With the disappearance of the network perimeter, identity has become the last line of defence from cyberattacks.
March 2020 will forever be known as the month that plunged much of the world into uncertainty, chaos and isolation.
A health-centric earthquake with little warning reverberated throughout economies and societies. Some of the hardest hit by its shockwaves were companies. Thanks to COVID-19, working from home went overnight from being a luxury to a necessity.
From an IT perspective, there were a variety of approaches to the herculean task of quickly implementing remote access for most or all of an organization’s employees. The heavily regulated financial services market, for example, saw most of its key players opting to keep remote access to SaaS applications routed through the corporate network via virtual private networks (VPNs), beefing them up so that they could support tens of thousands of concurrent users.
Meanwhile, more agile markets and enterprises that had been on the fence about letting users reach cloud applications directly over the internet moved quickly. The pandemic forced them to implement in a matter of days what would usually take months.
In both scenarios, there was a need to provide single sign-on (SSO). SSO lets users authenticate with one set of credentials to both on-premises and cloud apps, and it is paramount for good security because it removes the sprawl of per-application passwords. But to achieve SSO, a hybrid identity architecture is required: one that projects the organization’s on-premises identities into the cloud service, whether by synchronizing accounts or by federating authentication through a service such as AD FS.
From a security perspective, hybrid identity poses a challenge. By its very nature, it is more complicated than standalone cloud or on-premises systems. This is simply because there are more moving parts. The key risk, however, is the fact that most hybrid identity architectures are based on the most common on-premises identity system in the world: Microsoft Active Directory (AD).
How hybrid identity may result in massive supply chain attacks
Microsoft AD was built before cloud computing, nation-state cyber warfare, ransomware, and the other modern threats that organizations are grappling with right now. It was built for a different era. Launched around 21 years ago with Windows 2000, it isn’t equipped to handle today’s intense threat environment.
Yet, AD remains a foundational piece of infrastructure for 90% of organizations.
There are a number of elements working against AD. AD typically supports legacy applications that may require old and insecure authentication protocols such as NTLM. These applications are usually installed under time pressure, with the service and management accounts that run them granted more privilege than they need, and without the periodic access reviews that would remove privileged accounts once they are no longer required.
Underneath it all, AD was fundamentally designed to make resources easily discoverable to domain users, not to hide them away. Over time these security gaps accumulate. The result is a series of configuration weaknesses and multiple potential points of entry for a threat actor.
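The two gaps just described, privileged accounts that are never reviewed and legacy NTLM authentication that is never retired, are both visible from a domain controller with a few lines of PowerShell. The script below is an added example, not Semperis tooling or code from the original post. It assumes the RSAT ActiveDirectory module, rights to read the Security event log on the domain controller it runs on, and that the 90-day staleness window and the list of privileged groups fit your environment; all three are assumptions you should adjust.

```powershell
# Added example (not from the original post): a minimal Active Directory access review.
# Assumes: RSAT ActiveDirectory module, read access to the Security log on a DC,
# and that the group list and 90-day window below are appropriate for your domain.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$StaleAfterDays   = 90
$Cutoff           = (Get-Date).AddDays(-$StaleAfterDays)

# 1. Who holds privileged group membership, and is the account still in use?
$Report = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so members hidden two levels down still show up
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                     -Properties LastLogonDate, PasswordLastSet, Enabled, ServicePrincipalName
            [pscustomobject]@{
                Group           = $Group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                # A privileged account with an SPN is Kerberoastable: its service ticket
                # can be requested by any domain user and cracked offline.
                HasSPN          = ($u.ServicePrincipalName.Count -gt 0)
                # Never logged on, or not within the window: a candidate for removal.
                Stale           = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $Cutoff)
            }
        }
}
$Report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Which accounts and hosts still authenticate with NTLM?
# Security event 4624 carries the authentication package; LmPackageName distinguishes
# NTLM V1 (retire first) from NTLM V2. One day of logons keeps the query bounded on a busy DC.
$Since = (Get-Date).AddDays(-1)
$NtlmLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -MaxEvents 50000 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Source      = $d.IpAddress
                Workstation = $d.WorkstationName
                Version     = $d.LmPackageName
            }
        }
    }
$NtlmLogons | Group-Object Account, Version | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it on each domain controller (or point `Get-WinEvent` at them with `-ComputerName`); NTLM logons are recorded where the authentication happens, so a single DC's log shows only part of the picture. Accounts that are both privileged and stale are the ones an access review should remove first.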
AD supply chain attacks that made headlines
As a result, AD continues to be a source of many security-centric nightmares. The SolarWinds breach is a case in point where, unbeknownst to some, AD was an active vector that the threat actors used in developing one of the most malicious supply chain attacks seen to date.
Attackers successfully broke into the systems of the IT management software vendor SolarWinds. That allowed them to add malicious code to its Orion platform, used by roughly 33,000 of its customers to monitor and manage their networks. When SolarWinds distributed its next regular software updates, the tampered code created a back door. That gave the infiltrators access to the IT systems of companies that installed it, where they could deploy further malware.
18,000 organizations installed the malicious update that went undetected for months. This included many high-profile clients such as Fortune 500 companies and US government agencies.
Once inside a victim’s network, the attackers used AD to conduct internal reconnaissance and gain domain administrator access. That allowed them to steal the SAML token-signing certificate from the organization’s AD FS servers. With that key they forged SAML tokens for any user they chose, a technique known as Golden SAML, and presented them to the Microsoft 365 environment to gain access to corporate email.
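The defining property of a forged token is that it was signed off-box: the cloud service accepts it, but no AD FS server ever logged issuing it. That gives a concrete hunt: every federated sign-in at the cloud service should have a matching token-issuance event on an AD FS server shortly before it. The script below is an added example, not code from the original post or from Semperis. It assumes AD FS auditing is enabled so that issuance is written as Security event 1200, that the cloud sign-in log can be exported with a time and a UPN per sign-in, and that a five-minute window covers clock skew; the records embedded in it are constructed for the example, not real logs.

```powershell
# Added example (not from the original post): the core of a Golden SAML hunt.
# Premise: a forged token is signed with the stolen key outside AD FS, so the cloud
# service records a federated sign-in that AD FS never logged as issued.
# Assumptions: AD FS auditing is on (issuance = Security event 1200), the cloud
# sign-in export carries Time and Upn, and 300 s of skew tolerance is enough.

# Constructed sample: AD FS issuance events, the shape you would build from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1200 }
$AdfsIssued = @(
    [pscustomobject]@{ Time = [datetime]'2020-12-10T08:01:12Z'; Upn = 'alice@corp.example' }
    [pscustomobject]@{ Time = [datetime]'2020-12-10T08:05:40Z'; Upn = 'bob@corp.example'   }
)

# Constructed sample: federated sign-ins exported from the cloud identity provider
$CloudSignIns = @(
    [pscustomobject]@{ Time = [datetime]'2020-12-10T08:01:15Z'; Upn = 'alice@corp.example';      Ip = '10.20.0.5'      }
    [pscustomobject]@{ Time = [datetime]'2020-12-10T08:05:44Z'; Upn = 'bob@corp.example';        Ip = '10.20.0.9'      }
    [pscustomobject]@{ Time = [datetime]'2020-12-10T22:17:03Z'; Upn = 'svc-backup@corp.example'; Ip = '198.51.100.23'  }
)

function Find-UnissuedFederatedSignIn {
    param(
        [object[]]$Issued,
        [object[]]$SignIns,
        [int]$WindowSeconds = 300   # assumed tolerance for clock skew and token lifetime
    )
    foreach ($s in $SignIns) {
        # A legitimate sign-in has an issuance for the same UPN, at or before the
        # sign-in, within the window. Anything without one was never issued by AD FS.
        $match = $Issued | Where-Object {
            $_.Upn -eq $s.Upn -and
            $_.Time -le $s.Time -and
            ($s.Time - $_.Time).TotalSeconds -le $WindowSeconds
        }
        if (-not $match) { $s }
    }
}

# In the constructed data only the svc-backup sign-in has no issuance event behind it.
Find-UnissuedFederatedSignIn -Issued $AdfsIssued -SignIns $CloudSignIns | Format-Table -AutoSize
```

Two caveats a practitioner would add: collect event 1200 from every AD FS server in the farm, because a sign-in is legitimate if any node issued the token, and treat a hit as a lead rather than a verdict, since a gap in AD FS log collection produces the same signal as a forged token. Confirmed forgery means the token-signing certificate must be rotated, twice, so that the old key is no longer trusted anywhere.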
AD, by its very nature, is highly open. It is a factor that allowed the threat actors to exacerbate the complexity and extent of the attack with ease. Simply put, it is extremely vulnerable to cyber disasters capable of spreading across a network in the blink of an eye.
Solving the AD security crisis
The SolarWinds attack was an extreme incident, yet it is one that is by no means isolated.
According to Skyport Systems, AD mismanagement unknowingly exposes 90% of businesses to security breaches. Mandiant Consulting supports this. It estimates that around 9 in 10 of all the attacks that their team investigates involve AD in some form, whether as the initial attack vector or as a means of achieving persistence or elevated privileges.
Yet what compounds the statistics shared by Skyport and Mandiant even further is the fact that AD is simply not going away. As long as on-premises operations exist, AD will prevail.
What’s the solution?
For an organization to truly shield itself from the exposure that AD and hybrid identity create, it needs to protect this core identity system across the full attack lifecycle. At Semperis, we’ve created a free, easy-to-use and powerful tool, Purple Knight, that lets companies of all shapes and sizes perform a security assessment of their AD environment. Yet this is just the first step.
Companies also need the capabilities of monitoring and rolling back unauthorized changes in AD during an attack and gaining key insights when the wheels of an attack are in motion.
Organizations tend to focus too much on preventing attacks and not enough on recovery. However, given the growing frequency and complexity of ransomware and other threats, it is crucial that companies not only pursue effective recovery, but are able to do so in a way that ensures the original malware sitting on their servers is not reinstated.
Threat actors will almost always look around a network for days, weeks, even months before detonating a malware payload. They will try to understand what value or data they can gain, attempt to retrieve it, and only then detonate the payload as the last step of the attack. This means that backups taken during that dwell time already contain the attacker’s implants, so AD domain controllers restored from traditional server backups will probably reintroduce the malware and start the cycle again.
Getting to grips with AD and its associated threats might seem a daunting prospect. However, it is vital that companies take the necessary steps to minimize the potential for this highly vulnerable vector to be used in attacks.
Identity is the last line of defence
Because identity is now the last line of defence, we’re proud to sponsor the Hybrid Identity Protection (HIP) conferences, a global event series and podcast focused on helping organizations meet the identity and access management challenges that arise in today’s fast-moving business environment. Our mission is to make the world a safer place through intelligent collaboration and knowledge sharing.
For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing Active Directory, Semperis’ patented technology protects over 40 million identities from cyberattacks, data breaches, and operational errors.
The world’s leading organisations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies. Semperis is headquartered in New Jersey and operates internationally, with its research and development team distributed between San Francisco and Tel Aviv.
Semperis hosts the award-winning Hybrid Identity Protection conference (www.hipconf.com). The company has received the highest level of industry accolades and was recently ranked the fourth fastest-growing company in the tri-state area and 35th overall in Deloitte’s 2020 Technology Fast 500™. Semperis is accredited by Microsoft and recognised by Gartner.