BeyondTrust

Hybrid Active Directory Auditing: Same AD Security Challenges, Different Landscapes

June 26, 2019


Although many organizations land in a hybrid directory environment simply by deploying Office 365 (which requires Azure Active Directory), surprisingly little attention has been paid to how to audit that environment and keep Active Directory secure. In this post I'll explore the issue; if you want a deeper dive, I recommend my on-demand webinar: Mastering Hybrid Active Directory Auditing.

A Hybrid World

Almost all businesses today operate in what we'd call a "hybrid IT" environment. These environments combine at least some cloud-based systems with some on-premises infrastructure, and the two almost always meet somewhere, in documented or undocumented interconnects and integrations.

It's the same with hybrid Active Directory. Take a look at Figure 1 below, where even a cloud-only Azure AD tenant may still be part of a hybrid environment. All sorts of hybrid scenarios are emerging, including do-it-yourself (DIY) deployments of domain controllers running in Azure (or Amazon Web Services (AWS)) virtual machines, connected by a trust and a VPN tunnel to someone's on-premises AD forest.


Figure 1: Taxonomy of Hybrid Active Directory (AD) – Azure AD Scenarios

A Hybrid Kill Chain

What's the risk? Hybrid AD topologies sit just as squarely in the cyber kill chain as AD alone did when I wrote Active Directory Security Risk Factors and What to Do About Them (Part 1). Simply by doing their job of listing objects and answering queries, directory services become key information resources for attackers as well as for cyber-defenders.

Imagine having a Google-like search tool that automates the process of using legitimate directory queries (LDAP lookups, group membership reads, session enumeration) to discover the paths of privilege through AD to the "crown jewel" IT assets. It exists. Tools such as PowerSploit (PowerView) and BloodHound make it easy for an ethical hacker to find and close weaknesses in access control, or for a threat actor holding a compromised account to plan the next steps of an attack.

Figure 2 below illustrates some hybrid AD attack scenarios. The bad news is that cloud environments such as Office 365 / Azure are more exposed to brute-force and password-spraying attacks, because their login endpoints are reachable from the Internet. Once an Azure AD account is compromised, that user's domain-joined machine can immediately put the on-premises AD environment at risk as well. From there, the figure shows how the rot could spread into AD and back to Azure AD again, provided the attacker has some skills and exploit tooling to work with.
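The first hop in that scenario, spraying passwords at an Internet-facing Azure AD login endpoint, is also one of the easier things to detect from the tenant's sign-in logs. The following is an added example, not code from the original post or from any BeyondTrust product: it runs simple password-spray logic over sign-in records whose field names (userPrincipalName, ipAddress, createdDateTime, status.errorCode) follow the Azure AD sign-in log export, with 50126 as the "invalid username or password" result code. The sample events and the contoso.com accounts are constructed; the thresholds are assumptions you would tune for your own tenant.

```python
"""Password-spray detection over Azure AD sign-in log records.

Added example for this post, not the post's or any vendor's own code.
Record shape follows the Azure AD sign-in log export; the events below
are constructed, and the detection thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Azure AD sign-in result code for "invalid username or password"
INVALID_CREDENTIALS = 50126
SUCCESS = 0


def _event(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: 198.51.100.7 tries six different users once each,
# five minutes apart, then succeeds as carol. 203.0.113.9 is one user
# mistyping a password three times, which must not be flagged.
SAMPLE_SIGNINS = [
    _event("2019-06-25T02:00:00Z", "alice@contoso.com", "198.51.100.7", INVALID_CREDENTIALS),
    _event("2019-06-25T02:05:00Z", "bob@contoso.com", "198.51.100.7", INVALID_CREDENTIALS),
    _event("2019-06-25T02:10:00Z", "carol@contoso.com", "198.51.100.7", INVALID_CREDENTIALS),
    _event("2019-06-25T02:15:00Z", "dave@contoso.com", "198.51.100.7", INVALID_CREDENTIALS),
    _event("2019-06-25T02:20:00Z", "erin@contoso.com", "198.51.100.7", INVALID_CREDENTIALS),
    _event("2019-06-25T02:25:00Z", "frank@contoso.com", "198.51.100.7", INVALID_CREDENTIALS),
    _event("2019-06-25T02:40:00Z", "carol@contoso.com", "198.51.100.7", SUCCESS),
    _event("2019-06-25T02:01:00Z", "alice@contoso.com", "203.0.113.9", INVALID_CREDENTIALS),
    _event("2019-06-25T02:02:00Z", "alice@contoso.com", "203.0.113.9", INVALID_CREDENTIALS),
    _event("2019-06-25T02:03:00Z", "alice@contoso.com", "203.0.113.9", INVALID_CREDENTIALS),
    _event("2019-06-25T02:04:00Z", "alice@contoso.com", "203.0.113.9", SUCCESS),
    _event("2019-06-25T03:00:00Z", "bob@contoso.com", "192.0.2.5", SUCCESS),
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(hours=1),
                          min_users=5, max_per_user=2):
    """Return {ip: sorted list of targeted users} for every source IP that,
    within any sliding window, failed against >= min_users distinct accounts
    with <= max_per_user attempts per account (the spray signature: wide,
    not deep, so per-account lockout thresholds are never reached)."""
    failures = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == INVALID_CREDENTIALS:
            failures[e["ipAddress"]].append(
                (_parse_ts(e["createdDateTime"]), e["userPrincipalName"].lower()))

    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        targeted = set()
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                targeted.update(per_user)
        if targeted:
            findings[ip] = sorted(targeted)
    return findings


def successes_from_spray_sources(events, spray_findings):
    """Successful sign-ins from a spraying IP: the likely account compromise
    that starts the hybrid kill chain. Returns (ip, user) pairs in log order."""
    return [(e["ipAddress"], e["userPrincipalName"].lower())
            for e in events
            if e["ipAddress"] in spray_findings and e["status"]["errorCode"] == SUCCESS]
```

With the one-hour window the constructed spray is caught and carol's later success from the same address is surfaced as the probable compromise; shrink the window to ten minutes and the same six attempts, spaced five minutes apart, never co-occur in enough volume to trigger. That is exactly the "low and slow" trade-off: a wider window catches slower sprays at the cost of more false positives, so the window and thresholds should be set from your own tenant's sign-in baseline.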

Figure 2: Hybrid Infection and Infestation

The good news is that, at the time of writing, BloodHound- and PowerSploit-style tooling for Azure AD is hard to find. (The BloodHound project has since added an Azure AD collector, AzureHound, so treat this as a description of 2019, not of the present.) We must assume such tools, or something similar, will be available. They might need to operate in a "low and slow" mode to stay under the radar of Microsoft's security analytics, and they would have to master the enumeration and attack techniques specific to Azure AD.

The Big Gotcha – Revisited

More good news for hybrid AD defenders: as a managed service, Azure AD is easier to defend than AD. Many AD controls, such as reducing the number of domain controllers (DCs), physically securing DCs, applying DC security baselines, and putting firewalls in front of DCs, are unnecessary for Azure AD. And once customers have enforced multi-factor authentication (MFA) and turned on the security analytics that come with a Microsoft E5 subscription, brute-force attacks become much less of a worry, though not something to ignore.

However, as I wrote previously about Domain Admins (DAs): "Many preventative controls are subject to The Big Gotcha: DAs create the rules in AD and can change them. A malicious or policy-violating DA insider, or an attacker with DA privileges, can override most of the preventative controls."

Even in the Azure AD environment, customers must still protect against an attacker capturing an account that holds a privileged Azure AD role, such as Global Administrator (GA). If that happens, all bets are off.

Deploy Procedural Controls

Just as in the AD environment, procedural controls that protect against mis-assignment or abuse of the privileged administrator roles in Azure AD are critical. Those controls should ensure that any change to these roles happens only through a well-established approval process, and that the approval leaves a record your monitoring / auditing solution can check each change against.

It is the combination of procedural controls that stabilize the directory environment, auditing that checks the controls are working, and a response or rollback capability that gives defenders a second chance. Audit and a second chance are just as important in the hybrid environment as they are in Active Directory itself.
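Concretely, "a record your auditing solution can check against" means reconciling every privileged-role change, on both sides of the hybrid boundary, with an approved change record, and turning whatever has no approval into a rollback list. The following is an added example, not code from the original post or from any BeyondTrust product. It normalizes two constructed event sources to one shape: Azure AD audit-log entries for "Add member to role" (field names loosely follow the audit-log export and are simplified) and Windows Security event 4728, "a member was added to a security-enabled global group", from a domain controller, where the group name is carried in TargetUserName and the member as a distinguished name. The approval-ticket format (member, role, not_before, not_after, ticket) is an assumption standing in for your change-management system.

```python
"""Reconcile privileged-role changes in Azure AD and on-premises AD against
approved change records, and produce the rollback list for the rest.

Added example for this post, not the post's or any vendor's own code.
All events and approvals below are constructed; the approval format is
an assumed stand-in for a real change-management system.
"""
from datetime import datetime

# roles whose membership changes must always map to an approval
PRIVILEGED_ROLES = {"global administrator", "domain admins"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _azure_add_role(ts, actor, member, role):
    # simplified shape of an Azure AD audit-log "Add member to role" entry
    return {"activityDateTime": ts, "activityDisplayName": "Add member to role",
            "initiatedBy": actor,
            "targetResources": [{"userPrincipalName": member, "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": role}]}]}


def _ad_4728(ts, actor, member_dn, group):
    # subset of Windows Security event 4728 fields from a domain controller
    return {"TimeCreated": ts, "EventID": 4728, "SubjectUserName": actor,
            "MemberName": member_dn, "TargetUserName": group}


# Constructed: two approved additions during a change window, then two
# additions late at night by a sync service account that nobody approved.
AZURE_AUDIT = [
    _azure_add_role("2019-06-25T09:10:00Z", "helpdesk.lead@contoso.com",
                    "ops.oncall@contoso.com", "Global Administrator"),
    _azure_add_role("2019-06-25T23:41:00Z", "svc-sync@contoso.com",
                    "ext.consultant@contoso.com", "Global Administrator"),
]
AD_SECURITY = [
    _ad_4728("2019-06-25T09:15:00Z", "helpdesk.lead",
             "CN=ops.oncall,OU=Admins,DC=contoso,DC=com", "Domain Admins"),
    _ad_4728("2019-06-25T09:20:00Z", "helpdesk.lead",
             "CN=ops.oncall,OU=Admins,DC=contoso,DC=com", "Backup Operators"),
    _ad_4728("2019-06-25T23:50:00Z", "svc-sync",
             "CN=svc-backup,OU=Service,DC=contoso,DC=com", "Domain Admins"),
]
APPROVALS = [
    {"ticket": "CHG-1234", "member": "ops.oncall@contoso.com", "role": "Global Administrator",
     "not_before": "2019-06-25T09:00:00Z", "not_after": "2019-06-25T10:00:00Z"},
    {"ticket": "CHG-1234", "member": "ops.oncall", "role": "Domain Admins",
     "not_before": "2019-06-25T09:00:00Z", "not_after": "2019-06-25T10:00:00Z"},
]


def normalize_azure(entries):
    """Azure AD audit entries -> common change records (role names lower-cased)."""
    out = []
    for e in entries:
        if e["activityDisplayName"] != "Add member to role":
            continue
        target = e["targetResources"][0]
        role = next(p["newValue"] for p in target["modifiedProperties"]
                    if p["displayName"] == "Role.DisplayName")
        out.append({"when": _ts(e["activityDateTime"]), "actor": e["initiatedBy"].lower(),
                    "member": target["userPrincipalName"].lower(),
                    "role": role.lower(), "source": "azuread"})
    return out


def normalize_ad(events):
    """Event 4728 records -> common change records. The member arrives as a DN;
    the leading CN is used as the account name (escaped commas not handled)."""
    out = []
    for e in events:
        if e["EventID"] != 4728:
            continue
        cn = e["MemberName"].split(",")[0].split("=", 1)[1]
        out.append({"when": _ts(e["TimeCreated"]), "actor": e["SubjectUserName"].lower(),
                    "member": cn.lower(), "role": e["TargetUserName"].lower(), "source": "ad"})
    return out


def privileged_changes(azure_entries, ad_events):
    changes = normalize_azure(azure_entries) + normalize_ad(ad_events)
    return sorted((c for c in changes if c["role"] in PRIVILEGED_ROLES), key=lambda c: c["when"])


def approval_for(change, approvals):
    """Ticket covering this member+role at this time, or None."""
    for a in approvals:
        if (a["member"].lower() == change["member"] and a["role"].lower() == change["role"]
                and _ts(a["not_before"]) <= change["when"] <= _ts(a["not_after"])):
            return a["ticket"]
    return None


def unapproved_changes(azure_entries, ad_events, approvals):
    return [c for c in privileged_changes(azure_entries, ad_events)
            if approval_for(c, approvals) is None]


def rollback_plan(changes):
    """What the response step has to undo: (source, role, member) triples."""
    return sorted({(c["source"], c["role"], c["member"]) for c in changes})
```

Run over the constructed data, the two daytime additions are matched to CHG-1234 and the Backup Operators change is ignored as non-privileged, while the two 23:41 and 23:50 additions made by the sync account come back as unapproved, with a rollback list of one Global Administrator and one Domain Admins membership to remove. The same pattern extends to removals (event 4729 and "Remove member from role") and to Enterprise Admins, which as a universal group logs event 4756 rather than 4728.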

For a deeper dive on this subject, check out my on-demand webinar, Mastering Hybrid Active Directory Auditing.

Additional AD Security & Auditing Resources

Active Directory Audit and Response: Giving Cyber Defenders a Second Chance (blog)

Active Directory Security Explained & 7 Best Practices (blog)

Real-Time Auditing and Recovery for Windows Environments (solutions page)

Active Directory Audit: Why and How (on-demand webinar)

Dan Blum

Cybersecurity Strategist and Author

Dan Blum is an internationally recognized strategist in cybersecurity and risk management. He was a Golden Quill Award-winning VP and Distinguished Analyst at Gartner, Inc., has served as the security leader for several startups and consulting companies, and has advised hundreds of large corporations, universities, and government organizations. He consults with clients on identity management, PAM, risk management, and other topics. His book Rational Cybersecurity for Business: The Security Leaders' Guide to Business Alignment is freely available as Open Access via Apress, or on Amazon.
