Active Directory’s Attack Surface is Huge – Here’s How to Find a Threat Needle in its Log Haystack

Microsoft Active Directory is a critical tool that helps system administrators manage user privileges and secure their IT infrastructure, yet Active Directory presents several security challenges. Most problematic is that Active Directory’s attack surface is huge. Targets for attack include every domain name user account, admin and security group, domain controller, backup, admin workstation, and admin delegations and privileges. If any one of these targets is compromised, your entire Active Directory can be compromised too.

The Threats

As with all things cyber, Active Directory attacks come in the form insider threats with broad network privileges or shared credentials (42% of agencies reported incidents of cyber incidents perpetrated by insider threats in 2016) and hackers.

Hackers look for ways to penetrate your network and steal data. This usually starts with a phishing scam, followed by malware installation or credentials capture. Next, the hacker will look for vulnerabilities on the network perimeter and use a variety of techniques to elevate their permissions. Once they gain admin access, they create new accounts and add themselves to privileged groups to maintain access.

The Challenge

The threats are real, but how do you know whether there’s one silently knocking at your door? Looking for the threat needle in a massive log haystack is painstakingly time-consuming. Security logs can take hours if not days to pour over. You could setup a rule to detect specific events, but rule-based approaches generate too many alerts. Security teams rarely have the time or resources to determine which alerts are most important.

Plus, as the adoption of Microsoft Office 365 grows, the complexity of securing Active Directory increases. According to SC Media, there are over 10 billion Azure Active Directory (AAD) authentications annually, and 10 million of those are attempted cyber-attacks. Think of it as the central nervous system that makes O365 possible.

Now What?

That’s not to say that audits and alerts don’t have a place. In fact, auditing administrative group and privileged accounts in Active Directory is critical.

If a hacker tries to elevate their permissions, your organization needs to be alerted. You should also review activity of privileged accounts regularly. For example, you could get a daily or weekly report that shows all activity for the account you use to administer the network. If everything looks okay, you can move on.  If you see something suspicious you can investigate.

Change Auditor Threat Detection from Quest is a solution that can accomplish this task – from a single dashboard. Change Auditor Threat Detection quickly recognizes patterns of suspicious users or activity, giving you what you need to recognize a true threat and stop it cold (in both Active Directory and Azure Active Directory). The solution uses advanced learning technologies, user and behavioral analytics, and smart correlations to accurately spot patterns of anomalous activity to identify the highest-risk users in your environment.

Active Directory can be a beast to contain, but with some planning you can develop your game plan before a strike happens. Threats posed by external hackers as well as sloppy or disgruntled employees can be combated before they begin their misdeeds and privileged account misuse, data loss, IP theft, and more, are eliminated.

Here’s a quick video that explains more about how Quest Change Auditor Threat Detection works.'
Bradley Gernat