Attackers Set Sights on Active Directory: Understanding Your Identity Exposure

Identify the architectural limitations of Microsoft Active Directory by assessing identity threats with CrowdStrike’s complimentary Active Directory Risk Review

December 14, 2022

Identity Protection

Eighty percent of modern attacks are identity-driven. Why would an attacker hack into a system when they can simply use stolen credentials to masquerade as an approved user and log in to the target organization?

Once inside, attackers increasingly target Microsoft Active Directory because it holds the proverbial keys to the kingdom, providing broad access to the systems, applications, resources and data that adversaries exploit in their attacks. When an attacker controls the keys, they can control the organization.


The impact and escalation of an Active Directory attack is a big reason why it’s frequently targeted. Fifty percent of organizations have experienced an Active Directory attack in the last two years, with 40% of those attacks successful because the adversary was able to exploit poor Active Directory hygiene.

The problem for security teams and CISOs is they often lack visibility into the risk presented by Active Directory and identity threats. With thousands of identities and configurations to manage, understanding the level of risk and enforcing Active Directory hygiene can be difficult — but the ability to detect and stop identity-based attacks is critical to stopping breaches. Understanding the risk that your Active Directory creates is the best place to start.

Get a free, 1-hour Active Directory Risk Review today

Good Active Directory hygiene starts with gaining visibility into the risk, attack paths and threats your organization faces.

CrowdStrike is offering a complimentary Active Directory Risk Review to help security teams achieve visibility, understand risk and gain insights into the proactive steps that stop identity-based attacks before they happen.

CISOs and security teams can immediately gain critical insights into the organizational risk created by Active Directory. To understand the depth of visibility CrowdStrike delivers, here’s a quick look at the risk uncovered across three anonymous assessment participants:

A Financial Services Organization

  • Uncovered several hundred stale service accounts that had not been disabled for years.
  • Identified that some accounts were both privileged and had compromised passwords — an easy target for “silent abuse.”

A Consumer Technology Firm

  • Identified 13 partner firm accounts that were accidentally over-permissioned. This opened up the organization to supply chain attacks.
  • The company discovered that the accounts had unintended domain admin rights left open for the past 19 months.

An Insurance Company

  • Discovered more than 20 accounts with SPNs and compromised passwords — low-hanging fruit for Kerberoasting.

“The AD Risk Review was an eye-opener. It was incredibly helpful to have automated insights pointing us to our largest risks.” — an Active Directory Risk Review participant
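The three sets of findings above (stale service accounts, privileged accounts with weak or old passwords, and SPN-bearing accounts that can be Kerberoasted) are the classic Active Directory hygiene checks, and they can be enumerated with nothing more than the RSAT ActiveDirectory module. The script below is an added example written for this page; it is not part of the original post and not CrowdStrike's Risk Review tooling. The staleness thresholds, the `svc*` naming heuristic and the list of privileged groups are assumptions to tune for your domain, and because AD itself cannot tell whether a password appears in a breach corpus, "compromised password" is approximated here by password age.

```powershell
# Added example (not the post's or CrowdStrike's code): enumerate common AD
# hygiene findings with the RSAT ActiveDirectory module. Needs only read access
# to the directory. All thresholds and heuristics below are assumptions.
Import-Module ActiveDirectory

$StaleDays   = 180   # assumption: no logon in 180 days = stale
$OldPwdDays  = 365   # assumption: password older than a year = weak candidate
$StaleCutoff = (Get-Date).AddDays(-$StaleDays)
$PwdCutoff   = (Get-Date).AddDays(-$OldPwdDays)

# 1. Stale service accounts. "Service account" is approximated as an enabled
#    user with an SPN, a svc* name, or "service" in its description.
#    LastLogonDate comes from lastLogonTimestamp and can lag by up to 14 days.
$ServiceLike = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties ServicePrincipalName, LastLogonDate, PasswordLastSet, Description |
    Where-Object {
        $_.ServicePrincipalName.Count -gt 0 -or
        $_.SamAccountName -like 'svc*' -or
        $_.Description -like '*service*'
    }
$StaleService = $ServiceLike | Where-Object {
    -not $_.LastLogonDate -or $_.LastLogonDate -lt $StaleCutoff
}

# 2. Kerberoastable accounts: enabled user objects (not krbtgt) with an SPN.
#    Any authenticated user can request a service ticket for these and crack it
#    offline, so an old password here is the "low-hanging fruit". RC4Allowed is
#    true when msDS-SupportedEncryptionTypes is unset or includes RC4 (0x4),
#    i.e. the ticket can be requested under the cheapest cipher to crack.
$Roastable = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, PasswordLastSet,
        @{n='OldPassword'; e={ -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $PwdCutoff }},
        @{n='RC4Allowed';  e={ $enc = $_.'msDS-SupportedEncryptionTypes'; (-not $enc) -or (($enc -band 0x4) -ne 0) }},
        @{n='SPNs';        e={ $_.ServicePrincipalName -join ';' }}

# 3. Privileged accounts: recursive members of high-value groups. Partner or
#    service accounts appearing here are the "unintended domain admin rights"
#    finding; a privileged account that also carries an SPN is the worst case.
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$Privileged = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { Get-ADUser $_.distinguishedName -Properties PasswordLastSet, LastLogonDate, ServicePrincipalName } |
        Select-Object @{n='Group'; e={ $g }}, SamAccountName, PasswordLastSet, LastLogonDate,
            @{n='HasSPN'; e={ $_.ServicePrincipalName.Count -gt 0 }}
}
$PrivRoastable = $Privileged | Where-Object HasSPN

"Stale service-like accounts (no logon in $StaleDays days): $(@($StaleService).Count)"
$StaleService | Select-Object SamAccountName, LastLogonDate, PasswordLastSet | Format-Table -AutoSize
"Kerberoastable user accounts: $(@($Roastable).Count)"
$Roastable | Format-Table -AutoSize
"Privileged group members: $(@($Privileged).Count) (of which with SPN: $(@($PrivRoastable).Count))"
$Privileged | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Anything that shows up in the Kerberoastable list with `OldPassword` or `RC4Allowed` set should be moved to a group managed service account or given a long random password, and its `msDS-SupportedEncryptionTypes` restricted to AES, before worrying about the rest of the report; the privileged-with-SPN intersection is the first thing an attacker who has any domain foothold will go after.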

Gaining instant visibility into Active Directory hygiene is a critical step in overcoming the architectural limitations that put organizations at risk. As many participants note, the risks uncovered during the review are common to nearly every Active Directory environment, which underlines how hard it is for the administrators of these environments to keep them properly secured.

Join our CrowdCast to learn more about AD security and identity protection

The Crisis of Trust: Architecture Limitations of Active Directory Create Risk

The exploitation of Active Directory is an industry-wide problem that has been known and growing for years.

Released with Windows 2000, Microsoft Active Directory has become the de facto definition of “legacy technology.” Despite being outdated and architecturally limited, Active Directory still serves as the identity infrastructure for a majority of modern organizations; according to one report, 90% of Fortune 1000 companies still use it. That prevalence, combined with its architectural limitations, is why it is a priority target for attackers. It is also creating a crisis of trust within the industry.

A security compromise of Active Directory can undermine an entire identity infrastructure. Attackers can elevate privileges, move into different systems and applications, and launch even more devastating attacks like data exfiltration, system takeovers, ransomware, productivity disruption, supply chain attacks and more.

This was most infamously seen in the Golden SAML supply chain attacks disclosed in December 2020. In a Golden SAML attack, an adversary who has stolen the AD FS token-signing certificate can forge SAML assertions for any user and sign in to any federated service, such as Microsoft 365, without ever touching the victim’s password or MFA. In testimony on Cybersecurity and Supply Chain Threats before the Senate Select Committee on Intelligence, CrowdStrike CEO and Co-founder George Kurtz highlighted that “one of the most sophisticated aspects of the StellarParticle campaign was how skillfully the threat actor took advantage of architectural limitations in Microsoft’s Active Directory Federation Service credentialing and authentication process.”

In the same testimony, Kurtz highlighted a potential solution, stating: “The only silver lining to the Golden Ticket/Golden SAML problem is that, should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world’s most widely used authentication platforms.”

Unfortunately for many customers, the legacy and architecture decisions of yesterday still create risk today. Waiting for these architectural limitations to be fixed isn’t a security strategy — but understanding and mitigating the risk Active Directory creates is the basis for a strong security posture.

CrowdStrike’s Active Directory Risk Review is free for both customers and non-customers. The simple, two-step process will deliver an automated discovery of your greatest areas of identity risk to uncover insights like adversary attack paths, compromised credentials, excess privileges and much more.

In the latest episode of Under the Wing, see how the CrowdStrike Falcon® platform delivers unified Identity Threat Protection to stop the latest identity threats.
