Should an attacker gain access to your Active Directory (AD), you could find yourself in a lot of trouble as AD serves as the gatekeeper to your critical assets. It is imperative that you have as much visibility as possible so that you can quickly recognise and respond to any suspicious behaviour that takes place on your network.
Sure, AD will generate event logs which you can scrutinize in order to gain the visibility you need; however, using the native logs to identify suspicious events would be akin to searching for a needle in a haystack. The native logs generate a lot of noise, they provide inadequate storage options, and provide no options for generating reports.
LepideAuditor is able to aggregate logs from multiple sources and display a summary of important events via an intuitive console. Combined with real-time and alerts and customizable reports, LepideAuditor gives you the visibility you need to protect your Active Directory.
Protection Against Social Engineering Attacks
Whenever possible, hackers will seek to steal a users’ login credentials, as this is often easier than trying to initiate a brute-force attack on LDAP or Kerberos – an authentication protocol used by Active Directory. They often try to do this via some sort of phishing attack – where a user is tricked into handing over details which can help the attack gain access to their account.
While it is theoretically very difficult to protect against social engineering attacks, since they are ultimately caused by human error, we can at least predict certain behaviours that may indicate that something suspicious is taking place. Should an attacker gain access to a set of credentials, they will likely try to use those credentials on as many devices as possible, to see what data they can access.
Using LepideAuditor for Active Directory, you can setup alerts based on a threshold condition – as to detect an unusually large number devices accessed by a given user. Likewise, threshold alerting can be used to identify suspicious login attempts. For example, if a large number of failed login attempts occur over a short period of time, this might indicate a brute for attack. In such a situation, a custom script can be executed which can disable a user account, or anything else that may prevent the attacker from gaining access to the network.
Identifying “Privilege Creep”
If an attacker is successful in gaining access to your network, they will likely seek to obtain more credentials in order to access more data. The attacker will try to add themselves to privileged groups, and/or delete privileged user accounts in order to make it hard for administrators to initiate a response.
Using LepideAuditor, we can check to see if any new members have been added or deleted from privileged groups, and either trigger an alert or execute a custom script to lock down the account and/or server.
Preventing Attacks from Spreading
Attackers will naturally seek to use their stolen credentials to move laterally across your network. Each time they login to a different server, a new event will be created. Again, threshold alerting can be used to identify patterns of behaviour that exceed the typical usage pattern of a particular user.
In this case, an alert or custom script can be executed if a certain number of servers are accessed within a defined period of time, which, when combined, exceed the typical usage pattern represented by that user.
These are just some of the ways in which LepideAuditor can help to keep your Active Directory secure. For a more detailed look at how our Active Directory auditing solution can help you better secure your AD environment, click here.