Most large companies run the Active Directory (AD) service. It automates many tasks, integrates assets into a coherent structure and simplifies life for both the IT team and users. However, as an organization grows, it acquires other (smaller) companies, merges and expands its business. All of this changes the AD structure, adding complexity and reducing transparency. As a result, you may need to review and harden Active Directory to reduce the security risks.
Let us start with some theory about Active Directory. The core AD structural unit is the domain. It groups users, hosts, servers and other assets into logical units for centralized administration. A child domain automatically gets a two-way transitive trust relationship with its parent domain, which allows permissions to be granted across domains for access to certain objects or resources. The first domain created becomes the root domain of the forest. It is this forest root domain that is the main goal for cyber criminals: it holds the Enterprise Admins and Schema Admins groups, which grant vast privileges across the entire corporate network.
Active Directory cyber-attacks often start with a phishing email. When someone opens the attachment or link, the attacker receives a shell on that workstation, and a single new session is easy to miss when the AD structure is sprawling. NotPetya in 2017 showed where this leads: although its initial entry was a trojanized update of the M.E.Doc accounting software rather than phishing, it spread across corporate networks by harvesting domain credentials from memory and reusing them via PsExec and WMI (alongside the EternalBlue and EternalRomance SMB exploits), and caused approximately $10 billion in damage globally.
AD attacks develop in a few phases. Attackers typically compromise an end-user workstation, enumerate the domain for vulnerabilities or misconfigured permissions, and exploit them to escalate privileges. Then they move laterally through a series of hosts to reach a server that has more privileges in the network hierarchy, for instance a domain controller or a business-critical file server.
There are several actions you can take for your organization, as an internal IT security specialist or as a trusted security partner, to reduce the AD-associated risks:
– Train non-IT teams in the basics of cybersecurity, so they can recognize phishing emails and properly report suspicious activity
– Continuously monitor the security logs to detect cyber-attacks at an early stage
– Conduct an Active Directory audit and hardening exercise
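A large part of an AD audit is checking account attributes for settings that hand attackers the misconfigured permissions described earlier. The following is an added example, not code from the original post: it decodes the userAccountControl bit field and applies a few standard checks to a constructed CSV export of user accounts. The column names, the assumption that dates have already been converted to ISO form, the 365-day password-age threshold and the finding codes are all this example's own choices; the flag values themselves are the documented userAccountControl bits.

```python
import csv
import io
from datetime import date, timedelta

# Documented userAccountControl bits relevant to an audit.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",               # password may be empty
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",   # reversible encryption
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",      # unconstrained delegation
    0x400000: "DONT_REQ_PREAUTH",           # AS-REP roastable
}

# Constructed export (assumed column layout; real exports would come from a
# directory query, with pwdLastSet converted from FILETIME to a date).
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl,servicePrincipalName,pwdLastSet,adminCount
j.doe,512,,2023-11-02,0
svc_sql,66048,MSSQLSvc/sql01.corp.local:1433,2019-06-14,0
legacy.app,4260352,,2022-01-10,0
backup.adm,590336,,2021-03-03,1
temp.user,544,,2024-01-20,0
old.admin,514,,2018-05-05,1
"""


def decode_uac(value):
    """Return the set of flag names set in a userAccountControl integer."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def audit_account(row, as_of, max_pw_age=timedelta(days=365)):
    """Return a list of finding codes for one exported account row.
    Disabled accounts are skipped: they cannot be used until re-enabled."""
    flags = decode_uac(int(row["userAccountControl"]))
    if "ACCOUNTDISABLE" in flags:
        return []
    findings = []
    if "DONT_REQ_PREAUTH" in flags:
        # Anyone can request an AS-REP for this account and crack it offline.
        findings.append("ASREP_ROASTABLE")
    if row["servicePrincipalName"]:
        pw_age = as_of - date.fromisoformat(row["pwdLastSet"])
        if pw_age > max_pw_age:
            # Any domain user can request a ticket for this SPN; an old
            # password makes the offline crack more likely to succeed.
            findings.append("KERBEROASTABLE_OLD_PASSWORD")
    if "TRUSTED_FOR_DELEGATION" in flags:
        # Unconstrained delegation: this account can impersonate anyone
        # who authenticates to it, including domain admins.
        findings.append("UNCONSTRAINED_DELEGATION")
    if "PASSWD_NOTREQD" in flags:
        findings.append("PASSWORD_NOT_REQUIRED")
    if "ENCRYPTED_TEXT_PWD_ALLOWED" in flags:
        findings.append("REVERSIBLE_ENCRYPTION")
    if row["adminCount"] == "1" and "DONT_EXPIRE_PASSWORD" in flags:
        # adminCount=1 marks (current or former) members of protected groups.
        findings.append("PRIVILEGED_NONEXPIRING_PASSWORD")
    return findings


def audit_export(csv_text, as_of):
    """Return {account: [findings]} for every account with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_account(row, as_of)
        if findings:
            report[row["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit_export(SAMPLE_EXPORT, date(2024, 3, 1)).items():
        print(f"{account}: {', '.join(findings)}")
```

Each finding maps to a concrete hardening step: remove the pre-authentication exemption, rotate service-account passwords (or move them to group managed service accounts), replace unconstrained with constrained or resource-based delegation, and enforce password policy on privileged accounts. Running the audit against an export rather than live against the directory keeps the check repeatable and lets the same report be diffed over time.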
Learn more about how to harden Active Directory at the next sababa [talks] webinar on 17/02. Registration is open.
Image by Pixels