Keeping Active Directory out of Hackers’ Cross-Hairs
Active Directory is a prime target for threat actors and companies must act now to eliminate it as a threat vector. Here’s why, and how.
What is Active Directory?
Active Directory (AD) is an authentication and directory service used by organizations of all types and sizes, including government agencies, healthcare facilities, and small businesses. To say it’s ubiquitous is an understatement; an estimated 90% of enterprises and 100% of Fortune 500 companies rely on it (or its cloud-based version, Azure AD) for authentication services.
While AD provides both users and administrators with a plethora of useful, central services, its security has not kept pace with the growing complexity of the modern digital ecosystem. This is unfortunately a major issue. AD is a tempting target for threat actors because of the rich personal data (account information, financial records, etc) it tends to hold.
Exploiting compromised credentials and other password-related vulnerabilities is the chief avenue threat actors use to attack AD. While there are some protections in place, major gaps exist, and as the credential crisis continues to escalate, organizations across all industries are facing a huge challenge.
What’s the issue with credentials?
The ‘credential crisis’ refers to the state of compromised credentials being used in many digital attacks. Over the past decades, cybercriminals have amassed databases of billions of account credentials and other PII, mostly thanks to poor password hygiene, weak passwords, and data breaches. These databases of stolen credentials, in turn, lead to more data breaches.
With an ever-expanding attack surface, it’s no wonder credentials are attractive to threat actors. The Verizon Data Breach Investigations Report (DBIR) stated that most ransomware attacks begin with breached credentials.
What about AD makes it a target?
AD is an attractive target for threat actors because once they get inside a network, they have access to the entire system, including sensitive information such as password hashes.
For example, take the AD password management system. Once a credential is reset, it automatically updates across the network, which is efficient. However, this process fails to determine if a credential has already been exposed in a breach.
In a similar thread, administrators within AD can create privileged accounts and groups, granting users extensive rights, privileges, and permissions to perform almost any action within domain-joined systems. While efficient, this presents a significant security risk: once access is established, the entire company network and all data become vulnerable.
These examples point at AD’s “fatal flaw” that organizations must address: preventing compromised credentials from being used to gain network access.
If a threat actor gains privileged access within AD, they theoretically have a golden ticket to everything.
How can an organization protect itself?
Account auditing and management are just the tip of the iceberg when it comes to defensive stances an organization can take. They can also ensure proper access permissions, periodically remove stale accounts, and address the password problem.
Concerns and solutions around passwords are perhaps the most important to learn more about, and not just because most breaches result from attackers using compromised credentials. A study from Microsoft found that 90% of organizations have an insecure AD configuration reducing their cyber resiliency. It also found that 80% of security incidents could be fixed by adopting modern security practices.
In addition, there are several threats to AD that actually stem directly from compromised credentials, including privilege escalation, ransomware and malware attacks, lateral movement, and insider threats.
While AD does have some built-in password security features (like complexity requirements and minimum password age) that are better than nothing, they certainly fail to adequately protect the password layer.
In the same vein, Azure AD has an additional layer of protection by comparing in-use passwords against Microsoft’s Global Banned Password list and custom banned lists curated by the individual organization. This helps reduce leetspeak substitutions and name use within user-generated passwords.
These features offer a basic level of protection but, to be frank, are no match for today’s security landscape.
What would comprehensive password protection require?
Being up-front with ourselves about the challenge of password protection is the first step we can take in addressing it. A modern credential screening solution within AD would need:
Most issues with passwords have flaws due in great part to user habits. Understanding that we will not “defeat” human habits but we need to acknowledge and design around them is a necessary step when designing policies.
For example, users understand the importance of creating strong, unique passwords for every online account. In practice, however, these considerations are often outweighed by demands for convenience, efficiency and the inability to remember numerous complex passwords. Ninety-one percent of respondents in one survey acknowledge the inherent risks of using the same password across multiple accounts, but 59% admit to doing it anyway.
To improve security outcomes, password policies need to focus on exposure—not expiration or complexity.
The National Institute for Standards and Technology (NIST) recommends that companies screen new passwords against those known to be commonly used, expected, or compromised. Given the vast and ever-growing amount of newly exposed credentials available to hackers, organizations must continuously check password integrity to keep these credentials out of AD.
Enter: Enzoic for Active Directory
The only way to protect passwords effectively is by continuously screening credentials against a database that reflects the latest breach intelligence.
Enzoic for Active Directory is a cost-effective, efficient solution that complies with NIST recommendations to protect account and system access without adding an additional IT burden or introducing friction into the user experience.
With Enzoic for AD, companies can check password integrity at creation and on an ongoing basis—ensuring that the IT environment is free of unsafe passwords. It’s an easy-to-install plugin that provides a frictionless way to identify, monitor, and remediate unsafe passwords.
With the pace of credential-based attacks showing no sign of slowing, it’s clear that protecting the password layer is a critical component of a modern AD security strategy. Every organization must take steps to shore up its defenses and reduce the threat of attacks and data breaches.