Insider Threats: The Unknowns of Active Directory Security

There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.

Donald Rumsfeld

 At one point in my career the security boundary was defined by the outside of the network vs the inside.  We setup domains and forests with a particular architecture as these too were how we defined security boundaries.  A lot has changed.  Today we can no longer define the security boundary as we once did.  Today the security boundary is the identity.  Our security teams need to be concerned about security in a very different way than they did in the past.  I really look at all threats to the network as a threat coming from the inside.  I say this because the main objective of an attacker is to get inside the network and steal data.  Once through the perimeter we have an insider threat.  However, while a malicious attacker is one type of threat we also need to be concerned with threats that come from our corporate user population.  These threats can be both intentional and unintentional.  Let’s explore each of these and a few options on how to mitigate.

The Threats

The Hacker:  This group of individuals has the goal of penetrating your network and in general to steal data.  Normally the attack starts with a phishing scam of some sort.  From there they install malicious software that can log keystrokes as you log into your network.  The phishing email could also redirect you to a spoofed site where you login and thus your credentials captured. 

Next the hacker will look for security vulnerabilities on the perimeter of your network.  Unpatched systems like web servers are a good target for the attacker.  Large databases of software and system vulnerabilities exist so finding the right exploit is not a difficult task.

Persistence is the next goal of the attacker.  Attackers will use pass-the-hash and pass-the-ticket techniques to gradually elevate their permissions.  Once they gain admin access to the network they will create new accounts and add themselves to privileged groups so they can maintain access.

The Intentional Malicious Employee:  This group has a few goals and really depends on the state of the employee.  Perhaps a sales person is leaving the company and plans on taking customer data with them to their next job which could be a competitor.  This group of employees could also be interested in stealing trade secrets or perhaps just making life difficult by destroying data and other resources.

The Unintentional Malicious Employee:  This group is not trying to do anything wrong.  However, through just plane ignorance or carelessness this group can cause big issues on the corporate environment.  Depending on which report you read this group can account for about a third of the breaches on the network. 

Now What?

So we have identified some of the threat agents in our environment.  Now we need to determine ways to mitigate and detect these issues.

  1. Auditing and Alerting – This is key. Auditing administrative group and privileged accounts is critical.  If a hacker tries to elevate their permissions by adding themselves to a series of nested group that gives them access to an admin group, we need to be alerted.  We should also review activity of privileged accounts regularly.  For example, you could get a daily\weekly report that shows all activity for the account you use to administer the network.  If everything looks OK you can move on.  If you see something suspicious you can investigate. Quest Change Auditor for Active Directory is a solution that can accomplish this task.
  2. Data Attacks – This could apply to hackers or our intentional malicious user. In the scenario where a user is going to leave the company or is running a side business selling company data we need to be able to detect the activity associated with this attack.  The employee or hacker would search the network for data and in the process would generate success and failed access events on the file system.  If there are a large number of failed access events in a relatively short period of time we should be alerted to this issue.  Normally, users access the data that is part of their job and do not generate a significant number of failed access events. Quest Change Auditor for File Systems (Windows, EMC, NetAPP) can alert administrators when an unusually large number of failed access attempts occur and we can then take action.  We will know the username, workstation, time and the location of the data they are trying to access and what was done to the data.  In addition we could use Quest Desktop Authority Suite to lock down access to removable drives making it more difficult to have data walk out the door.
  3. Recovery - They Just Trashed the Place! Now this could have been done intentionally or unintentionally.  Perhaps an administrator incorrectly deleted a few GPOs during a clean-up.  A junior admin with too many rights just ran a script and incorrectly modified a couple attributes on a huge number of users.  These are all things that occur more often than we like to think.  So, now what? Quest Recovery Manager for Active Directory allows you to recover from these events.  In a few minutes you can have the attributes restored for the users that were incorrectly modified or restore the deleted GPO.  In a more serious disaster situation Quest Recovery Manager for Active Directory Forest Edition can recovery from a full forest disaster in hours, not days.

Understanding the activity in your Active Directory Forest and getting notified when things fall outside the norm is an important part of managing a secure Active Directory environment.  Because we will not be able to stop 100% of the attacks or eliminate all errors caused by users or administrators we should have a plan to recover from these events.  The last thing we want to do is develop our game plan while we are under attack or trying to recover from an event.  Good planning, testing and the right set of solutions will be well worth the time and money spent.