Why AD Protection Must be at the Core of Your Zero Trust Strategy
By Sean Deuby, Semperis Principal Technologist, North America
Zero Trust is coming into the mainstream in Europe, according to Forrester, with over two-thirds of businesses developing a zero-trust strategy. Businesses adopt the approach to secure data and operations in a hybrid work environment. However, the zero-trust model for network access has an important oversight: it implicitly assumes that the systems on which it is applied, including Active Directory (AD) as the corporate identity store, maintain their integrity.
Active Directory is, in fact, often the weak link in the identity security chain. The problem isn’t necessarily AD itself, although this technology is now over 20 years old. Properly configured and deployed, AD can be incredibly versatile. Unfortunately, it can also be misconfigured and mismanaged in as many ways as it’s deployed. Systemic weaknesses then make it a soft target.
Threat actors know this. It is why AD is so frequently a central link in the cyberattack kill chain, as it was in the Colonial Pipeline attack: 90% of the attacks investigated by cybersecurity consultancy Mandiant involved AD in some form.
Because it holds the keys to the kingdom and provides a treasure map to an organisation’s data, AD can be used by hackers to gain privileges and allow lateral movement through the network. Threat actors attack AD to facilitate everything from persistence techniques to privilege escalation to defence evasion. Because cloud identity also extends from AD, it’s a prime target for credential abuse, a tactic involved in 80% of all data breaches.
Different architectures, one identity source
Identity is a core component of any robust zero-trust infrastructure. And it needs to be treated as such. Many of us are still working from home at least some of the time. While maintaining remote access capabilities, cloud-focused applications and security strategies, organisations must not forget that these depend upon the integrity of their core on-premises identity systems.
In the past, users have largely depended on Virtual Private Networks (VPNs) for remote access. Users are authenticated by a directory service, usually Active Directory, and are then allowed onto the corporate network. However, as a solution with scalability challenges and a reliance on network perimeter security, VPNs alone aren't the answer for the modern remote workforce.
Instead, a rapidly growing segment of companies has its users sign in to a web-based Identity and Access Management (IAM) service with their corporate credentials and access SaaS apps such as Zoom or Office 365 directly over the internet. This is a zero-trust model in which the user's identity, not their network location, is the key to gaining access to the application.
Some of these companies go further by extending this model into their on-premises networks. They deploy devices that create a software-defined perimeter between applications and the users attempting to access them. These proxy devices (for example, Azure AD Application Proxy or Symantec Secure Access Cloud) grant the user access only to the proxy-published application instead of the broad network access granted by a VPN. Because traffic is routed through the IAM service, the user session can be subject to sophisticated access controls such as device integrity, session risk or the type of client app used. Nevertheless, these controls only govern access that flows through the IAM service: an intruder who already has a foothold inside the network, or who controls the on-premises directory that the IAM service trusts, can move laterally without ever touching the proxy.
Securing the source
Whether a user is logging in to the corporate network with a VPN or signing in to a web portal to access SaaS or on-premises apps, identity assurance is always crucial. Whereas VPNs rely on an on-premises corporate identity source, modern cloud IAM services draw on many factors such as device health, location and behaviour patterns to establish an identity's assurance level. But the core of these massive cloud services is still the individual user's account credentials.
Because most organisations use a hybrid identity model (projecting their on-premises identity to Internet services), the identity source for these credentials is the keystone of the entire sophisticated architecture. And for 90% of enterprises, this identity source is Active Directory (AD).
This means any Zero Trust strategy – in fact, any security architecture – depends heavily on Active Directory. So how do you ensure its integrity and the integrity of its data?
Minimise AD’s attack surface
- Implement a least-privilege administrative model and remove every administrator account you do not strictly need. This 20-year-old advice is still relevant today.
- Lock down administrative access to the AD service by implementing administrative tiering and secure administrative workstations, so that Tier 0 credentials are never exposed on lower-tier systems.
- Secure AD domain controllers against attack by applying the recommended hardening policies and settings (for example, Microsoft's published security baselines for domain controllers).
- Scan AD regularly for misconfigurations – accidental or malicious – that potentially expose your forest to abuse or attack.
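The four steps above, taken together, amount to a recurring review of who holds standing privilege in the directory. The following PowerShell script is an added example and is not Semperis code or code from the original article: it enumerates the built-in privileged groups, flags members that contradict a least-privilege model, and lists the `adminCount=1` orphans that SDProp leaves behind after an account is removed from a protected group. It assumes the RSAT ActiveDirectory module, English group names, an account that can read the domain, and a 60-day staleness threshold, all of which are assumptions to adjust for your environment.

```powershell
# Added example (not Semperis code): enumerate standing members of the built-in
# privileged groups and flag accounts that contradict a least-privilege model.
# Assumes the RSAT ActiveDirectory module, English group names and read access
# to the domain. Run from an administrative workstation, not from a DC.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)
$StaleDays = 60                                  # assumption: tune to your policy
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

$Findings = foreach ($GroupName in $PrivilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain;
    # skip any group this domain does not have instead of aborting.
    try { $Members = Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop }
    catch { continue }

    foreach ($Member in $Members | Where-Object objectClass -eq 'user') {
        $User = Get-ADUser -Identity $Member.distinguishedName -Properties `
            Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires,
            ServicePrincipalName, AccountNotDelegated

        $Issues = @()
        if (-not $User.Enabled)              { $Issues += 'disabled account still holds privilege' }
        if ($User.LastLogonDate -lt $Cutoff) { $Issues += "no logon recorded in the last $StaleDays days" }
        if ($User.PasswordNeverExpires)      { $Issues += 'password never expires' }
        if ($User.ServicePrincipalName)      { $Issues += 'has an SPN: Kerberoastable account with admin rights' }
        if (-not $User.AccountNotDelegated)  { $Issues += 'not marked "sensitive and cannot be delegated"' }

        if ($Issues.Count -gt 0) {
            [pscustomobject]@{
                Group  = $GroupName
                User   = $User.SamAccountName
                Issues = $Issues -join '; '
            }
        }
    }
}

# adminCount=1 without current privileged membership: SDProp leftovers whose ACL
# inheritance is still disabled. Reviews that only look at group membership miss them.
$Protected = $PrivilegedGroups | ForEach-Object {
    try { (Get-ADGroupMember -Identity $_ -Recursive -ErrorAction Stop).distinguishedName } catch { }
} | Sort-Object -Unique
$Orphans = Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $Protected -notcontains $_.DistinguishedName }

$Findings | Sort-Object Group, User | Format-Table -AutoSize
$Orphans  | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Expect the `krbtgt` account to appear in the orphan list; it carries `adminCount=1` by design and is not a finding. Everything else in that list, and every row in the first table, is a candidate for removal from the group, for a fresh password, or for an explicit exception that is written down.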
Monitor AD for signs of compromise and roll back unauthorised changes
- Enable both basic and advanced auditing. You can't know about changes to your AD if you haven't enabled the mechanisms that log them, and for directory-object changes (event ID 5136) the audit policy alone is not enough: the objects you care about also need a system access control list (SACL) that requests auditing. Then you need to actually look at the key events via a centralised console.
- Monitor object and attribute changes at the directory level. The security event log will show you most, but not all, changes made to AD. For example, the DCShadow attack registers a rogue domain controller and pushes its changes in through replication, so the modified attributes never generate a directory-change event on the legitimate DCs. The only way to ensure you're aware of all activity in your AD forest is to monitor the changes as they replicate between domain controllers, for instance by checking which DC each attribute's replication metadata names as the originating writer.
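The two monitoring points above are complementary, and the script below (an added example, not Semperis code or code from the article) shows both on a single domain controller: it pulls the last 24 hours of group-membership and directory-change events from the Security log, and then reads the replication metadata of the Domain Admins group so that a membership value whose originating DC is not a domain controller the domain knows about is flagged, which is what a DCShadow push looks like after the attacker has removed the rogue DC. It assumes the RSAT ActiveDirectory module, rights to read the DC's Security log, and that the "Directory Service Changes" and "Security Group Management" audit subcategories are enabled with SACLs set on the monitored objects; the choice of the PDC emulator and of Domain Admins as the object to check are illustrative assumptions.

```powershell
# Added example (not Semperis code): two checks against one domain controller.
# Check 1 reads the Security log for the directory-change events that matter.
# Check 2 reads replication metadata, which also covers changes that arrived via
# replication (DCShadow) and so never produced a 5136 or 4728 event on any DC.
# Assumes the RSAT ActiveDirectory module and Event Log Readers rights on the DC.
Import-Module ActiveDirectory

$DC    = [string](Get-ADDomainController -Discover -Service PrimaryDC).HostName   # assumption: any writable DC works
$Since = (Get-Date).AddHours(-24)

# --- Check 1: security event log -------------------------------------------------
# 4728/4756: member added to a global/universal security group, 4732: local group,
# 5136: directory service object modified (needs a SACL on the object, not just the policy).
$Ids    = 4728, 4732, 4756, 5136
$Events = Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = $Ids; StartTime = $Since
}
$Changes = foreach ($Ev in $Events) {
    # EventData fields are only reachable through the XML view of the event.
    $Data = @{}
    ([xml]$Ev.ToXml()).Event.EventData.Data | ForEach-Object { $Data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time   = $Ev.TimeCreated
        Id     = $Ev.Id
        Actor  = $Data['SubjectUserName']
        Target = if ($Ev.Id -eq 5136) { $Data['ObjectDN'] } else { $Data['TargetUserName'] }
        Detail = if ($Ev.Id -eq 5136) { "$($Data['AttributeLDAPDisplayName']) = $($Data['AttributeValue'])" }
                 else { $Data['MemberName'] }
    }
}
$Changes | Sort-Object Time | Format-Table -AutoSize

# --- Check 2: replication metadata ------------------------------------------------
# Every attribute value records the NTDS Settings object of the DC where the write
# originated. A value whose originating server is not one of the domain's current DCs
# is either a since-demoted DC (verify against your change records) or a rogue DC
# that was registered for a DCShadow push and then removed.
$KnownDCs = (Get-ADDomainController -Filter * -Server $DC).NTDSSettingsObjectDN
$Group    = Get-ADGroup -Identity 'Domain Admins' -Server $DC
$Meta     = Get-ADReplicationAttributeMetadata -Object $Group.DistinguishedName -Server $DC -ShowAllLinkedValues
$Suspect  = $Meta | Where-Object {
    $_.AttributeName -eq 'member' -and
    $KnownDCs -notcontains $_.LastOriginatingChangeDirectoryServerIdentity
}
$Suspect |
    Select-Object AttributeValue, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize
```

Check 1 only sees what the DC was configured to audit and only for the DC you query, so in production collect the events from every DC centrally. Check 2 is a point-in-time snapshot; the useful deployment is to run it on a schedule against every object in the AdminSDHolder-protected set and alert on any originating server that is not in the known list.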
Plan for when compromise happens – because it will
- Monitoring for undesired AD changes is important, but you must also be able to roll back those changes quickly and automatically; otherwise you have only a partial solution.
- Prepare for large-scale compromise. Widespread encryption of your network, including AD, requires a solid, highly automated recovery strategy that includes offline backups for all your infrastructure components, and that you test regularly rather than trusting on the day.
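The first point above, automatic rollback of an undesired change, is shown below for the most common case, an unapproved member appearing in a privileged group. The script is an added example and is not Semperis code or code from the article: run it once with `-Baseline` to record the approved membership, then on a schedule to report drift and, with `-Enforce`, to remove members that are not in the baseline. It assumes the RSAT ActiveDirectory module, an account allowed to modify the groups, and the baseline path and group list shown, all of which are assumptions.

```powershell
# Added example (not Semperis code): baseline-and-enforce for privileged group
# membership. -Baseline records approved members; a later run reports drift and,
# with -Enforce, removes members that were added outside the approved list.
# Assumes the RSAT ActiveDirectory module and rights to modify these groups.
[CmdletBinding()]
param(
    [string]$BaselinePath = 'C:\ADBaseline\privileged-groups.json',   # assumption
    [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    [switch]$Baseline,
    [switch]$Enforce
)
Import-Module ActiveDirectory

function Get-CurrentMembership {
    # Direct members only: a nested group is itself a member to approve or reject.
    $State = @{}
    foreach ($G in $Groups) {
        try { $State[$G] = @((Get-ADGroupMember -Identity $G -ErrorAction Stop).distinguishedName | Sort-Object) }
        catch { }   # group absent in this domain (e.g. Enterprise Admins outside the forest root)
    }
    return $State
}

$Current = Get-CurrentMembership

if ($Baseline) {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $Current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}

$Approved = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
foreach ($G in $Current.Keys) {
    $ApprovedMembers = @($Approved.$G | Where-Object { $_ })

    foreach ($Dn in $Current[$G]) {
        if ($ApprovedMembers -notcontains $Dn) {
            Write-Warning "Unapproved member of '$G': $Dn"
            if ($Enforce) {
                Remove-ADGroupMember -Identity $G -Members $Dn -Confirm:$false
                Write-Output "Removed $Dn from '$G'"
            }
        }
    }
    # A member that disappeared is also drift: someone may be clearing a trail.
    foreach ($Dn in $ApprovedMembers) {
        if ($Current[$G] -notcontains $Dn) { Write-Warning "Approved member missing from '$G': $Dn" }
    }
}
```

Keep the baseline file on a host that Tier 0 administrators control and that is not writable from the directory being protected; otherwise an attacker with Domain Admin rights simply edits the baseline first. This covers membership of a handful of groups; rolling back arbitrary attribute changes or deleted objects needs a snapshot or backup to restore from, which is what the second point above is about.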
According to the Identity Defined Security Alliance, 84% of organisations worldwide suffered an identity-related breach in 2021/2022. A staggering 96% reported that they could have prevented or minimised the breach by implementing identity-focused security outcomes.
It is worth remembering that although you can implement a zero-trust network in a variety of ways, its core principles are always based on user identity. Whether accessing the network through a VPN or signing into an identity service’s web portal, the odds are high that your identity depends upon Active Directory. Therefore, ensuring its integrity is foundational to your company’s security.