Active Directory Attack Blog Series
Spending time with customers in Texas last week left me speechless – literally. One customer asked me a question for which I was not prepared. They have been following our Active Directory attack blog series. They found it very interesting, but they had one major question. Why should they spend so much time thinking about what attackers do? If they spend all their time creating good security programs and practices, isn’t that the best they can do? I have been taking the value of the work we have done exposing attacks for granted. But had I been mistaking “cool” for “valuable” this whole time? The conversation that followed brought out some interesting points, and I thought I would share it with all of you.
For me, this is a philosophical truth right out of Sun Tzu’s Art of War – know your enemy. Of course, quoting philosophy books isn’t a good way to get budget approved in many organizations. So the challenge here is to articulate exactly why this is true. Talking it through, this IT Director and I came up with three (3) good reasons why knowing how bad guys attack makes business sense:
- Fix bad configurations and poor Active Directory practices—Many assume that keeping a system like Active Directory safe is Microsoft’s responsibility. Something goes wrong and they ought to issue a patch. But a door with an excellent lock from the manufacturer is easy to walk through if you leave it open. In other words, a fully patched Active Directory can still be open to threats from bad configurations and poor practices. All the Active Directory attacks we discuss fit into this category. There are no patches to solve these issues. If you don’t understand the dangers of these common practices, you will not know what to look for as signs of being attacked, nor how to approach changing practices and policies to avoid Active Directory attacks.
- Build a business case for protecting Active Directory—Being conversant on how the bad guys are attacking you makes it easy for you to justify the time, effort, and tooling you want to invest in protecting these platforms. If the first item is about making sure you understand these attacks yourself, this is about making sure you can help others understand them, too. Your program is likely similar to this customer’s and you are likely in a constant battle to protect and secure executive investment in the maintenance and expansion of the program. A big part of that is quantifying the risks the program mitigates and that means clarifying the cost of doing nothing. What we are doing is arming you with the weapons you need to build a business case that is clear.
- Prioritize investments based on your greatest Active Directory risks—Knowing there are threats you must address, and being able to express the risk of not addressing those threats, is not the whole picture. Understanding the relative ease of the Active Directory attacks helps you prioritize. You know where you have spent time building up monitoring and controls. You also know where you are not as well-defended as you would like. If you find out there’s an easily attacked spot that sits in one of your current blind spots, then you have a good candidate for a high priority task. Being able to prioritize effort in this way lets you spend time and resources wisely. That not only means you get more done, it also feeds into that second point of being able to better position your program to executives further up the food chain. If you can show that you have built a program that has clear goals, weighted by risk, and prioritized by effort and resources, then you will present yourself as running a mature security program.
Read the Active Directory Attack Series
If you have not been reading the Active Directory attack series, then you should start immediately (Or maybe you’ll want to finish this to understand the value and then go off and read them.) So far, we’ve written up attacks on your core Active Directory platform, service accounts, permissions in Active Directory, and we’ve just started a series on how attackers use Mimikatz to steal credentials. In all these blogs, you will learn the methods of the bad guys from reconnaissance through persistence to data exfiltration. If you have never looked at how easy the bad guys have it and how many tools are out there to help them, it may be pretty scary. More than simply being scared, though, we hope that these will help you improve your security program’s impact and value.
To register for the Active Directory attack webinar, How Attackers Are Stealing Your Credentials with Mimikatz, please click here.
Jonathan Sander is STEALTHbits’ Chief Technology Officer (CTO). As CTO, he is responsible for driving technical innovation, ensuring that STEALTHbits is well positioned in their current and emerging markets, and he will also lead corporate development efforts. Jonathan also plays the role of evangelist at STEALTHbits venues large and small. Prior to STEALTHbits, Jonathan was VP of Product Strategy for Lieberman Software.
As part of Quest Software from 1999 through 2013, he worked with the security and ITSM portfolios. He helped launch Quest’s IAM solutions, directing all business development and product strategy efforts. Previous to that, Mr. Sander was a consultant at Platinum Technology focusing on the security, access control and SSO solutions. He graduated from Fordham University with a degree in Philosophy.