In a recent webinar I co-hosted with Semperis (the folks behind the Purple Knight security assessment tool), we focused on a key common denominator across recent high-profile attacks—Active Directory. In the session “How Attackers Exploit Active Directory: Lessons Learned from High-Profile Breaches,” Sean Deuby and Ran Harel from Semperis joined me as we discussed four recent attacks that created headlines—SolarWinds, the Hafnium Exchange 0-day attacks, the Colonial Pipeline attack, and the attack on Ireland Health Service. Although every breach was different in terms of tactics, and was executed by different bad actors, they all had devastating consequences. In our discussion, we covered three of the most important preventative measures that organizations can take to protect themselves against cyberattacks.
“You’d have to be living under a rock for the past year to have missed the significant cyber security events that have happened on a week-to week-basis. We spend a lot of time talking about the novel ways bad guys attack. But in reality, the threat actors are not in it to find novel ways; they just want to get in—and the superhighway for threat actors is Active Directory.”
Sean Deuby, Semperis Director of Services
1. Protect email from advanced threats
One of the most common entry points for attackers is email. Advanced phishing campaigns are extremely convincing to end users, and they provide an avenue for attackers to obtain valid credentials and/or deliver malware to endpoints. It is crucially important that organizations take a multi-faceted approach to protecting themselves from these threats. Security awareness training and phishing simulations are important to educate and measure risk. No matter how much training you do, attackers will still succeed. To combat this, an advanced email threat protection solution—one that raises the bar beyond anti-spam and anti-virus tools—must be part of your defense strategy. A service that uses machine learning algorithms and other advanced detections to detect and block phishing messages and suspicious attachments must be in place in today’s threat landscape.
2. Prevent lateral movement
Once an attacker compromises a client computer or member server, they will look to move laterally across the network and escalate privilege. Preventing lateral movement makes the attacker’s job dramatically harder. You can put in place some technically simple—but sometimes operationally challenging—controls to block lateral movement. First, the local administrator password on each endpoint must be different. Microsoft offers a free solution called the Local Administrator Password Solution (LAPS) to achieve this. Second, you cannot nest domain accounts in the local administrators group to enable easy IT support. IT personnel must use LAPS to retrieve administrative credentials for specific endpoints.
3. Secure access to privileged credentials
Preventing adversaries from obtaining privileged access—especially Domain Admin—is a critical defense. If an adversary can escalate their privileges, they can achieve higher or even complete control of the entire network. Implementing effective controls that isolate and protect privilege credentials is extremely important. Two of the most common control sets we implement at Ravenswood Technology Group are the concepts of tiered security controls and privileged access workstations (PAWs). Tiered security controls prevent high-privilege credentials from being exposed to higher-risk assets such as client computers where the credentials might be stolen. PAWs isolate the tasks an administrator performs from their day-to-day workstation to a highly secured workstation, protecting the credential and the administrator’s session from threat vectors such as email, Internet access, and some types of malware.
Is your AD ready for today’s threat landscape?
The attacks we discussed in this webinar are just four of the countless breaches that are making daily headlines. Hardening your organization’s IT environment is critical and for practically any enterprise, Active Directory must be a core component of your hardening strategy. For a free assessment of Active Directory security controls, take Purple Knight for a free test drive to evaluate your Active Directory. Between Ravenswood and Semperis, there are probably no two organizations (outside of Microsoft itself) with more combined AD security expertise. We have an extremely powerful partnership that helps organizations worldwide raise the bar on hybrid identity security.
To get more advice on how to protect your organization, check out the on-demand web seminar. And, of course, you can download Purple Knight for free to identify and address AD security gaps and gain confidence in the security of your AD environment—no matter how complex, convoluted, or neglected it is.