Blogs & Opinions 31.03.2023

Microsoft Active Directory: What Is It and Why Is It a Gateway to So Many Successful Cyber Attacks?

Ninety percent of cyber attacks exploit Microsoft Active Directory. This statistic alone should be enough to make CEOs wake up to its challenges, argues Guido Grillenmeier


When most business leaders think of Microsoft, they picture an impressive resume of business applications, including Word, Teams, Outlook and Excel. However, few will think of Active Directory (AD). Many won’t even know what it is. If you’re one of those, that’s about to change.

To many CEOs, AD is invisible; yet it is a foundational piece of IT infrastructure for 90% of organisations. This reality is problematic.

This 20-year-old technology has turned into a major security liability, one that CEOs can’t ignore. Here, we’ll outline what AD does, why it is vulnerable, how cyber attackers can use it to wreak havoc, and how businesses can prevent potentially devastating outcomes. Now, first things first…

What on earth is AD?

Put simply, AD keeps track of people and devices, providing a way for each user to prove their identity to access resources. Organisations must ensure that only authorised users can access email accounts or file shares, for example. AD enables that control. Think of it like a technical bouncer.

Authentication is vital for security. To truly understand this, consider your home. Your family doesn’t ask why you’re there because they know who you are. You authenticate yourself through your appearance and mannerisms, your human credentials. Your identity also gives you access to certain rooms or belongings.

These are the types of distinction that AD enables: which users are allowed to access what. Although AD provides this service reliably and effectively, it does not do so without security risks.

Sounds good. So what’s the problem?

AD poses a problem that CEOs can’t afford to ignore. Released over two decades ago, it isn’t equipped to combat the sophisticated cyber attacks of today.

It was originally designed for ease of use: once a user has the permissions needed to log in to the network, they are treated as trusted from then on. This makes life incredibly easy for anyone who gains unapproved access. Once they’re in, they’re in.

90% of all successful attacks take advantage of AD

For cyber criminals, the potential for reward is significant. Imagine a physical safe in which you store all the keys to your office. AD is similar: it is the central access hub to your business’s systems, computers, software and other resources.

AD is dangerous because it is both critical to day-to-day operations and easy for attackers to misuse. Indeed, roughly 90% of all successful attacks take advantage of AD. Ransomware demands in such cyber attacks are steep. For example, CNA Financial paid a ransom of $40 million to regain access to its network in 2021.

It’s complex, OK…

With the rise of cloud applications and remote working (thanks, Covid-19), more organisations are adopting hybrid infrastructures that combine on-premises AD and cloud-based Azure AD or other cloud-hosted identity services. Hybrid identity lets employees use one login to authenticate to all services across the cloud and on premises.

Some CEOs might think that the move toward hybrid identity reduces the importance of AD. In reality, hybrid environments place even more value on the identity source, which for 90% of enterprises is AD.

Woah, 90% of cyber attacks exploit AD

CEOs must understand and address the risks associated with AD.

To improve cybersecurity, many organisations implement a zero-trust model. What does that mean? It means that whenever a user or device requests access to a resource, their identity and access rights must be verified before access is granted.

However, this verification centres on the assumption that the underlying identity system is secure. If AD isn’t secure, there is no trust to be had. Quite literally, zero trust.

When an account is compromised, the potential for malicious manipulation of network data and resources is frightening. Because of the potential for high reward, attackers are constantly innovating to find ways to target AD and launch identity-based attacks.


Today, it is estimated that AD is exploited in 9 out of 10 cyber attacks. Gartner advises that misused credentials are now the top technique used in breaches. In fact, Gartner has deemed identity protection so important that it has defined a whole new category for it: Identity threat detection and response (ITDR) was named as one of the company’s 2022 top trends in cybersecurity.

For CEOs, an effective identity threat detection and response (ITDR) strategy can make the difference between protecting the enterprise and watching the proverbial ship sink. In the notorious 2017 NotPetya attack on shipping giant Maersk, for instance, a successful attack on AD infected the company’s entire network in minutes, resulting in £8bn ($10bn) of damages.

Herein lies the criticality of identity protection. Although many security tools aim to keep attackers out of the network, ITDR also focuses on addressing identity-centric weaknesses within the network.

Guido Grillenmeier is the principal technologist for EMEA at Semperis. He has been a Microsoft MVP for directory services for 12 years and he also spent 20+ years at HP/HPE as chief engineer. A frequent presenter at technology conferences and contributor to technical journals, Guido is the co-author of Microsoft Windows Security Fundamentals.
