Why Organizations Need to Secure Directory Services in a Hybrid Deployment from Attack Paths
By Justin Kohler, Director of BloodHound Enterprise at SpecterOps
Microsoft Active Directory is one of the most common identity and access management platforms in the world, which unfortunately makes it a prime target for attackers. Attack Paths in Active Directory (AD) can give attackers nearly unlimited access to the rest of the network, allowing them to steal sensitive information and deploy malware while avoiding detection. Like many other things in security, the task of securing AD gets more complex as organizations move workloads to the cloud. The public cloud providers have their own IAM infrastructure (Azure AD & Azure Resource Manager in Azure, IAM and AWS Organizations in Amazon Web Services, etc.) that organizations need to defend along with on-premises AD. Hybrid environments allow attacks to move from on-premises AD to the cloud or in reverse, making use of weak spots in both. Comprehensive protection is the best way to ensure the organization’s sensitive data remains safe.
Here are five reasons that organizations need to secure directory services in a hybrid deployment.
- As cloud use grows, attackers are following the data
In October 2021, Microsoft reported that Azure and other cloud services grew 50% year over year in Q4 2021 and have grown between 47% and 62% every quarter since Q2 2020. The Covid-19 pandemic accelerated the shift to the cloud across many industries, and the momentum hasn’t slowed down. As data has moved to the cloud, malware has followed. A survey of CISOs conducted by IDC in mid-2021 found that 98% of respondents suffered at least one cloud data breach in the previous 18 months as opposed to 79% in 2020. There’s every reason to believe that adversaries will continue to target the cloud aggressively in 2022. Security and cloud teams should ensure they are not leaving gaps that attackers can exploit in their identity and access management infrastructure that make it easier for adversaries to target them.
- The rapid rate of change in the cloud creates uncertainty and risk
Cloud platforms are still being actively developed, which means the underlying software changes frequently: cloud products and tools get merged with other products, removed, or overhauled on a regular basis. This volatility increases security risk because it prevents security experts, whether they work in-house, for a service provider, or as a consultant, from understanding the cloud platform in detail. Every time something changes, security pros need to re-learn how it works, what its weaknesses are, and how to protect it. Until they do, they’re more likely to make mistakes, overlook security gaps or introduce insecure configurations. Since cloud platforms are relatively new compared to on-premises software, the talent pool and library of third-party resources for securing them are small to start with. These factors make the cloud especially risky, and force organizations to continuously revise their cloud security policies – increasing the chances that something will slip through the cracks.
For comparison, Microsoft Active Directory has been used for identity and access management on-premises for two decades. There are a huge number of AD admins that understand the software inside and out and an enormous library of third-party resources to help them do their job quickly and safely. While many organizations still struggle to secure AD on-premises, AD security in the cloud has additional barriers to security that make it even more important that security and cloud teams take it seriously.
- The cloud has a larger attack surface and authentication is more complex than
Cloud authentication systems are easier for attackers to exploit in some ways. First, they simply have a larger attack surface. These systems are exposed to the internet by default, whereas on-premises AD is closed to the internet by default. With on-premises AD, adversaries first needed access to the network through a user’s credentials. In the cloud, they don’t even need that.
The systems that assign permissions to specific users or groups in the major cloud platforms also tend to be more complex than they are in on-premises AD. For example, Azure AD uses at least three separate systems to manage identity and access: Azure Active Directory, Azure Resource Manager, and the Azure API Apps permissions system. Unfortunately, these systems can often conflict and make it unclear which system is the source of truth. This makes it more difficult for security teams to audit who has access to valuable systems, which in turn makes it harder for them to find and close down Attack Paths.
The more difficult it is to assign permissions, the more likely that Cloud or AD engineers will give blanket permissions to large groups of users or give a problem user admin access to just make everything work. After all, their main task is to ensure employees have access to the systems they need to do their jobs. This complexity creates additional attack paths and undermines the expertise of security and Identity Access Management engineers.
- Attacks can move from Azure to on-prem AD
Attack Paths in AD don’t just stay on-premises or in the cloud; they can cross between environments. For example, adversaries can move laterally from on-premises AD to Azure AD, escalate privilege within Azure, and then move back from Azure to on-premises AD. They can do this by abusing Microsoft Endpoint Manager to move laterally from an Azure tenant to an on-premises AD domain. This abuse becomes possible when Windows devices have been Hybrid-Joined to both the Azure tenant and the on-premises Active Directory domain. This attack can be carried out by Azure tenant authenticated users — no special privileges or roles are needed. Abusing one of the three endpoint management systems to execute PowerShell scripts on hybrid-joined devices requires either the “Global Admin” or “Intune Administrator” roles. This is why it’s vital to protect Active Directory both on-premises and in the cloud – because both of them give attackers a way in.
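To make the hybrid crossing concrete, and to show what "finding and closing down" an Attack Path means in practice, here is a small graph model written for this article as an added example. It is not BloodHound or SpecterOps code. The principals, device and relationship labels (MemberOf, GenericAll, SyncedTo, HasRole, ExecuteScript, HasSession) are constructed and simplified; the graph encodes the scenario above: an on-premises user reaches a synced identity that holds the Intune Administrator role, that role can run scripts on a hybrid-joined device, and a Domain Admin happens to have a session on that device. The script enumerates every path to Domain Admins, counts how many times each path crosses between environments, and then finds the edges whose removal alone cuts every path, which is the set a defender would fix first.

```python
"""Toy Attack Path graph for a hybrid AD / Azure tenant.

Finds cross-environment paths to a high-value target and the single edges
whose removal cuts all of them. Added illustration, not a product's code.
"""
from collections import defaultdict, deque

# Constructed sample edges (hypothetical principals and device, not real data).
# Each edge is (source, relationship, target). The "onprem:" / "azure:" prefix
# records which environment a node lives in.
SAMPLE_EDGES = [
    ("onprem:alice", "MemberOf", "onprem:Helpdesk"),
    ("onprem:Helpdesk", "GenericAll", "onprem:bob"),            # helpdesk can reset bob's password
    ("onprem:bob", "SyncedTo", "azure:bob"),                    # hybrid identity synced to the tenant
    ("azure:bob", "HasRole", "azure:IntuneAdministrator"),
    ("azure:IntuneAdministrator", "ExecuteScript", "azure:LAPTOP-01"),  # endpoint management runs scripts on the device
    ("azure:LAPTOP-01", "HasSession", "onprem:da_admin"),       # a Domain Admin is logged on to the hybrid-joined device
    ("onprem:da_admin", "MemberOf", "onprem:DomainAdmins"),
    ("azure:carol", "HasRole", "azure:GlobalAdministrator"),
    ("azure:GlobalAdministrator", "ExecuteScript", "azure:LAPTOP-01"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def find_attack_paths(edges, start, target):
    """Enumerate all simple paths from start to target as lists of (node, rel, node) hops."""
    adj = build_graph(edges)
    paths = []

    def dfs(node, visited, hops):
        if node == target:
            paths.append(list(hops))
            return
        for rel, nxt in adj.get(node, []):
            if nxt not in visited:
                visited.add(nxt)
                hops.append((node, rel, nxt))
                dfs(nxt, visited, hops)
                hops.pop()
                visited.remove(nxt)

    dfs(start, {start}, [])
    return paths


def environment(node):
    """'onprem' or 'azure', taken from the node's prefix."""
    return node.split(":", 1)[0]


def crossings(path):
    """Number of hops in a path that cross between on-premises and Azure."""
    return sum(1 for src, _, dst in path if environment(src) != environment(dst))


def reachable(edges, start, target):
    """Breadth-first reachability check."""
    adj = build_graph(edges)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for _, nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def choke_points(edges, starts, target):
    """Edges whose single removal cuts every listed start off from the target."""
    result = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if not any(reachable(remaining, s, target) for s in starts):
            result.append(edge)
    return result


if __name__ == "__main__":
    target = "onprem:DomainAdmins"
    starts = ["onprem:alice", "azure:carol"]
    for start in starts:
        for path in find_attack_paths(SAMPLE_EDGES, start, target):
            print(f"{start} -> {target}: {len(path)} hops, {crossings(path)} environment crossing(s)")
            for src, rel, dst in path:
                print(f"    {src} -[{rel}]-> {dst}")
    print("edges whose removal cuts every path:", choke_points(SAMPLE_EDGES, starts, target))
```

On this sample graph the two starting identities reach Domain Admins by different routes, but both depend on the Domain Admin session on the hybrid-joined device, so the HasSession edge is the one to remove (in practice: keep Tier 0 accounts off endpoint-managed workstations), which closes both paths at once without touching any individual role assignment.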
- Attack Paths open orgs up to dangerous attacks like ransomware
Attack Paths are a way for adversaries to get powerful access that lets them steal sensitive data, deploy ransomware or other malware, achieve persistence in the network or add backdoors that will allow them to instantly regain privileged access in the future. An adversary that is well versed in attacking AD (and most adversaries are) can gain privileges and move freely along Attack Paths with minimal risk of being discovered by defenders, achieve persistence, and gain the keys to the kingdom. Ransomware is a particularly active threat at the moment; approximately 37% of global organizations said they were the victim of some form of a ransomware attack in 2021, according to IDC’s “2021 Ransomware Study.” The FBI’s Internet Crime Complaint Center received 62% more ransomware reports year-over-year in the first half of 2021. To reduce their vulnerability to all these attacks and stop problems like ransomware at their source, organizations should work on eliminating the Attack Paths in their AD environment.
Identity and access management on-premises and in the cloud are two sides of the same coin. Organizations with a hybrid infrastructure model must protect both in order to keep their users and data safe.
About the Author
Justin Kohler is the director for the BloodHound Enterprise product line at SpecterOps. He is an operations expert who has over a decade of experience in project and program development. After beginning his career in the US Air Force, he worked for several consulting firms focused on process and workflow optimization and held positions at Microsoft and Gigamon. He enjoys building and leading teams focused on customer delivery at Fortune 500 companies.
Justin can be reached online at @JustinKohler10 and at our company website https://bloodhoundenterprise.io/