOL; the cpassword value is encrypted with a key that Microsoft published, so anyone who can read SYSVOL can recover it (see MS14-025).
- Rework privileged service accounts to use the least privileges necessary and consider leveraging group managed service accounts.
- Require the use of unique, complex passwords for service accounts.
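Here is an added example (not part of the original post) that turns the four items above into a read-only PowerShell sweep using the RSAT ActiveDirectory module on a domain-joined host. The privileged-group list and the 180-day password-age threshold are assumptions; adjust them to your environment. Password uniqueness cannot be checked this way (it needs hash comparison), so that item is left to your password audit tooling.

```powershell
# Added example, not code from the original post: a read-only sweep for the four
# hygiene items listed above. Assumes the RSAT ActiveDirectory module on a
# domain-joined host with read access to the domain and to SYSVOL. The group
# list and the 180-day threshold are assumptions; tune them for your environment.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName
$dns    = $domain.DNSRoot

# 1. Accounts with an SPN are Kerberoastable: any authenticated user can request a
#    service ticket encrypted with the account's password hash and crack it offline.
#    krbtgt is excluded here; it is always high-value and handled separately.
Write-Host "== User accounts with service principal names =="
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, Enabled, MemberOf |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, Enabled, PasswordLastSet,
        @{ n = 'SPNs';       e = { $_.ServicePrincipalName.Count } },
        @{ n = 'GroupCount'; e = { $_.MemberOf.Count } } |
    Format-Table -AutoSize

# 2. Group Policy Preferences stored passwords: the 'cpassword' value in GPP XML is
#    AES-encrypted with a key Microsoft published (see MS14-025), so any domain user
#    who can read SYSVOL can decrypt it. Empty cpassword="" values are ignored.
$policies = "\\$dns\SYSVOL\$dns\Policies"
Write-Host "== GPP cpassword occurrences under $policies =="
Get-ChildItem -Path $policies -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword="[^"]+"' |
    Select-Object Path, LineNumber |
    Format-Table -AutoSize

# 3. Privileged group membership, resolved recursively so nested groups and the
#    accounts hiding in them show up. Enterprise/Schema Admins exist only in the
#    forest root domain, hence the try/catch.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
Write-Host "== Recursive membership of privileged groups =="
$privGroups | ForEach-Object {
    $g = $_
    try {
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
    } catch { Write-Warning "Could not enumerate $g : $_" }
} | Format-Table -AutoSize

# 4. Likely service accounts (password never expires) whose password has not changed
#    in 180 days, plus the gMSAs already in use, so you can see what remains to convert.
$stale = (Get-Date).AddDays(-180)
Write-Host "== Enabled never-expire accounts with passwords older than $($stale.ToShortDateString()) =="
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordLastSet, ServicePrincipalName |
    Where-Object { $_.PasswordLastSet -lt $stale } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'HasSPN'; e = { [bool]$_.ServicePrincipalName } } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

Write-Host "== Group managed service accounts already in use =="
Get-ADServiceAccount -Filter 'ObjectClass -eq "msDS-GroupManagedServiceAccount"' |
    Select-Object Name, DistinguishedName |
    Format-Table -AutoSize
```

Run it from a workstation in the Tier 0 management scope rather than from a random admin desktop, and keep the output: the SPN list and the privileged-group membership are exactly what you will want to diff against after an incident.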
Want to take your evaluation to the next step? A free attack-path analysis tool like Forest Druid can help you find potential paths into your Tier 0 perimeter so that you can lock down excessive privileges.
2: Have a disaster recovery plan
Don’t leave your identity security (and with it, your operational resilience) to chance. Know the answers to these questions:
- What will you do if a cyberattack occurs?
- Does your disaster recovery plan include specifics for responding to an identity-based attack?
- Do you have a dedicated backup and recovery plan for your Active Directory?
- Do you know how long AD recovery will take, and do you have the tools to automate the Active Directory recovery process?
- Who will you call if you need support?
If you are short on time or team members to properly prepare for cyber threats, consider outsourcing the task. Semperis, for example, has a team of Active Directory and cybersecurity experts who provide breach preparedness and response services, from assessing your AD infrastructure to AD recovery planning and testing to incident response and attack forensics.
3: Identify suspicious activity in Active Directory
Stealthy though attackers may be, they often leave signs of their behavior. The ability to detect suspicious changes, such as a new permission on the AdminSDHolder object (whose ACL the SDProp process copies onto every protected account and group), and misconfigurations, such as a non-default principal holding the directory replication rights that enable DCSync on the domain head, is a vital aspect of Active Directory security.
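The following added example (not part of the original post) checks for both misconfigurations just described by reading the two security descriptors with the RSAT ActiveDirectory module. The baseline principal lists describe a default forest-root domain and are assumptions: a legitimate extra such as an Azure AD Connect MSOL_* account, which needs replication rights, belongs on the baseline deliberately, not ignored; in a child domain, Enterprise Admins appears with the root domain’s NetBIOS prefix.

```powershell
# Added example, not code from the original post: two ACL checks for the
# misconfigurations named above. Assumes the RSAT ActiveDirectory module and an
# account that can read the domain head and AdminSDHolder security descriptors.
# The baseline principal lists are assumptions for a default forest-root domain.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dn      = $domain.DistinguishedName
$netbios = $domain.NetBIOSName
$ADR     = [System.DirectoryServices.ActiveDirectoryRights]

# Control-access right GUIDs that together make DCSync possible (fixed schema GUIDs).
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Principals expected to hold replication rights in a default domain (assumption; extend deliberately).
$replBaseline = @('BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                  "$netbios\Domain Controllers", "$netbios\Enterprise Read-only Domain Controllers")

function Get-ReplicationAces {
    # Allow ACEs on the domain head that grant a replication right, either directly by
    # GUID or implicitly through GenericAll or "all extended rights" (empty ObjectType).
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid   = $ace.ObjectType.ToString()
        $direct = $replRights.ContainsKey($guid)
        $allExt = $ace.ActiveDirectoryRights.HasFlag($ADR::ExtendedRight) -and $guid -eq ([guid]::Empty).ToString()
        $all    = $ace.ActiveDirectoryRights.HasFlag($ADR::GenericAll)
        if (-not ($direct -or $allExt -or $all)) { continue }
        $right = if ($direct) { $replRights[$guid] } else { $ace.ActiveDirectoryRights.ToString() }
        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Right      = $right
            Inherited  = $ace.IsInherited
            InBaseline = $replBaseline -contains $ace.IdentityReference.Value
        }
    }
}

# Principals holding write-class rights on AdminSDHolder in a default domain. Cert Publishers
# (userCertificate) and Terminal Server License Servers (terminalServer) write one attribute
# each; anything else that can write here is inherited by every protected account and group
# the next time SDProp runs (every 60 minutes by default). Assumption: tune per forest.
$sdhDn       = "CN=AdminSDHolder,CN=System,$dn"
$sdhBaseline = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$netbios\Domain Admins",
                 "$netbios\Enterprise Admins", "$netbios\Cert Publishers",
                 'BUILTIN\Terminal Server License Servers')
$writeMask = $ADR::GenericAll -bor $ADR::GenericWrite -bor $ADR::WriteDacl -bor $ADR::WriteOwner -bor $ADR::WriteProperty

function Get-AdminSdHolderWriteAces {
    $acl = Get-Acl -Path "AD:\$sdhDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights.ToString()
            ObjectType = $ace.ObjectType.ToString()   # attribute/class GUID; empty GUID = everything
            Inherited  = $ace.IsInherited
            InBaseline = $sdhBaseline -contains $ace.IdentityReference.Value
        }
    }
}

Write-Host "== Replication rights on $dn (InBaseline = False needs a documented owner) =="
Get-ReplicationAces | Sort-Object InBaseline, Principal | Format-Table -AutoSize

$sdh = Get-ADObject -Identity $sdhDn -Properties whenChanged
Write-Host "== Write-class ACEs on AdminSDHolder (object last modified $($sdh.whenChanged)) =="
Get-AdminSdHolderWriteAces | Sort-Object InBaseline, Principal | Format-Table -AutoSize
```

Anything reported with InBaseline = False is either a documented exception you can name on the spot or a finding; there is no third category. A recent whenChanged on AdminSDHolder itself also deserves an explanation, because nothing in normal operation touches that object.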
For this reason, organizations should monitor Active Directory continuously and perform regular security assessments. After a breach, it is not unusual for threat actors to modify AD in various ways to enable them to persist. Changes to group membership, the sudden appearance of a new admin account, and similar clues are indicators that something might be amiss.
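As an added example (not part of the original post), the script below pulls the Security events behind the indicators just mentioned from every domain controller for the last seven days: new accounts, additions to privileged groups, and modifications to AdminSDHolder. It assumes the RSAT ActiveDirectory module, remote event-log access to each DC, and advanced audit policy with the User Account Management and Security Group Management subcategories enabled; event 5136 additionally needs the Directory Service Changes subcategory plus a SACL on AdminSDHolder. The group watch-list is an assumption.

```powershell
# Added example, not code from the original post: hunt the Security logs of every
# domain controller for the indicators above over the last $days days. All DCs are
# queried because an event is logged only on the DC that processed the change.
Import-Module ActiveDirectory

$days  = 7
$since = (Get-Date).AddDays(-$days)

# 4720  user account created
# 4728 / 4732 / 4756  member added to a security-enabled global / local / universal group
# 5136  directory service object modified (attribute or ACL change, including AdminSDHolder)
$ids = 4720, 4728, 4732, 4756, 5136

# Groups whose membership changes warrant a look (assumption; tune per environment).
$watchGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

function Get-EventField {
    # Pull one named <Data> element out of an event's EventData XML.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function New-Finding {
    param($Dc, $Event, $Indicator, $Actor, $Target, $Detail)
    [pscustomobject]@{
        DC = $Dc; Time = $Event.TimeCreated; EventId = $Event.Id
        Indicator = $Indicator; Actor = $Actor; Target = $Target; Detail = $Detail
    }
}

function Get-AdIndicators {
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = $ids; StartTime = $since
        }
        foreach ($e in $events) {
            $x     = [xml]$e.ToXml()
            $actor = Get-EventField $x 'SubjectUserName'
            switch ($e.Id) {
                4720 {
                    New-Finding $dc $e 'AccountCreated' $actor (Get-EventField $x 'TargetUserName') ''
                }
                { $_ -in 4728, 4732, 4756 } {
                    $group = Get-EventField $x 'TargetUserName'   # for these IDs TargetUserName is the group
                    if ($watchGroups -contains $group) {
                        New-Finding $dc $e 'PrivilegedGroupMemberAdded' $actor $group (Get-EventField $x 'MemberName')
                    }
                }
                5136 {
                    $obj = Get-EventField $x 'ObjectDN'
                    if ($obj -like 'CN=AdminSDHolder,CN=System,*') {
                        # OperationType %%14674 = value added, %%14675 = value deleted
                        $detail = '{0} {1}' -f (Get-EventField $x 'AttributeLDAPDisplayName'), (Get-EventField $x 'OperationType')
                        New-Finding $dc $e 'AdminSDHolderModified' $actor $obj $detail
                    }
                }
            }
        }
    }
}

Get-AdIndicators | Sort-Object Time | Format-Table -AutoSize
```

Over a long weekend the useful question is not "did anything change" but "did anything change that nobody in the change calendar owns", so run this against a list of approved changes rather than reading it cold. Forwarding the same event IDs to a SIEM gives you the continuous version of this check.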
Security assessment tools such as Purple Knight and others offer security professionals the opportunity to identify and remove any weak points in their organization’s AD infrastructure before attackers can use them to break back in. Even better, tools such as Directory Services Protector enable you to automate rollback of suspicious changes.
Harden Active Directory for happier holidays
‘Tis the season not just for giving, but for taking: your data, your customers’ data, and your peace of mind. Don’t let cyberattackers ruin your new year, or any other holiday. By hardening AD against attacks, you put a stronger barrier between attackers and their goals.