Identity – The New Perimeter
I believe it was at the 2014 RSA Security Conference when I was sitting in the big auditorium of the Moscone Conference Centre in San Francisco and listening to one of the keynotes – this one on the topic of how identity is the new perimeter and how protecting identities is paramount in cybersecurity.
As our work environment became distributed and the perimeter effectively had to span to coffee shops and home offices, it is exactly identity security that has been one of the most important disciplines to get right.
Today, almost all cyber-attacks are possible due to the failure of creating proper security around identities, credentials, and user accounts. We see that in many of the ransomware attacks, the initial foothold and establishment is performed using stolen credentials.
For last year’s edition of the State of the Market report, we covered the importance of ensuring that credentials are protected, meaning that all external services use at least two-factor authentication (2FA) and that your privileged accounts are safeguarded by the use of Privileged Access Management solutions.
These are all practices that are extremely important to follow, but attackers seem to have homed in on the actual services that operate our identity stores. Today, these services are the most critical services in an IT infrastructure, as identities span on-premises, cloud and SaaS services and are becoming the new perimeter in cybersecurity.
One service that is more targeted than ever is Active Directory, the distributed authentication and identity service that runs in pretty much any enterprise organization today. Active Directory has quickly become the single source of truth about who joins and leaves an organization, and access to applications is governed and controlled by the authentication services offered by Active Directory.
The challenge, however, is that the Active Directory in itself is a distributed application that runs across your domain controllers and devices, and users are trusted based on their rights in the system.
When Active Directory was introduced in 1999, the application was not built with security in mind, and it was never foreseen that the application would gain the importance it has today. For many organizations, Active Directory is still a black box that just “works”. But when an application becomes almost as important as power and cooling in your data center, it deserves proper focus – especially from a security perspective.
Attackers are fully aware of the underinvestment by customers in securing Active Directory, and it is not a coincidence that Active Directory is one of the first things attackers target once they have a foothold in the infrastructure. First, they use it to gain even deeper access by exploiting misconfigurations, vulnerabilities and access rights that are set too broadly. Later, they wipe out any good chance of recovering the Active Directory systems, because attackers know that organizations typically cannot recover them well using conventional backup systems. And if an organization can recover, it typically restores a system that is already compromised by the attacker anyway, which makes the cleanup exercise very challenging.
In Help AG, we have often seen customers experiencing the fallout from an underinvestment in security around Active Directory. In more than 90% of the incident response engagements we performed in 2021, the integrity and availability of Active Directory was a major challenge in the recovery phase. With this in mind, we asked ourselves what can be done to prevent these types of attacks and it is a two-fold approach.
First, organisations need to be much better at understanding whether their Active Directory environment is secure – this can today be done through security and configuration assessments that critically evaluate your Active Directory environment; depending on the findings, necessary settings can be hardened, access rights can be reduced, or configurations can be changed to make the job harder for the attacker.
The next requisite element is to be able to constantly monitor and control the changes that are happening in the Active Directory environment. As attackers perform their attacks, they often use the same techniques, and identifying these early on allows us to not just protect the Active Directory but also use the Active Directory environment as a sensor for adversary activity.
The third aspect is around recovery. Most organizations think that Active Directory can be recovered from a backup. Technically, that is correct. However, since Active Directory is a distributed architecture that relies on an intricate database infrastructure that is synced between servers, restoring from a conventional system is extremely challenging.
If your systems and your backups are compromised by attackers at the same time, and it is difficult to establish the integrity of the backup sets, you move from challenging to impossible.
For all these reasons, Active Directory, being the source of most identity services in any organization, requires not just a dedicated security solution, but also a recovery solution.
If, and when, malware targets an organization, time is of extreme importance in getting your identity service operational again, so that your users can access internal, cloud and SaaS services. It should be a question of hours and not days.
I would invite all of you to think about your Active Directory security and availability. If you talk to your IT teams, ask them how they would recover your Active Directory and how long it would take. Once you get the answer, ask them if they ever tested it.
I believe that in most cases you will find out that it is an exercise that is never performed. Just as you test the cooling and UPS power in your data center, you should also test your Active Directory recovery, because nothing runs without it.
When you are ready to make the investment and recognize the importance the solution deserves, we have a team of experts as well as the right solutions to solve the challenges.