Active Directory was compromised, now what?



Similar documents
Privilege Gone Wild: The State of Privileged Account Management in 2015

Beyond the Hype: Advanced Persistent Threats

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Privilege Gone Wild: The State of Privileged Account Management in 2015

Understanding Enterprise Cloud Governance

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

Agilent OpenLAB. Data Store. Disaster Recovery Plan

How To Manage A Privileged Account Management

AD Self-Service Suite for Active Directory

Symantec Enterprise Vault Technical Note. Administering the Monitoring database. Windows

Pass-the-Hash. Solution Brief

Top 10 Most Popular Reports in Enterprise Reporter

Enterprise Reporter Report Library

Use QNAP NAS for Backup

Object Level Authentication

An Oracle White Paper July Introducing the Oracle Home User in Oracle Database 12c for Microsoft Windows

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

How To Configure A Microsoft Virtual Server On A Microsoul.Com (Windows) 2005 (Windows 2005) (Windows Vvirtual) (Powerpoint) (Msof) (Evil) (Microsoul) (Amd

Quest InTrust for Active Directory. Product Overview Version 2.5

Dell One Identity Cloud Access Manager Installation Guide

Navigating the NIST Cybersecurity Framework

8.3. Competitive Comparison vs. Microsoft ADMT 3.1

Active Directory Change Notifier Quick Start Guide

Dell One Identity Cloud Access Manager How To Deploy Cloud Access Manager in a Virtual Private Cloud

Secure Cross Border File Protection & Sharing for Enterprise Product Brief CRYPTOMILL INC

Copy Tool For Dynamics CRM 2013

How Do Threat Actors Move Deeper Into Your Network?

FortiAuthenticator Agent for Microsoft IIS/OWA. Install Guide

Dell Statistica. Statistica Document Management System (SDMS) Requirements

Introduction to Version Control in

CA Nimsoft Monitor Snap

Defender Delegated Administration. User Guide

Virtualization Case Study

As threat actors target various types of networks, companies with improperly configured network infrastructures risk the following repercussions:

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Getting Started

Symantec Backup Exec Management Plug-in for VMware User's Guide

Data center and cloud management. Enabling data center modernization and IT transformation while simplifying IT management

Symantec Event Collector 4.3 for Microsoft Windows Quick Reference

formerly Help Desk Authority Quest Free Network Tools User Manual

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide

Defender 5.7. Remote Access User Guide

The Business Case for Security Information Management

Keeping Tabs on the Top 5 Critical Changes in Active Directory with Netwrix Auditor

HITS HR & PAYROLL CLOUD MODEL WHITEPAPER

SolarWinds Technical Reference

Dell Statistica Statistica Enterprise Installation Instructions

Dell InTrust Preparing for Auditing Microsoft SQL Server

Active Directory Manager Pro New Features

Dell Spotlight on Active Directory Server Health Wizard Configuration Guide

Dell Recovery Manager for Active Directory 8.6. Quick Start Guide

Foglight Experience Monitor and Foglight Experience Viewer

SURVEY REPORT SPON. Identifying Critical Gaps in Database Security. Published April An Osterman Research Survey Report.

Quick Connect Express for Active Directory

DIGIPASS Authentication for Windows Logon Product Guide 1.1

Reference Architecture: Enterprise Security For The Cloud

Streamlining Web and Security

Understanding & Improving Hypervisor Security

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Strong Authentication for Microsoft TS Web / RD Web

Go beyond basic up/down monitoring

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge

43% Figure 1: Targeted Attack Campaign Diagram

Protecting against cyber threats and security breaches

DIGIPASS Authentication for GajShield GS Series

The Essentials Series: Enterprise Identity and Access Management. Authentication. sponsored by. by Richard Siddaway

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

Dell One Identity Cloud Access Manager How to Configure vworkspace Integration

Protecting Data with a Unified Platform

Dell InTrust Preparing for Auditing Cisco PIX Firewall

NCD ThinPATH Load Balancing Startup Guide

SPEAR PHISHING UNDERSTANDING THE THREAT

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide

WHITE PAPER AUGUST Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

FireSIGHT User Agent Configuration Guide

Active Directory Auditing: What It Is, and What It Isn t

Dell InTrust 11.0 Best Practices Report Pack

Migrating Cirrus. Revised 7/19/2007

For Active Directory Installation Guide

A brief on Two-Factor Authentication

Solving the Security Puzzle

How To Protect Your Active Directory (Ad) From A Security Breach

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

Microsoft Dynamics GP. Electronic Signatures

Privileged Account Access Management: Why Sudo Is No Longer Enough

Symantec Backup Exec 2010 R2. Quick Installation Guide

Achieve Deeper Network Security

8.7. Target Exchange 2010 Environment Preparation

formerly Help Desk Authority Upgrade Guide

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud

Transcription:

Need to know details for Administrators Active Directory was compromised, now what? Author Bob Bobel

