Why 86% of Organisations Are Increasing Their Investment in Active Directory Security

November 2021 by Semperis

The new attention focused on securing Active Directory (AD) is a direct result of the increasing frequency of attacks against it. One example is the recent string of golden ticket attacks, including the Golden SAML attack launched on SolarWinds, in which bad actors created fake user credentials, mimicked real users, and bypassed two-factor authentication.

In the case of SolarWinds, attackers escalated privileges by exploiting unauthorised access granted through AD access control lists (ACLs). This allowed them to move laterally within the victims’ networks under the cover of those stolen elevated permissions to access and exfiltrate sensitive data. Attacks like these are now driving organisations to make securing AD a priority.

Despite attacks on AD increasing in both severity and costs in the last year, this type of attack is unfortunately nothing new. Security researchers first identified golden ticket exploits back in 2017, and attackers have targeted AD for years in hopes of getting a leg up into high-value enterprise resources. There are two primary reasons for this. The first is that AD holds the key to unlocking a wealth of valuable data. The second is that the directory-based identity services platform is used by 90% of enterprises worldwide for authentication and authorisation.

To better understand the growing number of severe attacks on AD, Semperis partnered with Enterprise Management Associates (EMA) to survey 250 IT professionals and executives on how their organisation responds to the growing risk and how their priorities around securing AD are changing.

Here are the top findings from the EMA research report, “The Rise of Active Directory Exploits: Is It Time to Sound the Alarm?”

1. 50% of organisations experienced an attack on Active Directory in the last 1-2 years.

Given the increase in the prevalence of AD attacks, it’s surprising that only 50% of respondents indicated that their organisations had their AD system attacked in the last year or two. By Microsoft’s own reckoning, 95 million AD accounts are targeted by cyberattacks every day.

It’s very possible that a significant portion of these attacks went unnoticed. 25% of survey respondents said that detecting live attacks is the biggest AD security challenge. This distinct lack of visibility, combined with the high rate of attacks against AD, makes it reasonable to assume that organisations could be missing stealthy attackers who successfully covered their tracks. It’s also possible that some security professionals may not realise that AD frequently plays a part in ransomware attacks, which have been rapidly increasing in number over the last couple of years.

2. Over 40% of Active Directory attacks were successful.

Mandiant threat hunters estimate that 90% of the incident response engagements they conduct with clients involve AD in some manner, whether it is the initial attack vector or is targeted to achieve persistence or privileges. This makes the high success rate of attacks against AD deployments particularly alarming.

3. Penetration testers successfully exploited Active Directory exposures 82% of the time.

Although IT operations and security operations teams are the primary groups tasked with conducting assessments, they are also periodically supplemented with assessments conducted through internal red team or pen testing activities. For the 29% of respondent organisations that conduct internal red team exercises or penetration testing against AD, attempting to exploit AD exposures as a part of those exercises is relatively common. For those that do so, the success rate is startlingly high at 82%.

Given the deep level of AD expertise required to find vulnerabilities and understand the types of errors that can lead to exposures, many organisations do not have the resources to conduct AD assessments frequently. Automated penetration testing tools only get security teams part of the way there in terms of maintaining a good AD security posture. Even with available expertise, remediating exposures and vulnerabilities is still a cumbersome process because of AD’s complex structure. Factors such as a lack of visibility into AD exposures and the effort required to research each exposure posed a challenge for 38% and 37% of respondents, respectively.

4. 86% of organisations plan to increase investment in protecting Active Directory.

Given the growing number of headlines around AD exploits (e.g., SolarWinds, LockBit ransomware), it’s no surprise that security teams are placing AD security at the top of their list of priorities. The increase in the prevalence of AD attacks drove the largest percentage of organisations to plan an increase in spending on security, but other issues are also spurring those decisions. The pandemic caused two major interrelated changes in IT activity. First, it created the need to support large scale remote or work-from-home activities. Second, it accelerated cloud migration plans for most enterprises.

While Microsoft continues to publish security updates for AD, nothing will prevent AD attacks from happening, as the growing number of incidents makes evident. To safeguard their organisation from today’s threats, security teams must increase their visibility into AD’s attack surface and be able to respond quickly once a live attack is detected.

In addition, audits remain a primary method to identify and secure exposures, but they are not the only method or tool security teams can or should use, especially given their snapshot nature. Today, new tools are being designed to spot patterns of malicious activity in real time as attackers seek to gain access to privileged accounts and create back doors. Recently introduced by Semperis, Purple Knight is a free AD security assessment tool that queries an organisation’s AD environment and performs a comprehensive set of tests against the most common and effective attack vectors to uncover risky configurations and security vulnerabilities. Semperis also offers the industry’s most comprehensive hybrid AD threat detection and response platform, Directory Services Protector.
