Cyber Defense Magazine – August 2019


on. As in the real world, gaining such a level of access is rare, but potentially catastrophic for an
organisation.


However, even if they gain lower-level access to Active Directory, threat actors can start working their
way through a system and escalating their privileges until they hit the motherlode. In fact, Active Directory
is critical to every step of the cyber kill chain from reconnaissance, to denial of service, to exfiltration.


Knowing your weaknesses


Active Directory employs Kerberos as its primary authentication security mechanism. Kerberos uses
tickets, including Ticket Granting Tickets (TGTs), to authenticate users. While Kerberos offers
incredibly powerful protection through strong cryptography and third-party ticket authorisation, there are
still a number of vulnerabilities threat actors can exploit to access Active Directory.


Aside from the Golden Ticket attack mentioned above, popular Active Directory attack methods include Pass
the Hash, Pass the Ticket and the Silver Ticket. Many of Active Directory’s vulnerabilities are down to
the almost archaic NTLM encryption, which is very weak by today’s standards. For instance, in Pass the
Hash, threat actors can use brute force to uncover the password behind an NTLM hash and use it to authenticate to
Active Directory. In fact, to perpetrate a Golden Ticket attack, cybercriminals need the NTLM hash of the
hidden KRBTGT account that encrypts the authentication tokens to the domain controllers.


Aside from the technical weak points, threat actors will try to exploit the human element to break into an
organisation’s systems. When looking to extract login credentials from staff, cybercriminals will use
deceptive emails that either contain malicious links and attachments or purport to be from someone
official demanding a username and password.


Proactive security


There are a number of steps an organisation can take to prevent cybercriminals from accessing their Active
Directory and stealing the keys to the kingdom. The first is to know everything there is to know about your
own Active Directory. What are the naming conventions? Security policies? Who are the users? And so
on. Knowledge is power, and having this information to hand means that you are better placed to
protect Active Directory.


This knowledge must be kept up to date with the use of regular monitoring so that any unusual logins or
changes can be spotted and acted upon. To monitor everything on Active Directory in a thorough and
timely way would be almost impossible to manage manually. Fortunately, automation can serve as a
watchdog and alert the security team to any suspicious behaviour or activity.
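As an added illustration of the automated watchdog described above (example code written for this page, not from the article or any product), the following correlates constructed Kerberos audit records and flags two indicators that forged tickets of the kind discussed earlier can leave behind: a service ticket request (event 4769) with no preceding TGT request (event 4768) from the same account and client within the TGT lifetime, and tickets encrypted with RC4 (etype 0x17), which is what a ticket forged from an NTLM hash typically uses. The field names are a simplified stand-in for the Windows Security event schema, not the exact attribute names.

```python
"""Correlate Kerberos audit events to flag likely forged tickets.

Sample records below are constructed for this example; they are not real logs
and use simplified field names rather than the exact Windows event schema.
"""

# Constructed sample: 4768 = TGT requested, 4769 = service ticket requested.
# "etype" is the ticket encryption type; 0x12 = AES256, 0x17 = RC4-HMAC.
SAMPLE_EVENTS = [
    {"id": 4768, "account": "alice", "client": "10.0.0.21", "etype": "0x12", "t": 100},
    {"id": 4769, "account": "alice", "client": "10.0.0.21", "etype": "0x12", "t": 130},
    # No 4768 ever seen for this account/client: TGT was never issued by a DC.
    {"id": 4769, "account": "svc-backup", "client": "10.0.0.77", "etype": "0x17", "t": 400},
    # Legitimate TGT flow, but negotiated down to RC4.
    {"id": 4768, "account": "bob", "client": "10.0.0.30", "etype": "0x17", "t": 500},
    {"id": 4769, "account": "bob", "client": "10.0.0.30", "etype": "0x17", "t": 520},
]

TGT_TTL_SECONDS = 10 * 60 * 60  # default maximum TGT lifetime in AD is 10 hours


def detect_kerberos_anomalies(events, tgt_ttl=TGT_TTL_SECONDS):
    """Return (time, indicator, account, client) tuples, oldest first.

    Events must come from every domain controller in the domain; a TGT issued
    by one DC and redeemed at another is otherwise a false positive.
    """
    findings = []
    last_tgt = {}  # (account, client) -> time of most recent 4768
    for ev in sorted(events, key=lambda e: e["t"]):
        key = (ev["account"], ev["client"])
        if ev["id"] == 4768:
            last_tgt[key] = ev["t"]
        elif ev["id"] == 4769:
            issued = last_tgt.get(key)
            # A service ticket whose TGT the KDC never issued (or that
            # outlived the TGT lifetime) is consistent with a forged TGT.
            if issued is None or ev["t"] - issued > tgt_ttl:
                findings.append((ev["t"], "tgs_without_tgt", *key))
        if ev["id"] in (4768, 4769) and ev.get("etype", "").lower() == "0x17":
            # RC4 on an AES-capable domain is a downgrade worth reviewing.
            findings.append((ev["t"], "rc4_ticket_encryption", *key))
    return findings


if __name__ == "__main__":
    for finding in detect_kerberos_anomalies(SAMPLE_EVENTS):
        print(finding)
```

Run on the constructed sample, it reports one missing-TGT finding for svc-backup and three RC4 findings; in production the same logic would sit on a stream of collected 4768/4769 events rather than an inline list.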


Also worth considering is placing those valuable domain controllers on a network segment that is not directly
connected to the internet. This will make life harder for attackers, as their lateral movement and potential
to escalate privileges will be curtailed.
