Sadly, we have seen money siphoned from companies and massive losses in productivity due to ransomware, so one question we have been asking lately is, "how is your Active Directory hygiene?" It doesn't come as a surprise that, in the fast pace of operating an enterprise ecosystem and the operational tasks required each day, AD hygiene is getting overlooked. The continuous turnover of staff, admin rights being issued and not monitored, and the proliferation of service accounts used by third-party applications and vendors are all introducing risk. Time is needed for the upkeep of your most vulnerable infrastructure; the cleansing process needs attention on the priority list.
As we analyze the anatomy of a ransomware attack, the common theme we see is threat actors succeeding by escalating through the MITRE ATT&CK matrix unabated. Actionable steps are important, and that is where AD hygiene plays an important pre-emptive role. Disrupting the threat actor's escalation of privileges is critical; by eliminating the paths to privilege escalation, AD hygiene can dramatically limit the attack surface and either prevent or delay the dreaded end game the threat actor intends. Attacks are going to happen, but controlling the controllables through AD hygiene will enable the other tools in your security stack to "Do Their Job".
Here is a list of items we are thinking about when it comes to your AD hygiene posture and the key role it plays in the journey to a Zero Trust model.
- Do you enforce any type of password policy?
- Have any of your account passwords been compromised on the dark web?
- Do you have any service accounts that are no longer needed?
- Do you have a handle on stealthy admins, privileged accounts, and stale accounts?
- How is RDP/remote access used within your environment and do you enforce any type of conditional access when using remote access services?
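As an added example (not code from the original post), the following PowerShell inventory answers the checklist items that can be read straight out of the directory: the effective password policy, stale enabled accounts, service accounts (user objects carrying an SPN), recursive membership of privileged groups, "stealthy" admins flagged by `adminCount`, and who holds RDP rights through the built-in Remote Desktop Users group. It assumes the RSAT ActiveDirectory module is installed and the session runs as a domain account with read access; the 90-day staleness window and the list of privileged groups are assumptions to adjust to your own policy. The dark-web question needs an external breach feed and is not covered here.

```powershell
# Added example: not from the original post. Assumes the RSAT ActiveDirectory
# module and a session running as a domain account with directory read access.
# The 90-day window and the group list below are assumptions; tune them.
Import-Module ActiveDirectory

$StaleDays        = 90
$Cutoff           = (Get-Date).AddDays(-$StaleDays)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

# --- 1. Password policy: the domain default plus any fine-grained policies ---
$DefaultPolicy = Get-ADDefaultDomainPasswordPolicy
$FineGrained   = Get-ADFineGrainedPasswordPolicy -Filter *

# One query for every user, pulling only the attributes the checks below need.
$Users = Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet,
            PasswordNeverExpires, ServicePrincipalName, adminCount

# --- 2. Stale accounts: enabled, but no recorded logon inside the window ---
# LastLogonDate is derived from the replicated lastLogonTimestamp, which can
# lag the true last logon by up to 14 days; treat it as a coarse signal.
$Stale = $Users | Where-Object {
    $_.Enabled -and ( (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $Cutoff) )
}

# --- 3. Service accounts: user objects carrying an SPN ---
# Enabled SPN holders with no logon in the window are decommission candidates;
# those with non-expiring passwords need a rotation plan.
$ServiceAccounts    = $Users | Where-Object { $_.ServicePrincipalName.Count -gt 0 }
$StaleService       = $ServiceAccounts | Where-Object {
    $_.Enabled -and ( (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $Cutoff) )
}
$NonExpiringService = $ServiceAccounts | Where-Object { $_.Enabled -and $_.PasswordNeverExpires }

# --- 4. Privileged accounts: recursive membership of the listed groups ---
$PrivMembers = foreach ($Group in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ Group = $Group; SamAccountName = $_.SamAccountName } }
    }
    catch { Write-Warning "Could not enumerate '$Group': $_" }
}
$PrivNames = @($PrivMembers | Select-Object -ExpandProperty SamAccountName -Unique)

# Stale privileged accounts are the highest-value cleanup items.
$StalePriv = $Stale | Where-Object { $PrivNames -contains $_.SamAccountName }

# --- 5. "Stealthy" admins: adminCount=1 marks accounts that are, or once
# were, in a protected group. Any such account outside the groups enumerated
# above is either protected via a group not on the list or was removed without
# the attribute being reset; both deserve a manual review.
$StealthyAdmins = $Users | Where-Object {
    $_.adminCount -eq 1 -and ($PrivNames -notcontains $_.SamAccountName)
}

# --- 6. Remote access: who can RDP by virtue of the built-in group ---
$RdpUsers = Get-ADGroupMember -Identity 'Remote Desktop Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# --- Summary ---
[pscustomobject]@{
    MinPasswordLength       = $DefaultPolicy.MinPasswordLength
    ComplexityEnabled       = $DefaultPolicy.ComplexityEnabled
    FineGrainedPolicies     = @($FineGrained).Count
    EnabledUsers            = @($Users | Where-Object Enabled).Count
    StaleEnabledUsers       = @($Stale).Count
    ServiceAccounts         = @($ServiceAccounts).Count
    StaleServiceAccounts    = @($StaleService).Count
    NonExpiringServicePwds  = @($NonExpiringService).Count
    PrivilegedUsers         = $PrivNames.Count
    StalePrivilegedUsers    = @($StalePriv).Count
    StealthyAdminCandidates = @($StealthyAdmins).Count
    RemoteDesktopUsers      = @($RdpUsers).Count
} | Format-List

# Detail lists for follow-up review; adjust the paths as needed.
$Stale          | Select-Object SamAccountName, LastLogonDate | Export-Csv .\stale-users.csv -NoTypeInformation
$StealthyAdmins | Select-Object SamAccountName, adminCount    | Export-Csv .\stealthy-admins.csv -NoTypeInformation
$PrivMembers    | Export-Csv .\privileged-members.csv -NoTypeInformation
```

Run it from a domain-joined administrative workstation and treat the output as a review queue rather than an action list: disable stale accounts before deleting them so a missed dependency can be reversed, rotate rather than remove service-account credentials that turn out to be in use, and confirm a stealthy-admin candidate's current rights before resetting `adminCount`. Two caveats a practitioner should keep in mind: `LastLogonDate` comes from the replicated `lastLogonTimestamp` and can be up to 14 days behind, and `Get-ADGroupMember` stops at the domain controller's default member-enumeration limit on very large groups, so very large nested groups may need a direct LDAP query instead.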