Using Clever Deception to Secure Your Active Directory

If you ask any enterprise cyber security professional which tools are the most essential to an organizational protection profile, you should expect to hear reference to familiar solutions such as two-factor authentication, server logs, firewall rules, intrusion detection systems, encryption and the like. And these are certainly important factors in the reduction of cyber security risk – ones that every enterprise should include in the security architecture mix.

But if you ask any enterprise cyber security intruder which tools are the most essential to an organizational protection profile – and I have asked this question on many occasions – you will hear something different. My experience is that the best cyber intruders, from the full spectrum of hat colors, will make immediate reference to those ubiquitous Microsoft Active Directory services, including domain, lightweight domain, federation, certificate management, and rights management.

It is these services – you will hear – that provide the clearest roadmap to the enterprise once external access has been obtained via an advanced persistent threat (APT). And it is these services that elite hackers depend on to find the organizational crown jewels that brought them to the target local area network in the first place. They offer a means for creating a topological understanding of where the enterprise maintains its servers, users, credentials, and other important assets.

So why wouldn’t enterprise security teams jump quickly to Active Directory Services when asked about what is essential? It’s not like they haven’t seen advanced actors use Active Directory in lateral enterprise LAN traversal. The answer, unfortunately, lies in the organizational evolution one finds in virtually every information technology (IT) ecosystem in modern business environments. And it is an evolution that is characterized by two parallel trends.

First, enterprise security teams have been given more responsibility for essential protections. Their budgets and staff are larger, but always with the provision that they do their work without introducing outages or negative impact. And second, IT operations teams have retained control of the most fundamental infrastructure services, and no service is more essential to the enterprise than Active Directory. Break this service, and you have more than likely broken the entire company. So security teams rarely control this function.

As a result, Active Directory controls in the enterprise are all-too-often overlooked entirely by enterprise security teams, who are forced to relegate decisions for the attendant services to an IT operations team that might or might not care much about cyber security. In the best case, the IT operations team will cooperate and ensure some level of protection; but in the worst (and more common) case, the Active Directory Services will be given completely inadequate attention. And we see APT attacks continue unfettered by fancy security controls.

Sadly, neither of these situations is sufficient. Instead, both enterprise security teams and IT operations teams must agree to leapfrog existing security solutions and move immediately to world class solutions that have the ability to stop elite hackers. This is a tough message – namely, that poor attention to Active Directory Services must skip the adequate stage and move directly to the state-of-the-art stage. But with APTs abounding in the enterprise and actors jumping immediately to Active Directory Services, this step must be taken.

Active Directory Obfuscation

One company providing a unique and effective solution to dealing with Active Directory weaknesses is Javelin Networks. The company, which traces its legacy to the Israel Defense Forces, focuses on embedding deception on the host to introduce uncertainty for an advanced actor seeking Active Directory credentials. It also includes the possibility of creating real-time notification of unusual behavior, which offers the possibility of catching live APT actors in the act.

The way the Javelin Networks tool works is evocative of the old tarpits (such as LaBrea) many of us were using back in the 1990s to create fake networks to slow down scanners. The general concept is that where an intruder or malware expects to see something simple, the tarpit – and the approach used by Javelin – creates the impression that there is, in fact, much more there, thereby reducing the odds that the actor will succeed in moving laterally into the organization without detection. This is done by introducing virtual deceptive content and entries into the host memory that will create problems for intruders. This is different from honeypots, as Javelin Networks' approach does not require adding elements to the topology or adjusting the Active Directory itself.

As most IT operations experts know, Active Directory provides the structure and support for a corporate Windows environment to properly function. Just about every IT service in a corporation, including virtual private network (VPN) remote access, single sign-on (SSO), and SharePoint usage, is controlled and protected using Active Directory. Some like to think of it this way: No administrator in a complex environment can possibly sit down and define access control and protection settings for every computer and service. Instead, the more acceptable and scalable approach is to perform lockdown using Active Directory services.

This implies that attackers will naturally gravitate to Active Directory in order to guide their lateral traversal as part of an advanced persistent threat (APT). Javelin Networks mitigates this security risk by introducing what can be viewed as a deceptive mask on Active Directory for the purposes of obfuscating the enterprise topology. The goal is for the good guys to see correct information from Active Directory, but for the bad guys to see something very different from their viewpoint, the compromised host.

Thus, for example, if the corporate environment includes a hundred servers supporting a couple thousand users, then the Active Directory Domain Controllers will include these user and computer accounts in their database schema. System administrators can thus query schemas for data about users and computers including names, identifiers, and so on. And this schema can be extended to add information about third-party software or other services such as Exchange.

Clearly, attackers would want to access this information to learn about the users and computers that might hold the information desired as part of the APT initiative. If, however, they compromised an endpoint with a masked Active Directory protected by Javelin Networks, then they would be shown an intentionally and exponentially larger view of the corporate environment, with many thousands of servers – most bogus – and many thousands of users, also designated in a manner intended to confuse and mislead an attacker performing reconnaissance on assets that do not exist.

This approach also creates the opportunity to generate alarms and alerts when some access is made to a bogus user or computer entry. In this sense, the deception complements security information and event management (SIEM) tools and intrusion detection systems by helping to identify errant access across the enterprise while it is occurring. Very few existing security tools have this ability, and almost none include such embedded knowledge of what's going on inside Active Directory Services as Javelin.
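The alerting idea in this paragraph and the preceding one (bogus entries that no legitimate process should ever reference, so any touch is a high-confidence signal) can be illustrated with a small piece of detection logic. What follows is an added example, not Javelin Networks' code and not a description of how their product is built: it assumes a defender-maintained list of decoy user and computer names, and security events already exported from a SIEM as one JSON object per line with the field names shown (target_user, account, service_name, source_ip, ts). The decoy names and the sample log lines are constructed for the example, not real data.

```python
"""Flag any authentication or ticket request that touches a decoy AD object.

Added example: the decoy names, the event field names and the sample log
lines below are all constructed assumptions, not Javelin Networks' format
or real enterprise data. A real deployment would feed Windows Security
events (e.g. 4768/4769/4624) from the SIEM instead of the inline sample.
"""
import json
from collections import defaultdict

# Assumed decoy registry: objects that exist only as deception entries, so a
# legitimate user or service should never reference them. Kept lower-case
# because Active Directory names are matched case-insensitively.
DECOY_USERS = {"svc_backup_legacy", "adm_fin_helpdesk"}
DECOY_COMPUTERS = {"fin-sql-arch01", "hr-fs-old02"}

# Constructed sample events, one JSON object per line (not real logs).
# Event ids loosely follow Windows Security: 4768 TGT request,
# 4769 service ticket request, 4624 logon.
SAMPLE_EVENTS = """\
{"event_id": 4768, "target_user": "jsmith", "source_ip": "10.0.12.40", "ts": "2024-03-01T08:01:10Z"}
{"event_id": 4768, "target_user": "SVC_Backup_Legacy", "source_ip": "10.0.12.40", "ts": "2024-03-01T08:01:12Z"}
{"event_id": 4769, "account": "jsmith", "service_name": "cifs/FIN-SQL-ARCH01.corp.example", "source_ip": "10.0.12.40", "ts": "2024-03-01T08:01:15Z"}
{"event_id": 4624, "target_user": "admin_fin", "source_ip": "10.0.5.9", "ts": "2024-03-01T08:02:00Z"}
{"event_id": 4769, "account": "admin_fin", "service_name": "ldap/DC01.corp.example", "source_ip": "10.0.5.9", "ts": "2024-03-01T08:02:03Z"}
this line is not JSON and must be skipped rather than crash the detector
"""


def _norm_user(name):
    """Lower-case an account name and strip a DOMAIN\\ prefix or @domain suffix."""
    name = name.lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]


def _host_from_spn(spn):
    """'cifs/FIN-SQL-ARCH01.corp.example' -> 'fin-sql-arch01' (short host name)."""
    host = spn.split("/", 1)[1] if "/" in spn else spn
    return host.split(".", 1)[0].lower()


def detect_decoy_touches(lines, decoy_users=DECOY_USERS, decoy_computers=DECOY_COMPUTERS):
    """Return one alert dict per event that references a decoy user or computer."""
    alerts = []
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed export line: skip it, do not abort the sweep
        hits = []
        for field in ("target_user", "account"):
            if field in ev and _norm_user(ev[field]) in decoy_users:
                hits.append(("user", ev[field]))
        if "service_name" in ev and _host_from_spn(ev["service_name"]) in decoy_computers:
            hits.append(("computer", ev["service_name"]))
        for kind, value in hits:
            alerts.append({
                "ts": ev.get("ts"),
                "source_ip": ev.get("source_ip"),
                "event_id": ev.get("event_id"),
                "decoy_kind": kind,
                "decoy_ref": value,
            })
    return alerts


def hosts_by_alert_count(alerts):
    """Group alerts by originating host; one host touching several decoys in
    quick succession is the reconnaissance pattern worth escalating first."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["source_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect_decoy_touches(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts']} {a['source_ip']} event {a['event_id']} "
              f"touched decoy {a['decoy_kind']} {a['decoy_ref']}")
    print("per-host counts:", hosts_by_alert_count(found))
```

On the constructed sample, the two decoy touches both come from 10.0.12.40 within a few seconds (a TGT request for a decoy service account, then a service ticket for a decoy file server), which is exactly the kind of correlated signal the article says SIEM and IDS tooling normally lacks; the host from 10.0.5.9 only ever references real objects and produces nothing.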

There are obviously challenges that must be dealt with in such an approach – and Javelin Networks is well aware of these challenges. Access to deceptive content must not, for example, complicate or confuse real system administrative activity. Similarly, changes to the embedded memory in the servers supporting Active Directory will make administrators nervous that integrity issues could arise if software problems are introduced. So the ability for real and fake processes to coexist is the true practical challenge in any type of deceptive computing, including Javelin Networks.

Concluding Remarks

The disclosure problems, and soon the integrity problems, associated with advanced persistent threats (APTs) are so severe that creative new security methods are clearly needed to reduce risk. Deception has been shown over the years to be one of the most effective techniques in warfare settings, so the idea of using obfuscation to reduce APT risk for the most essential data structure and set of services in the enterprise should seem not only reasonable, but essential.

It is thus recommended here that all Chief Information Security Officer (CISO) teams in industry and government take the time to seriously consider this type of deceptive solution for Active Directory. It might take some prodding with the IT operations team, especially since this is a new technique without great operational metrics from practical use (yet). But the extra work convincing that group to support a Javelin Networks deployment will be well worth the trouble when APT intruders next find their way into your network. Good luck.