Tanmoy S
|
September 22, 2021
Microsoft Active Directory Security Part 3: A Deception-Based Approach
In a previous blog, we provided an overview of the AD Attack Surface and AD Attack Paths. In Part 3 of this series, we’ll explore Acalvio’s Active Directory (AD) security solution, which is designed to protect AD against advanced persistent threats (APTs). Cybersecurity defense is a moving target. New and sophisticated attack variants are continuously appearing, and APTs are constantly revising their strategy and seeking weaknesses in business security implementations, making it imperative for enterprises to continuously refine their security stack. Organizations often use either siloed security tools or a combination of multiple cybersecurity products that each collect huge volumes of data independently. This results in disparate and disconnected systems. While standard security solutions offer capabilities for detecting and preventing a range of Active Directory attacks, they provide a limited solution for advanced threat defense against Active Directory. Cybersecurity requires an integrated strategy that augments standard security tools with an Advanced Deception Platform to effectively protect enterprises from Active Directory exploits. Acalvio ShadowPlex offers a differentiated, best-in-class AI-based deception solution for Active Directory security. The combination of deceptions with AI-powered analytics serves as a powerful mechanism to protect the enterprise from known and new variants of Active Directory exploits, such as AS-REP Roasting, DCSync, Kerberoasting, Unconstrained Delegation, and Pass-the-Hash, among others. This approach is built on Acalvio’s unique and powerful Active Directory Protection Kill Chain.
Tanmoy S
|
July 20, 2021
Microsoft Active Directory Security Part 1: Understanding the Attack Surface
An Active Directory (AD) compromise has been at the core of several cyberattacks, such as the SolarWinds hack and the ransomware attack on Colonial Pipeline. Potential vulnerabilities, such as nOAuth on Microsoft Azure Active Directory, have been identified by security researchers. When the first version of Microsoft Active Directory was released two decades ago, it was built on the philosophy of inherent trust models within the boundaries of a network. Given these legacy architectural principles, Active Directory security is a challenge. As an enterprise grows, new users, computers, applications, and cloud services are added to the enterprise network. Each addition is a new object that is managed in the AD. Administrators must set up new accounts, grant required permissions to these accounts, and enable these accounts to communicate with devices and applications. These factors make Microsoft Active Directory security very complex. In this 3-part series, we look at protecting Microsoft Active Directory, which is central to most enterprise architecture. This series covers: (1) Understanding the AD Attack Surface; (2) A look at Attack Paths; (3) How Advanced Deception can be used to protect the AD. This first blog discusses the AD Attack Surface and the Microsoft Active Directory vulnerabilities that attackers can exploit to perform lateral movement, escalate privileges, and maintain persistence in the enterprise network.