To strengthen the security of enterprise networks, the Cybersecurity and Infrastructure Security Agency (CISA), together with several international cybersecurity agencies, has published detailed guidance on detecting and mitigating Active Directory compromises.
Authored jointly by the Australian Signals Directorate (ASD), the National Security Agency (NSA), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom's National Cyber Security Centre (NCSC-UK), the guidance aims to educate organizations about the common techniques malicious actors use to target Microsoft Active Directory.
Active Directory is the foundation of authentication and authorization in enterprise IT networks worldwide, providing services such as Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), and Active Directory Certificate Services (AD CS).
That central role also makes it a prime target for attackers. The guide notes that Active Directory is susceptible to compromise because of its permissive default settings, its complex relationships and permissions, its support for legacy protocols, and the lack of adequate tooling for diagnosing security issues.
Common Techniques Used by Malicious Actors
The guide describes 17 common techniques that malicious actors use to compromise Active Directory.
Key Techniques Include:
Kerberoasting: Abusing user objects configured with a service principal name (SPN) by requesting their ticket-granting service (TGS) tickets, which can then be cracked offline to recover the plaintext password.
Authentication Server Response (AS-REP) Roasting: Targeting user objects that do not require Kerberos pre-authentication, which lets an attacker obtain the AS-REP for the account and crack it offline to recover the password.
Password Spraying: A brute-force technique in which attackers attempt to log in with a small set of common passwords across many accounts.
MachineAccountQuota Compromise: Abusing the default quota that allows an ordinary user to create machine objects in the domain to gain unauthorized access.
Unconstrained Delegation: Abusing objects configured with unconstrained delegation, which lets an attacker who controls them impersonate any user in the domain.
Mitigation Strategies
The guide provides robust mitigation strategies to defend against these threats:
Enforcing Microsoft's Corporate Access Model: This tiered model ensures that Tier 0 user objects (those with the highest level of access) never expose their credentials to lower-tier systems, and that Tier 0 computer objects are managed only by Tier 0 user objects.
Reducing SPNs: Minimizing the number of user objects configured with SPNs to shrink the attack surface for Kerberoasting.
Requiring Kerberos Pre-authentication: Configuring all user objects to require Kerberos pre-authentication to mitigate AS-REP Roasting.
Using Group Managed Service Accounts (gMSAs): Rotating passwords automatically and using long, random passwords to protect service accounts.
Monitoring and Logging: Comprehensively logging and reviewing events such as TGS ticket requests to identify suspicious activity.
Detecting Active Directory compromises can be difficult because legitimate and malicious activity often look alike.
The guide recommends tools such as BloodHound, PingCastle, and Purple Knight to understand and identify misconfigurations and vulnerabilities.
It also recommends reviewing specific event IDs, such as 4769 for TGS ticket requests, to identify potential Kerberoasting activity.
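As an added illustration of that detection idea (example code, not part of the guide or this article), the following Python flags accounts that request RC4-encrypted service tickets for many distinct service accounts within a short window, which is the pattern Kerberoasting tooling tends to leave in event 4769. The event field names are abbreviated, the five-account threshold and five-minute window are assumptions to tune per environment, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"          # 4769 TicketEncryptionType 0x17 = RC4-HMAC (crackable legacy type)
WINDOW = timedelta(minutes=5)   # assumed sliding window
MIN_DISTINCT_SERVICES = 5       # assumed threshold of distinct service accounts

def _ev(time, user, service, etype, status="0x0"):
    # Abbreviated 4769 fields: TargetUserName (requester), ServiceName
    # (account the ticket was requested for), TicketEncryptionType, Status.
    return {"time": time, "user": user, "service": service, "etype": etype, "status": status}

# Constructed sample of 4769 events (values invented for this example).
SAMPLE_EVENTS = [
    _ev("2024-10-01T09:00:01", "alice", "sqlsvc", "0x17"),
    _ev("2024-10-01T09:00:02", "alice", "backupsvc", "0x17"),
    _ev("2024-10-01T09:00:02", "alice", "iissvc", "0x17"),
    _ev("2024-10-01T09:00:03", "alice", "sapsvc", "0x17"),
    _ev("2024-10-01T09:00:04", "alice", "sccmsvc", "0x17"),
    _ev("2024-10-01T09:00:05", "alice", "DC01$", "0x17"),        # machine account, ignored
    _ev("2024-10-01T09:10:00", "bob", "sqlsvc", "0x12"),          # AES256, normal use
    _ev("2024-10-01T09:11:00", "bob", "filesvc", "0x12"),
    _ev("2024-10-01T08:00:00", "svc-monitor", "sqlsvc", "0x17"),  # same service all day
    _ev("2024-10-01T10:00:00", "svc-monitor", "sqlsvc", "0x17"),
    _ev("2024-10-01T12:00:00", "svc-monitor", "sqlsvc", "0x17"),
]

def detect_kerberoasting(events, window=WINDOW, threshold=MIN_DISTINCT_SERVICES):
    """Return {requester: set(service accounts)} for requesters that obtained
    RC4 service tickets for at least `threshold` distinct non-machine service
    accounts inside any `window`-long interval."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["status"] != "0x0" or ev["etype"] != RC4_HMAC:
            continue   # failed requests and AES tickets are not the roasting pattern
        if ev["service"].endswith("$") or ev["service"].lower() == "krbtgt":
            continue   # machine accounts and krbtgt are not Kerberoasting targets
        per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):           # sliding window over sorted requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= threshold:
                flagged[user] = services
                break
    return flagged

if __name__ == "__main__":
    for user, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {sorted(services)}")
```

In a real deployment the requester and service-account fields would be taken from the parsed 4769 event data on a SIEM, and hits should be triaged against known scanning or monitoring accounts before alerting.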
The publication of this guide underscores the urgent need for organizations to prioritize the security of their Active Directory environments.
By understanding the common techniques malicious actors use and implementing the recommended mitigations, organizations can significantly strengthen their security posture and protect against potentially devastating compromises.
As cyber threats continue to evolve, staying informed and proactive is essential to preserving the integrity of enterprise IT networks.
The post CISA Releases Active Directory Security Guide to Mitigate Cyber Attacks appeared first on Cyber Security News.