We have just done the first episode of our Insider Threat podcast, and it was a little scary. I’m no stranger to doing a show; so that wasn’t scary. What was frightening is how easily the bad guys can exploit our Active Directory and Microsoft platforms. I sat down with Jeff Warren, who wrote our recent blog series, 4 Active Directory Attacks and How to Prevent Them, and asked him how difficult it was to find and deploy the attacks he described. Now, I know it isn’t hard to find ways to exploit vulnerabilities. There are whole marketplaces on the Darknet to buy kits to be a cybercriminal. It is easy to assume, however, that these kits require some expertise and background to use. What Jeff clarified is that a person needs only malice, patience, and a good internet connection to be the kind of cybercriminal we all worry about. Tools like BloodHound, PowerShell, and Mimikatz don’t even require people to invest a dime (or a bitcoin) to get started.
In the Microsoft world, there has been a big reaction to exploits like EternalBlue, which have recently done damage in the wild through WannaCry and other malware. One of the most interesting parts of our discussion is when Jeff points out that these are not where we really ought to focus our energy. The reason is simple. You can patch yourself out of vulnerabilities like WannaCry.
However, there are nagging, foundational issues that are extremely hard to tackle and are the heart of the 4 Active Directory attacks we lay out. These issues are about handling admin rights – both at the domain and local level. They’re also about ensuring you are watching for obviously fraudulent authentications, tickets, and other security events. Unless you have the organizational will to act on these things, the next EternalBlue-like headline won’t matter because you’ll already be a target for attackers using free tools to exploit the normal ways of doing business.
Of course, there are strategies to mitigate the security risks of your Active Directory and Microsoft platforms. We talk about that in the podcast, but focus more on how the bad guys pull off these attacks. If you read the blog series in connection with the podcast, then you get the whole picture – how the bad guys formulate these attacks, what the attacks do to take advantage of your systems, how you can tell if you’re vulnerable, and what you can do to improve your security posture.
Click here to listen to the podcast.
To read the full blog series accompanying the podcast, please click here.
To be notified of Insider Threat Podcast episodes, sign up here.