In a recent Food Engineering article entitled “BlackMatter ransomware targets food/agriculture sector,” the Cybersecurity and Infrastructure Security Agency (CISA) recommends—among others—limiting access to resources over the network, that is, removing unnecessary access to administrative shares, and if these shares must be accessed, privileges should restricted to only the necessary service or user accounts needed to perform continuous monitoring for anomalous activity.

Unfortunately, most network systems need to be easy to access and exceptionally secure at the same time. These two paradoxical necessities all too often butt heads, and when administrators settle for the ease of use, cybersecurity goes out the door, leaving a system open to nefarious operators and executable programs.

In a Microsoft Technical Document, “Active Directory Domain Services Overview (AD/DS),” which applies to Windows Servers 2022 going back to 2012, the second paragraph says: “Active Directory (AD) stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.”

In the fourth paragraph, the document states: “Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network.”

Opening the door to your network

Active Directory is known as holding ‘the keys to the kingdom,’ which is why BlackMatter and other nefarious actors have been targeting Active Directory in order to leverage the information within it so bad actors can spread their ransomware, according to Derek Melber, chief technology & security strategist, Tenable. “By compromising Active Directory, bad actors can encrypt the data and effectively hold organizations, and their systems, hostage.”

As an aside, BleepingComputer.com reported on November 3, 2021 that the BlackMatter ransomware group is shutting down “after members have gone missing and increased pressure by law enforcement.” Unfortunately, BlackMatter victims are not off the hook as its infrastructure is still live, and according to BleepingComputer.com, BlackMatter’s affiliates are moving victims to the LockBit ransomware negotiation site. So whether it’s BlackMatter or another ransomware actor, Active Directory is—and will continue to be—under attack by nefarious actors.

How BlackMatter and nefarious actors work Active Directory

BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found, adds Melber.

“BlackMatter enumerates not only computers, but also users, service accounts, groups and more to find other attack paths that lead to privilege escalation,” says Melber. This means that the Local Administrator Password Solution (LAPS) needs to be implemented, password reuse is prohibited, privileged accounts from Active Directory are not allowed to log on to workstations or servers, and resources (shared folders) are secured and removed if not needed.

Once bad actors have compromised Active Directory, it’s game over, says Melber. Organizations, particularly critical infrastructure providers, need to secure their Active Directory environments to cut the attack path off from the very beginning.

Securing your network

Securing AD in a Microsoft Domain can seem like an oxymoron. Can you actually have ease-of-access and use for those who need access and secure AD at the same time? Wouldn’t—though not convenient—a simple file server with dedicated user shares in a peer-to-peer network be safer—where no user logins are stored on one or more servers in an AD network? Maybe that would be practical for a simple small office network, but certainly not at enterprise scale. And while a Linux-based server system may seem more secure to some people, if the Linux system is also running LDAP and SMB protocols to be compatible with Microsoft AD networks, then it hardly matters—or so it would seem.

To work through some of these AD conundrums, I asked Melber for some pointers on securing AD-based networks and detecting and preventing interlopers from entering the system—because once inside the network, these adversaries could easily work themselves into control networks that may be interconnected to the business system.

FE: OK, let’s start with the basic question. Can you actually have ease of use/access and rock-solid cybersecurity in a Microsoft AD/DS network?

Derek Melber: Rock-solid security is possible, but it requires dedicated and continuous work. AD is incredibly complex, and as a result, it’s typically under-managed and security holes are left open. It’s a herculean task to keep on top of all the administrators, systems, group accounts, resource permissions and trust relationships. The directory also is constantly changing through day-to-day operations, making it even harder to manage and know if a change opened up an attack path. AD has numerous configuration options and settings to accommodate innumerable situations for user access and permissions, which means even more opportunities for oversights and discrepancies to be taken advantage of by attackers.

With all of that in mind, in order to feel comfortable about your security posture, you must clean up any misconfigurations that exist in AD now and then constantly monitor and analyze new changes to ensure no new attack paths have opened up.

FE: CISA in its advice to network admins pointed out steps to make AD more secure, but at the same time, these steps seem to limit ease of use—especially for admins. What are your basic recommendations for securing an AD network?

Melber: As I mentioned, keeping AD secure can be complicated and require dedication. I recommend kicking off the process by breaking things down—ensure all of the aspects of AD (users, attributes, groups, etc.) are secured to give yourself digestible tasks to work with. Focusing on both lateral movement and privilege escalation is a good place to start. This means that endpoints should be protected with LAPS and MFA. Also, you should supplement the MFAs by also using the principle of least privilege across all endpoints. This prevents lateral movement, blocks default administration and denies access where necessary. For privilege escalation, this means that all user and group accounts that have privileges in AD need to be secured and ensure there is no configuration drift.

FE: If you’re running Linux servers configured for LDAP and SMB in an AD network, you have the same AD issues, correct? Or would Linux servers be a better choice?

Melber: If AD is involved, this is the issue. The main issues with AD are within the AD database, not the OS itself. So, if Windows or Linux is used, that is really not a factor. Honestly, Linux has many vulnerabilities and misconfigurations that have led to exploits over the years too. If a human can build it, a human can break it!

