Hybrid Active Directories: Another Frontier for Data Breaches

Posted by Mark Greisiger

A Q&A with Quest

More organizations are adopting Microsoft’s cloud-based Azure Active Directory (AD) while maintaining on-premises AD deployments to support legacy systems or applications without internet access. We call this a hybrid Active Directory deployment. Hybrid ADs may pose a security risk if not managed properly. Unexpected changes to the AD environment, such as changes in user privilege, multiple logins in rapid succession, and logins from unusual locations, often provide the first indication of an externally or internally initiated breach. We spoke to Keri Farrell, Brad Kirby and Matthew Vinton from Quest about this particular concern for organizations and how they can shore up security measures to avoid data loss.
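The three early-warning signals named above (privilege changes, bursts of logins, logins from unusual locations) can each be expressed as a simple rule over sign-in and directory-change events. The following is an added example, not code from the original post or from Quest; the event layout, the thresholds, the baseline of "normal" countries and the sample events are all constructed for illustration, and a real deployment would feed it from the AD security log or Azure AD sign-in log instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Tuple layout:
# (ISO timestamp, user, event type, detail). For "SignIn" the detail is the
# source country; for "AddedToGroup" it is the group the user was added to.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "alice", "SignIn", "US"),
    ("2024-03-01T08:00:05", "alice", "SignIn", "US"),
    ("2024-03-01T08:00:10", "alice", "SignIn", "US"),
    ("2024-03-01T08:00:15", "alice", "SignIn", "US"),
    ("2024-03-01T08:00:20", "alice", "SignIn", "US"),
    ("2024-03-01T08:00:25", "alice", "SignIn", "US"),
    ("2024-03-01T09:00:00", "bob", "SignIn", "US"),
    ("2024-03-01T09:30:00", "bob", "SignIn", "BR"),
    ("2024-03-01T10:00:00", "carol", "AddedToGroup", "Domain Admins"),
    ("2024-03-01T10:05:00", "carol", "SignIn", "GB"),
]

# Constructed baseline: countries each user normally signs in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"GB"}}

# Built-in AD groups plus the Azure AD role whose membership changes matter most.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}
BURST_THRESHOLD = 5                  # sign-ins ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this window count as a burst (assumed values)
TRAVEL_WINDOW = timedelta(hours=1)    # two countries closer than this is implausible travel


def parse(raw_events):
    """Convert timestamps and sort chronologically so the rules can stream over events."""
    return sorted(((datetime.fromisoformat(ts), user, etype, detail)
                   for ts, user, etype, detail in raw_events), key=lambda e: e[0])


def detect_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return users with at least `threshold` sign-ins inside any sliding `window`."""
    per_user = defaultdict(list)
    for ts, user, etype, _ in events:
        if etype == "SignIn":
            per_user[user].append(ts)
    flagged = set()
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):          # times are already sorted
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def detect_unusual_locations(events, baseline, window=TRAVEL_WINDOW):
    """Flag sign-ins outside the user's baseline countries, and sign-ins from two
    different countries closer together than `window`."""
    alerts, last_seen = [], {}
    for ts, user, etype, country in events:
        if etype != "SignIn":
            continue
        if country not in baseline.get(user, set()):
            alerts.append((user, ts, f"sign-in from unexpected location {country}"))
        prev = last_seen.get(user)
        if prev and prev[1] != country and ts - prev[0] <= window:
            alerts.append((user, ts, f"sign-in from {country} within {window} of one from {prev[1]}"))
        last_seen[user] = (ts, country)
    return alerts


def detect_privilege_changes(events, privileged=PRIVILEGED_GROUPS):
    """Every addition to a privileged group is worth a ticket on its own."""
    return [(user, ts, group) for ts, user, etype, group in events
            if etype == "AddedToGroup" and group in privileged]


def run_detections(raw_events, baseline):
    events = parse(raw_events)
    return {"bursts": detect_bursts(events),
            "locations": detect_unusual_locations(events, baseline),
            "privilege": detect_privilege_changes(events)}


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS, BASELINE).items():
        print(rule, hits)
```

With the constructed input, alice trips the burst rule, bob trips both location rules (an unknown country, and two countries half an hour apart), and carol's addition to Domain Admins is reported regardless of where she signs in from. The thresholds are deliberately simple; the point is that each of the signals the article lists is cheap to compute once the two logs (on-premises and cloud) are collected in one place.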


Can you explain what a hybrid AD is, and why a hacker might target it?
BK: Think about Active Directory as the white pages within your organization that enumerates all of the users within. It allows you to assign permissions to users and groups and choose what applications and files they might have access to. Hybrid AD means that the Active Directory is housed both on premises and in the cloud (Azure AD) with all or a portion of users being synchronized between them. For most organizations today, we see accounts being managed on premises and synchronized to Azure AD, but we are also starting to see more organizations deploy users directly to the cloud. In higher education, for instance, full-time students and faculty often require on-premises AD accounts as well as an Azure AD account to allow full access to university services, while alumni may only have accounts in Azure AD and have access only to cloud services.

MV: The synchronization that Brad discussed is one of the areas organizations need to pay attention to. When users are synchronized from on-premises Active Directory to Azure AD their privileges can travel with them, so you want to make sure that the privileges that they have on premises are appropriate for the cloud. If not, organizations may find themselves in a position where cloud users have unintended permissions that may place the organization at risk.
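One concrete way to act on the point about privileges travelling with synchronized users is to audit the sync scope before accounts leave the on-premises directory: list every account that falls inside the synchronized OUs and still holds a sensitive on-premises group membership. The following is an added example, not code from the original post or from Quest; the account records, the OU-based sync scope and the helper names are constructed for illustration, and the set of "sensitive" groups is a starting point to be adjusted per environment.

```python
# Constructed sample on-premises accounts (not from any real domain).
ONPREM_ACCOUNTS = [
    {"sam": "jsmith", "dn": "CN=jsmith,OU=Staff,DC=corp,DC=example",
     "groups": {"Staff"}, "enabled": True},
    {"sam": "adm-jsmith", "dn": "CN=adm-jsmith,OU=Staff,DC=corp,DC=example",
     "groups": {"Domain Admins", "Staff"}, "enabled": True},
    {"sam": "svc-backup", "dn": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "groups": {"Backup Operators"}, "enabled": True},
    {"sam": "alum01", "dn": "CN=alum01,OU=Alumni,DC=corp,DC=example",
     "groups": {"Alumni"}, "enabled": False},
]

# Assumed sync configuration: accounts under these OUs are synchronized to the cloud.
SYNC_SCOPE_OUS = ["OU=Staff,DC=corp,DC=example", "OU=Service,DC=corp,DC=example"]

# Built-in AD groups whose members should be reviewed before they are synced;
# widen or narrow this per environment.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                    "Administrators", "Account Operators", "Backup Operators"}

RECOMMENDATION = ("exclude from sync or keep a separate cloud-only account for cloud "
                  "administration; do not let on-premises admin rights imply cloud rights")


def in_sync_scope(dn, scope_ous):
    """True if the account sits under one of the in-scope OUs (suffix match on the DN)."""
    return any(dn.endswith("," + ou) for ou in scope_ous)


def audit_sync_scope(accounts, scope_ous, sensitive_groups):
    """Split accounts into synced/skipped and report synced accounts that hold
    sensitive on-premises group memberships."""
    synced, skipped, findings = [], [], []
    for acct in accounts:
        if not in_sync_scope(acct["dn"], scope_ous):
            skipped.append(acct["sam"])
            continue
        synced.append(acct["sam"])
        risky = acct["groups"] & sensitive_groups
        if risky:
            findings.append({"sam": acct["sam"], "groups": sorted(risky),
                             "enabled": acct["enabled"], "action": RECOMMENDATION})
    return {"synced": synced, "skipped": skipped, "findings": findings}


if __name__ == "__main__":
    report = audit_sync_scope(ONPREM_ACCOUNTS, SYNC_SCOPE_OUS, SENSITIVE_GROUPS)
    print("synced:", report["synced"])
    print("skipped:", report["skipped"])
    for f in report["findings"]:
        print(f"REVIEW {f['sam']}: {', '.join(f['groups'])} -> {f['action']}")
```

Run against a real export (for instance the output of an AD query tool rendered into the same record shape), the findings list is the set of accounts whose cloud privileges need a deliberate decision rather than an inherited one.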

What are some possible repercussions of a breach from this attack vector?
BK: The directory service, usually Microsoft Active Directory, is the “crown jewels” for a hacker because it allows access to your network, data and devices. An attacker may be a disgruntled employee who wants to cause trouble or it might be a serious hacker who wants to steal or destroy important company data. While the native security built into Active Directory and Azure AD is state of the art, it’s important to implement AD management processes that prevent human error or security breaches from causing real problems.
KF: The cost of these attacks can be in the millions. In our own surveys we’ve found that customers are most concerned about modifications or deletions to the directory and insecure passwords.

How can a customer mitigate hybrid AD exposure?  
BK: It’s a matter of adopting best practices in several quadrants. First is being able to understand when changes actually occur, for instance, being able to flag when an individual’s permissions have been changed or their account may have been compromised. You need to have the ability to back up and restore user groups and attributes so that if changes are made you can roll back to the original state in a non-disruptive fashion. And you want to provision users in such a way that they can only view and access the on-premises and cloud-based files, data, and applications relevant to their job function. And now, with so many organizations moving large chunks of their infrastructure to the cloud, it’s a hybrid world and you need a tool set that comprehends both on-premises resources and cloud resources.
KF: And for those situations in which a breach has occurred and a cleanup is required, our recovery solutions allow companies to see what’s changed in the environment and roll back to the last known good state. It’s like an insurance policy for the hybrid AD infrastructure.
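The "see what's changed and roll back to the last known good state" workflow described in the two answers above comes down to three steps: diff a known-good snapshot of groups and attributes against the current state, invert each change into a restoring action, and apply those actions. The following is an added example of that algorithm, not code from the original post or from Quest's products; the snapshot format and both snapshots are constructed, and the apply step writes to an in-memory copy rather than to a directory.

```python
import copy

MISSING = object()  # sentinel: attribute not present in this snapshot

# Constructed snapshots (not from a real directory): group -> members, user -> attributes.
LAST_KNOWN_GOOD = {
    "groups": {"Domain Admins": {"adm-jsmith"}, "Finance": {"jsmith", "mlee"}},
    "users": {"jsmith": {"enabled": True, "department": "Finance"},
              "mlee": {"enabled": True, "department": "Finance"}},
}
CURRENT_STATE = {  # mlee gained Domain Admins and lost Finance; jsmith was disabled
    "groups": {"Domain Admins": {"adm-jsmith", "mlee"}, "Finance": {"jsmith"}},
    "users": {"jsmith": {"enabled": False, "department": "Finance"},
              "mlee": {"enabled": True, "department": "Finance"}},
}


def diff_snapshots(good, current):
    """List every membership and attribute difference between two snapshots."""
    changes = []
    for group in sorted(set(good["groups"]) | set(current["groups"])):
        before = good["groups"].get(group, set())
        after = current["groups"].get(group, set())
        changes += [("member_added", group, m) for m in sorted(after - before)]
        changes += [("member_removed", group, m) for m in sorted(before - after)]
    for user in sorted(set(good["users"]) | set(current["users"])):
        b, a = good["users"].get(user, {}), current["users"].get(user, {})
        for attr in sorted(set(b) | set(a)):
            before, after = b.get(attr, MISSING), a.get(attr, MISSING)
            if before != after:
                changes.append(("attr_changed", user, attr, before, after))
    return changes


def rollback_plan(changes):
    """Invert each change into the action that restores the known-good value."""
    plan = []
    for ch in changes:
        if ch[0] == "member_added":
            plan.append(("remove_member", ch[1], ch[2]))
        elif ch[0] == "member_removed":
            plan.append(("add_member", ch[1], ch[2]))
        elif ch[0] == "attr_changed":
            _, user, attr, before, _after = ch
            plan.append(("del_attr", user, attr) if before is MISSING
                        else ("set_attr", user, attr, before))
    return plan


def apply_plan(snapshot, plan):
    """Apply rollback actions to a copy of the snapshot (stand-in for directory writes)."""
    s = copy.deepcopy(snapshot)
    for action in plan:
        if action[0] == "remove_member":
            s["groups"].setdefault(action[1], set()).discard(action[2])
        elif action[0] == "add_member":
            s["groups"].setdefault(action[1], set()).add(action[2])
        elif action[0] == "set_attr":
            s["users"].setdefault(action[1], {})[action[2]] = action[3]
        elif action[0] == "del_attr":
            s["users"].get(action[1], {}).pop(action[2], None)
    return s


if __name__ == "__main__":
    changes = diff_snapshots(LAST_KNOWN_GOOD, CURRENT_STATE)
    for c in changes:
        print("changed:", c)
    plan = rollback_plan(changes)
    for p in plan:
        print("rollback:", p)
    print("restored:", apply_plan(CURRENT_STATE, plan) == LAST_KNOWN_GOOD)
```

The diff is also the audit record: the same three change entries that drive the rollback are what an investigator reads to see that one account was added to Domain Admins and another disabled. Because the plan is computed from the diff rather than by restoring the whole snapshot, only the objects that actually changed are touched, which is what makes the rollback non-disruptive for everyone else.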

In summary…
We would like to thank these three Active Directory experts from Quest for the insights into this cyber risk issue. Given the popularity of Microsoft solutions and the broad adoption of Microsoft Active Directory and Azure AD, it’s not hard to see why bad guys would choose to target it to gain a toehold in the corporate network. It is definitely an asset that needs to be treated with the respect it deserves.