CyberWire Daily - CyberWire Pro Interview Selects: Carolyn Crandall of Attivo Networks.

Episode Date: November 26, 2021

Our team decided to extend our Thanksgiving holiday and thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, ...exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview from October 27th, 2021, which originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Carolyn Crandall of Attivo Networks on what organizations should be focused on to protect AD. Like what you hear? Consider subscribing to CyberWire Pro for $99/year.

Transcript
[00:00:00] Attivo Networks recently released research highlighting the gaps in security for Active Directory and that many organizations are struggling to identify the best tools and techniques to do so. Carolyn Crandall is Chief Security Advocate and CMO at Attivo Networks.

Active Directory, it's remarkable for it being the main directory service of most organizations. However, it's not often thought about. It's more relegated to kind of a plumbing maintenance. But what's been seen in so many major attacks today is that attackers are getting in and they're exploiting Active Directory. And because it really is the keys to the kingdom, they're then able to conduct these massive attacks and demand very large ransomware payments. And so what is happening is organizations are needing to rethink how they protect their Active Directory and try to find ways to kind of build that castle [00:01:06] and moat around Active Directory, especially in today's distributed world. It's just now there's no longer a perimeter border. So now you've got to think about it as far as identities and how they'll access this resource and how to better protect it, given that that's how they'll be trying to exploit it and get in.

So what are you and your colleagues there at Attivo tracking in terms of how folks are coming at Active Directory?

So we track it on many fronts. We like to follow the attacker. And if you start at the endpoint, you look at the exposed credentials and how the attacker is able to find the attack paths and the access into Active Directory. And they're looking for everything from the credentials that may be left there so [00:01:51] that they get privileged access. And then they're looking for other exposures and vulnerabilities to be able to get in so that they can take control. And once they are able to get control, then they're able to do things like download mass amounts of malware. They can reset security policies. They can do things to hide their tracks. They can delete backups. They can do all kinds of damaging things. And so once you hit that Active Directory level, you're looking at the visibility to those exposures. [00:02:25] Plus, you're also looking at the live attack activity in order to see when those things such as a mass account change is being made or mass password changes or things like DCShadow or DCSync type of attacks or those favorite golden ticket type of attacks that can be quite deadly. And so you're really looking for that activity to be able to detect it before any real damages can be done.

And how do users get insights into that? I mean, what are your recommendations in terms of detection methods?

Yeah, a lot has changed. I mean, before a lot of people would be using, you know, logs and other things to look for unusual behavior. But unfortunately, there's just not enough AD administrators and time, quite honestly, to do this in the manual way that's been done before. And so what you've seen in the last year is a lot of automation coming around automated [00:03:17] Active Directory security assessments. And you can use tools for that. So there you can see visibility to vulnerabilities and also the exposure. So not just, you know, are you patched, but also where those misconfigurations are there. And then there's also some really cool two levels of technology. One is to see if an attacker is trying to enumerate Active Directory. And then there's also cool concealment technology that's out today that actually hides the Active Directory objects from the attacker, and then will misdirect them. And they do this by feeding it disinformation. And it's amazing because if the attacker's using [00:03:58] their typical tools, like say BloodHound or Mimikatz, they're going to do their query, they're going to get the information back that they think they're supposed to get. And so they're going to take action, but it's really disinformation that can just steer them into a decoy. And here they kind of spill their beans, right? Now they get all the information collected on their TTPs and they get information so they can shut down that attack, but also get counterintelligence on how that attacker is attacking them. So it's super efficient. It throws off the real attackers. [00:04:29] We see it all the time with pen testers, and the red teams come back and say, hey, I got into your Active Directory. And now, fortunately, the defenders are like, well, no, not really. Here's every step you took from 20 command sets in about what you're doing. So it's really fascinating technology.

Yeah, sounds like a good bit of fun as well. So what are your recommendations then for organizations who want to get started down this journey? They want to better protect their Active Directory assets. Where should they begin?

Yeah, so I think first, take a step back and [00:05:04] understand the word identity, right? There's consumer identity. There's enterprise identity. There's identity, which has been made synonymous with access management. And why I make this differentiation is that, yes, you should do password policies. You should do single sign-on. You should do MFA. But it is not enough for [00:05:25] protecting your credentials in your Active Directory environment. And so the first thing is, get visibility. And again, follow the attacker. They're going to start at the endpoint. So can you see those exposed credentials? Can you see the attack path? Can you see how an attacker would get to your Active Directory? Next is get the visibility to see the exposures that are in Active Directory and reduce the attack surface. So that's kind of step one. Remove the attack surface at the endpoint, remove it at Active Directory. Take a look also at the cloud. [00:05:57] So now with all the cloud infrastructure entitlements and the over-provisioning that's happening out there, be able to understand those. So the who and the what. So who can get to what access or resource? And then from a resource standpoint, especially given non-human identities, what can get to that? And make sure you can shut down those attack paths. And then once you've reduced that attack surface, the next thing is that live attack detection. You want to know if somebody is in there tampering with your Active Directory. And it's really a no-excuse situation anymore, right? [00:06:32] You know, if it is your crown jewels and it can change and cause such damaging harm to your organization, then whether it's driven by compliance or insurance policies, things are going to get tighter. And not protecting your Active Directory could be seen as negligent behavior. And so we know it's coming in 2022, a lot of changes around it. So I definitely encourage businesses to get ready for it and to change their security architectures. It's not hard to do, not expensive to do either, but get ready for the things that are going to be expected around Active Directory protection, because it's just not acceptable not to protect [00:07:09] that valuable of a resource anymore.

That's Carolyn Crandall from Attivo Networks. Thank you.
