How to Recognize and Prevent Active Directory Attacks


As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Carolyn Crandall, the Chief Security Advocate at Attivo Networks, shares some expert insights on how to recognize and avoid Active Directory attacks.

Active Directory (AD) is under attack. That isn’t an exaggeration, an intentionally provocative statement, or a clickbait headline, but a fact. Five years ago, Microsoft stated that more than 95 million AD accounts come under attack daily. That number has exploded, with Microsoft sharing that in 2021, Azure Active Directory alone saw more than 25.6 billion brute force attacks. It isn’t difficult to see what makes AD an attractive target for attackers: it effectively serves as the GPS for the entire organization, handling identity and authentication services for more than 90% of today’s enterprises. Compromising AD can give today’s attackers a skeleton key to the entire network.  

Unfortunately, too many of these attacks are succeeding. One of the primary reasons for this is that AD is notoriously difficult to secure. Because it controls authentication across the network, every user, device, application, or identity on the network requires some level of access to AD, making it challenging to distinguish suspicious activity from normal behavior patterns without certain protections in place.

Fortunately, modern identity protection tools like those in the emerging Identity Detection and Response (IDR) category give defenders a better idea of what to look for—and help them detect and deflect adversaries before they can escalate their attacks.

The Danger of Credential-Based Attacks 

Credential-based attacks have risen steadily over the past several years, with the most recent Verizon Data Breach Investigations Report (DBIR) indicating that 61% of attacks now involve credential data. That is a shockingly high number, but it makes sense. After all, if a user accesses the network using a valid username and password, most defenses have little reason to suspect that the behavior is suspicious. Without the ability to identify abnormal behavior even from those users perceived to be valid, an adversary with a working set of credentials can often move about the network unnoticed and unconcerned.  

Unfortunately, organizations often store credentials in places that adversaries can easily access. For example, many passwords live on the endpoint, network passwords reside in memory, and browsers, emails, and other applications store all kinds of passwords. Attackers who compromise a workstation or user account will often have little difficulty gaining access to stored credentials—some of which may even be administrator credentials. From there, it’s a straight line to Active Directory, where they can escalate their privileges and gain access to things like on-premises groups, applications, and file storage.  

These tactics exacerbate what is already a significant issue for today’s enterprises. Recent Enterprise Management Associates (EMA) research indicates that 50% of businesses have experienced attacks on AD within the past one to two years, and more than 40% reported those attacks were successful. That is an unacceptable success rate for adversaries, but it isn’t surprising. Stopping AD attacks requires defenders to know what to look for—and have the tools in place to make an attacker’s life as difficult as possible.  

The Signs of an AD Attack—and What to Do About Them 

Looking for weaknesses that could allow an attacker to gain access to Active Directory is the first place to start. If defenders can find identity exposures, they should assume that attackers could use (and likely have used) them to escalate their attack. Stopping AD attacks requires visibility across the entire network, starting at the endpoint, where adversaries steal credentials.

Defenders need prompt visibility into exposures like admin credentials cached on endpoints, potential attack paths, and shadow admin accounts. Reducing the attack surface is critical: restrict access to credentials stored on endpoints and alert on unauthorized attempts to read them. Attackers can do significant damage with a valid set of credentials. For example, those who get their hands on the right set of credentials could use them to gain access to specific resources, reset other passwords, request short-term tokens, request API tokens, or conduct other attack activities.

AD attacks can happen fast. Dissecting logs for signs of intrusion after the fact has value for forensic work such as deep packet inspection, identifying attack signatures, and generating adversary intelligence, but it is typically insufficient for derailing an attack before the exploit has happened. Organizations need live attack detection, and actions like mass account lockouts or deletions should raise immediate alerts.

Suspicious password changes on sensitive accounts or mass password resets should also be flagged (though these may be more indicative of a password spray attack than of an AD attack). Suspicious service creation on a domain controller, use of a default administrator account, or reactivation of previously disabled privileged accounts are also potential signs of an AD attack in progress.
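The two preceding paragraphs list signals a defender should alert on in real time: bursts of lockouts or deletions, password resets on sensitive accounts, services installed on a domain controller, use of the built-in administrator account, and re-enabling of a previously disabled privileged account. The following detector is an added example written for this column; it is not code from the article or from Attivo Networks. It assumes simplified event records with the fields `event_id`, `time`, `target`, `host` (and `service` for service installs) and a constructed set of privileged accounts and domain controllers; the event IDs are the standard Windows Security-log values for those actions, and the sample events are constructed.

```python
"""Toy real-time detector for the Active Directory attack signals discussed above.

Input is a list of simplified Windows Security event records (constructed here);
output is a list of alert dicts with a rule name, the subject, and the time.
"""
from datetime import datetime, timedelta

# Standard Windows Security-log event IDs used as signals.
EVENT_LOCKOUT = 4740            # A user account was locked out
EVENT_USER_DELETED = 4726       # A user account was deleted
EVENT_PASSWORD_RESET = 4724     # An attempt was made to reset an account's password
EVENT_ACCOUNT_ENABLED = 4722    # A user account was enabled
EVENT_SERVICE_INSTALLED = 4697  # A service was installed in the system
EVENT_LOGON = 4624              # An account was successfully logged on

# Hypothetical environment knowledge a defender maintains (constructed values).
PRIVILEGED_ACCOUNTS = {"svc_backup", "da_jsmith"}
DISABLED_PRIVILEGED_ACCOUNTS = {"old_admin"}   # privileged accounts that should stay disabled
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
BUILTIN_ADMIN = "Administrator"


def detect_burst(events, event_id, window, threshold, rule):
    """Sliding window over one event type: alert once when `threshold` or more
    events of `event_id` fall inside `window` (mass lockouts, mass deletions)."""
    times = sorted(datetime.fromisoformat(e["time"])
                   for e in events if e["event_id"] == event_id)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        count = end - start + 1
        if count >= threshold:
            return {"rule": rule, "subject": f"{count} events",
                    "time": times[start].isoformat()}
    return None


def detect_sensitive_account_activity(events):
    """Single-event signals on accounts and hosts that are always sensitive."""
    alerts = []
    for e in events:
        eid, target, host = e["event_id"], e.get("target", ""), e.get("host", "")
        if eid == EVENT_PASSWORD_RESET and target in PRIVILEGED_ACCOUNTS:
            alerts.append({"rule": "privileged_password_reset", "subject": target, "time": e["time"]})
        elif eid == EVENT_ACCOUNT_ENABLED and target in DISABLED_PRIVILEGED_ACCOUNTS:
            alerts.append({"rule": "disabled_privileged_reenabled", "subject": target, "time": e["time"]})
        elif eid == EVENT_SERVICE_INSTALLED and host in DOMAIN_CONTROLLERS:
            alerts.append({"rule": "service_installed_on_dc",
                           "subject": f"{host}:{e.get('service', '?')}", "time": e["time"]})
        elif eid == EVENT_LOGON and target.lower() == BUILTIN_ADMIN.lower():
            alerts.append({"rule": "builtin_admin_logon", "subject": f"{target}@{host}", "time": e["time"]})
    return alerts


def run_detections(events, lockout_threshold=5, deletion_threshold=3, window=timedelta(minutes=1)):
    """Run every rule and return the combined alert list."""
    alerts = detect_sensitive_account_activity(events)
    for eid, threshold, rule in ((EVENT_LOCKOUT, lockout_threshold, "mass_lockout"),
                                 (EVENT_USER_DELETED, deletion_threshold, "mass_deletion")):
        alert = detect_burst(events, eid, window, threshold, rule)
        if alert:
            alerts.append(alert)
    return alerts


def _ev(eid, time, target, host, **extra):
    return {"event_id": eid, "time": time, "target": target, "host": host, **extra}


# Constructed sample records: one burst plus one of each single-event signal.
SAMPLE_EVENTS = [
    # six lockouts within 40 seconds, as a spray hitting the lockout policy would produce
    *[_ev(EVENT_LOCKOUT, f"2022-03-01T09:00:{s:02d}", f"user{i}", "DC01")
      for i, s in enumerate(range(0, 48, 8))],
    _ev(EVENT_USER_DELETED, "2022-03-01T09:05:00", "contractor1", "DC01"),   # one deletion: normal churn
    _ev(EVENT_PASSWORD_RESET, "2022-03-01T09:06:10", "svc_backup", "DC01"),
    _ev(EVENT_ACCOUNT_ENABLED, "2022-03-01T09:06:30", "old_admin", "DC02"),
    _ev(EVENT_SERVICE_INSTALLED, "2022-03-01T09:07:00", "SYSTEM", "DC01", service="updsvc"),
    _ev(EVENT_LOGON, "2022-03-01T09:08:00", "Administrator", "FS01"),
    _ev(EVENT_LOGON, "2022-03-01T09:08:05", "alice", "WS17"),                 # ordinary user logon
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"{alert['time']}  {alert['rule']:<32} {alert['subject']}")
```

Run against the sample, the single deletion and the ordinary user logon produce nothing, while the lockout burst and the four sensitive-account events each raise one alert. The thresholds and the account and host sets are the parts a real deployment tunes; the point of the example is that these signals are cheap to evaluate as events arrive, which is what live detection requires, rather than only in an after-the-fact log review.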

Additionally, deploying tools capable of hiding actual AD objects from attackers, intercepting uncategorized queries, and manipulating results with false information will undoubtedly throw attackers off their game. Defenders can also seed the environment with “admin” credential lures and AD decoys designed to trick adversaries into giving away their presence. These add both an active and a passive element to AD defense, making it difficult for attackers to see the network accurately, trust their tools, and avoid stepping on landmines that alert defenders to their presence.

Stopping AD Attacks is Difficult, but Not Impossible 

Active Directory is intrinsically insecure, but that doesn’t mean organizations are relegated to leaving it unprotected. Defense in depth is achieved with continuous and automated visibility into exposures, which seriously curtails attackers’ ability to quickly obtain the credentials they need, move laterally within the network, and compromise AD. By adding Identity Detection and Response tools capable of providing this level of visibility, organizations can extend their security coverage well beyond the scope of traditional defenses.

With IDR, security teams gain detection of identity-based attacks that use stolen credentials, attempt to elevate privileges, and seek domain control for the mass distribution of malware or ransomware. AD remains a top target for ransomware attackers, and credential-based attacks continue to increase in frequency given their relative ease and effectiveness. Trends all point to identity being the new battlefield for cybersecurity in 2022. To be prepared, organizations must rethink their security postures with this in mind.


Carolyn Crandall