By Alan Zeichick
As many as 95 percent of all major enterprises are running Microsoft domain networks. Those networks can scale to huge: Tens of thousands of user accounts for employees and contractors. Tens of thousands of desktops, notebooks, mobile devices, physical servers and virtual servers. Hundreds of databases and applications. Local data centers and an increasing number of cloud resources. Microsoft domain networks have proven effective at managing those huge networks. However, there is an potential vulnerability inherent in the design of those networks: That the beating heart of a Windows domain network, Active Directory, could be subverted by hackers, if they successfully gain a foothold on that network by taking over an endpoint device or by stealing an authorized user’s credentials.
Active Directory is what keeps track of every object allowed to be on a Windows domain network – users, hardware and applications. The directory itself is a complex database. For each object, it stores a wealth of relevant information, including a description, location, and specifications. It also contains essential information about resources — that is, which other objects an specific object is authorized to utilize. Consider those to be the object’s permissions or digital credentials.
The Active Directory service is quite secure, resistant from attempt to create unauthorized objects, or change the digital credentials of objects. However, in the wrong hands, the information in Active Directory could be used to provide a hacker with sensitive information about the organization, the network, and the objects on the network – users, hardware and applications, and the various privileges afforded to those objects. Most of the time, that’s not a problem: Since only authorized objects can access Active Directory, that knowledge is secure.
What happens if an object is breached, however? Say an authorized user’s account information is stolen by a phishing attempt that steal the user’s login and password. Or that malware was installed onto an authorized laptop via a malicious USB thumb drive or a website with embedded malware. A hacker could then surreptitiously use that subverted account to run software that scans Active Directory to reveal potential vulnerabilities, such as servers with default passwords, or out-of-date applications with known exploitable bug, or users with elevated privileges (like the CFO or a senior systems administrator) who could be targeted for attack.
Active Directory Openness is a Feature, not a Bug
Why not lock Active Directory down? Why not restrict access? Well, access already is restricted, to what the system believes are authorized objects. To lock Active Directory farther would impede the smooth running of the enterprise network. To use an analogy: A company might decide that its conference rooms can only be used by authorized employees. But what if someone steals an employee’s badge? Welcome to Conference Room B – and whatever might be in there, like a company phone list.
That brings up the real challenge: How to ensure that Active Directory remains fully open and useful to authorized objects — while making it worthless to hackers who might have compromised a user account or hardware.
But first: Is this a significant risk to enterprises running Windows domain networks? Ed Amoroso, CEO of TAG Cyber, a global cybersecurity consultancy, believes so. “When really good hackers break into your perimeter, when they get in the enterprise, they don’t walk, but they run to your Active Directory, because it provides a map of your entire network,” he said. “So it stands to reason that as part of any really good hack, they’re going to go look at Active Directory and get a good understanding of what assets are there to either exploit or exfiltrate or – hopefully not destroy.”
“The first thing that attackers will do after getting a foothold on a domain machine, it’s, they will try to learn about the environment and steal domain credentials,” explained Roi Abutbul, co-founder and CEO of Javelin Networks, which sells technology to protect Active Directory. “The idea behind learning about the environment is through querying the Active Directory, which, literally, it’s a database, contains the entire information about the entire resources inside the environment. Just simply querying the Active Directory and you get anything you want and get the knowledge about anything you need, as in a hacker, about the environment.”
Scott Scheferman, Director of Consulting at endpoint security company Cylance, concurred. “When a Windows endpoint is compromised, the bad guys usually will try to gain escalate privilege on the endpoint. The next step is obviously to target the Active Directory. Why not? These days it’s very easy to do so. When we do our compromise assessments, and we do thousands per year, we often find that Active Directory is a very integral part of the question of how far the attacker has moved and what data they’ve had access to.”
Once In Active Directory, Information Galore
The hackers have gained a foothold by compromising a device or user account. They’ve installed and run tools that search Active Directory. Now what? Microsoft says, it’s not good.
