You’re Just 7 Minutes Away from an Infinite Toxic Loop in Your Network

Sometimes deliberate actions can lead to unforeseen consequences. Case in point: Active Directory.

In an Active Directory environment, the database is exposed, by design, to every endpoint connected to the domain. This is how Microsoft designed Active Directory to work. But what’s good for IT is not necessarily good for security. This arrangement provides attackers all the necessary information to elevate their privileges to domain admin within 7 minutes of compromising a domain connected endpoint.

Our industry is obsessively focused on keeping attackers out of the network, chasing after new methodologies to stop attackers from compromising the endpoint. But as an industry, we still lack understanding into what attackers are doing after they manage to compromise the endpoint. In no small part, that’s because we’re not asking the right questions. Such as why does just one compromised endpoint easily bring down an entire network? And why is no one asking how attackers can rapidly and stealthily spread inside a targeted network and gain access to every asset they want?

Let’s recall that in mid-2014 attackers created an open-source code, fully automated framework to manipulate Active Directory. Use of this framework subsequently spread because of its ability to hide so well within Active Directory that the only real way to get rid of attackers was to rebuild the affected Active Directory domains from scratch.

That ought to have been a wakeup call to raise more awareness around Active Directory and consider more carefully what attackers are after once they compromise the endpoint. What we should have realized is that even after an attacker gets detected in the network and is blocked, the enterprise remains in danger.

The Infinite Toxic Domain Loop

Once a domain admin account is compromised, attackers can access any asset in the domain and leverage this access to conquer the entire enterprise. Using domain admin privileges, the attacker gains access to all domain controllers, servers, application services, databases, file shares, endpoints and devices in the domain; and, all other trusted domains, all users’ personal information, and the credentials of every domain account. Very powerful, eh?

However, before attackers use stolen admin credentials, they also seek ways to hide them ensuring their reuse, even after getting detected and kicked from the domain. Preserving persistency in a domain environment is accomplished using sophisticated methods such as exploiting the misconfiguration of domain controllers and GPO, and dumping the entire hash database of the organization. It is a crucial part of the attack cycle, and attackers strive to complete this phase to preserve their “investment”.

Because of the enormous opportunity for attackers to generate persistency spots on Active Directory domains, it’s difficult for enterprise security teams to remove them after they have managed to gain domain admin privileges.

This leaves security teams in the unfortunate situation of what we call an “Infinite Toxic Domain Loop (or ITL).” This is a situation equivalent to stirred sugar in hot water. We know that separating and removing melted sugar from water is an arduous, if not impossible task. In a similar way, even after an attacker gets detected the only way to remove compromised privileged access, including persistency spots, is to either rebuild the entire Active Directory domain/forest or perform a comprehensive domain credentials clean-up process. So, what do these security processes entail?

• An Active Directory re-build requires creating new domain controllers (DCs) for each domain, then re-joining every end user and object to the new domains - a very hard and expensive task that can take months to accomplish.
• The comprehensive domain credentials clean-up option entails restricting all access to the domain controllers during the recovery phase, checking for malware on all domain controllers, resetting all user, domain controller and service account passwords in the domain, resetting the krbtgt account twice, executing complete DC replication, and re-approving connections to the DCs. By taking these steps, the attacker is unable to use their old compromised credentials now that the Kerberos tickets are invalid, and passwords and hashes have changed.

Unfortunately, it’s just very hard to limit Active Directory without causing problems for the network. An organization might try manual intervention to limit the exposure, but that’s not an effective way to resolve the issue. The only vendor in the world that provides real-time prevention to this problem is Symantec with Threat Defense for Active Directory, a solution targeting this specific problem.

“Kicking” the attacker out of the domain is not enough anymore. Once attackers elevate their privileges to Domain Admin, the enterprise security teams are left facing an Infinite Toxic domain Loop (ITL) that continues unless the organization undertakes the steps I’ve outlined. It’s up to enterprise security teams to focus on post-exploitation prevention and reducing any dark corners where attackers might try to hide.