7 Key Active Directory Risk Indicators on the Varonis Dashboard

All an attacker needs is time and motivation to break into your network. Our job is to prevent that, or at least to make it as hard as possible. Start by identifying the weaknesses in Active Directory (AD) that an attacker can use to gain access and move through the network unnoticed. In this article we look at risk indicators that expose existing gaps in your organization's defenses, using the Varonis AD dashboard as the example.

Attackers exploit certain domain configurations

Attackers use many tricks and vulnerabilities to get inside a corporate network and elevate privileges. Some of these weaknesses are domain configuration settings that are easy to fix once they have been identified.

The AD dashboard notifies you immediately if you (or your sysadmins) have not changed the KRBTGT password recently, or if someone has authenticated with the built-in default administrator account (Administrator). These two accounts effectively provide unlimited access to your network: attackers go after them because they bypass any separation of privileges and access permissions, and with them any data of interest becomes reachable.

You can of course discover these weaknesses yourself: for example, set a calendar reminder to check, or run a PowerShell script that collects the information.

The Varonis dashboard updates automatically to give a quick view of the key metrics that highlight potential vulnerabilities, so you can take remedial action right away.

3 key risk indicators at the domain level

Below are the widgets on the Varonis dashboard whose use will significantly raise the protection of the corporate network and the IT infrastructure in general.

1. Number of domains in which the KRBTGT account password has not been changed for a significant time

KRBTGT is a special account in AD whose key encrypts and signs every Kerberos ticket-granting ticket (TGT). An attacker who obtains the KRBTGT key (through access to a domain controller, or through replication rights used for a DCSync request) can forge a Golden Ticket: a TGT for any user with any group membership, which gives unlimited access to virtually any system on the corporate network. We encountered a case in which an attacker, after obtaining a Golden Ticket, had access to the organization's network for two years. If the KRBTGT password of a domain has not changed in the last forty days, the widget notifies you.

Forty days is more than enough time for an attacker to gain access to the network. A standardized, regular process for changing this password makes it much harder for an attacker to keep that access: a forged ticket stops working once the key it was built with has been rotated out.

Keep in mind that, because of how Microsoft's Kerberos implementation works, you have to reset the KRBTGT password twice: the KDC keeps both the current and the previous key, and tickets encrypted with the previous key remain valid until the second reset. Wait for the first reset to replicate to every domain controller and for the maximum TGT lifetime (10 hours by default) to pass before doing the second one, or the tickets of legitimate users will break.

Going forward, this widget reminds you when it is time to change the KRBTGT password again in each domain of your network.
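The check and the two-step reset described above, as an added PowerShell example (not Varonis code and not a script from the original article). It assumes the ActiveDirectory RSAT module, Domain Admin rights in every domain of the forest, and the forty-day threshold the article mentions; `Reset-KrbtgtOnce` performs a single reset and verifies that it has reached every writable domain controller, and the second run is left to the operator after the TGT lifetime has passed.

```powershell
# Added example, not Varonis code. Reports KRBTGT password age per domain and
# performs ONE reset, then checks replication to every writable DC. Run the
# reset again only after it has converged and the maximum TGT lifetime
# (10 hours by default) has elapsed, so legitimate tickets are not broken.
Import-Module ActiveDirectory

$MaxAgeDays = 40   # assumption: threshold used by the dashboard in the article

function Get-KrbtgtPasswordAge {
    foreach ($domain in (Get-ADForest).Domains) {
        $krbtgt = Get-ADUser -Identity krbtgt -Server $domain -Properties PasswordLastSet
        $age = (Get-Date) - $krbtgt.PasswordLastSet
        [pscustomobject]@{
            Domain          = $domain
            PasswordLastSet = $krbtgt.PasswordLastSet
            AgeDays         = [int]$age.TotalDays
            Stale           = $age.TotalDays -gt $MaxAgeDays
        }
    }
}

function Reset-KrbtgtOnce {
    param([Parameter(Mandatory)][string]$Domain)

    # The DC replaces whatever value is supplied for krbtgt with a randomly
    # generated one, but the cmdlet still needs a value, so use 32 random bytes.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # Reset on the PDC emulator so there is a single authoritative write
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $newPassword
    $reference = (Get-ADUser -Identity krbtgt -Server $pdc -Properties pwdLastSet).pwdLastSet

    # Every writable DC must show the same pwdLastSet before the second reset
    foreach ($dc in (Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $Domain)) {
        $seen = (Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet).pwdLastSet
        [pscustomobject]@{ DC = $dc.HostName; Replicated = ($seen -eq $reference) }
    }
}

Get-KrbtgtPasswordAge | Format-Table -AutoSize
# Reset-KrbtgtOnce -Domain corp.example.com   # hypothetical domain; run, wait > 10 h, run again
```

Run `Get-KrbtgtPasswordAge` on a schedule and treat `Stale = True` the same way as the widget turning non-zero. Do the second `Reset-KrbtgtOnce` only when every DC reports `Replicated = True` and the TGT lifetime has passed; Golden Tickets built with the old key are invalid only after the second reset.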

2. Number of domains in which the built-in administrator account (Administrator) was recently used

Under the principle of least privilege, each system administrator gets two accounts: one for everyday work and a separate one for planned administrative tasks. Nobody should be using the built-in default administrator account.

The built-in administrator account is often used because it simplifies administration. This becomes a bad habit that ends in a breach: if it happens in your organization, you cannot tell legitimate use of this account from potentially malicious access.

If the widget shows anything other than zero, someone is not handling administrative accounts correctly, and you need to take corrective action and restrict access to the built-in administrator account. Once the widget reads zero and administrators no longer use this account for their work, any further use of it indicates a potential cyber attack.

3. Number of domains without a Protected Users group

Older versions of AD relied on a weak encryption type, RC4. In Kerberos, an account's RC4 key is simply its unsalted NT password hash, so any ticket or pre-authentication data an attacker captures for an account that still uses RC4 can be cracked offline with ordinary password-cracking tools. Active Directory in Windows Server 2012 R2 introduced a new type of group, Protected Users. Its members get additional protections: they cannot authenticate with NTLM, cannot use DES or RC4 for Kerberos pre-authentication, cannot be delegated, and their credentials are not cached on the machines they log on to.

This widget shows whether any domain in the organization lacks this group, so you can fix it: the group is created automatically once the PDC emulator role is held by a domain controller running Windows Server 2012 R2 or later. Then put your privileged accounts into it to protect the infrastructure.
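The two remaining domain-level indicators, recent use of the built-in administrator and the presence of Protected Users, as an added PowerShell example (not Varonis code). It assumes the ActiveDirectory RSAT module, read access to every domain in the forest, and a thirty-day window as the meaning of "recently used"; the built-in administrator is located by its RID (500) so renaming does not hide it, and Protected Users by its well-known RID (525).

```powershell
# Added example, not Varonis code. For every domain in the forest:
#  1. has the built-in Administrator (always RID 500) logged on recently?
#  2. does the Protected Users group (RID 525) exist, and which members of
#     Domain Admins / Enterprise Admins are not in it?
Import-Module ActiveDirectory

$RecentDays = 30   # assumption: what "recently used" means for this report

function Get-DomainRiskIndicators {
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $sid    = $domain.DomainSID.Value

        # 1. LastLogonDate comes from lastLogonTimestamp, which replicates with
        #    up to a 14-day lag; it is good enough for "is anyone using this",
        #    not for precise timing (use 4624/4768 events for that).
        $admin  = Get-ADUser -Identity "$sid-500" -Server $domainName -Properties LastLogonDate
        $recent = $admin.LastLogonDate -and ($admin.LastLogonDate -gt (Get-Date).AddDays(-$RecentDays))

        # 2. Protected Users only exists once the PDC emulator has run on
        #    Windows Server 2012 R2 or later; a missing group throws, hence try/catch.
        $protected = $null
        try { $protected = Get-ADGroup -Identity "$sid-525" -Server $domainName } catch { }

        $notProtected = @()
        if ($protected) {
            $members = @(Get-ADGroupMember -Identity $protected -Server $domainName -Recursive |
                         ForEach-Object { $_.SID.Value })
            foreach ($grpName in 'Domain Admins', 'Enterprise Admins') {
                # Enterprise Admins exists only in the forest root domain
                $grp = Get-ADGroup -Filter "Name -eq '$grpName'" -Server $domainName
                if ($grp) {
                    Get-ADGroupMember -Identity $grp -Server $domainName -Recursive |
                        Where-Object { $_.objectClass -eq 'user' -and $members -notcontains $_.SID.Value } |
                        ForEach-Object { $notProtected += $_.SamAccountName }
                }
            }
        }

        [pscustomobject]@{
            Domain                   = $domainName
            BuiltinAdminName         = $admin.SamAccountName   # may have been renamed
            BuiltinAdminEnabled      = $admin.Enabled
            BuiltinAdminLastLogon    = $admin.LastLogonDate
            BuiltinAdminUsedRecently = [bool]$recent
            ProtectedUsersExists     = [bool]$protected
            AdminsNotInProtected     = ($notProtected | Sort-Object -Unique) -join ', '
        }
    }
}

Get-DomainRiskIndicators | Format-List
```

`BuiltinAdminUsedRecently = True` or `ProtectedUsersExists = False` corresponds to the widgets above showing a non-zero value. Add only human privileged accounts to Protected Users, never service or computer accounts: its members lose NTLM, delegation and cached logons, so test each account before adding it.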


Easy targets for attackers

User accounts are the number one target for attackers, from the first intrusion attempts through privilege escalation and the concealment of their activity. Attackers look for soft targets on your network with basic PowerShell or LDAP queries that are hard to detect. Remove as many of these soft targets from AD as you can.

Attackers look for users whose passwords never expire (or who do not require a password at all), service accounts that hold administrative rights, and accounts that still use the old RC4 encryption.

Any of these accounts is either trivial to take over or usually unmonitored. Attackers take over such accounts and move freely inside your infrastructure.

Once attackers get past the security perimeter, they will most likely obtain at least one account. Can you keep them away from sensitive data until you detect and stop the attack?

The Varonis AD dashboard points you to vulnerable user accounts so you can fix them ahead of time. The harder it is to get inside your network, the higher your chances of neutralizing the attacker before serious damage is done.

4 Key Risk Indicators for User Accounts

Below are examples of widgets on the Varonis AD dashboard that point to the most vulnerable user accounts.

1. Number of active users with passwords that never expire

Gaining access to such an account is always a stroke of luck for an attacker. Because the password never expires, the attacker gets a permanent foothold in the network that can then be used for privilege escalation or lateral movement. Attackers hold lists of millions of username and password combinations that they use in credential stuffing attacks, and the chance that the combination for a user with an "eternal" password is on one of those lists is far from zero.

Accounts with non-expiring passwords are easy to manage, but they are not secure. Use this widget to find every account with such a password, clear the setting and reset the password.

Once the value of this widget is zero, any new account created with this flag set will appear on the dashboard.

2. Number of administrative accounts with an SPN

An SPN (Service Principal Name) is a unique identifier for an instance of a service. This widget shows how many service accounts (accounts with an SPN) have full administrative rights; its value should be zero. Administrative SPN accounts arise because granting such rights is convenient for software vendors and application administrators, but it is a security risk.

Any domain user can request a Kerberos service ticket for any SPN; the ticket is encrypted with the service account's key and can be cracked offline (Kerberoasting), which is quick if the account still allows RC4. Giving such an account administrative rights therefore hands an attacker full access through an account that nobody uses interactively. Attackers with access to SPN accounts operate freely inside the infrastructure while avoiding the monitoring that covers human administrators.

Fix this by changing the permissions of the service accounts. Such accounts should follow the principle of least privilege and have only the access their operation really requires.

With this widget you can discover all SPN accounts with administrative rights, remove those privileges, and keep SPNs under control going forward, guided by the same least-privilege principle.

Any newly created SPN appears on the dashboard, so you can keep the process under control.

3. Number of users who do not require Kerberos pre-authentication

Normally, Kerberos pre-authentication requires the client to prove knowledge of the user's key (a timestamp encrypted with it) before the KDC issues anything. With AES-256 the key is derived from the password with a salt and thousands of PBKDF2 iterations, so offline guessing is slow.

If pre-authentication is disabled for an account, anyone on the network can request an AS-REP for that user and receive data encrypted with the user's long-term key, which can then be cracked offline (AS-REP roasting). When the account also still allows RC4, that key is the plain NT hash, and cracking is a matter of minutes. This widget shows which user accounts have pre-authentication disabled. Microsoft still supports both the setting and RC4 for backward compatibility, but that does not mean you should use them in your AD.

Once you have found these accounts, clear "Do not require Kerberos preauthentication" in the account properties in AD (the DONT_REQ_PREAUTH flag in userAccountControl) so the accounts go back to normal pre-authentication, and remove RC4 from their allowed encryption types as well.

Discovering these accounts on your own, without the Varonis AD dashboard, takes a long time, and staying up to date on every account whose settings have been changed to disable pre-authentication or allow RC4 is harder still.

If the value of this widget changes, it may indicate malicious activity: disabling pre-authentication on an account is a known way for an attacker to leave a backdoor.

4. Number of users without a password

Attackers use basic PowerShell commands to read the PASSWD_NOTREQD flag from account properties in AD. When this flag is set, the account is exempt from the domain password policy: it may have an empty password, or one that ignores the length and complexity requirements.
How easy is it to take over an account with a simple or blank password? Now imagine that one of these accounts is an administrator.

What if one of the thousands of confidential files open to everyone is an upcoming financial report?

Bypassing the password requirement is another system-administration shortcut that was common in the past, but it is unacceptable and unsafe today.

Fix this by clearing the flag and setting proper passwords on these accounts.

Monitoring this widget going forward will help you avoid passwordless accounts.
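The four user-account indicators above (non-expiring passwords, administrative accounts with an SPN, no Kerberos pre-authentication, PASSWD_NOTREQD) as one added PowerShell example, not Varonis code and not a script from the original article. It queries the userAccountControl bits with the same LDAP filters an attacker would use, resolves privileged membership recursively rather than trusting the stale adminCount attribute, and shows the cmdlets that clear each flag. It assumes the ActiveDirectory RSAT module and runs against the current domain unless `-Server` is given; `Find-RiskyUsers` and `Repair-RiskyUser` are names chosen for this example.

```powershell
# Added example, not Varonis code. Enumerates the four user-level indicators
# from the article with userAccountControl bit filters and repairs the three
# that are plain flags. Review each account before running the repair.
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_BIT_AND lets a filter test individual UAC bits
$BitAnd               = '1.2.840.113556.1.4.803'
$UAC_DISABLED         = 2
$UAC_PASSWD_NOTREQD   = 32
$UAC_DONT_EXPIRE      = 65536
$UAC_DONT_REQ_PREAUTH = 4194304
$Enabled = "(!(userAccountControl:${BitAnd}:=${UAC_DISABLED}))"

function Find-RiskyUsers {
    param([string]$Server = (Get-ADDomain).DNSRoot)

    # 1. Active users whose password never expires
    $neverExpires = Get-ADUser -Server $Server -LDAPFilter "(&${Enabled}(userAccountControl:${BitAnd}:=${UAC_DONT_EXPIRE}))"

    # 2. Accounts with an SPN (Kerberoastable) that sit in a privileged group.
    #    Enterprise Admins exists only in the forest root, hence the try/catch.
    $privileged = foreach ($g in 'Domain Admins', 'Administrators', 'Enterprise Admins') {
        try { (Get-ADGroupMember -Identity $g -Server $Server -Recursive).DistinguishedName } catch { }
    }
    $adminSpn = Get-ADUser -Server $Server -LDAPFilter "(&${Enabled}(servicePrincipalName=*))" |
        Where-Object { $privileged -contains $_.DistinguishedName }

    # 3. Users that do not require Kerberos pre-authentication (AS-REP roastable)
    $noPreauth = Get-ADUser -Server $Server -LDAPFilter "(&${Enabled}(userAccountControl:${BitAnd}:=${UAC_DONT_REQ_PREAUTH}))"

    # 4. Users flagged PASSWD_NOTREQD (may have an empty password despite policy)
    $noPassword = Get-ADUser -Server $Server -LDAPFilter "(&${Enabled}(userAccountControl:${BitAnd}:=${UAC_PASSWD_NOTREQD}))"

    [pscustomobject]@{
        PasswordNeverExpires = @($neverExpires.SamAccountName)
        AdminWithSpn         = @($adminSpn.SamAccountName)
        NoPreauth            = @($noPreauth.SamAccountName)
        PasswordNotRequired  = @($noPassword.SamAccountName)
    }
}

function Repair-RiskyUser {
    # Clears the three UAC flags and replaces the password. An admin with an
    # SPN is a design problem (separate low-privilege service account or gMSA),
    # not a flag to flip, so it is deliberately not handled here.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server = (Get-ADDomain).DNSRoot,
        [switch]$HumanUser   # force a password change at next logon
    )
    Set-ADAccountControl -Identity $SamAccountName -Server $Server `
        -PasswordNeverExpires $false `
        -DoesNotRequirePreAuthentication $false `
        -PasswordNotRequired $false

    # A cleared PASSWD_NOTREQD flag does not remove an existing empty password,
    # so set a random one now; people then pick their own at next logon.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $random = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Server $Server -Reset -NewPassword $random
    if ($HumanUser) { Set-ADUser -Identity $SamAccountName -Server $Server -ChangePasswordAtLogon $true }
}

$report = Find-RiskyUsers
$report | Format-List
# $report.NoPreauth + $report.PasswordNotRequired | ForEach-Object { Repair-RiskyUser $_ -HumanUser }
```

Each property of the report maps to one widget; a non-empty list is the equivalent of a non-zero value. Resetting the password of a service account will break the service that uses it, so repair service accounts together with their owners and use `-HumanUser` only for interactive accounts.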

Varonis evens the odds

Until now, collecting and analyzing the metrics in this article took many hours and deep knowledge of PowerShell, so security teams had to dedicate resources to the task every week or month. Manual collection and processing of this information gives attackers a head start for infiltrating and stealing data.

With Varonis, deploying the AD dashboard and its additional components takes about a day, and it collects all the weaknesses discussed here and many others. From then on, the dashboard is updated automatically as the state of the infrastructure changes.

A cyber attack is always a race between attackers and defenders: the attacker tries to steal data before security specialists can close off access to it. Early detection of intruders and their activity, combined with strong defenses, is the key to keeping your data secure.

Source: habr.com