Securing Active Directory During a Cyber Intrusion
Secureworks
Many intrusions exploit Active Directory because it governs privilege and access. It is critical to secure Active Directory after evicting a threat actor in order to remove any persistence they have established.
Microsoft Active Directory (AD) is the cornerstone of most organizations’ identity access management. As an organization conducts ‘business as usual’ activities, AD manages trusts to facilitate access requirements and integration between network environments. These tasks are typically orchestrated through the Domain Administrator account.
After obtaining Domain Administrator access, a threat actor can create or change any AD object in pursuit of their objectives. These objectives could include deploying ransomware or stealing data. Threat actors can also configure AD to maintain persistence if they are discovered, lose access, or are cut off from the environment.
According to Microsoft, an AD compromise is often “irreparable” and rebuilding or restoring compromised systems does not eliminate the initial access vector. Secureworks incident responders advise organizations to fully evict threat actors from the environment so they cannot leverage privileges, abuse trusts, and exert control over the organization's AD.
Regaining trust in AD is essential to secure remediation
Stakeholders such as customers and regulators require proof that network defenders have re-established control of a compromised domain and have secured privileged access. Some stakeholders seek guarantees before resuming business activities and lifting business-limiting restrictions. Many organizations struggle to verify and then prove they have regained control, but Secureworks incident responders can help.
A phased approach lets organizations maneuver back to normality
Secureworks incident responders use a phased approach for securing a compromised AD. The process begins by identifying how the threat actor accessed the network and determining what post-compromise actions they performed and what ‘grip’ they have on the compromised AD. Network defenders can then implement defense-in-depth controls and procedures, evict the attacker, and monitor for evidence of additional activity. The goal of this approach is to deny the threat actor the ability to surreptitiously regain unauthorized access and to harden AD as a deterrent to future threats.
Secureworks incident responders assist customers with the following actions:
After completing these steps, the customer must perform any additional remediation required to address the attack. They must also continue to monitor for activity and indicators that could be associated with a threat actor’s re-entry.
Active Directory remediation and eviction can be daunting but must be faced ‘head-on’
It is normal for network defenders to feel overwhelmed and threatened during a cyber intrusion. The recovery and remediation tasks can seem daunting, but Secureworks incident responders provide support and guidance, secure AD, and help customers return to ‘business as usual.’
To alleviate some of the confusion and pressure during a crisis, organizations should proactively establish and test their remediation, eviction, and recovery procedures. In addition, organizations must harden their AD implementations to deter threat actors.
Secureworks offers numerous proactive Incident Response services to help customers avoid, detect, and respond to attacks. Emergency response is available if you need urgent assistance with an incident.
Written by Rebecca Taylor, Threat Intelligence Knowledge Manager