A frequent stop on the ransomware attack path: Active Directory

Hackers like to ‘understand and expand’ by doing recon on the Microsoft database.

Jean-Luc Ichard/Getty Images


Microsoft’s database of users and computers, known as Active Directory (AD), is a bit like an amusement-park entrance booth—the ticket says which games and rides are permitted.

Ransomware threat actors, however, have frequently been faking their height to get on the roller-coaster, so to speak, by using Active Directory and its privileged accounts as the attack route. Given the costliness of the threat, companies need to watch for misconfigurations—a common precursor to an attack—to avoid breaches.

“We have a ransomware attack path that is predominantly dependent on Active Directory to be successful, and adversaries are using it, and now we have a lot more motivation [around] how we’re going to implement the best practices, that are supplied by Microsoft themselves, on how you should be using Active Directory Group Policy,” said John Dwyer, head of research for X-Force, IBM’s consulting arm.

We all make misconfigurations. Identity-platform misconfigurations are a common vector for gaining unauthorized, high-privilege access, according to Microsoft’s Digital Defense Report 2022. Microsoft incident responders found that 90% of customers impacted had “insecure Active Directory configuration.”

One example of such a misconfiguration: enabling web-based access to the Active Directory management interface and then omitting the control that keeps that interface off the public internet. The interface ends up exposed to the internet and reachable by an attacker.

A brand-new, fresh reconfiguration of Active Directory is rare for established organizations.

“There’s a lot of configurations that happen, or may have happened a decade ago, that now are presenting a new threat vector that the organization doesn’t know about,” said Dwyer.

You audit know.

IBM, in its X-Force Threat Intelligence Index 2022, called stage three of a ransomware attack—after initial access and installation of malware—“understand and expand,” where hackers do Active Directory recon and gather a list of domain admins.

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

In a May 2022 attack, “Quantum” ransomwarers used Cobalt Strike and ADFind tools to (very quickly) locate Active Directory accounts.

Dwyer believes an Active Directory audit should limit attack paths, architect least privilege, and protect credentials. It can also include automated alerts. One example from Dwyer’s time as a systems administrator: Anyone in the highly privileged domain admins group for longer than 24 hours was given the boot, and an email notification was sent to staff.
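One way to implement the 24-hour eviction Dwyer describes, as an added PowerShell example that is not the article’s or IBM’s own code: it reads the replication metadata of the group’s member attribute to find when each current member was added, removes anyone older than the window who is not on a permanent allow-list, and mails a summary. It assumes the RSAT ActiveDirectory module and an SMTP relay; the allow-list names, relay host and addresses are placeholders.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Group       = 'Domain Admins',
    [string[]]$Permanent = @('Administrator', 'breakglass-admin'),  # placeholder sAMAccountNames
    [int]$MaxHours       = 24,
    [string]$SmtpServer  = 'smtp.example.internal',                  # placeholder relay
    [string]$NotifyTo    = 'secops@example.internal'                 # placeholder mailbox
)
Import-Module ActiveDirectory

# Query the PDC emulator so every run sees the same originating timestamps.
$dc     = (Get-ADDomain).PDCEmulator
$grp    = Get-ADGroup -Identity $Group -Server $dc
$cutoff = (Get-Date).AddHours(-$MaxHours)

# Per-value metadata for the linked 'member' attribute: LastOriginatingChangeTime
# is when that particular member link was last written (i.e. added or re-added).
$meta = Get-ADReplicationAttributeMetadata -Object $grp.DistinguishedName -Server $dc -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' }

$evicted = @()
foreach ($m in Get-ADGroupMember -Identity $grp -Server $dc) {
    if ($Permanent -contains $m.SamAccountName) { continue }          # approved standing admins

    $entry = $meta | Where-Object { $_.AttributeValue -eq $m.distinguishedName } | Select-Object -First 1
    $added = if ($entry) { $entry.LastOriginatingChangeTime } else { $null }

    # Inside the window: leave alone. No metadata at all: treat as unknown age and evict,
    # since a privileged membership nobody can date is exactly what an audit should surface.
    if ($added -and $added -gt $cutoff) { continue }

    if ($PSCmdlet.ShouldProcess($m.SamAccountName, "Remove from '$Group'")) {
        Remove-ADGroupMember -Identity $grp -Members $m -Server $dc -Confirm:$false
    }
    $evicted += [pscustomobject]@{ Account = $m.SamAccountName; AddedOn = $added }
}

if ($evicted) {
    $body = "Members removed from '$Group' after exceeding $MaxHours hours:`n" +
            ($evicted | Format-Table -AutoSize | Out-String)
    Send-MailMessage -SmtpServer $SmtpServer -From 'ad-audit@example.internal' -To $NotifyTo `
                     -Subject "[AD audit] $($evicted.Count) account(s) evicted from $Group" -Body $body
}
```

Run it with `-WhatIf` first to see who would be removed without changing the group; scheduled hourly, it enforces the window Dwyer describes rather than relying on someone remembering to clean up.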

Dwyer also recommends yearly audits from a third-party Active Directory assessment vendor.

A September 2021 study from the industry-analyst firm EMA found that 34% of respondents performed weekly AD audits.

Nearly 80% of cyberattacks leverage identity-based attacks to compromise legitimate credentials and use techniques like lateral movement—impersonating a user and moving through multiple systems—to quickly evade detection, according to a recent report from the cybersecurity company CrowdStrike.

The high number of incidents has turned AD into a security priority, said Kapil Raina, VP of zero-trust and identity marketing at CrowdStrike, to keep hackers off the Tilt-A-Whirl.

“For more than half our customers, the security of Active Directory now falls under the CISO…It used to be part of IT operations or administration, but now it’s really become a security mandate,” Raina told IT Brew.—BH

