
Bolstering identity resilience crucial for modern business

Johannesburg, 27 Mar 2026
Matt Hawkins, Semperis.

Microsoft Active Directory and Entra ID control access, privilege, data and operational continuity, making them prime targets for attackers. Because ransomware groups are targeting Active Directory first, identity system resilience is a business survival issue.

This insight is according to Matt Hawkins, Senior Solutions Architect at Semperis, who was speaking during a webinar hosted by Solid8 Technologies and Semperis, in partnership with ITWeb.

Hawkins said: “The traditional perimeter is gone and identity is really the only control plane left. Eighty-three percent of ransomware attacks compromise the IAM infrastructure, and 80% of all breaches involve credential abuse, but the average initial hybrid Active Directory security score we find within organisations is only 61% – a failing grade. There's a lot of work that needs to be done to better secure that. With Active Directory, we’re talking about technology that's 26 years old, and if Active Directory is connected to Entra ID, the attacker’s path of escalation becomes quicker.”

Noting that most customers run business operations on hybrid identity infrastructure, using both Active Directory and Entra ID, Hawkins said organisations should strengthen security by implementing sound identity processes and securing domain and forest trusts, hardening Kerberos, deterring lateral movement, securing privileged users and groups, hardening privileged access, securing dependencies, hardening domain controllers, continuously monitoring for unusual activity and backing up Active Directory.

Organisations should also build resilience with continuous exposure management; modernisation and attack surface reduction; and machine identity discovery and monitoring.

Hawkins said: “In addition, it is important to know how to survive an attack and get back to a trusted and functional state.”

His recommendations were to develop a step-by-step recovery plan, including pre-recovery communication plans and out-of-band communication channels. Before a cyber incident, organisations must clarify how backups are protected and how they will be reached during an outage, prepare for full forest cleanup and recovery, and verify, scale out and finalise those plans.

“Organisations must prepare for recovery, ensuring they have covered every domain, especially the root domain. We recommend backing up two domain controllers per domain and testing those backups regularly,” he said. “Use supported backup methods from Microsoft, ensure that backups are malware free and keep offline copies of backups stored on immutable storage.”

He also advised: “Know the attributes’ sources – many Active Directory environments are populated by external systems, like HR. You should also prepare for Active Directory recovery by having disaster recovery passwords readily accessible to you, you should know your DNS topology and passwords, and you should reduce the number of OS versions in Domain Controllers, as too many will increase complexity.”
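As an added example (not from the webinar or from Semperis), the following PowerShell inventories every domain controller in the forest so the recovery preparation points above can be checked against the real environment: whether each domain, the root domain included, has at least two writable DCs to back up, how many DC operating-system versions are in use, and which DCs hold FSMO roles (the first DC restored in a forest recovery must end up holding them). It assumes the RSAT ActiveDirectory module is installed and that the account running it can read each domain; the function name Get-DcRecoveryInventory is a hypothetical one chosen here.

```powershell
# Added example, not the webinar's or Semperis' own code. Assumes the RSAT
# ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

function Get-DcRecoveryInventory {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        # Query each domain for its own DCs; a forest-root DC does not list
        # the controllers of child domains.
        $dcs        = @(Get-ADDomainController -Filter * -Server $domain)
        $writable   = @($dcs | Where-Object { -not $_.IsReadOnly })
        $osVersions = @($dcs | Select-Object -ExpandProperty OperatingSystem -Unique)
        $fsmoHolders = @($dcs |
            Where-Object { $_.OperationMasterRoles.Count -gt 0 } |
            Select-Object -ExpandProperty HostName)

        # Flag the two conditions the recovery advice cares about.
        $findings = @()
        if ($writable.Count -lt 2) {
            $findings += "only $($writable.Count) writable DC(s): cannot back up two per domain"
        }
        if ($osVersions.Count -gt 1) {
            $findings += "$($osVersions.Count) DC OS versions in use: $($osVersions -join '; ')"
        }
        $summary = if ($findings.Count -gt 0) { $findings -join ' | ' } else { 'ok' }

        [pscustomobject]@{
            Domain       = $domain
            IsForestRoot = ($domain -eq $forest.RootDomain)
            WritableDCs  = $writable.Count
            ReadOnlyDCs  = $dcs.Count - $writable.Count
            FsmoHolders  = ($fsmoHolders -join ', ')
            OsVersions   = ($osVersions -join '; ')
            Findings     = $summary
        }
    }
}

# Root domain first, since it is the one most easily forgotten in recovery plans.
Get-DcRecoveryInventory |
    Sort-Object -Property IsForestRoot -Descending |
    Format-Table -AutoSize -Wrap
```

Run it from a management host with RSAT; a domain reported with a single writable DC, or with several operating-system versions, is one where the backup and consolidation advice above has not yet been acted on. The script only reads directory data and does not check that backups exist or are malware free; that still has to be verified against the backup platform itself.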

Hawkins highlighted the Semperis identity resilience platform – a comprehensive hybrid layered defence approach to Active Directory security and crisis response – with automation to help shorten recovery time by up to 90%.

Semperis also offers Purple Knight and Forest Druid – free tools to help organisations bolster Active Directory resilience. Purple Knight is an assessment tool for Active Directory, Entra ID and Okta, which scans the identity environment for over 185 indicators of exposure or compromise, and offers guidance on prioritising and remediating risks. Forest Druid is a first-of-its-kind Tier 0 attack path discovery tool for Active Directory and Entra ID environments. Forest Druid uncovers vulnerable Tier 0 assets, locks down excessive privileges and discovers the most dangerous attack paths to Tier 0 assets.
