Your Active Directory was compromised, now what?

Cyber Security: Re-constituting Active Directory after a critical compromise or detection of an Advanced Persistent Threat

Written by: Bob Bobel & Dmitry Kagansky


Contents

Overview

Advanced Persistent Threat

Why re-establishing AD after a critical compromise goes beyond normal recovery

Reduce the immediate threat

Synchronizing Sanitized data between the directories

Preparing a mirrored directory

Post compromise cut over to the Mirrored Forest


About the Authors

Bob Bobel joined Quest with its acquisition of Aelita Software, where his responsibilities included customer and partner enablement and Product Management for Active Directory and Identity Management products. Bobel has over 20 years' experience in the IT industry and has worked with customers, partners and developers around the world on best practices in Active Directory management. Bobel continues to share his knowledge and experience by writing regularly. Prior to joining Quest, Bobel taught Microsoft technologies at The Ohio State University and was an entrepreneur providing consulting and training to organizations that relied on Microsoft technologies. Bobel was among the first to be Microsoft Certified on Windows NT when it was launched in 1993, and shared this knowledge in a variety of Windows infrastructure and networking consulting projects. Bobel also holds, and is working on, several patents related to distributed security management.

Dmitry Kagansky joined Quest in 2005 as an identity management architect for Quest's North American commercial team, later managing the identity and access management technical team. In early 2008, he and his family relocated to the UK, where he worked with many public and private sector clients across Europe before returning to the U.S. in late 2009.

Prior to Quest, Mr. Kagansky held both technical and management positions with traditional companies such as Xerox, Thompson Technologies and Cabot Corporation as well as startups such as Ask Jeeves, eTour.com and Ockham Technologies. His experience ranges from development and QA, to data warehousing and system administration. In addition, he has taught undergraduate classes on web development and data management at the University of Georgia.

Overview

Microsoft's Active Directory (AD) provides a secure and stable directory service on which many organizations depend to provide user authentication and authorization. Because AD represents the proverbial keys to the kingdom, it typically receives the appropriate level of care and feeding required to maintain it. Despite proper upkeep, there is still a chance that an Advanced Persistent Threat (APT) may be successful and compromise your Active Directory. Because of the nature of APTs, a wide range of attack vectors may be tried that may or may not attempt to subjugate AD directly. The result is that a successful compromise may go undetected for some time, until the attacker decides to exploit the compromise by stealing data or making critical systems unavailable.

Quest Public Sector, Inc.

IT organizations in government face all of the challenges in private sector IT, plus an ever-changing barrage of statutory, regulatory, and compliance requirements. Add to all of that the constant expectation to do more with less funding and staff – and the directive to do it better and faster! With a long track record of delivering outstanding results for more than 15 million government and higher education end users, Quest Software Public Sector has helped federal, state, and local government agencies – as well as higher education institutions – apply Quest Software solutions to solve the toughest IT management problems and simplify their infrastructures.

Most administrators are now resigned to the fact that their network will be hacked. It's just a matter of time. It's no secret that there is a lot of activity around cyber security, and the most serious breach that could happen to any organization is a compromise of their Active Directory (AD) environment. AD is at the heart of many mission critical services, including desktop logins, file & print sharing, email & other communications and collaboration. Once the compromise happens, it can have far-reaching effects. Plus, attackers are much more sophisticated, using many tactics to penetrate and then stay hidden within your environment. At this point, it is a proverbial arms race, and the "bad guys" only have to win once to get in.

Reducing the immediate threat

A quick way to reduce the threat to Active Directory is to reduce the number of privileged accounts that can make major changes to Active Directory. This is especially important for AD users who hold the Domain Administrators privilege. Because of the Active Directory design, many organizations have dozens or many dozens of users who hold this role. There are several third-party role-based management solutions on the market today that allow administrators to perform day-to-day tasks without requiring the Domain Administrator's role. These solutions should at a minimum have a three-tiered architecture and provide Roles, Rules and Workflow capability specifically for Active Directory.

A second way to reduce the threat to your production environment is to ensure your directory monitoring solution is up to the task. (Need something on Change Auditor here)

More on Advanced Persistent Threats

An Advanced Persistent Threat (APT) typically refers to a coordinated effort by a group or foreign government to attempt or complete a cyber attack. What makes these threats particularly concerning is that, after the group or foreign government perpetrating the attack has gained access, the compromise may not be exploited until such time as maximum damage can be achieved or the highest value theft can be carried out.

For more information on Advanced Persistent Threats see: http://en.wikipedia.org/wiki/Advanced_persistent_threat


"Once you realize your directory was 'owned', the only way you will feel secure again is to migrate your data to a new directory on new servers."

– Anonymous Customer, Sr. AD Architect

Begin at the beginning

Before this paper gets into the steps of re-establishing Active Directory, it's important to review the most common way in which a breach can occur. Gone are the days of "script kiddies" guessing at passwords and blindly finding access left open by a careless administrator. Administrators are now more security conscious, and savvy. But so are the attackers, who are often organized and well-funded groups using a mature, developed methodology.

The following is a short review of the techniques used by these organizations. The techniques outlined can be used independently of one another, but the key to a threat being considered advanced is that it often uses a combination of these techniques to penetrate and maintain access. Because of this, the review below is written sequentially, but the techniques are often performed in a different order or in combination with other methods:

1. Targeting: Before an attack occurs, there is often reconnaissance performed not only on the network but on the key individuals who can help gain access to valuable resources. Many organizations, especially those in the Public Sector, publish many records publicly, including research findings, and other publications, compliance filings, and business interactions. In addition, key individuals themselves are much more available through social media, conference proceedings, and other relationships between the attacker and the target.

The targeting can vary, and a group may be attacked en masse, with the hope of getting an individual from a particular organization, or it can be directed at a smaller group of people, or even down to a single individual.

2. Phishing: Once a target is identified, the goal is to bait them into bringing a payload into the network to make the breach possible. Hyperlinks and attachments, most commonly delivered through instant messaging, email or other online communication methods, are the usual vehicles. The payload is often in the form of a document or browser exploit, or an executable, often disguised as something else.

3. Pass the Hash: Once the payload is delivered and a beachhead is established, the real work for the intruders begins. It most often starts at the workstations, as that is the most common way to access the network. From there, the attack (delivered through the payload) looks to work its way up the chain, to "line of business" or "production" servers that house the organization's data, and ultimately to the servers that are running with domain privileges. Getting to the last level is key, as it lets the attack become persistent, and very, very difficult to remediate with certainty.

4. Persistence: Once a set of accounts is compromised, the attacker can continue to return and harvest additional information. Whether that information is business intelligence, or additional accounts is a matter of necessity. In many cases, the return trips create more ‘rogue accounts’ and use harvested credentials, zombie RATs (Remote Access Tools) and even unsuspecting users’ own credentials within the organization.

5. SQL Injection:


Why re-establishing AD after a critical compromise goes beyond normal recovery

Because a critical compromise may only be uncovered long after it was introduced, the validity and security of backup data cannot be relied on, because changes made via the compromise may be indistinguishable from day-to-day administrative changes. The sheer volume of changes made from the time of the compromise's introduction to the current state of the directory data makes it virtually impossible to separate the intentional from the non-intentional changes. The best, and certainly fastest, option for removing the compromise while retaining your directory data is to migrate the data to a new sanitized directory on clean servers.

Many of the benefits of performing a migration to a clean directory revolve around the fact that a new Security ID (SID) is generated for every object, including users, groups and computers. By creating new SIDs, any access gained through the original compromise is cut off, assuming the environment is updated properly. Every system that controls access using an Active Directory account must be considered during the cleanup, and most go beyond the scope of this short paper. However, it is important to at least explain the concept, which is the purpose of the next section, entitled Updating Resource Ownership.


Updating Resource Ownership

How to: Migrating to a sanitized directory

Ideally, your environment will contain an uncompromised mirror copy of your Active Directory. It is important to ensure that only the base identity data is synchronized. When possible, unsanitized security data should not be synchronized. Group memberships must be dealt with carefully and should be covered by a re-certification process before the group membership is allowed to be exercised in the mirrored environment. Groups can be disabled for security operations through a combination of settings, and your management solution probably provides this as a default capability.

[Figure: at logon the user receives a token containing the account SID and group SIDs; when resource access is attempted, the resource's ACL is compared against that token.]
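As an added illustration of the token-versus-ACL compare this section describes (example code, not from the paper; the SIDs, rights names and the simplified access check are constructed for it), the following Python models what happens to a resource ACL when every principal receives a new SID in the mirrored forest, what the re-ACL step looks like, and how a post-migration check finds ACEs still pointing at the old forest.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:                 # one access-control entry: SID named, allow/deny, rights covered
    sid: str
    allow: bool
    rights: frozenset

def access_check(token_sids, acl, requested):
    """Simplified Windows-style check: ACEs are walked in order, a matching deny on a requested
    right fails at once, matching allows accumulate until every requested right is granted."""
    token, granted = frozenset(token_sids), set()
    for ace in acl:
        if ace.sid not in token:        # an ACE naming a SID the token lacks is inert
            continue
        if not ace.allow and ace.rights & requested:
            return False
        if ace.allow:
            granted.update(ace.rights)
            if requested <= granted:
                return True
    return False

def reacl(acl, sid_map):
    """Re-ACL step: point ACEs at the migrated principal's new-forest SID. ACEs for SIDs that
    were deliberately not migrated are left alone and will match no token the new forest issues."""
    return [Ace(sid_map.get(a.sid, a.sid), a.allow, a.rights) for a in acl]

def orphaned_aces(acl, domain_sid):
    """Post-migration cleanup check: ACEs still naming a SID from outside the new domain."""
    return [a for a in acl if not a.sid.startswith(domain_sid + "-")]

# Constructed sample data (not from the paper): same RIDs, new domain SID after migration.
OLD_DOM, NEW_DOM = "S-1-5-21-111-222-333", "S-1-5-21-444-555-666"
OLD_USER, OLD_FINANCE, OLD_ROGUE = OLD_DOM + "-1105", OLD_DOM + "-1320", OLD_DOM + "-9001"
NEW_USER, NEW_FINANCE = NEW_DOM + "-1105", NEW_DOM + "-1320"
SID_MAP = {OLD_USER: NEW_USER, OLD_FINANCE: NEW_FINANCE}   # the rogue group is never mapped
READ, WRITE = frozenset({"read"}), frozenset({"read", "write"})
SHARE_ACL = [Ace(OLD_FINANCE, True, READ), Ace(OLD_ROGUE, True, WRITE)]

def migration_outcome():
    """Finance user's read access at each stage, what the rogue ACE still grants, and what is left to clean up."""
    new_acl = reacl(SHARE_ACL, SID_MAP)
    return {
        "old_token_old_acl": access_check([OLD_USER, OLD_FINANCE], SHARE_ACL, READ),
        "new_token_old_acl": access_check([NEW_USER, NEW_FINANCE], SHARE_ACL, READ),
        "new_token_new_acl": access_check([NEW_USER, NEW_FINANCE], new_acl, READ),
        "rogue_ace_grants_write": access_check([NEW_USER, NEW_FINANCE], new_acl, WRITE),
        "orphaned": [a.sid for a in orphaned_aces(new_acl, NEW_DOM)],
    }
```

Until the share is re-ACLed the legitimate user loses access (new SIDs match nothing), and after it the rogue ACE is inert but still shows up in the orphan list for cleanup.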


Phase 1: Preparing a mirrored directory

The steps in this phase are done in advance.

1) Configure the Mirrored Forest infrastructure.

a) Set up a Windows Server that will be used as the first Domain Controller in the mirror Forest.

b) Configure the server with the necessary services to install a new Active Directory Forest.

c) Promote the server as the first domain controller in a new domain in a new forest.

i) Note: It is probably best to configure the new domain with a new namespace so that the namespaces don't get confused between the original and the mirror directory.

2) Prepare the mirror environment by configuring identity synchronization from the Production Forest to the Mirror Forest. By continuously populating the mirrored directory, you will decrease the time needed to cut over to this new directory, as much of the core data will already be present and will not need to be moved. The frequency of the synchronization should be determined by choosing a time that reflects how up to date the mirror directory should be to maintain a good comfort level (once a day is probably a good minimum).

a) Configure user objects to be synchronized as disabled users.

Password synchronization is not recommended since the original exploit may have been introduced through a known password.

b) XXXX Configure computer objects to be synchronized.

c) Configure synchronization of groups and their group memberships.

d) Configure synchronization of contacts and other objects.

NOTE: The key step is to intentionally omit privileged groups: do not synchronize or populate them. The assumption is that the privileged groups are managed in such a way that they can be identified and excluded from the synchronization. These groups will need to go through a re-certification process, which is covered later in this document.

3) Configure a Management Server

a) Install the Management solution and register the mirror domain.

Importing the Roles, Rules and Workflows from the production environment periodically will allow a smooth.

4) Configure a Security Migration Server

a) This server will sit idle until a cut-over is necessary.

5) Configure a Monitoring Server
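An added example of the Phase 1 synchronization rules (not code from the paper or from any Quest product) applied to a constructed snapshot of production objects: users land disabled and without password material, privileged groups identified by well-known RID or by an assumed organization-maintained name list are left out along with their memberships, and everything else is copied.

```python
# Well-known RIDs of built-in privileged groups; matching on RID rather than name also catches
# a group that has been renamed. The assumed organization-maintained list covers custom groups.
DOMAIN_PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
BUILTIN_PRIVILEGED_RIDS = {544: "Administrators", 548: "Account Operators", 551: "Backup Operators"}
SECRET_ATTRS = ("unicodePwd", "ntHash")   # never synchronized: the breach may rest on a known password

def is_privileged_group(group, extra_names=frozenset()):
    """True if the group's SID carries a well-known admin RID or its name is on the extra list."""
    sid = group["sid"]
    rid = int(sid.rsplit("-", 1)[1])
    if sid.startswith("S-1-5-32-"):               # BUILTIN domain
        return rid in BUILTIN_PRIVILEGED_RIDS
    return rid in DOMAIN_PRIVILEGED_RIDS or group["name"] in extra_names

def prepare_mirror(prod_objects, extra_privileged=frozenset()):
    """Apply the Phase 1 rules: users are copied disabled and without secrets, computers and
    contacts are copied, privileged groups are omitted (left for manual re-certification) and
    references to them are stripped from memberOf, other groups keep their membership."""
    skipped = {g["name"] for g in prod_objects
               if g["class"] == "group" and is_privileged_group(g, extra_privileged)}
    mirror = []
    for obj in prod_objects:
        if obj["class"] == "group" and obj["name"] in skipped:
            continue
        copy = {k: v for k, v in obj.items() if k not in SECRET_ATTRS}
        if obj["class"] == "user":
            copy["enabled"] = False
            copy["memberOf"] = [g for g in obj.get("memberOf", []) if g not in skipped]
        mirror.append(copy)
    return mirror, skipped

# Constructed production snapshot (not real data). "DomAdmins" is Domain Admins renamed (RID 512).
PROD = [
    {"class": "user", "name": "alice", "sid": "S-1-5-21-111-222-333-1105", "enabled": True,
     "ntHash": "<constructed>", "memberOf": ["DomAdmins", "Finance"]},
    {"class": "user", "name": "svc-backup", "sid": "S-1-5-21-111-222-333-1106", "enabled": True,
     "ntHash": "<constructed>", "memberOf": ["Backup Operators", "Tier0-Ops"]},
    {"class": "group", "name": "DomAdmins", "sid": "S-1-5-21-111-222-333-512"},
    {"class": "group", "name": "Backup Operators", "sid": "S-1-5-32-551"},
    {"class": "group", "name": "Tier0-Ops", "sid": "S-1-5-21-111-222-333-2001"},
    {"class": "group", "name": "Finance", "sid": "S-1-5-21-111-222-333-1320"},
    {"class": "computer", "name": "WS01$", "sid": "S-1-5-21-111-222-333-1600"},
]

if __name__ == "__main__":
    objects, left_out = prepare_mirror(PROD, extra_privileged={"Tier0-Ops"})
    print(sorted(left_out), [o["name"] for o in objects])
```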

Phase 2: The cut over

1) XXXX

Phase 3: Group and Access Re-Certification

1) XXXX


Phase 4: Post migration cleanup

1) XXXX

Conclusion
