COVID-19 has often been cited as the catalyst that accelerated pre-existing trends over the past 18 months, with ecommerce and automation two of the many markets where this view holds.
The widespread shift to remote and hybrid working, however, was less an acceleration than a wholesale transformation born of necessity. Prior to the pandemic only 4% of European employees worked from home; when the pandemic struck, that figure rose to 88%.
As organisations were forced to adapt almost overnight, IT professionals were called into action, taking a variety of approaches to ensure continuity of operations on a remote basis. Those in more heavily regulated markets such as financial services expanded their virtual private networks (VPNs) so that access to SaaS applications stayed routed through the corporate network. Meanwhile, more agile markets and enterprises that had already been considering cloud-first IT policies were compelled to adopt them when staring down the barrel of a national lockdown.
In both instances, cloud-based single sign-on (SSO), which lets users reach corporate applications remotely with the same credentials they use on premises, is vitally important to security.
To achieve SSO, a hybrid identity architecture that projects an organization’s credentials into the cloud service is required. Yet hybrid identity presents its own challenges.
Not only is it more complex than cloud-based or on-premises systems, but most hybrid identity architectures depend upon Microsoft Active Directory (AD) – the most widely used on-prem identity system in the world, and a foundational piece of IT infrastructure for roughly 90% of companies globally.
The problem with Microsoft AD is that it was rolled out over two decades ago, in an era where the IT landscape looked entirely different. From a security perspective this is a fundamental flaw – simply put, Microsoft AD is not prepared for today’s intense threat environment.
Hybrid identity was a key vector in the SolarWinds breach
AD was designed to make resources easily discoverable to domain users, and it still supports legacy applications that depend on outdated, insecure authentication protocols such as NTLM. Over time these legacy-driven security gaps accumulate into configuration weaknesses and multiple hard-to-protect points of entry for an attacker.
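As an added example (not from the original article and not Semperis code), the PowerShell below is the kind of check a practitioner runs to find out whether NTLMv1 is still in use, which is the first step in retiring it. It assumes it runs on a domain controller, or is pointed at one via $ComputerName, by an account that can read the Security log, and that success auditing for logon events is enabled so that event 4624 is recorded; the event field names are the standard ones Windows emits.

```powershell
# Added example, not Semperis code: inventory NTLM logons reaching a host from
# Security event 4624, flag NTLMv1, then check the local LmCompatibilityLevel
# policy that controls what this machine will accept.
# Assumptions: an account that can read the Security log on $ComputerName
# (default: this machine), with "Audit Logon" success auditing enabled.

$ComputerName = $env:COMPUTERNAME
$Hours        = 24

$filter = @{
    LogName   = 'Security'
    Id        = 4624                                  # "An account was successfully logged on"
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

# 4624 carries AuthenticationPackageName (Kerberos, NTLM, Negotiate) and
# LmPackageName, which for NTLM logons is "NTLM V1" or "NTLM V2" ("-" otherwise).
$ntlmLogons = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

    if ($data['LmPackageName'] -like 'NTLM*') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            LogonType   = $data['LogonType']          # 3 = network, the usual case for NTLM
            LmPackage   = $data['LmPackageName']
        }
    }
}

# Which accounts and hosts still depend on NTLMv1, the legacy variant to eliminate
$ntlmLogons |
    Where-Object { $_.LmPackage -eq 'NTLM V1' } |
    Group-Object Account, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Local policy check (registry of the machine this runs on, not $ComputerName):
# LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLMv1; modern Windows
# defaults to 3, which still accepts NTLMv1 from clients.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$level = if ($null -ne $lsa) { $lsa.LmCompatibilityLevel } else { 'not set (OS default 3)' }
"LmCompatibilityLevel on $($env:COMPUTERNAME): $level"
```

Event 4624 only describes logons to the host whose log is queried, so run this on each domain controller and on file and application servers to build the picture; the Account/Workstation grouping then tells you which client or service account to fix before raising LmCompatibilityLevel to 5.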
A prime example of an AD-related breach is the SolarWinds attack that first came to light in late 2020. Here, AD was an active vector that the threat actors used in developing one of the most malicious supply chain attacks seen to date.
After successfully infiltrating SolarWinds' systems, the threat actors inserted malicious code into its Orion software, a network management tool used by 33,000 of the company's customers.
When the next regular Orion software update was released, the tampered code created a back door that gave the attackers a foothold in the IT systems of Orion customers, a base that included 425 of the Fortune 500 and numerous US government agencies, where they were able to deploy further malware.
Crucially, AD was used to conduct internal reconnaissance, elevate privileges and gain administrator access to a victim organisation's domain. With that access the attackers stole the SAML token-signing certificate from the organisation's AD FS servers, enabling a Golden SAML attack against its Microsoft 365 environment: forged SAML tokens that the cloud tenant accepted as legitimate sign-ins, giving access to corporate email.
Response is as important as prevention
Albeit an extreme example, the SolarWinds attack is just one of countless AD-related incidents that happen every year.
According to Mandiant researchers, approximately 90% of all businesses are exposed to security breaches as a result of AD mismanagement, while 9 in 10 of all attacks involve AD in some capacity – either as the initial attack vector, or a means of manipulating and elevating privileges.
Despite being the most widely used on-prem identity system in the world, AD is extremely vulnerable to cyber disasters capable of spreading across a network like wildfire. And it is not going away. If on-premises operations exist, AD will prevail.
So, what is the solution? What can be done to protect against AD-centric threats?
At Semperis, we’ve created Purple Knight – a free, easy-to-use assessment tool that companies of all sizes can leverage to perform AD-centric security analysis and understand where vulnerabilities may lie. Yet this assessment is just the first step.
Organisations need an end-to-end strategy for defending against cybercriminals before, during, and after an attack. In addition to tools for identifying security gaps, security and identity teams need solutions for detecting attackers that have breached the network and are moving laterally through the system. Catching threat actors before they unleash malware can be tricky: Many malicious AD changes fly under the radar of traditional SIEMs. A solution that automatically rolls back unwanted AD changes can help protect against a cyber disaster.
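As an added example (not part of the article and not Semperis' product code): one way to surface AD changes that never reached a SIEM is to read replication metadata, which every domain controller keeps for each attribute, and for each linked value such as a group member, together with the originating DC and timestamp. The PowerShell below uses the ActiveDirectory RSAT module and assumes read access to the domain; the list of watched objects is an illustrative choice, not a complete one.

```powershell
# Added example, not Semperis code: list recent changes to high-value AD objects
# from replication metadata, which is kept per attribute by every DC and does
# not depend on audit policy, Security-log retention or SIEM forwarding.
# Assumptions: ActiveDirectory RSAT module, domain read access.

Import-Module ActiveDirectory

$Days   = 7
$since  = (Get-Date).AddDays(-$Days)
$domain = Get-ADDomain
$server = $domain.PDCEmulator

# Objects whose modification commonly means privilege escalation or persistence
# (illustrative list; extend for your environment).
$watch = @(
    (Get-ADGroup 'Domain Admins').DistinguishedName
    (Get-ADGroup 'Administrators').DistinguishedName
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"   # ACL template pushed to protected accounts
    $domain.DistinguishedName                                   # domain head: its DACL grants replication (DCSync) rights
)

$changes = foreach ($dn in $watch) {
    # -ShowAllLinkedValues lists each member link separately, including removed
    # links, which carry a LastOriginatingDeleteTime.
    Get-ADReplicationAttributeMetadata -Object $dn -Server $server -ShowAllLinkedValues |
        Where-Object {
            $_.LastOriginatingChangeTime -ge $since -or
            ($_.LastOriginatingDeleteTime -and $_.LastOriginatingDeleteTime -ge $since)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Object    = $dn
                Attribute = $_.AttributeName
                Value     = if ($_.AttributeValue -is [byte[]]) { '<binary>' } else { $_.AttributeValue }
                Changed   = $_.LastOriginatingChangeTime
                Deleted   = $_.LastOriginatingDeleteTime
                OriginDC  = $_.LastOriginatingChangeDirectoryServerIdentity
                Version   = $_.Version
            }
        }
}

$changes | Sort-Object Changed -Descending | Format-Table -AutoSize

# Consistency check: the originating server should be the NTDS Settings object
# of a current domain controller. An origin that matches none may be a demoted
# DC (old changes) or a host that impersonated a DC to inject the change;
# either way it needs to be explained.
$dcNtds = (Get-ADDomainController -Filter *).NTDSSettingsObjectDN
$changes |
    Where-Object { $_.OriginDC -and ($_.OriginDC -notin $dcNtds) } |
    Select-Object Object, Attribute, OriginDC, Changed
```

Run it on a schedule and save each result with Export-Clixml so the next run can be diffed against a known-good baseline; a membership change on Domain Admins or a DACL change on the domain head that nobody filed a change ticket for is exactly the kind of event the paragraph above describes as slipping past the SIEM.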
Once the system is breached, organisations understandably focus on resuming business operations as quickly as possible. But that approach can backfire: Threat actors will often reside in a network for weeks or months, understanding exactly what value they might be able to extract before detonating a malware payload. Without appropriate response planning, AD domain controllers restored from traditional server backups will more than likely contain the same malware – thus starting the attack cycle all over again.
Shift to remote work raises the stakes for defending against cyberattacks
According to a report from Upwork, 36.2 million Americans will be working remotely by 2025, an 87% increase on pre-pandemic levels. As this shift toward at-home working continues and the network perimeter dissipates, identity has become a primary line of defence against cyberattacks.
It is therefore vitally important that companies understand this shift. That’s why we’re proud to sponsor the Hybrid Identity Protection (HIP) conferences, a global events series and podcast focused on helping organisations meet the identity and access management challenges that arise in today’s fast-moving business environment. Our goal is to encourage intelligent collaboration, knowledge sharing and conversations that will help to make the world a safer place.
For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing Active Directory, Semperis’ patented technology protects over 40 million identities from cyberattacks, data breaches, and operational errors. The world’s leading organisations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies. Semperis is headquartered in New Jersey and operates internationally, with its research and development team distributed between San Francisco and Tel Aviv.
Semperis has released its Active Directory Security Halftime Report which can be found here: https://pages.semperis.com/2021-ad-security-halftime-report/. The report will be updated on a periodic basis to serve as a timely, concise index of resources for organisations that have prioritized hardening their Active Directory and Azure Active Directory defences against escalating cyberattacks.
About the Author
Sean Deuby is Director of Services at Semperis. Semperis is the pioneer of identity-driven cyber resilience for cross-cloud and hybrid environments. The company provides cyber preparedness, incident response, and disaster recovery solutions for enterprise directory services—the keys to the kingdom. Semperis’ patented technology for Microsoft Active Directory protects over 40 million identities from cyberattacks, data breaches, and operational errors. Semperis solutions are accredited by Microsoft and recognized by Gartner.
Featured image: ©Rawf8