Why ITDR Should Start with Active Directory
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Sean Deuby of Semperis examines why an ITDR (identity threat detection and response) strategy should start with Active Directory.
Identity-based attacks—in the form of ransomware, data breaches, or cyber espionage—are dominating the cyber threat landscape. Verizon’s annual Data Breach Investigations Report found that about 85 percent of web application attacks and 61 percent of all breaches used stolen credentials in 2021. Gartner placed identity system defense at No. 2 among its top cybersecurity trends and gave a name to the class of tools used to defend those systems: Identity Threat Detection and Response (ITDR).
As attackers have focused on user identities and credentials—using tactics such as credential stuffing or phishing to gain access to networks—defenders have done the same, looking to implement identity and access management, Zero Trust architectures, and other protections. Now, ITDR is getting a lot of industry attention and CISO buzz. But any successful ITDR strategy must start with Microsoft Active Directory (AD).
Active Directory: Where ITDR Strategy Should Begin
The Importance—and Vulnerability—of AD
AD is the primary identity store for more than 90 percent of organizations around the world. Not coincidentally, AD is involved in about 90 percent of all cyber-attacks that can lead to downtime. The problem stems mainly from AD misconfigurations that make it a frequent target in the cyber-attack kill chain. Threat actors can use AD to escalate privileges, evade defensive measures, and carry out persistence techniques, among other tactics.
AD has become such a popular target for attackers because it is so essential. A recent survey found that 80 percent of respondents use a hybrid of AD and Azure AD, and 16 percent use on-premises AD as their primary data store. Only 4 percent of the organizations in the survey don’t use AD or Azure AD at all. And 77 percent of respondents indicated they would experience a severe or catastrophic impact if AD was down, either because their disaster recovery solutions don’t include support for AD or because they would need to perform time-consuming manual recovery (lasting days or weeks).
Organizations also expect AD to continue as their identity store. Gartner predicts that only 3 percent of organizations will migrate completely from on-prem AD to a cloud-based identity service by 2025. ITDR solutions need to go beyond merely checking research firms’ boxes; they should include AD-specific processes.
The Elements of a Successful ITDR Solution
Gartner says ITDR describes “the collection of tools and best practices to successfully defend identity systems from endemic levels of attacks. Much like network and endpoint detection and response tools, ITDR tools support discovery and inspection, provide analysis capabilities, enable policy evaluation, and provide incident management and remediation suggestions to restore affected systems.”
What does a successful ITDR solution look like?
First, it should focus on the entire attack lifecycle—before, during, and after an attack, providing prevention, detection, automatic remediation, and recovery. And it must offer specific protection for AD and Azure AD.
Some other critical factors for ITDR include:
- Security posture assessment and real-time monitoring: Organizations must know how well prepared they are for ever-evolving attack tactics, techniques, and procedures (TTPs). A thorough assessment tool not only reveals gaps in an organization’s security posture, but pinpoints vulnerabilities so that the organization can take action—such as shutting down inactive AD accounts—and develop a maintenance plan. Survey respondents said their top overall concern in protecting AD was the failure of traditional monitoring tools to detect attacks. And they are right—many successful AD attacks bypass log- or event-based products such as security information and event management (SIEM) systems. An effective ITDR solution uses multiple data sources—including the AD replication stream—to detect advanced attacks.
- Fast, malware-free multi-forest AD backup and recovery: The ability to recover quickly from an attack is high on the list of priorities for most organizations. A ransomware or other attack that puts systems offline can inflict significant losses in revenue as well as reputational damage that hinders business operations well beyond the initial attack. In some industries, such as healthcare or critical infrastructure, the threat to public health and safety from a prolonged recovery can be devastating. The survey reflected those fears: Only about one-third of respondents were extremely confident in their ability to quickly recover AD from a cyber-attack. A solution that can perform an automated, malware-free multi-forest AD recovery in one hour or less can give organizations the resiliency they need. Part of a good defensive posture is acknowledging that, at some point, an attack will get through; being able to recover quickly is essential.
- Automatic remediation of detected threats: Once a cyber-attack starts, it can move at lightning speed, outpacing the ability of the security staff to keep up with it manually. When the NotPetya attack hit shipping giant Maersk in 2017, it infected the company’s entire network in minutes. Automatic remediation is critical to preventing an exploit from leading to elevated privileges and an eventual network takeover. Survey respondents rated automated remediation of fast-spreading attacks as the most important remediation capability, followed by tracking and correlating changes between on-prem AD and Azure AD.
- Risk scoring, risk prioritization, and remediation guidance: When assessing an organization’s security posture, a risk score helps to determine the level of exposure in AD and identifies where vulnerabilities lie. Those capabilities enable teams to prioritize the risks that present the biggest threats to the network and critical data, and from that knowledge to develop clear, risk-based remediation guidance.
- Post-breach forensics analysis: Because attackers are consistently developing new TTPs, defenders must keep up with new developments. AD-specific forensic analysis in the wake of a breach can help an organization better understand its own vulnerabilities and make improvements to help prevent future attacks. This analysis can involve a re-assessment of the infrastructure, data gathering from the attack, and interviews with key personnel. Building a timeline of the attack can help organizations understand the extent of the breach and what steps the attacker took. This is invaluable information for preventing another breach.
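The posture-assessment bullet above gives "shutting down inactive AD accounts" as a typical action. The script below is an added example, not code from the article or from Semperis: it reports enabled user accounts with no logon in a configurable number of days, keeps members of privileged groups out of the automatic path, and disables the rest only when asked to. It assumes the RSAT ActiveDirectory module, a domain-joined session with rights to read and disable accounts, and a 90-day threshold that you should align with your own policy.

```powershell
# Added example (not from the article or Semperis): AD posture check for
# inactive user accounts. Report-only unless -Disable is passed; honours -WhatIf.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 90,   # threshold is an assumption; align with policy
    [switch]$Disable           # omit for a report-only run
)

Import-Module ActiveDirectory

# Members of these groups are reported but never disabled automatically;
# disabling a privileged account is a change that deserves human review.
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$protectedSids = foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object { $_.SID.Value }
}

# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
# 14 days of lag, so keep the inactivity threshold comfortably above that.
$cutoff = (Get-Date).AddDays(-$InactiveDays)

$stale = Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
    Where-Object { $_.Enabled }   # already-disabled accounts are not findings

$report = foreach ($acct in $stale) {
    [PSCustomObject]@{
        SamAccountName    = $acct.SamAccountName
        LastLogonDate     = $acct.LastLogonDate   # $null: no replicated logon stamp
        Privileged        = $protectedSids -contains $acct.SID.Value
        DistinguishedName = $acct.DistinguishedName
    }
}

# Privileged hits sort first so a reviewer sees them before anything else
$report | Sort-Object -Property @{Expression = 'Privileged'; Descending = $true}, LastLogonDate |
    Format-Table SamAccountName, LastLogonDate, Privileged -AutoSize

if ($Disable) {
    foreach ($row in ($report | Where-Object { -not $_.Privileged })) {
        # ShouldProcess makes "-WhatIf" show the change without applying it
        if ($PSCmdlet.ShouldProcess($row.SamAccountName, 'Disable inactive account')) {
            Disable-ADAccount -Identity $row.DistinguishedName
        }
    }
}
```

Run it first without -Disable to review the list, then with -Disable -WhatIf, and only then for real; disabled accounts can be re-enabled, which is why disabling rather than deleting is the safer first step.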
Today’s threat landscape puts users’ identities and credentials squarely in the crosshairs, with identity-based attacks constituting the vast majority of ransomware, breaches, and other damaging incidents. ITDR solutions and strategies that prioritize AD protection can provide the tools and techniques to defend systems against those attacks. Such solutions should be on every CISO’s radar for 2023.