Former BP CISO Simon Hodgkinson looks at the importance of protecting Active Directory, and its use as a business resource.
Attention to Active Directory security has increased in recent years, with more focus placed on this business-critical function.
While many attack techniques remain largely theoretical, the consequences could be devastating if an attacker succeeds in compromising Active Directory (AD).
This led to the launch of a report - Detecting and Mitigating Active Directory Compromises - by national security agencies in September, calling out the critical need for organisations to secure their AD and hybrid identities as these become prime targets for hackers.
The NSA said that “gaining control over AD gives malicious actors privileged access to all systems and users.”
As well as gaining privileged access, malicious actors would be able to bypass other controls and access systems, including email and file servers, and critical business applications.
A threat actor can also modify AD information to establish persistent access and log in remotely to organisations, bypassing multi-factor authentication controls.
In the beginning
First released by Microsoft in 1999, Active Directory is the most widely used authentication and authorisation solution in enterprise IT networks globally. However, speaking to SC UK, Simon Hodgkinson said AD fundamentally lacked security at its core from those early days, as he claims “Microsoft fundamentally didn't build security into AD from day one.”
Hodgkinson formerly held a number of senior security roles at BP, including serving four years as CISO, and also ran global infrastructure and operations, data centres and networks. He said AD has become so crucial to business operations because “if AD doesn't work, nothing works, and therefore, your business can't operate.”
He explains: “We put a big focus on making sure that not only could we back up AD and actually recover it with integrity - and that word integrity is really important - because there were threat actors in our environment, just like [they were in] everybody else’s, and the dwell time was months, if not years, especially when you've got sophisticated nation states who are in the network.
“I’d say ‘judge me on finding them, don't judge me on whether they're in the environment, because they are’.”
He says he recognised back then that AD was a massive pain point in terms of technical debt, a pain point in terms of security posture, and a pain point in that it was a 20-year-old technology without a whole bunch of people coming into AD as specialists, “and we haven’t got a lot of capability in there.”
Hodgkinson, who now serves as a strategic advisor at AD security vendor Semperis, said AD is “absolutely core” to the operation of the business, but believes that part of the problem with AD is we talk about the technicalities of it - in particular the technical infrastructure component - “but what people don't do is talk about the business outcomes.”
In particular, using AD to enable the business to be successful and operate, and be able to explain to executives that it is one of the most critical applications from a confidentiality, integrity and availability perspective. “In BP it was AD, and you'll get people talk about ‘we're all cloud’ but those cloud identity platforms are mastered from AD, and typically configured in a hybrid mode,” he said.
At the core
He says that there are very few organizations that do not have AD at their core - unless they were born in the cloud or are native cloud from an identity perspective. “Even though at BP, we moved all our data centers out to the cloud, at the very heart of the company is AD.”
Hodgkinson says that by elevating the conversation around AD, you get more executive attention. “If the identity platform is down, you can't do anything,” he says. In the case of recovery from a ransomware attack, “the most important application to recover is AD,” as that is what gets the business moving again.
Zero Trust
We moved on to another subject, that of zero trust - which Hodgkinson calls “a really nebulous term” but one to consider when “reducing the blast radius.” Once again stressing the point that identity security is so critical, he said “you cannot do zero trust unless you've secured your identity.”
He claims that if you look at nine out of ten attacks, particularly with more sophisticated attackers, “their objective is to get domain control to own your AD because at that point they literally can go anywhere.”
He says this is often known as getting the keys to the kingdom, and the power an attacker can wield with them can be devastating in the wrong hands. Is AD one of those technologies that we consider to be ‘always there, always on and working’? If so, consider what part AD plays both in daily operations and in your crisis management. If its operation and possession are so crucial, maybe it's time to give it some extra attention.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.