Better access management and better ways of securing user credentials are key to preventing an Active Directory (AD) breach. Because once a hacker gets onto the Active Directory server, they have free rein of the organization's most valuable assets.
Active Directory: One identity source for all access types
Roughly 90% of organizations worldwide use Active Directory as the user identity repository, acting as the primary source of trust for identity and access.
As we all know, Microsoft developed Active Directory for Windows domain networks, Active Directory provides authentication services to verify the user is who they say they are, authentication and authorization to access resources on the network and group policy processing to enforce security settings across clients and servers in the organization.
Today as businesses extend their architecture outside of traditional perimeters, many more users are dependent on RDP connections and a VPN access strategy for remote access. VPNs rely upon an on-premises corporate identity source, usually Active Directory, to authenticate users accessing the corporate network.
Why access is key to prevent attacks
Security attacks on Active Directory are not a matter of if, but rather when. In almost every successful attack, Active Directory is manipulated, encrypted or destroyed. Why? Because there are only a handful of vital IT assets that allow hackers to spread after an initial breach, and one towers above them all: Active Directory.
According to Verizon's annual Data Breach Investigations Report, compromised or stolen credentials are involved in almost 80% of successful data breaches. They serve as an entry point into an organization’s network and its information assets. An attacker is powerless to do anything in your organization unless they are able to compromise a set of internal Active Directory credentials.
Now this first access is often a low-level endpoint with no rights to access anything of value. It acts however, as an initial foothold to start lateral movement (the process of jumping machines to locate and access a system with valuable data).
In fact with the exception of perimeter attacks (where attack methods like SQL injections need no credentials to access data), all layers of access within your environment require a logon at some point. Endpoints require logons for access, lateral movement of any type requires authentication to access a target endpoint, and access to data itself first requires an authenticated connection.
Simply put, no logon, no access!
Read more about how the City of Keizer uses UserLock to enhance access security following a ransomware attack.
Compliance also starts with securing access
Many countries also require enterprises to care about securing identities and preventing unauthorized access. Regulations such as GDPR, HIPAA and Sarbanes-Oxley hold organizations accountable for controlling access to personal, customer or employee information. This single word "access" represents the process of someone using an account to actively connect to a system and open/read/copy/download sensitive data — an action that begins with that person logging on.
The logon is the most compelling point at which to both monitor compliance, as well as (providing you have the proper security solution in place) to stop potentially inappropriate access (again, read: compliance breach) from ever happening.
Access management for Active Directory environments
The concept of effective access management centers around five primary functions – all working in concert to maintain a secure environment:
Two-factor authentication: Regulating user access involves authentication to verify the identity of a user. But authentication using only a strong user name and password doesn’t cut it anymore. Two-factor authentication combines something you know (your password) with something you have (a token or authenticator application).
Access restrictions: Policies can be added on who can logon when, from where, for how long, how often, and how frequent. It can also limit specific combinations of logon types (such as console- and RDP-based logons).
Access monitoring: Awareness of every single logon as it occurs serves as the basis for the enforcing policy, alerting, reporting, and more.
Access alerting: Notifying IT, and users themselves, of inappropriate logon activity and failed attempts helps alert on suspicious events involving credentials.
Access response: Allows IT to interact with a suspect session, to lock the console, log off the user, or even block them from further logons.
By putting these sets of functionality together, access management puts a protective layer at the forefront of your network, ensuring use is appropriate.
Why access management?
Now, you might ask yourself, why Access Management and not something else, like Next Gen Antivirus or Endpoint Security. It’s a valid question. Unlike most security solutions, which attempt to reside at the point of the malicious actions, Access Management seeks to seamlessly insert itself into the process, stopping the threat action before it happens.
1. The logon functions are at the core of every attack
As said before, common to every type of attack is the need to logon. Whether accomplished using a remote session, via PowerShell, leveraging a mapping of a drive, or by logging on locally at a console, your network requires that a user authenticate themselves prior to being given any kind of access.
2. Automated controls actually stop an attack
This is one of the most important aspects of your security strategy. Nearly every security solution on the market says they stop attacks. Be careful here — does the solution just alert IT to a threat potential (which only stops an attack once IT intervenes, or perhaps just minimizes the attacker’s exposure, but didn’t actually stop the attack), or does it actually take action and stop the attack?
Unlike security solutions that require an attacker to perform some kind of inappropriate action, such as attempting to access sensitive data, making copies to a USB stick, or attaching files to web-based email, identifying a potential attack with access management occurs before any access of any kind is achieved, let alone leveraged.
Should a logon fall outside a set of established restrictions, it can automatically block access or prompt again for a second factor of authentication. Or if already connected, immediately log a user off forcefully and lock the account, putting a stop to the attack before any malicious actions are taken.
3. Accuracy to limit false positives
The dreaded part of any security solution is the potential for a storm of alerts that turn out to be false positives. With so many users logging on — and at just about any time of the day — it’s critical that IT have solutions in place that are certain about the attack potential.
