Threat Intelligence

Active Directory attack guidance issued by Five Eyes

Share
AD Active Directory written on green key of a computer keyboard.

Increased odds of potentially significant cyberattacks exploiting Microsoft Active Directory stemming from its complexity and certain security gaps have prompted the Cybersecurity and Infrastructure Security Agency, National Security Agency, and other law enforcement agencies from other Five Eyes nations to release new guidance on combating such a threat, according to SecurityWeek.

With Microsoft AD being mostly targeted via Kerberoasting, AS-REP roasting, and password spraying attacks, as well as Microsoft Entra Connect, GPP password, MachineAccountQuota, and certificate service compromise, organizations should leverage Microsoft's Enterprise Access Model and other tiered models to bolster privileged access security, the joint guidelines revealed. Organizations have also been urged to utilized AD's canary objects to determine compromise. "Detecting Active Directory compromises can be difficult, time-consuming, and resource intensive, even for organizations with mature security information and event management (SIEM) and security operations center (SOC) capabilities. This is because many Active Directory compromises exploit legitimate functionality and generate the same events that are generated by normal activity," said the guidance.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.