Why Cybersecurity Must Include Active Directory

Active Directory Was Not Designed for Cybersecurity

Active Directory was first introduced in 1999, as a part of Windows 2000 Server. During these times, Microsoft was not thinking about modern security concepts such as “least privilege” access or “zero trust”.

As you might expect, attackers are always looking for ways to compromise an organization’s Active Directory environment. After all, were an attacker to gain access to a Domain Admin account, they would effectively have the “keys to the Kingdom”, as they say. To make matters worse, Active Directory vulnerabilities, and the techniques used to exploit them, are generally well documented.

There are many tools and exploit kits that are freely available to download, enabling even novice attackers to try their luck. This is why (in the context of data security) some security experts refer to Active Directory as a company’s “Achilles heel”.

Many Organizations Do Not Follow Active Directory Cybersecurity Best Practices

Approximately 90% of organizations use Active Directory to control policies for users and services.

However, few of them are aware of Active Directory security best practices, or perhaps they fail to implement them due to other reasons. According to an assessment carried out by Skyport Systems;

• Over 50% of organizations allow administrators to use the same account to configure Active Directory as they use for everything else.
• Less than 10% have implemented secure administrative workstations (SAWs), as recommended by Microsoft.
• Less than 25% of organizations use multi-factor authentication (MFA) for AD administrator accounts.
• Almost no organizations have implemented host-based firewalls for their Domain Controllers.
• Less than 15% use administrative whitelists.
• Virtually no mid-market enterprises have followed Microsoft’s recommendations for building an Enhanced Security Administrative Environment (ESAE).

How to Communicate the Importance of Active Directory Cybersecurity to Your Executives

Many companies will have a number of security technologies already in place. They will have SPAM filters, AV software, and virtual sandboxes in place to protect emails. They will have firewalls, IPS, and SIEM solutions in place to protect endpoints and servers from malicious network traffic.

So why is Active Directory security so frequently overlooked?

Well, the main reason is that the CISO’s often struggle to communicate the importance of Active Directory security to the relevant executives, which, to be fair, is not an easy task. CISO’s must convince them to allocate a sufficient amount of resources to secure Active Directory, in terms of time, money, and staffing. Below are some tips that can help CISO’s get the point across.

1. Explain why AD is crucial to the functioning of the business

It is important to speak the language of the executives. They’re not going to throw money at something if they don’t think that it will pay off, or at least, prevent them from losing large sums of money at a later date.

You will need to explain that the security of your entire IT environment hinges on having a secure AD, which will require creating a list of all critical business operations that could be affected by an AD breach. In terms of real-world examples, there are plenty of high-profile Active Directory-related data breaches to choose from.

However, Active Directory is rarely ever mentioned in the publications surrounding these breaches, as most readers probably don’t care about the specific technologies involved. Below are some examples of costly cyber-attacks that were ultimately the result of unsecured/misconfigured AD:

• June 2017: Ransomware attack on Maersk
• June 2018: NotPetya attack on Saint-Gobain
• March 2019: LockerGoga attack on Norsk Hydro
• May 2019: RobinHood attack on Baltimore City

Once you have clearly explained the business (including legal and financial) implications of AD security to your executives, they may be more receptive to a bit of tech talk.

2. Explain how and why AD is a prime target for cyber-criminals

As mentioned above, attackers are always seeking an opportunity to compromise a Domain Admin account, or any Active Directory accounts for that matter. Attackers are constantly developing new and improved attack vectors that automate the process of identifying weak credentials, over-privileged or inactive accounts, Windows systems vulnerabilities, Active Directory misconfigurations, and anything else that might enable them to get their foot in the door.

3. Explain why backups are not enough

Taking regular backups of your Active Directory will only help to restore your environment to the state it was in prior to the incident, which obviously won’t help to prevent attacks. And even then, you must be able to identify what was actually breached and how in order to be sure that restoring the backup will effectively eradicate the threat.

It’s also worth noting that restoring Active Directory backups is not always a straightforward process, as your AD may consist of a large forest of groups and objects, which are replicated to other servers in the cluster. Effective incident response consists of prevention, detection, response, and remediation, and this must be clearly explained to your executives.

4. Explain the importance of 24/7 Active Directory monitoring

It is practically impossible to keep your AD secure if you don’t have visibility into how it is being used. And, as already mentioned, simply restoring a backup following a breach isn’t going to help you if you don’t know what happened, how, why, and when. You will need visibility into any changes to objects, Group Policy, user accounts, password resets, Group Membership, and any kind of anomalous login activity. It is also a good idea to automate the process of detecting and managing inactive user accounts, as attackers will often try to leverage these accounts in order to carry out malicious activities with less chance of getting noticed.