Managing the Insider Threat with Active Directory Security

The insider threat to Active Directory security is real, pervasive and costly. The predominance of AD in enterprises around the globe makes it an appealing target for adversaries who can exploit technical limitations and human factors to launch data breaches from the inside out.

The financial cost of a data breach from an insider attack, including the time and money to restore security to systems, is considerable. About one fifth of companies believe that the cost could exceed $5 million, but more than half of companies candidly admit that they have no idea how high or low to estimate their potential losses from an insider attack.

This paper focuses on Microsoft Active Directory (AD) as a prime target for attackers because of AD’s importance in authentication and authorization for all users. Readers will see how a typical insider threat unfolds and take away Active Directory security best practices that minimize the risk of the insider threat to the availability, confidentiality and integrity of AD.

Unauthorized access to AD is like having a stolen key card: Once attackers are inside the building, they can take the elevator, wander through offices, open desks and look through drawers. With so many accounts under unrelenting attack from within and without, the insider threat to AD is clear and present.


Anatomy of an Insider Attack Against Active Directory
Consider this fictitious story describing how an insider threat caused by weak security controls can affect AD. As the end of support for Windows Server 2003 approaches, a medical products retailer named Acme hires JSmith under a four-week contract to help upgrade its environment to Windows Server 2012. PBrown, the AD administrator at Acme, adds JSmith to the domain administrator group. On Friday of JSmith’s second week, Acme terminates the contract, but nobody tells PBrown to remove JSmith from the administrator group. The following Monday, PBrown finds out that JSmith is no longer working for Acme and removes the contractor from the administrator group. The following steps describe what happens over the weekend.

1. Creating a bogus account
Unhappy that Acme terminated his contract prematurely, JSmith looks for ways including illicit ones to make up the income he had counted on earning. From a friend, he learns of a black-market site where he can make quick money selling credit card data. JSmith logs in to Acme’s network from home using his administrator credentials and creates a new administrator account for himself. To keep the creation of the new account from attracting attention, he calls it corpsvcbk1, following Acme’s naming convention for backup service accounts. He counts on being able to use corpsvcbk1 in case Acme removes or resets the password on his original admin account.

2. Obtaining Domain Admin privileges
JSmith notices a group called CorpOperations, which is a member of the Domain Admins group. He creates a new account in the group and calls it corpsvcbk1. He then covers his tracks by adding it to the nested CorpOperations group, which gives him indirect Domain Admin privileges without raising alerts. (Acme’s generic monitoring system is configured to monitor only direct changes to the Domain Admins group.)
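The gap in Acme’s monitoring is that it compares only the direct member list of Domain Admins, so a privileged account added one level down stays invisible. The following added example (not from the white paper) models the scenario with a constructed before/after snapshot of Acme’s group membership and shows that resolving nested membership surfaces corpsvcbk1 while a direct-only check reports nothing. The group names and members are assumptions taken from the story above.

```python
from collections import deque

# Constructed snapshot of group membership at Acme (assumption, not data from
# the white paper). Each group maps to its direct members; a member may be a
# user or another group.
BEFORE = {
    "Domain Admins": {"PBrown", "CorpOperations"},
    "CorpOperations": {"JSmith"},
}
AFTER = {
    "Domain Admins": {"PBrown", "CorpOperations"},
    "CorpOperations": {"JSmith", "corpsvcbk1"},   # JSmith's bogus account
}


def effective_members(groups, group):
    """Resolve transitive (nested) membership; tolerates membership cycles."""
    seen_groups = set()
    users = set()
    queue = deque([group])
    while queue:
        g = queue.popleft()
        if g in seen_groups:          # already expanded (also breaks cycles)
            continue
        seen_groups.add(g)
        for member in groups.get(g, ()):
            if member in groups:      # member is itself a group: descend
                queue.append(member)
            else:
                users.add(member)
    return users


def direct_change(before, after, group="Domain Admins"):
    """What Acme's monitor sees: only accounts added directly to the group."""
    return after.get(group, set()) - before.get(group, set())


def effective_change(before, after, group="Domain Admins"):
    """What a monitor that resolves nested membership sees."""
    return effective_members(after, group) - effective_members(before, group)


if __name__ == "__main__":
    print("direct additions:   ", direct_change(BEFORE, AFTER))     # set()
    print("effective additions:", effective_change(BEFORE, AFTER))  # {'corpsvcbk1'}
```

Baselining the resolved member set of every privileged group and alerting on any difference closes the gap described in the story, regardless of how deeply the change is nested.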

