New guidance on detecting and mitigating AD compromises released
The Australian Cyber Security Centre (ACSC) has released new guidance titled Detecting and mitigating Active Directory compromises. The guidance aims to provide strategies that help organisations mitigate the 17 most prevalent techniques malicious cyber actors use to target Active Directory and gain access to organisations' networks.
Detecting and mitigating Active Directory compromises builds on recent updates to the Information Security Manual (ISM) and includes a checklist with Active Directory security controls for organisations.
Microsoft’s Active Directory is the most widely used authentication and authorisation solution in enterprise information technology (IT) networks globally. This makes it a valuable target for malicious cyber actors and it is routinely targeted as part of attacks on enterprise IT networks.
Active Directory is susceptible to compromise because of its permissive default settings, its complex relationships and permissions, its support for legacy protocols, and the lack of tooling for diagnosing Active Directory security issues, all of which malicious actors commonly exploit. Part of this susceptibility is that every user in Active Directory has sufficient permission to both identify and exploit weaknesses, which makes Active Directory's attack surface exceptionally large and difficult to defend.
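The following PowerShell is an added illustration of the point above and is not from the ACSC guidance or this article. It runs the kind of LDAP query that any authenticated domain user can issue from a domain-joined Windows host, using only the .NET ADSI searcher that ships with Windows (no RSAT or elevated rights needed), and reports accounts whose attributes are commonly reviewed during an Active Directory assessment. The attribute names, the bitwise-AND matching rule OID and the userAccountControl flag values are Microsoft-documented; the choice of which attributes to surface is mine, not a list taken from the guidance.

```powershell
# Added example (not the ACSC's or the article's code): enumerate account
# attributes that an ordinary authenticated user can read from Active Directory.
# Run from any domain-joined Windows host as a low-privilege domain user to see
# what an attacker with a single compromised account can see.

function Find-AdReviewableAccounts {
    param(
        # Search base; defaults to the current domain's default naming context.
        [string]$SearchBase = ([adsi]'LDAP://RootDSE').defaultNamingContext
    )

    # userAccountControl bit flags (documented by Microsoft).
    $ACCOUNTDISABLE         = 0x2
    $DONT_EXPIRE_PASSWORD   = 0x10000
    $TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
    $DONT_REQ_PREAUTH       = 0x400000   # Kerberos pre-authentication not required

    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND. Enabled user objects
    # that have an SPN, skip pre-authentication, or are trusted for delegation.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE))" +
              '(|(servicePrincipalName=*)' +
              "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)))"

    $searcher = [adsisearcher]$filter
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.PageSize = 500   # paged results so large domains return fully
    foreach ($attr in 'sAMAccountName','userAccountControl','servicePrincipalName','pwdLastSet','adminCount') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        $p   = $result.Properties
        $uac = [int]$p['useraccountcontrol'][0]

        # pwdLastSet is a Windows FILETIME (Int64); 0 means never set.
        $pwdLastSet = $null
        if ($p['pwdlastset'].Count -gt 0 -and [int64]$p['pwdlastset'][0] -gt 0) {
            $pwdLastSet = [datetime]::FromFileTimeUtc([int64]$p['pwdlastset'][0])
        }

        [pscustomobject]@{
            Account              = [string]$p['samaccountname'][0]
            HasSPN               = $p['serviceprincipalname'].Count -gt 0
            NoKerberosPreauth    = ($uac -band $DONT_REQ_PREAUTH) -ne 0
            UnconstrainedDeleg   = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
            PasswordNeverExpires = ($uac -band $DONT_EXPIRE_PASSWORD) -ne 0
            # adminCount=1 marks objects that are, or once were, in protected groups.
            AdminCountSet        = ($p['admincount'].Count -gt 0) -and ([int]$p['admincount'][0] -eq 1)
            PwdLastSetUtc        = $pwdLastSet
        }
    }
}

Find-AdReviewableAccounts | Sort-Object Account | Format-Table -AutoSize
```

Run it twice: once as a domain administrator and once as an unprivileged test user. On a default-configured domain both runs return the same rows, which is the practical meaning of "every user has sufficient permission to identify weaknesses". Accounts that appear in the output are review items rather than confirmed findings; for example, a service account with an SPN is expected, but one whose password has not changed in years deserves attention.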
Gaining control over Active Directory gives malicious cyber actors privileged access to all systems and users that Active Directory manages. With this privileged access, they can bypass other controls and access systems at will, including email and file servers, critical business applications, and extended cloud-based systems and services.
They may persist for months or even years inside Active Directory. Evicting them can require drastic action, ranging from resetting all users’ passwords to rebuilding Active Directory itself. Responding to and recovering from a compromise is often time consuming, costly and disruptive.
Defending against malicious cyber actors requires a combination of prevention and detection strategies. Organisations need to prevent as many Active Directory attacks as possible while also detecting those attacks that do occur.
The full advisory can be read here.