The Threat of Privilege Abuse in Active Directory

In early 2024, the BlackCat ransomware attack against Change Healthcare caused massive disruption across the U.S. healthcare sector. It later emerged that the intrusion began with compromised credentials used to log in remotely to a Change Healthcare Citrix portal, and that access to the portal was not protected by multi-factor authentication (MFA).

Using this access, the attackers moved laterally through Change Healthcare’s systems, exfiltrated data and eventually deployed ransomware, with consequences that continue to affect millions of Americans.

The incident is one of many recent attacks highlighting Active Directory vulnerabilities, underlining why managing the threat of privilege abuse in Windows Active Directory (AD) is essential to securing today’s networks.

Without the right protections, attackers can compromise any standard user account in AD and elevate privileges to gain far more powerful and dangerous access.

On-Premise Active Directory Security Vulnerabilities

For adversaries, no target has more value than Windows Active Directory, the foundation of most organizations’ identity and access management. Although the Change Healthcare breach is a well-known incident, it is hardly the only example; numerous other cyberattacks have exploited similar weaknesses in AD.

Unfortunately, one reason for AD security vulnerabilities is that the size and complexity of the platform mean that many aspects of securing AD are not straightforward. This is especially true for on-premises AD, where organizations must assemble the additional security layers on their own.

Attackers try to compromise non-privileged AD accounts to get inside the network. Once they are in, they can open a Pandora’s box of tools and techniques to manipulate AD from within. As the Change Healthcare example underlines, the most exposed surface is user accounts and their credentials.

Credential and account compromise is therefore central to AD security, which makes the way accounts are managed, monitored, and secured a fundamental part of defending AD.

Good AD defense isn’t only about stopping attackers at the initial access point. It’s also about making it difficult to move laterally inside the network if they do get in.

Exploiting and Elevating Privileges in Active Directory

The idea of privileges in AD is easy to misunderstand. Normally, we think of privileged access as relating exclusively to special accounts such as those operated by admins that confer system-level powers.

Actually, AD has an array of privileged groups and accounts, each with different rights: Enterprise Admins, Domain Admins, Schema Admins, the group policy administrators (the built-in Group Policy Creator Owners group), the backup administrators (Backup Operators), the account administrators (Account Operators), and application service accounts. In many cases, a single administrative account is a member of more than one of these groups.

Why have so many admin types? The answer is that, as with network management in general, good AD administration is based on the principle of least privilege. Every account should hold only the privileges needed to do the job assigned to it. This is especially important where those privileges confer admin-level powers.

This leads to an important point: every account in AD, including the humblest user account, holds some privileges. In AD, even the most basic privilege is a privilege that poses a risk and therefore needs to be controlled.

The soft underbelly of AD is the ability of an attacker to elevate privileges. Attackers routinely compromise an ordinary Active Directory user account and elevate its privileges to reach more sensitive areas of the network. This reminds us not to underestimate the importance of securing all AD accounts.

How do attackers elevate privileges? Numerous techniques exist, including exploiting software vulnerabilities or misconfigurations and abusing legitimate AD mechanisms such as delegation and Kerberos. But today’s attackers just as often use reconnaissance tooling to enumerate the privileged groups and then hunt for those accounts’ credentials, whether cached in memory, hard-coded in scripts, or recoverable offline from the Kerberos service tickets of privileged service accounts. The attackers then assume the privileges of these accounts to expand their access.
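The two preceding points, that least privilege applies to every admin group and that attackers go looking for exactly those accounts, are easiest to act on with an inventory. The following PowerShell is an added example, not code from the article or from IS Decisions. It assumes the RSAT ActiveDirectory module on a domain-joined host; the group names are the real built-in AD groups (the article’s “group policy admins”, “backup admins” and “account admins” are Group Policy Creator Owners, Backup Operators and Account Operators), and the risk thresholds (password older than a year, and so on) are the author’s own assumptions.

```powershell
# Added example: inventory AD's privileged groups, expand nested membership, and flag
# members that give an attacker an easy path to those privileges.
# Assumes the RSAT ActiveDirectory module; any domain user can read this data.
Import-Module ActiveDirectory

# AdminSDHolder-protected groups. Server Operators and Print Operators are not in the
# article's list but are protected groups with comparable power, so they are included.
$privilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators',
    'Print Operators', 'Group Policy Creator Owners'
)
$props = 'ServicePrincipalName', 'PasswordNeverExpires', 'PasswordLastSet',
         'LastLogonDate', 'Enabled', 'AdminCount'

$findings = foreach ($groupName in $privilegedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # Enterprise/Schema Admins exist only in the forest root domain

    # -Recursive expands nested groups, so an account that is a Domain Admin only
    # through several levels of nesting is still listed.
    foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
        if ($member.objectClass -ne 'user') { continue }
        $u = Get-ADUser -Identity $member.distinguishedName -Properties $props

        [pscustomobject]@{
            Group           = $groupName
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            # A privileged account with an SPN is Kerberoastable: any domain user can
            # request its service ticket and attack the password offline.
            HasSPN          = [bool]$u.ServicePrincipalName
            PwdNeverExpires = $u.PasswordNeverExpires
            PwdAgeDays      = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            LastLogon       = $u.LastLogonDate
        }
    }
}

# Accounts stamped adminCount=1 that are no longer in any protected group keep the
# locked-down AdminSDHolder ACL and are usually leftovers worth reviewing.
$privilegedSams = $findings.Account | Sort-Object -Unique
$orphaned = Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $privilegedSams -notcontains $_.SamAccountName }

$findings | Sort-Object Group, Account | Format-Table -AutoSize

# Assumed thresholds: an SPN, a non-expiring password, or a password older than a year.
$findings | Where-Object { $_.HasSPN -or $_.PwdNeverExpires -or $_.PwdAgeDays -gt 365 } |
    Format-Table Group, Account, HasSPN, PwdNeverExpires, PwdAgeDays -AutoSize

"Accounts with adminCount=1 outside every privileged group: $($orphaned.SamAccountName -join ', ')"
```

Run it from any domain member; the output is the list of accounts whose compromise would hand an attacker admin-level rights, which is the list to shrink first. Note that Get-ADGroupMember -Recursive can fail on very large groups or on groups containing foreign security principals from trusted domains; in a multi-domain forest, run it in each domain.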

How to Stop Privilege Abuse and Secure Active Directory Access

Securing AD requires multiple layers of security, including defending against phishing attempts, enforcing strong passwords, and securing all accounts using MFA.

It’s key to monitor and audit privileged account access and admin actions, and to alert when an admin account changes group memberships or policies. This protects against external attacks and insider threats alike.

However, because AD management is never one-size-fits-all, even for privileged users, admins must be able to apply policies granularly, so that a given account can be permitted only to “read” (view group properties or members without changing them) or also to “write” (modify them).
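The monitoring described above maps onto specific Windows Security events on the domain controllers. The following PowerShell is an added example, not code from the article or from IS Decisions; it assumes a domain controller named dc01.corp.example (an assumption), and that the advanced audit policies “Audit Security Group Management” and, for GPO edits, “Audit Directory Service Changes” are enabled, since without them the events are never written.

```powershell
# Added example: pull privileged-group membership changes, GPO modifications and
# audit-policy changes out of a domain controller's Security log.
# Assumed DC name; run as an account that can read the DC's Security log.
param(
    [string]$DomainController = 'dc01.corp.example',
    [int]$Hours = 24
)

$privilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Group Policy Creator Owners'
)
$memberAdded   = 4728, 4732, 4756   # member added to global / local / universal security group
$memberRemoved = 4729, 4733, 4757   # member removed
$eventIds = @($memberAdded + $memberRemoved + 5136 + 4719)  # 5136 = AD object modified, 4719 = audit policy changed

$events = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = $eventIds
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Event fields are reached through the event XML rather than by parsing the message text.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$alerts = foreach ($e in $events) {
    switch ($e.Id) {
        { $_ -in $memberAdded -or $_ -in $memberRemoved } {
            $target = Get-EventField $e 'TargetUserName'   # the group that was changed
            if ($privilegedGroups -contains $target) {
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Action = if ($e.Id -in $memberAdded) { 'MemberAdded' } else { 'MemberRemoved' }
                    Actor  = Get-EventField $e 'SubjectUserName'
                    Target = $target
                    Detail = Get-EventField $e 'MemberName'
                }
            }
        }
        5136 {
            # Only GPO objects; 5136 also fires for every other directory change.
            if ((Get-EventField $e 'ObjectClass') -eq 'groupPolicyContainer') {
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Action = 'GPOModified'
                    Actor  = Get-EventField $e 'SubjectUserName'
                    Target = Get-EventField $e 'ObjectDN'
                    Detail = "$(Get-EventField $e 'AttributeLDAPDisplayName')=$(Get-EventField $e 'AttributeValue')"
                }
            }
        }
        4719 {
            # Attackers turn auditing off before doing anything noisy; treat this as high priority.
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Action = 'AuditPolicyChanged'
                Actor  = Get-EventField $e 'SubjectUserName'
                Target = 'LSA audit policy'
                Detail = Get-EventField $e 'SubcategoryGuid'
            }
        }
    }
}

$alerts | Sort-Object Time | Format-Table -AutoSize
```

In practice the same filter is what you hand to a SIEM; the script is useful for checking that the audit policy is actually producing the events before relying on an alert built on them. Group changes are logged only on the DC that processed the write, so collect from every DC, not just one.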

Apply MFA on User Account Control (UAC) Prompts

By default, a UAC (User Account Control) elevation prompt asks for at most a password: a logged-on administrator in Admin Approval Mode simply clicks Yes, and a standard user supplies an administrator’s username and password. Adding MFA to this step substantially reduces the attack surface and is a strong measure against privilege abuse and AD compromise. If you can also alert on UAC prompts, you will detect threat actors trying to move through the network more quickly. One caveat: Microsoft does not treat UAC as a security boundary, and an attacker already running code as a local administrator can often bypass the prompt, so MFA at elevation complements tight control of privileged group membership rather than replacing it.
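Windows itself has no MFA hook for UAC; requiring a second factor at the prompt needs an additional credential-provider layer and is not shown here. What is native is tightening the prompt and auditing who elevated. The following PowerShell is an added example, not code from the article or from IS Decisions; it assumes it is run elevated on the host under review, and that “Audit Process Creation” is enabled, since event 4688 is not written otherwise.

```powershell
# Added example: check the local UAC policy against hardened values and list
# processes that started with a full administrator token (i.e. after elevation).
# Run elevated on the host under review.

$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: 0 = elevate silently, 1 = credentials on secure desktop,
#   2 = consent on secure desktop, 3 = credentials, 4 = consent,
#   5 = consent for non-Windows binaries (the Windows default).
# ConsentPromptBehaviorUser: 0 = automatically deny, 1 = credentials on secure desktop,
#   3 = credentials (the Windows default).
# The "Want" values are this example's hardening targets, not a Microsoft baseline.
$checks = @(
    [pscustomobject]@{ Setting = 'EnableLUA';                  Value = $uac.EnableLUA;                  Ok = ($uac.EnableLUA -eq 1);                     Want = '1 (UAC enabled)' }
    [pscustomobject]@{ Setting = 'ConsentPromptBehaviorAdmin'; Value = $uac.ConsentPromptBehaviorAdmin; Ok = ($uac.ConsentPromptBehaviorAdmin -in 1, 2); Want = '1 or 2 (prompt on secure desktop)' }
    [pscustomobject]@{ Setting = 'ConsentPromptBehaviorUser';  Value = $uac.ConsentPromptBehaviorUser;  Ok = ($uac.ConsentPromptBehaviorUser -in 0, 1);  Want = '0 (deny) or 1 (credentials on secure desktop)' }
    [pscustomobject]@{ Setting = 'PromptOnSecureDesktop';      Value = $uac.PromptOnSecureDesktop;      Ok = ($uac.PromptOnSecureDesktop -eq 1);         Want = '1' }
)
$checks | Format-Table -AutoSize

# Event 4688 carries TokenElevationType: %%1936 = default token, %%1937 = full
# administrator token, %%1938 = limited (filtered) token. %%1937 means the process
# started elevated, either via a UAC prompt or from an already-elevated parent.
$since = (Get-Date).AddHours(-24)
$elevations = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        $field = { param($n) ($d | Where-Object Name -eq $n).'#text' }
        if ((& $field 'TokenElevationType') -eq '%%1937') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$(& $field 'SubjectDomainName')\$(& $field 'SubjectUserName')"
                Process = & $field 'NewProcessName'
                Parent  = & $field 'ParentProcessName'   # populated on Windows 10 / Server 2016 and later
            }
        }
    }
$elevations | Sort-Object Time | Format-Table -AutoSize
```

Forwarding these 4688 records centrally and alerting on elevations by accounts that should never be administrators on a given host (a domain admin elevating on an ordinary workstation, for example) is the practical form of the “alerts on UAC prompts” the article recommends.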

Defending Active Directory Does Not Stop at the Logon

Defending AD isn’t easy. It’s a large and complex platform that assumes organizations will assemble additional layers of security. To succeed, defenders must address wide-ranging threats including credential compromise, lateral movement, privilege abuse, insider threats, and more.

Critically, defenders must stop onboarding solutions solely to check off compliance and cyber insurance requirements. They also must ensure their solutions offer the security necessary to prevent the above threats. Some solutions check boxes, others offer effective security that also happens to check boxes — the latter are harder to find.

What’s the takeaway here? Even if you’ve implemented MFA to secure the logon, ensure you can control and monitor what happens once a user gains access.

Organizations don’t dedicate as much effort to defending internal actions inside AD as they do initial access. Real-world cyberattacks tell us this is a mistake. What happens after an attacker gains access is just as important as the initial compromise.

About the Author

François Amigorena is the founder and CEO of IS Decisions, a global software company specializing in access management and MFA for Microsoft Windows and Active Directory environments. After a career at IBM and a subsidiary of la Société Générale, François became an entrepreneur in 1989 and has never looked back. François can be reached
