Despite the seismic shift to cloud computing, 90% of Global Fortune 1,000 companies still rely on on-premises Active Directory (AD) for authentication and access management. Startups today can go cloud-native from day one, but for established organizations, from small and mid-sized businesses up to large enterprises, the AD domain controller remains a staple. That ubiquity is one of the main reasons AD is so commonly targeted by threat actors.
AD, more precisely Active Directory Domain Services (AD DS), is Microsoft's on-premises directory service. A directory service is a hierarchical database of the objects on a network: user and computer accounts, security groups, printers, servers and shared volumes, together with the attributes and access control lists attached to each of them. (Don't confuse AD DS with Azure AD, now called Microsoft Entra ID, which is a flat directory accessed over web protocols such as OAuth 2.0, SAML and the Graph API rather than LDAP and Kerberos.)
In AD, the logical grouping of these objects under one namespace and security boundary is called a domain. A domain requires at least one dedicated server, the domain controller (DC), to create and host it. The DC is both the central repository of every domain object (the directory database, NTDS.dit) and the central authentication authority: every user and device authenticates against a DC, with Kerberos by default and NTLM as the fallback.
Every change an administrator makes to a domain object is written on a DC. Most organizations deploy more than one DC, for redundancy and to spread the authentication load across sites and the wider IT estate; a change written to any one DC replicates to all the others.
Ransomware attack strategies have evolved. In their early days, many ransomware attacks were run in an almost haphazard fashion and depended on a degree of luck. Strategies have matured since then, and today's ransomware operators usually perform reconnaissance after gaining an initial foothold in a target network and before deploying the payload.
By default, nearly any authenticated domain account has read access to most of the directory (the Authenticated Users principal is granted read on most objects), so an attacker holding an ordinary user account can enumerate users, groups, computers, domain controllers and Group Policy without triggering a single access-denied error. Information alone is not enough, however: to deploy a payload at scale the attacker needs high-privilege access, which they obtain by compromising AD administrator accounts or accounts with equivalent rights.
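As an added example, not code from the original article, here is what the reconnaissance described above looks like in practice: a PowerShell script that uses nothing but the built-in .NET DirectorySearcher (the `[ADSISearcher]` accelerator) and therefore runs from any domain-joined Windows host as an ordinary, non-administrative user with no RSAT module installed. It needs a live domain to query, so it is not an offline demo; the choice of attributes and the `Domain Admins` group name are assumptions for illustration.

```powershell
# Added example (not from the original article): what an ordinary domain user
# can read from AD DS with the built-in DirectorySearcher. Run from any
# domain-joined Windows host as a standard user. Attribute choices are assumptions.

function Search-Directory {
    param(
        [Parameter(Mandatory)] [string] $Filter,
        [string[]] $Properties = @('distinguishedName')
    )
    $searcher = [ADSISearcher] $Filter          # SearchRoot defaults to the current domain
    $searcher.PageSize = 1000                    # paged results: large domains are not cut off at 1000
    foreach ($p in $Properties) { [void] $searcher.PropertiesToLoad.Add($p) }
    foreach ($result in $searcher.FindAll()) {
        $row = [ordered] @{}
        foreach ($p in $Properties) {
            # the searcher keys result properties by lower-cased attribute name
            $row[$p] = @($result.Properties[$p.ToLower()]) -join '; '
        }
        [pscustomobject] $row
    }
}

# LDAP extensible matching rules (these OIDs are standard in AD):
#   bit-AND on flag attributes such as userAccountControl
#   (8192 = SERVER_TRUST_ACCOUNT, i.e. a DC; 65536 = DONT_EXPIRE_PASSWORD)
$BitAnd  = '1.2.840.113556.1.4.803'
#   transitive (nested) group membership, resolved server-side
$InChain = '1.2.840.113556.1.4.1941'

[string] $domainDN = ([ADSI] 'LDAP://RootDSE').defaultNamingContext.Value

# 1. Every domain controller: where authentication happens and what the attacker
#    will later target for replication abuse or encryption.
$dcs = Search-Directory "(&(objectCategory=computer)(userAccountControl:${BitAnd}:=8192))" `
                        -Properties dNSHostName, operatingSystem

# 2. High-value accounts. adminCount=1 is stamped by AdminSDHolder on current
#    (and former) members of protected groups, so it is a cheap first cut.
$privUsers = Search-Directory '(&(objectCategory=person)(objectClass=user)(adminCount=1))' `
                              -Properties sAMAccountName, memberOf, pwdLastSet

# 3. Everyone who is a Domain Admin, including through nested groups.
$domainAdmins = Search-Directory "(&(objectCategory=person)(objectClass=user)(memberOf:${InChain}:=CN=Domain Admins,CN=Users,${domainDN}))" `
                                 -Properties sAMAccountName, userAccountControl, lastLogonTimestamp

# 4. Accounts whose passwords never expire: long-lived credentials, often services.
$noExpire = Search-Directory "(&(objectCategory=person)(objectClass=user)(userAccountControl:${BitAnd}:=65536))" `
                             -Properties sAMAccountName, description

'{0} DCs, {1} adminCount=1 accounts, {2} Domain Admins (incl. nested), {3} never-expiring passwords' -f `
    @($dcs).Count, @($privUsers).Count, @($domainAdmins).Count, @($noExpire).Count
$domainAdmins | Format-Table sAMAccountName, userAccountControl, lastLogonTimestamp -AutoSize
```

None of these searches require anything beyond the default read permissions, which is exactly the point of the paragraph above. Defenders can make them visible: raising the NTDS diagnostics level for "15 Field Engineering" to 5 on a DC logs expensive and inefficient LDAP searches as event 1644 in the Directory Service log, and a sudden burst of such queries from a workstation is a useful reconnaissance signal.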
Once a high-privilege account is compromised, the attacker can use it to create new privileged accounts or raise the privileges of an existing user, and then move laterally through the network with those credentials. The same privileges let them change the permissions on file shares and data volumes and modify or disable the security policies and auditing that would otherwise inhibit the attack.
With privileged access to AD, a threat actor can make whatever changes to the domain the attack requires. Beyond weakening the domain's security posture, the DC itself becomes a delivery mechanism for the malware: every domain-joined computer trusts the DC and polls it regularly, so a Group Policy Object or logon script staged on the DC is picked up by every machine in scope.
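The two paragraphs above describe the changes an attacker makes once they hold a privileged account (new privileged accounts, privileged group membership, disabled policies and auditing) and the use of the DC as a delivery channel through Group Policy. The following PowerShell script is an added example, not from the original article, that turns those steps into a detection over Windows Security log events. The event records are constructed inline for the demo, and the account names, the privileged-group list and the 60-minute window are assumptions; it runs offline in Windows PowerShell or pwsh.

```powershell
# Added example (not from the original article): flag the directory changes a
# ransomware operator makes once they hold a privileged account, using Security
# log event IDs that a DC already emits. The records below are constructed for
# the demo; names, groups and times are assumptions. On a real DC you would build
# the same objects from Get-WinEvent -LogName Security and read the named fields
# out of ([xml] $event.ToXml()).Event.EventData.Data.

# Assumption: the groups whose membership changes should always be reviewed.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators',
    'Group Policy Creator Owners', 'DnsAdmins'
)

function New-Alert ($Event, [string] $Severity, [string] $Detail) {
    [pscustomobject] @{ Time = $Event.Time; Severity = $Severity; Id = $Event.Id
                        Subject = $Event.Subject; Detail = $Detail }
}

function Find-SuspiciousDirectoryChanges {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $NewAccountWindowMinutes = 60   # assumption: tune to your provisioning process
    )
    $alerts  = [System.Collections.Generic.List[object]]::new()
    $created = @{}   # account -> creation time, from 4720 (user account created)

    foreach ($e in ($Events | Sort-Object Time)) {
        switch ($e.Id) {
            4720 { $created[$e.Target] = $e.Time }

            # 4728 / 4732 / 4756: member added to a global / local / universal
            # security-enabled group. Only the privileged groups matter here.
            { $_ -in 4728, 4732, 4756 } {
                if ($e.Group -in $PrivilegedGroups) {
                    $detail = "added $($e.Target) to $($e.Group)"
                    if ($created.ContainsKey($e.Target) -and
                        ($e.Time - $created[$e.Target]).TotalMinutes -le $NewAccountWindowMinutes) {
                        # a brand-new account straight into a privileged group:
                        # the "create new privileged accounts" step from the text
                        $age = [int] ($e.Time - $created[$e.Target]).TotalMinutes
                        $alerts.Add((New-Alert $e 'Critical' "$detail, $age min after creating it"))
                    } else {
                        $alerts.Add((New-Alert $e 'High' $detail))
                    }
                }
            }

            # 5136: directory object modified. A groupPolicyContainer change means a
            # GPO was edited, which is how a DC becomes the malware delivery channel.
            5136 {
                if ($e.ObjectClass -eq 'groupPolicyContainer') {
                    $alerts.Add((New-Alert $e 'Medium' "modified GPO $($e.Target); verify against change control"))
                }
            }

            # 4719: audit policy changed; 1102: Security log cleared. Both are the
            # "disable the controls that would inhibit the attack" step.
            4719 { $alerts.Add((New-Alert $e 'High' 'changed the system audit policy')) }
            1102 { $alerts.Add((New-Alert $e 'High' 'cleared the Security event log')) }
        }
    }
    return $alerts
}

# Constructed sample events (not real log data). Target is the account, group
# member or object GUID the event is about; the GUID is the Default Domain Policy.
$t0 = [datetime] '2024-03-10T02:13:00'
$SampleEvents = @(
    [pscustomobject] @{ Id = 4624; Time = $t0;                Subject = 'svc-backup'; Target = 'svc-backup'; Group = $null;           ObjectClass = $null }
    [pscustomobject] @{ Id = 4720; Time = $t0.AddMinutes(2);  Subject = 'svc-backup'; Target = 'sqlsvc2';    Group = $null;           ObjectClass = $null }
    [pscustomobject] @{ Id = 4728; Time = $t0.AddMinutes(3);  Subject = 'svc-backup'; Target = 'sqlsvc2';    Group = 'Domain Admins'; ObjectClass = $null }
    [pscustomobject] @{ Id = 4728; Time = $t0.AddMinutes(5);  Subject = 'helpdesk1';  Target = 'mlee';       Group = 'Marketing';     ObjectClass = $null }
    [pscustomobject] @{ Id = 5136; Time = $t0.AddMinutes(9);  Subject = 'svc-backup'; Target = '{31B2F340-016D-11D2-945F-00C04FB984F9}'; Group = $null; ObjectClass = 'groupPolicyContainer' }
    [pscustomobject] @{ Id = 1102; Time = $t0.AddMinutes(12); Subject = 'svc-backup'; Target = $null;        Group = $null;           ObjectClass = $null }
)

Find-SuspiciousDirectoryChanges -Events $SampleEvents |
    Format-Table Time, Severity, Id, Subject, Detail -AutoSize
```

The sample deliberately includes noise (a routine logon and an add to a non-privileged group) so that only the privileged-group add, the GPO edit and the log clear surface. Two caveats before running this against real DCs: 4720 and 4728/4732/4756 only appear if the "User Account Management" and "Security Group Management" audit subcategories are enabled, and 5136 additionally needs "Directory Service Changes" auditing plus a SACL on the GPO objects, which the default domain SACL does not provide.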
Attackers can also take advantage of the replication links between DCs: the directory and its SYSVOL share replicate automatically, so something planted on one DC reaches them all. Besides using DCs as super-spreaders, ransomware actors try to encrypt the DCs themselves. With a company's DCs out of commission, no account can authenticate to the domain or reach domain resources (cached credentials may still let users log on to their own workstations, but nothing that needs a Kerberos ticket or a Group Policy refresh works), which brings internal domain operations to a standstill.
AD is the foundation for all of your accounts and internal domain assets. That makes it a prime target for ransomware, and it is why a deliberate security plan for the AD infrastructure, including offline, tested backups of the DCs, is so important.