In many cases, hacker attacks follow the same pattern: first, attackers try to log on to the network with traditional user credentials. They then use tools to gain elevated privileges. Once an attacker has taken over enough vulnerable user accounts and has the appropriate privileges, they can use their elevated privileges to wreak havoc on the network and steal data. This approach is simple, effective, and works on almost any network.
“When I find a breach on a network, the first thing I do is look for domain administrator privileges by reading credentials from the systems’ memory. I keep looking until I find such privileges on a network. And I always do!”, says Alissa Knight, a well-known hacker. She became known for successful attacks on government agencies in the U.S. and now works for intelligence agencies in cyber warfare. This information should be enough for company officials to start looking for vulnerable identities on the network.
Often, a whole chain of stolen credentials is successful, which in many cases can be used with elevated privileges on the network, for example by stealing credentials from administrators. This poses a significant threat to an organization’s reputation and, of course, the economic damage when cybercriminals steal sensitive documents or other data.
According to the Verizon Data Breach Incident Report, credentials are the most sought-after category of data in breaches (60%). According to the Identity Defined Security Alliance, 79% of organizations have experienced an identity-related breach in the last two years.
Here’s how to secure active directory with confidence: get the facts
It quickly becomes clear that administrators of organizations with active directory should review and adjust the security of the environment to achieve maximum security. Many environments make it too easy for attackers. First, tools like PingCastle help analyze the active directory environment and identify vulnerabilities. This is accompanied by instructions on how to close obvious vulnerabilities. The use of this tool should be mandatory for active directory environments of all sizes, especially since PingCastle can be tested for free.
There are also free tools for checking permissions in an active directory infrastructure, such as AD Permissions Reporter, which can help you find mis-set permissions. There are many other tools available in this area. It is important that administrators identify and remediate vulnerabilities in the environment, including permissions.
Block malware, ransomware, and hacker gateways
Other security measures include identifying entry points for hackers and securing the environment. This includes ensuring that accounts with administrative privileges in the environment are not also used to work with traditional PCs. In addition, administrator rights should be implemented according to a Permission Access Management (PAM) system. This is where administrators are given only the rights they need for administration. In addition, there is the Just-In-Time (JIT) approach, where administrator accounts only have these rights for a certain period, and the rights are restricted again after a task has been completed.
Privileged Access Workstations (PAW) are also important. These are specially secured workstations that are used exclusively for Active Directory administration. These workstations, as well as other computers on the network, should be secured using Group Policy. Microsoft provides templates that can be used to maximize the security of computers on your network.
Install updates promptly and remove unnecessary users and computers
Microsoft releases updates on the second Tuesday of each month. Administrators should install updates as soon as possible on that patch day. This is because updates are often available for vulnerabilities that are already publicly known and for which exploits are available. Installation can be largely automated using built-in tools.
Active directory environments often accumulate legacy user and computer accounts that are no longer in use but are still functioning. If an attacker hijacks such an account, they can move around the network with impunity. Legacy items should be removed as soon as possible for security reasons.
Prepare for emergencies
Ultimately, there is no such thing as 100% protection against cyber-attacks. For this reason, managers should ensure that the environment is fully backed up and that a disaster recovery plan is in place. This plan should also be tested on a regular basis. This should include recovery in a test environment to ensure that each step works reliably and is practiced regularly. This will ensure that in the event of a disaster, recovery will work as quickly as possible.