Current research regarding cyberattacks shows that hackers target Groups in Active Directory, Azure AD and Office 365. Why are groups so attacker-friendly?
The CrowdStrike 2019 Global Threat Report discusses how long it takes attackers who have compromised a single endpoint to move laterally within your network. The Russians have the best average time at a little under 19 minutes. To accomplish this task, groups of cybercriminals need to follow a rather specific kill chain of tasks. So specific that there’s an entire attack framework devoted to it. Within that framework, there are several points at which additional access is necessary. These include moving laterally within the network, gaining access to Active Directory (AD) Domain Controllers, and granting themselves access to resources. To accomplish this, attackers ultimately rely on Active Directory, Azure AD, and MS 365 groups to provide the access they need.
So, why are groups of interest to cyber attackers?
There are 5 reasons why Active Directory, Azure AD and MS 365 groups are so popular with cybercriminals bent on gaining access to either exfiltrate your data or hold it for ransom:
- Groups are the basis for granting access
  With the exception of one-off permission assignments, groups have long been the gateway for granting access to applications, systems, and data. Left unchecked and outdated, without the proper tools, Active Directory or Azure AD groups are an easy target for cybercriminals.
- Groups already have access
  Which is easier if you were a hacker: explicitly granting a compromised user account the necessary permissions to access, say, your Hyper-V environment, or adding a user to a group that has been granted the access previously? It’s obvious the latter is much easier.
- Groups often have too much access
  Over time groups become repurposed, older permission assignments aren’t removed, groups get renamed, etc. After years of existence, a given group often provides more access than you know about.
- Nesting is the Attacker’s Friend
  Groups make a good hiding spot. Attackers will leverage group nesting within your security groups to further obfuscate the addition of a user object to a group: they first create another group and nest it as a member of the group granted permissions to the target resources.
- Who looks at groups? That’s Right: Nobody
  Think about it – unless you are performing proper group attestation on a regular basis, validating group memberships and permissions assigned to the group, having an extra member in a group will go completely unnoticed.
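
The nesting and attestation points above, shown as an added example that is not from the original article and is not GroupID code: it expands a privileged group's nested membership and reports every user with effective access that the group owner never attested. The group names, user names, `grp:` prefix and data layout are constructed assumptions standing in for a directory export.

```python
from collections import deque

# Constructed sample data: direct members of each group, as a directory export
# might list them. Names prefixed "grp:" are groups, the rest are user accounts.
DIRECT_MEMBERS = {
    "grp:HyperV-Admins": ["alice", "bob", "grp:Infra-Ops"],
    "grp:Infra-Ops": ["carol", "grp:Print-Helpers"],
    "grp:Print-Helpers": ["mallory", "grp:Infra-Ops"],  # nesting loop, must not hang
}

# Constructed attestation baseline: users the group owner last approved.
ATTESTED = {"grp:HyperV-Admins": {"alice", "bob", "carol"}}


def effective_members(group, direct=DIRECT_MEMBERS):
    """Return {user: path} for every user reachable from `group` through nesting.

    `path` is the chain of groups that grants the membership, shortest first.
    """
    found, seen = {}, {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in direct.get(current, []):
            if member.startswith("grp:"):
                if member not in seen:  # skip groups already expanded (cycles)
                    seen.add(member)
                    queue.append((member, path + [member]))
            else:
                found.setdefault(member, path)
    return found


def attestation_findings(group, direct=DIRECT_MEMBERS, attested=ATTESTED):
    """List users with effective access that the owner never attested."""
    approved = attested.get(group, set())
    findings = []
    for user, path in sorted(effective_members(group, direct).items()):
        if user not in approved:
            findings.append({"user": user, "via": " > ".join(path),
                             "nested": len(path) > 1})
    return findings


if __name__ == "__main__":
    for f in attestation_findings("grp:HyperV-Admins"):
        print(f"UNATTESTED {f['user']} via {f['via']} (nested={f['nested']})")
```

Reviewing only the direct member list of the privileged group would show nothing unusual here; the unattested account appears only once the nested groups are expanded.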
GroupID Helps Keep Hackers Away
Eliminate these five blind spots: Automated attestation and lifecycle management have been a part of GroupID for over 20 years. Because groups pose a risk to organizations, it’s necessary to bring some form of group lifecycle management into play within the organization. Utilizing assigned owners of specific groups, IT can periodically lead an attestation team through a process in which each group’s assigned permissions and memberships are attested to. This way, IT is certain each group is configured properly and that no inappropriate members exist.
Cybercriminals are betting on your organization turning a blind eye to the mismanaged state of groups – both on-premises and in the cloud. Ransomware is one method used to leverage this access – so don’t be a victim. GroupID gives IT an easy, out-of-the-box tool for managing groups and always offers Free Trials. Don’t wait: It’s time to take a look at the state of groups throughout your network. By doing so, you’ll reduce the attack surface and make it more difficult for attackers to successfully complete an attack.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.