Securing Active Directory against ransomware in the public sector
Ransomware attacks on public sector organizations are rising. Here's why securing Active Directory is where government IT teams should start.
Published April 29, 2026
Ransomware isn't just a private-sector problem. Government and public sector organizations face the same threat actors, often with tighter budgets and older infrastructure. Strong Active Directory (AD) security, starting with multi-factor authentication (MFA) but going beyond it, is where government IT teams should start.
Since 2020, ransomware has hit government organizations across the US and UK, including state governments and local councils. In the UK, high-profile attacks crippled the Royal Mail and the British Library for months.
At first glance, government seems like an odd target. Many public sector organizations are unlikely, or outright forbidden by regulation, to pay ransoms.
Disruption: One explanation is that, in some countries, commercial ransomware gangs have merged with nation-state actors bent on disruption for its own sake.
Budgetary constraints: Attackers tend to exploit sectors with known weaknesses. Government is a sector where cybersecurity budgets are usually tight, and attackers may assume that this makes security gaps and oversights more likely.
Legacy systems: Adding to this is the government sector's well-documented reliance on older technology with widely known security vulnerabilities.
Past assumptions about attacker motivations no longer hold. For ransomware groups, the public sector has become a consistent, attractive target. No organization is exempt.
Targeting public sector organizations is no different from the attack modus operandi for any other sector.
The first stage is to look for a point of compromise, often a weak account credential. Once a compromise has been achieved, the attackers have a foothold from which to try to move invisibly behind the organization’s defenses.
In on-premises networks, one of the first internal targets will be an organization’s Active Directory (AD) Domain Controllers (DCs). AD is the foundation of network identity and access. Compromise a domain controller, and attackers can see and control almost everything on that network.
This can be difficult to detect or stop. AD lacks built-in monitoring, which means that security teams only realize that a compromise has happened when it’s too late to do anything about it.
Several high-profile ransomware groups are known to target AD, but the same is true for any ransomware actor. AD is always a target after a bridgehead has been established.
Defending AD requires organizations to do two things:
Defend the vulnerable credentials used to gain an initial foothold in the network, and
Build a deeper internal defense around AD itself.
In on-premises environments, this can be a challenge.
The standard defense against credential theft is MFA. But implementing MFA in an on-premises AD environment often requires complex middleware or migration from AD to third-party identity providers (IdPs). Even when it is successfully implemented, this approach doesn’t protect AD itself if attackers breach MFA.
UserLock solves both problems without requiring AD migration or a cloud identity provider. It runs on-premises, on a single server, and applies MFA and access controls directly on top of existing AD policies.
UserLock applies MFA, user monitoring, and privilege control on top of existing AD policies.

Importantly, UserLock’s MFA can be applied by session and connection type.

Applying MFA to UAC prompts helps protect against lateral movement. If an attacker compromises one account and tries to use credential-harvesting tools to move through the network, they'll need to authenticate at each step, including for administrator accounts.
However, MFA is not enough on its own, which is why UserLock also implements a second layer: session-based and contextual access controls.
Access controls limit the attack surface available to ransomware actors once an account is compromised.
As well as limiting the risk from concurrent sessions (multiple connections opened by a single user), UserLock can restrict users by workstation, device, IP range, organizational unit (OU), department, country, or time.

UserLock can also restrict which connection types a user account can access, for example, workstation, terminal, Wi-Fi, VPN, IIS, and SaaS.
Monitoring unusual access patterns is central to AD defense. Active Directory has no built-in account monitoring, which means IT teams must implement their own controls.
UserLock addresses this by allowing administrators to monitor user access using alerts. If a user attempts to access a resource they are not authorized for, administrators are alerted to the unusual access immediately.

To avoid alert overload, administrators can customize these alerts across a range of criteria such as connection type, user, group, organizational unit (OU), time or IP range, and outcome (whether a connection was blocked or MFA was rejected).
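To make the contextual restrictions and alert criteria described above concrete, here is an added Python example (not UserLock's code; the policy format, field names and sample logons are constructed for illustration). It evaluates logon events against connection-type, IP-range, time-window, concurrent-session and per-connection-type MFA rules, then filters the outcomes through an admin-defined alert rule:

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed per-OU access policy (illustrative; not UserLock's own format).
POLICY = {
    "allowed_types": {"workstation", "vpn"},      # permitted connection types
    "allowed_ips": [ip_network("10.20.0.0/16")],  # permitted source IP ranges
    "hours": (time(7, 0), time(19, 0)),           # permitted logon window
    "max_sessions": 1,                            # concurrent-session limit per user
    "mfa_types": {"vpn"},                         # connection types that always require MFA
}
@dataclass
class Logon:
    user: str
    conn_type: str
    source_ip: str
    at: time
    mfa_passed: bool = False  # result of the MFA prompt, if one was shown

def evaluate(logon, policy, active_sessions):
    """Apply the contextual restrictions in order; return (outcome, reason)."""
    if logon.conn_type not in policy["allowed_types"]:
        return "blocked", "connection type not permitted"
    if not any(ip_address(logon.source_ip) in net for net in policy["allowed_ips"]):
        return "blocked", "source IP outside permitted range"
    start, end = policy["hours"]
    if not start <= logon.at <= end:
        return "blocked", "outside permitted hours"
    if active_sessions.get(logon.user, 0) >= policy["max_sessions"]:
        return "blocked", "concurrent session limit reached"
    if logon.conn_type in policy["mfa_types"] and not logon.mfa_passed:
        return "blocked", "MFA rejected"
    return "allowed", "ok"

def alerts(logons, policy, active_sessions, rule):
    """Return decisions matching the admin's alert rule (any subset of the event fields)."""
    out = []
    for logon in logons:
        outcome, reason = evaluate(logon, policy, active_sessions)
        event = {"user": logon.user, "conn_type": logon.conn_type, "outcome": outcome, "reason": reason}
        if all(event.get(k) == v for k, v in rule.items()):
            out.append(event)
    return out

# Constructed sample logons: in-hours workstation logon; VPN from outside the permitted
# range; VPN from inside the range where the user rejected the MFA prompt.
SAMPLE = [Logon("j.smith", "workstation", "10.20.5.17", time(9, 30)),
          Logon("j.smith", "vpn", "203.0.113.9", time(9, 40), mfa_passed=True),
          Logon("a.jones", "vpn", "10.20.9.2", time(8, 5))]
```

Calling alerts(SAMPLE, POLICY, {}, {"conn_type": "vpn", "outcome": "blocked"}) returns the two blocked VPN events and skips the allowed workstation logon; pass {} as the rule to see every decision.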
Public sector organizations aren't necessarily more vulnerable to ransomware than organizations in other sectors. But they do face real constraints: tight budgets, complex approval chains, and legacy infrastructure.
Most of these organizations also continue to run sizable on-premises networks built on Active Directory. That's not going away any time soon.
The answer is straightforward in principle: add MFA, session controls, and access monitoring. The challenge is implementing it in real-world environments without adding too much cost, complexity, or risk.
UserLock is built for exactly that environment. It applies MFA, user access controls, session management, and privilege controls on top of existing AD policies, on a single on-premises server, with no migration and no third-party identity provider required.
The result: IT teams can better prevent the initial compromise that begins ransomware attacks, limit what attackers can access if an account is compromised, and detect suspicious activity before it reaches AD.