6 Ways to Fortify Active Directory Before it Lands in the Wrong Hands

By Kartik Shahani, Country Manager, Tenable India

Since the beginning of 2021, India has witnessed the most ransomware attack attempts per organization, with an average of 213 weekly attacks. Ransomware is more damaging than most other malware because it does not merely infect a device; it encrypts the data on it, and victims frequently pay the ransom in exchange for a decryption key that restores access. Attackers have also stopped limiting themselves to the data on the infected device itself. Modern ransomware enumerates mapped drives and any file shares reachable on the network, encrypts those as well, and exfiltrates copies of the data, which are then sold or leaked on the dark web.

Malware usually includes a means of propagating itself from the initially infected device to other devices on the same network. Increasingly, rather than writing that propagation code themselves, cybercriminals abuse a mechanism that is already present in almost every enterprise network: Active Directory (AD).

AD lets organizations centralize the management of user login credentials, push configuration to servers and workstations through Group Policy, and control many other aspects of security. Once attackers gain privileged access to AD, they effectively own the organisation's IT infrastructure: they can push a malicious Group Policy or scheduled task to every domain-joined machine and move laterally to whichever systems they choose. Even when IT teams harden the domain controllers (the servers that run Active Directory Domain Services), AD can still be compromised through ordinary end-user devices if security best practices are not followed, because privileged credentials used on a workstation can be dumped from its memory and replayed by whoever controls that workstation. Here is how organisations can make it difficult for attackers to weaponize AD:

1. Reduce privileged AD group membership: Limiting membership of the Domain Admins and Enterprise Admins groups is essential, but they are not the only privileged groups in AD. Schema Admins is one example: its members can modify the forest schema, which defines every object class and attribute in the forest, and because schema changes are rarely reviewed an attacker holding that right can introduce changes that go unnoticed. Built-in groups such as Administrators, Account Operators, Server Operators, Backup Operators and Print Operators also grant rights that can be escalated to full domain compromise. Organisations can start by auditing the membership of all privileged AD groups, including members inherited through nested groups, and then working to reduce that membership to the minimum set of dedicated administrative accounts.

2. Restrict the use of privileged AD accounts: If privileged AD credentials are typed into ordinary endpoints (a helpdesk session on a user's laptop, for example), those credentials are cached on the endpoint, and it is only a matter of time before an attacker who compromises one of those devices harvests them. Organizations should limit the use of privileged AD accounts to Privileged Access Workstations, devices hardened specifically for administering Active Directory, and block those accounts from logging on anywhere else using Group Policy user rights assignments such as "Deny log on locally" and "Deny log on through Remote Desktop Services". A side benefit is detection: once it is known exactly which systems are allowed to perform administrative tasks, any privileged logon originating from another system is a clear signal of misuse that security teams can alert on.

3. Manage end-user devices using a local account: Organizations generally give remote support staff access to end-user devices with a domain account, which exposes a domain credential, often a privileged one, on every device they touch. If the local administrator password on each device is randomized and rotated automatically, as Microsoft's Local Administrator Password Solution (LAPS) does, remote support can use that local account instead and domain accounts need never be used on end-user devices. This makes Active Directory harder to compromise from the endpoint: a captured local administrator password is valid on one machine only and expires at the next rotation, whereas a captured domain credential is valid everywhere. Auditing local administrator passwords to confirm that every device has a unique, regularly rotated one lets organisations stop using domain accounts for remote support.

4. Protect privileged AD accounts with multi-factor authentication: A password is a single secret, and anyone who obtains it, whether by phishing, by dumping it from memory or by guessing it, can use it. Yet many organizations rely on passwords alone to protect privileged AD accounts. Even long, complex passwords are frequently written down or reused, which undermines the policy that mandated them. Microsoft estimates that multi-factor authentication blocks more than 99.9% of automated account-compromise attacks. It requires the administrator to present something in addition to the password, such as a biometric gesture, a hardware token or a one-time code generated by an authenticator app, so a stolen password alone no longer grants access.

5. Monitor AD for unusual activity: Continuously monitoring AD reveals misuse of privileged accounts and other malicious behaviour while it is happening rather than months later. Domain controllers record the relevant activity in the Windows Security event log, including membership changes to security-enabled groups (event IDs 4728, 4732 and 4756), account logons (4624) and logons with explicit credentials (4648). Forwarding those logs to a Security Information and Event Management (SIEM) product and alerting on, for example, a new member in Domain Admins or a privileged logon from a non-administrative workstation gives security teams the opportunity to block ransomware and other malware before it spreads across the entire network.

6. Implement a tiered administration model for AD: Having many users whose privileges reach sensitive systems is risky, and the repercussions of a single breached privileged account can be costly. Reorganising AD administration into tiers contains lateral movement: tier 0 holds the domain controllers, the accounts that administer them and the Privileged Access Workstations used to do so; tier 1 holds servers and applications; tier 2 holds end-user devices and the helpdesk staff who support them. Credentials belonging to one tier are never used on assets of a higher-value tier. If an attacker compromises a tier 2 account such as a helpdesk user, any attempt by that account to authenticate to a tier 0 asset is both blocked by policy and an unusual event that security teams can spot and use to stop the lateral movement.
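The audit that points 1 and 2 call for, as an added example that is not part of the original article: it expands the protected groups recursively so members hidden inside nested groups are still counted, reports the password age and status of each privileged user, and then lists accounts still stamped with adminCount=1 that no longer sit in any protected group (a common leftover from old admin accounts). It assumes the RSAT ActiveDirectory module and read access to the domain; the group list is the set of groups protected by AdminSDHolder.

```powershell
# Added example: audit privileged AD group membership. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Groups whose members are protected by AdminSDHolder; all of them grant rights that
# can be escalated to full domain control, not just Domain/Enterprise Admins.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)

$Report = foreach ($GroupName in $PrivilegedGroups) {
    # -Filter rather than -Identity: Enterprise Admins and Schema Admins exist only in the
    # forest root domain, and we do not want a child-domain run to abort on them.
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $Group) { continue }

    # -Recursive expands nested groups, so a user two groups deep is still reported.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.DistinguishedName -Properties PasswordLastSet, LastLogonDate, adminCount
            [pscustomobject]@{
                Group           = $GroupName
                SamAccountName  = $User.SamAccountName
                Enabled         = $User.Enabled
                PasswordAgeDays = if ($User.PasswordLastSet) {
                                      [int](New-TimeSpan -Start $User.PasswordLastSet -End (Get-Date)).TotalDays
                                  } else { $null }
                LastLogonDate   = $User.LastLogonDate
                AdminCount      = $User.adminCount   # 1 = stamped by AdminSDHolder
            }
        }
}

# Full picture: who is privileged, through which group.
$Report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
"Distinct privileged accounts: " + @($Report.SamAccountName | Sort-Object -Unique).Count

# Act on these first: disabled accounts that were never removed, and passwords older than a year.
"Stale or disabled privileged accounts:"
$Report | Where-Object { -not $_.Enabled -or $_.PasswordAgeDays -gt 365 } |
    Format-Table Group, SamAccountName, Enabled, PasswordAgeDays -AutoSize

# Orphaned adminCount=1 accounts: removed from the protected groups but never cleaned up,
# so they keep the non-inheriting ACL and are often forgotten administrative accounts.
"Accounts stamped adminCount=1 but not in any protected group:"
Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $_.SamAccountName -notin $Report.SamAccountName -and $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, DistinguishedName
```

Run it from a workstation with RSAT as a user with ordinary read rights; nothing in it modifies the directory. Re-running it on a schedule and diffing the output against the previous run turns the one-off audit into the membership monitoring point 5 asks for.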
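The two detections points 2 and 5 describe, as an added example that is not from the original article: an addition to a privileged group, and an interactive or RDP logon by a privileged account on a machine that is not an approved administrative workstation. The rules run here over constructed sample events so they can be tried without a domain; the account names (da-alice, da-bob), the workstation allow-list (PAW01, PAW02) and the CORP domain are illustrative assumptions. A second function flattens real Security-log events into the same shape for live use.

```powershell
# Added example: alerting rules for privileged-group changes and off-PAW privileged logons.
# Names below (CORP, da-alice, da-bob, PAW01, PAW02) are assumptions for illustration.
$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$PrivilegedAccounts = @('CORP\da-alice', 'CORP\da-bob')   # may only be used from the PAWs below
$AdminWorkstations  = @('PAW01', 'PAW02')

# Security event IDs: 4728/4732/4756 = member added to a security-enabled global/local/universal
# group; 4624 = successful logon. LogonType 2 = interactive, 10 = RDP; both leave reusable
# credentials on the host, which is why they are the ones that must stay on PAWs.
$GroupChangeIds = 4728, 4732, 4756

function Test-AdEvent {
    param([Parameter(Mandatory)][pscustomobject]$Event)
    if ($Event.Id -in $GroupChangeIds -and $Event.TargetGroup -in $PrivilegedGroups) {
        return "ALERT privileged-group-change: $($Event.Subject) added $($Event.Member) to '$($Event.TargetGroup)' on $($Event.Computer) at $($Event.Time)"
    }
    if ($Event.Id -eq 4624 -and $Event.LogonType -in 2, 10 -and
        $Event.Account -in $PrivilegedAccounts -and $Event.Computer -notin $AdminWorkstations) {
        return "ALERT privileged-logon-off-paw: $($Event.Account) logon type $($Event.LogonType) on $($Event.Computer) at $($Event.Time)"
    }
    return $null
}

function Get-LiveAdEvents {
    # Read the same event types from the local Security log (a DC, or a collector receiving
    # forwarded endpoint logs) and flatten the EventData fields into the shape Test-AdEvent expects.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = ($GroupChangeIds + 4624) } -MaxEvents 5000 |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Id          = $_.Id
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Member      = $d.MemberName                     # DN of the added member (4728/4732/4756)
                TargetGroup = $d.TargetUserName                 # for group-change events the "target user" is the group
                LogonType   = if ($d.LogonType) { [int]$d.LogonType } else { 0 }
            }
        }
}

# Constructed sample events (not real logs), already in the flattened shape.
$SampleEvents = @(
    [pscustomobject]@{ Id=4728; Time='2021-06-01 02:13:44'; Computer='DC01';          Subject='CORP\helpdesk-joe'; Account='CORP\Domain Admins'; Member='CN=svc-backup,OU=Service,DC=corp,DC=local'; TargetGroup='Domain Admins'; LogonType=0 }
    [pscustomobject]@{ Id=4728; Time='2021-06-01 09:00:10'; Computer='DC01';          Subject='CORP\da-alice';     Account='CORP\Sales';         Member='CN=new.hire,OU=Users,DC=corp,DC=local';      TargetGroup='Sales';         LogonType=0 }
    [pscustomobject]@{ Id=4624; Time='2021-06-01 09:05:00'; Computer='PAW01';         Subject='-';                 Account='CORP\da-alice';      Member=$null; TargetGroup=$null; LogonType=2  }
    [pscustomobject]@{ Id=4624; Time='2021-06-01 11:30:22'; Computer='WS-FINANCE-07'; Subject='-';                 Account='CORP\da-bob';        Member=$null; TargetGroup=$null; LogonType=10 }
    [pscustomobject]@{ Id=4624; Time='2021-06-01 11:31:00'; Computer='WS-FINANCE-07'; Subject='-';                 Account='CORP\da-bob';        Member=$null; TargetGroup=$null; LogonType=3  }
)

# Expected: two alerts. Event 1 (helpdesk account adding a member to Domain Admins, outside
# business hours) and event 4 (da-bob RDP to a finance workstation). Event 2 touches a
# non-privileged group, event 3 is a PAW, and event 5 is a network logon (type 3), which
# does not leave credentials on the remote host and is normal remote administration.
$SampleEvents | ForEach-Object { Test-AdEvent $_ } | Where-Object { $_ }

# Live use on a DC or log collector:
# Get-LiveAdEvents | ForEach-Object { Test-AdEvent $_ } | Where-Object { $_ }
```

Event 4624 is written by the machine where the logon happens, so the off-PAW rule only works if workstation Security logs are forwarded to the collector or SIEM; the group-change events are written by the domain controllers and need only DC logs. In a SIEM the same two rules are a group-membership filter and a join of privileged account against an allow-list of hosts.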

The security industry at large has not done well at addressing threats involving AD. Most Indian organizations still treat AD as something to be scanned twice a year. With several high-profile attacks in the last few years having spread through AD, it is more important than ever to make AD security part of the organization's overall cybersecurity strategy. Continuous monitoring of AD identifies configuration weaknesses and ensures that potential threats and breaches are detected swiftly. Organizations need to find and fix security issues in AD before attackers exploit them to spread ransomware.
