By Sean Deuby, Director of Services, Semperis
Microsoft Active Directory (AD) is central to modern corporate security. This 21-year-old technology remains a cornerstone of our complex computing environment – but, at the same time, it’s one of the most common access vectors of today’s cyberattacks and is itself vulnerable to catastrophic failure from an attack. How has this come to pass, and how can we mitigate this huge vulnerability?
AD at the center
Even at a time when cloud computing takes the lion’s share of visibility and forward thinking, AD has become more important than ever.
Three factors have contributed to this ironic situation. First, identity is now central to modern security. As organizations have moved away from trusted network architectures and towards web services over untrusted networks, identity has become the most important component for authentication and authorization of a user. Microsoft believes that “identity is the new control plane,” while Gartner says “identity is central to providing…secure access to data, services, and systems.” To add to this, Forrester states that “identity is a core building block of a robust zero trust security ecosystem.”
Second, hybrid architectures that use on-premises identities for cloud services are the dominant enterprise identity configuration today. Regardless of the hoopla around moving to the cloud, the reality is that most organizations continue to have a substantial on-premises application footprint. These applications require the same authentication and authorization as they always have. Couple this ongoing requirement with the requirement for simple and secure login to cloud services such as Microsoft 365 and Google’s G Suite, and the need for a single authoritative identity store that works both on premises and in the cloud becomes apparent. Because of these requirements, hybrid identity architectures that allow employees to use their corporate credentials to sign in to cloud services have become the most common architecture.
Finally, the vast majority of established organizations rely on AD as either a very important or their most critical identity store. This means that AD remains the basis for most hybrid identity – and, therefore, is central to modern security.
AD is both the keys and the treasure map
Attackers know that AD is old, complex, and has inherent configuration weaknesses. In other words, it’s notoriously difficult to keep secure. And because Microsoft treats it as a “mature (on-premises) service,” it receives few enhancements. Even with significant resources, large organizations are vulnerable to malicious attacks that use AD as an entry point; the AD kill chain is well known and understood by both attackers and defenders (most recently illustrated in the SolarWinds and Hafnium attacks). Mandiant consultants estimate that about 90% of the attacks their team investigates involve Active Directory in some form, whether as the initial attack vector or as a target for gaining persistence or privileges.
Furthermore, AD contains not only the “keys to the kingdom” with user and admin credentials, but it is also the treasure map to important domain-joined resources such as databases, file servers, or line of business applications.
AD’s vulnerability to cyber disasters
AD is also now vulnerable to disasters in a way it hasn’t been in the past. Most historic disaster threats share one characteristic: they can be mitigated with physical or logical distribution or redundancy. East Coast data center threatened by a hurricane? Ensure you have a redundant data center in the central US. West Coast data center worried about rolling blackouts? Install backup batteries or generators.
AD was designed for such geographic disasters and has developed a well-earned reputation for continued availability during them. Because of this history, more than 50% of polled organizations today don’t have a tested AD disaster or forest recovery plan.
In contrast, the modern threat of cyber disaster has come to dominate all other threats due to its frequency and massive impact. In this threat landscape where malware can encrypt every single AD domain controller within minutes, your AD forest is now extremely vulnerable. And because the malware may have been resident on a domain controller’s OS for many weeks or months before it detonated, you can’t trust your backups; you must perform a forest recovery to rebuild.
Under the very best circumstances, it takes days to perform an AD forest recovery in medium to large organizations. All applications that depend upon AD – and sometimes it takes a disaster to reveal how many actually do depend on AD – can’t be restored until AD is back. And you shouldn’t underestimate how the stress of the event degrades people’s performance.
Remediating AD’s cyber risk
So, how do you reduce the risk of your AD being exposed to a cyber-attack? The NIST Cybersecurity Framework helps to frame the actions. Under Identify and Protect (i.e. before an attack), organizations can evaluate and reduce AD’s attack surface by remediating the “configuration drift” (for example, too many administrators, or regular users with special permissions) that has accumulated over the years. Using a free tool such as Purple Knight can also help reveal indicators of exposure that an attacker can take advantage of.
In the Detect and Respond phase (during an attack), organizations should monitor and respond to unauthorized changes in AD – for example, additions to a privileged group, or the insertion of back doors to evade detection and maintain persistence. Ideally, you should be able to respond automatically to the most important changes.
Finally, for the Respond and Recover phase (after an attack), you must be prepared to perform forensic analysis of the attack and to quickly recover your AD from a scenario where your domain controllers are corrupted and you can’t rely on the integrity of your backups. In other words, you must perform a forest recovery. At the very least, you should become an expert in the manual Microsoft process, customize it for your environment, and practice it regularly. To minimize recovery time, use an automated forest recovery solution.
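To make the Identify/Protect and Detect/Respond steps above concrete, here is an added example (written for this article; it is not Semperis or Purple Knight code) that runs two small checks over constructed sample data: an exposure review of an account snapshot (too many Domain Admins, orphaned adminCount, Kerberoastable or disabled privileged accounts) and change detection over Windows Security events (member added to a privileged group, ACL write on AdminSDHolder). It is in Python rather than PowerShell so that it runs offline; the account records, the event records and the `authorized_actors` allow-list are all constructed assumptions, and in a real deployment the snapshot would come from Get-ADUser and the events from Get-WinEvent or your SIEM.

```python
"""
Two Active Directory checks over constructed sample data: an exposure review
of an account snapshot (Identify/Protect) and change detection over Windows
Security events (Detect/Respond). Example code written for this article, not
Semperis or Purple Knight code; every record below is constructed.
"""

# Groups whose membership is treated as privileged. In production, key on SIDs
# (e.g. RID 512 Domain Admins, 519 Enterprise Admins), not on display names.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators", "Print Operators",
}

# Constructed snapshot of user objects, shaped like a trimmed LDAP export.
SAMPLE_ACCOUNTS = [
    {"sam": "alice",     "enabled": True,  "adminCount": 1, "spn": [],                     "memberOf": ["Domain Admins"]},
    {"sam": "bob",       "enabled": True,  "adminCount": 1, "spn": [],                     "memberOf": ["Domain Admins"]},
    {"sam": "carol",     "enabled": True,  "adminCount": 1, "spn": [],                     "memberOf": ["Domain Admins"]},
    {"sam": "old-admin", "enabled": False, "adminCount": 1, "spn": [],                     "memberOf": ["Domain Admins"]},
    {"sam": "svc-sql",   "enabled": True,  "adminCount": 1, "spn": ["MSSQLSvc/db01:1433"], "memberOf": ["Domain Admins"]},
    {"sam": "dave",      "enabled": True,  "adminCount": 1, "spn": [],                     "memberOf": ["Sales"]},
    {"sam": "erin",      "enabled": True,  "adminCount": 0, "spn": [],                     "memberOf": ["Sales"]},
]


def find_exposures(accounts, max_domain_admins=4):
    """Return (rule, subject) findings for common indicators of exposure."""
    findings = []
    domain_admins = [a["sam"] for a in accounts if "Domain Admins" in a["memberOf"]]
    if len(domain_admins) > max_domain_admins:  # threshold is an assumption; tune per environment
        findings.append(("too-many-domain-admins", ",".join(domain_admins)))
    for a in accounts:
        privileged = bool(set(a["memberOf"]) & PRIVILEGED_GROUPS)
        # adminCount=1 outside every protected group: a former admin whose ACL
        # was stamped by AdminSDHolder and no longer inherits OU permissions.
        if a["adminCount"] == 1 and not privileged:
            findings.append(("orphaned-admincount", a["sam"]))
        # A privileged account with an SPN can be Kerberoasted offline.
        if privileged and a["spn"]:
            findings.append(("kerberoastable-privileged", a["sam"]))
        # Disabled accounts left in privileged groups are drift waiting to be re-enabled.
        if privileged and not a["enabled"]:
            findings.append(("disabled-privileged-member", a["sam"]))
    return findings


# Constructed Security-log records; field names follow the EventData XML.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "mallory", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "hr-admin", "TargetUserName": "Sales",
     "MemberName": "CN=frank,OU=Users,DC=corp,DC=example"},
    {"EventID": 4732, "SubjectUserName": "alice", "TargetUserName": "Administrators",
     "MemberName": "CN=helpdesk1,OU=Users,DC=corp,DC=example"},
    {"EventID": 5136, "SubjectUserName": "mallory",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4624, "SubjectUserName": "erin", "TargetUserName": "erin"},
]

# Member added to a security-enabled global / local / universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}


def detect_privileged_changes(events, authorized_actors=frozenset()):
    """Return alerts for privileged-group additions and AdminSDHolder ACL writes."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        if (eid in GROUP_ADD_EVENTS and e["TargetUserName"] in PRIVILEGED_GROUPS
                and e["SubjectUserName"] not in authorized_actors):
            alerts.append({"rule": "privileged-group-add", "actor": e["SubjectUserName"],
                           "target": e["TargetUserName"], "detail": e["MemberName"]})
        # An ACL write on AdminSDHolder is a classic backdoor: SDProp re-stamps the
        # modified ACL onto every protected account (by default every 60 minutes).
        elif (eid == 5136 and e.get("ObjectDN", "").startswith("CN=AdminSDHolder,")
                and e.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
            alerts.append({"rule": "adminsdholder-acl-change", "actor": e["SubjectUserName"],
                           "target": e["ObjectDN"], "detail": "nTSecurityDescriptor modified"})
    return alerts


if __name__ == "__main__":
    for rule, subject in find_exposures(SAMPLE_ACCOUNTS):
        print(f"EXPOSURE {rule}: {subject}")
    for alert in detect_privileged_changes(SAMPLE_EVENTS, authorized_actors={"alice"}):
        print(f"ALERT {alert['rule']} by {alert['actor']} on {alert['target']} ({alert['detail']})")
```

On the sample data the exposure review reports five Domain Admins against a threshold of four, `old-admin` as a disabled privileged member, `svc-sql` as a Kerberoastable privileged account and `dave` as an orphaned adminCount; the change detector, with `alice` on the allow-list, raises two alerts, both for `mallory`. The allow-list is the hook for the automatic response mentioned above: anything not on it is a candidate for an automated rollback of the group membership or ACL.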
Cybersecurity risk professionals use a risk matrix to help prioritize the cyber risks to their environment. AD’s critical role in security – coupled with its attractiveness as an attack target and the difficulty of securing it – puts it in the extreme risk category. AD is not going away any time soon; cloud initiatives notwithstanding, AD will be critical to the enterprise for many years. Therefore, protecting AD should be one of your top cybersecurity priorities.