In this presentation, taken from the webinar of the same name by Krystian Zieja of CQURE, learn how to boost your Active Directory security and incident response by zeroing in on AD changes.
Key areas covered include how to:
- Monitor and inspect specific situations with security implications in AD
- Leverage Active Directory built-in tools to spot attackers in your environment
- Build a system that can alert and simplify the manual review process
You can catch the full on-demand webinar here: https://www.beyondtrust.com/resources/webinar/unearth-active-directory-threats-bury-enterprise/
Unearth Active Directory Threats Before They Bury Your Enterprise
1. Unearth Active Directory Threats before they Bury your Enterprise
@paulacqure
@CQUREAcademy
CONSULTING
Krystian Zieja
CQURE: Security & Infrastructure Expert
2. What does CQURE Team do?
Consulting services
High quality penetration tests with useful reports: applications, websites, external services (edge), internal services, plus configuration reviews
Incident response emergency services – immediate reaction!
Security architecture and design advisory
Forensics investigation
Security awareness for management and employees
info@cqure.us
Trainings
Security Awareness trainings for executives
CQURE Academy: over 40 advanced security trainings for IT Teams
Certificates and exams
Delivered all around the world only by the CQURE Team: the training authors
5. Current status: Problem definition
More and more successful attacks
Attackers stay longer inside our network
It is hard to detect them
With time they gain more privileges
6. Enterprise: Typical Attack Chain
Tier 0: Domain & Enterprise Admins
Tier 1: Server Admins
Tier 2: Workstation & Device Admins
1. Beachhead (Phishing Attack, etc.)
2. Lateral Movement
a. Steal Credentials
b. Compromise more hosts & credentials
3. Privilege Escalation
a. Get Domain Admin credentials
4. Execute Attacker Mission
a. Steal data, destroy systems, etc.
b. Persist Presence
Compromises privileged access: 24-48 hours
7. Identity is the new security “perimeter”
Active Directory and Administrators control all the assets
8. Identity is the new security “perimeter” under attack
One small mistake can lead to attacker control
Attackers can:
• Steal any data
• Encrypt any data
• Modify documents
• Impersonate users
• Disrupt business operations
Active Directory and Administrators control all the assets
9. Active Directory: What is it?
Active Directory provides:
authentication
authorization
accounting
Because every logon and every access decision passes through it, it is crucial to detect unwanted behavior there as fast as possible
12. Auditing: Start doing that right!!!
Because you will need that information
Requests for audit data are never timely
IT department human resources are limited
Do we have that data??
17. Auditing: Account Logon
Audit Credential Validation (event 4776, NTLM validation on the DC)
Success and Failure
Audit Kerberos Authentication Service (events 4768 and 4771, TGT requests and pre-authentication failures)
Success and Failure
Audit Kerberos Service Ticket Operations (event 4769, service ticket requests)
Success and Failure
18. Auditing: Account Management
Audit Computer Account Management
Success only
Audit Distribution Group Management
Success only
Audit Other Account Management Events
Success only
21. Auditing: DS Access
Audit Directory Service Changes (events 5136-5141: attribute modified, object created, deleted, moved, undeleted)
Success only
Audit Directory Service Access (event 4662)
Success only
Set a SACL on important objects and rights: 4662 is only written for objects whose SACL asks for it
Detect mimikatz's DCSync: audit use of the replication extended rights on the domain root
23. Auditing: Privilege Use
Audit Sensitive Privilege Use
Success and Failure
Trick: to get events for "Backup files and directories" and "Restore files and directories", you must also enable the security option "Audit: Audit the use of Backup and Restore privilege"; without it, use of those two privileges is never logged
25. Auditing: Problems
Active Directory audit events are:
hard to collect
hard to analyze
hard to extract information from
a modification of an attribute in AD results in two events (5136 with Operation Type "Value Deleted" carrying the old value, then 5136 "Value Added" carrying the new one)
26. Auditing: Solutions
Use a central logging server
Forward all your logs to the central server
Configure parsing to make logs searchable
Set up alerting
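Slide 25 says a single attribute change arrives as two events and slide 26 asks for parsing and alerting on the central server; slide 21 asks for DCSync detection. The block below is an added example, not code from the CQURE deck or from any product, showing the three together in PowerShell: it flattens raw Security-log event XML into searchable records, merges the paired 5136 events of one change into a single before/after record, and raises an alert for any 4662 whose Properties field carries a replication extended right from an account that is not on the allow list. The five events at the bottom are constructed for the example; the account names, DNs and domain are made up.

```powershell
# Added example (not from the CQURE deck or any product): parse Security-log
# events into flat records, merge paired 5136 events, flag DCSync-style 4662s.
# The sample events at the bottom are constructed; on a real collector feed it
# (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662,5136}).ToXml() strings.

# Extended-right GUIDs that a replication request carries in the 4662 Properties field.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function ConvertFrom-SecurityEventXml {
    # Flattens <Data Name="X">value</Data> pairs into properties so the record is searchable.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $rec = [ordered]@{ EventId = [int]$doc.Event.System.EventID; Computer = $doc.Event.System.Computer }
    foreach ($d in $doc.Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
    [pscustomobject]$rec
}

function Merge-DirectoryChange {
    # A modification is logged as two 5136 events sharing one OpCorrelationID:
    # %%14675 (Value Deleted) holds the old value, %%14674 (Value Added) the new one.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object EventId -eq 5136 |
        Group-Object OpCorrelationID, ObjectDN, AttributeLDAPDisplayName |
        ForEach-Object {
            $old  = ($_.Group | Where-Object OperationType -eq '%%14675').AttributeValue
            $new  = ($_.Group | Where-Object OperationType -eq '%%14674').AttributeValue
            $kind = if ($old -and $new) { 'Modified' } elseif ($new) { 'Added' } else { 'Removed' }
            [pscustomobject]@{
                Actor = $_.Group[0].SubjectUserName; Change = $kind
                ObjectDN = $_.Group[0].ObjectDN; Attribute = $_.Group[0].AttributeLDAPDisplayName
                OldValue = $old; NewValue = $new
            }
        }
}

function Find-ReplicationAccess {
    # 4662 whose Properties list a replication right. Domain controllers (and a
    # directory-sync service account, if you run one) replicate legitimately, so
    # pass those names in AllowedAccounts; anything else is a DCSync candidate.
    param([Parameter(Mandatory)][object[]]$Events, [string[]]$AllowedAccounts = @())
    foreach ($e in ($Events | Where-Object EventId -eq 4662)) {
        $hits = @($ReplicationRights.Keys | Where-Object { $e.Properties -match $_ })
        if ($hits.Count -eq 0 -or $AllowedAccounts -contains $e.SubjectUserName) { continue }
        [pscustomobject]@{
            Alert  = 'Possible DCSync'
            Actor  = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
            Rights = ($hits | ForEach-Object { $ReplicationRights[$_] }) -join ', '
            Object = $e.ObjectName
            Source = $e.Computer
        }
    }
}

function New-SampleEvent([int]$Id, [System.Collections.IDictionary]$Data) {
    # Constructed event in the shape of Get-WinEvent's ToXml() output (minimal fields only).
    $body = ($Data.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID>" +
    "<Computer>DC01.corp.example</Computer></System><EventData>$body</EventData></Event>"
}

# Constructed sample: one description change (two 5136s), one group membership
# add (one 5136), a DC replicating (benign 4662) and a user doing the same (alert).
$jdoe = 'CN=jdoe,OU=Staff,DC=corp,DC=example'
$sample = @(
    (New-SampleEvent 5136 @{ OpCorrelationID='{A1}'; SubjectUserName='helpdesk1'; ObjectDN=$jdoe; AttributeLDAPDisplayName='description'; AttributeValue='Analyst'; OperationType='%%14675' })
    (New-SampleEvent 5136 @{ OpCorrelationID='{A1}'; SubjectUserName='helpdesk1'; ObjectDN=$jdoe; AttributeLDAPDisplayName='description'; AttributeValue='Senior Analyst'; OperationType='%%14674' })
    (New-SampleEvent 5136 @{ OpCorrelationID='{B2}'; SubjectUserName='helpdesk1'; ObjectDN='CN=Domain Admins,CN=Users,DC=corp,DC=example'; AttributeLDAPDisplayName='member'; AttributeValue=$jdoe; OperationType='%%14674' })
    (New-SampleEvent 4662 @{ SubjectUserName='DC02$'; SubjectDomainName='CORP'; ObjectName='%{DC=corp,DC=example}'; Properties='%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' })
    (New-SampleEvent 4662 @{ SubjectUserName='jdoe'; SubjectDomainName='CORP'; ObjectName='%{DC=corp,DC=example}'; Properties='%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' })
)
$events = $sample | ForEach-Object { ConvertFrom-SecurityEventXml -Xml $_ }
Merge-DirectoryChange -Events $events | Format-Table Actor, Change, ObjectDN, Attribute, OldValue, NewValue -AutoSize
Find-ReplicationAccess -Events $events -AllowedAccounts 'DC02$' | Format-Table -AutoSize
```

The merged output is what a reviewer wants to read: one line per change with actor, object, attribute, old and new value, rather than two raw 5136 events per change. The member-added line on Domain Admins and the DCSync alert for CORP\jdoe are the two records that should page someone; the DC02$ replication is suppressed by the allow list, which is why that list must hold only domain controllers and known directory-sync accounts and nothing an attacker could create for themselves.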
28. PowerBroker Auditing & Security Suite
Centralized real-time change auditing of Active Directory, File Systems, Exchange, SQL and NetApp
Entitlement reporting for AD and File Systems
Continuous backup and recovery for AD