Back to “The Basics” Blog Series – Part 2: Active Directory

Part 2 – Active Directory

This is the second part of a three-part series on Maersk, me, & notPetya, a blog post by Gavin Ashton about his experiences responding to and recovering from the NotPetya ransomware outbreak at Maersk.

Not everyone realizes that in the last several years ransomware has made significant advances in its ability to not just infect a single computer, but to also pivot from that computer and infect other workstations and servers. Following a common pattern in technology, the makers of ransomware have adopted techniques previously the domain of more advanced actors – in effect, commoditizing these techniques.

Like advanced persistent threat (APT) actors, the authors of modern ransomware abuse Active Directory to propagate ransomware throughout an enterprise network following the compromise of a single computer. These strains of ransomware programmatically discover and exploit credentials, using techniques like pass-the-hash to worm their way through an enterprise network. In a matter of minutes, a single compromised workstation can result in every domain-joined workstation, server, and domain controller falling prey to a ransomware attack. What happens to an organization when their backups are also joined to the Active Directory domain?

Gartner estimates that information security spending is increasing at an annualized rate of 8.2%. Despite this and the attention paid to APTs, these techniques remain effective against many organizations today – so, are we prioritizing the wrong things? In a single word: yes. As Gavin’s eight “basics” show, it doesn’t take a multi-million-dollar investment to improve Active Directory security. It does require something harder: shifting away from the instant-gratification culture in information technology, and unwinding decades of practices that treat all assets the same.

The tactics used by APTs and modern ransomware are all rooted in the same thing: the abuse of the trust in Active Directory, and a lack of protection for the directory itself. It doesn’t matter how strong your endpoint controls are; if domain administrators are logging on to workstations (or servers), then the entire organization is at risk. In the next post in the series, we’ll discuss how privileged access management is essential to solving these problems, and how new approaches in PAM greatly improve upon the solutions of the last fifteen years.
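One way to check for the condition described above, added here as an example and not code from the original post: a PowerShell script that reads a workstation's or member server's Security log and reports interactive, RDP and cached logons by members of Domain Admins. It assumes the ActiveDirectory RSAT module is installed, the session is elevated, and the $ComputerName and $Days parameters are supplied by the operator.

```powershell
# Added example: find logons by Domain Admins on a non-domain-controller host.
# Assumes the ActiveDirectory RSAT module, an elevated session, and that
# logon auditing (Security event 4624) is enabled. Parameters are illustrative.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30
)
Import-Module ActiveDirectory

# Resolve the full (nested) membership of Domain Admins to SAM account names.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# Logon types that leave reusable credential material on the host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
$riskyLogonTypes = @('2', '10', '11')

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

foreach ($event in $events) {
    # Read named fields from the event XML instead of positional Properties,
    # which differ between Windows versions.
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($riskyLogonTypes -contains $data['LogonType'] -and
        $privileged -contains $data['TargetUserName']) {
        [pscustomobject]@{
            Time      = $event.TimeCreated
            Computer  = $ComputerName
            Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
        }
    }
}
```

Any row returned is a privileged account whose credentials were exposed on a lower-tier host; an empty result on every workstation is what a tiered administration model should produce.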

As I mentioned in the first post of this series, we’ll be running a webinar with Identity & Security Expert and author of the viral “Maersk, me, & notPetya” blog post, Gavin Ashton, for a 60-minute crash course on why “Do[ing] the basics” is any organization’s best option for mitigating the risks associated with credential compromise and advanced threats. I will also provide attendees a useful and valuable real-world practitioner’s guide to leverage when implementing Gavin’s advice, providing specifics on the approaches and tactics organizations can leverage to quickly secure what matters most. Register here!
