Securing Your Active Directory: Notable Discoveries and Protective Measures

In a recent study conducted by Sophos X-Ops, it was discovered that attackers can breach Microsoft Active Directory within just 16 hours. Active Directory is a critical asset for companies, and once attackers gain access, they can move freely through the network, stealing data, planting ransomware, and causing other forms of disruption.

Effectively infiltrating Microsoft Active Directory, now known as Microsoft Entra ID (formerly Azure Active Directory), represents a significant achievement for malicious actors. Once they gain access to Active Directory, they have the capability to pivot across the network, exfiltrate data, infiltrate applications and servers, introduce hidden access points and ransomware, and initiate various forms of disruption.

For example, attackers typically reach Active Directory within approximately 16 hours, and they do not wait long before stealing data from that point. According to Sophos, up until June 2023, the median duration between data exfiltration and ransomware deployment stood at around 21 hours. Nevertheless, there was a substantial time lag before the stolen data was publicly posted online, averaging approximately 28.5 days.

One reason why Active Directories are frequently targeted is their lack of robust defense measures. Sophos found that most AD servers they investigated were only protected by Microsoft Defender, and in some cases, had no protection at all. Even when Microsoft Defender was present, attackers had effective methods of disabling it.

“In fact, we have witnessed a consistent increase in the utilization of this method over the last three Active Adversary Reports. In 2021, this approach was detected in 24% of instances, which escalated to 36% in 2022 and has continued to climb, reaching 43% in the initial half of 2023,” as stated in Sophos’s report.

Once those defenses are disabled, the attackers have a safe haven in Active Directory to use as a launching point for their movements within the compromised organization.

Fortunately, organizations can enhance the security of their Active Directory setups by taking certain measures, particularly if they have been inactive or have solely relied on Microsoft Defender, as indicated by Sophos’s findings. Here are some measures to consider:

  1. Inventory: Collect a comprehensive accounting of all Active Directories. Keep this list up to date.
  2. Harden administrative hosts: Secure Active Directory administrative host systems by shutting down all unused services, removing stale objects, limiting open ports, and doing everything else reasonably possible to reduce the host’s attack surface. Implement Microsoft’s Local Administrator Password Solution (LAPS).
  3. Adopt the principle of least privilege: Identify accounts with high privilege levels and reduce access to only the necessary levels.
  4. Harden your domain controllers: An attacker who gains access to the Active Directory Domain Services database can modify or destroy it and access all of the associated accounts. These systems provide the services and information enterprises need to manage their users, workstations, applications, and servers.
  5. Implement strong authentication: Multifactor authentication (MFA) can be used for Active Directory access. MFA is an additional layer of security that requires users to provide two or more forms of authentication before accessing a system or application. This can be done using Microsoft’s native multifactor authentication capabilities or third-party multifactor authentication vendors. Also, use strong passwords.
  6. Monitor for compromise: Employ logging and auditing capabilities to quickly identify and investigate suspicious activity. This includes using log management tools, specialized Active Directory monitoring tools, and security information and event monitoring systems.
  7. Review and update security policies: Regularly review and adjust security policies governing Active Directory deployments to ensure they remain effective.
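The monitoring step above is easier to reason about with a concrete detector. The following is an added example, not code from the article or from Sophos: it runs over a few constructed Windows event records (the `ts|event_id|host|subject|target` format, the host names and the account names are all made up) and flags the two signals the article highlights, Microsoft Defender being disabled on a domain controller and a privileged-group membership change shortly afterwards. The event IDs are the standard Windows ones; the set of privileged groups is an assumption to adjust to your own forest.

```python
# Added example, not from the article. Standard Windows event IDs used:
#   5001 (Microsoft-Windows-Windows Defender): real-time protection disabled
#   4728 / 4732 / 4756 (Security log): member added to a security-enabled
#                                      global / local / universal group
from datetime import datetime, timedelta

# Assumption: groups whose membership changes must always be reviewed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
DEFENDER_DISABLED = 5001
WINDOW = timedelta(hours=1)  # correlation window between the two signals

def parse(line):
    """Parse one constructed 'ts|event_id|host|subject|target' record."""
    ts, eid, host, subject, target = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "id": int(eid),
            "host": host, "subject": subject, "target": target}

def analyze(lines):
    """Return (alert, host, subject) tuples. A 'likely_intrusion' alert is
    raised when Defender is disabled on a host and a privileged-group change
    follows on the same host within WINDOW."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts, disabled_at = [], {}
    for e in events:
        if e["id"] == DEFENDER_DISABLED:
            disabled_at[e["host"]] = e["ts"]
            alerts.append(("defender_disabled", e["host"], e["subject"]))
        elif e["id"] in GROUP_ADD_EVENTS and e["target"] in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_add", e["host"], e["subject"]))
            t0 = disabled_at.get(e["host"])
            if t0 is not None and e["ts"] - t0 <= WINDOW:
                alerts.append(("likely_intrusion", e["host"], e["subject"]))
    return alerts

# Constructed sample records (not real telemetry).
SAMPLE = [
    "2023-06-01T02:12:30|5001|DC01|CORP\\svc_backup|Real-time protection",
    "2023-06-01T02:40:05|4728|DC01|CORP\\svc_backup|Domain Admins",
    "2023-06-01T09:00:00|4732|FS02|CORP\\helpdesk1|Remote Desktop Users",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

The non-privileged group change on FS02 produces no alert, while the DC01 sequence produces the two individual findings plus the correlated one.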

Certainly, regardless of how diligently an organization safeguards its Active Directories, there are instances where attackers breach the defenses. Consequently, organizations need to establish the means to detect these intrusions.

Through vigilant monitoring for indications of compromise, organizations can ensure their security operations teams have the ability to scrutinize the situation and, if necessary, mobilize their incident response teams. This entails the use of general log management and monitoring tools, specialized tools for overseeing Active Directory setups, as well as security information and event monitoring systems.

By simply integrating auditing and logging capabilities, organizations can swiftly pinpoint and investigate suspicious activities.

Lastly, it’s essential to periodically assess and adapt the security policies governing Active Directory deployments to ensure they remain up-to-date and effective.

Sources:

https://isp.page/news/ransomware-gangs-take-less-than-a-day-to-breach-microsoft-active-directory-heres-what-to-do/

https://www.scmagazine.com/resource/ransomware-gangs-take-less-than-a-day-to-breach-microsoft-active-directory-heres-what-to-do
