A growing number of threat actors use advanced persistent threat (APT) tactics to progress their attacks. More and more of them target Active Directory (AD), its domain controllers, and weaknesses in Kerberos ticket handling to map the environment, steal credentials, and escalate privileges. With that information, an attacker has what is needed to establish a foothold, move laterally through the network without detection, and end up with administrator privileges.
More than 90 percent of businesses use AD as their identity management system: it is both the master directory of users, computers and groups and the means by which access to enterprise services is controlled. Tools such as BloodHound, Mimikatz, and Metasploit are useful for legitimate security research. However, they have also made it much easier for attackers to dump credentials (recovering plaintext or hashed passwords from compromised systems), gain Domain Admin privileges, and obtain a “blueprint” of the network, that is, the relationships between accounts, groups, sessions and machines that reveal the shortest path to those privileges.
Attackers also target Kerberos tickets, which Windows domains use for authentication, exploiting long-standing design weaknesses in the protocol that cannot simply be patched away in order to reach other systems. Holding valid credentials and accounts, attackers can move laterally throughout the network, gain privileges, and access services while appearing to be legitimate users. When the compromise extends to the user and password management systems on which security controls themselves depend, it is not surprising that a hijacked AD can take an organization months (and in some cases over a year) to rebuild.
Given how damaging an attacker’s access to AD is, one may ask why companies don’t lock it down more aggressively. The answer is complicated. AD was designed to give users access to services. AD administrators often apply a three-tier model of administrative logins, with separate accounts for workstations, for servers, and for AD itself, as a way to limit lateral movement and privilege escalation. Unfortunately, this has repercussions for monitoring access and alerts: security teams may find themselves overwhelmed by a high volume of alerts or pushed into overprovisioning access.
Defending AD with deception and denial
Security defenders have actively turned to deception and denial tactics to detect and derail attacks on AD. It’s an interesting play because deception can detect an attacker’s activity during the initial period of observation and discovery. Say a threat actor uses BloodHound to query AD for domain admin accounts. The deception intercepts this query on the compromised endpoint, hides the real information, and returns fake (but legitimate-looking) results. Everything appears normal, and the attacker may believe they have successfully gained the data they were seeking. Some attackers stay cautious and try to validate what they have found; a deception AD server can confirm the deceptive objects as well. Hiding real AD objects can also derail current ransomware attacks: the attacker cannot leverage privileged credentials to reach AD and push out encryption, because the solution hides those local and AD accounts from discovery.
At this point, the attacker begins lateral movement and escalates the attack. Because the attempted AD enumeration has already alerted the security team, they are prepared and ready to watch the attacker’s next move. The attacker then uses the newly found “administrator” credentials, which lead straight into a decoy that records their every step. This newly acquired, company-specific threat intelligence can be incredibly powerful, because the infosec team now knows the attacker’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). These are exactly the intelligence needed to stop the attacker from advancing further and to fortify the defenses.
Security pros often ask whether this form of security will disrupt AD. It doesn’t, because all the work is done on the endpoint and never touches the production domain controllers. The security team only has to query AD to gather the knowledge needed to build the deceptive environment and objects. Security pros also want to know whether the attacker can tell. Attackers have had no reason not to trust their tools and, as such, will rely on them until they feel they cannot. If the attacker does realize they have been duped, it is simply too late. A less determined attacker may give up in the face of the added complexity. A more motivated attacker will slow down and incur additional cost by moving more cautiously, knowing that the security team is aware of the attack and has gathered critical information on their tools and intent.
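The detection side of the technique described above, as an added example that is not part of the original article and not Attivo's product code: once decoy accounts have been planted, any Windows Security event that names one of them (a ticket request or a logon) is evidence of an attacker acting on the planted data, and the event fields give the IOCs to pivot on. The decoy account names, hosts and addresses are hypothetical and the events are constructed, though the event IDs and EventData field names are the ones Windows uses. The sample includes the service-ticket request with RC4 encryption that a Kerberoasting attempt against a decoy service account would produce.

```python
"""Added example (not from the original article): flag any use of decoy
(honey) AD accounts in Windows Security events and collect the IOCs.

Decoy accounts exist only to be found by an attacker, so any authentication
activity that names one is high-fidelity evidence of enumeration or
credential use, and detecting it needs nothing from the domain controllers
beyond their logs. Account names, hosts, addresses and the events below
are constructed for illustration.
"""
from collections import defaultdict

# Hypothetical decoy account names. In practice they are chosen to match the
# organisation's real naming convention so the attacker cannot single them out.
DECOY_ACCOUNTS = {"svc-sqlbackup", "adm-jsmith-old"}

# Security event IDs in which a decoy account can appear, with their meaning.
WATCHED_EVENTS = {
    4768: "Kerberos TGT requested",
    4769: "Kerberos service ticket requested",
    4624: "Account logged on",
    4625: "Logon failed",
}

# Constructed sample events using the EventData field names these IDs carry.
# The first two and the last are a legitimate user; the middle three are one
# host (10.1.9.77) touching both decoys.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "::ffff:10.1.4.20",
     "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "fs01$",
     "IpAddress": "::ffff:10.1.4.20", "TicketEncryptionType": "0x12"},
    # A service ticket for the decoy service account, requested with RC4
    # (0x17) from a stolen user session: no legitimate process ever asks for it.
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "SVC-SQLBACKUP",
     "IpAddress": "::ffff:10.1.9.77", "TicketEncryptionType": "0x17"},
    {"EventID": 4625, "TargetUserName": "adm-jsmith-old", "IpAddress": "10.1.9.77",
     "WorkstationName": "WS-0931", "Status": "0xC000006D"},
    {"EventID": 4624, "TargetUserName": "CORP\\adm-jsmith-old", "IpAddress": "10.1.9.77",
     "WorkstationName": "WS-0931", "LogonType": "3"},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.1.4.20",
     "WorkstationName": "WS-0101", "LogonType": "2"},
]


def normalize_account(name):
    """Lowercase and drop any @REALM or DOMAIN\\ qualifier so a decoy name
    matches however the event spells it."""
    name = name.split("@", 1)[0]
    name = name.split("\\")[-1]
    return name.lower()


def normalize_ip(ip):
    """Strip the IPv4-mapped prefix Kerberos events put on client addresses."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def decoy_accounts_in(event, decoys=DECOY_ACCOUNTS):
    """Return the decoy names an event touches, whether as the requesting
    user or as the service whose ticket was asked for."""
    hits = set()
    for field in ("TargetUserName", "ServiceName"):
        value = event.get(field)
        if value and normalize_account(value) in decoys:
            hits.add(normalize_account(value))
    return hits


def detect_decoy_use(events, decoys=DECOY_ACCOUNTS):
    """Return one alert per watched event that names a decoy account; each
    alert carries the IOCs worth pivoting on (source address and host)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in WATCHED_EVENTS:
            continue
        hits = decoy_accounts_in(ev, decoys)
        if not hits:
            continue
        alerts.append({
            "event_id": ev["EventID"],
            "description": WATCHED_EVENTS[ev["EventID"]],
            "decoy_accounts": sorted(hits),
            "source_ip": normalize_ip(ev.get("IpAddress", "")),
            "source_host": ev.get("WorkstationName", ""),
        })
    return alerts


def summarize_sources(alerts):
    """Group alerts by source address: the host that touched several decoys
    is the one to isolate first."""
    by_ip = defaultdict(list)
    for alert in alerts:
        by_ip[alert["source_ip"]].append(alert["event_id"])
    return dict(by_ip)


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(summarize_sources(found))
```

Because the decoys are never used legitimately, there is no threshold to tune: a single hit is actionable, which is what makes this class of alert so much quieter than the tiered-access monitoring discussed earlier. In a deployment the events would come from the domain controllers' Security logs via the collector already in place, and the decoy list would be whatever the deception environment planted on the endpoints.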
An old tactic applied in a new way
Deception and denial have long been used in the military to outmaneuver an adversary. Innovations in hiding and denying access to AD, as well as to files and storage systems, have made it much harder for internal and external threat actors to move laterally, gain privileges, and establish the foothold they need for a major attack. With the increased sophistication of ransomware, the aggressiveness of data theft by nation-states, and the persistence of financially motivated cybercriminals, security teams need to up their game with modern tools. Those that can use technology for “sleight of hand”, steering an attacker away from real assets and into decoys, can make this not only a fair game but a winning one for the defenders.
Carolyn Crandall, chief deception officer, Attivo Networks