FE: Would Linux file shares formatted in ext4 be any safer than NTFS in an AD/SMB network? That is to say, if Linux ext4 drives are accessible through SMB, then they look just like Windows shares, making them vulnerable, too. Correct?

Melber: I don’t see NTFS as the issue. Sure SMB has been exploited, but again, it is SMB not the OS that the files are located on. Attackers are not going after the ACL or permission, they are attacking objects to gain privileges or credentials, so they can access resources freely, regardless of where they are stored.

FE: Would the use of advanced routers/firewalls and managed switches help to establish security? If so, how would you implement them?

Melber: Security is not a point solution, but a layering. Routers/firewalls and managed switches are part of that, but not really related to AD.

FE: What detection tools (hardware and/or software) are available to spot nefarious activity on an AD network? Are these systems using AI technologies to spot activities that don’t belong?

Melber: “Detection” is a blanket word. Let’s break this down into a few parts. First, detection is required within AD to know if a setting or configuration (which is needed) is weak and can be exploited. This is the preventative part of AD security. Second, there is detection of an attack. Against AD there are some advanced attacks that are very difficult to detect: DCSync, DCShadow, Golden Ticket, etc. Unfortunately most tools that can detect issues and attacks in AD require agents on every domain controller and usually require privileges. The only solution on the market that requires no agents and no privileges (read only access) is Tenable.ad.

FE: Often, hackers have been able to be on a network for weeks at a time without being noticed. How do you find them? How do you figure out how they broke into the network in the first place? When and how do you lock them out of the network?

Melber: Attackers often only need to compromise one machine in a network to get access to AD, and from there, they can run rampant. They can leapfrog between accounts until they get administrative control and then they can pose as legitimate IT users, authenticate using valid credentials, create new accounts, change user access controls, escalate privileges and move from on-premise to Azure Active Directory in the cloud — all without being detected because they appear to be legitimate, trusted users.

In order to find them, you must monitor for malicious and abnormal activity. This means keeping an eye out for attackers exploiting misconfigurations and impersonating accounts/users. Oftentimes these changes appear like normal behavior to the naked eye, so ensuring your team is equipped to identify them is of the utmost importance. Attacks also must be monitored. From simple methods like password spraying to more advanced methods like DCShadow, they must be addressed immediately to prevent backdooring.

Regardless of the method or level of sophistication, speed is crucial when monitoring and remediating this network activity.

Most organizations find out about a breach by ending up with all of their data being encrypted by ransomware.

FE: What training should network administrators have to make their AD networks safer from outside penetration?

Melber: AD is used in most organizations (90 percent of the Fortune 1000), providing attackers the proverbial keys to the kingdom. It’s much more serious than a compromised endpoint and more prone to attack due to the volume of misconfigurations and constant changes within the directory. Yet, most IT departments are neglecting its security. Until organizations make it a priority to harden AD, we’ll be seeing attackers using it as a key resource in their toolkit just like they did with the SolarWinds attack. The stakes for any organization are too high not to address the security issues in Active Directory, the intelligence at the core of their IT infrastructure.

As for training, every organization needs to have an AD admin that is educated on the finer aspects of AD and security. Not knowing can hurt you! This can be helped with solutions that give the AD administrators insights into misconfigurations, why they are an issue, and how to remediate them. Tenable.ad is full of insights and guidance for administrators and security professionals.

FE: What training should network users have to keep them and their networks safe from nefarious groups like BlackMatter?

Melber: This takes a full team to protect against any allied group. These groups are looking to enter at any point, so every aspect of the network and all devices need to be patched and configured in a secure fashion. It is not training as much as ensuring that every aspect of the network is understood and measures are taken to secure the entry points.

FE: How do you determine if these network interlopers have wandered into controls networks? Do you have any recommendations on protecting controls networks from business networks? What about one-way data such that it travels only from controls to business systems?

Melber: Operation technology (OT) networks are now being tied to AD for control and management purposes. OT and AD both have a similar makeup in that they can have vulnerabilities and misconfigurations, so both need constant attention. If both OT and AD are given the attention they deserve, the attackers will have a smaller attack surface and movement between them will be negated. However, if either is left open and not secured, then exploitation and movement between them will be quite easy.

Detection of malicious actors in AD and OT are the same. Malicious changes, unwanted changes, and attacks need to be monitored and detected constantly and automatically. If a bad actor is already in OT or AD, then it is nearly impossible to know where backdoors were placed.

Due to the way networks work, one-way communications can be difficult, but not impossible. However, when it comes to AD, devices need to talk to AD and AD needs to send info to devices. So, two-way communication is nearly required.

About Derek Melber

Derek Melber is a leading technical instructor, author and consultant who comes to Tenable by way of the Alsid acquisition. He is a 16-time Microsoft MVP with deep knowledge of Group Policy, Active Directory, desktop management and Windows security. As a public speaker and technology evangelist, he has educated AD administrators in over 30 countries about how to efficiently and effectively secure Active Directory and Azure AD. He has published a broad range of educational content, including books, articles and videos, that demystify the most complex and technical subjects in an energetic and understandable style.

Resources:

“Active Directory Domain Services Overview,” Microsoft Docs, 07/29/21, https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview

“BlackMatter ransomware moves victims to LockBit after shutdown,” Lawrence Abrams, BleepingComputer, November 3, 2021, Website accessed November 7, 2021