The Best Defense Against Insider Threats: Securing Active Directory

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Igor Baikalov of Semperis walks us through the ins and outs of an insider attack and why preventing it starts with protecting the Active Directory.

Cybersecurity protections tend to focus on external threats. This approach is understandable, considering the increased sophistication and activity of both nation-state and criminal actors. However, organizations shouldn’t overlook the rise of insider threats, which — whether intentional or unintentional — pose just as much danger as external threats to an enterprise, its data, and its ability to operate.

Thinking of malicious outside actors as the enemy, at least in cybersecurity terms, is reasonable. Yet insider threats pose a serious risk to businesses precisely because they are trusted sources. By design, insiders have access to the organization’s critical resources and sensitive data to fulfill their work duties.

Although external malicious actors receive most media attention, insider threats are on the rise, having increased by 44 percent over the past two years. Negligence by employees or contractors accounts for 56 percent of those threats; 26 percent of the threats result from malicious intent. For two-thirds of companies, insider-related incidents occur up to 40 times per year, with each incident incurring an average cost of $484,931— a high price to pay for those who are unable to catch insider threats in time.

Regardless of intent, many organizations lack the ability to identify vulnerabilities that can result in insider abuse. Furthermore, many are unable to perform post-breach forensics to close backdoors left by malicious insiders. It’s clear that businesses need to improve their defenses against these growing and costly attacks.

The Best Defense Against Insider Threats: Securing Active Directory

Start by Securing Active Directory

Access abuse is at the core of most insider threats, whether from employees, contractors, vendors, or partners. Anyone with permission to access critical business assets can potentially abuse that privilege, either through negligence or malicious intent.

A good place to start shoring up identity and access controls is by securing and monitoring Active Directory (AD). AD is a prime target for attackers and is involved in nine out of ten cyber-attacks. Not coincidentally, AD is also the primary identity store for 90 percent of organizations worldwide. A recent survey of IT and security leaders found that 16 percent of enterprises use on-premises AD as their primary data store, and 80 percent use a hybrid of AD and Entra ID (previously Azure AD) or other systems. Only four percent don’t use AD or Entra ID at all.

AD’s prominence in the enterprise means that its weaknesses can be exploited at any point that an employee, contractor, or other user has access. If an AD administrator doesn’t follow all employee offboarding policies, for example, the departing employee’s account could remain active after they’ve left the company. An attacker could exploit that account’s credentials to gain access, escalate privileges, and move through the network. The damage can be serious: 77 percent of the survey respondents classified the impact of AD being down as severe or even catastrophic.

Such findings indicate that organizations need to adopt an identity-first security strategy that involves threat intelligence, behavioral signatures, continuous monitoring, and other techniques to address every phase of the attack cycle— before, during, and after an attack.

Before an Attack

Security teams looking to bolster their AD defenses should start with a thorough, realistic view of the identity attack surface. The goal is to uncover security vulnerabilities, such as accounts with expired passwords or accounts that are no longer active. As part of this effort, organizations should scan their IT environment for indicators of exposure (IOEs).

IOEs refer to weaknesses in an organization’s IT environment that an attacker could exploit. These indicators attempt to answer questions such as:

• Is AD misconfigured?
• Could an attacker exploit anything in your AD environment?
• Does anything in the AD environment place you in a more vulnerable state than you would otherwise be in?

For instance, an AD misconfiguration could grant administrative privileges to every member of a team or grant privileged access to a vendor that doesn’t need it. IOEs can help an organization find vulnerabilities that increase its susceptibility to an attack.

During an Attack

Continuous monitoring is also incredibly important to an organization’s ability to identify indicators of compromise (IOCs). In most cases, handling or containing IOCs is more urgent than mitigating IOEs; IOCs can indicate a successful intrusion. These indicators attempt to identify whether any behavior in an organization’s system might indicate an attack in progress. For example, 50 password reset attempts within one minute are atypical behaviors that could indicate an ongoing attack. Overall, IOCs enable organizations to identify whether they are under attack and even the path of the attack.

If you think of an attack as a process rather than as a binary condition, you can better understand the benefits of uncovering these indicators. Launching a full-scale attack is not a one-step leap. An attacker must start from point A to reach point D. Attackers require several steps to, for example, compromise one system, then a security account, then a computer object, and so on, until finally gaining administrative control in Active Directory— the crown jewel for attackers. Identifying an attack in progress enables an organization to freeze the compromised identity, thus stopping the attack in its tracks.

If an IOC flags an attack underway, organizations should continuously monitor for other IOCs, track risky changes to on-prem AD and Entra ID, and automatically roll back specific changes that could signal an attack. Among the actions to monitor for:

• Unauthorized access attempts
• Changes to permissions
• Abnormal network activity, such as unexplained additions to the Domain Admins group

Continuous monitoring of the AD environment is critical, enabling an organization to promptly address potential security issues as they occur and helping to ensure the ongoing security of the environment.

After an Attack

In the wake of an attack, post-breach forensics are essential to understand the attack’s behaviors and the weaknesses exploited as part of the attack. This step can also help organizations find and fix vulnerabilities, thus preventing them from being exploited in future attacks.

By conducting a thorough post-attack analysis, organizations can answer questions that will help them understand how the attack occurred and where they might need extra protection:

• How did the threat actors get in?
• How did they compromise AD?
• How did they acquire domain credentials?
• Could they use additional exposures to regain access?
• Were there any back doors that needed to be closed?

 The insider threat is real and on the rise. The best security strategy is to address threats across the entire attack lifecycle— before, during, and after an attack. Because most advanced attacks use identity-based techniques, it’s essential to continuously and proactively monitor AD to uncover threats and misconfigurations within the IT environment. Doing so will help you prevent insider threats— and enable you to quickly detect and respond should an attack happen.