With the vast majority of organizations using some form of Microsoft’s Active Directory to consolidate and manage networked resources, the directory service is a popular target for cybercriminals. It’s particularly attractive to attackers because it contains centralized information about an organization’s entire network.
Many of the problems companies experience with Active Directory come from inadequate management of credentials, administrative users and privileged access; failure to patch and update all systems; and inappropriate access for roles and employees. Any of these weaknesses can enable attackers to take over privileged accounts and gain access to data and domain information.
Active Directory attacks generally focus on extracting privileged domain accounts, system accounts and high-value systems. Detecting these attacks can be difficult because the activities will appear as if the data is being provided to a member system as part of normal operations.
Attackers use tools such as Mimikatz and BloodHound to extract administrative accounts or to identify overlapping permissions and group memberships that grant more access than intended. With elevated privileges, the attacker can move to more systems and engage in activities not normally allowed to a regular user.
There have been many attempts to deal with these security issues, both through procedures and technology, and some have been more successful than others.
With its latest product, Attivo Networks adds another approach to the arsenal. ADSecure, which can be run as a standalone product or as part of the company’s ThreatDefend Detection Platform, focuses on preventing attackers from gathering data from Active Directory. The approach, as described by the company, is to intercept the calls as they are being made. If it determines that a call may be malicious, it responds to that query with deceptive data that guides the attacker to the deception infrastructure instead of the real one. If the attackers act on that information, they become even more entangled.
In a typical attack, a hacker compromises a production system and then uses an application like BloodHound to query Active Directory for domain admin accounts. The Active Directory server responds with results. The ADSecure module then captures and modifies the response to add deceptive domain admin credentials while hiding the real admin accounts and production data, explained Chief Deception Officer Carolyn Crandall. ADSecure sends the results to the application for display, and the attacker sees fake data. A high-fidelity alert is raised, notifying the organization of malicious activity.
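A simplified model of that response rewriting, as an added illustration that is not Attivo's code: it assumes a constructed directory lookup result, a hypothetical allow-list of admin hosts used to judge whether a privileged-group query is suspicious, and invented decoy account names.

```python
# Constructed sample: what a directory lookup of group membership might return.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
REAL_RESULT = [
    {"sAMAccountName": "da_ops", "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_backup", "memberOf": ["Backup Operators"]},
    {"sAMAccountName": "alice", "memberOf": ["Domain Users"]},
]
# Constructed decoys: accounts that exist only in the deception environment.
DECOYS = [{"sAMAccountName": "da_admin01", "memberOf": ["Domain Admins"]}]
# Hypothetical allow-list: hosts from which privileged-group lookups are expected.
ALLOWED_HOSTS = {"mgmt-jump01"}


def is_suspicious(requester_host, requested_groups):
    """Policy: a privileged-group lookup from outside the admin allow-list."""
    targets_privileged = bool(set(requested_groups) & PRIVILEGED_GROUPS)
    return targets_privileged and requester_host not in ALLOWED_HOSTS


def rewrite_response(entries, requester_host, requested_groups):
    """Return (entries_to_deliver, alert).

    Benign lookups pass through untouched. Suspicious ones have the real
    privileged members removed, decoys appended, and an alert raised.
    """
    if not is_suspicious(requester_host, requested_groups):
        return list(entries), None
    hidden = [e for e in entries if set(e["memberOf"]) & PRIVILEGED_GROUPS]
    kept = [e for e in entries if e not in hidden]
    delivered = kept + [dict(d) for d in DECOYS]
    alert = {
        "requester": requester_host,
        "hidden_accounts": [e["sAMAccountName"] for e in hidden],
        "decoys_served": [d["sAMAccountName"] for d in DECOYS],
    }
    return delivered, alert


def is_decoy_use(account_name):
    """Any later authentication with a decoy name is itself a high-fidelity signal."""
    return account_name in {d["sAMAccountName"] for d in DECOYS}


if __name__ == "__main__":
    delivered, alert = rewrite_response(REAL_RESULT, "ws-042", ["Domain Admins"])
    print([e["sAMAccountName"] for e in delivered])
    print(alert)
```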
“It’s interesting that Attivo is looking to capture ‘intent’ of a possible attacker at a different level of abstraction than the typical ‘use a credential’ or ‘access a device over the network,’” said Fernando Montenegro, a principal analyst at 451 Research. “This approach has the potential of being more effective against different threat actors. The challenge to be overcome is to ensure that adding these potential interactions between the ‘deceptive’ reality and the ‘real’ infrastructure is done in a way that is efficient to ongoing operations.”
While ADSecure is available as a standalone product, Crandall said it works best in combination with the company’s ThreatDefend platform. “No matter how the attacker attempts to gather Active Directory information, the ThreatDefend platform with the ADSecure module inserts deception into every result,” she said. “This increases the likelihood that the attacker will engage with a decoy and security teams receive a high-fidelity alert early in the attack cycle.”
While technology is an important tool in inhibiting Active Directory attacks, organizations also should focus on putting the right processes and procedures in place, Montenegro said.
“As with other security measures, it’s a combination of looking to prevent the issue in the first place with stringent permissions, and then using monitoring to detect unusual behavior,” he said. “The challenge is that resource-strapped security teams may not have gotten around to reading up on the requirements and/or going forward with enforcing more stringent configurations.”