SentinelOne Ranger AD Assessor

SentinelOne has recently announced the acquisition of Attivo Networks to bring new capabilities to its customers. Among these new features is Ranger AD Assessor. In this blog post, we give you the rundown on the state of AD security and how Singularity Ranger AD Assessor can give you visibility into your security gaps.

Why do threat actors target AD?

Microsoft estimates that 95 million AD accounts come under attack each day, with 94% of organisations having experienced an identity-related breach. AD is a key target for attackers as compromising AD can give them access to all network resources and the necessary rights and privileges to make changes. These changes could make it harder to detect any malicious activity.

Almost every major ransomware attack includes a step in which the attacker leverages AD for information, privileges, or both.

How are attackers targeting AD?

  • Misconfigurations and vulnerabilities - Attackers can quickly exploit unpatched applications, operating systems, and firmware on AD servers, giving them a critical first foothold within your environment.

  • Admin users and privileged access - AD allows administrators to grant access to specific applications and data based on employee roles. Roles are assigned to groups that determine access levels. It’s important to grant individuals and roles only the level of access they need to perform their job functions.

  • Passwords - Brute force attacks on AD services often target passwords. Simple and easily guessable passwords put your AD at risk.

  • Default settings - AD has a set of predetermined, default security settings created by Microsoft. These security settings may not be ideal for your organisation’s needs. Additionally, these default security settings are well understood by threat actors, who will attempt to exploit gaps and vulnerabilities.

Many open-source and freely available tools, including BloodHound and Mimikatz, make attacking and compromising AD dangerously simple. Attackers use these tools to identify accounts capable of granting them administrative rights and conduct their attacks in a way that allows them to elevate their privileges.