Having your Active Directory breached is bad enough, but an attacker who gains persistence is even more dangerous. The longer they are able to hide in your Active Directory forest, the better chance they have of gaining access to your organization’s crown jewels. Undetected, they can comfortably wait for the most opportune time to take control, stealing your organization’s most sensitive data and doing with it what they please.
Over the course of this series, we’ve explored multiple strategies attackers may use to gain this persistence after an attack on Active Directory, as well as methods for detecting them. In part one, we went over the approach of forging Kerberos tickets; in part two, we reviewed domain replication abuse; and in part three, we touched upon AdminSDHolder and SDProp abuse, SID History attacks, and skeleton key attacks. As we conclude our deep dive into persistence techniques, we have a few last pieces of advice to consider as you continue to manage your organization’s cybersecurity posture.
1. Stay as savvy as attackers.
It should come as no surprise that the persistence strategies we covered are far from the only ones at an attacker’s disposal—in fact, they may only be the tip of the iceberg. Resourceful attackers use different techniques, and even chains of them, every day. It's important for your organization to make sure that your cybersecurity team is continually learning and relearning so they remain well-versed in both the new and the old tactics, techniques, and procedures real attackers are using.
2. Evaluate detection and monitoring processes.
Are your detection and monitoring processes adequate? Limiting the dwell time as much as possible is critical to reducing the risk of damage. Make sure you have the tools in place to keep an eye on your environment.
For example, a Security Information and Event Management (SIEM) system is an effective way to centralize the logs and events from all of your systems. Merely accumulating events won't be sufficiently helpful on its own, so an effectively configured SIEM must be able to correlate, analyze, and prioritize events, transforming them into meaningful alerts.
Additionally, while a SIEM assesses the data streams produced by an environment’s assets, tools like Network Traffic Analysis (NTA) solutions can provide further monitoring of an infrastructure by constantly observing network traffic to establish a baseline, then notifying security analysts the moment abnormal activity is confirmed to be an actual threat.
3. Don’t miss incidents and alerts.
Alerts are pretty useless if they don’t make sense or don’t reach their intended recipient. Security tools need both normalized data and understandable dashboards, so users can quickly understand what is happening, enabling them to make better decisions faster. Since it's rare for someone to be looking at a dashboard nonstop, tools also need to provide notifications in a format that an analyst would regularly check—be it email, ticketing systems, or text messages—to rapidly notify security teams so they can swiftly take action.
4. Regularly test your security controls and defenses.
Penetration testing should be performed on a regular basis, either by an internal team or a third-party service, to evaluate your cybersecurity stance and show you the best way to prioritize and manage vulnerabilities. To assess the security of Active Directory specifically, consider granting pen testers higher privileges or permissions so that they can exercise more advanced techniques. Additionally, running a Red Team engagement may be a good way to evaluate your defense strategy against post-exploitation activities.
Working with a team of offensive cybersecurity experts who can put the different layers of your security to the test is one of the best ways to train your defensive team, exposing them to new techniques and giving them the opportunity to grow as cybersecurity responders.
Another Kind of Persistence
Following the suggestions and strategies in this series is a great step toward preventing and detecting bad actors attempting to lurk in your Active Directory. Ironically, the ultimate answer to attackers gaining persistence is just that—persistence. Those most at risk from these advanced threats are those who have let their security grow stagnant. There is no shortcut—continually training, refining processes, evaluating solutions, and staying informed are the only reliable ways to keep on top of, and ahead of, attackers and threats.
Learn More About Active Directory Attacks
Find out how attackers initially breach Active Directory, and learn strategies to prevent it from happening to your organization, in our first Getting Inside the Mind of an Attacker series.