Despite 2020 being dubbed “the year of ransomware,” bad actors have ramped up ransomware attacks in 2021 even more than last year. Somewhat more alarming is the speed and effectiveness with which actors can compromise entire networks, enabled by sub-optimal design and maintenance of an organization’s Active Directory. That shouldn’t come as a surprise to anyone in the security world. Hackers and penetration testers alike have targeted Active Directory for years as the most effective means of achieving the attacker’s end goals.
There are many reasons why Active Directory has been, and remains, a prime mark for attackers. As many of you know, Active Directory is Microsoft’s proprietary directory service. IT Administrators use it for a variety of tasks from organizational hierarchy, managing permissions and controlling access to network resources, to what your profile picture looks like or whether you can install an application on your machine.
Its very nature is why it’s so valuable to attackers. Active Directory serves as the central repository for all non-local account authentications and privileges. As such, Active Directory contains the proverbial keys to the kingdom. Attackers can query it to perform reconnaissance on the network: identifying accounts for privilege escalation, lateral movement, or maintaining persistence within the environment, and determining the shortest path to the attacker’s goal (exfiltration of sensitive data, making an impact, or both).
One 2021 study found that 50% of organizations experienced an attack on Active Directory within the past two years and more than 40% reported that the attack was successful. Yet Active Directory is inherently difficult to secure – and has been for decades. In fact, many of the features in Active Directory that actually make it work are also what make it so vulnerable.
Consider, for example, the domain controller’s sync function, which transfers and updates AD objects from one domain controller to another. Attackers can take advantage of this process using a DCSync attack, which, given an account that has been granted the necessary replication permissions, impersonates an Active Directory domain controller to obtain authentication credentials from other domain controllers. A process designed to maintain availability and prevent a single point of failure can be abused to compromise every single credential in a domain, without ever actually compromising the Domain Controller itself.
Another example: attackers can exploit functionality in Kerberos, the network protocol used to authenticate identities, by finding service accounts with weak passwords and using a common attack known as Kerberoasting to request a service ticket encrypted with the service account’s password hash, crack it offline, then use that cracked password to progress further into the network. This ability to request such tickets is a feature, not a bug. There’s no patch to fix this, only the principle of least privilege for the account, good password hygiene, and regular password changes. This assumes the admins even remember the account exists, let alone what purpose it was originally created to serve.
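As an added illustration, not part of the original post, here is how a defender can spot both patterns in Windows Security event data: DCSync as Event ID 4662 where a principal that is not a domain controller exercises directory-replication control-access rights, and Kerberoasting as Event ID 4769 bursts of RC4-encrypted service tickets requested by one user for many distinct service accounts. The replication GUIDs are the real extended-rights identifiers; the event lines, their simplified key=value layout, the account names and the domain-controller inventory are constructed for the example.

```python
"""
Added example: detection logic for DCSync (Event ID 4662) and Kerberoasting
(Event ID 4769) over constructed Windows Security event data.  The sample lines
use a simplified 'key=value;key=value' layout and made-up account names; they
are not exported from a real domain.
"""
from collections import defaultdict

# Extended-rights GUIDs that grant directory replication (real values).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"                 # 4662 AccessMask bit for extended rights
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}   # assumed DC inventory; DCs replicate by design

RC4_HMAC = "0x17"          # 4769 TicketEncryptionType for RC4-HMAC (AES is 0x11/0x12)
KERBEROAST_THRESHOLD = 3   # distinct service accounts requested with RC4 by one user

# Constructed sample events (not real log output).
SAMPLE_EVENTS = [
    # Legitimate replication between two domain controllers.
    "EventID=4662;SubjectUserName=DC02$;ObjectType=domainDNS;AccessMask=0x100;"
    "Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    # A service account, not a DC, exercising both replication rights: DCSync pattern.
    "EventID=4662;SubjectUserName=svc_backup;ObjectType=domainDNS;AccessMask=0x100;"
    "Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    # Ordinary read of an unrelated attribute (placeholder GUID).
    "EventID=4662;SubjectUserName=alice;ObjectType=user;AccessMask=0x10;"
    "Properties=00000000-0000-0000-0000-000000000000",
    # alice requests RC4 service tickets for three different service accounts.
    "EventID=4769;TargetUserName=alice@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x17;Status=0x0",
    "EventID=4769;TargetUserName=alice@CORP.LOCAL;ServiceName=svc_web;TicketEncryptionType=0x17;Status=0x0",
    "EventID=4769;TargetUserName=alice@CORP.LOCAL;ServiceName=svc_backup;TicketEncryptionType=0x17;Status=0x0",
    "EventID=4769;TargetUserName=alice@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x17;Status=0x0",
    # bob: an AES ticket to a file server plus a single RC4 ticket; below threshold.
    "EventID=4769;TargetUserName=bob@CORP.LOCAL;ServiceName=FS01$;TicketEncryptionType=0x12;Status=0x0",
    "EventID=4769;TargetUserName=bob@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x17;Status=0x0",
]


def parse_event(line):
    """Split 'k1=v1;k2=v2' into a dict; values keep their own commas."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect_dcsync(events):
    """Return (account, [rights]) for non-DC principals using replication rights."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "4662" or ev.get("AccessMask") != CONTROL_ACCESS:
            continue
        props = set(ev.get("Properties", "").split(","))
        rights = sorted(REPLICATION_GUIDS[g] for g in props & set(REPLICATION_GUIDS))
        who = ev.get("SubjectUserName", "")
        if rights and who not in KNOWN_DC_ACCOUNTS:
            alerts.append((who, rights))
    return alerts


def detect_kerberoast(events):
    """Return {requesting user: [services]} for users with many RC4 service tickets."""
    per_user = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != "4769" or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if ev.get("Status", "0x0") != "0x0":
            continue  # a failed request does not return a ticket to crack
        svc = ev.get("ServiceName", "")
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue  # TGT and machine accounts have long random passwords; noise here
        per_user[ev.get("TargetUserName", "")].add(svc)
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= KERBEROAST_THRESHOLD}


def run_detections(lines):
    """Parse raw lines and run both detectors."""
    events = [parse_event(line) for line in lines]
    return {"dcsync": detect_dcsync(events), "kerberoast": detect_kerberoast(events)}


if __name__ == "__main__":
    for kind, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{kind}: {hits}")
```

In a real deployment the DC allowlist comes from the directory itself (the Domain Controllers OU), the 4662 rule needs auditing of directory-service access enabled on the DCs, and the Kerberoast threshold is tuned per environment, since a few legitimate applications still request RC4 tickets.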
At the same time, IT teams can create additional security challenges by allowing group and privilege sprawl to creep into the Active Directory environment. Some common issues include: use of unconstrained delegation, poor change-management practices and documentation (temporarily elevating privileges and never revoking them), use of simple passwords, and keeping inactive accounts around. Malicious actors know how to exploit all of those scenarios to their advantage.
Yet, despite such security challenges and the significant potential for successful attacks, many organizations don’t devote enough attention and resources to assess the risk associated with their Active Directory environment and implement appropriate mitigation strategies.
That’s true in the utilities industry, too.
Many security and technology leaders in this field rely only on network segmentation to provide a layer of protection for OT networks. There is a misconception that if an attacker gains access to the information technology network, segmentation will prevent the attacker from accessing the operational technology. In reality, that’s not the case – even when an organization has established a proper demilitarized zone between segmented IT and OT environments.
That’s because trust necessarily remains between the two environments, so an attacker who is able to compromise a Domain Controller or launch a successful DCSync attack can use the stolen credentials to pick a trusted IT machine and connect from it to one on the OT side of the house, knowing that the two servers trust each other and the credentials will be accepted.
So what’s the short of it?
It’s this: You can lock down and air gap your OT environment, but that won’t protect you from a threat actor who has compromised the IT’s Active Directory services, especially when those services are shared between IT and OT.
The question becomes: how can organizations be more attentive to the risks associated with Active Directory? How do they cut through the massive amount of data, understand what their posture is, and work out how to improve it? To do that, I recommend organizations start deploying BloodHound: free, open-source software provided by SpecterOps. You can be sure attackers already are.
BloodHound is a discovery tool, designed for users to understand an Active Directory environment. It does this using graph theory and visual representation to uncover hidden or unintended relationships, kerberoastable accounts, opportunities for DCSync attacks, and a number of other misconfigurations or flaws within the environment. It then creates a graph of that analysis, thereby giving security and technology leaders a simple and quick way to depict privilege relationships and design remediations.
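To make the graph-theory idea concrete, here is an added example (not BloodHound’s own code) of the kind of question BloodHound answers: which principals reach both replication rights on the domain through nested group membership, and which of those also carry a service principal name and are therefore kerberoastable. The node and edge vocabulary (User, Group and Domain nodes; MemberOf, GetChanges and GetChangesAll edges; a hasspn flag) follows BloodHound’s naming, but the graph, the account and group names, and the domain name are constructed for illustration.

```python
"""
Added example: a small graph walk in the spirit of BloodHound's DCSync analysis.
Edges are (source, relation, target).  The graph below is hand-built for
illustration; it is not collected from any real domain.
"""
from collections import defaultdict, deque

DOMAIN = "CORP.LOCAL"   # constructed domain name

# Constructed edges: nested group membership plus ACL rights on the domain node.
EDGES = [
    ("svc_backup", "MemberOf", "Infra Automation"),
    ("alice", "MemberOf", "Infra Automation"),
    ("Infra Automation", "MemberOf", "Replication Admins"),
    ("Replication Admins", "GetChanges", DOMAIN),
    ("Replication Admins", "GetChangesAll", DOMAIN),
    ("svc_web", "GetChanges", DOMAIN),          # only half of the pair: not enough
    ("Domain Admins", "GetChanges", DOMAIN),
    ("Domain Admins", "GetChangesAll", DOMAIN),
    ("DC01$", "MemberOf", "Domain Controllers"),
    ("Domain Controllers", "GetChanges", DOMAIN),
    ("Domain Controllers", "GetChangesAll", DOMAIN),
    ("bob", "MemberOf", "Helpdesk"),
]
USERS = {"svc_backup", "svc_web", "alice", "bob", "DC01$"}
HAS_SPN = {"svc_backup", "svc_web"}   # BloodHound's hasspn: accounts with an SPN

# Both rights are needed on the domain for DCSync-style replication.
DCSYNC_RIGHTS = {"GetChanges", "GetChangesAll"}


def build_index(edges):
    """Adjacency list: source -> [(relation, target), ...]."""
    index = defaultdict(list)
    for src, rel, dst in edges:
        index[src].append((rel, dst))
    return index


def effective_groups(principal, index):
    """Transitive MemberOf closure; maps each group to the membership chain reaching it."""
    chains = {}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for rel, dst in index.get(node, []):
            if rel == "MemberOf" and dst not in chains:
                chains[dst] = path + [dst]
                queue.append((dst, chains[dst]))
    return chains


def dcsync_paths(principal, groups, domain, index):
    """Return {right: chain} if the principal holds both replication rights, else {}."""
    holders = {principal: [principal], **groups}
    found = {}
    for holder, chain in holders.items():
        for rel, dst in index.get(holder, []):
            if dst == domain and rel in DCSYNC_RIGHTS and rel not in found:
                found[rel] = chain
    return found if DCSYNC_RIGHTS <= set(found) else {}


def audit(edges, users, has_spn, domain, expected_groups=frozenset({"Domain Controllers"})):
    """List users with effective DCSync rights, noting which are also kerberoastable."""
    index = build_index(edges)
    report = {}
    for user in sorted(users):
        groups = effective_groups(user, index)
        if expected_groups & set(groups):
            continue  # domain controllers replicate by design; not a finding
        paths = dcsync_paths(user, groups, domain, index)
        if paths:
            report[user] = {"kerberoastable": user in has_spn, "paths": paths}
    return report


if __name__ == "__main__":
    for user, finding in audit(EDGES, USERS, HAS_SPN, DOMAIN).items():
        flag = " (kerberoastable)" if finding["kerberoastable"] else ""
        print(f"{user}{flag}")
        for right, chain in finding["paths"].items():
            print(f"  {right} via {' -> '.join(chain)}")
```

The membership chain attached to each right is the actionable part of the output: it tells the AD team exactly which group grant to remove or which nested membership to break, which is the same remediation conversation a BloodHound graph starts.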
I worked with one client to deploy BloodHound, allowing us to identify four kerberoastable service accounts that had the appropriate permissions to accomplish a DCSync attack. Imagine: without ever compromising the Domain Controller or a Domain Admin account, attackers could easily replicate the credentials of every single user account.
In another case, I worked with a client’s Chief Information Security Officer using BloodHound to analyze his organization’s Active Directory environment and found kerberoastable accounts that he thought had been remediated months ago but were actually still active.
Learning how to use BloodHound does require an investment of time, but it’s not a steep learning curve to put this tool to use. SpecterOps has free online tutorials and blogs to help security teams get started, and the tool itself has prewritten queries that enable teams to quickly make use of it with a simple point-and-click. You can even find queries that others have written to expand upon your library.
Given all this, I advise organizations to use BloodHound to audit their own Active Directory environments, or work with us on that analysis. Then, use what BloodHound uncovers to advance onto a path of active monitoring and remediation of identified risks.
This work is critical for defenders if they want to keep pace with their adversaries, who are, as mentioned earlier, also using BloodHound to identify the easiest pathways to a successful attack in their targets.
IT and OT teams together should own this work. Yes, the IT department typically maintains Active Directory, but the impact of a successful attack on Active Directory won’t be limited to IT; as previously stated, it could cripple the OT environment, too.
And that fact alone should make it a primary concern for both IT and OT teams, as well as security personnel and, really, the enterprise as a whole.
By Kurt Alaybeyoglu, Senior Director of Cybersecurity Services at Rokster