We recently asked renowned Ransomware Expert Allan Liska: “Do you have any recommendations for securing active directory?” See his response in this video, and in case you’ve missed it, here’s the transcript:
James Green:
So once attackers gain entry to a network, the next thing they’re looking to do is escalate privileges, take control of the network and be able to do what they want. The Holy Grail would be to have domain administrator accounts, where they pretty much have access to everything. And unfortunately, as we’ve seen in lots of postmortems of attacks, that’s not that hard for attackers to do. They’re pretty quick, to be able to get access to that. It would be great if we could stop them from being able to do that, so do you have any tips or recommendations for securing active directory, and specifically, keeping your admin account safe?
Allan Liska:
Yeah. So there are a few things. One is… You’re absolutely right. There are a lot of red teaming tools, such as Mimikatz, that are designed, not only to avoid detection, but also to get those passwords, to get the administrative account, so you can gain access to the domain controller. And so there are a few things that you can do to protect yourself. One, you should be looking for those tools. So they’re a common set of tools that ransomware actors use to try and gain that access, and you should be constantly scanning for those tools, and alerting if they’re being used in the network, because it’s either a ransomware actor, or it may be one of the red teamers, if you have a red teamer that is trying to do pen testing of your network. It may be them. Either way, you’ve either caught a red team or you’ve caught a ransomware actor.
It’s all good. Nobody uses those for legitimate reasons. And then you want to segment out. You want your network segmented in general, and this is hard. And we talk about this all the time, but for a lot of organizations, it means completely rearchitecting everything, which is a pain, but it really is important to create different network segments for different roles, so that even if you can’t stop the ransomware attack, you can at least limit the damage that it can cause.
And when we talk about network segmentation, we’re talking about either through VLANS or Firewalls or wireless LANS, where you really say, okay, this is the accounting network. This is the engineering network here. This is the sales network, et cetera. And those networks don’t talk to each other, because they don’t need to talk to each other. We often see what happens when a city is hit.
And somebody in the accounting department of the city gets hit with ransomware attack, and the ransomware actors are able to encrypt files in the courts, and police files, and so on. They basically have access to everything once they’re in there. So you want those network segments, but then you also want to segment your active directory, as well. And the way you do that is create active directory trees where each network segment has its own active directory servers and domain controller that only sees that network. So even if the ransomware actors do gain access to it, they’re limited, again, in the damage that they can cause.
Now the other thing that you want is, what ransomware actors like to do, is they like to gain access to the domain console access. So not just admin access, but they actually want to gain console access, because that’s how they can do a lot of their reconnaissance. So you want to limit the ability of your domain administrators to connect to the domain controller from anywhere other than a segmented admin network. So you have a separate admin network that that has views, one way views, into all the different network segments, but if an admin controller is sitting on a machine in accounting and tries to connect to the domain controller, even with the right username and password, they’re still not able to connect to it. It has to come from the admin network. Again, it’s a pain. It often involves rearchitect and admins learning new behavior, but it goes a long way towards saving your network, and keeping the ransomware actor from gaining that access to the main controller.
James Green:
So segmentation broadly, to reduce the blast radius, as well as specifically segmenting where you can perform admin activities from?
Allan Liska:
Right. Those are two really, really big steps that help limit the power of a ransomware actor to gain control.
James Green:
You mentioned tools to look for specifically, that are just a common part of the toolkit. Is there anywhere that maintains a list of those tools, or how should people build the list that they’re watching for?
Allan Liska:
You probably can find it on ransomware.org.
James Green:
Perfect.
Allan Liska:
So yes, there are a wide list from a lot of different sources. And there are often what we call rules for detecting it, so Yara rules or Sigma rules, that you can deploy, whether it’s in your SIM or whether it’s in your EDR, to look for those tools automatically. And again, we’ll have links to those on the ransomware.org site.
James Green:
Great. Thanks so much, Allan.
Allan Liska:
No problem.
Interested in viewing more videos about Ransomware? Visit our Ransomware Video Gallery
