Active Directory Advice from Down Under: Is It Too Difficult and Costly to Protect It?
Microsoft's Active Directory (AD) is perhaps the most widely used directory and identity management system worldwide. Because it is deployed by small businesses and large enterprises alike, attackers know they can count on finding it, and on using it to escalate privileges, move laterally, and persist across the network. Active Directory requires expert knowledge to maintain and secure, something many organizations lack. Out of the box, the platform presents an exceptionally large attack surface that is difficult to defend. So it's no wonder that Active Directory is perhaps the biggest ransomware enabler in actual breaches.
Confirming this, the MITRE ATT&CK framework lists over 50 attack techniques directly or indirectly associated with Active Directory deployments. These techniques are employed across various stages of an attack, including initial access, persistence, privilege escalation, and lateral movement.
In a recent advisory, cyber officials from the Australian Signals Directorate compiled a comprehensive list of Active Directory compromises. The challenge of protecting AD is reflected in the advisory's length: a full 60 pages. From Kerberoasting and password spraying to golden/silver tickets and dumping ntds.dit, the report outlines the various exploitation mechanisms as well as the mitigation techniques organizations can deploy to defend against them.
The introduction clearly explains how AD facilitates attacks. First, every account in Active Directory has sufficient permissions to discover and exploit weaknesses. Legitimate capabilities, such as the ability to discover resources (e.g., printers, file shares, co-worker accounts, groups, etc.), also let malicious users gather critical information more easily and move laterally. Attackers know this and take advantage of it, making AD's attack surface too broad and difficult to defend.
Second, the complexity and opacity of the relationships within Active Directory, between different users and systems, often hide from defenders what are, to an attacker, glaring opportunities. These hidden relationships are what attackers exploit, sometimes in trivial ways, to gain complete control over an organization's network.
Even if an organization implements mitigations for all of the attack techniques, detecting compromise can still be challenging, time-consuming, and resource-intensive. Organizations with mature security policies, a robust SIEM, and strong Security Operations Center (SOC) capabilities still struggle to detect attacker infiltration of AD networks. This is because many Active Directory compromises exploit legitimate functionality and generate events that look identical to those from normal activity. Identifying malicious activity often requires correlating events from multiple sources and analyzing discrepancies, which makes detection even more difficult.
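The point about correlation is easiest to see on concrete log data. The following is an added example, not code from the article or from the ASD advisory: it takes a handful of constructed Windows Security events shaped like event ID 4625 (failed logon) and 4769 (Kerberos service ticket request), and flags two of the techniques the advisory names, password spraying and Kerberoasting. Each technique is invisible in any single event (one failed logon, one ticket request) and only appears when events are grouped by source and counted over a time window. The field names, IP addresses, account names, SPNs and the thresholds are all assumptions chosen for the illustration.

```python
"""Correlate sample Windows Security events to flag password spraying and
Kerberoasting. Added example, not code from the article or the advisory.
The events are constructed; thresholds are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events resembling the fields a SIEM would receive from
# domain controller Security logs (real fields are richer; these are the
# ones the correlation needs).
SAMPLE_EVENTS = [
    # One source IP failing against twelve distinct accounts within a minute:
    # event 4625 with sub-status 0xC000006A (wrong password). Spray pattern.
    *[
        {"id": 4625, "time": f"2024-05-01T09:00:{s:02d}", "account": f"user{n:02d}",
         "src_ip": "10.0.5.23", "sub_status": "0xC000006A"}
        for n, s in zip(range(1, 13), range(0, 60, 5))
    ],
    # A user mistyping their own password twice. Must not trigger.
    {"id": 4625, "time": "2024-05-01T09:01:10", "account": "alice",
     "src_ip": "10.0.7.4", "sub_status": "0xC000006A"},
    {"id": 4625, "time": "2024-05-01T09:01:25", "account": "alice",
     "src_ip": "10.0.7.4", "sub_status": "0xC000006A"},
    # One account requesting RC4-HMAC (0x17) service tickets for six SPNs in
    # six seconds: event 4769 as produced by a Kerberoasting tool.
    *[
        {"id": 4769, "time": f"2024-05-01T09:02:{s:02d}", "account": "bob",
         "src_ip": "10.0.7.9", "service": svc, "enc_type": "0x17"}
        for s, svc in enumerate(["MSSQLSvc/db01", "HTTP/web01", "CIFS/fs01",
                                 "MSSQLSvc/db02", "HTTP/intranet", "LDAP/dc01"])
    ],
    # Ordinary AES256 (0x12) ticket requests from a workstation. Must not trigger.
    {"id": 4769, "time": "2024-05-01T09:03:00", "account": "carol",
     "src_ip": "10.0.7.11", "service": "CIFS/fs01", "enc_type": "0x12"},
    {"id": 4769, "time": "2024-05-01T09:03:05", "account": "carol",
     "src_ip": "10.0.7.11", "service": "HTTP/web01", "enc_type": "0x12"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _distinct_in_window(events, field, window, threshold):
    """Slide a time window over one group's events and return the sorted set of
    distinct `field` values the first time the set reaches `threshold`, else None."""
    events = sorted(events, key=_ts)
    start = 0
    for end in range(len(events)):
        while _ts(events[end]) - _ts(events[start]) > window:
            start += 1
        values = {e[field] for e in events[start:end + 1]}
        if len(values) >= threshold:
            return sorted(values)
    return None


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=10):
    """Map source IP -> accounts for sources whose wrong-password failures
    (4625 / 0xC000006A) touched at least `min_accounts` distinct accounts
    within `window`. Per-account lockout thresholds never see this pattern,
    because each account fails only once."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("sub_status") == "0xC000006A":
            by_src[e["src_ip"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        found = _distinct_in_window(evs, "account", window, min_accounts)
        if found:
            hits[src] = found
    return hits


def detect_kerberoasting(events, window=timedelta(minutes=10), min_services=5):
    """Map account -> SPNs for accounts that requested RC4 (0x17) service
    tickets for at least `min_services` distinct SPNs within `window`.
    Any single 4769 is normal; the burst of RC4 requests across many SPNs is not."""
    by_acct = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e.get("enc_type") == "0x17":
            by_acct[e["account"]].append(e)
    hits = {}
    for acct, evs in by_acct.items():
        found = _distinct_in_window(evs, "service", window, min_services)
        if found:
            hits[acct] = found
    return hits


def run(events=SAMPLE_EVENTS):
    return {"password_spray": detect_password_spray(events),
            "kerberoasting": detect_kerberoasting(events)}


if __name__ == "__main__":
    for kind, hits in run().items():
        for key, targets in hits.items():
            print(f"[{kind}] {key}: {len(targets)} targets -> {', '.join(targets)}")
```

Two design notes. The RC4 filter in the Kerberoasting rule is what keeps the false-positive rate low: workstations in an AES-capable domain request AES tickets, so an account asking for RC4 tickets across many services stands out, and the signal gets sharper still once RC4 is disabled for service accounts, as hardening guidance generally recommends. For password spraying, the same logic should also be run over Kerberos pre-authentication failures (event 4771) on the domain controllers, since sprays aimed at Kerberos never produce 4625 on the target host at all; that is exactly the "multiple sources" problem the paragraph above describes.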
Reading the report, one wonders why so many organizations (especially SMBs) still rely on a platform with such a large attack surface, so difficult to defend, and so often exploited by ransomware operators.