How to Automate Investigation of Active Directory Security Breaches

Author: Guy Nadivi

It’s estimated that 90% of organizations around the world use Active Directory as their primary identity service for authentication and authorization. Hackers know this, which is why Active Directory has become one of their favorite targets. Of course, it isn’t just hackers looking for vulnerabilities in order to gain access to your network resources. It’s also insiders.

Regardless of whether your attacker is external or internal, if successful, they can cause enormous damage to your enterprise, both financial and reputational. Automation can help accelerate investigation of these security breaches, and as a result, greatly reduce an organization’s exposure from attacks on corporate Active Directory deployments.

What makes Active Directory so popular among organizations?

One obvious thing is that it’s published by Microsoft, which makes Active Directory the default choice for Windows environments.

Active Directory is also very configurable and customizable, making it popular for organizations with very specific identity access requirements.

Additionally, Active Directory is very adept at centralizing management of compute resources and identity access, which eases the administrative burden on technical staff. A major benefit!

Finally, it’s fairly easy to manage Active Directory since it has a familiar Windows interface.

It turns out, though, that all the same benefits which make Active Directory so popular with System Administrators also make it popular with a couple of other demographics.

I’m referring of course to outside hackers, working either as individuals, or as part of crime syndicates, or even under state sponsorship from an adversarial nation.

Increasingly, Active Directory is also being targeted by disgruntled employees, or insiders motivated to commit harm against YOUR organization. One spectacular recent example of that is Edward Snowden, the former NSA employee who stole hundreds of thousands of incredibly sensitive classified documents that were subsequently leaked to the public. His case illustrates what can happen to an organization even as hyper-security-conscious as the NSA if it focuses too much on defending against outsiders – it gets blindsided by an insider.

There are many best practices that security experts recommend to protect your Active Directory from people with nefarious intentions like outside hackers or disgruntled employees. I won’t go into depth about those recommendations, but I do want to mention one you’re probably already familiar with that’s very important: Least-Privilege Administrative Model.

This is the principle of restricting access rights for users, accounts, and computing processes to just the resources absolutely required to perform their job. For example, if all a particular user needs for their function is to read documents, then there’s no need to also give them access to write documents.

That’s why the Least-Privilege Administrative model is considered a simple concept that’s easy to understand.

If you implement the Least-Privilege Administrative model, it’s going to be effective at reducing risk for your enterprise, which in turn will increase security. Sounds great so far, right?

As it turns out though, the Least-Privilege Administrative model is rarely implemented by organizations. Despite the general consensus about its positive benefits, it’s considered too difficult and tedious to actually use.

Coincidentally, I found an interesting quote about implementing least-privilege administrative models in a document published by the organization which knows better than anyone about Active Directory’s security vulnerabilities – Microsoft!

The first part of the document reads “…in assessing Active Directory installations, we invariably find excessive numbers of accounts that have been granted rights and permissions far beyond those required to perform day-to-day work.”

A little further down in this document it talks about the sophistication of those attacking Active Directory and says “Unfortunately, the path of least resistance in many environments has proven to be the overuse of accounts with broad and deep privilege.”

If you’re interested, and especially if you’re tasked with securing Active Directory, I recommend reading this Microsoft document yourself (“Implementing Least-Privilege Administrative Models”).

Those administering Active Directory as part of their job role know that implementing the Least-Privilege Administrative Model is the best option in terms of effectiveness, but it’s also difficult to implement. What then should one do?

Ayehu proposes that you consider a modified Least-Privilege Administrative Model that applies to all administrator accounts, and relies on automation to ensure strict compliance.

How would that work? Conceptually something like this.

In Active Directory, there would be tiers of privilege for various administrative accounts based on the tasks a given administrator type would need to carry out. However, in accordance with our model, those accounts would receive the least amount of privilege needed to accomplish those tasks, and nothing more. Every administrator account would then be assigned to a given tier.

Ayehu’s automation platform would integrate with Active Directory to automate much of the enforcement of these strict tiers.

When there is any movement between the tiers, or even a new account created, Ayehu would provide automated detection, investigation, and triage services to the appropriately designated SysAdmin via a simple Slack interface, and would furthermore document all of this activity in a standard ServiceNow ticket.
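To make the detection step of this tiered model concrete, here is an added example (not Ayehu’s code) that evaluates Windows Security audit events against a constructed tier policy. Event IDs 4720 (user account created) and 4728/4732/4756 (member added to a security-enabled global/local/universal group) are the standard Windows Security IDs; the group names, account-to-tier assignments and sample events are constructed for the example, and the output is what an automation platform would hand to the on-call SysAdmin or attach to a ticket.

```python
from dataclasses import dataclass
# Tier policy (constructed): lower number = more privilege. Every admin account
# and every privileged group is assigned exactly one tier.
GROUP_TIER = {"Domain Admins": 0, "Server Operators": 1, "Workstation Admins": 2}
ACCOUNT_TIER = {"alice-t0": 0, "bob-t1": 1, "carol-t2": 2}
ACCOUNT_CREATED = 4720             # Windows Security: a user account was created
MEMBER_ADDED = {4728, 4732, 4756}  # member added to a security-enabled group

@dataclass
class Finding:
    severity: str   # "info", "medium" or "high"
    event_id: int
    actor: str      # SubjectUserName: who made the change
    target: str     # account or group affected
    reason: str

def evaluate(ev):
    """Map one parsed Security event to a Finding, or None if out of scope."""
    eid, actor = ev["EventID"], ev["SubjectUserName"]
    if eid == ACCOUNT_CREATED:
        return Finding("medium", eid, actor, ev["TargetUserName"],
                       "new account has no tier assignment; triage before use")
    if eid not in MEMBER_ADDED:
        return None
    group, member = ev["TargetUserName"], ev["MemberName"]
    gtier = GROUP_TIER.get(group)
    if gtier is None:
        return None                      # not a tiered group: out of scope
    atier = ACCOUNT_TIER.get(member)
    if atier is None or atier > gtier:   # untiered, or moved up into a higher tier
        who = "untiered" if atier is None else f"tier-{atier}"
        return Finding("high", eid, actor, member,
                       f"{who} account added to tier-{gtier} group {group}")
    return Finding("info", eid, actor, member,
                   f"membership change within assigned tier {atier}")

def triage(events):
    """Findings for all events, most severe first, ready for notification."""
    found = [f for f in map(evaluate, events) if f is not None]
    return sorted(found, key=lambda f: {"high": 0, "medium": 1, "info": 2}[f.severity])

# Constructed sample events (real 47xx events carry the member as a DN).
SAMPLE_EVENTS = [
    {"EventID": 4732, "SubjectUserName": "alice-t0",
     "TargetUserName": "Workstation Admins", "MemberName": "carol-t2"},
    {"EventID": 4728, "SubjectUserName": "bob-t1",
     "TargetUserName": "Domain Admins", "MemberName": "carol-t2"},
    {"EventID": 4720, "SubjectUserName": "bob-t1", "TargetUserName": "svc-backup"},
    {"EventID": 4728, "SubjectUserName": "alice-t0", "TargetUserName": "Sales", "MemberName": "jdoe"},
]
```

Run `triage(SAMPLE_EVENTS)` to get the ordered findings; in a real deployment the events would come from the domain controllers’ Security logs and the policy dictionaries from the tier assignments kept in AD.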

If implementing a full Least-Privilege Administrative model is impractical at your organization, using this approach allows you to at least deploy it for your admin accounts. That way, you can leverage Ayehu’s enterprise-grade automation to tie together all these components into an effective unified defense for Active Directory.

With an estimated 90% of organizations using Active Directory as their primary identity service for authentication and authorization, it’s just a fact of life that AD is going to be under relentless assault, from both external and internal attack.

There is no one solution that can completely protect Active Directory from all the different angles those attacks vector in from. However, automation does have a role to play as an important defensive tool for Active Directory by making implementation of a modified Least-Privilege Administrative model for your admin accounts a far more feasible option than it might otherwise be.

If you’re interested in test driving Ayehu NG and seeing how it can help secure your Active Directory deployment, please visit our website and download your very own free 30-day trial version today by clicking here.