A growing number of breaches involve the exploitation of weak Microsoft Active Directory (AD) configurations, which let attackers gain a foothold within target networks, access sensitive resources, and deploy malware. As the gatekeeper to critical applications and data in 90% of organizations worldwide, AD is a common access vector for attackers and extremely complex to secure given its constant flux, sheer number of settings, and the increasingly sophisticated threat landscape.
We sat down with Darren Mar-Elia, VP of Products at Semperis to talk about what makes Active Directory security so critical and how the company is helping to secure AD environments with its latest release of Directory Services Protector (DSP) v3.5, which includes DSP Intelligence, a new module that provides automated security assessments of Microsoft AD.
What makes Microsoft Active Directory so desirable to hackers?
Active Directory (AD) is still the identity backbone for 90% of organizations. Attackers know that it is also a 20-plus-year-old system with inherent configuration weaknesses; in other words, it's a critical piece of most enterprises' IT infrastructure but notoriously difficult to keep secure. Even with significant resources, large organizations are vulnerable to malicious attacks that use AD as an entry point, as was the case in numerous attacks, most recently the SolarWinds attack.
How do hackers exploit Microsoft Active Directory?
AD has a combination of factors working against it. It has to support many legacy protocols that were not built with security in mind. In many large organizations, it has to serve many masters, often with conflicting priorities around usability vs. security, and it has many possible points of entry that are complex to secure for many administrators. Add to that, the threats targeting it are constantly evolving and increasingly sophisticated. Most large organizations that have had AD deployed for many years are naturally going to have weaknesses in their security posture thanks to "configuration drift" that occurs over time. This means that attackers can more easily get in and exploit those weaknesses.
What is and what isn't Microsoft doing to secure Active Directory? Is what they're doing enough?
Microsoft itself is increasingly under scrutiny as the result of being compromised in the SolarWinds attack, as well as a subsequent unrelated breach targeting on-premises Microsoft Exchange email servers in March 2021 that allowed the attackers to compromise victim companies' AD. Currently, Microsoft is making moves such as updating its guidance around privileged management in order to better protect organizations from attack. However, it is ultimately also the responsibility of individual organizations to keep their infrastructure secure and backed up on a continual basis.
How does DSP v3.5 help secure Microsoft Active Directory?
Directory Services Protector (DSP) v3.5 includes DSP Intelligence, a new module that provides automated security assessments of Microsoft AD. DSP Intelligence proactively uncovers dangerous vulnerabilities that arise from external threat actors, systemic weaknesses in default identity and access settings, and even internal configuration drift that leads to security regression.
To get ahead of attackers, DSP Intelligence continuously queries an organization's AD environment and performs a comprehensive set of tests against the most common and effective attack vectors that correlate to known security frameworks such as MITRE ATT&CK.
DSP Intelligence is designed to provide a larger range of security indicators and advanced pre-attack tests to harden AD against new adversary TTPs and spot your weaknesses before attackers do. The threat hunting capabilities have also proven to be extremely helpful for organizations in post-breach scenarios to understand how attackers broke in and how to close backdoors for good.
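Editor's note: to make concrete what "configuration drift" and "continuous tests mapped to ATT&CK" mean in practice, here is an added example of the minimal shape of such an assessment. It is illustrative code written for this page, not Semperis or DSP Intelligence code, and DSP's actual checks are not reproduced here. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host with read access to the directory; the baseline file path is an assumed location. Each check queries AD for one well-known risky state (accounts without Kerberos pre-authentication, user accounts carrying SPNs, non-DC hosts with unconstrained delegation, privileged accounts whose passwords never expire), then the script diffs the results against the previous run so that a setting which reappears between runs is reported as a regression rather than lost in a long list.

```powershell
# Added illustration for this page, not Semperis/DSP code.
# Assumes: RSAT ActiveDirectory module, domain-joined host, read access to AD.
Import-Module ActiveDirectory

# Assumed location for the previous run's findings; drift is measured against it.
$BaselinePath = 'C:\ADAssessment\baseline.json'

# Each check returns the distinguished names of objects in a known-risky state.
# ATT&CK technique IDs are given where the state maps directly to one.
$Checks = [ordered]@{
    # T1558.004 AS-REP Roasting: with pre-authentication disabled, anyone can
    # request an AS-REP for the account and crack it offline.
    'NoKerberosPreauth' = {
        Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true -and Enabled -eq $true' |
            ForEach-Object DistinguishedName
    }
    # T1558.003 Kerberoasting: a user account with an SPN issues service tickets
    # encrypted with its own password hash, and any domain user may request them.
    'UserAccountsWithSPN' = {
        Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' |
            Where-Object SamAccountName -ne 'krbtgt' |
            ForEach-Object DistinguishedName
    }
    # Unconstrained delegation on anything that is not a domain controller
    # (primaryGroupID 516): whoever owns that host can impersonate every user
    # that authenticates to it.
    'UnconstrainedDelegationHosts' = {
        Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties PrimaryGroupID |
            Where-Object PrimaryGroupID -ne 516 |
            ForEach-Object DistinguishedName
    }
    # Privileged accounts (adminCount=1) whose passwords never expire: the classic
    # drift case, a "temporary" setting that outlives the admins who knew about it.
    'PrivilegedPasswordNeverExpires' = {
        Get-ADUser -Filter 'AdminCount -eq 1 -and PasswordNeverExpires -eq $true -and Enabled -eq $true' |
            ForEach-Object DistinguishedName
    }
}

# Run every check; sort and de-duplicate so successive runs are comparable.
$Current = [ordered]@{}
foreach ($name in $Checks.Keys) {
    $Current[$name] = @(& $Checks[$name] | Sort-Object -Unique)
}

# Compare with the last run: new findings are regressions (drift), vanished ones are fixes.
if (Test-Path -Path $BaselinePath) {
    $Baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($name in $Current.Keys) {
        $old   = @($Baseline.$name) | Where-Object { $_ }
        $new   = $Current[$name] | Where-Object { $old -notcontains $_ }
        $fixed = $old | Where-Object { $Current[$name] -notcontains $_ }
        foreach ($dn in $new)   { Write-Output "REGRESSION  $name  $dn" }
        foreach ($dn in $fixed) { Write-Output "REMEDIATED  $name  $dn" }
    }
} else {
    Write-Output "No baseline at $BaselinePath; recording this run as the baseline."
}

# Summarise the current state, then save it as the baseline for the next run.
foreach ($name in $Current.Keys) {
    Write-Output ("{0,-32} {1} finding(s)" -f $name, $Current[$name].Count)
}
New-Item -ItemType Directory -Path (Split-Path -Path $BaselinePath) -Force | Out-Null
[pscustomobject]$Current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
```

Run it on a schedule from a host with a read-only directory account; the value is in the REGRESSION lines, which show a risky setting being reintroduced after it was cleaned up, which is exactly the drift the interview describes. A point-in-time query like this only sees the current state of the directory; it does not tell you who made a change or when, so it complements, rather than replaces, change auditing and replication-metadata monitoring.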