It’s time we turn our attention to monitoring and alerting on changes and suspicious behavior in your Active Directory environment. This is part 4 of my National Cyber Security Awareness Month series focusing on Active Directory security guiding principles.
So far in this series we’ve talked about how to reduce your Active Directory security attack surface by cleaning up users and groups, performing regular reviews and applying best practices to Group Policy Objects (GPOs). However, even when you batten down all the hatches against the threats outside, the bad actors can still get in through tactics like social engineering and phishing or good ol’ insider recruitment of insider threats (just peruse the U.S. Department of Justice Intellectual Property Task Force news feed).
Below is the entirety of my series with links to those already published:
- Part 1: IT security is national security
- Part 2: Reduce your attack surface
- Part 3: revisit group policy management often
- Part 4: CONSTANT VIGILANCE a.k.a. monitor and alert
- Part 5: Quickly investigate, remediate and recover
On to monitor and alert!
CONSTANT VIGILANCE in Active Directory
You’ve heard this enough already regarding Active Directory security – you must be continually on watch or guard against a threat. The phrase “CONSTANT VIGILANCE” comes from the Harry Potter book series by J.K. Rowling, specifically as shouted by the bizarre and paranoid auror Alastor “Mad-Eye” Moody. The irony with this character is that for most of inaugural book (Harry Potter and the Goblet of Fire), Moody was in fact not Moody but someone who co-opted his image to gain access to Hogwarts and kidnap The Boy Who Lived.
Do you SEE the similarities to a bad actor in your Active Directory? Compromised account. Impersonating an insider. Intent on doing bad things?
When you’re considering your role as an Active Directory administrator in securing your network, remember, all an attacker needs to steal your organization’s intellectual property is an account, rights and access.
Also remember, Microsoft reports that 95M AD accounts are the target of cyberattacks every day2 and that 10M Azure AD login attempts each day are cyberattacks.3
The problem with CONSTANT VIGILANCE
Many organizations are already employing Active Directory monitoring and alerting with a specific AD auditing tool or a SIEM solution. The problem isn’t collecting the data, its making sense of it. After all, the vast majority of the audit data you collect represents normal, legitimate activity, such as successful logons and authorized data access events. Abnormal activity accounts for a very small percentage, and truly suspicious activity is an even smaller fraction. How can you isolate the signal from the noise?
Approach #1: Rule-based threat detection
Most threat detection tools use rules that identify specific events that are potentially concerning. For example, a rule can trigger an alert when a user tries and fails to authenticate seven times within five minutes, or any time a user is added to a sensitive security group.
But while a rule-based strategy will definitely alert you to some potential threats, it has several critical drawbacks:
- It generates far too many false positives.
- It captures only the activity defined by a rule and no anomalous activity outside of that rule
- The rules need to be constantly tuned.
Approach #2: Pattern-based threat detection
Instead of relying on security analysts to pre-identify the threat conditions and alerting on individual events, pattern-based threat detection uses the model and baselines to alert only when something is truly outside the norm. Specifically, pattern-based detection employs machine learning to quickly establish behavioral similarities between users, devices, applications and so on, and to identify outliers or anomalous patterns against the context of normal activity.
Effective Active Directory monitoring and alerting
As you evaluate user threat detection solutions for Active Directory, keep your larger goals in mind. You need a solution that will enable you to spot anomalous activity that indicate a compromised system or account, data leak or exfiltration or insider abuse, while generating relatively few false positives. Also it should help you focus on the biggest threats first and give you the information necessary to complete your investigations in time to prevent or at least limit damage.
Here are the key features to look for in a solution to help you achieve those goals:
- Advanced user and entity behavioral analytics (UEBA) — Look for a solution that can analyze historical data to create user behavior baselines, and then uses the constant stream of incoming data to update and improve those models (not created rules).
- Data enrichment and correlation — Look for a solution that correlates events, unifying multiple anomalies and supporting information into a single alert to reduce the volume of alerts and facilitate analysis.
- Risk scoring and prioritization — Potential threats should be prioritized by risk level to ensure analysts can identify and investigate the most serious threats first.
- Clear contextual information — Each potential threat should be presented to show the sequence of events and their relationships, to facilitate quick investigation and response.
- Analyst input — The solution should enable the analyst to provide input that feeds back into the risk scoring and prioritization model.
Next steps
Getting threat detection right is important to CONSTANT VIGILANCE. It’s critical to find a threat detection solution that hones in on the patterns outside the norm and reduces the noise of false positives generated by legitimate activity. Change Auditor Threat Detection is an advanced security solution that uses advanced machine learning, UEBA, anomaly detection, event correlation and risk scoring technologies to identify true threats in your environment and facilitate quick, effective response.
And if you think no one is really trying to hack into your AD, or you know they are and you’re trying to understand why, then watch the on-demand webcast that explores WHY your role in securing your organization is indeed a matter of national security.
Sources:
- Photo by Caleb Oquendo from Pexels.com
- https://www.zdnet.com/article/active-directory-czar-rallies-industry-for-better-security-identity/
- https://news.softpedia.com/news/microsoft-sees-over-10-million-cyberattacks-per-day-on-its-online-infrastructure-503774.shtml