
Cyber criminals have stepped up their game and almost no organisation is immune today. Tactics are becoming more sophisticated, and the likelihood that one of your employees will click on a phishing link is very high. Gone are the days of keeping hackers and cyber criminals outside your network. Gone are the days when firewalls and anti-virus software were the only controls required to keep hackers at bay. You simply must assume that an attacker will get inside your organisation’s network.

So, now they are inside. They are snooping around your network, trying to get access to file shares, servers and databases. One area that is often overlooked from a cyber security perspective is Active Directory. Most organisations still use Active Directory (AD) as their primary means of identification. AD is used to grant employees access to workstations, business applications and productivity software. Similarly, AD is used to grant IT administrators access to servers and databases so that they can perform a wide range of administrative tasks. Because of the privileged level of access granted to IT administrators and the sensitive access associated with their accounts, attackers often focus on compromising IT administrator credentials. It is also quite possible that attackers will obtain full domain access, allowing them to create new administrators and gain practically unlimited access to assets across the IT environment.

The cyber risk is that Active Directory and its associated objects, GPOs and configuration settings can have hundreds of security configuration vulnerabilities. AD is typically configured to enable access to resources, and it is not securely configured by default. Your typical Windows administrator often lacks knowledge of the security weaknesses in AD and how to remediate them. Various hacker tools exist to exploit weaknesses in AD, such as BloodHound, Empire and PowerView. These are extremely effective tools used by attackers to compromise AD security. Combined with generally weak security practices, such as shared IT administrator passwords or passwords stored in clear text, these weaknesses exacerbate the associated risk. AD is often the starting point for attackers to obtain a quick foothold on a network. In the hands of a proficient attacker, it can very quickly result in the complete take-over of a network domain.

Spending time to secure AD will significantly improve your internal network security posture. Various commercial tools are available to assist organisations in remediating AD security weaknesses, although such tooling is often not prioritised in security spending. Much has been written about this subject, but remediation can be complex and requires specialist Windows administrator skills. The importance of remediating AD configuration weaknesses should not be underestimated, and it should be prioritised in any organisation’s cyber security remediation activities.