“They can do a lot of things, actually,” starting with reconnaissance, said Benny Lakunishok, Senior Program Manager at Microsoft. “They can start getting more and more credentials to gain a better foothold in that environment. Ultimately, and that’s only a matter of time, trying to get what they’re after, the crown jewels, whether that’s credit card or a customer information or anything like that.”
It’s a dire picture once the hacker gets in, worried Stefan Lager, vice president of services at SecureLink Group, a security-specific integrator and managed security service provider in Europe. “He can do basically anything. He can start scouting the network. By contacting Active Directory he can see all the machines available, know where to jump next, try to get a privileged account. Then he can do whatever he wants.”
Why Not Change Active Directory?
Active Directory itself is not a vulnerability, but it can be exploited to provide valuable information to hackers. Can Microsoft do anything to stop hackers from exploiting Active Directory for their own nefarious ends? Probably not directly, because Active Directory needs to be open in order to work. However, that doesn’t mean that other products or services can’t be put in place around it.
Microsoft’s Lakunishok said there are two things that can be done. “One of them is a lot of services and guidelines on how to harden Active Directory and harden the environment, to protect themselves against such attacks. The second one are products to help them secure and detect and respond to those kind of threats.”
Should one look to Microsoft for a solution? Javelin Networks’ Abultbul doesn’t think so. “Microsoft, at the end of the day, they are not a security company,” he said, “Most of their efforts are focused about operational management. At the end of the day their security solutions are not available today in the market, to prevent from hackers to steal the domain credentials or to query and learn about the environment, using Active Directory manipulations.”
Concrete Steps to Take Today
Microsoft isn’t going to change. Active Directory isn’t going to change. That doesn’t mean that CISOs are out of luck. There are actions that can be taken today, said TAG Cyber’s Amoroso. “One of the techniques that we’ve had in security for many years is deception. It’s an element of warfare. All kinds of different conflict strategies involve the use of deception and lures and traps and so on.”
He continued, “It’s only natural that at this point we would start thinking about taking that basic Active Directory map and introducing some deception. That uncertainty is going to make hacking much more difficult in the enterprise.”
In this context, deception means populating the network with fake objects that look like they are real Active Directory objects. In fact, the number of fakes would vastly outnumber the real Active Directory objects. Legitimate users are trying to access specific resources, and thus wouldn’t see the fakes. However, hackers conducting reconnaissance on a victim’s network would quickly touch one of the fakes – and that would set off alarm bells, which would not only alert security teams to the intrusion, but also isolate the hacked object from the real Active Directory and the rest of the network.
“Deception help you in this case,” agreed Javelin Networks’ Abutbul. “With deception, with Javelin, the idea is that we will mask the real database, the real typology of Active Directory, without changing Active Directory. So at the end of the day, the attacker will see a totally different image about your Active Directory.
When he will try to attack or access one of those fake resources, he will be caught red-handed, and we will be able to alert and get all the forensics and contain the – literally the breach.”
“One of the first things [organizations] should do is understand Active Directory,” said Cylance’s Scheferman. “Hire an outside firm, if you don’t already have the experience internally. Don’t try to do it yourself. Don’t just read the manual, if you will. Don’t expect your default configurations to be anything like a secure environment.”
Scheferman continued, “There are other vendors out there that are very adept at managing Active Directory, especially from a security standpoint. Javelin, for example, and some other ones. So that would be my recommendation, is get outside expertise.”
If the network is breached and a credentialed user account or device is taken over by hackers, Active Directory can help hackers gain the inside knowledge to expand their foothold. Active Directory can’t be changed without affecting the ability of the network to functional properly. However, the lesson is clear that Active Directory can’t be left unprotected. For any business or enterprise using a Windows domain network, protecting Active Directory should be a top security priority, before hackers exploit can steal the digital credentials, the keys to the kingdom.