Active Directory (AD) handles sensitive organization data like user credentials, personal information of employees, security permissions, and more. Because of this, AD is prone to being targeted by cyber attackers. Malicious actors are constantly coming up with new attack strategies, making it a challenge for organizations to secure their AD environment. This is why it’s essential that every organization formulates a cyber defense strategy to combat cyber threats and protect their AD.

With the rapid pace and increasing trends of cyberattacks, having a common framework for your defense strategy helps you keep up with the changing threat landscape. Devising a defense strategy requires knowledge about the usual pathways that the attackers use, so that incoming attacks can be identified and acted on. The MITRE ATT&CK framework is one of the most popular tools used for building an extensive security plan to secure AD.

MITRE ATT&CK framework: How can it be used to protect AD?

The MITRE ATT&CK framework is widely adopted across industries because it helps organizations map out the tactics and techniques used by adversaries. The MITRE ATT&CK Matrix describes attacker behavior in the form of tactics and techniques: the aim of the attacker and how they plan to achieve it.

Currently there are 14 tactics and 191 techniques with 385 sub-techniques. Each technique includes specific details about how the attackers operate, such as the privileges needed, how to identify the commands associated with the technique, and more.

Here are some of the techniques used by attackers to exploit AD: 

ID | Name | Description
T1037.003 | Network Logon Script | Adversaries may use network logon scripts automatically executed during logon initialization to establish persistence. Network logon scripts can be assigned using AD or Group Policy Objects (GPOs).
T1136.002 | Domain Account | Adversaries may create a domain account to maintain access to victim systems. Domain accounts are managed by Active Directory Domain Services, through which access and permissions are configured across systems and services that are part of that domain.
T1484.001 | Group Policy Modification | Adversaries may modify GPOs to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group Policy allows for centralized management of user and computer settings in AD.
T1207 | Rogue Domain Controller | Adversaries may register a rogue domain controller to enable manipulation of AD data.
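The techniques in the table each leave a footprint in Windows Security auditing on a domain controller, which is where mapping ATT&CK to AD becomes practical: a detection rule per technique ID. The example below is added here and is not code from the original article or from its author; it maps constructed (not real) Security log records to the four technique IDs above. The event IDs (4720 user account created, 4742 computer account changed, 5136 directory service object modified, 5137 directory service object created), the attribute names (scriptPath, servicePrincipalName) and the replication-service SPN GUID are standard Windows and AD values used as detection assumptions; the field layout, the EXPECTED_ACTORS tuning list and every sample value are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class AdEvent:
    """One normalized Security log record (field layout is an assumption about
    what a SIEM would extract from the event XML)."""
    event_id: int            # 4720 = user created, 4742 = computer changed,
                             # 5136 = DS object modified, 5137 = DS object created
    subject: str             # account that performed the action
    target: str              # object acted on (DN or sAMAccountName)
    object_class: str = ""   # AD objectClass for directory-service events
    attribute: str = ""      # LDAP display name of the attribute that changed
    value: str = ""          # new value of that attribute, if any

# Directory Replication Service class GUID; a computer account that suddenly
# registers an SPN with it is one indicator of a rogue DC being set up.
DRS_SPN_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# Detection rules keyed by ATT&CK technique ID: (technique name, predicate).
RULES = {
    "T1037.003": ("Network Logon Script",
                  lambda e: e.event_id == 5136 and e.object_class == "user"
                  and e.attribute.lower() == "scriptpath"),
    "T1136.002": ("Domain Account",
                  lambda e: e.event_id == 4720),
    "T1484.001": ("Group Policy Modification",
                  lambda e: e.event_id == 5136
                  and e.object_class == "groupPolicyContainer"),
    "T1207": ("Rogue Domain Controller",
              lambda e: (e.event_id == 5137 and e.object_class == "nTDSDSA")
              or (e.event_id == 4742 and e.attribute == "servicePrincipalName"
                  and DRS_SPN_GUID.lower() in e.value.lower())),
}

# Actors whose matching activity is expected (assumed tuning list, e.g. an HR
# provisioning service that legitimately creates accounts all day).
EXPECTED_ACTORS = {
    "T1136.002": {"CORP\\svc-provisioning"},
}

def classify(events, expected=EXPECTED_ACTORS):
    """Return (technique_id, technique_name, event) for each event that matches
    a rule, skipping actors that are expected to make that kind of change."""
    hits = []
    for e in events:
        for tid, (name, matches) in RULES.items():
            if matches(e) and e.subject not in expected.get(tid, set()):
                hits.append((tid, name, e))
    return hits

def summarize(events):
    """Count matches per technique ID; useful as a first dashboard view."""
    counts = {}
    for tid, _, _ in classify(events):
        counts[tid] = counts.get(tid, 0) + 1
    return counts

# Constructed sample telemetry: one record per technique plus benign noise.
SAMPLE_EVENTS = [
    AdEvent(5136, "CORP\\jdoe", "CN=Alice,OU=Users,DC=corp,DC=example",
            "user", "scriptPath", "\\\\corp\\netlogon\\update.bat"),
    AdEvent(4720, "CORP\\jdoe", "svc-backup2"),
    AdEvent(4720, "CORP\\svc-provisioning", "new.hire"),      # expected actor
    AdEvent(5136, "CORP\\jdoe",
            "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,"
            "CN=System,DC=corp,DC=example", "groupPolicyContainer",
            "versionNumber", "42"),
    AdEvent(4742, "CORP\\jdoe", "WKSTN42$", "computer",
            "servicePrincipalName", DRS_SPN_GUID + "/dc-shadow.corp.example"),
    AdEvent(4624, "CORP\\alice", "WKSTN07$"),                  # ordinary logon
    AdEvent(5136, "CORP\\helpdesk", "CN=Bob,OU=Users,DC=corp,DC=example",
            "user", "description", "Moved to Finance"),         # benign change
]

if __name__ == "__main__":
    for tid, name, e in classify(SAMPLE_EVENTS):
        print(f"{tid} {name}: event {e.event_id} by {e.subject} on {e.target}")
    print(summarize(SAMPLE_EVENTS))
```

The predicates are deliberately narrow (one attribute, one object class, one SPN GUID) so that each rule states exactly which ATT&CK technique it evidences; in production each rule would also need the audit policy and SACLs that actually generate 5136/5137 on the relevant objects, otherwise the events never arrive.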

A deep understanding of the tactics and techniques used by adversaries helps you act proactively when safeguarding your AD. Our e-book on MITRE ATT&CK tactics and techniques for a secure AD provides deep insights on:

  • What MITRE ATT&CK is

  • What the ATT&CK Matrix is

  • Why you should leverage the MITRE ATT&CK framework

  • MITRE ATT&CK tactics you should know about to secure your AD

  • How to improve AD security by choosing the right IAM tool to implement the MITRE ATT&CK framework

Download the e-book.

Shruthi Ravi
Product Marketing Specialist