Authored by: Julio Sanchez
In part four of this series, we examined a penetration testing engagement that the Core Security Services team performed, exploring an insider attacker engagement that showed one of the ways an attacker can escalate their privileges using Kerberos tickets. The four scenarios presented over the course of this series demonstrate the many types of attacks, both internal and external, threat actors may use to gain control of Active Directory. These scenarios also emphasize the importance of protecting Active Directory from being breached, as it gives attackers the ability to access, create, or modify any of the main accounts, including trust relationships and domain security policies.
It can be overwhelming to realize the seemingly countless tactics attackers may use to try and access such a high value target. How can you protect Active Directory when there are so many potential attack vectors? In this final part of the series, we’ll provide a few pieces of general advice to keep in mind for how to reasonably manage and reduce risk.
1. Strengthen Authentication Policies.
Most organizations know their users may be utilizing easy-to-guess passwords, but they may still be entirely too reliant on passwords. As demonstrated by several of our examples, passwords can be guessed or cracked. If your business is solely using passwords, it may be a good time to discuss implementing Multiple Factor Authentication (MFA). There are many solutions in the market to evaluate, all of which will provide an extra layer of security that can thwart a great number of attack scenarios.
2. Keep Access Point Security Measures Uniform.
It is important to have a clear idea of the services you are exposing to the public sphere, and to be consistent across them. Remember that any external access point with an inconsistent scheme is considered a backdoor to your internal network. If possible, limit the external exposure to only what you really need for your day to day business. Additionally, every internal service should be behind a VPN login for additional protection.
3. Reevaluate Your Current Identity Management Processes.
Be thoughtful about each domain account you create, as well as the rights you are granting with them. When issuing service accounts, remember that fewer is better. Strongly limit the number of these accounts and enforce the use of strong passwords. If you even remotely suspect that any of your service accounts has a weak password, consider running a massive password reset operation right away. Though tedious, it’s nothing compared to a full Forest rebuild if an attacker were to compromise it. Finally, ensure that your IT teams are mindful and constrained about Kerberos delegation. Critical accounts, for example, should be protected from delegation.
4. Pen Test Regularly.
Of course, all of the scenarios we discussed occurred during pen testing engagements. This means the organizations where we performed these tests were able to fix these issues before an attack ever occurred. A pen test will reveal how newly discovered threats or emerging security weaknesses may potentially be assailed by attackers. Penetration testing should be performed on a regular basis either by an internal team or a third-party service to evaluate your cybersecurity stance and show you the best way to prioritize and manage vulnerabilities.
The Ongoing Security Journey
Ultimately, as time goes on, attackers are going to adapt and improve their techniques. Unfortunately, there is no foolproof, perfect security scheme which eliminates risk entirely. Even strong security technologies may be broken by attackers as they develop new strategies and resources. However, you can always make sure that you are not making the work of an attacker easier. By following the suggestions made in this series and staying informed of new techniques and vulnerabilities, your organization will be able to reduce risk and not just get inside the mind of an attacker—you’ll also be able to get ahead of them.
Is Your Organization Considering a Penetration Test?
How do you know which pen testing service is right for you? Read our blog about asking the right questions—both of your organization and its needs, and of the service provider’s processes, capabilities, reputation, and experience.