Active Directory Security: “Drift Happens”

August 17, 2021

New threats, vulnerabilities and attack types emerge constantly, and Active Directory is usually central to the attack. Security teams should immediately secure existing hardware, operating systems, applications, software and Active Directory.

New ransomware variants, new exploits, more tactics… it seems like attackers come up with something novel every week. There’s a silver lining, though. With every new attack and breach, followed by analysis of the attack process, we see patterns. By analyzing these patterns and addressing what the attacker relies on, we can disrupt the hackers and reduce overall security risk.

Pattern #1

Attackers initially compromise enterprises by one of two methods. First, they exploit vulnerabilities in the hardware, operating systems, software, applications, etc. of the devices they target. We all know that patching is essential, but it’s just like taking our vitamins – we may forget, or we just don’t see the benefits until it is too late. Second, they leverage misconfigurations in that same hardware, operating systems, software and applications. Thousands of security settings need to be configured, and they often aren’t secured correctly. With simple queries an attacker can determine what’s running on the device they’ve connected to, which tells them exactly which misconfigurations to look for. Securing these configurations before the attacker can see them is essential.

Pattern #2

Current security tools and practices aren’t sufficient to secure our networks. The following tools and practices are useful, but leave major gaps in security:

Pen testing
Assessments
Audits
AD monitoring
SIEM solutions
User behavior analytics
AI
EDR and AV

Many of these solutions are point-in-time, meaning their results are outdated within days.
Other solutions are more continuous, but they don’t dig into the depths of the network infrastructure to provide information at the level the attacker is working.

Pattern #3

Regardless of the entry point, Active Directory is always a next step. Over and over again we see forensic proof that Active Directory was leveraged to move laterally and gain privileges in order to deploy ransomware. RYUK, SolarWinds and XingLocker (a variant of MountLocker) specifically require Active Directory to be involved. Attackers know how to enumerate and analyze Active Directory, so they rely on it for a successful breach and deployment of malicious software. It’s also central to authentication and resource access, which is another key reason attackers love to leverage AD.

The Solution

The direct solution to protecting your network and data is to target what attackers are targeting: Active Directory security and vulnerability management.

First, existing hardware, operating systems, applications, software and Active Directory must be secured. If the attacker is aiming to enumerate and analyze any and all aspects of your network, that needs immediate attention.

Second, all the work securing your network and devices shouldn’t go to waste. Once you’ve patched and secured configurations, these efforts need to be maintained constantly – that means 24x7 continuous and automatic analysis of all vulnerabilities and configurations. Think of it as keeping your attack surface as small as possible, nonstop.

Finally, the ability to detect attacks is vital. Simpler attacks such as password spraying and guessing need to be detected as soon as they start so they can be shut down immediately. More advanced attacks like DCSync, DCShadow and Golden Ticket also need to be detected as they occur. These advanced attacks are used for persistence and backdoors, as well as to open up new attack paths the attacker can leverage. Common tools can’t correctly detect everything.
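As an added example (not code from the post or from Tenable), here is the detection logic for the password-spraying pattern just described, run over constructed failed-logon records in the shape a SIEM might forward for Windows event 4625. A spray shows up as one source hitting many distinct accounts in a short window, which is why the check counts distinct target accounts per source rather than failures per account; the field names, window and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(minute, src_ip, account, event_id=4625):
    # Constructed record; 4625 = failed logon, 4624 = successful logon.
    return {"ts": datetime(2021, 8, 17, 9, minute), "src_ip": src_ip,
            "account": account, "event_id": event_id}


# Constructed sample log: one spraying source, one single-account brute force,
# and one success that must be ignored.
SAMPLE_EVENTS = (
    [_ev(i % 4, "10.0.0.5", f"user{i:02d}") for i in range(6)]   # six accounts, 4 min
    + [_ev(i, "10.0.0.9", "alice") for i in range(6)]             # one account, 6 fails
    + [_ev(4, "10.0.0.5", "user06", event_id=4624)]                # success, not a failure
)


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return (source_ip, window_start, distinct_accounts) for each source that
    fails against at least `min_accounts` DIFFERENT accounts within `window`.

    Classic lockout/brute-force logic keys on the account; a spray stays under
    per-account thresholds, so this keys on the source and counts accounts.
    """
    recent = defaultdict(deque)      # src_ip -> deque of (ts, account), time-ordered
    alerts, already_alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625:   # only failed logons feed the detector
            continue
        q = recent[ev["src_ip"]]
        q.append((ev["ts"], ev["account"]))
        while q and ev["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(distinct) >= min_accounts and ev["src_ip"] not in already_alerted:
            already_alerted.add(ev["src_ip"])     # one alert per source per run
            alerts.append((ev["src_ip"], q[0][0], len(distinct)))
    return alerts


if __name__ == "__main__":
    for src, start, n in detect_password_spray(SAMPLE_EVENTS):
        print(f"possible password spray from {src}: {n} accounts since {start:%H:%M}")
```

In production the same logic would be fed from the domain controllers' Security logs and the threshold tuned against baseline traffic from scanners and service accounts that legitimately touch many accounts.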
More sophisticated solutions are needed to fill these gaps in monitoring and detection.

By: Derek Melber, Chief Technology and Security Strategist | Tenable

Derek Melber is a leading technical instructor, author and consultant. He is a 16-time Microsoft MVP with deep knowledge of Group Policy, Active Directory, desktop management and Windows security. He has educated AD administrators in over 30 countries on how to efficiently and effectively secure Active Directory and Azure AD, and has published a broad range of educational content, including books, articles and videos, that demystifies the most complex and technical subjects in this space.

Threat Partner Series