Active directory: The crown jewels for insider attacks

Unfortunately, it is becoming less and less surprising for organisations to discover that a data breach was not an external attack but an internal one. In fact, a global study by the Ponemon Institute that examined 383 companies across 12 countries found that hackers and criminal insiders were responsible for 48 percent of data breaches. Remarkably, according to the same study, the average total cost of a data breach was US$ 4 million (£2.9 million), a 29 percent increase from 2013.

Last year there were more data breaches in the first half of 2017 than in the whole of 2016, and whether accidental or malicious, lapses in internal security are increasingly resulting in headline-grabbing data breach scandals. With the General Data Protection Regulation (GDPR) incoming and data law becoming more stringent, enterprises are now under immense pressure to secure their sensitive data, especially from the growing threat of insider attacks.

Brace for impact

Insider attacks can take the form of many different crimes, for example cross-border economic espionage, well-planned conspiracies to steal trade secrets, and copying personal data to sell on the black market. Whatever the motive, if an organisation is not prepared, the costs and the damage to its reputation can be significant.

According to a 2017 Insider Threat Report, 74 percent of companies feel they are vulnerable to insider threats, with seven percent reporting extreme vulnerability. The same report suggests that 53 percent of companies estimate remediation costs of US$ 100,000 (£72,000) or more, with 12 percent estimating a cost exceeding US$1 million (£720,000).

To gain the most ransom and return on investment, an attacker looks to infiltrate the systems that hold the most sensitive files. A network that comprises a collection of the company's information and its employees' sensitive data is therefore destined to be the first port of call for an internal threat actor.

Why Active Directory?
Active Directory (AD) is the primary authentication and authorisation directory for over 90 percent of the world's enterprises and some 500 million active user accounts, making it a common target for cyber-attacks. In fact, more than a whopping 95 million AD accounts are under cyber-attack on a daily basis, according to Microsoft. 

As adoption of Microsoft Office 365 continues to grow, the complexity of securing AD increases. There are over 10 billion Azure Active Directory (AAD) authentications annually, and 10 million of those are attempted cyber-attacks. Used by all Office 365 applications to authenticate users, AAD serves as the central nervous system that makes Office 365 possible. However, every Office 365 instance requires a separate AAD tenant, which is yet another environment IT must manage and secure.

In short, any access gained through on-premises AD can have repercussions not just within AAD; it can also reach well into any web-based applications that rely on AAD. A continuous lifecycle methodology backed by an end-to-end hybrid AD security solution is therefore critical for any organisation.

Release the airbags 

There is no slam-dunk approach to AD security, but organisations can guard against insider threats to AD by following a set of key practices. The first step in reducing risk is to clean up the network systems, beginning with the IT environment. By reducing the number of forests and domains within a network, an organisation shrinks its IT surface area and leaves less exposed to attack. Limiting the permissions that grant access into a sensitive network hardens access control and further minimises the risk that valuable data could be compromised.

Other key practices include:
Hardening access control to sensitive systems;
Alerting immediately on suspicious activity;
Automating, enforcing and remediating security policies;
Planning, testing and implementing business continuity processes.

It is important to remember that once the IT network is properly secured and risk is at a minimum, organisations must still monitor the actions of everyone with access, because security is not a one-time configuration event but an ongoing process.
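As an added example (not code from the article or from Quest Software) of the "alert immediately on suspicious activity" and ongoing-monitoring practices above, the script below runs detection logic over exported Windows Security events: it raises an alert for every change to a Tier-0 group and replays the changes against an approved membership baseline to report drift. The event IDs 4728/4732/4756 (member added) and 4729/4733/4757 (member removed) are the real Windows group-membership events; the event lines, account names and approved baseline are constructed sample data.

```python
import json
# Tier-0 groups whose membership should change only through an approved process.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Security event IDs: member added to / removed from a security-enabled global
# (4728/4729), local (4732/4733) or universal (4756/4757) group.
MEMBER_ADDED, MEMBER_REMOVED = {"4728", "4732", "4756"}, {"4729", "4733", "4757"}
# Constructed sample export (one JSON event per line), as a SIEM might forward it.
SAMPLE_EVENTS = """
{"EventID": "4728", "TimeCreated": "2018-03-01T02:14:07Z", "SubjectUserName": "jsmith", "TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"}
{"EventID": "4732", "TimeCreated": "2018-03-01T09:30:00Z", "SubjectUserName": "helpdesk1", "TargetUserName": "Remote Desktop Users", "MemberName": "CN=alice,OU=Staff,DC=corp,DC=example"}
{"EventID": "4756", "TimeCreated": "2018-03-01T02:15:40Z", "SubjectUserName": "jsmith", "TargetUserName": "Enterprise Admins", "MemberName": "CN=jsmith,OU=Staff,DC=corp,DC=example"}
{"EventID": "4729", "TimeCreated": "2018-03-01T10:00:00Z", "SubjectUserName": "admin-ops", "TargetUserName": "Domain Admins", "MemberName": "CN=oldadmin,OU=Staff,DC=corp,DC=example"}
"""
# Constructed approved membership, as signed off by the change process.
APPROVED_BASELINE = {"Domain Admins": {"admin-ops", "oldadmin"}, "Enterprise Admins": {"admin-ops"}}

def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def member_cn(dn):
    """'CN=jsmith,OU=Staff,...' -> 'jsmith'."""
    return dn.split(",")[0].split("=", 1)[1]

def privileged_group_alerts(events):
    """One alert per add/remove on a Tier-0 group; an actor adding themself is flagged."""
    alerts = []
    for e in events:
        group = e["TargetUserName"]
        if group not in TIER0_GROUPS or e["EventID"] not in MEMBER_ADDED | MEMBER_REMOVED:
            continue
        action = "added to" if e["EventID"] in MEMBER_ADDED else "removed from"
        actor, member = e["SubjectUserName"], member_cn(e["MemberName"])
        tag = " [SELF-GRANT]" if actor.lower() == member.lower() else ""
        alerts.append(f"{e['TimeCreated']} {member} {action} {group} by {actor}{tag}")
    return alerts

def membership_drift(baseline, events):
    """Replay adds/removes over the baseline; return {group: (unexpected, missing)}."""
    current = {g: set(m) for g, m in baseline.items()}
    for e in events:
        group, member = e["TargetUserName"], member_cn(e["MemberName"])
        if group not in current:
            continue
        if e["EventID"] in MEMBER_ADDED:
            current[group].add(member)
        elif e["EventID"] in MEMBER_REMOVED:
            current[group].discard(member)
    return {g: (current[g] - baseline[g], baseline[g] - current[g]) for g in baseline}
```

On the sample data this yields three alerts (the helpdesk change to a non-privileged group is ignored, and jsmith adding themself to Enterprise Admins is tagged as a self-grant) and shows Domain Admins drifting from the baseline by one unexpected and one missing member.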

Because an insider faces low barriers to reaching an organisation's sensitive data, the ramifications of an internal attack are massive. With GDPR around the corner, and the risk of a €20 million fine as well as public humiliation, the incentive for businesses to secure their AD against data breaches has never been so high.

Active Directory underpins not just an organisation's security model; it is also key to providing the services and facilities that GDPR demands. An outage resulting from changes made to AD during an internal or external attack will often cause a failure of services that customers require and are entitled to, and as a result the organisation may well become one of interest to the data protection authorities.

To minimise the insider threat, adhere to incoming data legislation and protect against data breaches, Active Directory security must be prioritised; otherwise it could very well be the Achilles' heel that brings the company to its knees. Without the proper processes and security lifecycle methodology in place, all it takes is a disgruntled employee, or someone not properly trained in IT, to cost an organisation millions and, more importantly, its reputation.

Contributed by Colin Truran, principal technology strategist, Quest Software. 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.