
Tenable Blog


How to Strengthen Active Directory and Prevent Ransomware Attacks

Ransomware attacks do not always follow the same steps, but addressing these three trends will allow you to secure Active Directory and disrupt attacks.

Attacks are plaguing organizations around the world every day. New ransomware variants, new exploits, more tactics … it seems the attackers come up with something new every week. But there is a silver lining. Every new attack and breach offers an opportunity to analyze the process the attacker followed. From this analysis, we see three distinct trends emerging. By understanding these trends and securing the tools an attacker is most likely to rely on to be successful, security professionals can reduce risk.

Trend 1: vulnerabilities and misconfigurations

Ransomware attackers are initially compromising enterprises by one of two attack methods:

  • Attackers are exploiting vulnerabilities within the hardware, operating systems, software, applications, etc. of the devices they target. We all know that patching is essential, but it can be like remembering to take our vitamins: we often forget or can't be bothered because we don't see the benefits until it is too late. So, we'll say it again: patch your systems (and take your vitamins, too!).
  • Attackers are leveraging misconfigurations related to hardware, operating systems, software, applications, etc. Just as there are thousands of vulnerabilities to patch, there are thousands of security settings to be configured, many of which are not secured correctly. With simple queries, an attacker can determine what is running on the device they've compromised, allowing them to know exactly which misconfigurations to look for. Securing these configurations before the attacker can ever see them is essential.

Trend 2: gaps in existing tools and practices

Current security tools and practices are not sufficient to secure our networks. The following is a list of common tools and practices. While each of these is useful, they all leave security teams with major gaps in coverage:

  • Pen testing
  • Assessments
  • Audits
  • Active Directory monitoring
  • SIEM solutions
  • User Behavior Analytics
  • Artificial Intelligence
  • Endpoint Detection and Response (EDR) and antivirus (AV)

Many of these solutions offer point-in-time visibility, meaning the results are quickly outdated. Other solutions might be more continuous, but they are not digging into the depths of the network infrastructure to give information at the level the attacker sees.

Trend 3: Active Directory is a pathway

Regardless of the entry point a ransomware attacker targets, Active Directory is always involved as a next step in the attack. Over and over again we see forensic proof that Active Directory was leveraged to move laterally and gain privileges in order to deploy ransomware.

For example, RYUK and XingLocker (a variant of MountLocker) specifically need Active Directory to be involved, otherwise these attacks fail. Attackers know how to enumerate and analyze Active Directory, so they rely on it for a successful breach and deployment of their malicious software. Active Directory is at the center of authentication and resource access for most organizations, which is another key reason attackers love to leverage it.

The solution: three steps for reducing ransomware risk

Countering these three trends, and securing the key tools in your infrastructure that attackers are most likely to focus on, will help you see and protect what the attackers are targeting. The following three steps are foundational for securing Active Directory and managing vulnerabilities to reduce the risk of ransomware.

  1. All of the environment needs to be secured, immediately. Easy to say, not so easy to do. The existing hardware, operating systems, applications, software and Active Directory itself all need to be secured. Security professionals should expect an attacker to enumerate and analyze any and all aspects of the network and prepare accordingly.
  2. The work invested in securing your network and all devices should not go to waste. Once you have patched and secured configurations throughout the network, including Active Directory, these efforts need to be maintained constantly. That means 24x7 continuous and automatic analysis of all vulnerabilities and configurations needs to occur. Think of it as continuously keeping your attack surface as small as possible.
  3. The ability to detect attacks is vital. Simpler attacks, such as password spraying and guessing, need to be detected as soon as they are started, so they can be shut down immediately. Likewise, even more advanced attacks, like DCSync, DCShadow and Golden Ticket, which are all used to leverage Active Directory, need to be detected as they occur. Due to the nature of these attacks, many commonly available tools cannot correctly detect them. Yet, these advanced attacks are used for persistence and backdoors, as well as to open up new attack paths. Sophisticated solutions are needed to fill these gaps in monitoring and detection.
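As an added example, not Tenable's code and not part of the original post, here is detection logic for two of the attacks named in step 3, run over constructed Windows Security events. It assumes that failed-logon events (4625) and directory object access events (4662) have already been collected and parsed into dictionaries with the field names shown; the two GUIDs are the well-known DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights that a replication request carries. All account names, IP addresses and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs that a directory replication request carries;
# event 4662 records them in its Properties field. These are the well-known
# rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=10):
    """Return one alert per source IP whose failed logons (event 4625) touch at
    least `min_accounts` distinct accounts inside any `window`-long span.

    A spray tries one or two passwords across many users, so the signal is the
    breadth of target accounts from one source, not repeated failures on one
    account (which ordinary lockout policy already handles).
    """
    per_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            per_source[e["IpAddress"]].append((e["TimeCreated"], e["TargetUserName"]))

    alerts = []
    for src, attempts in per_source.items():
        attempts.sort()
        start, best = 0, 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span is at most `window` long.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            best = max(best, len({user for _, user in attempts[start:end + 1]}))
        if best >= min_accounts:
            alerts.append({"source": src, "distinct_accounts": best})
    return alerts


def detect_dcsync(events, allowed_replicators):
    """Return one alert per event 4662 that requests replication rights from a
    principal outside `allowed_replicators`.

    DCSync asks a DC for directory changes the way another DC would; only DC
    machine accounts (and any directory-sync service account you have vetted)
    should ever appear here, so anything else deserves an immediate look.
    """
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        requested = set(e["Properties"]) & REPLICATION_RIGHTS
        if requested and e["SubjectUserName"] not in allowed_replicators:
            alerts.append({
                "time": e["TimeCreated"],
                "subject": e["SubjectUserName"],
                "rights": sorted(requested),
            })
    return alerts


def sample_events():
    """Constructed events (not real telemetry) shaped like parsed 4625/4662 records."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    events = []
    # One source fails once against each of twelve accounts in two minutes: a spray.
    for i in range(12):
        events.append({"EventID": 4625, "TimeCreated": t0 + timedelta(seconds=10 * i),
                       "IpAddress": "10.0.0.5", "TargetUserName": f"user{i:02d}"})
    # One user mistypes their own password three times: not a spray.
    for i in range(3):
        events.append({"EventID": 4625, "TimeCreated": t0 + timedelta(seconds=30 * i),
                       "IpAddress": "10.0.0.9", "TargetUserName": "alice"})
    # A domain controller replicating: expected behaviour.
    events.append({"EventID": 4662, "TimeCreated": t0, "SubjectUserName": "DC01$",
                   "Properties": [DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL]})
    # A normal user account requesting replication rights: the DCSync pattern.
    events.append({"EventID": 4662, "TimeCreated": t0 + timedelta(minutes=3),
                   "SubjectUserName": "jsmith",
                   "Properties": [DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL]})
    # The same user touching an unrelated property (placeholder GUID): no replication right.
    events.append({"EventID": 4662, "TimeCreated": t0 + timedelta(minutes=4),
                   "SubjectUserName": "jsmith",
                   "Properties": ["00000000-0000-0000-0000-000000000000"]})
    return events


if __name__ == "__main__":
    evts = sample_events()
    print(detect_password_spray(evts))
    print(detect_dcsync(evts, allowed_replicators={"DC01$"}))
```

The allowlist is what keeps the DCSync rule quiet during normal replication: it should contain exactly the DC machine accounts and any vetted directory-synchronization account, and nothing else. The spray rule's window and threshold need tuning to the environment's normal failed-logon rate, and it should be paired with the account-lockout and logon-source data the SIEM already holds.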
