Dan Bowdrey, Semperis: “Active Directory is the forgotten system”
Active Directory is one of the most attractive targets for attackers. Despite being relied on by hundreds of thousands of companies, it is routinely left with misconfigurations and weaknesses that put an organization's most valuable data at risk.
Active Directory is the directory service in which an organization keeps its identity data: user and computer accounts, password hashes, group memberships, and personal details such as physical addresses. Because of the sensitivity of what it stores, and because it handles authentication and authorization for every domain-joined system, compromising it gives an attacker a path to almost everything else on the network.
We reached out to Dan Bowdrey, UK Sales Director at Semperis, to discuss what an increasing reliance on Active Directory means for organizations and how they can best secure themselves against threat actors.
Can you tell us a little bit about what you do? How did the idea of Semperis originate?
Semperis provides the next generation of solutions in hybrid identity protection and resilience. It was the brainchild of a former Microsoft Premier Field Engineer whose real-world experience of dealing with catastrophic enterprise identity events, both cyber-related and corruption-related, led to the identification of serious gaps in protection and recovery. From this, a cyber-first, security-focused solution was born to protect organizations from modern identity-focused cyberattacks such as ransomware.
Securing Active Directory is the main goal at Semperis. Can you explain what it is and why it is so difficult to protect?
Microsoft Active Directory has been around for over 20 years. Its flexibility and ease of integration enabled it to become the globally adopted directory (identity) service for over 90% of the world’s organizations. The very attributes that led to its global popularity are now its Achilles heel, combined with years of mismanagement, poor configuration, and the transient, globally dispersed nature of its administration.
How do hackers exploit Active Directory? What are the most common attack methods?
Active Directory identities are used to grant employees access to key company IT resources, data, applications, and email. Once hackers gain control of an identity, they can elevate its permissions to a high level and begin to compromise the systems available to them. Common techniques to achieve this include shadow admin attacks, phishing, and DCShadow.
In your opinion, why is the recent rise of ransomware often described as a great threat to Active Directory?
Ransomware gangs know that Active Directory is the forgotten system lacking in security focus across many organizations. It was never designed with cloud computing in mind, yet most organizations operate in a hybrid scenario meaning a combination of on-premises and cloud identities. Once an on-premises account is compromised, the ability to move vertically to cloud data becomes relatively straightforward.
Have you noticed any new tactics used by threat actors during the pandemic?
Remote working brings new risks to organizations. Locking computers while walking away to make coffee, speak to colleagues, or take a break was easily enforced in the office, and indeed common practice, but not so for home workers. The lines between the corporate world and home life have blurred, and phishing and shoulder-surfing tactics have become widely used.
With hybrid workspaces here to stay, are there any details that might get overlooked while organizations adjust to this new environment?
When adjusting to new ways of working, as always, it’s a case of understanding what you don’t know about. In the case of hybrid workspaces, this includes auditing legacy and recent accounts, as well as elevated permissions on accounts that could be exploited. Ensure that multifactor authentication (MFA) is enabled on all accounts, especially accounts with elevated permissions. Deploy a security-focused solution to ensure that bad actors’ techniques are blocked.
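The account audit described in the answer above, worked through as an added example from the editor (it is not Semperis product code and was not provided by Dan Bowdrey): a PowerShell script using the RSAT ActiveDirectory module that lists enabled users inactive for 90 days, users created in the last 30 days, the recursive membership of the built-in privileged groups, and users still carrying adminCount=1 without being in any of those groups, which is a common leftover that keeps elevated protection and is easy to overlook. The 90-day and 30-day windows and the list of privileged groups are assumptions; adjust them to the environment.

```powershell
# Added example: audit legacy accounts and elevated permissions in on-premises AD.
# Requires the RSAT ActiveDirectory module and read access to the domain.
# Assumptions: 90-day inactivity window, 30-day "recent" window, and the group list below.
Import-Module ActiveDirectory

$InactiveDays = 90
$RecentDays   = 30
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators',
    'Server Operators', 'Print Operators', 'DnsAdmins'
)

# 1. Legacy accounts: enabled users that have not authenticated in $InactiveDays days.
$Stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName

# 2. Recent accounts: users created in the last $RecentDays days, worth confirming against HR/onboarding.
$Since  = (Get-Date).AddDays(-$RecentDays)
$Recent = Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated |
    Select-Object SamAccountName, whenCreated, DistinguishedName

# 3. Elevated permissions: recursive membership of the privileged groups (nested groups included).
$Privileged = foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ Group = $g; SamAccountName = $_.SamAccountName } }
    } catch {
        # Group may not exist in this domain or may be too large to enumerate this way.
        Write-Warning "Could not enumerate group '$g': $($_.Exception.Message)"
    }
}

# 4. Leftover admin rights: adminCount=1 users no longer in any privileged group.
#    AdminSDHolder leaves their ACLs locked to the protected-object template after removal,
#    so they do not show up in group listings and deserve a one-by-one review.
$PrivilegedNames    = $Privileged.SamAccountName | Sort-Object -Unique
$OrphanedAdminCount = Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount, LastLogonDate |
    Where-Object { $PrivilegedNames -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, Enabled, LastLogonDate

# 5. The worst combination: stale accounts that still hold privileged membership. Fix these first.
$StalePrivileged = $Privileged | Where-Object { $Stale.SamAccountName -contains $_.SamAccountName }

"== Enabled accounts inactive for $InactiveDays+ days: $($Stale.Count)"
$Stale | Format-Table -AutoSize
"== Accounts created in the last $RecentDays days: $($Recent.Count)"
$Recent | Format-Table -AutoSize
"== Privileged group memberships (recursive): $($Privileged.Count)"
$Privileged | Format-Table -AutoSize
"== adminCount=1 users outside every privileged group: $($OrphanedAdminCount.Count)"
$OrphanedAdminCount | Format-Table -AutoSize
"== Stale accounts still holding privileged membership: $($StalePrivileged.Count)"
$StalePrivileged | Format-Table -AutoSize
```

Run it from a workstation with RSAT under an account that can read the domain; it makes no changes. The MFA check in the answer cannot be done from on-premises AD, since MFA enforcement lives in the cloud identity provider or the VPN/RADIUS layer, so the list of privileged users this script produces is the input for that check rather than a replacement for it.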
Talking about the future, what security threats do you think will emerge in 2022?
Looking at trends, Active Directory remains a rich picking ground for cyber gangs, especially those that are state-funded. We see this in the UK, with key infrastructure providers and education establishments continuously under attack. The repeat attack business model has also become a trend we are seeing where organizations will pay higher ransomware demands for a second or third attack.
Is there a specific industry that has the highest risk of falling victim to cyberattacks?
Organizations that hold large amounts of personal customer data, that own sensitive or valuable intellectual property, and organizations whose reputations have been built on providing financial services are prime targets for cyber gangs.
Would you like to share what’s next for Semperis?
Semperis will continue to apply our deep expertise in Active Directory security to help organizations protect their hybrid identity environments. A recent Gartner report stated that organizations will be managing hybrid environments for the foreseeable future (they predict that only 3% of businesses will be completely cloud-based by 2024). In the meantime, securing environments with both on-premises Active Directory and Azure Active Directory is tricky—the security paradigm is completely different between the two. Semperis already supports threat detection for Azure Active Directory. On the near horizon, we’ll have backup and recovery for Azure AD resources, which is a critical part of recovering the business after a cyber disaster. Looking further out, we’ll continue to build solutions that improve the security posture for organizations managing complex hybrid identity environments—which cybercriminals love to exploit, as in the SolarWinds breach.