Managing Insider Threats With Active Directory Security

By Alvaro Vitta. Alvaro Vitta (@AlvaroVitta) is a principal security consultant specializing in security at Dell Software. Alvaro has been assessing, designing, testing and deploying security solutions for large enterprises in the private and public sectors since 2000 in the areas of IAM; Active Directory security; and governance, risk and compliance (GRC). He holds industry certifications that include CISSP, CISSO, MCSE and ITIL.

“You mean this was an inside job?”

It may seem like a scenario straight out of the movies, but insider threats to business data are real, frightening and costly. Whether caused by negligence or malicious intent, employees, service providers and business partners are in an unparalleled position to compromise data and cost companies an estimated $5 million from a single data breach, according to the SANS Institute.

Perhaps no single system is as popular a target for insider threats as Active Directory (AD), which houses sensitive company data and is used by more than 90 percent of the world’s large companies. In fact, Alex Simons, director of program management for Active Directory at Microsoft, recently estimated that nearly 95 million accounts—or one-fifth of the total—using AD are under attack every day. These attacks are usually a combination of external and internal attacks. AD is designed to be secure, but as with any key card, security breaks down when privileges fall into the wrong hands.

As organizations initiate their Windows 2003 server migration, the transition can create additional vulnerabilities that prime internal systems for insider threats. Although there are many compelling reasons to migrate, the thought of undertaking the process fills many IT professionals with apprehension over potential data loss, incompatibility and the resulting cyber-threat risk. A recent Dell Software–commissioned survey among federal agencies, conducted to gauge how they are managing their Windows 2003 server migrations, shows that Active Directory is a major concern for a successful outcome and is cited as a main obstacle to a smooth transition: during a migration, one of the most critical tasks for mitigating the risk of data loss, downtime and associated risk is a high-fidelity transfer of AD and file server data.[1]

IT teams do their best to set and maintain appropriate permissions, but it can be a struggle to overcome limitations such as a lack of automated access remediation, a lack of permission whitelisting, the inability to enforce a fine-grained least-privilege access model, and human factors such as intra-organizational job changes.

Anatomy of an Insider Threat

Insider attacks fall under a variety of scenarios that include the following:

  • Cross-border economic espionage
  • Well-planned conspiracies to steal trade secrets
  • Disgruntled former employees with broad network privileges
  • Disaffected employees using credentials that a supervisor shared in confidence
  • Username and password of a supplier company’s representative stolen in a phishing attack
  • Authorized users finding and copying credit-card data, then selling it on the black market

If users are intent on compromising data, they can systematically increase their AD access and cover their tracks without issuing alerts. For example, a contractor with access to a company’s administrator group might create a new administrator account. Once the administrator account is secured, they can then join an authorized nested group in the domain-admins group to gain indirect domain-admin privileges without raising alerts, as the native logs will only log direct changes to the direct domain-admins group. Next, the attacker might disable the group policy object that prevents admins from logging onto the SQL servers where credit-card data is stored (GPO setting changes not audited by native logs). After adding his bogus account to the local admin group, he can keep working his way through the system step by step until he’s retrieved customer credit-card and personal data, all without triggering any alerts.
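The nested-group step above works because native auditing records only direct changes to Domain Admins. The following PowerShell, added here as an example and not taken from the article or from Dell Software, resolves the effective membership of the privileged groups through every nested group and flags accounts that are members only indirectly or that are missing from an approved baseline. It assumes the ActiveDirectory RSAT module and a baseline list of approved SamAccountNames; the account names below are constructed placeholders.

```powershell
# Added example: find indirect (nested) and unapproved members of privileged groups.
# Assumes the ActiveDirectory module (RSAT) and rights to read group membership.
Import-Module ActiveDirectory

# Baseline of approved privileged accounts and the groups to watch (constructed values).
$ApprovedAdmins   = @('adm.alice', 'adm.bob')
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

function Get-EffectiveAdminReport {
    param([string[]]$Groups, [string[]]$Approved)

    foreach ($g in $Groups) {
        # Direct members: the only membership changes native 4728/4756 events expose.
        $direct = Get-ADGroupMember -Identity $g |
                  Where-Object { $_.objectClass -eq 'user' } |
                  Select-Object -ExpandProperty SamAccountName

        # -Recursive walks every nested group and returns the leaf accounts.
        $effective = Get-ADGroupMember -Identity $g -Recursive |
                     Where-Object { $_.objectClass -eq 'user' } |
                     Select-Object -ExpandProperty SamAccountName -Unique

        foreach ($sam in $effective) {
            [pscustomobject]@{
                Group       = $g
                Account     = $sam
                Indirect    = ($direct -notcontains $sam)    # reached only via nesting
                NotApproved = ($Approved -notcontains $sam)  # not on the baseline
            }
        }
    }
}

$report   = Get-EffectiveAdminReport -Groups $PrivilegedGroups -Approved $ApprovedAdmins
# An account that is indirect or unapproved is exactly the case the scenario above describes.
$findings = $report | Where-Object { $_.Indirect -or $_.NotApproved }
$findings | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new row that appeared without a matching change request is the alert the native logs would not have raised.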

Avoiding Insider Threats

While there is no slam-dunk approach to Active Directory security, organizations can guard against insider threats to AD by following a few best practices:

  • Set account and group expirations for temporary access to sensitive groups. Instead of permanent membership to sensitive groups, use temporal group memberships with automatic start date/time and end date/time. In addition, set account expiration dates when creating accounts for temporary staff, such as contractors, interns and visitors.
  • Prevent unauthorized creation of accounts and monitor changes to important settings and groups by using a list of users permitted to perform these tasks. If someone who is not on the approved list creates a user account, the event triggers an email alert. It can also trigger remediation that disables the creator’s account and/or the created account.
  • Audit in real time any suspicious activities or permission changes, as well as activities performed against databases and file servers containing sensitive data.
  • Implement an automated process for de-provisioning users that includes disabling/deleting accounts, removing accounts from all groups and distribution lists, removing remote VPN access, and automatically notifying HR, security and facilities management.
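The first two practices in the list can be applied with the built-in cmdlets. The PowerShell below is an added example, not code from the article or from Dell Software: it grants a time-bound Domain Admins membership, sets an account expiration for a contractor, and scans the domain controller's Security log for account creations (event ID 4720) by anyone not on an approved-creator list, applying the disable-and-alert remediation the article describes. It assumes a Windows Server 2016 or later forest with the Privileged Access Management optional feature enabled (required for MemberTimeToLive); every account name, date and mail setting is a constructed placeholder.

```powershell
# Added example: temporal group membership, account expiration and unauthorized
# account-creation detection. Assumes the ActiveDirectory module and a PAM-enabled forest.
Import-Module ActiveDirectory

# 1. Time-bound membership: the account drops out of Domain Admins after 4 hours
#    without anyone having to remember to remove it.
$Contractor = 'ctr.jsmith'   # constructed placeholder
Add-ADGroupMember -Identity 'Domain Admins' -Members $Contractor `
    -MemberTimeToLive (New-TimeSpan -Hours 4)

# 2. Account expiration for temporary staff (constructed end-of-engagement date).
Set-ADAccountExpiration -Identity $Contractor -DateTime (Get-Date '2025-12-31')

# 3. Account creations by anyone who is not on the approved-creator list.
$ApprovedCreators = @('adm.alice', 'svc.provisioning')   # constructed placeholder

function Get-UnauthorizedAccountCreations {
    param([string[]]$Approved, [datetime]$Since)
    # Event ID 4720 = "A user account was created"; run on a domain controller.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data    = ([xml]$e.ToXml()).Event.EventData.Data
        $creator = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
        $created = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        if ($Approved -notcontains $creator) {
            [pscustomobject]@{ Time = $e.TimeCreated; Creator = $creator; NewAccount = $created }
        }
    }
}

$hits = Get-UnauthorizedAccountCreations -Approved $ApprovedCreators -Since (Get-Date).AddHours(-24)
foreach ($h in $hits) {
    # Remediation from the article: disable the created account and its creator, then alert.
    Disable-ADAccount -Identity $h.NewAccount
    Disable-ADAccount -Identity $h.Creator
    Send-MailMessage -To 'secops@example.com' -From 'ad-alerts@example.com' `
        -SmtpServer 'smtp.example.com' `
        -Subject "Unauthorized account creation by $($h.Creator)" `
        -Body ($h | Out-String)
}
```

Keep the approved-creator list itself under change control, and gate the automatic disable step on a review period before switching it on in production so a stale list does not lock out a legitimate provisioning account.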

Additionally, organizations can take preventative measures when performing the Windows 2003 server migration to overcome AD obstacles. Security is a real concern for the next transition: the recent Dell survey found that only 34 percent of agencies had a high level of confidence that their data and systems would be secure and compliant after extended support for Windows 2003 ended.

Looking closer at the organizations with a high security and compliance confidence level, we’ve seen that their migration approach involves two focuses to overcome AD obstacles and achieve the best possible transition. First, a large proportion (39 percent) of respondents with a high level of confidence pinpointed modernizing AD as one of the primary activities their organization undertook to prevent issues associated with end of support. This effort should begin with an analysis of all applications, processes and users requiring access, to ensure that appropriate resources and applications will be available when the migration takes place. It’s also imperative to identify workflows, mailboxes, programs and other pieces of infrastructure that could be affected before making the move. Another large proportion of high-confidence respondents (41 percent) noted profiling hardware as another important area of focus in ensuring a successful transition.

Whether accidental or malicious, insider threats are destructive by nature. Organizations must continue balancing the need to let their system administrators perform tasks with some autonomy against the need to grant only the privileges required for those tasks. In the meantime, anticipating insider-risk scenarios and following best practices for avoiding them can help keep your Active Directory secure and bolster your overall security footprint.
