Active Directory (AD) is a standard tool used by most organizations to regulate users and machines accessing the company’s resources. However, it can be both a blessing and a curse: as the central repository for all the information relating to the network – credentials, users, computers, applications, and so on – AD is essential to the day-to-day running of the business.
Every computer on the company’s network must, therefore, have some level of access to AD for the network environment to function correctly.
Having all this information in one place, however, means it is also a highly prized target for threat actors, as any compromised endpoint gives an attacker access to this central repository. Once attackers compromise AD, they can gain insight and access to the network, providing them with critical information on which accounts to target so that they can advance their attack. Defenders know this and have tried to craft secure practices to protect AD.
These best practices include having separate administrator accounts per person and tiers of access to limit the ability of a single compromised account to create havoc. In addition to these best practices, they also run Red Team exercises, and other forms of monitoring to look for anomalous behaviours. It is inherently tricky balancing this need for with preventing unauthorized access. As such, it is hard to lock down an AD server from an attacker using automated tools that can quickly enumerate it and find the information they are seeking.
Attacking Active Directory
Active Directory has a reputation for being the “Keys to the Kingdom” because - according to the MITRE ATT&CK framework - it is vital for 10 of the 12 steps commonly taken by threat actors. These steps include privilege escalation, lateral movement, and data exfiltration.
Threat actors use phishing, man-in-the-middle, and other techniques to gain the credentials they need to break into a network. Once inside the system, they often deploy attack tools such as Bloodhound to map out the entire AD environment. Through this recon, threat actors can identify the high-value assets, systems, and privileged user accounts necessary to complete their objectives and map a plan of attack.
For example, the Bloodhound tool shows them the shortest lateral attack paths through these AD objects that will get them Domain Administrator privileges on the network.
Organizations Can’t Prevent All Infiltrations
Companies can limit the capabilities and access of AD to reduce the chances of a successful attack escalation should attackers attempt to exploit it. However, this is not ideal because the trade-off is to compromise the efficiencies associated with AD.
In a further attempt to stymie the efforts of threat actors, AD admins often get three tiers of access logins for workstations, servers, and AD itself, commonly seen as the only way to limit lateral movement and privilege escalation. However, this can have repercussions when it comes to monitoring access and alerts, as security teams may ultimately find themselves being overwhelmed by a high volume of alerts or by needing to overprovision access.
Turning the Tables with Deception
Given that an organization’s network will likely experience an infiltration at some point, an alternative defence strategy is to use deception against the threat actor. Presenting them with false information that looks like the real thing prevents attackers from receiving operational AD information and can misdirect them into a decoy environment. The deception curtails their ability to move laterally through a system and their ability to trust their attack tools.
For example, when an attacker uses Bloodhound to query AD for domain admin accounts, it gets back false information. A real-world example would be the card game, three-card Monte. Unsuspecting victims get tricked into putting up their money in the hopes they will win more by finding the right card. In the same way that the street hustler dupes their victims that the card they want to pick is the one that will win them some money, deception technology convinces threat actors they are looking at something that will scoop them a big payday.
In both cases, deception dupes the participants who will, in fact, walk away with nothing. While this deception is happening, the solution records the threat actor’s TTPs for use by the security team for threat hunting and strengthening defences to prevent the system from further compromises.
Through gaining access to AD, cyber attackers hope to hide from security teams and their tools by, for example, using existing credentials or creating their domains. However, by turning the tables on the threat actors, defenders can use deception as a weapon against them to ensure that they keep their assets while the attacker is left wondering how they got played.