CrowdStrike White Paper

HARDEN YOUR AD SECURITY

Cybersecurity visibility and enforcement start with Active Directory (AD). Identity
and Access Management (IAM) - via AD, Active Directory Federation Services (AD FS),
or another identity store - is the nerve center of an enterprise, governing how users
and accounts access applications and assets. From this central point, organizations
create and maintain user credentials and assess application, network, and behavioral
traits, as well as create new logical segmentation strategies based on identity and
risk. Any security compromise of AD undermines the entire identity management
infrastructure, leading to potential data leaks as well as potential system corruption,
takeover or ransomware, or destruction.

Your Active Directory governs whether access should be granted or not – but the world
is more complex than the standard allow/deny settings. By adding risk analysis through
context and threat scoring to basic identity and access management authentication
functions, the Falcon Identity Protection solution helps security teams make pre-access
decisions before potential damage occurs, and enforce frictionless conditional access
on all requests. Risk-based conditional access principles pave the way for identity
segmentation, with policies built around the context of identity, behavior and the
dynamic risk of user credentials (including both human and service accounts).

THREATS TO ACTIVE DIRECTORY SERVICES

Default settings and simple passwords
Inappropriate access for roles and employees
Lack of visibility into elevation of privilege
No behavior analysis or logging of anomalies
Lateral movement in the environment
Ransomware and supply chain threats from compromised credentials

PROTECTING WITH FALCON IDENTITY PROTECTION

Falcon Identity Protection, an integral part of the CrowdStrike Falcon® platform,
quickly discovers all users and user types in your extended network (regular,
privileged, service accounts) and employs advanced AI/ML techniques to produce
continuous insights and behavior analytics to enable hyper-accurate detections as well
as automated protection and remediation in real time for identity-based attacks. The
adaptive capabilities of the platform allow you to automate responses with the right
type of enforcement or notification based on identity, behavior, and risk across your
multi-directory identity stores.

This conditional access ensures the right level of security is delivered to either
stop a threat or validate the credential to let users get on with their work. Falcon
Identity Protection realizes enterprise security infrastructures are not
one-size-fits-all, and most networks are increasingly both on premises and hybrid, or
even moving entirely virtual.

Falcon Identity Protection supports teams of all sizes and maturity levels. As you get
started on your journey to real-time threat prevention, Falcon Identity Protection
adapts with your organization as it grows and changes, whether it be hybrid or entirely
in the cloud. Best of all, you can get started with the benefits of Falcon Identity
Protection in as little as two hours and gain immediate and ongoing benefits.

[Figure: Falcon Identity Protection cycle, with the two labeled phases THREAT DETECTION
and IDENTITY / ACCESS PREVENTION]

FALCON IDENTITY PROTECTION FOR YOUR NETWORK

[Figure: layers shown are USERS / ENDPOINTS / SERVICE ACCOUNTS, DCS / FEDERATION, and
SERVERS / ASSETS / APPS / CLOUD. Capabilities listed: detect and block AD/Azure AD
threats; control attacker tools and dangerous protocols; continuous behavioral analysis;
risk scoring; adaptive enforcement and user engagement]

BRINGING ENFORCEMENT TO AD
Enforcement at the authentication infrastructure opens up more flexible enforcement
options than trying to control at the application or share level. Instead of blocking a
connection outright, a user’s privileges could be evaluated and reduced or held to
role-based accesses. This could keep the user productive, while limiting higher-risk
behaviors. Enforcement means keeping a constant activity trail for all privileged
and service accounts, with immediate identification for anomalous traffic or unusual
resource connection requests.

Additionally, organizations need to be able to automatically challenge suspicious or
risky behavior in real time. For example, a user behaving suspiciously or a programmatic
account attempting to connect to a new server (as in the recent Sunburst attack) could
be required to pass a multi-factor authentication (MFA) or two-factor authentication
(2FA) challenge before access is granted to a critical server. This flexible approach
simplifies many of the deployment challenges of monitoring internal user behavior.

In the end, the directory infrastructure is the logical center of the enterprise where
all users and accounts gain access to resources. By bringing a security layer to the
authentication infrastructure, organizations can get visibility into all behavior with a
simple update to internal DNS settings.

BENEFITS

Continuous unified attack path with adversary-focused approach across AD and Azure AD
Real-time threat mitigation through risk-based MFA
User analytics that examine changes in behavior and enforce policies automatically
Continuous and hyper-accurate threat prevention powered by the world's most advanced
cloud native platform

ADDING BEHAVIORAL INTELLIGENCE

Virtually all modern attacks, like ransomware, rely on compromising a victim's identity
in order to spread within the network and access forbidden data. The 2020 Verizon Data
Breach Investigations Report illustrates that credential misuse is involved in over 80%
of online attacks, whether via endpoint and social engineering acquisition or by web
application attack to gain system credentials.

Privileged user credentials or service accounts are the ultimate target as these provide an
attacker nearly full control and lateral access over the network. As a result, understanding
a user’s role and privileges in the organization is critical not only for setting smart security
policies, but also for detecting signs that the credential has been compromised to cut off
active attacks.

Organizations need to understand their own security posture. There are constant questions
about identity and access that security teams need to be able to answer:

Is an account using a password previously compromised in another breach?
Is the account's password shared with other accounts?
Is the user connecting from an unmanaged or insecure device? From where?
Was a credential set up then never used?
Is a service account attempting a connection via RPC or RDP to an unusual destination?

These are a few examples of attributes and activities that illustrate the role of the account as
well as potential risks tied to a specific connection attempt.

Both inherent risks like weak passwords and deviations from normal behavior can potentially
indicate the user is doing something risky or possibly has even been compromised by an
attacker. Bringing enforcement controls to the authentication infrastructure provides new
options and flexibility to meet these needs.
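The questions listed above are checks a defender can run directly over directory attributes and connection events. The following Python is an added illustration, not CrowdStrike code: it evaluates those checks against a small constructed account inventory and a handful of constructed connection events. The field names, the password "fingerprint" stand-in (equal values mean equal stored passwords; these are not real hashes), the breach list and the per-account destination baseline are all assumptions made for the example.

```python
"""Risk findings over a constructed AD-style inventory and connection log.

Added example, not CrowdStrike code. Every field name, value and threshold below is
an assumption chosen to make the checks from the text concrete.
"""
from collections import defaultdict

# Constructed account inventory. 'pwd_fingerprint' stands in for a digest of the stored
# credential: two accounts with the same value share a password (placeholder, not an NT hash).
ACCOUNTS = [
    {"sam": "alice",      "kind": "user",    "pwd_fingerprint": "fp-0a1", "last_logon": "2022-05-04"},
    {"sam": "bob",        "kind": "user",    "pwd_fingerprint": "fp-0a1", "last_logon": "2022-05-03"},
    {"sam": "svc_backup", "kind": "service", "pwd_fingerprint": "fp-77c", "last_logon": "2022-05-04"},
    {"sam": "svc_legacy", "kind": "service", "pwd_fingerprint": "fp-9d2", "last_logon": None},
]

# Constructed set of fingerprints known from earlier breaches (placeholder values).
BREACHED_FINGERPRINTS = {"fp-9d2"}

# Constructed connection events: who connected, over what, to where, from a managed device or not.
EVENTS = [
    {"sam": "svc_backup", "proto": "SMB", "dst": "fs01",  "managed": True},
    {"sam": "svc_backup", "proto": "SMB", "dst": "fs02",  "managed": True},
    {"sam": "svc_backup", "proto": "RDP", "dst": "dc01",  "managed": True},   # new destination, interactive protocol
    {"sam": "alice",      "proto": "RDP", "dst": "fin01", "managed": False},  # unmanaged device
]

# Constructed baseline: destinations each service account normally reaches.
BASELINE = {"svc_backup": {"fs01", "fs02"}}

# Protocols a service account should rarely use toward a host outside its baseline.
INTERACTIVE_PROTOCOLS = {"RPC", "RDP"}


def inherent_risks(accounts, breached):
    """Risks visible from the directory alone: breached, shared, or never-used passwords."""
    findings = []
    by_fingerprint = defaultdict(list)
    for acct in accounts:
        by_fingerprint[acct["pwd_fingerprint"]].append(acct["sam"])
        if acct["pwd_fingerprint"] in breached:
            findings.append((acct["sam"], "password seen in prior breach"))
        if acct["last_logon"] is None:
            findings.append((acct["sam"], "credential created but never used"))
    for sams in by_fingerprint.values():
        if len(sams) > 1:
            for sam in sams:
                findings.append((sam, f"password shared with {len(sams) - 1} other account(s)"))
    return findings


def behavioral_risks(events, accounts, baseline):
    """Risks tied to a specific connection attempt: device posture and unusual destinations."""
    kind_of = {acct["sam"]: acct["kind"] for acct in accounts}
    findings = []
    for ev in events:
        if not ev["managed"]:
            findings.append((ev["sam"], f"connection from unmanaged device to {ev['dst']}"))
        is_service = kind_of.get(ev["sam"]) == "service"
        off_baseline = ev["dst"] not in baseline.get(ev["sam"], set())
        if is_service and ev["proto"] in INTERACTIVE_PROTOCOLS and off_baseline:
            findings.append((ev["sam"], f"service account {ev['proto']} to unusual destination {ev['dst']}"))
    return findings


def risk_report(accounts=ACCOUNTS, events=EVENTS, breached=BREACHED_FINGERPRINTS, baseline=BASELINE):
    """Group all findings by account so each credential carries its own risk reasons."""
    report = defaultdict(list)
    for sam, reason in inherent_risks(accounts, breached) + behavioral_risks(events, accounts, baseline):
        report[sam].append(reason)
    return dict(report)


if __name__ == "__main__":
    for sam, reasons in risk_report().items():
        print(sam)
        for reason in reasons:
            print("  -", reason)
```

The two functions are kept separate on purpose: inherent risks can be scored once from the directory, while behavioral risks must be evaluated per connection attempt, which is where a conditional-access decision (allow, step-up MFA, block) would be made.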

ADAPTIVELY PREVENTING THREATS


The ability to compromise valid credentials and identities has become a fundamental aspect
of virtually every phase of a modern attack. And while a compromised account may only show
up as anomalous user behavior, there are many adversary techniques that are unambiguously
malicious.

As an example, attackers are using tools like Mimikatz to steal credentials and gain a foothold
on the network. Attackers then move laterally within a network by using techniques such as
pass-the-hash (PtH), pass-the-ticket, relay and replay attacks, or even threats like Maze,
Sunburst or Conti ransomware. Attackers also use a variety of reconnaissance techniques such as
account scanning and credential spraying in order to find new targets or credentials, while
methods such as Golden Ticket attacks can allow an attacker to achieve near-permanent
persistence within a network.

These techniques are the difference between a threat that is limited to a single host and a
persistent threat which can expose the entire enterprise and all of its assets. However, these
progressive multi-step attacks also provide multiple opportunities for security to detect
the threat and halt its progress before major damage is done. By monitoring behaviors on
the network and AD infrastructure, security can detect the behaviors of PtH or other attack
techniques and tactics.

Falcon Identity Protection detects these lateral movement techniques as well as the use of
risky protocols and abnormal behavior, which identifies devices and accounts that are likely
compromised. These accounts can then be challenged via MFA/2FA or blocked based on
policy to halt the progress of an attack.

[Figure: RELAY ATTACKS ABUSE CREDENTIALS BY INTERCEPTING AND RELAYING VALID CHALLENGES AND
RESPONSES IN NTLM, SMB, AND OTHER PROTOCOLS. Actors: CLIENT, ATTACKER, TARGET, DOMAIN
CONTROLLER. Numbered exchange: 1 - NTLM Negotiate, 2 - NTLM Negotiate, 3 - NTLM Challenge,
4 - NTLM Challenge, 5 - NTLM Authenticate, 6 - NTLM Authenticate, 7 and 8 - verification with
the domain controller and approval (labels partly illegible in the source)]
LEVERAGING EXISTING ARCHITECTURE


There are many ways of inserting conditional access into the identity repository
and no two networks are ever identical. Whether you use AD with Kerberos (or
even deprecated protocols like NTLM or LDAPs), or Azure AD with Windows
Virtual Desktop (WVD) as a gateway to your domain services, the principles of
conditional access and MFA/2FA remain the same. Adding a layer of protection in
front of the authentication infrastructure, including the domain controller, provides
important flexibility in leveraging your existing infrastructure while improving
security and business productivity. The ability to integrate, share and extend
identity information and risk information across point solutions already existing in
your network is key to securing your identity store (AD/Azure AD) wherever it lives.

Instead of making decisions based on individual sessions or incidents, Falcon Identity
Protection uses the combined intelligence of all of an organization's security
investments, providing true conditional access control based on identity and risk.
Falcon Identity Protection takes that risk score, or evaluates risky behavior, and
enforces conditional access for the user. For example, consider a relay attack which
intercepts and relays valid challenges and responses in NTLM, SMB, RPC, RDP, and other
protocols. Whether the enterprise uses Okta, PingFederate, RSA, or another MFA/2FA tool,
when Falcon Identity Protection senses the attack it enforces step-up authentication to
challenge the user and prevent lateral movement through a network.
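The relay figure above and the paragraph just before this describe an attacker shuttling a valid challenge and response between a client and a target without ever learning the password. The following Python is an added toy model, not CrowdStrike code and not the real NTLM message format or hash algorithm: an HMAC over a random challenge stands in for the NTLM response, and the message fields are simplified. It shows why an unbound relay succeeds and why binding the response to the service name the client intended to reach (the idea behind Windows Extended Protection for Authentication / channel binding) lets the target reject the relayed session. The host names, user and password are constructed.

```python
"""Toy model of the NTLM relay flow from the figure and of the channel-binding mitigation.

Added example, not CrowdStrike code. derive_key() and response_for() are simplified
stand-ins for the real NTLM key and response computation; all names are constructed.
"""
import hashlib
import hmac
import secrets


def derive_key(password):
    # Stand-in for the credential shared by the client and the domain controller (not a real NT hash).
    return hashlib.sha256(b"toy-nt:" + password.encode()).digest()


def response_for(key, challenge, bound_to):
    # Challenge-response. With binding, the name of the service the client meant to reach is
    # mixed into the signed data, so a relaying party cannot change it without breaking the MAC.
    data = challenge + (bound_to.encode() if bound_to else b"")
    return hmac.new(key, data, "sha256").digest()


class DomainController:
    """Steps 7-8 of the figure: the DC checks the response the target forwards to it."""

    def __init__(self, users):
        self.keys = {user: derive_key(pw) for user, pw in users.items()}

    def verify(self, user, challenge, response, bound_to):
        key = self.keys.get(user)
        if key is None:
            return False
        return hmac.compare_digest(response, response_for(key, challenge, bound_to))


class Client:
    def __init__(self, user, password, use_binding):
        self.user, self.key, self.use_binding = user, derive_key(password), use_binding

    def authenticate(self, challenge, connected_name):
        # 'connected_name' is the host the client believes it is talking to.
        bound_to = connected_name if self.use_binding else None
        return {"user": self.user, "bound_to": bound_to,
                "response": response_for(self.key, challenge, bound_to)}


class Server:
    """The target. Issues the challenge and hands the client's answer to the DC."""

    def __init__(self, name, dc, require_binding):
        self.name, self.dc, self.require_binding = name, dc, require_binding
        self.challenge = None
        self.rejections = []  # what a defender would want logged

    def negotiate(self):
        self.challenge = secrets.token_bytes(8)  # NTLM CHALLENGE
        return self.challenge

    def authenticate(self, auth):
        # Enforcement point: a response bound to some other service name means the client
        # never intended to talk to this server, i.e. the exchange was relayed.
        if self.require_binding and auth["bound_to"] != self.name:
            self.rejections.append((auth["user"], auth["bound_to"]))
            return False
        return self.dc.verify(auth["user"], self.challenge, auth["response"], auth["bound_to"])


def direct_logon(client, server):
    """Normal flow: the client negotiates with the real server and answers its challenge."""
    challenge = server.negotiate()
    return server.authenticate(client.authenticate(challenge, server.name))


def relayed_logon(client, lure_name, server):
    """Steps 1-6 of the figure: the client connects to the attacker's host ('lure_name'); the
    attacker opens its own session to the real server, passes the server's challenge to the
    client, and forwards the client's answer unchanged."""
    challenge = server.negotiate()                    # 2-3: attacker <-> server
    auth = client.authenticate(challenge, lure_name)  # 4-5: attacker <-> client
    return server.authenticate(auth)                  # 6-8: attacker -> server -> DC


def scenarios():
    """Compare an unprotected and a binding-enforcing target under both flows."""
    dc = DomainController({"alice": "correct horse battery staple"})
    legacy = Server("fs01", dc, require_binding=False)
    hardened = Server("fs01", dc, require_binding=True)
    plain_client = Client("alice", "correct horse battery staple", use_binding=False)
    bound_client = Client("alice", "correct horse battery staple", use_binding=True)
    return {
        "direct, no binding": direct_logon(plain_client, legacy),
        "relayed, no binding": relayed_logon(plain_client, "attacker-host", legacy),
        "direct, binding enforced": direct_logon(bound_client, hardened),
        "relayed, binding enforced": relayed_logon(bound_client, "attacker-host", hardened),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28s} -> {'session granted' if ok else 'rejected'}")
```

The `rejections` list on the hardened server is the signal a monitoring layer wants: a well-formed, DC-verifiable response that was bound to a different service name than the one that received it is a strong relay indicator, and it is exactly the kind of event at which the text proposes step-up authentication rather than a silent allow.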

FALCON IDENTITY PROTECTION

Falcon Identity Protection developed the industry's first security platform bringing
real-time layers of threat prevention to an organization's authentication infrastructure.
This allows organizations to stop cyber attacks and insider threats, and enforce policies
across the extended enterprise based on identity, behavior, and risk. Falcon Identity
Protection offers real-time visibility of identity-based attacks and anomalies, and
enforces risk-based MFA/conditional access.

Falcon Identity Protection operates in real time alongside Active Directory and Domain
Controllers. From this strategic vantage point, Falcon Identity Protection leverages
advanced AI/ML techniques to continually learn the behaviors that are both common and
essential to the enterprise, while proactively detecting the malicious actions of
attackers. Our built-in intelligence automatically surfaces weaknesses such as password
issues, risky user behavior, and all associated devices. The solution automatically
identifies all privileged users including those with privileges outside of the traditional
administrator groups in Active Directory, including service accounts.

Falcon Identity Protection continually tracks the actions and behaviors of all of these
credentials on premises or in the cloud for signs of malicious or abnormal behavior. Falcon
Identity Protection is powered by CrowdStrike Security Cloud, the world's largest unified,
threat-centric data fabric, which correlates trillions of security events per day
leveraging the industry's leading threat intelligence and enterprise telemetry. When it
sees suspicious activity, Falcon Identity Protection can challenge the behavior in real
time before access is granted to verify the user's identity and, if needed, reset the
password based on the risk and enterprise policy. This allows organizations to
automatically resolve any false positives without preventing valid access, and logically
align real-time security enforcement with the needs of the business.

ABOUT CROWDSTRIKE

CrowdStrike Holdings, Inc. (Nasdaq: CRWD), a global cybersecurity leader, has redefined
modern security with one of the world's most advanced cloud-native platforms for
protecting critical areas of enterprise risk – endpoints and cloud workloads, identity
and data.

Powered by the CrowdStrike Security Cloud, the CrowdStrike Falcon® platform leverages
real-time indicators of attack, threat intelligence, evolving adversary tradecraft and
enriched telemetry from across the enterprise to deliver hyper-accurate detections,
automated protection and remediation, elite threat hunting and prioritized observability
of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon
platform enables customers to benefit from rapid and scalable deployment, superior
protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike: We stop breaches.

Learn more: https://www.crowdstrike.com/
Follow us: Blog | Twitter | LinkedIn | Facebook | Instagram
Start a free trial today: https://www.crowdstrike.com/free-trial-guide/

© 2022 CrowdStrike, Inc. All rights reserved. CrowdStrike, the falcon logo, CrowdStrike
Falcon and CrowdStrike Threat Graph are marks owned by CrowdStrike, Inc. and registered
with the United States Patent and Trademark Office, and in other countries. CrowdStrike
owns other trademarks and service marks, and may use the brands of third parties to
identify their products and services.