The increased likelihood of significant cyberattacks exploiting Microsoft Active Directory, stemming from its complexity and known security gaps, has prompted the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and partner agencies from the other Five Eyes nations to release new guidance on combating the threat, according to SecurityWeek.
With Microsoft AD most often targeted through Kerberoasting, AS-REP roasting, and password spraying, as well as compromise of Microsoft Entra Connect, Group Policy Preferences (GPP) passwords, MachineAccountQuota, and certificate services, the joint guidelines recommend that organizations adopt Microsoft's Enterprise Access Model or another tiered model to strengthen privileged access security. Organizations are also urged to deploy canary objects in AD to detect compromise. "Detecting Active Directory compromises can be difficult, time-consuming, and resource intensive, even for organizations with mature security information and event management (SIEM) and security operations center (SOC) capabilities. This is because many Active Directory compromises exploit legitimate functionality and generate the same events that are generated by normal activity," the guidance said.
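The quoted point, that these attacks ride on legitimate Kerberos and logon events, is why detection depends on aggregation and context rather than on any single event. The following is an added illustration, not code from the guidance or the SecurityWeek article: toy SIEM-style rules run over a constructed set of simplified Windows Security events. The event IDs (4769 service ticket request, 4768 TGT request, 4625 failed logon, 4662 object access), the RC4 encryption type 0x17, and the pre-authentication type 0 are standard Windows values; the field names, thresholds, hostnames, addresses and the canary distinguished name are assumptions made up for the example.

```python
"""Toy detection rules for the AD attack patterns named in the joint guidance
(Kerberoasting, AS-REP roasting, password spraying) plus canary-object access.

Input is a constructed list of simplified Windows Security events; field names
are shortened versions of the real log fields and are assumptions of this example.
"""
from collections import defaultdict

RC4_HMAC = "0x17"          # TicketEncryptionType for RC4-HMAC, the roastable type
PREAUTH_NONE = 0           # Pre-Authentication Type 0: account does not require pre-auth

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # Kerberoasting pattern: one account pulls RC4 service tickets for many SPNs.
    *[{"id": 4769, "account": "jdoe", "service": f"svc{i}", "etype": RC4_HMAC,
       "src": "10.0.0.5"} for i in range(6)],
    # Normal AES service ticket request; should not trigger.
    {"id": 4769, "account": "asmith", "service": "fileserver", "etype": "0x12", "src": "10.0.0.9"},
    # AS-REP roasting pattern: TGT issued with no pre-auth and RC4 encryption.
    {"id": 4768, "account": "legacyapp", "preauth": PREAUTH_NONE, "etype": RC4_HMAC, "src": "10.0.0.5"},
    # Normal TGT request with pre-auth; should not trigger.
    {"id": 4768, "account": "asmith", "preauth": 2, "etype": "0x12", "src": "10.0.0.9"},
    # Password spraying pattern: one source, many distinct accounts, one failure each.
    *[{"id": 4625, "account": f"user{i}", "src": "10.0.0.77"} for i in range(12)],
    # A single user mistyping a password; should not trigger.
    {"id": 4625, "account": "asmith", "src": "10.0.0.9"},
    # Read of a decoy (canary) object that no legitimate process should touch.
    {"id": 4662, "account": "jdoe", "src": "10.0.0.5",
     "object": "CN=Canary-Admin,OU=Decoys,DC=corp,DC=example"},
]

# Distinguished names of the decoy objects (assumed value for this example).
CANARY_OBJECTS = {"CN=Canary-Admin,OU=Decoys,DC=corp,DC=example"}


def detect_kerberoasting(events, min_spns=5):
    """Accounts requesting RC4 service tickets for >= min_spns distinct SPNs.
    A single 4769 is normal; the breadth of SPNs per account is the signal."""
    spns_by_account = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e.get("etype") == RC4_HMAC:
            spns_by_account[e["account"]].add(e["service"])
    return {acct: len(s) for acct, s in spns_by_account.items() if len(s) >= min_spns}


def detect_asrep_roasting(events):
    """Accounts issued a TGT with no pre-authentication and RC4 encryption.
    Such accounts should be rare, so each hit is worth reviewing."""
    hits = {e["account"] for e in events
            if e["id"] == 4768 and e.get("preauth") == PREAUTH_NONE and e.get("etype") == RC4_HMAC}
    return sorted(hits)


def detect_password_spray(events, min_accounts=10):
    """Sources producing failed logons against >= min_accounts distinct accounts.
    Counting distinct accounts per source separates a spray from one user's typos."""
    accounts_by_src = defaultdict(set)
    for e in events:
        if e["id"] == 4625:
            accounts_by_src[e["src"]].add(e["account"])
    return {src: len(a) for src, a in accounts_by_src.items() if len(a) >= min_accounts}


def detect_canary_access(events, canaries=CANARY_OBJECTS):
    """Any 4662 access to a canary object. No threshold: decoys have no
    legitimate consumers, so a single touch is high-fidelity."""
    return [(e["account"], e["object"]) for e in events
            if e["id"] == 4662 and e.get("object") in canaries]


def run_all(events):
    """Run every rule and return only the ones that produced findings."""
    findings = {
        "kerberoasting": detect_kerberoasting(events),
        "asrep_roasting": detect_asrep_roasting(events),
        "password_spray": detect_password_spray(events),
        "canary_access": detect_canary_access(events),
    }
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

Each rule keys on a property that legitimate activity rarely has in aggregate (many RC4 SPN requests from one principal, a pre-auth-less RC4 TGT, one source failing against many accounts), while the canary rule needs no threshold at all, which is what makes decoy objects attractive when the surrounding events are otherwise indistinguishable from normal use.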