Semperis Chief Technologist and Microsoft MVP alumnus Guido Grillenmeier and Director of Sales Dan Bowdery discuss Active Directory and cyber attacks

Guido Grillenmeier joined Semperis one and a half years ago and currently works as a Chief Technologist. He helps to provide security support for some of the largest enterprise customers and governments. Grillenmeier is also a Microsoft MVP alumnus.

Dan Bowdery also works at Semperis. His role as Enterprise Sales Representative for the UK and Ireland means he is responsible for selling into large accounts. He has a technical background in large-scale cloud migrations and has worked with Microsoft, HSBC, HPE, to name but a few.

What is Active Directory?

It’s not an easy product technology to explain in one minute. Picture somebody having a key in a big hotel or apartment building that allows you to enter your private door where you keep your private stuff and data. And you have somebody that manages those keys. Probably best to imagine a hotel scenario with a downstairs concierge managing all keys to the rooms. Active Directory (AD) does that for the enterprise, managing all those users and passwords that allow you to get somewhere, that allow you to access data, that allow you even to enter a room, i.e. log on to a system.

And if that is not there, if the concierge is gone, if that part of the building is burned down, you have a problem. In this case, the enterprise has a problem in that none of the users can log on to their systems or business applications any longer. If things have been fully encrypted, as would often be the case during cyber attacks, including the central directory, all keys in the enterprise are inaccessible. So, if AD is not there, people cannot work.

It’s also a mechanism to be misused, to get to systems, to reap data and to extract data to do harm to the company. So, it has two great values to the company (managing access and protecting data) and likewise to the intruders once they’re inside a company.

Could you speak about the Colonial Pipeline hack and the Solar Winds attack?

Those were prime examples from the past where Active Directory was misused to take down companies.

Let’s begin with the Solar Winds attack. That was in December 2020, just as the year ended, and people were happy to celebrate Christmas. Attackers got into their Orion software code, which was updated with malware to spread to all the Solar Winds customers via their normal software update mechanisms. This way, attackers were eventually able to infiltrate all customers of the Orion software and attack those target environments, including U.S. Government agencies. The Orion software itself, which is used by the customers to monitor their own computer systems, was used as a backdoor – an eye-opening supply chain attack!

But when you step back a moment and understand where it all began, it didn’t begin with the Orion software, whose code was hosted in Microsoft Azure. The Solar Winds company itself was breached way before that, many months before the breach to the Orion software was even noticed.

The intruders needed a way to get into that Azure environment. So they used the weaknesses of Solar Winds’ On Prem Active Directory to reap data that they needed to create their own so-called SAML token. A SAML token is used when federating the On-Prem AD with the directory in the cloud, the Azure AD.

This is the mechanism by which the cloud world trusts the On Prem world via the company’s Active Directory. For your sign-in to cloud applications, you would sign in with your On Prem Active Directory account and receive a SAML token via your On Prem Federation Service, such as ADFS. With the SAML token, you are then granted access to the cloud, in this case to the Orion Software management platform, and you go on with your business.

If you’re an intruder and could steal the secrets used to sign those SAML tokens by attacking the On Prem AD, you can then fake that log on to the cloud by faking your own tokens. Those Solar Winds SAML tokens were the first well-known Golden SAML attacks at the time. And that was gained by hacking and compromising the On Prem Active Directory first to get to that stage.

Of course, the scariest part that everybody knows about is that the infected Orion software was distributed to all the clients, which were then also breached. A lot of harm was done.

Colonial Pipeline was much more directed

Colonial Pipeline was a much more directed attack; it’s an interesting story. This is May 2021. A Colonial Pipeline user had a breached password elsewhere, not even inside the Colonial Pipeline company. Their passwords were stolen from an external website and were sold on the Darknet. And in the Darknet, some malicious bidders get access to those passwords. Matching the breached usernames with social media data allowed the intruders to understand that they are holding a password of an administrator working for the Colonial Pipeline company.

They now found an open port to a remote-control system in Colonial Pipeline that allowed logging on remotely without a second factor. They then used the breached account and that password, and they were in. And the rest is history.

The intruders were able to take over the control systems within Colonial Pipeline, but the entry point was a breached Active Directory account. And then from there on, doing reconnaissance in that environment and taking down a few systems and then a lot of mechanisms inside the company.

When the Colonial Pipeline operators noticed that some of their systems had been breached, they took down the Pipeline, they turned it off. The first time in 57 years. It was not the hackers that turned it off; instead, it was the pipeline operators who turned it off as a precautionary measure because they didn’t know how far the intruders had gone. So those are two good examples where Active Directory was in the middle of well-known cyber attacks.
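The Solar Winds part of this answer describes how a SAML token issued by the on-prem federation service is what the cloud trusts, and how an intruder who has stolen the token-signing secret from Active Directory can mint tokens that the federation service never issued. The following is an added example, not code from the interview, from Semperis or from Microsoft; it shows the defender-side check that follows from that description: reconcile every federated cloud sign-in against the federation service’s own issuance records. It assumes two log sources are available (token-issuance audit records from the federation service with an assertion ID, user and time; sign-in records from the cloud identity provider with the assertion ID presented, user, time and token lifetime), and the thresholds and sample records are constructed.

```python
"""Flag federated cloud sign-ins whose SAML assertion the on-prem federation
service never issued (the signature of a forged, "Golden SAML" token).

Added example, not from the interview or from any vendor product. It assumes
two log sources: the federation service's token-issuance audit records
(assertion ID, user, issue time) and the cloud identity provider's sign-in
records (assertion ID, user, time, token lifetime). All records below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TokenIssued:
    assertion_id: str
    user: str
    issued_at: datetime


@dataclass(frozen=True)
class CloudSignIn:
    assertion_id: str
    user: str
    seen_at: datetime
    valid_for: timedelta  # NotOnOrAfter minus NotBefore taken from the assertion


# Constructed sample data: two legitimate sign-ins, one forged token, one replay.
ISSUED = [
    TokenIssued("_a1", "alice@corp.example", datetime(2022, 8, 15, 9, 0, 0)),
    TokenIssued("_b7", "bob@corp.example", datetime(2022, 8, 15, 9, 5, 0)),
]
SIGNINS = [
    CloudSignIn("_a1", "alice@corp.example", datetime(2022, 8, 15, 9, 0, 12), timedelta(hours=1)),
    CloudSignIn("_b7", "bob@corp.example", datetime(2022, 8, 15, 9, 5, 30), timedelta(hours=1)),
    # Forged: never issued by the federation service, and valid for a whole day.
    CloudSignIn("_z9", "alice@corp.example", datetime(2022, 8, 15, 9, 30, 0), timedelta(hours=24)),
    # Replay: a genuine assertion presented again two hours after issuance.
    CloudSignIn("_a1", "alice@corp.example", datetime(2022, 8, 15, 11, 0, 0), timedelta(hours=1)),
]

MAX_ISSUE_TO_USE = timedelta(minutes=5)  # assumed normal delay between issuance and presentation
MAX_LIFETIME = timedelta(hours=1)        # assumed maximum lifetime the federation service is configured for


def audit_signins(issued, signins, max_delay=MAX_ISSUE_TO_USE, max_lifetime=MAX_LIFETIME):
    """Return a list of (sign-in, reasons) for every sign-in that does not
    reconcile with an issuance record. Legitimate sign-ins produce no entry."""
    by_id = {t.assertion_id: t for t in issued}
    results = []
    for s in signins:
        reasons = []
        t = by_id.get(s.assertion_id)
        if t is None:
            # The cloud accepted a token the federation service has no record of issuing.
            reasons.append("no issuance record on the federation service")
        else:
            if t.user.lower() != s.user.lower():
                reasons.append(f"assertion issued to {t.user} but presented as {s.user}")
            delay = s.seen_at - t.issued_at
            if delay < timedelta(0) or delay > max_delay:
                reasons.append(f"presented {delay} after issuance, outside the {max_delay} window")
        if s.valid_for > max_lifetime:
            # Forged tokens are typically minted with a far longer validity than the service would grant.
            reasons.append(f"assertion lifetime {s.valid_for} exceeds configured maximum {max_lifetime}")
        if reasons:
            results.append((s, reasons))
    return results


if __name__ == "__main__":
    for signin, reasons in audit_signins(ISSUED, SIGNINS):
        print(f"{signin.seen_at:%H:%M:%S} {signin.user} {signin.assertion_id}")
        for r in reasons:
            print("   -", r)
```

Run as a script it lists the forged and the replayed sign-in with the reasons each failed to reconcile. The check only works if the issuance log is collected somewhere the intruder cannot rewrite, which is why the federation servers and the token-signing certificate belong in the most tightly controlled tier of the on-prem environment.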

How does the Active Directory become compromised, and what can we do to prevent this?

So how it becomes compromised is either stolen credentials or poor administration and configuration of Active Directory itself.

People giving away their credentials is sometimes used, but ultimately, it’s someone logging in with a set of credentials and then elevating their permissions in order to take over and compromise Active Directory itself.

Because as we know, once you’re in there, then you can move anywhere you want within an organisation. You can look at data, you can go to the cloud, and you can look at emails. Pretty much the world is your oyster once you’re in with a set of compromised credentials.

Active Directory is a complex technology and is very powerful. But because it’s complicated, lots of companies, especially small and medium-sized companies, work with many defaults. And the default permissions are fairly extensive from a reading perspective. That means that everybody can read a lot of data and permissions in AD and thus find out about various vulnerabilities that they can use in the next step to take themselves further.

So, they can find the user accounts that they need to go after, those that have high privileges, who are the domain administrators. And if I then find one of those user accounts logged on, on one of the other clients that I may be lurking on, then I grab his or her credentials because, once I’ve reached a particular capability with malware, that’s easily possible. I then pass on that person’s credentials elsewhere using the good old pass-the-hash attack or other techniques. I have now become that administrator.

This means that once you’re inside the corporate network, it’s not so hard to elevate to an administrative level via the company’s Active Directory. Unfortunately, the classic setup in most companies – and we shouldn’t exclude government agencies here either – is to just work with the default permissions that Microsoft has configured the AD with.

Although the technology does support lockdown, not many people are doing that, which segues nicely into your second question…

What can people do to protect from attacks?

The first port of call, pardon the pun, is to run an assessment of your environment. If you think about most of the organisations we talk to, they have it either still running with the default permissions, or the Active Directory environment is so old it’s been maintained and managed by lots of different organisations over the years, resulting in a real mismatch of configuration – people that know what’s in place and people that don’t know what’s in place. What you need to do is really assess AD and understand all your gaps today based on the latest and greatest security information that is available now.

If you had done this a few years ago, you probably wouldn’t have been concerned. But now that the bad actors are using lots of different methods to gain entry, you really need to reduce your attack surface.
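The two answers above make the same practical point from two sides: default AD permissions let any authenticated user read enough to locate the highly privileged accounts, so the first defensive step is to assess those accounts and close the gaps before an intruder gets to that stage. The following is an added example, not code from the interview or from Semperis; it applies a handful of common assessment checks to an export of user objects. The export here is a constructed in-memory list with a few LDAP attribute names (memberOf, userAccountControl, pwdLastSet, servicePrincipalName, adminCount); in a real run those values would come from Get-ADUser or an LDAP query, and the check list is a starting point, not an exhaustive assessment.

```python
"""Rule-based review of privileged accounts from an Active Directory export.

Added example, not from the interview or from any vendor product. It assumes
an export of user objects carrying the LDAP attributes named below; the records
here are constructed sample data. userAccountControl bit values are the
documented AD flags.
"""
from datetime import datetime, timedelta

# Groups whose members are treated as privileged for this review (assumed scope).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# userAccountControl flags (documented AD values).
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000

MAX_PASSWORD_AGE = timedelta(days=365)   # assumed policy for privileged accounts
NOW = datetime(2022, 8, 15)              # fixed reference time so results are reproducible

# Constructed sample export: one clean admin, one neglected service account in
# Domain Admins, one legacy account with weak Kerberos settings, one ordinary user.
USERS = [
    {"sAMAccountName": "alice.admin", "memberOf": ["Domain Admins"],
     "userAccountControl": UAC_NORMAL_ACCOUNT, "pwdLastSet": datetime(2022, 7, 1),
     "servicePrincipalName": [], "adminCount": 1},
    {"sAMAccountName": "svc_backup", "memberOf": ["Domain Admins"],
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime(2016, 3, 9),
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"], "adminCount": 1},
    {"sAMAccountName": "legacy.app", "memberOf": [],
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH,
     "pwdLastSet": datetime(2021, 1, 1), "servicePrincipalName": [], "adminCount": 1},
    {"sAMAccountName": "bob", "memberOf": ["Domain Users"],
     "userAccountControl": UAC_NORMAL_ACCOUNT, "pwdLastSet": datetime(2022, 6, 1),
     "servicePrincipalName": [], "adminCount": 0},
]


def assess_user(user, now=NOW):
    """Return the list of findings for one user object (empty if nothing to report)."""
    findings = []
    privileged = bool(set(user["memberOf"]) & PRIVILEGED_GROUPS)
    uac = user["userAccountControl"]
    if privileged and user["servicePrincipalName"]:
        # A service ticket can be requested for any SPN, so the account's password
        # quality becomes the only protection; admins should not carry SPNs.
        findings.append("privileged account has an SPN")
    if privileged and uac & UAC_DONT_EXPIRE_PASSWORD:
        findings.append("privileged account password set to never expire")
    if privileged and now - user["pwdLastSet"] > MAX_PASSWORD_AGE:
        findings.append("privileged account password older than 365 days")
    if uac & UAC_DONT_REQ_PREAUTH:
        findings.append("Kerberos pre-authentication disabled")
    if user["adminCount"] == 1 and not privileged:
        # AdminSDHolder protection stays on accounts removed from privileged groups,
        # leaving a non-admin object with an admin-style ACL that inheritance no longer reaches.
        findings.append("stale adminCount=1 on a non-privileged account")
    return findings


def assess(users, now=NOW):
    """Map each account with findings to its finding list; clean accounts are omitted."""
    report = {}
    for user in users:
        findings = assess_user(user, now)
        if findings:
            report[user["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in assess(USERS).items():
        print(name)
        for f in findings:
            print("   -", f)
```

The value of a check like this is less the individual rule than the habit: it turns the "default permissions plus years of drift" situation described above into a concrete list that can be re-run after every change, so the privileged set stays small and every exception is a known one.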


How are the attacks linked to the Dark Web?

The Dark Web is, of course, a synonym for where the bad guys meet and greet; it probably has virtual coffee shops, bars etc. The Dark Web is where data is exchanged, and even ransomware as a service is sold.

Bad actors get their assignments and actually sell their results. You have to understand that an attack on larger companies, or potentially any victim, small or large, is a multi-phased approach.

Somebody gets inside the network. Others who are more specialised in the particular industry move inside the network to get further, to get to company data, to hack Active Directory.

Ransomware as a service starts with one company trying to get in through phishing emails and through malicious websites. And then, once they’re in, they sell those initial access points. Of course, they first add a command and control tool on a compromised client that allows them to reach inside from anywhere. Then they sell that access literally like goods on the Dark Web. Who bids most to take it further for victim ABCD?

This is a multimillion-dollar business, and it’s all driven through the Dark Web

What people don’t realise is that this is a multimillion-dollar business, and it’s all driven through the Dark Web. There’s subcontracting out different elements of cyber attacks to different crews who have those specialities.

What can the UK government do to prevent cyber attacks, then?

The NCSC (UK’s National Cyber Security Centre) puts out guidance weekly, daily, and monthly, and a lot of that guidance is extremely helpful and insightful but often quite generic.

I think Active Directory, specifically, is an often overlooked and misunderstood platform. So, the way they can help people is to make them more aware of how it’s being compromised, the types of people that are compromising it, and the types of tactics they’re using to get in there and then advise them on what kind of solutions are out there. Today they’re not doing that.

They’re quite mature in other areas like endpoint protection, antivirus, and that kind of thing. But for large enterprises running Active Directory environments, they’re not really giving them the type of advice that we would give organisations, for example.

Do you think the government is doing enough?

I’d say the UK NCSC needs to adopt Active Directory skills that I don’t think they have to the maturity level they need.

We shouldn’t forget that we’re talking about a technology that’s a dinosaur in the industry. We’re talking about technology that was released with Windows 2000 in the year 2000 and developed quite a few years before that. Roughly 25 years ago. That was a quarter of a century ago. That technology was well designed back then and still is good technology today, but it is not fit to counter the current cyber attacks.

As mentioned, AD is not the first line of defence, it’s the second line. It’s when somebody already got inside. The weaknesses of AD are then used against you – this is how intruders can take down a company very easily.

Now, I just said the technology is old, but it’s still used in 90% of all enterprises and certainly government agencies because the alternative is to use cloud directories, and that is not doable for everyone. Specifically, not doable when you have invested a ton of money into your various business applications that are most often integrated with AD. There’s a long roadmap to migrate away from all those business applications that your company runs on before you can actually get rid of this ageing technology.

And there’s definitely been an awareness shift as well. So, if you’d asked me five years ago what you’re doing to protect Active Directory, I’d have talked about Endpoint, I would have talked about gaining access to the organisation.

I wouldn’t really be talking or concerned about AD itself. And when I first started at Semperis two years ago, that was the sort of conversation I was having with people. Jump to today: August 2022 is a completely different story. People are fully aware that AD is the number one attack vector for cybercriminals, and that’s where the government needs to get to as well. They need to start being aware of that.

So if people can’t rely on the government, what should they do?

Gartner came out with some really good advice recently, which is the necessity for identity threat detection and response (ITDR). And that really nails down the topic of AD security. And what that’s really telling people is to go and look at your current systems, backup systems, recovery systems, threat analytic systems, and really understand, are they looking at AD specifically, and are they going to be able to recover AD and to reverse malicious or accidental change in your environment?

I would say the first port of call is to look at that guidance and then look at the vendors, like ourselves, specialising in this field.
