Microsoft Active Directory (AD) is an incredibly popular software tool, used by thousands of organizations around the world. It helps organizations to manage their users, devices, and more, and as a tool it’s ubiquitous, used by 95% of the Fortune 1000. However, it is also a common target for cybercriminals to exploit, with research indicating that 90% of cyberattacks involve Active Directory in some way.
At Infosecurity Europe 2022, Expert Insights spoke with Guido Grillenmeier, Chief Technologist for Semperis, a cybersecurity provider helping organizations to secure their Active Directory. Grillenmeier has been in the cybersecurity space for over 25 years, working for Hewlett Packard where he focussed on identity management and infrastructure security for their largest clients.
Our interview covers the Semperis platform, the challenges and importance with securing Active Directory, and Grillenmeier’s advice for improving your organization’s resilience against Active Directory attacks.
Can you give us an overview of Semperis and the solutions that you provide?
Semperis is an identity protection company, focussing on the Microsoft Directory services – both in the cloud (Azure Active Directory) and on-premises (Active Directory). The latter is the so-called legacy Active Directory from Microsoft, born with Windows 2000, today 22 years old! And basically, in the IT world, that’s a dinosaur. But that dinosaur has been extremely successful in integrating, not only Microsoft Workloads, but specifically Microsoft Workloads, in many, many enterprise customers.
So today you have 90% of companies worldwide still relying on Microsoft Active Directory, because they invested so heavily into applications that didn’t need to have their own users, they were Windows integrated. And when we say, ‘Windows integrated,’ that’s really Active Directory integrated. And that’s basically the reason why Active Directory is a prime target for intruders to go after, because there are so many businesses that still depend on it. Even if most of them live in a hybrid setup today, where they synchronize their accounts to Azure AD to allow using modern cloud-applications, like Microsoft Teams.
Where Semperis helps customers is to basically allow them to identity their weak spots in Active Directory and help them discover if there is an intruder in their environment, by looking for suspicious activity going on. Any change taking place in Active Directory is visualized and recorded in our ‘Directory Services Protector’ (DSP) solution, with which you can undo any changes manually or automatically.
DSP gives you auto-remediation capabilities if there is suspicious activity in your Active Directory. So, let’s say privileged groups, domain admins, or other objects you don’t typically change frequently. If somebody comes in and changes them without going through a proper change management process, we have you covered, even in the middle of the night. We not only warn you, but we also undo those changes. There is a ton of permissions in Active Directory that intruders use to hide, and basically persist in the environment, that you wouldn’t find, that you wouldn’t see. We can scan all permission changes live. Note that the intruders may not already be inside your network and instead are trying to attack your Azure Active Directory to get in. Which is why DSP now also tracks all changes in Azure AD and – as with the on-prem AD – periodically scans it for indicators of exposure.
But we also don’t pretend to be perfect, no security vendor can guarantee 100% security, it just doesn’t exist. There are always vulnerabilities that are new. And so you might actually, even with all the investments in security, you might still get a ransomware attack, and then it’s all about getting back on your feet and back to business.
And that’s what our Active Directory Forest Recovery (ADFR) tool is about. This tool can fully automatically recover complex Active Directory environments of any size. This is really complicated: when you don’t have any domain controllers anymore, it’s very hard to get Active Directory up and running. There’s something like a 60-page white paper from Microsoft on how to perform a forest-recovery manually, but it will take many days or even weeks. In that time, people in your company cannot log on, they cannot really do anything, including taking care of the recovery of other business applications. So it’s critical to get your AD back up and running first and quickly.
And that’s what we do. We back up Active Directory like an application, we have the technology patented. It’s difficult to do because AD is so tightly integrated into the operating system, that all other vendors have to back up everything in order to back up AD, including infected operating systems if there is a breach. We just backup Active Directory, and we can cleanly recover it on any other system, without any malware running on it. So, when recovering your AD with ADFR you have a fresh, functional Active Directory.
Why is Active Directory such a weak spot for organizations today?
Sadly, the truth is that back in the days when Active Directory was let’s say, ‘born’ with Windows 2000, the secret of Microsoft’s success was its openness. Active Directory is open like a barn door when it comes to reading information out of it, as a user in your company. And any user, not just admins. By default , any end-user in your company can read all user- and group- information from your AD as well as all critical configuration settings.
And that made it very easy to integrate with all sorts of applications. There were plenty of other directories on the market when Microsoft did launch Active Directory, and they were safer and more closed. As an administrator of a company, you would need to open those directories up for every application that you needed. You needed to know what that application required, which made it harder to integrate.
Microsoft went the other way. They basically opened up their directory, making it very easy to integrate applications and read data, it was cool. But today, that is its weak spot, and hardly any company has taken the security steps needed to make Active Directory harder to attack by reducing those weak permissions.
It’s the Achilles heel, and it’s so easy to detect vulnerabilities in AD because it is so easy to read. And once attackers know about the vulnerabilities, it’s not difficult to use them against you. Microsoft have increased AD security over the years, but there’s a variety of settings now that many companies are still not using to protect themselves, and that’s why they are still very, very vulnerable.
What are some of the consequences for organizations who do not take these steps to secure Active Directory, what can happen in the case of a breach?
Well, when an intruder is in at the beginning, they’re typically an unprivileged account, like a normal user, and they don’t have access to your sensitive business data. But that business data is usually protected by an Active Directory group! Once an intruder can take over your AD, it’s trivial to grant themselves the permissions to get to your most precious data. And if you don’t take Active Directory seriously, it makes it very easy for them to get to the next step.
The harder you make it for that intruder to get through, the easier it will be for you to detect what he is doing, because he will have to do more things to work around your borders, and he will probably get noticed by different tools. He might not get into AD, he might try and hack into other systems that you have defences on and so he’ll be found.
Attackers want to get into AD, because that way they don’t have to hack the system. You can just promote yourself to a higher level of access, and then it’s no longer hacking, you just have a legitimate access to the system. There’s a nice statement from Bret Arsenault, the CISO at Microsoft, who said at some point: “Hackers don’t break in, they log in”
So, it’s all about taking over someone else’s identity. Once you have that, once you give yourself the access, you become someone else, you become the domain admin, and you can do anything. If companies don’t take AD security seriously, they make that part of breaching the rest of their environment so much easier, and they become a victim so much faster.
Finally, what is your advice to organizations to ensure they are doing all they can to secure Active Directory against these threats?
Literally our advice is that you have to know about your vulnerabilities, so that you first of all realise them, and secondly you can do something about them. That is why we’re giving out our very powerful scanning tool for Active Director for free. Purple Knight is a tool that allows customers to get an understanding of where their security posture is for Active Directory, and now also for Azure Active Directory, because we’re expanding those capabilities.
The key thing is that you can only do something about those weaknesses once you know about them. Purple Knight is a great tool to get you started on this path!
Find out more about Semperis here: https://www.semperis.com