Why Active Directory is the Main Target of Insider Cyber-Attacks

by Jason Coggins   08.22.2018   Auditing

It is no longer a surprising statistic when we say that nearly half of all data breaches are the result of insiders. More and more organizations are starting to understand the fundamental value of data and the potential implications of having large numbers of privileged users. In fact, a study conducted by the Ponemon Institute claims that the average cost of a data breach rose 30% over the last five years, to almost $4 million.

Internal security breaches are being reported on more and more, and the resulting damage to company reputation can be just as catastrophic as the financial damage of the breach itself. It is too early to know the true damage that the insider attack at Tesla will do to the reputation and bottom line of the business. However, we did see a sharp drop in the stock price, costing key stakeholders huge sums of money.

Insider threats are very difficult to detect and almost impossible to prevent entirely. They can go unnoticed for long periods of time, or simply come down to the careless behaviour of a privileged user. Insider threats range from calculated, efficient attacks to accidental misuse. However, how much damage an insider can inflict on your organization depends entirely on the type and volume of data they can get their hands on. Malicious insiders will look for access to the systems that hold the largest amounts of valuable data. This is why Active Directory is often the first port of call for an insider attack.

Active Directory Risks

90% of the world’s enterprise organizations use Active Directory (AD) as their primary method of authentication and authorization, so it makes sense that this would be the first place an attacker would look to compromise. Where else can they get their hands on such a wealth of sensitive company and employee information? If that is not proof enough that AD is a prime target, Microsoft tells us that 95 million AD accounts are targeted by cyber-attacks every day.

As if securing on-premises AD were not complex enough, the wider adoption of Office 365 has increased the potential attack surface dramatically. Azure Active Directory is used by all Office 365 applications to authenticate users, and every Office 365 instance requires its own Azure AD tenant. This piles on yet another complex and threat-prone environment for IT to secure. From a security perspective, this means that an insider who compromises on-premises AD can have a wide-ranging effect on any web-based applications that rely on Azure AD.

How to Secure Active Directory from Insider Attacks

So, for starters, there is no piece of software or technology that will completely eradicate insider threats. By their very nature, you are likely to experience one at some point, if you have not already. Perhaps the only way to start securing your AD from insider threats is to follow a list of best practices in conjunction with a good Active Directory auditing solution.

The first step in securing your AD is to minimize the attack surface that insiders can take advantage of. This means cleaning up the number of forests and domains in your network. It also means limiting the number of privileged users and permissions in your network, as it is through these types of accounts that the most dangerous insider threats arise.

Administrative accounts are like gold dust to a potential attacker, as they carry high levels of privilege and access to the most sensitive data. Not only should you limit the number of administrative accounts in your organization, but the people who do hold them should be monitored closely.

You also need to enforce strong password rules and policies. Users should not share their passwords, make physical copies of them, or use passwords that are personal to them. Passwords should be complex, contain special characters and upper-case letters, and be changed regularly. That way, if the worst happens and an account is breached, the regular password change ensures the attack cannot continue indefinitely.

In addition to these best practices, you should also deploy a user behaviour analysis solution that monitors the activities of the privileged users in your Active Directory. Such solutions let you audit, monitor and alert on AD changes, helping you spot anomalous behaviour and potential insider threats. LepideAuditor, for example, comes pre-packaged with numerous reports geared towards giving you actionable information about your AD environment. These reports clearly show the “who, what, when and where” for every change made to AD, as well as a list of current permissions. Try LepideAuditor today.
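As an added example (not code from the original post or from the product it describes), the following PowerShell script puts the three practices above into a single check: it inventories the members of the built-in privileged groups, reads the default domain password policy, and pulls the last day's additions to those groups from the Security log as a "who, what, when and where" record. It assumes the RSAT ActiveDirectory module and read access to a domain controller's Security log; the 90-day staleness threshold is an arbitrary choice.

```powershell
# Added example, not code from the original post or its product. Assumes the RSAT
# ActiveDirectory module and read access to the Security log on a domain controller.
Import-Module ActiveDirectory

# Built-in groups whose members can act as domain administrators
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$staleDays = 90   # assumed threshold for an "unused" admin account

# 1. Attack surface: who holds administrative privilege, and is each account still in use?
$admins = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires |
        ForEach-Object {
            $cutoff = (Get-Date).AddDays(-$staleDays)
            [pscustomobject]@{
                Group           = $group
                Account         = $_.SamAccountName
                Enabled         = $_.Enabled
                LastLogonDate   = $_.LastLogonDate
                PasswordLastSet = $_.PasswordLastSet
                # Review: never used, unused for $staleDays days, or exempt from password expiry
                Review          = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff) -or $_.PasswordNeverExpires
            }
        }
}
"Privileged accounts: $($admins.Count); flagged for review: $(@($admins | Where-Object Review).Count)"
$admins | Sort-Object Group, Account | Format-Table -AutoSize

# 2. Password policy: the domain defaults that the post's recommendations are measured against
$policy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    ComplexityEnabled  = $policy.ComplexityEnabled
    MinPasswordLength  = $policy.MinPasswordLength
    MaxPasswordAgeDays = $policy.MaxPasswordAge.Days   # 0 means passwords never expire
    LockoutThreshold   = $policy.LockoutThreshold      # 0 means no lockout
} | Format-List

# 3. Monitoring: who added whom to a privileged group in the last 24 hours?
# 4728 / 4732 / 4756 = member added to a global / local / universal security group
$filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-1) }
foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    # Read EventData by field name from the event XML rather than by positional index
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($privilegedGroups -contains $data['TargetUserName']) {
        [pscustomobject]@{ When = $e.TimeCreated; Group = $data['TargetUserName']; Member = $data['MemberName']
                           Who = $data['SubjectUserName']; Where = $e.MachineName }
    }
}
```

Run it on a domain controller (or a host with RSAT) under an account that can read the Security log; the third section only returns results if group-management auditing is enabled on the domain controllers.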
