The frequency and sophistication of cyber crime is growing everyday in line with the increasingly digital workplace.
John Worrall, chief marketing officer of CyberArk asserts that saying the world is becoming a more dangerous place for businesses and their networks would be “a safe understatement”.
Protecting Active Directory has taken on a new sense of urgency, and it's no wonder, as based on what CyberArk has seen in the field, it can take an attacker who has hijacked a privileged credential less than 12 minutes from initial infiltration to being able to take over a domain controller, which hosts the services that constitute Active Directory.
According to Forrester Research, “Active Directory's growing importance also means it's a tempting target for hackers who attack Active Directory infrastructure to elevate privileges and pilfer data.”
Additionally, based on the M-Trends 2016 report, Mandiant's Red Team, on average, is able to obtain access to domain administrator credentials within three days of gaining initial access to an environment.
Once domain administrator credentials are stolen, it's only a matter of time before an attacker is able to locate and gain access to desired information and execute a complete network takeover.
John Worrall explains the journey of a typical cyber attack.
“When you talk to any of the forensics teams doing these investigations, they'll tell you that an attack often starts out at an endpoint, like a typical business user, not an IT administrator,” Worrall says. “The first task of the attacker then is to actually provide themselves with credentials that will give them access to servers and ideally to the active directory environment and more specifically domain controllers.
From there, it's all a downhill slide for your business infrastructure.
“Once the attacker has access to the domain controller, they actually control the creation of new identities, they can grant new permissions to identities they already have access – in the case of ‘Golden Ticket' they can actually get this master key to the identity system within an organisation and no one will know they have it, despite them having unlimited access.
By this point, they essentially own your infrastructure and can do just about anything they want.
Is there a solution?
CyberArk are exclusively focused on securing privileged accounts – those keys to the IT Kingdom, essentially user accounts that are placed in every single device, application, database and others that are within the IT infrastructure to enable the administrative team to deploy and manage them.
“I can't emphasise enough the importance of securing your domain controllers and your active directory infrastructure,” Worrall says. “If you look at the most damaging attacks, every single one of them suffered a compromise at the domain controller.
New real-time threat detection and containment capabilities help organisations secure against cyber attacks targeting Microsoft Active Directory infrastructure. These features enable incident response teams to visualise the threat and shut down in-progress attacks – including Kerberos authentication attacks like “Golden Ticket,” which can lead to a complete network takeover and massive business disruption.
“What we've done is take the proactive control technology we have through our existing solution for privileged account security, and we added new capabilities to privilege threat analytics that specifically looks for very unique and highly-damaging attacks against the infrastructure,” Worrall says. “The new release from CyberArk features targeted analytics and the ability to analyse network traffic to better detect indications of an attack early in the lifecycle, including credential theft, lateral movement and privilege escalation.
If those accounts remain in the control of your trusted IT staff, all is great. If they happen to fall in the hands of the attacker, then they actually take control of the asset, the network and your business.
“CyberArk is all about preventing that initial takeover, while layering in real-time detection capabilities so that if for some reason an account gets compromised, we can detect that malicious activity quickly and actually invalidate those credentials - it's kind of a nice closed-loop system.
If you would like to know more about how to protect your organisation from Golden Ticket attacks, download this white paper today.