C a y o S o f t w a r e N e e d 2 K n o w. P a g e 2 About the Author As a Product Management Director, Bob is responsible for driving innovation and strategy for Security, Compliance and Identity products. Bobel combines his twenty+ years of IT management and enterprise software experience to provide strategic vision to high-performance teams through times of growth and change. Bobel previously held Product Management roles at enterprise software companies Netwrix Software and Quest Software Inc. (Acquired by Dell in 2012) While at Quest, Bobel s role included creating the first true Active Directory centric Identity Management platform ActiveRoles Server. A frequent traveler, Bob resides in Ohio with his wife and two children. Email: bob@cayosoft.com LinkedIn: linkedin.com/in/robertbobel Twitter: @rbobel

C a y o S o f t w a r e N e e d 2 K n o w. P a g e 3 Overview Microsoft s Active Directory (AD) provides a secure and stable directory service on which many organizations depend to provide user authentication and authorization. Because AD represents the preverbal keys to the kingdom it typically receives the appropriate level of care and feeding required maintaining it. Despite proper upkeep, there is still a chance that an Advanced Persistent Threats (APT) may be successful and compromise your Active Directory. Because of the nature of APTs a wide range of attacks vectors may be tried that may or may not attempt to subjugate AD directly. The result is that a successful compromise may go undetected for some time until the attacker decides to exploit the compromise by stealing data or making critical systems unavailable. Most administrators are now resigned to the fact that their network will be hacked. It s just a matter of time. It s no secret that there is a lot of activity around cyber security, and the most serious and damaging breach that could happen to any organization is a compromise of their Active Directory (AD) environment. AD is at the heart of many missile critical services, including desktop logins, file & print sharing, email & other communications and collaboration. And once the compromise happens, it can have far reaching effects. Plus, attackers are much more sophisticated, using various tactics to penetrate and then stay hidden within your environment. Reducing the immediate threat Domain Admins role A quick way to reduce the threat to Active Directory is to reduce the number of privileged accounts that can make major changes to Active Directory. This is especially important for AD users who have the Domain Administrators privilege. Because of the Active Directory design, many organizations have dozens or many dozens of users who hold this role. There are several management solutions on the market today that will allow administrators to perform day-to-day tasks without requiring the Domain Administrator s role. Another critical way to reduce the threat to your production environment is to ensure your directory auditing and monitoring solutions are up to the task. Why re-establishing AD after a critical compromise goes beyond normal recovery Because a critical compromise may only be uncovered long after it was introduced the validity and security of backup data because changes made via. the compromise may be indistinguishable from day-to-day administrative changes. The sheer volume of changes made from the time of the compromise s introduction to the current state of the directory data make it virtually impossible to identify the changes intentional vs. non-intentional. The best option and certainly the fastest option is to remove the compromise and maintain your directory data is to migrate the data to a new sanitized directory on clean servers.

C a y o S o f t w a r e N e e d 2 K n o w. P a g e 4 More on Advanced Persistent Threats An Advanced Persistent Threat (APT) typically refers a conspiracy by a group of foreign government attempt or complete some a cyber-attack. What makes these threats particularly scary is after the group or foreign government perpetrating these attacks the compromise may not be exploited until such time as maximum damage can be achieved or when the highest value theft can be achieved. Additional information: For more information on Advanced Persistent Threats see: http://en.wikipedia.org/wiki/advanced_persistent_threat Windows Credential Editor - If you don t think people can get past your complex AD password, check out http://www.ampliasecurity.com/research/wcefaq.html. Conclusion It may be a simple matter of time before your directory gets hacked so you should develop a strategy to deal with the possibility. Because Active Directory is central to key infrastructure services, data and applications AD s mission critical nature must be fully understood. Remember this is a cyber-arms race, and the bad guys only have to win once to get in - you must win every day.

C a y o S o f t w a r e N e e d 2 K n o w. P a g e 5 Cayo Software To get additional practical whitepapers from Cayo Software, please visit www.cayosoft.com. Copyright 2013 Cayo Software Inc. ALL RIGHTS RESERVED. This document is protected by copyright. No part of this document may be reproduced or transmitted for any purpose other than the reader's personal use without the written permission of Cayo Software, LLC. WARRANTY The information contained in this document is subject to change without notice. Cayo Software makes no warranty of any kind with respect to this information. Cayo SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Cayo Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information. TRADEMARKS Cayo and Cayo Software are trademarks of Cayo Software, LLC. in the United States of America and other countries. Other trademarks and registered trademarks used in this document are property of their respective owners. Netwrix is a registered trademark of Netwrix Software. Dell, Quest Software and ActiveRoles are registered trademarks of Dell Computer Corporation. For additional information please see our web site at (www.cayosoft.com)

C a y o S o f t w a r e N e e d 2 K n o w. P a g e 6 This page intentionally left blank

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information