Reducing Active Directory Attack Surface to Minimize the Risk of Ransomware

Introduction

Ransomware has taken the media by storm in recent years and caused fear among many business leaders. In response, many organizations are rushing to assess their ability to detect, respond to, and recover from ransomware events.


I have reflected on several cases IBM X-Force IR investigated in recent months and concluded that one of the best things organizations can do to minimize the risk of ransomware is to lock down access control and harden their Active Directory deployment. Credential harvesting and privilege escalation are critical steps in the attack lifecycle. Threat actors cannot exfiltrate data and deploy ransomware without privileged credentials.


This blog discusses how your organization can prevent a threat actor from escalating privileges to Domain Admin after an initial compromise.


What is Attack Surface Reduction?

An attack surface is the area of your technology stack exposed to potential exploitation and unauthorized access. An attack surface is present in almost every component of your technology stack, including:

  • The application area exposed directly to the Internet, such as the front-end

  • Infrastructure and middleware components, including web servers and operating systems hosting those web servers

  • Backend-end components, such as databases and application servers

  • Enterprise services, such as Active Directory Domain Services

Attack Surface Reduction focuses on reducing potential exploitation areas to prevent unauthorized access. Examples include reducing the entry points into the network, hardening systems, and locking down access control mechanisms to allow system access to authorized users only.


This blog post focuses on reducing the attack surface of your Active Directory deployment to better protect your organization against credential harvesting techniques.


Ransomware Attack Lifecycle

Before discussing specific Active Directory hardening measures, let’s briefly go over the typical ransomware attack lifecycle. Recently, my colleague, John Dwyer, mapped out the attack stages and the tactics employed by a threat actor during a recent ransomware case we investigated. The mapping is outlined in Figure 1 below.

Figure 1 - Ransomware Attack Lifecycle*.


I want to draw your attention to the steps highlighted in blue. They represent privilege escalation through credential harvesting at the following stages:

  • Initial compromise where the threat actor gained elevated privileges on the local system to establish a foothold and move laterally.

  • Enumerating and dumping credentials on member servers to further escalate privileges and gain domain admin (DA) access to the Windows environment.

  • Finally, using the DA credentials to deploy ransomware across the Windows environment.

Credential harvesting and privilege escalation are critical to the attack lifecycle. Without elevated privileges, it is extremely difficult for a threat actor to move laterally, exfiltrate data, or deploy ransomware. For this reason, I argue that securing access to Active Directory and hardening systems against credential harvesting, such as credential dumping, should be the top priority for every organization.


Reducing Active Directory Attack Surface

Reducing the attack surface of an Active Directory deployment is not an easy task. It requires careful planning, execution, and control validation. Based on my experience with post-breach remediation, an incremental approach focused on immediate, tactical, and strategic measures is the most effective. This post provides examples of specific controls you can implement at each of those phases. I also encourage you to consult Microsoft documentation for details as many of the recommendations are based on best practices prescribed by the vendor.


Immediate Controls

Immediate controls are measures that organizations can implement as part of day-to-day operations with low anticipated effort and cost. These include:

  • Prohibit workstation and server logins with Enterprise Administrator (EA) and Domain Administrator (DA) accounts

  • Monitor privileged accounts for abnormal activities, such as interactive logons with service accounts

  • Disable interactive logon for service accounts

  • Deploy the Microsoft Local Administrator Password Solution (LAPS) to manage the local administrator accounts and ensure the password is randomized across systems

  • Audit Active Directory security groups and group policy objects (GPO) and remove orphaned accounts and unnecessary privileges

  • Remove accounts from the DA group and delegate administrative privileges through security groups

  • Disable workstation-to-workstation communication on ports such as TCP 445 (SMB)

Tactical Controls

Tactical controls are short-term measures that often require budget and dedicated projects ranging from one to six months of anticipated effort. These include:

  • Separate administrative accounts into tiers to create buffer zones and minimize the risk of lateral movement when a threat actor compromises an account

  • Deploy a secure administrative host, also referred to as jump server, for access to trusted security zones from untrusted network segments

  • Implement multi-factor authentication (MFA) for interactive logons

  • Implement management service accounts to address password management issues associated with service accounts

  • Restrict software execution on jump servers and domain controllers

  • Design a delegation model for administrative tasks based on the principle of least privilege

Strategic Controls

Strategic controls are long-term measures that require budget and dedicated projects that typically take six months or longer. These include:

  • Implement Privileged Access Management (PAM) to manage and secure the credentials for privileged accounts.

  • Move domain controllers to a dedicated network segment and lock down access to that segment through network firewall rules. Also, only allow interactive logon to domain controllers from hardened jump servers.

  • Implement network segmentation to reduce the possibility of lateral movement.

  • Migrate applications from NTLM authentication to Kerberos

Conclusion

Credential harvesting and privilege escalation are critical to ransomware and any other infrastructure-level attacks. Threat actors cannot easily exfiltrate data and deploy ransomware without privileged credentials. For this reason, organizations need to focus on locking down access control and hardening Active Directory to minimize the risk of a successful ransomware attack. This task is not easy. It requires careful planning, execution, and control validation. However, it is worth the effort, and certainly, it is a more manageable undertaking than recovering environments in a heroic effort after a successful ransomware attack.


* Graphic acknowledgements: IBM X-Force IR and John Dwyer.