There’s a wonderful video you can watch that’s designed to prove that people have selective attention when they are focused on the task at hand. If you want to see the video before I give a spoiler, check it out below and stop reading this blog until you’ve finished watching it.
Spoiler alert …
I was in a training class with about 40 peers the first time I saw the video and nearly three quarters of the folks didn’t see the gorilla. And no, I won’t tell you if I did or not (it’s a matter of personal pride).
This is relevant to a recent experience I had when presenting at the ISACA conference in San Francisco and at ISSA in Fort Worth.
My discussions focused on safeguarding Microsoft Active Directory and other critical (or core) systems, and both sessions had security practitioners, compliance officers and auditors.
The revelation was that while everyone was focused on security, few saw the elephant in the room—that protecting Active Directory and privileged credentials was critical.
Much of the dialog after the presentation was along the lines of: “I didn’t realize what was really going on” or “How come we don’t hear more about this?”
Why Active Directory is the Most Important Application to Protect
Let’s step back and take a holistic look at risk analysis, which many organizations use to guide their priorities on which vulnerabilities to fix.
The risk calculations are based on the likelihood a vulnerability can be exploited and the impact it will have to the organization if it occurs. The same approach is often taken to prioritize information and services to safeguard.
If applied to applications, Active Directory (AD) tops the list. AD is highly vulnerable and when compromised, the impact to an organization is devastating. Red team penetration testers know this, and compromising AD is the primary approach in their arsenal when hired to breach an organization.
And they claim nearly 100 percent success with their track records.
Active Directory is Highly Vulnerable
In the past, it required skill and patience to steal credentials, break into Active Directory, and gain dominance over the entire domain. Today the attacks are “weaponized” in tools that are widely available on GitHub.
Red teams use these tools to perform penetration testing, motivating the authors of the tools to constantly maintain and improve them. Adversaries use this to their advantage. Check out tools like Mimikatz, BloodHound and PowerSploit, to name a few.
Less than 10 percent of the audience in the ISACA and ISSA sessions knew these tools existed. They also didn’t know how easily they can be used to take over the environment. To complicate matters, few automated defense tools are available, and many of those that exist are unknown to, and unused by, organizations today.
An Active Directory Breach is Catastrophic
Active Directory is the nervous system for the entire organization and the blast radius of a compromised environment is akin to a nuclear bomb.
Active Directory is used to authorize access to nearly every piece of the IT infrastructure—users, data, applications, computers, storage and the network. AD’s reach even extends into services and systems in the cloud.
If domain controllers or domain admin credentials are compromised, every system is exposed. Complicating the situation, attacks are usually very difficult to detect and breaches tough to contain.
Good News: You Can Protect Active Directory
The good news is you can focus on and safeguard Active Directory and prevent domain dominance over your AD infrastructure. The first step is to realize it’s important to do so and adjust the priorities within the organization to address the situation sooner rather than later.
Just some of the steps you’ll want to focus on include:
- Active Directory hygiene: Implementing controls and best practices for configuration and operations.
- A secure admin environment: Remember, your AD is only as secure as your administrative environment.
- Protecting domain controllers: Lock down those domain controllers from threats from inside the network.
- Building an admin forest: Create an isolated environment that houses the privileged accounts for domain management.
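As a starting point for the hygiene and admin-forest items above, here is an added PowerShell audit (not code from the original post or from Skyport) that lists every account holding membership in the built-in high-privilege groups, nested groups included, and flags the conditions a privileged-credential review should catch first. The admin OU path, the 90-day threshold and the group list are placeholder assumptions; it needs the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example, not from the original post. Assumptions (placeholders):
# the Tier-0/admin OU path, the 90-day age threshold and the group list.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$AdminOuPath      = 'OU=Tier0,DC=example,DC=local'   # placeholder: where admin accounts should live
$MaxAgeDays       = 90                                # placeholder: password/logon age threshold
$Cutoff           = (Get-Date).AddDays(-$MaxAgeDays)

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups, which is where unexpected privilege usually hides
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties `
                 PasswordLastSet, PasswordNeverExpires, LastLogonDate, Enabled, servicePrincipalName

        $issues = @()
        if ($u.DistinguishedName -notlike "*,$AdminOuPath") { $issues += 'outside admin OU' }
        if ($u.PasswordNeverExpires)                         { $issues += 'password never expires' }
        if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $Cutoff) {
            $issues += "password older than $MaxAgeDays days"
        }
        if ($u.servicePrincipalName)                         { $issues += 'SPN set: service account holds admin rights' }
        if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt $Cutoff) {
            $issues += 'enabled but dormant'
        }

        if ($issues) {
            [pscustomobject]@{
                Group   = $group
                Account = $u.SamAccountName
                Issues  = ($issues -join '; ')
            }
        }
    }
}

# Empty output means every privileged account passed the checks above
$findings | Sort-Object Group, Account | Format-Table -AutoSize
```

Run it from a workstation you already treat as part of the secure admin environment, since the script itself needs a privileged read of AD.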
For more information on the threats your Active Directory faces right now and how to solve them, check out the complimentary Active Directory assessment program Skyport offers here.
-Russell Rice, senior director of product management, Skyport Systems