Why is Active Directory a Concern for CISOs?
It is no secret that cybersecurity threats are evolving at an unprecedented pace worldwide, posing significant challenges for organisations across all sectors.
As businesses rely increasingly on digital infrastructure, robust security measures only become more important.
One critical system that has become a prime target for cybercriminals is Active Directory (AD).
AD is the centralised system that manages user identities and access controls within an organisation's IT environment; its pivotal role in controlling access to resources and keeping business operations running makes it an attractive target for threat actors.
Now, with 90% of cyber incidents involving compromise of the identity system, the security of AD has become a top priority for Chief Information Security Officers (CISOs) across the world.
To find out more, we asked Jim Doggett, CISO at Semperis, which specialises in AD threat prevention, about why AD is a concern for CISOs.
The critical nature of Active Directory
AD serves as the backbone of an organisation's IT infrastructure, often working in tandem with cloud-based directory services like Entra ID or Okta.
Jim emphasises the critical nature of AD and the vital role that AD plays in keeping businesses running smoothly, stating:
"Simply put, if AD is not operational, the company is not operational."
Jim Doggett focuses on embedding risk management, security and compliance into the business fabric to manage risks efficiently. He formerly served as global leader of Information Risk and Resiliency for the Treasury and Security Services division of JP Morgan, as CISO and Chief Technology Risk Officer for Kaiser Permanente, and as Chief Technology Risk Officer and CISO for AIG. Subsequently, he helped start up Panaseer, building the first continuous controls monitoring platform (where he remains a Board Advisor), and is presently CISO at Semperis.
However, this importance also makes it a prime target for cybercriminals.
The vulnerability of AD stems from its original design principles.
As Jim explains: "AD was designed to be a highly resilient and reliable enterprise directory system—and it was designed to be open. Today, that 'openness' is also its Achilles' heel."
This openness, while initially intended to enhance functionality, now presents significant security challenges in the face of sophisticated cyber threats.
The devastating consequences of AD compromise
When attackers gain access to AD, the potential for damage is immense.
Jim outlines some of the severe consequences: "An attack that compromises AD can have devastating consequences.
"It could lead to the eventual takeover of critical assets in the IT environment. This is particularly damaging in critical infrastructure attacks, such as utilities or healthcare."
The impact of such attacks can be far-reaching, affecting not just the organisation but potentially entire sectors or even national infrastructure.
Jim further provides concrete examples of the financial impact: "The attack this year on Change Healthcare led to a US$22m ransom payout to retrieve data.
"Change Healthcare has also reportedly paid more than US$1bn already in forensics and recovery costs."
These figures highlight the enormous financial burden that organisations face in the aftermath of a successful AD attack and emphasise the need for robust preventative measures.
Common attack vectors and notable incidents
Cybercriminals often exploit vulnerabilities that have accumulated over time, particularly in legacy AD environments.
Jim points out: "Tactics by threat actors involve targeting misconfigurations in AD that have accumulated over time, particularly in legacy AD environments as well as unpatched flaws."
This emphasises the importance of regular security audits and updates to AD systems.
Additionally, several high-profile attacks have demonstrated the devastating potential of AD compromises.
Jim explains: "Notorious attacks on the Maersk shipping company, SolarWinds and Colonial Pipeline, all of which involved an AD compromise, stand as prime examples of what can happen if the vulnerabilities of AD aren't addressed."
These incidents serve as stark reminders of the critical need for robust AD security measures across all industries.
Best practices for securing Active Directory
Given the critical importance of AD, organisations must implement comprehensive security measures.
"The best approach for securing AD is implementing a layered defence strategy that protects AD before, during and after an attack", says Jim.
"Organisations need solutions that address every stage of the attack lifecycle, including identifying and mitigating vulnerabilities, detecting advanced attacks, automatically remediating malicious changes, and ensuring a malware-free AD recovery in the event of a cyberattack."
This holistic approach ensures that organisations are prepared for various attack scenarios and can respond effectively to threats.
Jim also emphasises the importance of preparedness: "Given that many AD attacks are successful, organisations should prepare for the worst by having a tested AD forest recovery plan in place so they can resume business operations as quickly as possible after an attack."
By implementing these best practices and maintaining a proactive stance, organisations can significantly enhance their AD security posture and mitigate the risks associated with potential breaches.
Jim's insights make clear that, as cyber threats continue to evolve, AD remains a critical concern for CISOs and IT security teams.
Yet by understanding the vulnerabilities, implementing robust security measures and staying prepared for potential attacks, organisations can better protect their critical infrastructure and maintain operational resilience in the face of growing cyber threats.
Cyber Magazine is a BizClik brand