In the quest to gain access and control over your network, the bad guys always take the path of least resistance – Active Directory groups. Read on and learn why groups are so attacker-friendly.
The CrowdStrike 2019 Global Threat Report discusses how long it takes attackers that have compromised a single endpoint to move laterally within your network. The Russians have the best average time at a little under 19 minutes. To accomplish this, groups of cybercriminals need to follow a rather specific kill chain of tasks. So specific, in fact, that there’s an entire attack framework devoted to it. Within that framework, there are several points at which additional access is necessary: moving laterally within the network, gaining access to Active Directory (AD), and granting themselves access to resources. To get that access, attackers ultimately rely on groups.
So, why are groups of interest to cyberattackers?
There are 5 reasons why groups in AD are so popular with cybercriminals bent on gaining access to either exfiltrate your data or hold it for ransom:
- Groups are the basis for granting access – With the exception of one-off permission assignments, groups have long been the means by which multiple users are granted access to applications, systems, and data. So they are a natural target for cybercriminals, providing the easiest way to gain access to those very same internal resources.
- Groups already have access – Which is easier if you were a hacker: explicitly granting a compromised user account the permissions needed to access, say, your Hyper-V environment, or adding that user to a group that has already been granted the access? It’s obvious the latter is much
- Groups often have too much access – Over time groups get repurposed, older permission assignments aren’t removed, groups get renamed, etc. After years of existence, a given group often provides far more access than you believe it does.
- Nesting is the Attacker’s Friend – Groups make a good hiding spot. Attackers leverage group nesting to further obfuscate the addition of a user to a group: they first create another group, add the user to it, and then nest that new group as a member of the group that has been granted permissions to the target resources.
- Who looks at groups? That’s Right: Nobody – Think about it: unless you are performing proper group attestation on a regular basis, validating both group memberships and the permissions assigned to each group, an extra member in a group will go completely unnoticed.
Because groups pose a risk to organizations, it’s necessary to put some form of group lifecycle management in place within the organization. Using the assigned owners of specific groups, IT should periodically lead an attestation team through a process in which each group’s assigned permissions and memberships are attested to. This way, IT is certain each group is configured properly and that no inappropriate members exist.
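As an added example (not code from the original post), here is the core of what such an attestation check has to do: expand a group’s membership through every level of nesting, so that a user tucked into a nested group still shows up, and diff the result against what the owner last attested to. The group names, users and baseline below are constructed for illustration; against a real directory the same logic would be fed from the group objects themselves.

```python
# Added example, not from the original article: resolve the effective membership
# of a group through nested groups and compare it with an attested baseline.
# All directory data here is constructed for illustration.
from collections import deque

# Constructed sample: group -> its direct members (user names or other groups).
DIRECTORY = {
    "HyperV-Admins": ["alice", "bob", "Infra-Ops"],
    "Infra-Ops": ["carol", "Contractors-Temp"],
    "Contractors-Temp": ["mallory", "HyperV-Admins"],  # nesting loop, also handled
}

# Membership the group owner last attested to (constructed baseline).
ATTESTED = {"HyperV-Admins": {"alice", "bob", "carol"}}


def effective_members(group, directory):
    """Return {user: path}, where path lists the groups traversed to reach the user."""
    seen_groups = {group}
    users = {}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in directory.get(current, []):
            if member in directory:            # member is itself a group: descend
                if member not in seen_groups:  # guard against nesting cycles
                    seen_groups.add(member)
                    queue.append((member, path + [member]))
            elif member not in users:          # first (shortest) path to a user wins
                users[member] = path
    return users


def attestation_findings(group, directory, attested):
    """Users with effective access that the owner never attested, with the path that grants it."""
    effective = effective_members(group, directory)
    baseline = attested.get(group, set())
    return {u: " > ".join(p) for u, p in effective.items() if u not in baseline}


if __name__ == "__main__":
    for user, path in attestation_findings("HyperV-Admins", DIRECTORY, ATTESTED).items():
        print(f"unattested member {user!r} reaches the group via {path}")
```

Run as-is it reports mallory, who never appears in HyperV-Admins directly but inherits its access two levels down through Contractors-Temp.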
Cybercriminals are betting on your organization turning a blind eye to the mismanaged state of groups – both in AD and even within the cloud. It’s time to take a look at the state of groups throughout your network, pulling back the reins on over-permissioning, bloated memberships, and zero accountability. By doing so, you’ll reduce the attack surface and make it more difficult for attackers to successfully complete an attack.