Attack Path Management: Securing the Active Directory
Conti, SaveTheQueen, Quantum, Samas, Maze, Bumblebee… In recent years, a range of ransomware families have been used to attack companies’ Active Directory and spread through their systems, allowing cybercriminals to carry out actions such as hijacking confidential information. This trend has highlighted the need for Attack Path Management processes that detect possible attack paths, strengthen security layers and secure an asset as critical to companies as AD.
Without going any further, the possibility of attacking Kerberos, an authentication protocol widely used in Active Directory, has brought to the forefront the need to implement security mechanisms to prevent cyber-attacks against AD from succeeding.
This task is crucial because Active Directory is dynamic: new elements and configurations are constantly being introduced. A security assessment carried out at a given point in time may therefore already be out of date, since it does not cover the changes that have occurred since then, whether new attack vectors or, given the dynamism of this type of environment, newly deployed policies, configurations or services with insecure parameterisation.
Attack Path Management considers this reality, making it possible to continuously analyse the possible attack paths against the AD, helping companies anticipate the malicious actions of criminals and secure their Active Directory and, with it, the whole organisation.
Today we will analyse what Attack Path Management consists of and how it can help prevent ransomware attacks or possible intrusions from being effective and allowing them to spread through companies’ Active Directory services.
1. Active Directory: Essential for businesses and a target for bad guys
Let’s start at the beginning; what exactly is Active Directory? It is an enterprise service created by Microsoft that consists of a hierarchical structure in which information about users, computers/servers, services, and shared resources is centralised and stored and from which all aspects affecting the Windows infrastructure are comprehensively managed.
The Active Directory domain infrastructure is the backbone on which much corporate information is largely based. Data is not only stored but also made available to users and administrators of that network. We are talking about personal and service credentials, information stored in directory services, databases, and any information stored on file servers whose access control settings depend directly on the configurations established in Active Directory services.
To protect this data, which is of vital importance for any company, Active Directory provides domain services:
- Authentication protocols (such as Kerberos) ensure that the person accessing the network is who they say they are.
- Authorisation model, to establish who can access a given resource or information (e.g. a document).
In this way, Active Directory is used to store and systematise the data that an organisation’s professionals use to do their work. It is, therefore, both essential for companies and an extremely attractive target for cybercriminals.
Exploiting vulnerabilities in Active Directory opens the doors of an organisation to malicious actors, who can use ransomware to infect users and computers, steal credentials, escalate privileges, commit fraud or even paralyse an organisation’s activity.
1.1. Why is AD an attractive avenue of attack for bad guys?
In addition, Active Directory is a particularly interesting avenue of attack because:
- It leads criminals to their targets (spying, data hijacking…).
- Detection is complex because malicious actors benefit, for example, from poor corporate network security permissions management and possible deficiencies in audit models or traceability of events that may occur in the infrastructure. These situations mean that evasion techniques employed by attackers can be more fruitful.
- Persistence options are greater, making it possible to carry out more complex attacks that require persistence in the network for a longer period.
- Many organisations focus on securing their security perimeter, neglecting security within the network.
2. Attack routes: Getting to the treasure map before the hackers do
As anyone who saw The Goonies as a child knows, there is nothing more important to pirates than the treasure map. To stop them from getting it, it is essential to discover the route to the treasure before they do. Regarding attack routes against a corporate network, it is similar. Criminals are busy discovering routes that allow them to accomplish their malicious goals.
These routes go beyond finding attack vectors; the vector is only the beginning of the route, the gateway to the cave where the treasure is hidden.
This is because the routes include the steps to develop the attack tactics (privilege escalation, lateral movement, persistence) until the concrete actions are carried out: exfiltrate information, hijack data, paralyse the company and threaten business continuity…
It is, therefore, a mistake to focus all cybersecurity resources on protecting an organisation’s perimeter while neglecting internal security mechanisms, or, to put it another way, the controls that detect and prevent attacks from the exploitation phase of the Cyber Kill Chain onwards.
On the other hand, Attack Path Management focuses on detecting and analysing attack paths along their entire length, facilitating the identification of weaknesses in the Active Directory that could allow all phases of the cyber-attack lifecycle to be completed.
3. Attack Path Management: Protecting Corporate Networks Proactively
Attack Path Management overcomes the traditional tendency to focus on fortifying the perimeter of systems and networks, opting for a more holistic view of attacks and the paths malicious actors follow to achieve their objectives.
In contrast to vulnerability management, which focuses on detecting and mitigating vulnerabilities in a system that attackers can exploit, Attack Path Management focuses on understanding how these actors act and what weaknesses they can use to move from one phase of the Cyber Kill Chain to the next.
So it does not list the vulnerabilities of a network but maps the network to identify the different routes to the treasure, the company’s assets, and the ways of getting hold of them: stealing strategic information, bringing the work of professionals and the company to a halt…
This task must be continuous, and its mission is to secure the network externally and internally.
A vulnerability, treated individually, may not put the company’s security at risk. However, by chaining several vulnerabilities together, a malicious actor can build an effective attack route.
3.1. Be aware of misconfigurations
It is worth noting that vulnerabilities are often thought of as stemming solely from security weaknesses in software development. However, in the context of Active Directory infrastructures, many vulnerabilities stem from deficiencies in the application of security policies or from configuration errors unintentionally introduced by system administrators, whose repercussions can be business-critical.
Attack Path Management, therefore, focuses on viewing threats from a broad perspective, dissecting the processes and relationships between Active Directory elements. This requires a comprehensive and continuous analysis of the following:
- Users
- Devices
- Security groups
- Rights over Active Directory objects that could be abused
- AD policies
- Active sessions on critical systems by privileged users
- Overassignment of privileges on user accounts
- Configuration errors…
3.2. Visualising attacks before they occur
In Philip K. Dick’s futuristic story Minority Report, the police had three mutants who could foresee crimes before they happened. Bridging the huge gap between dystopian fiction and the reality of the fight against cyber-attacks, Attack Path Management serves precisely to foresee how an attack might develop before it happens.
So, on the one hand, the organisation can take the necessary mitigation actions to prevent it. But on the other hand, should a security incident occur, detection and response capabilities are optimised to expel the malicious actors as quickly as possible.
3.3. Mapping attack routes to block key points
Attack paths can be infinite. As noted above, Windows domain infrastructures are dynamic, and malicious actors are constantly devising new techniques, tactics and procedures. Therefore, blocking each attack route one by one is not operational. Instead, it is possible to detect common patterns in the paths and identify where actions can be taken to mitigate problems and cut off criminals.
By mapping attack routes, it is possible to graphically represent the steps attackers can take to reach critical company assets. This allows us to visualise the key points, also known as choke points, and to take early action before an intrusion can occur.
3.4. Prioritise remediation on the most dangerous attack paths
Each attack route has its specificities. Different elements and relationships between them come into play, the vulnerabilities that are exploited are diverse, and the critical assets they lead to also differ.
Attack Path Management, therefore, not only identifies and graphically represents attack paths but also serves to prioritise them according to their level of danger.
An attack path that leads to an asset of low criticality for the company is not as worrying as a path that gives attackers control over all corporate network users and access to a huge amount of valuable information that they could exfiltrate.
When we talk about prioritising attack routes, we are really pointing out the importance of prioritising a company’s resources to protect its critical assets and mitigate the weaknesses most dangerous to its interests.
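To make the ideas in sections 3.3 and 3.4 concrete (mapping paths as a graph, finding the choke points shared by many paths, and ranking targets by criticality), here is an added Python example. It is not code from the original article or from any product, and it runs on a small, constructed set of fictional Active Directory relationships: the principal and computer names, the relationship labels (MemberOf, AdminTo, HasSession, GenericAll) and the criticality scores are all assumptions made for the illustration.

```python
"""Toy attack-path model over Active Directory-style relationships.

Constructed example (not a real domain): nodes are users, groups and
computers; a directed edge (src, rel, dst) means that control of src
gives a path to dst via relationship rel. We enumerate simple paths to
high-value targets, measure which intermediate nodes most paths share
(choke points), rank targets by criticality, and check what a single
remediation would cut off.
"""
from collections import defaultdict

# Constructed sample relationships; every name here is fictional.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("bob", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("Helpdesk", "AdminTo", "WS02"),
    ("WS01", "HasSession", "svc_backup"),      # service account logged on
    ("WS02", "HasSession", "svc_backup"),
    ("svc_backup", "GenericAll", "Server Operators"),  # ACL over the group
    ("Server Operators", "AdminTo", "DC01"),
    ("DC01", "HasSession", "da_admin"),
    ("da_admin", "MemberOf", "Domain Admins"),
    ("carol", "MemberOf", "Finance"),
    ("Finance", "AdminTo", "FS01"),
]
STARTS = ["alice", "bob", "carol"]           # assumed low-privileged footholds
TARGETS = {"Domain Admins": 10, "FS01": 3}   # assumed criticality scores


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def find_paths(graph, start, target, max_depth=10):
    """All simple paths (node lists) from start to target, depth-limited."""
    paths = []

    def dfs(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        if len(path) > max_depth:
            return
        for _rel, nxt in graph.get(node, []):
            if nxt not in visited:
                visited.add(nxt)
                path.append(nxt)
                dfs(nxt, visited, path)
                path.pop()
                visited.discard(nxt)

    dfs(start, {start}, [start])
    return paths


def all_paths_to(graph, starts, target):
    """Union of paths from every foothold to one target."""
    return [p for s in starts for p in find_paths(graph, s, target)]


def choke_points(paths):
    """Fraction of paths that pass through each intermediate node."""
    counts = defaultdict(int)
    for p in paths:
        for node in p[1:-1]:
            counts[node] += 1
    return {n: c / len(paths) for n, c in counts.items()} if paths else {}


def prioritise(graph, starts, targets):
    """Rank targets by criticality x number of footholds that reach them."""
    rows = []
    for target, crit in targets.items():
        reaching = [s for s in starts if find_paths(graph, s, target)]
        rows.append((crit * len(reaching), target, reaching))
    return sorted(rows, reverse=True)


def simulate_fix(edges, removed):
    """Edge list with one relationship removed, to test a remediation."""
    return [e for e in edges if e != removed]


def render(path, edges):
    """Human-readable path with relationship labels on the arrows."""
    labels = {(s, d): r for s, r, d in edges}
    out = path[0]
    for a, b in zip(path, path[1:]):
        out += " -[%s]-> %s" % (labels[(a, b)], b)
    return out


if __name__ == "__main__":
    g = build_graph(EDGES)
    paths = all_paths_to(g, STARTS, "Domain Admins")
    for p in paths:
        print(render(p, EDGES))
    print("choke points:", sorted(choke_points(paths).items(), key=lambda kv: -kv[1]))
    print("priority:", prioritise(g, STARTS, TARGETS))
    fixed = build_graph(simulate_fix(EDGES, ("svc_backup", "GenericAll", "Server Operators")))
    print("paths after fix:", len(all_paths_to(fixed, STARTS, "Domain Admins")))
```

On this data every path to Domain Admins runs through Helpdesk, svc_backup, Server Operators, DC01 and da_admin, while WS01 and WS02 each carry only half of them. That is the choke-point view from section 3.3: removing the single GenericAll right of svc_backup over Server Operators (or keeping that service account from logging on to workstations) cuts all four paths, whereas hardening one workstation only removes two. The prioritisation in section 3.4 falls out of the same graph: the Domain Admins target outranks the file server because it is both more critical and reachable from more footholds.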
3.5. Cutting the Cyber Kill Chain of attacks as soon as possible
Attempting to cut the Cyber Kill Chain means having the knowledge and expertise in cyber intelligence and Threat Hunting to detect and respond to attacks early.
An Active Directory can be well configured and have no security vulnerabilities. And still, be successfully attacked. For example, a successful phishing attack can obtain the login credentials of a network user with administrative privileges in the infrastructure. Or a user could execute ransomware, facilitating its propagation in the corporate network.
Both cases are plausible attack routes, which must be considered when implementing detection and response measures in the early stages of the Cyber Kill Chain.
The further the attackers go, the more serious the repercussions of the security incident on the company: financial losses, damage to corporate reputation, legal consequences, etc.
4. Eight benefits of Attack Path Management
Considering Active Directory as a priority target and managing the paths to attack it brings with it a series of benefits for companies in their struggle to prevent and mitigate threats.
- Proactively detect weaknesses and prioritise them. The analysis and mapping of attack routes show which weaknesses can be used to advance towards the target (misconfigurations, poor security permissions policy, etc.). Resources must be prioritised to remedy weaknesses affecting critical assets.
- Check the organisation’s cyber exposure. Attack Path Management is used to build an overview of a company’s level of exposure and know where it is likely to be attacked.
- Understand how the bad guys can attack. Understanding how malicious actors operate and what techniques, tactics and procedures they might employ to attack Active Directory is critical to mapping attack paths.
- Reduce risk. Attack Path Management helps identify risks and remediate vulnerabilities before they are exploited.
- Optimise layers of defence. Attack Path Management’s core objective is to help improve layers of defence and protect Active Directory and critical company assets.
- Stop attacks at an early stage. The earlier an attack is detected, the less likely it is to succeed, and its impact on the organisation is more limited.
- Respond effectively to cyber attacks. If attack routes are known, more effective response measures can be implemented to help drive out malicious actors as quickly as possible.
- Make security decisions to protect assets from attack.
5. Attack Path Management continuity
Attack Path Management should be understood as something other than a cybersecurity service provided for a limited period and at a fixed frequency. Just as vulnerability management is considered continuous, Attack Path Management should also be continuous. The ongoing, proactive search for attack paths helps secure corporate networks, detect weaknesses and take into account new techniques used by malicious actors.
It is, therefore, not a task focused on mapping attack paths at a specific time but a strategy of identifying exploitable paths to fix problems and prevent malicious actors from traversing the paths to access the organisation’s critical assets.
Thus, Attack Path Management is not only limited to finding vulnerabilities but also serves to understand how malicious actors act and to know what strategies they can deploy not only to exploit an attack vector but also to make lateral movements, increase their capacity for persistence within the corporate network and succeed in their objectives: hijack or exfiltrate information, paralyse the company’s activity…
In a context where ransomware attacks against companies’ Active Directory are the order of the day, Attack Path Management must be carried out continuously, identifying new attack paths that attackers could use. This is especially true for advanced persistent threats: more sophisticated attacks that combine various techniques and tactics to break through defensive layers and spread malware throughout the corporate network.
5.1. Network visibility and segmentation analysis
It should also be noted that efficient network segmentation can often greatly limit certain Cyber Kill Chain attack vectors.
In this sense, carrying out network visibility and segmentation analyses of corporate infrastructures is always advisable to reduce the infrastructure’s exposure surface.
6. Advanced pentesting, cyber-attack simulation and threat intelligence services: Discovering attack scenarios
To carry out Attack Path Management and efficiently protect the Active Directory against ransomware attacks, cyber-attack simulation, advanced penetration testing, and threat intelligence services can be used.
These types of cybersecurity services are used to elucidate the most plausible attack scenarios against the company, always considering the business’s characteristics and the activities it carries out.
Through these services, it is possible to:
- Discover the company’s exposure and analyse its attack surface.
- Identify threats and the targets of malicious actors, for example the exfiltration of information.
- Design attack scenarios to understand how the attack routes work.
- Analyse the risks of each of these attack scenarios and prioritise them.
- Adopt prevention and mitigation measures as quickly as possible.
Designing attack scenarios allows companies to glimpse the attack routes that attackers may take and make decisions to:
- Prevent attacks.
- Address weaknesses.
- Optimise detection and response capabilities to security incidents.
In short, Attack Path Management is essential to combat the growing ransomware attacks against companies’ Active Directories. By detecting potential attack paths, actions can be implemented to prevent malicious actors from using Active Directory to access critical corporate assets and accomplish their fraudulent goals.
Advanced pentesting, cyber-attack simulation and threat intelligence services are of great added value to carry out Attack Path Management, visualise attack scenarios, establish the risk level of each one and make decisions to prioritise resources and optimise defensive layers.