A global threat to enterprises: The impact of Active Directory attacks

• Contributed by Jerome Robert, chief marketing officer at Alsid.

Introduction

If you are a CEO, CFO, CMO, or basically any non-IT member of a management team, you probably haven’t heard of Active Directory (AD).

Nonetheless, you are using it every day, every hour, every minute when you log in to your device, open your emails, access an application, or share a file.

It is the very foundation on which your IT infrastructure is built.

Naturally, you probably haven’t heard of what would happen if this vital pillar of your IT were compromised.

You might even think this is an unrealistic scenario. Perhaps it’s nothing more than a thought experiment for security geeks who dream up zombie-apocalypse scenarios?

High-level risks

Being the global orchestrator of your IT infrastructure, Active Directory is, by design, a single point of failure.

On the other hand, Active Directory is perpetually evolving, in tandem with the enterprises’ organigrams, business architectures, and M&A activities. So that Active Directory is also, by construction, a heterogeneous system that gets – from a security hygiene standpoint – quite ugly quite quickly.

This awesome combo – an insecure single point of failure – hasn’t gone unnoticed among the hackers’ crowd. About a decade of Active Directory-related attacks gone public have taught us – the hard way – the actual risks organisations face.

There are two ways hackers exploit Active Directory that lead to dramatic business disruptions:

• Crippling Active Directory itself. By undermining the very foundation of an organisation’s IT, attackers can prevent users and applications from logging into their systems and accessing their required resources. And while this may seem a hit-and-run tactic, there are some well-documented – albeit poorly addressed – procedures for hackers to persist into their victim’s AD even after a greenfield rebuild. Seek, destroy, repeat.
• Using Active Directory as a transport for destructive malwares. Destructive malware is not rocket science. Highly sophisticated payloads such as Stuxnet are the exceptions, while today’s consumer-level ransomwares are good-enough to do the destruction job effectively. The only challenge in those attacks is distribution: getting these malwares installed on a sufficiently large number of endpoints so that recovery at scale becomes unrealistic. In this regard, exploiting Active Directory weaknesses is the only practical option for hackers to move laterally within the infrastructure. That is: literally all large-scale, infrastructure-wide attacks that have crippled production capabilities in the recent years had an Active Directory exploit at their core.

(Cyber)Insider trading

These cybercriminal activities are by nature difficult to quantify, but several recent empirical studies found strong correlations between drops in stock prices and breach announcements. Hackers groups involved in Cyber Insider Trading fall under two distinct categories:

• Hacker-Traders steal non-public data to inform their trades, therefore gaining unfair advantage in the free market. Notable cases involve massive theft of soon-to-be-disclosed earning reports or early-stage indications of M&A projects at enterprises or investment banks.
• Traditional cybercriminals anticipate a drop of their victims’ stock price after the disclosure of their attack, and thus increase their attack’s return-on-investment by adding a trading component to it.

As for any other malware-driven cybercrime, exploiting Active Directory remains the only effective way for hackers to move within an organisation’s IT until they gain access to the data they are looking for.

Direct financial losses and stock prices

Our industry now has a couple of decades of reference points on cyber extortion, vandalism, and theft. This sad history has at least one good facet: direct, immediate money-cost of attacks is now a well-documented field of research.

There are four very direct, immediate ways enterprises and shareholders lose money because of a cyber incident:

• Sudden stock price drops
• Legal penalties and charges
• Money heist
• IT remediation costs, per se

As explained earlier, no large-scale attack on an IT infrastructure would succeed without exploiting, at some point, a couple of Active Directory weaknesses.

So that all those costs are indeed linked to the insecurity of this critical infrastructure.

That being said, the IT remediation costs themselves can grow exponentially accordingly to the post-incident state of Active Directory itself: if it’s entirely compromised – which is often the case – then the remediation truly is a greenfield rebuild.

This painful process usually mobilises dozens, sometimes hundreds, of employees and specialised contractors who refactor the entirety of the architecture during nights and weekends. And that comes at great costs.

Addressing active directory security

The security industry at large hasn’t been perfect in addressing this threat early on. But we haven’t lost the battle either.

Fighting Active Directory-related cybercrime is now an established field of research that has produced practical risk-mitigation tactics.

Best Practices

There are several trusted sources that detail the best practices organizations should follow in order to harden and defend their Active Directory. Most notably:

• Microsoft - https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
• NIST - https://nvd.nist.gov/ncp/checklist/669
• ANSSI - https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-active-directory/

These recommendations will ensure your organisation follows a strict hygiene when it comes to AD security, so that you’re less exposed to those aforementioned risks.

However, they will not help you – or only very marginally – when it comes to detecting ongoing attacks that penetrate your well-hardened infrastructure.

Real-time monitoring

Using a tool to audit Active Directory can identify configuration issues, but audit data quickly becomes stale, and AD must be monitored continuously to ensure potential threats and breaches are detected swiftly.

Because the threat landscape is constantly changing, events collected from Active Directory should be analyzed against a threat intelligence feed to ensure issues are flagged as they occur and brought to the attention of IT staff.

Unfortunately, this is hardly do-able without specialised tooling.

Taken separately, the security and Active Directory talent pools are already scarce. Hiring a team of professionals who boast both skills is close to impossible. In this context, the use of specialised technologies that can combine AD-focused intelligence feeds and local logs is the only viable solution to monitoring Active Directory at scale.