Review your on-prem ADCS infrastructure before attackers do it for you

Attackers look for weak points in our domains and networks. Too often they break into systems, wait, and launch their attacks later. One example is the infamous SolarWinds software attack, which infected up to nine US agencies and many organizations with back doors in their infrastructure.

Recent investigations show that the Justice Department may have been aware of the possibility of a breach months before it happened. Before the affected software was purchased, a trial copy was installed on test servers, and it appears that the network administrators became concerned and raised questions when unusual traffic was seen coming from one of those servers. Investigators came to examine the situation, but no one understood the significance until months later.

The backdoor was eventually discovered by several of these same researchers when the software was found on their servers. If experts in the field took months to find that this software had a backdoor, can we non-experts expect to find these attackers on our network?

Use egress filtering on firewalls

My recommendation in this type of scenario is twofold. First, don’t forget to use egress filtering on a firewall to determine whether the traffic being sent from your servers is normal. Note that you can use the built-in basic Windows firewall to block traffic. Too often we ignore the tools already integrated into our existing infrastructure and opt for vendor solutions instead. Outbound filtering does come with real overhead, though: companies often put connectivity with other servers first and don’t invest the time and effort needed to determine what traffic is normal and expected.

Second, don’t second-guess network administrators when they ask why a vendor is doing something strange with their software. I’ve often found myself in the situation where I’m investigating what appears to be an unexpected leak of information or software that isn’t behaving directly, and I think I must be overreacting to the evidence I’m seeing. Surely some other company has seen and reported this behavior before and I’m just misunderstanding what’s going on?

Do your due diligence when buying new software

I often have to reassure myself through further research and external verification that what I am seeing is not normal. Therefore, when purchasing any new software, ensure that staff are empowered to investigate any unusual traffic that cannot be explained, and consider moving to a “block first, enable later” verification process for your firewall. Do not introduce new software into your Active Directory domain before conducting due diligence and research.
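The "block first, enable later" outbound policy described above, using only the built-in Windows Defender Firewall, as an added example that is not part of the original article. The domain-controller and proxy addresses, ports and rule names are constructed placeholders; the real allow list has to be built from the traffic you observe and from the documented port requirements of your domain services.

```powershell
# Added example (not from the original article): switch a server's Windows
# Defender Firewall to block-by-default outbound, keep an explicit allow list,
# and collect the audit events that tell you what was blocked so the list can
# be grown deliberately rather than guessed.
# Run in an elevated PowerShell session on the server under review.

#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# 1. Audit Windows Filtering Platform connection decisions. Failure auditing
#    produces event 5157 for every blocked connection; success auditing (5156)
#    is left off here because it is very noisy on a busy server.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# 2. Explicit allow rules for traffic already verified as expected.
#    Addresses and ports below are constructed placeholders for a lab domain.
$allowed = @(
    @{ Name = 'Allow-DNS-to-DCs';      Proto = 'UDP'; Port = 53;   Remote = '10.0.0.10','10.0.0.11' }
    @{ Name = 'Allow-Kerberos-to-DCs'; Proto = 'TCP'; Port = 88;   Remote = '10.0.0.10','10.0.0.11' }
    @{ Name = 'Allow-LDAP-to-DCs';     Proto = 'TCP'; Port = 389;  Remote = '10.0.0.10','10.0.0.11' }
    @{ Name = 'Allow-Web-via-Proxy';   Proto = 'TCP'; Port = 8080; Remote = '10.0.0.20' }
)
foreach ($r in $allowed) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow `
            -Protocol $r.Proto -RemotePort $r.Port -RemoteAddress $r.Remote `
            -Profile Domain | Out-Null
    }
}

# 3. Block everything outbound that no rule explicitly allows (Domain profile only,
#    so a laptop on a home network is not affected by this particular change).
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block

# 4. After a soak period, summarise what was blocked: which process tried to reach
#    which destination, and how often. Each line is a decision to make: expected
#    traffic gets an allow rule, unexplained traffic gets investigated.
function Get-BlockedOutbound {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $Since } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            # Direction is reported as a resource string: %%14592 = Inbound, %%14593 = Outbound.
            if ($d.Direction -eq '%%14593') {
                [pscustomobject]@{
                    Process = $d.Application
                    Dest    = "$($d.DestAddress):$($d.DestPort)/$($d.Protocol)"
                }
            }
        } |
        Group-Object Process, Dest |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-BlockedOutbound | Format-Table -AutoSize
```

Apply this first on a non-critical member server and from a console or out-of-band session: a domain member needs more than the three services in the placeholder list (SMB, RPC endpoint mapper and its dynamic range, Kerberos password change, global catalog, time sync, Windows Update), and the point of the 5157 summary is to surface exactly those gaps, one explained connection at a time, instead of opening everything up front.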

Copyright © 2023 IDG Communications, Inc.

As a full stack tech company, Ikaroa is well aware that any organization’s Active Directory Certificate Services (ADCS) infrastructure is a major target for malicious cyber-attacks. ADCS is the centralized solution used by organizations to publicly verify identity certificates and digitally sign documents, and it is central to the secure operation of many of today’s applications and services. It is therefore of paramount importance to properly protect this mission-critical service from adversaries who are intent both on infiltrating an organization’s network and on stealing, manipulating or destroying the data it holds.

In light of this, Ikaroa strongly recommends that all organizations audit their existing ADCS infrastructure, as well as its associated processes, configurations, and access control settings. Doing so will not only help to identify any possible security vulnerabilities, but will also provide a clear overview of what steps need to be taken to best defend the network.

Foremost in any review should be a detailed look at the authentication and authorization methods currently in place, such as the location of certificates, the content of contracts, and the authority of the user accounts granted access. Additionally, organizations should also make sure they update their access rights and review the relevant encryption and key management methods.

Organizations should also closely inspect the physical security of the ADCS installation, analysing the hardware and physical environment where the server is located. From a logical perspective, comprehensive logging and monitoring of user activity can provide early insight into an attack in progress, and regular patching will mitigate against any known vulnerabilities in the server’s operating system, both of which are critical in helping to prevent attacks.
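The access-control review called for above (which accounts may obtain certificates, and on what terms), as an added example that is neither the article's nor Ikaroa's own code. It assumes the RSAT ActiveDirectory PowerShell module, read access to the Configuration naming context, and the default English group names; the control-access-right GUIDs and template flag bits are the published Microsoft values.

```powershell
# Added example (not from the original article or from Ikaroa): inventory the
# enrollment permissions on every ADCS certificate template so a reviewer can
# see which principals may request certificates, whether the requester may
# choose the subject name, and whether a CA manager must approve the request.

Import-Module ActiveDirectory

# Well-known control-access-right GUIDs for certificate enrollment.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment

# Template flag bits the review reports on.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # in msPKI-Enrollment-Flag (CA manager approval)

# Principals that amount to "anyone in the domain" for enrollment purposes
# (default English names; adjust for localized domains).
$BroadPrincipals = 'Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone', 'Users'

function Test-EnrollAce {
    # True when an ACE grants Enroll/AutoEnroll, or a superset such as GenericAll.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $rights = $Ace.ActiveDirectoryRights
    if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { return $true }
    if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
        # An empty ObjectType means "all extended rights", which includes Enroll.
        return ($Ace.ObjectType -eq [guid]::Empty -or
                $Ace.ObjectType -eq $EnrollRight -or
                $Ace.ObjectType -eq $AutoEnrollRight)
    }
    return $false
}

function Get-TemplateEnrollmentReview {
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"

    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties nTSecurityDescriptor, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag' |
    ForEach-Object {
        $t = $_
        $enrollers = @($t.nTSecurityDescriptor.Access |
                       Where-Object { Test-EnrollAce $_ } |
                       ForEach-Object { $_.IdentityReference.Value } |
                       Sort-Object -Unique)
        # Strip the DOMAIN\ prefix before comparing against the broad-group list.
        $broad = @($enrollers | Where-Object { $BroadPrincipals -contains ($_ -split '\\')[-1] })

        # Missing attributes are treated as 0 (no flags set).
        $nameFlag   = [int]($t.'msPKI-Certificate-Name-Flag' | Select-Object -First 1)
        $enrollFlag = [int]($t.'msPKI-Enrollment-Flag'       | Select-Object -First 1)

        [pscustomobject]@{
            Template        = $t.Name
            BroadEnrollment = ($broad.Count -gt 0)
            SuppliesSubject = [bool]($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
            ManagerApproval = [bool]($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS)
            Enrollers       = ($enrollers -join '; ')
        }
    }
}

# Templates that combine broad enrollment with a requester-chosen subject and no
# approval step sort to the top; those are the rows to justify or tighten first.
Get-TemplateEnrollmentReview |
    Sort-Object BroadEnrollment, SuppliesSubject -Descending |
    Format-Table Template, BroadEnrollment, SuppliesSubject, ManagerApproval, Enrollers -AutoSize -Wrap
```

Two caveats on reading the output: a template only matters once a CA publishes it, so cross-check the list against the certificateTemplates attribute of each pKIEnrollmentService object under the same Public Key Services container; and the review is only as good as the logging behind it, so confirm that the Certification Services audit subcategory is enabled on the CA and that the CA's AuditFilter registry value covers issuance and template changes, otherwise the request and template-modification events needed to spot misuse are never written.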

As the sophistication of cyber-attacks continues to increase, organizations must execute regular reviews of their ADCS infrastructure in order to reduce the potential for malicious actors to gain access to sensitive data and operations. If a breach does occur, organizations must be able to ensure that their data is safe and secure, as well as be prepared to respond quickly and minimize the impact of any losses suffered. By following the advice of Ikaroa and implementing best security practices and regular audit checks, organizations will be well-placed to defend their ADCS infrastructure against all manner of attacks.
