Cyber criminals regularly exploit vulnerabilities and poor practices around Microsoft Active Directory to obtain credentials that allow them to infiltrate organizational systems, cause damage and exfiltrate data. This report describes StealthINTERCEPT, the real-time policy enforcement, change and access monitoring and Active Directory security component of the STEALTHbits’ Data Access Governance Suite, that helps organizations to protect against these forms of cyber-attack.
Attacks on IT systems have become a major risk to organizations which can prevent access to critical data through ransomware or lead to penalties for loss of regulated data. Cyber criminals regularly exploit vulnerabilities and poor practices around Microsoft Active Directory to obtain credentials that allow them to infiltrate organizational IT systems, cause damage and exfiltrate data. Protecting against this form of attack has become the top priority for cyber defence.
Traditional perimeter security devices like firewalls, IDS (Intrusion Detections Systems) and IPS (Intrusion Prevention Systems) are widely deployed. While these remain an essential part of the defence for the connected business, they are not able to detect a range of threats including the use of compromised credentials, insider threats, data exfiltration, access misuse and zero-day attacks. SIEM (Security Information and Event Management) is also promoted as a solution to these problems. To be effective SIEM needs to incorporate access related data. While SIEM is a core security technology it has not been successful at providing actionable security intelligence in time to avert loss or damage.
External attacks now involve a complex process, sometimes involving an insider element. There are several known vulnerabilities in Windows and Active Directory which, if not properly defended, can be used to gain administrative access to the Active Directory Domain Controllers. This enables the attacker to create fake user credentials giving legitimate access to systems and data.
These include the Kerberos Vulnerability for which the Python Kerberos Exploitation Kit (PyKEK) is readily available. This allows an attacker to take ownership of an Active Directory forest with only a user account and a connected Windows computer (and associated admin account). Another common attack is on the Windows LSASS (Local Security Authority Subsystem Service) to obtain and use credentials held in memory. While Virtual Secure Mode with Credential Guard can protect against these in the latest versions of Windows 10 Enterprise and Windows Server 2016 however, not all organizations are using these.
Many organizations implement a forced password change policy where users must change their password regularly and cannot reuse previously used passwords together with rules for password complexity. However, few implement the recommendations in NIST SP800-63B that require new passwords to be screened to prevent the use of those “obtained from previous breach corpuses”. Organizations need to take steps to protect against the reuse of breached credentials and should implement the recommendations in the NIST SP800-63B.
These threats make it essential that organizations use the strongest possible defences for their Microsoft AD (Active Directory) deployments. You must always assume that your AD is under attack and may already have been breached. Take active steps to remove known vulnerabilities, apply relevant patches and fully monitor configuration as well as activity. Monitor not only normal administrative actions but also operations like directory synchronization and automatically block suspicious activity as soon as it is detected.
Cyber-threats to IT systems exploit any weaknesses in the critical technology that supports user identity, privilege and access rights. Therefore, this must be strongly protected as a top priority. It is important to look for solutions that suits the specific needs of your organization. Consider solutions that include managed services and pre-configured analytics, not just bare tools.