Most organizations, from the SMB market to global enterprises, leverage Microsoft Active Directory (“AD”) for part or all of their authentication and authorization services. In smaller organizations AD can also handle other core infrastructure services such as DNS, DHCP, and software package distribution (e.g., deployed via GPOs). Due to the centralized nature of these services being available on each Domain Controller (an AD server), these systems are often the end goal of threat actors during the lateral movement phase of the overall intrusion.
All this is generally known to IT professionals, of all skillsets, and yet most forensic or recovery engagements that MOXFIVE leads include AD being compromised at some point by the threat actor. Unfortunately, what is common in organizations of all sizes is a misunderstanding of the overall directory’s structure (a “forest” of “domains”), object permissions, and how the objects within are interrelated. The underlying issue is that AD can be enormously complex as the organization grows, especially if there are mergers or acquisitions that require trusts into pre-existing AD domains. Add on top of this that AD skillsets are at a premium for internal IT teams, and this means most AD admins do not have the time or knowhow required to map out and fix every misconfiguration leading to a security gap.
At MOXFIVE we break securing AD into two workstreams that can be accomplished concurrently. First is mapping out trusts between objects within AD, privileged group memberships, and audit policies in place. Threat actors can leverage unknown trusts to elevate their level of access or abuse privileges for groups not regularly monitored, but you can’t fix what you don’t know. Having a fresh set of eyes with specialized tools to review AD is highly recommended at a semi-regular cadence. A lot can change over time, whether its new domains being added or a former employee leaving and taking their historical context and knowledge with them. PingCastle is a powerful tool made specifically for this whole process, but it takes an understanding of the output and how to fix what is reported to truly decrease vulnerable attack vectors.
The second workstream is around securing the configurations, services, and protocols used while interacting with AD or the Windows environment as a whole. For example, configuring LDAP signing reduces the risk that a threat actor active within the environment can intercept and leverage a legitimate ticket (AD authentication) to impersonate a privileged user or escalate privileges on the account already in use. Another example is implementing Microsoft’s Local Admin Password Solution on Domain Controllers to randomize the local administrator credential on all domain joined servers and workstations. This helps lessen a threat actor’s ability for lateral movement within the environment; you can read more about this solution in our previous blog Minimizing the Impact: Local Administrator Password Solution. These are just two examples in a list of industry secure best practices that we recommend and implement for our clients.
As with any area of the security realm, securing Active Directory is not a “silver bullet”, it is adding a layer of security in an attempt to make it more difficult for a threat actor to reach their end goal, access to and control of your information. Given the widespread usage of AD in organizations of all sizes it is well known to threat actors, MOXFIVE aims to assist organizations in leveling the playing field and assisting with protecting these “crown jewels”.
Thomas brings a combination of operational and defensive security expertise in a wide range of environments, both in a consulting and internal capacity, to the MOXFIVE team. Thomas has supported companies ranging from Fortune 100 to small, privately-owned businesses and his history understanding complex technical problems and creating agile solutions is an asset to any organization’s team assisting their organizational capabilities.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.Learn More
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.