Active Directory Security and the Insider Threat [New White Paper]

“I’m fed up with insider threats. Don’t those people have better things to do than to launch a cyberattack against our Active Directory?”

I’ve lost count of the number of times I’ve heard CIOs, IT directors and other cybersecurity professionals pose that question. Unfortunately, there is just one simple answer:

“No, they don’t.”

So we’d all better get used to it.

Whether it’s a cyberattack, data breach or other lapse of internal security, the danger of the insider threat is growing. As if the bad guys’ pursuit of your financial and personally identifiable information (PII) weren’t enough, they’re also coming up with more and more unsavory ways of getting to your AD.

A few weeks ago, researchers showed how to steal AD credentials over the Internet while a user is visiting a web page, reading an email in Outlook or opening a video in Windows Media Player. Attackers could use those stolen credentials to authenticate on any of your Windows servers where the user has an account, including in the cloud.

Why? Because they don’t have anything better to do.

You, on the other hand, have plenty of better things to do than to spend all day playing whack-a-mole against insider threats. That’s why we wrote “Managing the Insider Threat with Active Directory Security,” a new white paper on the anatomy of an AD insider threat.

Insider threats and Active Directory

Insider threat” doesn’t necessarily mean that your employees, contractors or visitors are out to get you. Most of the time it means that some insider you trust is a weak link — opened the wrong attachment, missed the employee security training, clicked on the wrong link, got phished — and inadvertently gave a malicious outsider a break.

Those outsiders can give themselves access to all kinds of resources on your network and in the cloud, such as customer information, billing data, financials and human resource info. It’s as if someone stole a key card to your executive offices as was able to wander through offices and poke around in desk drawers.

But a few security guards in the right places can tell when a bad guy is wandering around your office and put a stop to it. It’s different with cybersecurity – there’s no such thing as a report that spells it all out for you, as in the image below:

The biggest danger to Active Directory from insider threats is that it’s hard to tell when a bad guy is lurking in your network. By the time he gets to AD, he can usually cover his tracks and stay hidden a long time.

New white paper – Managing the Insider Threat with Active Directory Security

Do you know how an insider threat and attack against AD plays out? We’ve outlined one for you in a new white paper on cybersecurity, “Managing the Insider Threat with Active Directory Security,” by Alvaro Vitta, one of our principal AD security consultants.

See what motivates JSmith, a hypothetical but dismayingly realistic Windows administrator, to take advantage of his elevated access privileges and perpetrate an insider threat against Acme, a hypothetical but dismayingly realistic company. Read how he progresses through each step in his nefarious cyberattack:

  1. Creating a bogus account
  2. Obtaining Domain Admin privileges
  3. Accessing the file servers
  4. Setting up eavesdropping
  5. Cleaning up behind himself

Learn what attackers like JSmith look for and exploit in Active Directory and the Windows security scheme. Take notes, plug up your own similar vulnerabilities and see how tight AD security is also an essential part of governance, risk management and compliance (GRC).