Microsoft Active Directory (AD) is just really hard to secure.
That's the overall finding of a 2024 Five Eyes report written by cybersecurity agencies from the US, Australia, New Zealand and the UK. Specifically, it says Active Directory's attack surface is "exceptionally large and difficult to defend against." This has been common knowledge among security professionals for years. Penetration testers and attackers routinely abuse identity attack paths in AD to break into networks while avoiding detection.
But the issue is starting to get wider attention. Recent executive orders and Cybersecurity and Infrastructure Security Agency (CISA) recommendations have tasked government agencies with improving the security of their AD environments. They have their work cut out for them; here's why, and how they should go about it.
What are attack paths?
First, a quick definition. Attack paths are chains of user identities and privileges in Microsoft Active Directory and Entra ID (formerly Azure AD) that can be exploited with techniques like Kerberoasting or password spraying. Attackers use attack paths to move laterally, escalate privilege or establish persistence. They're an extremely common attack tactic; our consulting team finds they played a role in nearly every data breach it analyzes. Attackers can use them to move from object to object until they gain control of tier zero assets like domain controllers. From there they can give themselves whatever access they need to complete their objective (which could be stealing sensitive data, deploying ransomware, and so on).
Why are they a problem for government agencies?
Simply put, all agencies are vulnerable to attack paths and almost guaranteed to face them. AD has been used by nearly all government agencies for decades, and those using Azure GovCloud are using Entra ID as well. Adversaries know that AD is a reliable target, especially in the public sector, where uneven directory hygiene practices and years of technical debt make for easier targets. Abusing an attack path is often difficult for defenders to detect because it resembles normal behavior or uses valid credentials. Some AD attacks can steal authentication tokens to bypass MFA or other security precautions. All of this is brought to bear against government agencies. They're targeted by adversaries of all levels, including highly skilled and well-funded nation-state groups.
Active Directory is also susceptible to compromise because of its age. It's over twenty years old, so its weaknesses are well-known. It supports many legacy protocols and has many default settings that work in adversaries' favor. Human error, misconfigurations, over-privileged users and AD's complex permissions all build up over time (which can be decades for some agencies). These produce attack paths, and an exponential number of them, in fact: large organizations can easily have thousands, if not millions, of attack paths. All these flaws make AD easy to attack and difficult to defend.
Another issue is the lack of tooling for diagnosing Active Directory security problems. Understanding the risks in an AD environment requires understanding which users hold which privileges, but AD makes this very difficult to determine. In one example, AD reported 31 principals added to a local admins group. Some of those principals were groups, however, and those groups had other groups nested inside them. My colleague found that 733,415 users held those local admin rights once all the groups were unrolled. Identity and access management admins and security teams have been doing the best they can, but they have been handicapped by a lack of tools.
Penetration tests aren't a good solution to the problem of attack paths (although they're a good solution to other problems). A pen test can uncover a handful of attack paths at most. If those are fixed, attackers still have hundreds or thousands of other attack paths to choose from.
Managing attack paths as a defender
Despite these weaknesses, AD can be secured. Some of my colleagues who specialize in AD security have developed a method for doing so. It involves mapping the AD environment, finding choke points where a single change removes many possible attack paths, and then remediating them. The key is prioritizing choke points so that defenders know what to focus on first. In my experience, a healthy percentage of all attack paths in an environment can be removed with relatively simple configuration changes that have no downsides. The problem is the lack of visibility, rather than the fix itself. Once defenders know about the problem and how to solve it, they can make big progress.
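To make the two ideas above concrete (group nesting hiding the true set of local admins, and a choke point whose removal cuts many paths at once), here is an added worked example. It is illustration code written for this page, not SpecterOps or BloodHound code, and it runs over a small invented directory graph rather than a real domain. The edge kinds (MemberOf, AdminTo, HasSession, GenericAll) are assumed to follow BloodHound's naming; the principals, hosts and groups are constructed sample data.

```python
"""Attack-path analysis over a small, constructed directory graph.

Added illustration, not SpecterOps or BloodHound code. Edge kinds mirror
the relationships a BloodHound-style collector records from AD; the data
is invented. MemberOf = group membership, AdminTo = local admin on a host,
HasSession = user logged on to a host, GenericAll = full control of object.
"""
from collections import defaultdict

# Constructed sample data: a Domain Admin is logged on to a member server
# that a nested chain of groups administers.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("bob", "MemberOf", "Helpdesk"),
    ("carol", "MemberOf", "Contractors"),
    ("erin", "MemberOf", "Contractors"),
    ("Contractors", "MemberOf", "IT-Staff"),
    ("Helpdesk", "MemberOf", "IT-Staff"),
    ("IT-Staff", "MemberOf", "Server-Operators"),
    ("Server-Operators", "MemberOf", "IT-Staff"),  # nesting loop; AD allows it
    ("Server-Operators", "AdminTo", "SRV01"),
    ("Helpdesk", "AdminTo", "WS01"),               # dead end, no path onward
    ("frank", "GenericAll", "Server-Operators"),
    ("SRV01", "HasSession", "da_admin"),
    ("da_admin", "MemberOf", "Domain Admins"),
]
USERS = {"alice", "bob", "carol", "erin", "frank", "da_admin"}
TIER_ZERO = "Domain Admins"


def effective_members(edges, group):
    """(direct members, everything reachable through nested groups).
    The seen set makes nesting loops harmless."""
    members_of = defaultdict(set)
    for src, rel, dst in edges:
        if rel == "MemberOf":
            members_of[dst].add(src)
    seen, stack = set(), [group]
    while stack:
        for member in members_of[stack.pop()]:
            if member not in seen:
                seen.add(member)
                stack.append(member)
    return set(members_of[group]), seen


def effective_admins(edges, host):
    """What AD shows (direct AdminTo principals) versus which users can
    actually log on as local admin once groups are unrolled."""
    direct = {s for s, rel, d in edges if rel == "AdminTo" and d == host}
    users = set()
    for p in direct:
        users |= {p} if p in USERS else effective_members(edges, p)[1] & USERS
    return direct, users


def attack_paths(edges, sources, target):
    """All simple paths from each source to target, as lists of edges.
    Depth-first with a visited set, so graph cycles terminate."""
    out = defaultdict(list)
    for src, rel, dst in edges:
        out[src].append((rel, dst))
    paths = []

    def walk(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for rel, nxt in out[node]:
            if nxt not in visited:
                visited.add(nxt)
                path.append((node, rel, nxt))
                walk(nxt, visited, path)
                path.pop()
                visited.discard(nxt)

    for source in sources:
        walk(source, {source}, [])
    return paths


def attack_sources(edges, target):
    """Users not already (transitively) members of the target group."""
    return sorted(u for u in USERS if u not in effective_members(edges, target)[1])


def choke_points(paths):
    """Edges ranked by how many paths disappear if that one edge is removed;
    ties break on the edge tuple so the ranking is deterministic."""
    counts = defaultdict(int)
    for path in paths:
        for edge in path:
            counts[edge] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    direct, users = effective_admins(EDGES, "SRV01")
    print(f"SRV01: {len(direct)} direct admin principal(s), {len(users)} effective admin users")
    paths = attack_paths(EDGES, attack_sources(EDGES, TIER_ZERO), TIER_ZERO)
    ranked = choke_points(paths)
    print(f"{len(paths)} attack paths to {TIER_ZERO}; top choke point: {ranked[0]}")
    fixed = [e for e in EDGES if e != ranked[0][0]]  # remediate: end the DA session on SRV01
    print(len(attack_paths(fixed, attack_sources(fixed, TIER_ZERO), TIER_ZERO)), "paths remain")
```

On this data AD would show one principal with admin rights on SRV01, while four users actually hold them through two levels of nesting (and a nesting loop that a naive recursive listing would never finish walking). Every one of the five attack paths to Domain Admins runs through the Domain Admin's logon session on SRV01, so ending that session (and stopping tier zero accounts from logging on to lower-tier hosts) removes all of them in one change, whereas fixing any single user's membership removes only one.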
These efforts also hook into several executive orders and recommendations. The Executive Order on Improving the Nation's Cybersecurity requires agencies to move toward a zero trust architecture, which entails understanding AD privileges. Mapping AD with the method above gives agencies the information they will need to implement zero trust policies, and lets them understand the actual risk in their AD environment as operational intelligence. It also helps agencies move toward the latest Zero Trust Maturity Model from CISA and meets several of its recommendations: auditing AD permissions, separating administrator accounts from user accounts, and implementing the principle of least privilege.
Free tools to do this include BloodHound, PingCastle and Purple Knight (all of which are recommended in the Five Eyes report). Some commercial products have begun to emerge as well, including a few that have received FedRAMP High certification.
I began my career as a cyber operator in the U.S. Air Force, so I know from personal experience that improving AD security will make a meaningful difference in the security posture of our government. While it's not easy, it's possible.
Jared Atkinson is CTO at SpecterOps.
Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.