Source: ProofPoint
Identifier: 8627964
Publication date: 2024-12-20 08:29:10 (seen: 2024-12-20 14:08:03)
Title: Reclaiming Active Directory from the Cybercriminals
Text:
Recently, the authors at government cybersecurity agencies in Australia, Canada, New Zealand, the United States and the U.K. put together an important report, Detecting and Mitigating Active Directory Compromises. When you read it, hold on to your security hats.
The report dives deeply into the complexity of Active Directory (AD) and its associated security challenges. It's a no-holds-barred overview. And if your organization has had AD in place for more than a few years, this report will likely raise concerns about the vulnerabilities and misconfigurations that are lurking inside your AD instance. Of course, now that you know, you should probably do something about them.
A key to cybercriminals' success
The ongoing joke in the cybersecurity industry is that since AD is so useful to threat actors, shouldn't it be considered an important tool for them just like Mimikatz, BloodHound, Impacket and others? This joke hints at a larger truth, which is something that the authors highlight in their introduction:
"Malicious actors commonly enumerate Active Directory for information after gaining initial access to an environment with Active Directory. Using the information gained, they seek to understand the structure, objects, configurations and relationships that are unique to each organisation. By doing this, malicious actors sometimes gain a better understanding of the organisation's Active Directory environment than the organisation itself."
Why are security and hygiene around AD so important? Because threat actors repeatedly prove that they are. This year alone there were many notable, publicly disclosed breaches that depended on exploiting and using AD for lateral movement and privilege escalation. The list of these large-scale breaches includes:
Microsoft breach by Midnight Blizzard
TeamViewer compromise by Cozy Bear
Black Basta ransomware attacks
Threat actors need to move laterally from their initial compromise through the middle of the attack chain to their ultimate goal, which is most typically data exfiltration or deploying ransomware. Given this, it's easy to see why access to and exploitation of AD is so critical to their success.
Barriers to sidestepping AD
Are you thinking of getting rid of AD and moving to the cloud to sidestep all these AD security challenges? Certainly, some organizations go down this route. For startups and small businesses, the 100% cloud approach can be a viable strategy.
However, it can also be a massive undertaking because migration is so complex. Identity and access management must be redesigned from the ground up. There are compliance and regulatory requirements (including data residency). Then there are the issues of workforce adaptation and the operational disruption that happens during the transition. And all of this is costly, too. With so many barriers to change, it's likely that AD and its associated security challenges are here to stay for most organizations for the foreseeable future.
A way forward
A key reason that organizations are in this difficult situation in the first place is that there has been a historical lack of governance of AD implementations. This issue has been growing for years, decades even, at most organizations. And it's the result of a host of related issues. AD admins come and go. Business priorities and associated applications change. Entitlement shortcuts are implemented and never removed. Mergers and acquisitions happen. In the midst of all this, AD cleanup is rarely prioritized.
Consequently, its permissions and configurations become so complex and interdependent that administrators are often afraid to start the cleanup process. They often don't know what business process they risk breaking. And they don't know which risks are the highest priority and which accounts and entitlements lead directly to their crown-jewel IT assets.
What organizations need most is a system that continu
Notes: ★★★
Sent: Yes
Tags:
Ransomware
Tool
Vulnerability
Threat
Cloud