Using customized policy-driven controls, Access Management is configured based on the normal use of the environment, only providing alerts when a logon is out of policy.
4. Seamless integration with Active Directory for IT teams
Access Management integrates with the existing logon process to extend, not replace security. Solutions that work along the existing Active Directory infrastructure don’t frustrate IT teams. They are simple to implement and intuitive to manage.
5. Easy adoption by end users
If security overwhelms and stifles productivity, users can’t do their job and the solution is already dead on arrival. Access management offers security behind the scenes, protecting the users and the environment until the moment the user is truly conflicting with security protocol.
6. Training-less implementation
Could you imagine if you had to train every single user how to use some new security solution? Such an idea is a complete non-starter. Access Management should require zero training, making implementation easy in any type of organization.
7. Supports the zero trust model
With "never trust, always verify" as its principle, the zero trust model recognizes the need to see and verify everything accessing and going on in the network. Customized two factor authentication prompts and granular access restrictions can be created to specifically put more stringent limits, alerts, and responses on those with higher risk.
8. Cost effectiveness
If you agree with the "when" not "if" premise, then you already know your security strategy is incomplete and requires more investment. Security doesn’t have to come at a high cost — but it does have to be effective in relation to its cost. Access management ensures (in the case of security spend) the most security protection with the least amount of money spent.
The myths of two-factor authentication and what it means for companies who go without
Once an attacker logs in to your system using an employee’s legitimate login details, your anti-virus, anti-intrusion, firewall and other technologies are not going to flag anything unusual. Those tools believe that the person accessing your network is exactly who they say they are.
The sobering reality for companies without two-factor authentication (2FA) is that when employees fall for phishing scams or share passwords, you are wide open to attack.
Despite the obvious threat, a few years ago, IS Decisions' survey of IT decision-makers found that just 38 percent use 2FA to strengthen network credentials. Today we continue to see other research that show things haven’t much changed.
So why the reluctance in adopting 2FA?
Myth Number 1: 2FA is only for large enterprises?
No. A common misconception exists that a company needs to be a certain size to benefit from 2FA. Adopting a 2FA solution should be a key security initiative for any company, regardless of size. The data they want protecting is no less sensitive, the disruption no less serious. It doesn’t have to be complex, costly or frustrating!
Myth Number 2: 2FA is just for privileged users
No again. Many companies continue to rely only on local Windows credentials as they see most employees as not having access to critical, sensitive, protected or otherwise valuable data. Requiring them to use 2FA to log on seems a bit of an overkill. But the reality is that those employees' companies might consider "non-privileged" — regular users doing their jobs — actually do have access to data that can harm the company. The simple act of a nurse selling a celebrity patient’s data to a tabloid demonstrates the value of data, and the potential harm to the organization that can come from it being inappropriately used.
Additionally, external attacks rarely start with a privileged account that has access to the data you want to protect. The number one tactic used in hacking attacks is stolen credentials; cyber-criminals leverage any account that falls victim to phishing scams to laterally move within the organization to identify, access, and exfiltrate valuable data.
Myth Number 3: 2FA is not a perfect solution
No, but its close! Like any security solution, the use of two-factor authentication is not perfect. Recently the FBI issued a warning on events where hackers were able to bypass 2FA. The two main authenticator vulnerabilities are:
Channel Jacking, which involves the takeover of the communication channel used for the authenticator, and
Real-Time Phishing, which uses a machine-in-the-middle to intercept and replay authentication messages. Experts agree considerable costs and effort are needed for such attack types.
The vast majority of attackers which encounter 2FA will simply move on to their next (easier) victim than try to bypass this security. There’s also simple precautions you can take to avoid certain vulnerabilities by choosing 2FA authenticators that do not rely upon SMS authentication. (The National Institute of Standards and Technology (NIST) discourages SMS and voice in its latest Digital Identity Guidelines.
Despite its recent warning, the FBI maintains that 2FA is still effective and remains one of the simplest steps a company can take to harden security.
Myth Number 4: 2FA impedes employees’ productivity
The challenge, as with any new technology, is to implement access controls in such a way that least impedes the productivity of users. Employees won’t tolerate methods that are too disruptive. They will find ways to circumvent security controls and access resources more conveniently. Without this sensibility it not only slows down adoption, it can bring it to a screeching halt!
Therefore flexibility is needed for any 2FA solution. Administrators may want to avoid prompting the user for 2FA each time they log in. A great way to do this is to do improve identity assurance with contextual controls. Transparent to the end-user they make use of environment information to further verify all users’ claimed identity but don’t impede on employee productivity. Contextual factors can include location, machine, time, session type and number of simultaneous sessions.
Secure your Active Directory resources at the logon
Effective MFA and access management solutions offer seamless, secure logins to their entire Windows Active Directory network. So business continues as usual, but IT gets the clarity and control necessary to automatically shut down suspicious activity at the point of entry.