
Tenable Blog


How to Strengthen Active Directory and Prevent Ransomware Attacks

Ransomware attacks do not always follow the same steps, but addressing these three trends will allow you to secure Active Directory and disrupt attacks.

Attacks are plaguing organizations around the world every day. New ransomware variants, new exploits, more tactics … it seems the attackers come up with something new every week. But there is a silver lining. Every new attack and breach offers an opportunity to analyze the process the attacker took. From this analysis, we see three distinct trends emerging. By analyzing these trends and securing the tools an attacker is most likely to rely on to be successful, security professionals can reduce risk.

Trend 1: vulnerabilities and misconfigurations

Ransomware attackers are initially compromising enterprises by one of two attack methods:

  • Attackers are exploiting vulnerabilities within the hardware, operating systems, software, applications, etc. of the devices they target. We all know that patching is essential, but it can be like remembering to take our vitamins: we often forget or can't be bothered because we don't see the benefits until it is too late. So, we'll say it again: patch your systems (and take your vitamins, too!).
  • Attackers are leveraging misconfigurations related to hardware, operating systems, software, applications, etc. Just as there are thousands of vulnerabilities to patch, there are thousands of security settings to be configured, many of which are not secured correctly. With simple queries, an attacker can determine what is running on the device they've compromised, allowing them to know exactly which misconfigurations to look for. Securing these configurations before the attacker can ever see them is essential.

Trend 2: gaps in existing tools and practices

Current security tools and practices are not sufficient to secure our networks. The following is a list of common tools and practices. While each of these is useful, they all leave security teams with major gaps in coverage:

  • Pen testing
  • Assessments
  • Audits
  • Active Directory monitoring
  • SIEM solutions
  • User Behavior Analytics
  • Artificial Intelligence
  • Endpoint Detection and Response (EDR) and antivirus (AV)

Many of these solutions offer point-in-time visibility, meaning the results are quickly outdated. Others run more continuously, but they do not dig deep enough into the network infrastructure to show what the attacker sees.

Trend 3: Active Directory is a pathway

Regardless of the entry point a ransomware attacker targets, Active Directory is always involved as a next step in the attack. Over and over again we see forensic proof that Active Directory was leveraged to move laterally and gain privileges in order to deploy ransomware.

For example, RYUK and XingLocker (a variant of MountLocker) specifically need Active Directory to be involved, otherwise these attacks fail. Attackers know how to enumerate and analyze Active Directory, so they rely on it for a successful breach and deployment of their malicious software. Active Directory is at the center of authentication and resource access for most organizations, which is another key reason attackers love to leverage it.

The solution: three steps for reducing ransomware risk

Bucking these three trends, and addressing the key tools in your infrastructure that are most likely to gain the focus of the attackers, will help you see and target what the attackers are targeting. The following three steps are foundational for securing Active Directory and managing vulnerabilities to reduce the risk of ransomware.

  1. All of the environment needs to be secured, immediately. Easy to say, not so easy to do. The existing hardware, operating systems, applications, software and Active Directory itself all need to be secured. Security professionals should expect an attacker to enumerate and analyze any and all aspects of the network and prepare accordingly.
  2. The work invested in securing your network and all devices should not go to waste. Once you have patched and secured configurations throughout the network, including Active Directory, these efforts need to be maintained constantly. That means 24x7 continuous and automatic analysis of all vulnerabilities and configurations needs to occur. Think of it as continuously keeping your attack surface as small as possible.
  3. The ability to detect attacks is vital. Simpler attacks, such as password spraying and guessing, need to be detected as soon as they are started, so they can be shut down immediately. Likewise, even more advanced attacks, like DCSync, DCShadow and Golden Ticket, which are all used to leverage Active Directory, need to be detected as they occur. Due to the nature of these attacks, many commonly available tools cannot correctly detect them. Yet, these advanced attacks are used for persistence and backdoors, as well as to open up new attack paths. Sophisticated solutions are needed to fill these gaps in monitoring and detection.
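
As an added illustration of the detection step (example code, not part of the original post), the Python below applies two simple rules to constructed Windows Security event records: a sliding-window count of distinct accounts failing logon (event ID 4625) from one source address, which is the signature of password spraying, and a check for event ID 4662 entries in which an account that is not a known domain controller exercises the DS-Replication-Get-Changes control-access rights that a DCSync request needs. The record field names, the sample events, the DC01/DC02 account list and the thresholds are assumptions made for this example; the two replication-right GUIDs are the well-known Active Directory values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs an account must exercise to pull secrets through
# the directory replication protocol (the rights a DCSync request needs).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Assumption: computer accounts of the real domain controllers, fed in from inventory.
DC_ACCOUNTS = {"CORP\\DC01$", "CORP\\DC02$"}


def _t(hhmmss, plus_seconds=0):
    """Build a timestamp on one constructed day from 'HH:MM:SS' plus an offset."""
    base = datetime.strptime("2021-09-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")
    return base + timedelta(seconds=plus_seconds)


# Constructed sample records standing in for parsed Security-log events.
# 4625 = failed logon; 4662 = an operation was performed on a directory object.
SAMPLE_EVENTS = (
    # One source address fails against twelve different accounts in two minutes.
    [{"id": 4625, "time": _t("09:00:00", 10 * i), "src_ip": "10.20.0.50",
      "target": f"CORP\\user{i:02d}"} for i in range(12)]
    # The same user failing three times from one workstation: a typo, not a spray.
    + [{"id": 4625, "time": _t("09:05:00", 5 * i), "src_ip": "10.20.0.77",
        "target": "CORP\\alice"} for i in range(3)]
    # A domain controller replicating with a peer: expected behaviour.
    + [{"id": 4662, "time": _t("09:10:00"), "subject": "CORP\\DC02$",
        "object_type": "domainDNS", "properties": [DS_REPLICATION_GET_CHANGES_ALL]}]
    # A service account exercising replication rights on the domain object.
    + [{"id": 4662, "time": _t("09:11:30"), "subject": "CORP\\svc_backup",
        "object_type": "domainDNS",
        "properties": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]}]
)


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=10):
    """Return {src_ip: distinct_accounts} for every source whose failed logons
    (4625) hit at least `min_accounts` different accounts within any `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625:
            by_ip[ev["src_ip"]].append((ev["time"], ev["target"]))
    hits = {}
    for ip, failures in by_ip.items():
        failures.sort()  # chronological, so each window starts at one failure
        best = 0
        for start in range(len(failures)):
            t0 = failures[start][0]
            seen = {tgt for t, tgt in failures[start:] if t - t0 <= window}
            best = max(best, len(seen))
        if best >= min_accounts:
            hits[ip] = best
    return hits


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """Return the accounts that exercised replication rights on a directory
    object without being one of the known domain controller accounts."""
    flagged = []
    for ev in events:
        if ev["id"] != 4662 or ev["subject"] in dc_accounts:
            continue
        if REPLICATION_RIGHTS & set(ev["properties"]):
            flagged.append(ev["subject"])
    return flagged


if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(SAMPLE_EVENTS))
    print("DCSync suspects:", detect_dcsync(SAMPLE_EVENTS))
```

Two caveats apply in a real deployment. Event 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object's SACL audits those rights, so the second rule stays silent on a domain controller that has not been configured for it. The domain controller allow-list also has to come from a trusted inventory and be re-checked regularly, because the rule trusts anything on that list.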
