Free Privileged Account Discovery Tool: Identify & secure credentials to stop lateral movement. Download Free

BeyondTrust
  • Products
    Privileged Password Management
    Discover, manage, audit, and monitor privileged accounts
    Password Safe DevOps Secrets Safe
    Endpoint Privilege Management
    Manage privileges on Windows, Mac, Linux, and Unix endpoints
    Windows and Mac Unix and Linux Active Directory Bridge
    Secure Remote Access
    Centrally manage and secure remote access for service desks and vendors
    Remote Support Privileged Remote Access
    BeyondInsight Analytics
    See All Solutions
  • Resources

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

    Watch Video

    Learn

    Case Studies
    Competitor Comparisons
    Datasheets
    Glossary
    Product Demos
    Whitepapers

    Attend

    Events
    Go Beyond
    Training
    Webinars

    Support

    Changelog
    Professional Services
    Technical Documentation
  • Blog
  • Partners
  • Contact
  • Support
  • Services
  • Training
  • Events
  • Company

Active Directory Audit and Response: Giving Cyber Defenders a Second Chance

April 4, 2019

  • Blog
  • Archive

You've probably heard people say, "Defenders have to be right every time, attackers only once." That's true, but fortunately with Active Directory audit and response, we’ve got a second chance at maintaining Active Directory security.


Active Directory and the Cyber Kill Chain

AD provides security and control over critical IT systems and infrastructure. As I discussed in my post Active Directory Security Risk Factors and What to Do About Them (Part 1), many attack paths lead through AD.

Cyberattackers are adept at getting a foothold into victim’s environments through spear phishing and other techniques. Once attackers control a domain account, they can perform LDAP lookups against the AD. Reconnoitering the IT environment reflected in AD, they can discover user names, job titles and roles, devices, servers, services, and user/service relationships.

Imagine having a Google-like search tool to discover the paths of privilege through AD to the “crown jewel” IT assets. It exists. Tools such as PowerSploit and Bloodhound make it easy for a “script kiddie” type of threat actor to plan their cyberattack.

Attackers can move laterally towards the target by putting the name of the account they control into a group that has privileges over the target network, server, database, or application. Still trickier exploits can leverage password resets, or compromise AD infrastructure objects that affect built-in Windows OS behavior, and can confer privileges throughout a domain.

The Big Gotcha

For cyber defense, one can lock down domain controllers with control baselines, require domain administrators (DAs) to use multi-factor authentication (MFA), and take other preventative controls. Organizations should also put tight procedural controls in place using strict AD policies, procedures, and change management. For example, adding a new DA should require a service ticket from the company’s IT service management tool, and it should go through a workflow approval.

However, many preventative controls are subject to The Big Gotcha: DAs create the rules in AD and can change them. A malicious or policy-violating DA insider, or an attacker with DA privileges, can override most of the preventative controls.

Closing the Procedural Loop

The term “AD audit” is overloaded. Sometimes it’s used for logging or monitoring (“audit log”), at other times to describe a process of verifying (“auditing”) that other controls are operating effectively. In the latter sense, audit supports compliance reporting. Auditing controls in operation also close procedural loops. It can ascertain whether or not policies or procedures on administrative privileges, DA accounts, or DC configurations are followed.

Suppose an organization with 10 DAs restricts the ability to create more through a procedure that only one DA account is authorized to add new DAs, and only with workflow approval. Audit should flag any additions of new DAs, and it should have the ability to create rules-based alerts if an out-of-process DA appears, violating the policy. For more details, check out the slides and the recording of my recent on-demand webinar: Active Directory Audit: Why and How.

The Second Chance

The diagram at the beginning of this post shows the main moving parts of an AD audit capability. When audit (a “detect” control in the NIST Cybersecurity Framework Terminology) is integrated with change monitoring and rollback (a “response” control) defenders get a second chance to stop a breach.

AD audit can also be tied with an enterprise-wide security and event information management (SIEM) solution to correlate diverse events, find additional indicators of compromise, and reduce false positives. Organizations should ensure that AD audit is part of broader AD management and monitoring capabilities that enable a rapid response.

Dan Blum

Cybersecurity Strategist and Author

Dan Blum is an internationally recognized strategist in cybersecurity and risk management. He was a Golden Quill Award winning VP and Distinguished Analyst at Gartner, Inc., has served as the security leader for several startups and consulting companies, and has advised 100s of large corporations, universities and government organizations. He consults with clients on identity management, PAM, risk management, and other topics. He's made his new book Rational Cybersecurity for Business: The Security Leaders' Guide to Business Alignment freely available for Open Access via Apress, or on Amazon.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Webcasts | February 09, 2021

Customer Webinar: Remote Support 21.1 Released!

Webcasts | February 24, 2021

Your PAM 2021 Blueprint: Securing Privileged Accounts for On-Premises and Cloud Assets

Whitepapers

Evolving Privileged Identity Management (PIM) In The 'Next Normal'

BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press

Languages

  • English
  • German
  • French
  • Spanish
  • Korean
  • Portuguese
  • Japanese
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.