Active Directory security: AD monitoring and proactive security detection combined
The term “Active Directory security” generates a few different reactions, depending on who you ask. To fully understand its significance, we must separate the unique concepts related to AD security. These include:
- Security scanning and evaluation – Similar to a pentest, this assumes that existing security misconfigurations and attack pathways exist in every AD. The scan and evaluation locate them.
- Security hardening – This is proactively ensuring that settings are configured with a security-first mindset.
- Change monitoring – This is the continued monitoring and archiving of all changes that occur in the AD environment (users, groups, OUs, GPOs, etc.).
- Historical reporting – This is the ability to run detailed queries against a DB of changes that have occurred in AD over time to see trends, changes, and even track down attack actions.
- Compliance reporting – This is the process of producing reports on current and historical settings and actions within AD that ensure basic security practices are being followed.
- Attack pathway detection – Attackers rarely look directly at basic settings for their attacks. Rather, they search for misconfigurations and vulnerable backend processes which they can leverage to move laterally and gain privileges. Attack pathway detection finds the same routes the attacker wants and sends alerts as they open up.
- Attack detection – Attacks such as DCSync, DCShadow, and password spraying need to be detected as they are initiated so they can be stopped immediately.
- Threat hunting – Most attackers create a multitude of backdoors into AD when the opportunity presents itself. Therefore, if a single misconfiguration or malicious action is detected, security professionals can perform threat hunting actions to see if any other backdoors were initiated.
AD monitoring solutions
AD monitoring solutions typically rely on security logs for their information and reporting. This reactive approach is excellent for change monitoring and compliance reporting. After all, their goal is not to detect attacks or misconfigurations, but to see all changes occurring within AD for later analysis. AD monitoring solutions do a very good job with:
- Change monitoring
- Historical reporting
- Compliance reporting
Of course, these activities are essential for most organizations since they need to generate reports for auditors and executives to pass audits and meet internal guidelines.
Weaknesses of AD monitoring solutions
What these solutions omit is looking at the AD security environment through the eyes of the attacker. Attackers do not want to be tracked (no logs generated), do not want to stand out (impersonation of another user, group, computer, or process is ideal), and do not want to trigger an event that can easily be spotted.
Detecting attackers who function at this level requires a proactive approach more than a reactive one. Recon tools like BloodHound and Infection Monkey give the attacker visibility over the paths they need to compromise privileged groups/users. Attackers can use these pathways by leveraging tools and techniques like Mimikatz, Kerberoasting, impersonation, and more.
Unfortunately, AD monitoring solutions are not equipped to look for these tools or attack vectors. It’s no surprise, as many of the concepts are far from linear and require the complex incorporation of ACLs, group memberships, attributes, user rights, and more. It takes an analysis solution (hint: Alsid) to dynamically calculate attack pathways in real time and see what the attacker sees.
Alsid – Proactively securing AD
The Alsid approach is to perform the same recon and analysis actions the attacker performs, but in the following manner:
- No agents
- No privileges
- Nothing installed on any DC
- Initial scanning and evaluation of existing misconfigurations and attack pathways into the existing AD environment
- Automatically and persistently analyzing new attack pathways
- Real-time alerting and SIEM/SOAR integration for immediate response
- Ongoing attack detection
- Threat hunting to ensure all backdoors and misconfigurations are found
Every AD has misconfigurations and settings an attacker can leverage. Finding and fixing these security flaws is paramount to eliminating attack pathways.
Since AD is constantly evolving, consistent monitoring of any change within AD, along with immediate analysis of whether the change causes a new attack pathway, is also critical. With hundreds, if not thousands, of changes occurring in AD (users, groups, OUs, GPOs, etc.) every day, new attack pathways are being created. Alsid informs you of these immediately.
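To make the difference between logging a change and analyzing it concrete, here is an added illustration (not Alsid's implementation or code from this article): a small graph check that reports which principals gain a route to a privileged group after a single change. The principals, the edge labels and the baseline are constructed sample data, and the relation names are simplified assumptions.

```python
from collections import deque

# Simplified, constructed edge labels; only these are treated as "control" edges.
CONTROL = {"MemberOf", "GenericAll", "WriteDacl", "ResetPassword"}
PRIVILEGED = {"Domain Admins"}

# Constructed baseline: (source, relation, target) = source can act on target.
BASELINE = frozenset({
    ("da_admin", "MemberOf", "Domain Admins"),
    ("svc_backup", "MemberOf", "Domain Admins"),   # service account in a privileged group
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "ResetPassword", "jsmith"),       # ordinary delegation
    ("Helpdesk", "ReadProperty", "svc_backup"),    # read-only, not a control edge
})

def paths_to_privileged(edges):
    """Map every principal that can reach a privileged group to its shortest path."""
    incoming = {}
    for src, rel, dst in edges:
        if rel in CONTROL:
            incoming.setdefault(dst, []).append((src, rel))
    found = {}
    queue = deque((group, [group]) for group in PRIVILEGED)
    while queue:                                   # breadth-first, walking edges backwards
        node, path = queue.popleft()
        for src, rel in incoming.get(node, []):
            if src not in found and src not in PRIVILEGED:
                found[src] = [src, rel] + path
                queue.append((src, found[src]))
    return found

def new_paths_after_change(edges, added_edge):
    """Return only the paths that did not exist before the change was made."""
    before = paths_to_privileged(edges)
    after = paths_to_privileged(set(edges) | {added_edge})
    return {who: path for who, path in after.items() if who not in before}

if __name__ == "__main__":
    # A change log records this as one ACL edit on one service account.
    change = ("Helpdesk", "ResetPassword", "svc_backup")
    for who, path in sorted(new_paths_after_change(BASELINE, change).items()):
        print(f"ALERT new path for {who}: " + " -> ".join(path))
```

The same edit that a change log stores as one line on one object is reported here as two newly exposed principals (the Helpdesk group and its member), which is the kind of result that needs ACLs and group memberships evaluated together.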
Not all attacks stem from misconfigurations, so these attacks must be seen in real time to stop them as soon as possible. Password spraying and brute-force attacks can’t be negated. However, being able to detect them as they happen is essential. DCSync and DCShadow, which don’t log events, go unseen by AD monitoring solutions. Alsid gathers information from the DC replication stream to highlight these attacks in real time.
There are major benefits to having an AD monitoring solution in nearly every organization. The power of producing reports for auditors and management is vital. That said, AD monitoring solutions do not provide the depth required to secure AD against future threats at the level an attacker operates. The need to mitigate existing threats is also essential, and detecting attacks as they occur gives an organization the chance to stop them. AD monitoring solutions come up short in both these areas. Alsid fills the gaps to ensure Active Directory can be protected before and during an attack.