Bullseye on Active Directory.

Category: News
Published: 5^th February 2024

< Back to Media

Explaining why Active Directory attacks are the new threat target.

Definition

Active Directory (AD) is a technology used to manage computers and other devices on a network. AD allows network administrators to create and manage domains, users, and objects within a network. Admins can give groups of users’ specific access privileges to certain areas of a server. It also serves an organisational tool to place users into groups and subgroups, providing access control at each level.

The history of AD.

AD is a legacy technology, released in 1999, but it still plays a massive role in the organisation and authorisation of most modern companies. It was built prior to Zero Trust principles and has been used for years as building blocks for their authentication architecture. In cyber security now, AD is often used to describe a variety of identity-related services.

In recent years, remote working has increased, simultaneously there has been a growth in the reliance on AD for secure authentication and authorisation. This has created vulnerabilities in remote access solutions and can allow attackers to target weak authentication mechanisms and gain access to AD environments. That said, AD remains important and it is used by over 90% of Fortune 1000 companies.

Even though it’s a legacy technology, AD remains the best way of creating users and managing devices. As hybrid and remote working have become the norm, Azure AD has developed as the cloud version of AD. Azure AD is the identity platform which manages internal and external users securely. It has helped modernise AD technology by evolving alongside the trend of remote and hybrid working. In September 2022, 22% of the GB workforce worked at least one day from home. To adapt to this, AD vulnerability assessments do both on-prem and cloud assessments. By offering multiple options of AD, it has developed alongside the varied cyber security landscape.

Common examples of AD attacks include:

Password attacks. Attackers try to gain access either by trying all possible password combinations for a single account until one is correct, or by testing a small number of commonly used passwords against a large number of accounts (the latter method is harder to detect).
Pass the Hash. This is when an attacker uses the account’s hashed password values rather than their plain text passwords. This is hashed password is captured from one system to authenticate other systems.
Pass the Ticket. Cyber criminals use stolen Kerberos tickets to authenticate to resources (file shares and other computers) as a user without having to compromise that user’s password.
Password Spraying. A technique which attempts to trying to authenticate with a list of frequently used passwords.
Golden Ticket. The Kerberos authentication protocol is manipulated to allow a hacker access to the organisation’s entire domain. Similarly, a ‘silver ticket attack’ uses this forged service ticket for a specific resource.
DNS Spoofing and Poisoning. Attackers impersonate legitimate brands to manipulate DNS records to gain unauthorised access.

Why is Active Directory the target for so many attacks?

Recently, Active Directory has been the target for many attacks as attackers target users and computers to infiltrate entire business’ networks. Once they have gained access to an AD, attackers gain entry to a plethora of information which allows them to access, elevate privileges, move around a system laterally and identify targets within the infrastructure.

AD attacks are not deployed via malware, once the attacker has the ‘keys’ to the organisation they can enter as they please. This is harder to track and can be more dangerous as they then have access to an abundance of data within the organisation. A Business Wire report revealed that 50% of organisations experienced an attack on Active Directory over the past few years. It is not a new target of attack; however recent trends have exacerbated the opportunities for cyber criminals. Attackers are aware of the importance AD holds within a business, as it contains vital data. If they successfully infiltrate a company’s AD, it provides a goldmine of information.

Identity-based attacks have shortened the cyber-kill chain, allowing criminals to quickly steal credentials. Rather than the typical attack path, which involves more steps such as ‘initial access’ and ‘discovery’, Active Directory attacks can access directly at the ‘lateral movement’ stage. This gives them more time to access the environment and make a larger impact. Additionally, with valid credentials, it is harder to detect and prevent these attacks, further increasing the impact they can make.

The recent surge in remote working has meant that organisations rely on Active Directory for secure authentication and authorisation. Therefore, new opportunities are given to attackers who can exploit vulnerabilities in remote access solutions and target weak authentication mechanisms. This makes gaining authorisation an easier task.

Credential-based attacks such as phishing have increased in number as well. Once a user has clicked on a phishing email, they are granted access to user accounts. Tt is an easy method which can be deployed on mass with a large impact if successful.

Active Directory has a complex structure which allows many opportunities for privilege escalation at many levels. For example, if an organisation has weak access controls, or inadequate monitoring; these all provide the opportunity for attackers to infiltrate.

The increase in ransomware attacks across cyber security means that attackers can then target AD to maximise the impact on organisations. Many companies still do not have adequate security practises. As they are not properly protected, it easier for attackers to exploit vulnerabilities. This is because a security breach of AD exposes the identity infrastructure and allows a large opportunity for malicious actors to attack. As a result of this compromised state, companies may be vulnerable to future ransomware attacks, or data breaches, both of which entail further serious consequences.

Red Helix’s protection of AD.

At Red Helix, we offer identity protection and AD vulnerability assessments to help you combat the increasing threat of AD and identity-based attacks. By being aware of your current infrastructure and alerted to potential vulnerabilities you can be provided with the necessary tools to securing your robust security posture.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
crisp-clientsession/*	6 months	Session ID for existing chat through Crisp chat
li_gc	2 years	No description

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-3109036-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Send a message

Contact details

Social media