What Is Active Directory Monitoring and Why Is AD a Target for Hackers?

What Is Active Directory?

Active Directory is a directory service from Microsoft used in corporate settings to manage and store details about network resources, explains Lisa Plaggemier, executive director of the National Cybersecurity Alliance.

“These resources include users, computers, printers and services,” she says. “AD provides administrators a platform to organize these resources, regulate access and enforce security protocols.”

Jeff McJunkin, a principal instructor at the SANS Institute and founder of cybersecurity firm Rogue Valley Information Security, says that “the vast majority of organizations” use AD for
“managing their computers, user accounts, group memberships within their environment and a lot of management of those users and computers and servers.”

What Is Active Directory Monitoring?

Active Directory monitoring, Plaggemier says, “is the process of vigilantly observing the health and security of the Active Directory environment.” Organizations may do this by tracking alterations to user privileges, identifying failed login attempts, observing for uncommon activity and guaranteeing optimal system performance, she says.

“The primary objective of AD monitoring is to uphold system integrity, availability and security,” Plaggemier adds.

AD monitoring often is not something that is set up by default, according to McJunkin. “But it turns out if an attacker inside your environment wants to gain control of a server, and you use Active Directory, that is very commonly the system they will abuse,” he says.

Watch to Learn More About Building Cyber Resilience

“If an attacker gains access to something like the built-in domain admins group, you will have a new group member in many cases, and monitoring would, as one easy example, let you know that, ‘Hey, look, there’s a new domain admin with a username of HackerHacker. We probably should have some alerts based upon that.’” 

Typically, however, that monitoring is not always active, McJunkin says, and organizations will only know that something is amiss if an attacker breaks production on AD or a staff member lodges a complaint. Then, IT security teams investigate.

AD monitoring tools let organizations know that changes are occurring to Active Directory, says Rob Clyde, board director for ISACA and executive chair of the board of directors for White Cloud Security. If AD monitoring is done well, it will include anomaly detection tools, Clyde says, to scan for strange details or changes that aren’t in the audit log and didn’t go through a normal process.

“But you could still tell from one point in time to the next that the change occurred,” he says. “How did that happen? It’s like making an accounting change without having it show up in a general ledger.”

Why Is Active Directory a Target for Hackers?

When it comes to the centrality of AD, “the bad guys know this,” Clyde says.

“Ultimately, the goal for them, and probably the highest-value target, is the Active Directory administrators,” Clyde says. “Once a hacker can become that person, then they can actually change the Active Directory and add in a new account with all privileges or access whatever data they were after.”

Gaining access to the Active Directory system “can enable a malicious actor to compromise the entire network,” Plaggemier says.

“This could involve creating new user accounts with elevated privileges, altering existing accounts or even completely deleting accounts, leading to significant disruption in the organization’s operations,” she notes.

Active Directory can also serve as “a treasure trove “of information for hackers,” she says. The system often stores usernames, endpoint names, group memberships and other data, which attackers can extract from the system and leverage for future attacks.

“The complexity of Active Directory, while a strength, can also become a weakness because its highly configurable nature can make it challenging to sufficiently secure,” Plaggemier says. “Organizations lacking robust security practices could inadvertently leave vulnerabilities open for exploitation.”

Click the banner to learn how your organization can increase its ransomware recovery capabilities.

How to Safeguard Active Directory from Cyberattacks

There are many tools that organizations can use to guard against AD attacks, experts say. Clyde emphasizes the importance of XDR, or extended detection and response systems.

XDR offers a multilayer approach and includes endpoint and network detection tools that are correlated, he notes. “By adding those things, you’re going see malicious code, you’re going see people trying to obtain privileges,” he says. “You’re going to see people trying to do various types of attacks through the network to probe your network.”

Organizations also can look to tools that specifically monitor for changes in Active Directory. These tools typically use machine learning or statistical methods to establish a baseline of normal activity, then flag any actions that deviate from that, Plaggemier says.

One action in particular is user and entity behavior analytics, which focuses on detecting anomalous behavior by users or other entities in the system. These tools might flag things like multiple failed login attempts, unusual access patterns or changes to user privileges.

DISCOVER: How will AI affect cybersecurity in coming years?

Another technology that organizations can use is security information and event management, which aggregates log data from multiple sources, including Active Directory. This data can detect anomalies and generate alerts.

Further, companies can turn to network traffic analysis tools to monitor network traffic for signs of malicious activity, Plaggemier says. “While not specifically tied to Active Directory, they can help detect attacks that target the system,” she says.

Clyde recommends that organizations should think of it as a trade-off. If all possible privileges go through Active Directory, he says, “the beauty is that there’s one place to administer it, kind of ‘one ring to rule them all,’ which is the way Active Directory is normally put in.”

Still, “you may want to consider that certain types of things and certain admin functions actually don’t go through Active Directory,” he says. “That way, even if the AD administrator is compromised, the bad guys can’t get access to everything.”