Microsoft is warning of the threat posed by attacks targeting domain controllers and the critical role compromises on those systems can play in network attacks.
The Redmond software and services giant warned administrators that threat actors specifically target domain controller servers to obtain a privileged position on the network, then move laterally to more critical parts of an organization’s infrastructure in order to carry out ransomware attacks.
Microsoft's April 9 report on the threat said domain controllers were breached in more than 78% of human-operated cyberattacks, while the primary device used to spread ransomware at scale was a domain controller in over 35% of cases.
“In recent years, human-operated cyberattacks have undergone a dramatic transformation,” warned Microsoft partner director of product management for endpoint security Alon Rosental.
“These attacks, once characterized by sporadic and opportunistic attacks, have evolved into highly sophisticated, targeted campaigns aimed at causing maximum damage to organizations.”
The problem, according to Rosental and the rest of the Microsoft security team, is that threat actors who compromise a domain controller gain access to administrator-level accounts and, with them, direct access to the databases and servers at the heart of the network.
Taking over a domain controller hands a threat actor planning a ransomware attack the golden key, because domain controllers manage identity and access through Active Directory (AD) for any on-premises environment.
“To execute the ransomware attack as fast and as wide as possible, threat actors aim to achieve access to a central asset in the network that is exposed to many endpoints,” Rosental explained.
“Thus, they can leverage the possession of high-privilege accounts and connect to all devices visible in their line of sight.”
To remedy the issue, Microsoft’s security team is advising administrators to pay special attention to securing the ways in which outside users can reach domain controllers, and to the permissions end users actually need.
Not surprisingly, Microsoft’s answer to the problem is a subscription to a Microsoft product. The company has updated its Defender for Endpoint platform with containment features for systems designated as High Value Assets, including domain controllers.
The aim is to give administrators more precise control over systems that are sensitive from a data security standpoint yet must still be exposed to end users and the public internet.
“Unlike other endpoints, domain controllers must remain highly accessible to authenticate users, enforce policies, and manage resources across the environment,” said Rosental.
“This level of accessibility makes it difficult to apply traditional security measures without disrupting business continuity. Hence, security teams constantly face the complex challenge of striking the right balance between security and operational functionality.”
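As an added illustration of the advice above (this is an editor's example, not code from Microsoft's report or its Defender for Endpoint product), the following PowerShell script audits the two access paths the report singles out: which principals hold privileged group membership over domain controllers, and which accounts have actually logged on to each domain controller interactively or over RDP in the last week. It assumes the RSAT ActiveDirectory module, rights to query AD and the Security event log on each DC, and the default privileged group names (adjust these if your domain uses renamed or tiered groups).

```powershell
# Added example: audit privileged access paths to domain controllers.
# Assumes the RSAT ActiveDirectory module and read access to AD and DC event logs.
Import-Module ActiveDirectory

# Groups whose members effectively control every domain controller.
# Assumption: default group names; extend for custom tier-0 groups.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                      'Schema Admins', 'Account Operators', 'Backup Operators',
                      'Server Operators', 'Print Operators')

# Expand each privileged group recursively so nested membership is not missed.
function Get-PrivilegedPrincipals {
    foreach ($group in $PrivilegedGroups) {
        try {
            Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Group             = $group
                        Name              = $_.SamAccountName
                        ObjectClass       = $_.objectClass
                        DistinguishedName = $_.DistinguishedName
                    }
                }
        } catch {
            Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        }
    }
}

# Flag privileged user accounts that are stale, never expire, or carry an SPN.
# These are review heuristics chosen for this example, not Microsoft's criteria.
function Get-RiskyPrivilegedUsers {
    Get-PrivilegedPrincipals |
        Where-Object ObjectClass -eq 'user' |
        Sort-Object Name -Unique |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                 -Properties LastLogonDate, PasswordNeverExpires, Enabled, ServicePrincipalName
            [pscustomobject]@{
                Name                 = $u.SamAccountName
                Enabled              = $u.Enabled
                LastLogonDate        = $u.LastLogonDate
                Stale90d             = ($u.LastLogonDate -lt (Get-Date).AddDays(-90))
                PasswordNeverExpires = $u.PasswordNeverExpires
                HasSPN               = [bool]$u.ServicePrincipalName
            }
        }
}

# Interactive (type 2) and RemoteInteractive (type 10) logons to each DC,
# from Security event 4624. Any account here that is not a deliberate DC
# administrator is an access path worth removing.
function Get-DCInteractiveLogons {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = 4624; StartTime = $since
            } | ForEach-Object {
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                if ($d.LogonType -in '2', '10') {
                    [pscustomobject]@{
                        DC        = $dc.HostName
                        Time      = $_.TimeCreated
                        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                        LogonType = $d.LogonType
                        Source    = $d.IpAddress
                    }
                }
            }
        } catch {
            Write-Warning "Could not read Security log on $($dc.HostName): $($_.Exception.Message)"
        }
    }
}

Get-RiskyPrivilegedUsers | Format-Table -AutoSize
Get-DCInteractiveLogons | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it from an administrative workstation rather than on a domain controller itself; the first table shows who could act as a domain administrator, and the second shows who has actually been signing in to the controllers, which is the population to compare against the short list of people who are meant to.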