
ACTIVE DIRECTORY SECURITY:

AD MONITORING AND
PROACTIVE SECURITY
DETECTION COMBINED

The term “Active Directory security” generates a few different reactions,
depending on who you ask. To fully understand its significance, we must separate
the unique concepts related to AD security. These include:

Security scanning and evaluation
Similar to a pentest, this assumes that existing security misconfigurations and
attack pathways exist in every AD. The scan and evaluation locate them.

Security hardening
This is proactively ensuring that settings and configurations are configured with
a security-first mindset.

Change monitoring
This is the continued monitoring and archiving of all changes that occur in the AD
environment (users, groups, OUs, GPOs, etc.).

Historical reporting
This is the ability to run detailed queries against a DB of changes that have
occurred in AD over time to see trends, changes, and even track down attack actions.

Compliance reporting
This is the process of producing reports on current and historical settings and
actions within AD that ensure basic security practices are being followed.

Attack pathway detection
Attackers rarely look directly at basic settings for their attacks. Rather, they
search for misconfigurations and vulnerable backend processes which they can
leverage to move laterally and gain privileges. Attack pathway detection finds the
same routes the attacker wants and sends alerts as they open up.

Attack detection
Attacks such as DCSync, DCShadow, and password spraying need to be detected as they
are initiated so they can be stopped immediately.

Threat hunting
Most attackers create a multitude of backdoors into AD when the opportunity
presents itself. Therefore, if a single misconfiguration or malicious action is
detected, security professionals can perform threat hunting actions to see if any
other backdoors were initiated.

AD monitoring solutions
AD monitoring solutions typically rely on security logs for their information and reporting. This reactive
approach is excellent for change monitoring and compliance reporting. After all, their goal is not to detect
attacks or misconfigurations but to see all changes occurring within AD for later analysis. AD monitoring
solutions do a very good job with:

• Change monitoring

• Historical reporting

• Compliance reporting

Of course, these activities are essential for most organizations since they need to generate reports for
auditors and executives to pass audits and meet internal guidelines.

Weaknesses of AD monitoring solutions


What these solutions omit is looking at the AD security environment through the eyes of the attacker.
Attackers do not want to be tracked (no logs generated), do not want to stand out (impersonation of another
user, group, computer, or process is ideal), and do not want to trigger an event that can easily be spotted.

Detecting attackers who function at this level requires a more proactive approach than a reactive one.
Recon tools like BloodHound and Infection Monkey give the attacker visibility over the paths they need
to compromise privileged groups/users. Attackers can use these pathways by leveraging tools and
techniques like Mimikatz, Kerberoasting, impersonation, and more.

Unfortunately, AD monitoring solutions are not equipped to look for these tools or attack vectors. It’s no
surprise, as many of the concepts are far from linear and require the complex incorporation of ACLs,
group memberships, attributes, user rights, and more. It takes an analysis solution (hint: Tenable.ad) to
dynamically calculate attack pathways in real time and see what the attacker sees.

Tenable.ad: Proactively securing AD


The Tenable.ad approach is to perform the same recon and analysis actions the attacker performs, but in
the following manner:

• No agents

• No privileges

• Nothing installed on any DC

• Initial scanning and evaluation of existing misconfigurations and attack pathways
into the existing AD environment

• Automatically and persistently analyzing new attack pathways

• Real-time alerting and SIEM/SOAR integration for immediate response

• Ongoing attack detection

• Threat hunting to ensure all backdoors and misconfigurations are found

Every AD has misconfigurations and settings an attacker can leverage. Finding and fixing these security
flaws is paramount to eliminating attack pathways.

Since AD is constantly evolving, consistent monitoring of any change within AD, along with immediate
analysis of the change causing a new attack pathway, is also critical. With hundreds, if not thousands, of
changes occurring in AD, users, groups, OUs, GPOs, etc. every day, new attack pathways are being
created. Tenable.ad informs you of these immediately.
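The "new change opens a new attack pathway" idea above can be shown with a small model. The following is an added example written for this page, not Tenable.ad code: a slice of AD is modelled as a directed graph of relationships an attacker can traverse (group membership plus control-granting ACEs), and every change event is replayed against that graph to see whether any user who could not previously reach Domain Admins now can. All principals, edges and events are constructed; the relationship names follow common AD ACL terminology but the data does not describe any real environment.

```python
"""Toy attack-pathway detector over a change feed (added example, not Tenable.ad code).

The graph models which principal can take control of which other principal.
Re-evaluating reachability to a privileged group after each change is what
turns plain change monitoring into attack-pathway detection.
All objects, edges and events below are constructed for illustration.
"""
from collections import deque

# Relationship kinds an attacker can traverse: membership grants the group's
# rights; GenericAll / WriteDacl / WriteOwner style ACEs grant control of the target.
TRAVERSABLE = {"MemberOf", "GenericAll", "WriteDacl", "WriteOwner"}

PRIVILEGED_TARGET = "Domain Admins"

# Constructed baseline: (source, relationship, target)
BASELINE_EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("bob", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "Workstation Admins"),
    ("Workstation Admins", "MemberOf", "Server Operators"),
    ("carol", "MemberOf", "Domain Admins"),
]

# Constructed user principals we want to evaluate paths for
USERS = {"alice", "bob", "carol", "dave"}

# Constructed change events, as a change-monitoring feed might deliver them
EVENTS = [
    {"op": "add", "src": "dave", "rel": "MemberOf", "dst": "Helpdesk"},                    # harmless alone
    {"op": "add", "src": "Server Operators", "rel": "WriteDacl", "dst": "Domain Admins"},  # opens a path
    {"op": "remove", "src": "bob", "rel": "MemberOf", "dst": "Helpdesk"},                  # closes one
]


def build_graph(edges):
    """Adjacency map: node -> list of (relationship, next_node), traversable edges only."""
    graph = {}
    for src, rel, dst in edges:
        if rel in TRAVERSABLE:
            graph.setdefault(src, []).append((rel, dst))
    return graph


def find_path(graph, start, target):
    """BFS for the shortest chain of traversable relationships from start to target.
    Returns a list of (node, relationship, node) hops, or None if unreachable."""
    queue = deque([start])
    parent = {start: None}
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return list(reversed(hops))
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def apply_change(edges, event):
    """Apply one constructed-format change event and return the updated edge list."""
    edge = (event["src"], event["rel"], event["dst"])
    if event["op"] == "add":
        return edges + [edge]
    if event["op"] == "remove":
        return [e for e in edges if e != edge]
    raise ValueError(f"unknown op {event['op']!r}")


def new_paths_opened(before_edges, after_edges, users, target=PRIVILEGED_TARGET):
    """Return {user: path} for users who could not reach target before the change
    but can afterwards. This is the 'alert as pathways open up' check."""
    g_before, g_after = build_graph(before_edges), build_graph(after_edges)
    opened = {}
    for user in sorted(users):
        if find_path(g_before, user, target) is None:
            path = find_path(g_after, user, target)
            if path is not None:
                opened[user] = path
    return opened


def monitor(edges, users, events):
    """Replay a change stream; return one alert per event that opened a new path."""
    alerts = []
    for event in events:
        updated = apply_change(edges, event)
        opened = new_paths_opened(edges, updated, users)
        if opened:
            alerts.append({"event": event, "opened": opened})
        edges = updated
    return alerts


if __name__ == "__main__":
    for alert in monitor(BASELINE_EDGES, USERS, EVENTS):
        print("ALERT on change:", alert["event"])
        for user, path in alert["opened"].items():
            print(f"  {user}: " + " -> ".join(f"{s} -[{r}]-> {d}" for s, r, d in path))
```

Note that the first event (adding dave to Helpdesk) raises no alert on its own, and the third event changes nothing for reachability; only the ACE grant in the second event turns three existing, individually harmless relationships into a path to Domain Admins for alice, bob and dave. That is the point of evaluating each change against the whole graph rather than judging it in isolation.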

Not all attacks stem from misconfigurations, so these attacks must be seen in real time to stop them
as soon as possible. Password spraying and brute-force attacks can’t be prevented outright. However,
being able to detect them as they happen is essential. DCSync and DCShadow, which don’t log events,
go unseen by AD monitoring solutions. Tenable.ad gathers information from the DC replication stream
to highlight these attacks in real time.
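As an added example of the "detect them as they happen" point for password spraying (not code from Tenable or this paper), the block below runs a simple detection over constructed failed-logon records. A spray tries one or two passwords against many accounts, so per-account lockout counters never trip; the signal is instead many distinct target accounts failing from one source within a short window. The log lines are a simplified key=value rendering constructed for this example, not real Windows event output; the event ID 4625 and the NTSTATUS codes 0xC000006A (bad password) and 0xC0000064 (no such user) are the real Windows values, while the timestamps, user names and addresses are invented.

```python
"""Toy password-spray detector over constructed failed-logon records (added example).

Groups failed logons (event 4625) by source address and flags a source whose
failures within a sliding window cover many distinct target accounts.
The sample lines are constructed; the key=value layout is a simplification.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a spray from 10.0.0.5 (12 accounts, one try each, ~3.5 min)
# plus one user, peggy, mistyping her own password three times from 10.0.0.9.
SAMPLE_LOG = """\
2021-06-01T09:00:01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006A
2021-06-01T09:00:19 EventID=4625 TargetUserName=bob IpAddress=10.0.0.5 Status=0xC000006A
2021-06-01T09:00:37 EventID=4625 TargetUserName=carol IpAddress=10.0.0.5 Status=0xC000006A
2021-06-01T09:00:55 EventID=4625 TargetUserName=dave IpAddress=10.0.0.5 Status=0xC000006A
2021-06-01T09:01:13 EventID=4625 TargetUserName=erin IpAddress=10.0.0.5 Status=0xC000006A
2021-06-01T09:01:31 EventID=4625 TargetUserName=frank IpAddress=10.0.0.5 Status=0xC000006A
2021-06-01T09:01:49 EventID=4625 TargetUserName=grace IpAddress=10.0.0.5 Status=0xC000006A
2021-06-01T09:02:07 EventID=4625 TargetUserName=heidi IpAddress=10.0.0.5 Status=0xC000006A
2021-06-01T09:02:25 EventID=4625 TargetUserName=ivan IpAddress=10.0.0.5 Status=0xC000006A
2021-06-01T09:02:43 EventID=4625 TargetUserName=judy IpAddress=10.0.0.5 Status=0xC0000064
2021-06-01T09:03:01 EventID=4625 TargetUserName=mallory IpAddress=10.0.0.5 Status=0xC000006A
2021-06-01T09:03:19 EventID=4625 TargetUserName=svc_backup IpAddress=10.0.0.5 Status=0xC000006A
2021-06-01T09:05:00 EventID=4624 TargetUserName=carol IpAddress=10.0.0.7 Status=0x0
2021-06-01T09:10:00 EventID=4625 TargetUserName=peggy IpAddress=10.0.0.9 Status=0xC000006A
2021-06-01T09:10:08 EventID=4625 TargetUserName=peggy IpAddress=10.0.0.9 Status=0xC000006A
2021-06-01T09:10:20 EventID=4625 TargetUserName=peggy IpAddress=10.0.0.9 Status=0xC000006A
"""


def parse_log(text):
    """Parse the constructed key=value lines into dicts, keeping only 4625 failures."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        rec = dict(field.split("=", 1) for field in fields)
        if rec.get("EventID") != "4625":
            continue  # successful logons and other events are not spray evidence
        rec["ts"] = datetime.fromisoformat(ts_str)
        records.append(rec)
    return records


def detect_spray(records, window=timedelta(minutes=10), min_users=10):
    """Return one alert per source address whose failed logons inside any
    `window`-long interval target at least `min_users` distinct accounts.
    Thresholds are illustrative; tune them to the environment's baseline."""
    by_source = defaultdict(list)
    for rec in records:
        by_source[rec["IpAddress"]].append((rec["ts"], rec["TargetUserName"]))

    alerts = []
    for source, events in by_source.items():
        events.sort()
        best = None
        # Slide a window starting at each event; keep the densest one per source.
        for i, (start, _) in enumerate(events):
            in_window = [(t, u) for t, u in events[i:] if t - start <= window]
            users = {u for _, u in in_window}
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "source": source,
                    "distinct_users": len(users),
                    "attempts": len(in_window),
                    "window_start": start,
                    "window_end": in_window[-1][0],
                }
        if best["distinct_users"] >= min_users:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"SPRAY from {alert['source']}: {alert['distinct_users']} accounts, "
              f"{alert['attempts']} failures between {alert['window_start']} and {alert['window_end']}")
```

The distinct-user count is what separates a spray from a single user locking themselves out: peggy's three failures from 10.0.0.9 never reach the threshold, while the source that touched twelve accounts once each is flagged even though no account saw more than one failure. In production the same logic would run over the domain controllers' security logs forwarded to a SIEM, keyed on the workstation name or address recorded in the event.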

Key takeaway
There are major benefits to having an AD monitoring solution
in nearly every organization. The power of producing reports
for auditors and management is vital. That said, AD monitoring
solutions fail to provide the depth required to secure AD to
the level an attacker is leveraging future threats. The need
to mitigate existing threats is also essential, and detecting
attacks as they occur provides an organization the chance
to stop them. AD monitoring solutions come up short in both
these areas. Tenable.ad fills the gaps to ensure Active Directory
can be protected before and during an attack.
6100 Merriweather Drive
12th Floor
Columbia, MD 21044

North America: +1 (410) 872-0555

www.tenable.com

COPYRIGHT 2021 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, TENABLE.IO, TENABLE NETWORK SECURITY, NESSUS, SECURITYCENTER, SECURITYCENTER
CONTINUOUS VIEW AND LOG CORRELATION ENGINE ARE REGISTERED TRADEMARKS OF TENABLE, INC. TENABLE.SC, LUMIN, ASSURE, AND THE CYBER EXPOSURE
COMPANY ARE TRADEMARKS OF TENABLE, INC. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.
