From state and local governments to Federal agencies and the private sector, Active Directory (AD) – Microsoft’s proprietary directory service – is a key component of identity management, enabling administrators to manage permissions and access to network resources for every user across the enterprise.
Because of its widespread deployment in government networks and its role as gatekeeper, Active Directory stands between cyber adversaries and the data they seek. Recent breaches have shone a light on Active Directory as a threat vector that adversaries are trying to exploit – making it a top security priority for government technology teams. It is also a key component of a zero trust architecture, which is central to President Biden’s recent cybersecurity executive order outlining steps to move towards a more secure government.
MeriTalk recently connected with Derek Melber, chief enterprise cybersecurity strategist at Tenable, which helps organizations understand and reduce their cyber exposure, to discuss Active Directory vulnerabilities, their impact on government, and how security teams can fortify their Active Directory to limit breaches.
MeriTalk: On a scale from one to 10, how important is the security of Active Directory to the overall security posture of the state and local government agencies?
Melber: I’m going to break the one-to-10 rule immediately and say it’s an 11. Having been in use for over 20 years, Active Directory is the prevailing identity management technology for most organizations, including state and local governments. In fact, Active Directory is used by 90 percent of Fortune 1000 organizations as their primary method for authentication and authorization, according to market research firm Frost & Sullivan. That kind of usage means that once adversaries identify the vulnerabilities of the Active Directory in one organization, those hacking techniques will work in all those other organizations too. We’re seeing a significant uptick in attacks. That makes securing Active Directory an immediate requirement for state and local government agencies.
MeriTalk: One of the most high-profile Active Directory compromises involved the U.S. government’s Office of Personnel Management (OPM) in 2015. Was that a wake-up call for government? How have approaches to Active Directory security changed since then?
Melber: It was a three-alarm wake-up call, but a lot of work remains. The OPM breach was facilitated by an Active Directory privilege escalation technique that was used to install a remote access tool allowing the attackers to navigate OPM’s systems. Once the bad actors were inside, they had access to millions of personnel records, including background checks and fingerprints for workers with classified privileges. This breach led to a congressional investigation, which certainly sparked awareness of what can happen if you aren’t securing your Active Directory.
Malicious activity roughly started in the late 2010s, and it’s morphed from denial of service, to ransomware and to impersonation as seen with the OPM breach. Adversaries today don’t want to be seen. They want to look exactly like other real users to gain access to the environment, which is where Active Directory comes into play. If you look at any of the recent ransomware attacks, they all used Active Directory to gain access to the data they’re seeking without being seen. The code of these attacks looks to see if the compromised device is joined to Active Directory. If it isn’t joined to Active Directory, the attack ceases on that device and moves on. That’s how important Active Directory is.
Throughout my career, the golden solution to security has always been continuous monitoring. Now technology teams are looking for real-time monitoring. Real-time assumes continuous monitoring, but adds the ability to gather, analyze, and alert teams to events when they happen. I’m just now starting to hear people say that we need real-time visibility, we need to know who is hitting Active Directory when they hit it. That recognition is the greatest change I have seen, and it’s coming at a time when adversaries are getting better and better at dodging visibility.
MeriTalk: Because Active Directory is so widely used and has been in place for so long, how difficult is it to secure?
Melber: There are two ways to go about securing Active Directory. One is relatively easy, while the other is extremely difficult. The difficult way is through built-in tools and point-in-time solutions that require manual analysis. While these solutions may be needed for compliance regulations and reporting, they aren’t suited for real-time monitoring to ensure Active Directory security – Active Directory is too broad, goes too deep, and is constantly changing. Often, someone has to be driving these solutions. Then, when the data comes in, someone needs to analyze it and then make decisions. By the time the process is complete, everything will have changed and it has to be done again. This leads to event fatigue, where so many events come from so many different places that real problems get buried.
The easy solution is implementing real-time, automated monitoring tools where the technology does the monitoring and analysis 24 hours a day, seven days a week. These solutions offer technology teams the real-time knowledge they need to act against suspicious activity before adversaries have a chance to gain access to the agency’s network.
MeriTalk: What are the biggest challenges state and local governments face when they’re trying to secure Active Directory?
Melber: It absolutely comes down to the visibility. There’s so much complexity in government systems due to the constant change of those environments over the years. There’s a saying in the industry: “Junk in equals junk out.” That means if you have a misconfigured environment that you upgrade, the new environment will also have misconfigurations. I truly believe one of the best things state and local governments can do is to go into their Active Directory now and mitigate existing problems.
Technology teams need to be proactive about their Active Directory security. Implementing automated monitoring to gain visibility can be done pretty quickly. It’s just getting to that point, with the necessary support from the senior level. Automated monitoring also supports a zero trust architecture, so implementing this technology reduces the overall risk, not only for Active Directory security, but also for overall enterprise security.
MeriTalk: Let’s talk a little bit about Tenable’s solution for Active Directory security. How does Tenable.ad work?
Melber: Tenable acquired a company called Alsid earlier this year, and its technology forms the backbone of Tenable.ad. It offers two architectures – on-premises as well as cloud.
Let’s talk about how it works. There are two components of Active Directory – the AD database and SYSVOL, which incorporates group policy. Most state and local governments use group policy to configure users, computers, applications – anything and everything that can be configured. Tenable.ad pulls this information into its database so it can analyze it. Tenable.ad analyzes relationships, rather than settings, which is unique.
Tenable.ad uses graph theory, a mathematical modeling technique, to evaluate every part of Active Directory with a security implication – users and computers and their attributes, access control lists, groups, and members – for attack paths. The attack paths are then floated to the surface so that the agency’s IT and security teams can see them.
In the beginning, Tenable.ad uncovers misconfigurations no matter how long they have been there, giving agencies a clear path to secure their Active Directory. After that, it monitors those attack paths in real time to spot anomalies.
A really unique thing about Tenable.ad is that it only needs read-only access – no agents or privileges are required. Nothing is installed on a domain controller in Active Directory, so the solution doesn’t become the security problem, like we saw with SolarWinds.
MeriTalk: State and local governments have a plethora of security solutions already in place. How does Tenable.ad work in tandem with other solutions?
Melber: There isn’t a single solution or magic bullet that will solve every security issue. Most state and local governments have a multitude of entry points – laptops, desktops, phones, printers, etc. Those entry points are typically protected using other security solutions. They then also have security on their applications. If they are really ahead of the security curve, they’ve started implementing zero trust protocols to prevent unauthorized lateral movement.
If those endpoints are compromised in any way, whether through a cyberattack, impersonation or an internal threat, the first place the attacker typically goes is Active Directory. That’s where Tenable.ad comes in. Many organizations rely on their security operations center (SOC) to do the heavy lifting of identifying security issues across the enterprise, and relying on traditional, built-in Active Directory monitoring solutions creates a significant security gap. Tenable.ad bridges that divide by delivering precise, context-aware information to the security information management system, so the SOC gets real-time awareness into potential Active Directory security issues.
If we can configure Active Directory correctly, agencies will reduce the attack surface, and their risk will plummet. We will see a significant reduction in breaches as a result.