In our last two blog posts we talked about the common problems our consultants find on red team engagements, and we did some analysis of the sources of one of the most common problem areas – poor credential handling. This broke down into a variety of individual issues such as bad passwords, passwords left in readable files and how the organisation handles local administration of systems. See the blog posts Analysing Red Team Findings and Top Findings from Red Team Engagements for the full breakdown.
But how to identify these problems outside of a red team engagement?
A red team is complex, lengthy, and should be the crowning activity once you believe security is in a good state. It’s an expensive way to identify that a core security control such as your Active Directory configuration is the weak point in the organisation’s defences.
Unfortunately, this is what happens in 85% of red teams we perform.
To help address this we are launching a new service targeted directly at testing Active Directory installations for common problems. Our Active Directory Attack Resistance service targets the 3 main areas that weaknesses can arise in:
- Password quality. Although enforcing minimum password quality is one of the first controls configured using AD, many organisations circumvent this for ease of use when practical processes such as forgotten passwords or setting a new employee’s temporary password come to be set up. To test an enterprise’s effectiveness at password management we attempt to crack as many passwords as possible using an offline approach and assess password change practices. We then identify and report on detrimental practices and patterns in the organisation in relation to password setting and usage.
- Credential harvesting. One of the common weaknesses identified through both red teaming and experience in responding to breaches in the wild, is that valid credentials are often found unsecured on network shares in an organisation. In this part of the test we search the network for these and related misconfigurations.
- Enterprise configuration Review. Due to the large number of objects, groups, security groups, organisational units, etc. involved in a working Active Directory installation, it is common to find unintended combinations and stale accounts which result in the creation of a path for an attacker to gain domain administration level access. This part of the assessment looks for these misconfigurations and gives high level actions to address these routes to domain administration.
If you want to know how your core network and controls would fare when under attack get in touch today!