Active Directory and Azure AD are at the core of any organization’s security. Simply put, AD is the means by which users, customers, partners, IoT and other edge devices authenticate to a system and receive their rights for traversing that system.
Why is Active Directory Security so important?
Cybercriminals today are targeting Active Directory (AD), performing reconnaissance to discover users, servers and computers in an enterprise network and then moving laterally to carry out multi-stage attacks to gain access and abuse organization resources and data. Historically, network and physical infrastructure layers have received all the security attention and AD security has lagged. The access we grant our users is the same set of credentials that is being abused, stolen, and exploited, either with purpose or through absent-mindedness.
Let’s look at the example of healthcare.gov. The backend system of this US government health insurance site was breached using the stolen credentials of healthcare agents who help people find the right plan. 75,000 individuals’ files were compromised. In my 2019 predictions for Windows and Office 365 professionals, I joke that humans will still be a thing in the year to come. The weakest link in any security system is the human factor, and users are both the first and last line of defense.
Now it’s important to note that users are more security savvy today. No one is fooled by the spoofed email from your bank with tons of spelling errors. But just as users become more security conscious, cybercriminals are evolving their phishing tactics, weaponizing artificial intelligence and using stolen personally identifiable information to spear phish users – all with the hope of getting their hands on AD credentials.
And let’s not forget the disgruntled and accident-prone insiders who can wreak just as much damage with their access, especially those with elevated privileges. In 2018 we saw Uber finally settle with Waymo to the tune of $245 million for the alleged theft of confidential schematics at the hands of a former employee.
In 2018 we started to see organizations paying attention to AD and this year we’ll see them treating AD not as legacy, but as a critical part of their infrastructure that needs to be secured beyond what is offered as the default.
How do you see organizations today managing their Active Directory? And does this impact security?
Organizations have been using native methods for managing these environments, including the command line. Microsoft is relying more heavily on PowerShell for Windows Server and Azure administration. There are 900 PowerShell commands alone for managing AD – user provisioning, group management, attribute population.
Scripting gives an admin a lot of control, but it also adds complexity to an environment. Left unchecked, it can breed micro developing and unknown dependencies and security misconfigurations.
Managing that complexity becomes really challenging when you have only one PowerShell person on staff. Yes, that’s what we see – a whole team of admins and just one who is proficient at PowerShell. When you have one person writing scripts, oftentimes the rest of the organization has no idea what scripts are running in their environment, punching holes through walls where they shouldn’t, or bypassing security protocols wittingly or unwittingly. A change in one system or script could break a desired state configuration for another system.
For example, in my 2019 predictions, I boldly state that the first major multi-tenancy breach for Azure AD or Office 365 will hit the news and the likely reason will be due to scripting misconfiguration.
How can someone misconfigure their multitenant environment?
It only takes one programming error to compromise everything. This can happen very easily. Let’s say a financial institution with multiple holdings spins up an Azure AD and Office 365 instance for each separate entity that may or may not be allowed to share data.
This organization will start out with a secure model managing their different tenants separately. But they need to manage and audit across these environments and they need to share data in a controlled way. So they deploy some scripts to do the management and auditing, punching a hole between Company A and B and unwittingly into Company Z.
Before they know it, there is an uncontrolled flood of information between Company A and Z for someone to exploit or regulators to fine because there’s supposed to be a firewall between companies A and Z.
And these organizations are using PowerShell to do this – with that one person. What happens when that one person leaves? Who else has the map of these scripts in their head?
This year, we’ll see organizations requiring PowerShell expertise as a basic skill set for all their Windows admins, and we’ll see them defining and applying strict security and monitoring policies that dictate when a script makes sense (as in provisioning SharePoint Online sites) and when they need to simplify the IT estate with commercial-off-the-shelf solutions that handle enterprise requirements for audit logs, error handling and security features. We’ll also see organizations start to monitor and block PowerShell scripts in their environment that are suspicious, such as hackers using living-off-the-land techniques to exfiltrate or compromise data.
How does ransomware fit into Active Directory Security?
Ransomware has gone the way of natural disasters and shuttle launches in the news – no one is paying a lot of attention, but it’s still out there and getting more sophisticated. Cybercriminals aren’t going for the masses, they are targeting their corporate victims. Think of it like account-based marketing for ransomware gangs.
SamSam is a perfect example: over the last three years the perpetrators behind this one attack have netted $6m (£4.7m). In 2018 they continued their account-based ransomware campaign, targeting 67 organizations. This isn’t the spray-and-pray approach used by entry-level hackers. It is meticulous research of their target victims, exploiting vulnerabilities or using stolen credentials from spear phishing.
In one report, we learned that cybercriminals can weaponize AI to increase the effectiveness of spear phishing above 20 per cent and mutate ransomware to evade security defenses. The ransomware toolkit du jour combines the attack with mimikatz, a tool that extracts account login information from memory, and other known hacking tools to create self-propagating worms that target entire networks, including the backups.
All of this goes back to Active Directory. Users’ credentials are being targeted. Organizations need to apply a least privilege model and understand the full extent of who has access to what. They need to apply threat detection on top of this to look for signs of user compromise – such as ransomware or those invoking known PowerShell recon toolkits – and take immediate action to shut down the activity and the user.
How does the edge computing and IoT trend play into Active Directory Security?
The rise in Edge Computing is adding more points of entry into your AD that you need to consider. At Microsoft Ignite 2018, Edge Computing consumed a large portion of the Book of News because organizations are seeing the benefits of collecting and processing data close to the source – the edge of the network (think blockchain or AI in medical operations).
It’s important to remember these devices don’t have the management stack of internal systems. The teams dedicated to maintaining mainframes that have been running for decades or rolling out updates to user laptops simply don’t have the time or resources to maintain the thousands of IoT and other edge devices.
Patches that should be applied may not be, desired security configurations may be out of date – all of this adds more holes to your security for network reconnaissance, ransomware, and even the lucrative business of cryptojacking. Patching becomes a rational act that weighs the risk of service disruption against both the manpower required to do it and the chance of a cybersecurity incident.
Organizations will want to keep their distributed computing authentication up in the cloud with Microsoft Azure Active Directory (AD) and away from valuable internal data and resources, and they’ll want to monitor it just as they would their internal AD.
What is a worst case scenario for Active Directory Security?
All of the organizations I speak to fear this one thing – total Active Directory disaster. We’re talking a Maersk-style takeout that wipes out every single domain controller (DC) they have – even the backups – if they had them.
The NotPetya attack of 2017 is still fresh in everyone’s mind. I’ve talked to customers who call this the scorched-earth scenario – everything is wiped out. Not a single DC around the globe is left standing.
Active Directory is the lifeblood for your apps, files, and users. Without it, nothing else works. If healthcare workers can’t access the data and applications they need to prescribe medicine or review patient records, then people’s lives are at risk.
In a scorched-earth scenario we recommend customers have a well-documented and exercised AD disaster recovery plan. This plan should include all of the players and their dependencies, including the servers, the OS, the network, etc. It should also include making backups of domain controllers on a regular basis and storing those in a completely separate network so campaigns like NotPetya can’t compromise the backups.
You should also limit access to those backups to the AD admins to reduce errors and manipulation. Have a kit ready and offline that includes everything needed to stand up a new AD system. Some organizations even have physical DCs offline at disaster recovery cold sites.
Building out a plan like this goes a long way towards building resiliency in your AD. Compromise isn’t a matter of if but when, and Active Directory needs to be an important part of any organization’s business continuity plan.
For more details on these issues and the increasing role of Azure AD, visit Quest’s website.