Active Directory Audit and Response: Giving Cyber Defenders a Second Chance

April 4, 2019


You've probably heard people say, "Defenders have to be right every time, attackers only once." That's true, but fortunately with Active Directory audit and response, we’ve got a second chance at maintaining Active Directory security.


Active Directory and the Cyber Kill Chain

AD provides security and control over critical IT systems and infrastructure. As I discussed in my post Active Directory Security Risk Factors and What to Do About Them (Part 1), many attack paths lead through AD.

Cyberattackers are adept at gaining a foothold in victims' environments through spear phishing and other techniques. Once attackers control a domain account, they can perform LDAP lookups against AD. By reconnoitering the IT environment reflected in AD, they can discover user names, job titles and roles, devices, servers, services, and user/service relationships.

Imagine having a Google-like search tool to discover the paths of privilege through AD to the “crown jewel” IT assets. It exists. Tools such as PowerSploit and BloodHound make it easy for a “script kiddie” type of threat actor to plan their cyberattack.

Attackers can move laterally toward the target by adding the account they control to a group that has privileges over the target network, server, database, or application. Trickier exploits can leverage password resets, or compromise AD infrastructure objects that affect built-in Windows OS behavior and can confer privileges throughout a domain.

The Big Gotcha

For cyber defense, one can lock down domain controllers with control baselines, require domain administrators (DAs) to use multi-factor authentication (MFA), and take other preventative controls. Organizations should also put tight procedural controls in place using strict AD policies, procedures, and change management. For example, adding a new DA should require a service ticket from the company’s IT service management tool, and it should go through a workflow approval.

However, many preventative controls are subject to The Big Gotcha: DAs create the rules in AD and can change them. A malicious or policy-violating DA insider, or an attacker with DA privileges, can override most of the preventative controls.

Closing the Procedural Loop

The term “AD audit” is overloaded. Sometimes it is used for logging or monitoring (“audit log”), at other times to describe a process of verifying (“auditing”) that other controls are operating effectively. In the latter sense, audit supports compliance reporting. Auditing controls in operation also closes procedural loops: it can ascertain whether policies or procedures on administrative privileges, DA accounts, or DC configurations are actually being followed.

Suppose an organization with 10 DAs restricts the ability to create more through a procedure under which only one DA account is authorized to add new DAs, and only with workflow approval. Audit should flag every addition of a new DA, and it should be able to raise rules-based alerts when an out-of-process DA appears in violation of the policy. For more details, check out the slides and the recording of my recent on-demand webinar: Active Directory Audit: Why and How.
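The rule just described, expressed as detection logic over Windows Security event 4728 (“A member was added to a security-enabled global group”), is shown below as an added example that is not part of the original post. The authorized provisioning account, the change-ticket table and the sample events are constructed assumptions, not values from any real environment.

```python
from dataclasses import dataclass
from typing import Optional

# Policy from the post: only one DA account may add new DAs, and only with an
# approved workflow ticket. The account name and ticket ids are hypothetical.
AUTHORIZED_ADDER = "corp\\da-provisioning"
PROTECTED_GROUP = "Domain Admins"
# Approved additions exported from the ITSM tool: member DN -> change ticket.
APPROVED_ADDITIONS = {"CN=Alice Ng,OU=Admins,DC=corp,DC=example": "CHG0001234"}

@dataclass(frozen=True)
class Alert:
    member: str
    actor: str
    reason: str

def evaluate_event(event: dict) -> Optional[Alert]:
    """Return an Alert when a 4728 event puts a member into Domain Admins
    outside the approved process; None for in-process or unrelated events."""
    if event.get("EventID") != 4728 or event.get("TargetUserName") != PROTECTED_GROUP:
        return None  # not a Domain Admins addition; other rules handle it
    actor = f"{event['SubjectDomainName']}\\{event['SubjectUserName']}".lower()
    member = event["MemberName"]
    if actor != AUTHORIZED_ADDER:
        return Alert(member, actor, "added by an account not authorized to add DAs")
    if member not in APPROVED_ADDITIONS:
        return Alert(member, actor, "no approved change ticket for this member")
    return None  # in-process change: authorized actor and an approved ticket

def scan(events: list) -> list:
    # Apply the rule to a batch of events, e.g. one SIEM search result.
    return [a for a in map(evaluate_event, events) if a is not None]

def _ev(event_id, actor, group, member):
    return {"EventID": event_id, "SubjectDomainName": "CORP", "SubjectUserName": actor,
            "TargetUserName": group, "MemberName": member}

# Constructed sample events: one approved change, one rogue DA adding a service
# account, one unticketed addition by the right account, one unrelated group.
SAMPLE_EVENTS = [
    _ev(4728, "da-provisioning", "Domain Admins", "CN=Alice Ng,OU=Admins,DC=corp,DC=example"),
    _ev(4728, "da-bob", "Domain Admins", "CN=svc-backup,OU=Svc,DC=corp,DC=example"),
    _ev(4728, "da-provisioning", "Domain Admins", "CN=Mallory,OU=Users,DC=corp,DC=example"),
    _ev(4732, "da-bob", "Remote Desktop Users", "CN=Carol,OU=Users,DC=corp,DC=example"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert.member}: {alert.reason} (actor={alert.actor})")
```

Running the block reports two alerts: the addition by the unauthorized DA and the unticketed addition by the authorized account, while the approved change and the unrelated group event pass silently.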

The Second Chance

The diagram at the beginning of this post shows the main moving parts of an AD audit capability. When audit (a “detect” control in NIST Cybersecurity Framework terminology) is integrated with change monitoring and rollback (a “respond” control), defenders get a second chance to stop a breach.

AD audit can also be integrated with an enterprise-wide security information and event management (SIEM) solution to correlate diverse events, find additional indicators of compromise, and reduce false positives. Organizations should ensure that AD audit is part of broader AD management and monitoring capabilities that enable a rapid response.


Dan Blum, Cybersecurity Strategist and Author

Dan Blum is an internationally recognized strategist in cybersecurity and risk management. He was a Golden Quill Award-winning VP and Distinguished Analyst at Gartner, Inc., has served as the security leader for several startups and consulting companies, and has advised hundreds of large corporations, universities and government organizations. He consults with clients on identity management, PAM, risk management, and other topics. He has made his new book Rational Cybersecurity for Business: The Security Leaders' Guide to Business Alignment freely available as Open Access via Apress, or on Amazon.
