- Half of large companies have been the subject of a cyberattack on Active Directory (AD) services in the last one to two years, a report from Enterprise Management Associates on behalf of Attivo Networks and Tenable found. In 42% of those attempts, the attacks were successful, according to the survey of 250 IT professionals and executives from organizations with at least 1,000 employees.
- The majority (86%) of companies plan to either slightly or significantly increase spending to secure AD environments. They cited reasons for the spending increase, include the higher prevalence of AD attacks, the increase in work from home, the expanded use of cloud IT and the increased prevalence of ransomware.
- "The issue with AD is that it is so extensive that most customers do not have the in-depth knowledge to identify and fix every exposed setting or parameter," Carolyn Crandall, chief security advocate and CMO at Attivo Networks, said. "It's not just a matter of patching or incorrect configurations since there are references on hardening and configuring AD."
Attacks on AD have been a serious problem over the past year. AD attacks played a considerable role in the SolarWinds campaign and, most recently, in attacks involving LockBit 2.0 ransomware.
During the SolarWinds campaign, the state-sponsored threat actor used what is known as the Golden Security Assertion Markup Language (SAML) to create fake user credentials, bypass two-factor authentication and move laterally within a corporate network. The attackers gained elevated access privileges and, once granted, they exfiltrated data from the organization's computer network.
Attackers often use open source and freely available tools like Bloodhound and Mimikatz to attack AD. The tools help attackers find the shortest path through AD and steal passwords during attacks.
AD is leveraged by more than 90% of organizations as the backbone of their identity management system, Gartner researchers estimated in a September 2020 study. Most companies, however, have difficulty with several aspects of using AD, including privileged access, identity governance and strong user authentication.
"AD is not a vulnerable solution by itself and it can be tuned and protected, however, default AD configuration leaves it vulnerable to what would be considered by most security experts as a common attack," said Mickey Bresman, co-founder and CEO of Semperis.
Companies can use several techniques to protect AD, including reduce the use of privileged accounts, use jump boxes and follow secure technical implementation guides, Crandall said.