Stepping Up Security against New Generation of Active Directory Attacks

Cyberterrorist attacks against identity and authentication infrastructure are becoming increasingly accessible for less advanced and knowledgeable hackers, making companies more at risk, and creating a new challenge for IT security teams.
Page Top

New Generation of Active Directory Attacks

Cyberterrorist attacks against identity and authentication infrastructure are becoming increasingly accessible for less advanced and knowledgeable hackers, making companies more at risk, and creating a new challenge for IT security teams.

Microsoft’s Active Directory is used as the identity platform for a majority—or about 90%—of governments and businesses running Windows. It enables authentication for numerous enterprise services and is key to security, which makes it a prime target in virtually any cyberterrorist attack.

In the modern federated enterprise, hackers manipulate the weaknesses of authentication protocols like Windows NT LAN Manager (NTLM), Security Assertion Markup Language (SAML), and Kerberos and gain access to Active Directory to move about a critical network making seemingly legitimate service requests. Performing an effective hack on the aging system, threat actors not only gain a foothold but post-exploitation, they also can move laterally from resource to resource, according to an article on Dark Reading.

Active Directory Attacks

Tools Commonly Used for Active Directory Attacks

Active Directory attacks are becoming more mainstream for several reasons. First, numerous existing Active Directory setups were designed more than a decade ago. Because of the antiquated design, the service is susceptible to Windows systems vulnerabilities and misconfigurations.

Secondly, threat actors have coopted tools that were developed for legitimate security research, such a Mimikatz and Metasploit, as demonstrated in the devastating 2017 NotPetya malware attack in Europe and the 2011 hack of Dutch certificate authority DigiNotar. Mimikatz is a leading open-source application that enables users to view and gather Windows credentials, as well as Kerebos ticket, PINs, and hashes. In recent years, other tools have emerged, such as Bloodhound, Deathstar, Angry Puppy, CrackMapExec, and Go Fetch. With such tools, the knowledge necessary to leverage an attack and infiltrate a network has decreased, along with dwell times, putting more enterprises at risk.

Additionally, according to Dark Reading, Kerberos is a stateless protocol, which means “transactions during the authentication process are not retained throughout or after the session,” making it especially vulnerable to “known attacks that allow bad actors to forge Kerberos tickets or reuse stolen credentials to move laterally through the network undetected, escalating privileges until they obtain full control over files, servers, and services.”

What Does an Active Directory Attack Look Like?

In January, it was disclosed that three United Nations offices in Europe were the target of an espionage attack that started in July 2019 but wasn’t detected until a month later. Exploiting a vulnerability in Microsoft SharePoint, the hackers gained access to Active Directory at those locations and subsequently tried to steal staff records, human resources information, and commercial contract data. The attackers were eventually able to move laterally on the networks, and the systems at the UN’s offices in Geneva and Vienna—which are used by thousands of staff members—were compromised.

According to The New Humanitarian, the attack might have been avoided with a simple patch to fix a software bug. The attack demonstrates, however, the need for more visibility into authentication systems and for the security controls, tools, and processes implemented by enterprises to continue operating as intended.

Defending Against Cyber Attacks on Active Directory

Many companies also continue with the same support paradigm and operations, rather than adapting to an “assume breach” mentality that involves a stronger and more viable defense and effective mitigation techniques.

To protect your organization against attack on your identity and authentication infrastructure, you must understand the limitations of authentication protocols, such as SAML, NTLM, and Kerebos, especially if you link authentication to cloud services to Active Directory. Security teams must discover a way to leverage analytics platforms and modern distributed systems to master the vast data sets that cloud deployments bring about. A robust response also includes integrating security operations with development and comprehensive IT management.