BLOG: Active Directory Threat Detection and Response

March 15th, 2023
Keith Thuerk
Storage Engineer


Protect Active Directory from Advanced Attacks with Automated Remediation


In the past, the security boundaries of IT networks were typically limited to a small number of assets located outside the firewall, with some additional internal segmenting firewalls. This approach can be compared to a hard exterior shell that protects a vulnerable and exposed interior.

Today, enterprise IT security has advanced to include a multitude of security solutions designed to address the latest threats. It is important to pause and consider whether the foundational cornerstone of IT offerings, Active Directory (AD), is being overlooked. AD has been around for more than 20 years and is still used by 90% of enterprises globally. Unfortunately, 80% of IT breaches involve credential abuse, and systemic weaknesses in AD make it a target for hackers.


It is crucial to assess the reliance of your enterprise on AD and consider the following:

  • Which mission-critical enterprise systems authenticate through Active Directory?
  • Can you even access your enterprise backup solution(s) if AD is down?
  • When was the last time you performed a full Disaster Recovery test on AD?
  • How successful was the test and how long did it take to recover?
  • How important is the ability to quickly restore AD on any hardware, physical or virtual, to maintain business operations?
  • Have efforts been made to improve AD hygiene, such as account hygiene and least privilege?


Security Challenges of Active Directory


Do you find Active Directory (AD) to be a challenging tool to manage and understand, or is it just me? It’s frustrating that there isn’t an easy way to see all the defined relationships within this complex and widely used legacy tool. Additionally, it’s worth considering how many administrators have been involved in the lifecycle of your AD, including design, rework, forest merging, and hiring or firing admins. How many of these individuals are still present and actively involved in the day-to-day operations of AD?

It is also important to evaluate the security settings in your AD environment: are deprecated Kerberos encryption types such as RC4 and DES still permitted, and is AES-256 enabled on every account? Regular AD cleanup is also crucial, as deprecated apps and stale relationships can potentially be exploited.
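One way to audit the encryption-type setting mentioned above, as an added example that is not code from the original post or from Semperis. It assumes the RSAT ActiveDirectory module and read access to the domain; the bit values are those documented for the msDS-SupportedEncryptionTypes attribute.

```powershell
# Added example: find AD user and computer accounts that still allow DES or RC4
# Kerberos encryption, or that do not advertise AES-256. Assumes the RSAT
# ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

# Bit flags of the msDS-SupportedEncryptionTypes attribute
$DesCrc = 0x01
$DesMd5 = 0x02
$Rc4    = 0x04
$Aes128 = 0x08
$Aes256 = 0x10

$accounts = Get-ADObject -LDAPFilter '(|(objectCategory=person)(objectCategory=computer))' `
    -Properties sAMAccountName, servicePrincipalName, msDS-SupportedEncryptionTypes

$report = foreach ($acct in $accounts) {
    $etypes = $acct.'msDS-SupportedEncryptionTypes'
    # Most severe finding wins: DES before RC4 before missing AES-256
    $finding = if ($null -eq $etypes -or $etypes -eq 0) {
        # Attribute unset or 0: the domain controller default applies,
        # which historically meant RC4 rather than AES
        'Default (AES not explicitly set)'
    } elseif ($etypes -band ($DesCrc -bor $DesMd5)) {
        'DES allowed'
    } elseif ($etypes -band $Rc4) {
        'RC4 allowed'
    } elseif (($etypes -band $Aes256) -eq 0) {
        'AES-256 not enabled'
    } else {
        'AES only'
    }
    [pscustomobject]@{
        Account  = $acct.sAMAccountName
        Class    = $acct.ObjectClass
        HasSPN   = [bool]$acct.servicePrincipalName   # service accounts matter most
        EncTypes = $etypes
        Finding  = $finding
    }
}

# Everything that is not already AES-only is a candidate for remediation
$report | Where-Object Finding -ne 'AES only' | Sort-Object Finding, Account | Format-Table -AutoSize

# Remediation for a reviewed account (run per account after confirming that no
# legacy service tied to it still depends on RC4):
#   Set-ADUser -Identity <sAMAccountName> -KerberosEncryptionType AES256
#   Set-ADComputer -Identity <computerName> -KerberosEncryptionType AES256
```

Accounts with an SPN are the ones worth reviewing first, since tickets for them are issued with whatever types the account advertises; change them one at a time and watch for Kerberos failures before moving on.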

How often does your team perform AD cleanup? Were the Exchange relationships removed after you migrated to M365? Think about all the interactions and sync accounts related just to Exchange. Microsoft Exchange is just one example. How many other Apps has your enterprise deprecated in a move to SaaS offerings? Did those App linkages get cleaned up from AD? If not, your enterprise could have a non-optimized AD which could potentially be exploited.

As enterprises increasingly transition to hybrid cloud environments, they often discover that they lack a perimeter security solution. As a result, identity management becomes the first line of defense. While Microsoft has invested significant resources into Azure Active Directory, which boasts superior scalability, there are still inherent legacy issues that persist. As a result, establishing a strong foundation for security is crucial for enterprises of all sizes, regardless of their deployment model.


Semperis AD Threat Detection and Response


Did the aforementioned items cause a rise in your blood pressure?

Don’t worry. Mainline has partnered with Semperis, a highly rated IT security company that not only fully automates Active Directory (AD) recovery but also provides tools for protecting and monitoring AD against both current and emerging security threats.

The Semperis AD products can swiftly assess your existing Active Directory setup and enable you to enhance its security. Semperis is designed to highlight any identity security vulnerabilities and provide practical solutions to address them, resulting in a quick return on investment (ROI).

The sophistication of social engineering schemes is increasing, not decreasing. Assume that credentials are being hijacked from your users or sold on the Dark Web; in other words, assume your network is already compromised. Semperis is designed to protect AD from a cyberattack in exactly that kind of compromised-credential environment.

The core offerings of Semperis are:

  • Active Directory Security Monitoring and Protection
  • Active Directory Service Backup and Recovery (Full Forest Recovery)
  • Active Directory Attack Path Analysis

Let’s take a closer look at the products provided by Semperis.

Active Directory Forest Recovery (ADFR) is designed to help organizations recover AD following a disaster that has corrupted it. The tool enables rapid backup and recovery of just the AD components, taking minutes instead of days, and can complete a full AD recovery in just 6 clicks on any hardware, regardless of where the backup was originally made. ADFR separates AD from the operating system executable space, so malware present in the OS is neither part of the ADFR backup set nor restored with it.

Directory Services Protector (DSP) safeguards an organization’s Active Directory by monitoring all changes in the AD environment and enabling instant rollbacks for repair. DSP provides visibility into every object creation, deletion, and modification by capturing data from AD replication streams. DSP scans both Active Directory and Azure AD for indicators of compromise (IoC), indicators of exposure (IoE), and improper configurations. In the event of an attack, DSP offers the visibility and tools necessary to revert any malicious changes made by the attackers, enabling continued business operations.

Purple Knight (PK) is a free tool that is a subset of the DSP product. It provides comprehensive information about Active Directory, such as IoC and IoE findings, and outlines steps to remediate high-priority items, for example by raising awareness of service principal accounts, to enhance the security of your AD environment. One example of its use is to run it after your enterprise has transitioned to Microsoft 365 (M365), to clean up on-premises Exchange-related definitions such as AD synchronization accounts and nested Domain Admin permissions. The tool can be freely downloaded as an executable (.exe) and requires only a domain-joined machine (with ordinary user credentials and read-only access to AD) to run. It executes PowerShell scripts against AD and produces easily interpretable output for improving the security posture of the AD.

Forest Druid was introduced in December 2022 as a complement to PK. Its focus is on discovering and managing attack paths. Forest Druid speeds up attack path analysis by emphasizing privileged access to Tier 0 from within, whereas other attack path discovery tools mainly identify a comprehensive list of attack paths and bottlenecks from the outside.

Given the numerous benefits that Semperis can provide to an enterprise, how soon do you plan on organizing a tabletop exercise focused on AD to evaluate how you can enhance the protection of your crucial Tier Zero (0) assets?

Summary

It’s crucial to recognize why enterprise directory services are a high-value target for hackers, and essential to secure your Active Directory (AD) environment promptly. Semperis offers robust protection through Directory Services Protector (DSP) and a swift recovery solution, Active Directory Forest Recovery (ADFR), reducing restoration time from hours or days to mere minutes. These solutions not only bolster your on-premises and cloud identity security but also keep your AD well-organized and secure.

Don’t wait to become a hacking statistic. Secure your IT cornerstone now. In case of AD corruption, Semperis ADFR offers rapid recovery options, allowing you to restore your AD in mere minutes, not hours or days.

More Information

Mainline is a Semperis Channel Partner, with extensive experience bringing rapid time to value while protecting your enterprise. For more information about cybersecurity threat detection and response solutions, contact your Mainline Account Executive directly or reach us here with any questions.
