04 October 2021
By Sean Deuby, director of services
Covid-19 has often been cited as the catalyst that accelerated pre-existing trends over the past 18 months, with ecommerce and automation just two of the many markets offered as evidence for this school of thought.
The widespread shift to remote and hybrid working models, however, was less acceleration and more holistic transformation born out of necessity. Prior to the pandemic, only 4% of Europeans worked from home, but when the pandemic struck this figure rose to 88% of staff.
As organisations were forced to adapt almost overnight, IT professionals were called into action, taking a variety of different approaches to ensure the continuance of operations on a remote basis. Those in more heavily regulated markets such as financial services enhanced their virtual private networks (VPNs) as a means of maintaining access to SaaS applications through the corporate network. Meanwhile, more agile markets and enterprises that were previously considering shifting to cloud-first IT policies were compelled to adopt them when staring down the barrel of a national lockdown.
In both instances, cloud-based single sign-on (SSO) capability – providing users with remote access to their corporate networks with the same credentials they use on premises – is vitally important to security.
To achieve SSO, a hybrid identity architecture that projects an organisation’s credentials into the cloud service is required. Yet hybrid identity presents its own challenges.
Not only is it more complex, most hybrid identity architectures depend upon Microsoft Active Directory (AD) – the most widely used on-prem identity system in the world, and a foundational piece of IT infrastructure for roughly 90% of companies globally.
The problem with Microsoft AD is that it was rolled out over two decades ago, in an era where the IT landscape looked entirely different. Simply put, Microsoft AD is not prepared for today’s intense threat environment.
Hybrid identity was a key vector in the SolarWinds breach
AD was designed to make resources easily discoverable to domain users, and therefore still supports several legacy applications that require insecure authentication protocols such as NTLM. Over time these legacy security gaps accumulate, creating a series of configuration weaknesses and multiple hard-to-protect points of potential entry for a cyber attacker.
A prime example of an AD-related breach is the SolarWinds attack, one of the most malicious supply chain attacks seen to date, which first came to light in late 2020.
After successfully infiltrating SolarWinds’ systems, the threat actors implemented malicious code into its Orion software – a network management tool used by 33,000 of the company’s customers.
When the next regular Orion software update was released, the tampered code created a back door that allowed the hackers to access the IT systems of 425 Fortune 500 companies and US government agencies, where they were able to deploy even more malware.
Crucially, AD was used to conduct internal reconnaissance, elevate privileges, and gain administrator access to the organisation’s domain. In turn, the SAML signing key of the organisation’s AD FS servers was stolen, enabling the execution of a Golden Ticket attack against its Microsoft 365 environment to gain access to corporate email.
Response is as important as prevention
Albeit an extreme example, the SolarWinds attack is just one of countless AD-related incidents that happen every year.
According to Mandiant researchers, approximately 90% of all businesses are exposed to security breaches as a result of AD mismanagement, while 9 in 10 attacks involve AD in some capacity – either as the initial attack vector, or as a means of manipulating and elevating privileges.
But AD is not going away. If on-premises operations exist, AD will prevail.
So, what is the solution?
At Semperis, we’ve created Purple Knight – a free, easy-to-use assessment tool that companies of all sizes can leverage to perform AD-centric security analysis. Yet this assessment is just the first step.
Organisations need an end-to-end strategy for defending against cybercriminals before, during, and after an attack. In addition to tools for identifying security gaps, security and identity teams need solutions for detecting attackers that have breached the network and are moving laterally through the system. Catching threat actors before they unleash malware can be tricky: Many malicious AD changes fly under the radar of traditional SIEMs.
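Two of the signals the article singles out, legacy NTLM authentication still in use and AD changes that a SIEM may not surface, are cheap to look for once domain controller security events are exported. The script below is an added illustration, not Semperis or Purple Knight code: it reads constructed Windows Security events in JSON-lines form (field names follow the Security log, such as AuthenticationPackageName on event 4624 and TargetUserName on the group-membership events 4728/4732/4756), counts NTLM network logons per account and source address, and flags any addition to a Tier-0 group. The sample events and the PRIVILEGED_GROUPS set are assumptions to adapt to your own environment.

```python
"""Triage exported Windows Security events for two AD hygiene signals:
legacy NTLM logons and membership changes to privileged groups.
Sample data is constructed; the event IDs and field names are the real ones."""
import json
from collections import defaultdict

LOGON = 4624                            # An account was successfully logged on
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # Member added to a security-enabled global/local/universal group

# Assumption: the groups a defender treats as Tier-0. Extend for your own forest.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample export (one JSON object per line), modelled on what a
# DC writes to the Security log and what a log shipper forwards to a SIEM.
SAMPLE_LOG = """\
{"EventID": 4624, "Computer": "DC01", "TargetUserName": "alice", "IpAddress": "10.1.5.20", "AuthenticationPackageName": "Kerberos", "LogonType": 3}
{"EventID": 4624, "Computer": "FS01", "TargetUserName": "svc_backup", "IpAddress": "10.1.9.44", "AuthenticationPackageName": "NTLM", "LogonType": 3}
{"EventID": 4624, "Computer": "FS01", "TargetUserName": "svc_backup", "IpAddress": "10.1.9.44", "AuthenticationPackageName": "NTLM", "LogonType": 3}
{"EventID": 4728, "Computer": "DC01", "SubjectUserName": "helpdesk7", "MemberName": "CN=bob,OU=Staff,DC=corp,DC=example", "TargetUserName": "Domain Admins"}
{"EventID": 4732, "Computer": "DC01", "SubjectUserName": "helpdesk7", "MemberName": "CN=bob,OU=Staff,DC=corp,DC=example", "TargetUserName": "Remote Desktop Users"}
{"EventID": 4634, "Computer": "FS01", "TargetUserName": "svc_backup", "LogonType": 3}
"""


def parse_events(text):
    """Parse JSON-lines export into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written line from the shipper should not abort triage
    return events


def ntlm_logons(events):
    """Return sorted (account, source_ip, count) for every NTLM logon seen.
    A recurring NTLM logon is a legacy dependency to track down and retire."""
    counts = defaultdict(int)
    for e in events:
        if e.get("EventID") == LOGON and e.get("AuthenticationPackageName") == "NTLM":
            counts[(e.get("TargetUserName", "?"), e.get("IpAddress", "?"))] += 1
    return sorted((user, ip, n) for (user, ip), n in counts.items())


def privileged_group_changes(events):
    """Return one finding per addition to a Tier-0 group, whoever made it."""
    findings = []
    for e in events:
        if e.get("EventID") in GROUP_ADD_EVENTS and e.get("TargetUserName") in PRIVILEGED_GROUPS:
            findings.append({
                "group": e["TargetUserName"],
                "member": e.get("MemberName", "?"),
                "by": e.get("SubjectUserName", "?"),
                "dc": e.get("Computer", "?"),
                "event_id": e["EventID"],
            })
    return findings


def triage(text):
    """Run both checks over a JSON-lines export and return the combined report."""
    events = parse_events(text)
    return {
        "ntlm_logons": ntlm_logons(events),
        "privileged_group_changes": privileged_group_changes(events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for user, ip, n in report["ntlm_logons"]:
        print(f"NTLM logon: {user} from {ip} ({n}x) - find and retire the dependency")
    for f in report["privileged_group_changes"]:
        print(f"Tier-0 change on {f['dc']} (event {f['event_id']}): "
              f"{f['by']} added {f['member']} to {f['group']}")
```

Running it on the sample reports one recurring NTLM logon (svc_backup from 10.1.9.44) and one Tier-0 change (bob added to Domain Admins by helpdesk7); the addition to Remote Desktop Users is deliberately left out of the findings, since the point is to make the handful of changes that matter stand out rather than to list every group edit.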
Once the system is breached, organisations understandably focus on resuming business operations as quickly as possible. But that approach can backfire: Threat actors will often reside in a network for weeks or months, understanding exactly what value they might be able to extract before detonating a malware payload. Without appropriate response planning, AD domain controllers restored from traditional server backups will more than likely contain the same malware – thus starting the attack cycle all over again.
Shift to remote work raises the stakes for defending against cyberattacks
As the shift toward at-home working continues, and the network perimeter dissipates, identity has become a primary line of defence against cyberattacks. It is therefore vitally important that companies understand this shift.