Active Directory has become the primary target for advanced cyberattacks and ransomware groups. Here's what you should consider when evaluating security vendors.
For more than 20 years, Active Directory has formed the backbone of digital infrastructure for organizations worldwide. When fully operational, its purpose goes beyond just governing authentication and passwords to managing the crucial access control rights for almost every organizational asset.
Active Directory is by no means a static software system, and its universal adoption is a testament to its ability to adapt and meet ever-changing business requirements. A modern organization’s architecture can change instantly. And Active Directory security hygiene can get ugly fast if not managed or secured properly.
With inefficient Active Directory management, access control gaps arise, allowing non-privileged users easy access to data that is not meant for them. But that is just the beginning, for Active Directory is now the major target of advanced attackers and ransomware groups.
Just as one falling domino can start a chain reaction, one change in Active Directory can snowball into further unexpected consequences. Eventually, this creates a hidden attack pathway in the directory. What if there were multiple attack pathways? How can a single attack pathway be detected before others surface? Are you currently able to see this activity on your own systems?
Active Directory must scale with your business in resilience and security capability. The reality is that as the demands on Active Directory grow, the service will very often devolve to an insecure, non-compliant state, becoming an organizational risk rather than a trusted platform facilitating business optimization and growth.
Enforcing Active Directory security in these circumstances is paramount, but only after the most pressing questions are answered. Not all so-called Active Directory security solutions are created equal, so we have assembled 10 fundamental questions we believe will help your decision-making process.
1. Does the vendor install agents on the Active Directory and are privileged rights required?
No security professional wants to give access to a system they spend their days maintaining. The same goes for an IT administrator who manages a complex system like Active Directory. Part of that management is ensuring that Active Directory control is not provided freely to any third party or external source. Control and privileged rights access are usually given through the deployment of agents that act under a “trust-based” jurisdiction. This ultimately gives access to view, modify or change objects. But the installation of an agent should not be a requirement for enabling Active Directory security on the domain controller, or any endpoint for that matter. Knowing the importance of Active Directory within an organization, your administrators should not feel comfortable with vendors requiring mandatory access to the directory. The installation of agents and the surrender of privileged rights imply that access to confidential corporate data is open.
It is imperative to guarantee that privileged rights to Active Directory are not surrendered and that platforms are unable to alter or modify objects. Currently, there are only a limited number of auditing solutions for Active Directory, providing little protection and only capable of monitoring and reporting on attacks after they have occurred. These auditing solutions may include agent deployments on domain controllers, which lead to partial or full control over the status of Active Directory objects. There is no reason why any third party should require open access to these objects. Also, some agent-based Active Directory security solutions have strict update requirements to remain supported, and sometimes the .NET Framework must be installed (including on the domain controller).
2. Does the vendor display information in real time?
Picture driving a car. A real-time warning system should alert you when a dangerous, oncoming driver is approaching, not after the driver hits your car. Likewise, you would want to be alerted of brake failure before you start your car, not after you’re already on the road. In the world of Active Directory security, real-time alerting is mission critical. A real-time solution must detect and alert you to ongoing configuration changes that affect security measures of the Active Directory, as well as provide recommended steps for remediation. With real-time visibility, you can validate a proactive approach to monitoring and detection, deterring attackers who sit for months within target networks waiting for the right Active Directory attack pathways to appear.
3. Is the vendor compatible with all Active Directory versions, as well as Azure AD?
Over the past 20 years, Microsoft has released upgraded versions of the Active Directory platform. One of the primary changes is the on-prem vs. cloud scenario. A platform should be able to connect with and support both on-prem and Azure Active Directory (Azure AD) components.
In addition, Active Directory has been stuck in the Dark Ages when it comes to directory configuration. Configuration upgrades have taken place periodically or not at all. As such, platforms should incorporate indicators of exposure to evaluate how “clean” the on-prem component of Azure AD (Azure AD Connect) is. Generally, an Active Directory security platform must be fully compatible with Azure AD Domain Services, Microsoft's managed Active Directory service.
4. Does the vendor rely on event logs or object changes to provide analysis?
Trying to secure Active Directory continually with event logs is difficult and cannot provide 100 percent visibility.
To stay up to date, you need to have dedicated Active Directory security experts constantly surveying the threat intelligence space, discovering your misconfigurations that could be leveraged in attacks, understanding the event logs used to detect attacks and creating rules to extract the specific configuration event log from the full stream of all event logs. This is expensive, difficult and inefficient.
There are, on average, 10 to 20 new toxic Active Directory configurations released or discovered each year.
What’s more, attackers are now conducting attacks that do not create event logs (such as DCShadow), or they are turning off auditing in the Active Directory by modifying the system access control list (SACL) of the objects they touch, so they can make changes without leaving a trace in the event logs.
All this means that event logs can no longer be trusted to give a full view of what is happening in Active Directory. The only way to accomplish this is by analyzing the object level in the Active Directory database, which is precisely what Tenable.ad achieves. Moreover, Tenable.ad automatically includes updates when new toxic configurations are released so they can be detected at the object level. Simply put, the attacker cannot hide.
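An added example of the object-level approach this section describes (it is not code from the article or from Tenable.ad): two snapshots of directory objects are compared attribute by attribute, so a change is reported even when the audit ACEs in the SACL were removed first and no Security event was ever written. The object names, SIDs and SDDL strings are constructed sample data, and the assumption is that real snapshots would be pulled from an LDAP export or Get-ADObject.

```python
"""Object-level change detection for Active Directory (added example).
Two snapshots of directory objects are diffed on security-relevant attributes, so a change
shows up even when auditing was switched off first. Sample objects are constructed; real
snapshots would come from an LDAP export or Get-ADObject (assumption)."""
import re
from typing import Dict, List, Tuple

# Attributes whose modification changes the security posture of an object.
SENSITIVE_ATTRS = (
    "nTSecurityDescriptor",  # DACL/SACL in SDDL form; the SACL holds the audit ACEs
    "adminCount",            # marker for objects protected by AdminSDHolder
    "servicePrincipalName",  # an added SPN exposes the account to Kerberoasting
    "member",                # privileged group membership
)
Snapshot = Dict[str, Dict[str, object]]  # distinguishedName -> {attribute: value}

def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Tuple[str, str, object, object]]:
    """Return (dn, attribute, old, new) for each sensitive change; created or
    deleted objects are reported with attribute '<object>'."""
    findings = []
    for dn in sorted(set(before) | set(after)):
        old, new = before.get(dn), after.get(dn)
        if old is None or new is None:
            findings.append((dn, "<object>", old, new))
            continue
        for attr in SENSITIVE_ATTRS:
            if old.get(attr) != new.get(attr):
                findings.append((dn, attr, old.get(attr), new.get(attr)))
    return findings

def audit_aces(sddl: str) -> List[str]:
    """Audit (AU) ACEs from the SACL section ('S:') of an SDDL string."""
    pos = sddl.find("S:")
    return re.findall(r"\(AU;[^)]*\)", sddl[pos + 2:]) if pos >= 0 else []

def audit_aces_removed(old_sddl: str, new_sddl: str) -> List[str]:
    """Audit ACEs present before but gone after: auditing of this object was weakened."""
    return [ace for ace in audit_aces(old_sddl) if ace not in audit_aces(new_sddl)]

# Constructed sample: AdminSDHolder loses its audit ACE and gains a full-control DACL
# entry for an ordinary user SID, and a service account acquires an SPN.
ADMINSD = "CN=AdminSDHolder,CN=System,DC=corp,DC=example"
SVC = "CN=svc-report,OU=Service,DC=corp,DC=example"
BEFORE: Snapshot = {
    ADMINSD: {"nTSecurityDescriptor": "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)S:(AU;SAFA;WDWOWP;;;WD)"},
    SVC: {"adminCount": 0, "servicePrincipalName": ()},
}
AFTER: Snapshot = {
    ADMINSD: {"nTSecurityDescriptor": "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;GA;;;S-1-5-21-1-2-3-1105)"},
    SVC: {"adminCount": 0, "servicePrincipalName": ("MSSQLSvc/db01.corp.example:1433",)},
}
```

Running `diff_snapshots(BEFORE, AFTER)` reports both the descriptor change on AdminSDHolder and the new SPN, and `audit_aces_removed` on the two descriptors names the audit ACE that was stripped.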
5. Does the vendor proactively identify dangerous misconfiguration attack pathways out of the box?
Recall the car-and-driver analogy. Similarly, built-in anticipation within an Active Directory security platform provides several benefits that can increase the likelihood of breaking potential attack pathways. Built-in anticipation enables a proactive approach to Active Directory security, rather than the reactive method that is used by the vast majority of existing solutions.
The most common way Active Directory gets hacked today is through misconfigurations in the software that are used to escalate privileges or propagate ransomware. Therefore, the most effective method to secure Active Directory is to continuously detect and remediate dangerous configurations as soon as possible once they appear. Tenable.ad provides security teams with this powerful advantage.
Active Directory is constantly evolving, with potentially hundreds of changes occurring every minute. Any of these changes could open your environment to adversaries, such as backdooring techniques (e.g., AdminSDHolder modification) and credential dumping techniques (e.g., Kerberoasting).
Tenable.ad quickly and simply enables proactive, comprehensive security to continuously harden Active Directory, including Group Policy Objects (GPOs). As cyberattacks increasingly exploit dangerous Active Directory misconfigurations, the ability to detect and remediate new misconfigurations before they can be weaponized is key. Detecting them after the fact has little value.
With Tenable.ad, you can continue to detect the most complex Active Directory attacks without draining your security team’s resources.
6. Can the vendor provide in-context security information in real time?
It is not enough to simply display the specific deviance for an Active Directory object, as this view provides limited “global” information. This data will not reveal where the specific problem is coming from.
An incriminating object needs a detailed, accurate explanation of the security issue and, where relevant, to show how multiple security issues relate to each deviant object. You should be allowed to individually select each separate security problem from one specific object and address it independently. Coupled with the detailed information explaining how to fix these complex security issues, Tenable.ad empowers clients to proactively harden their Active Directory.
Tenable.ad enables continuous detection and remediation at the object level, providing real-time, in-depth explanations of each detected Active Directory security event, why it is dangerous and how to fix it.
By detecting Active Directory attack pathway misconfigurations, attacks like Pass-the-Hash, Golden Ticket, DCShadow and DCSync can be stopped before they begin.
7. Does the vendor detect advanced Active Directory attacks in real time—out of the box?
From a detection viewpoint, cyberattacks are becoming more complex. While the types of attacks are diverse and numerous, there are specific attack types that primarily target the Active Directory.
Tenable.ad detects standard attacks like password spraying out of the box, as well as the much more complex and difficult-to-detect attacks like DCShadow. The most advanced attackers will run stealthy attacks that switch off event logs to allow them to establish persistent access to the Active Directory via backdoors. Tenable.ad also detects these complex Active Directory backdoors in real time, right out of the box.
Remember that real-time detection alone is not enough and should be followed by an easy-to-understand set of remediation steps that provide a non-security-focused administrator with the ability to take the recommended actions.
8. Does the vendor enable forensics and threat hunting at the object level?
While you should not give out access or control over an Active Directory object, you still want to get accurate information at the object and attribute levels. Organizations need a platform with a built-in trail flow interface that detects and displays in real time such detailed information and changes. This advanced monitoring and alerting should be supported along with relevant steps to fix any changes that may create attack pathways.
Recall those 10 to 20 new toxic configurations that are discovered in Active Directory each year. Since Tenable.ad captures and stores every object change once connected, this data can be easily accessed for threat hunting at the object level, including extensive object attribute visibility.
Access to real-time, accurate and relevant security analytics specific to Active Directory is paramount to ensuring that IT and security teams see a realistic picture of their Active Directory security posture. Dashboards should include a security view of Active Directory, as well as compliance scores, attack numbers and information flow with graphs highlighting the constant evolution of related security metrics.
9. Can the vendor visualize security attack pathways for easier analysis?
The original authors of Tenable.ad conducted the advanced Active Directory security research used to develop BloodHound. The Tenable.ad topology graph provides a unique and intuitive way of exploring Active Directory security attack pathways, including hidden or unintended relationships, visually and continuously against existing data.
Your security teams can explore trust relationships and interconnections against all existing ones mapped by Tenable.ad. These connections highlight the communication that takes place between the various Active Directories a client may have and are color-coded to highlight the varying degrees of safe and dangerous trust relationships.
10. Can the vendor integrate with other security solutions?
No organization can be 100 percent secure. However, crucial security steps and technologies at various organization layers need to be implemented to stay a step ahead of attackers. Perimeter and endpoint security solutions are vital instruments as outer-layer security, but they do not possess the ability to protect the core of an organization: Active Directory. Likewise, an application consisting of only access controls could not halt anyone who has deliberately or mistakenly been granted open access to an entire network.
Having the ability to run numerous, integrated security solutions simultaneously is the only way an organization can truly protect its outer and inner core. The ability to integrate via email, Syslog and APIs is essential, as is the ability to have alerts correlated with security information and event management (SIEM) tools and even security orchestration, automation and response (SOAR) platforms, all of which Tenable.ad provides out of the box.
To learn how Tenable.ad can help continually secure and protect your Active Directory, check out our product overview.
This blog post originally appeared on the Alsid website on August 20, 2020.