How ADAssessor Brings Visibility to AD Attack Surfaces


Securing and effectively protecting Active Directory (AD) is an undeniable good practice for companies today. Especially since about 90% of businesses worldwide use AD as their primary method of authentication and authorization.

AD’s huge market share has made it a prime target for attackers. In fact, cyber attacks on AD are so prevalent that Microsoft warns that some 95 million AD accounts are the target of cyber attacks every day.

AD hosts a myriad of sensitive information, such as user account information, company resources, access control lists, and more, making it an extremely attractive target for cybercriminals. Put simply, if an attacker can exploit the information in AD, they can do pretty much whatever they want with an organization, including stealing information, compromising applications, implanting malware, or even just locking out every user. of all applications.

This is a threat made even more dramatic by the way AD is now used with Azure and Office 365, extending threats to the enterprise beyond the simple site and into the cloud. Make due diligence even more critical for cybersecurity professionals. Basic tasks such as regular audits and defining policies to protect AD should become the norm. However, these traditional best practices have proven to be insufficient as organizations continue to fall prey to attacks against AD.

It is a problem best defined by a lack of visibility. In other words, cybersecurity professionals don’t have full visibility into AD to detect attack surfaces, as well as suspicious objects or activity. Audits are only useful as a snapshot of the state of AD at a given point in time, while activity monitors often cannot lack the ability to detect abnormal actions.

ADRevaluator Attivo Networks aims to bring real-time visibility to AD by solving one of the biggest challenges facing administrators, the ability to fully understand what’s going on behind the scenes of AD, discover the surfaces of AD. attack and detect active attacks.

A closer look at ADAssessor

ADAssessor focuses on detection, visibility and response for AD environments. In other words, the product is designed to bring cyberhygiene to AD by continuously scanning the AD for exposures, misconfigurations, and abnormal activities in AD. Additionally, ADAssessor provides real-time alerts for activities that signify AD is under attack. Capabilities that are akin to continuous penetration testing for AD.

ADAssessor can be deployed on-premises or as a cloud-hosted platform, either of which is linked to Windows domain controllers to monitor AD events, such as change notifications, and detect errors from configuration, research potential attack vectors, or identify ongoing attacks.

The product bridges the gap between the cloud service and the domain controller by installing a software client on a domain-controlled PC, which also acts as an endpoint that allows the product to detect endpoint-based attacks on the domain controller.

ADAssessor uses a combination of detection and automation to generate responses and alerts, which in turn acts on immediate threats, while notifying administrators of necessary actions.

Practice with ADAssessor

ADAssessor connects to a domain using what could be described as a hybrid model. Administrators will need to install software on a local PC endpoint, which acts as an ersatz connection between the domain controller and the ADAssessor’s service engine. This method of integration has several advantages.

For example, there is no interruption to operations, which means the domain controller does not need to be shut down or restarted. In addition, the installation methodology helps keep deployment very simple, while also creating the possibility of securing the host endpoint.

However, there are a few considerations when using this type of installation, like this dedicated endpoint can become a single point of failure for ADAssessor, and this PC must also be secure, maintained and managed. These concerns aside, a hybrid deployment model appears to be a preferred method of integrating a product such as ADAssessor.

Once installed, ADAssessor takes care of evaluating the domain controller (s) for configuration errors and weaknesses in AD domains and forests. As the product detects these potential security vulnerabilities, it displays the information so that cybersecurity professionals can eliminate these potential attack vectors.

Of particular interest is how the product helps reduce attack surfaces by identifying exposures and misconfigurations that make AD vulnerable to attack. Here, the product analyzes information from Active Directory to provide visibility into account risks, privilege exposures, and policy weaknesses, which in turn are used to create something akin to risk metrics. which are presented to the administrator.

Where attacks on AD usually start

This is proving to be very important for the ongoing battle against the attackers. Attacks against AD typically begin with an attacker searching for an AD controller for exposures and misconfigurations. While attackers can have different objectives, most attacks begin with attempts at lateral movement, where attackers can attempt to gain privileged access to gain control of the domain. These types of attacks create recognizable patterns, but only if activity is continually monitored and classified.

Here, ADAssessor provides the visibility and analytics necessary to detect ongoing attacks, in real time. Additionally, ADAssessor can prevent suspicious activity from impacting AD and prevent attackers from gaining granular access to security settings (or entitlements), derailing an attack before damage is done.

ADAssessor continuously monitors identities and risks associated with privileged accounts. This monitoring creates an active baseline, identifying risks created by AD objects, such as stale credentials, service accounts, shared credentials, and commonly used paths for attacks against AD identities. . The product derails many of these types of attacks by reporting suspicious activity on the AD controller that indicates an attack is in progress. .

Typically, attackers will query AD to discover high-value privileged accounts and gather as much data as possible to create a potential attack surface. ADAssessor works well with another Attivo solution called ADSecure, which detects attempts by attackers to make unauthorized requests and then scrambles the data that an AD request normally returns.

Put simply, ADSecure intercepts unauthorized AD requests, then returns bogus information to the attacker, which security teams could then use to trap an attacker and gather information about the attack. ADSecure detections can appear on the ADAssessor dashboard.

The combination of continuous monitoring, coupled with real-time analysis, improves AD’s cyber hygiene, with the added benefit of reducing potential attack surfaces and preventing attackers from gaining a foothold in an AD domain.

Closing thoughts

ADAssessor addresses many security issues encountered by administrators in large Active Directory implementations. That said, it should not be seen as a replacement for a competent administrator, but as a tool that eases the burden on administrators. The product also helps security teams by allowing them to deepen, broaden and broaden their assessments, while gaining continuous visibility into exhibits.

ADAssessor provides immediate value by identifying and correcting Active Directory security hygiene issues. This value is further enhanced by the ease of implementation, which eliminates interruptions and provides access to an innovative management console, where analysis and data for remediation assistance are readily available.

ADAssesor also offers real-time attack detection, supported by visibility into critical exposures at the domain, computer and user level. This information reveals the identities and risks of service accounts related to credentials, privileged accounts, obsolete accounts, shared credentials, and AD attack paths.

As businesses leverage AD across domains and implement hybrid solutions, tools that can detect threats and provide visibility into complex AD implementations will become even more critical. Attivo seems to have a head start in the world of securing AD, and ADAssessor seems to be the main reason for this head start.

Source link


Leave A Reply