How do you improve cybersecurity for your identity infrastructure (Part 1)?
Feb 06, 2024
Active Directory (AD) entitlements are key to keeping your organization secure. AD is the primary source of authentication and authorization for 90% of the Global Fortune 1000 and for organizations of all sizes, and it is often synchronized to the cloud or federated to grant access to cloud applications and resources as well. AD security issues can result in costly service disruptions, data breaches, and compliance failures.
Minimize The Attack Surface
To prevent unfettered access, AD delegation is built on separation of duties and the principle of least privilege: users should hold only the rights they need, on only the objects they need, to do their jobs. Reducing the number of accounts with unrestricted or overly broad access shrinks the attack surface and the risk of misuse.
As part of credential hygiene, organizations need to see where each user or group has rights in the environment. This verifies that the permissions match the user's role, and it confirms that permissions are revoked when a user changes roles or leaves the organization.
Find High Risk Permissions
Organizations also need to look for high-risk permissions. These include the items identified in MITRE ATT&CK mitigations and MITRE D3FEND countermeasures for AD. Beyond those frameworks, you must also look for commonly misconfigured permissions, such as the group "Everyone" holding Full Control. You also need to validate who can perform sensitive AD operations, such as modifying Domain Controllers or transferring FSMO roles; these permissions should be restricted to Tier 0 accounts.
Challenges of Managing and Hardening Entitlements
Active Directory (AD) permissions can be set several ways: directly on the object's security tab, with PowerShell, or with the Delegation of Control wizard in the Active Directory Users and Computers (ADUC) console. Larger organizations may use Identity and Access Management (IAM) and/or Identity Access Governance (IAG) systems to provision and deprovision users and rights, but these systems rarely cover every role or access need. No matter how permissions are set, additional access is granted outside of these systems over time, resulting in entitlement creep.
Organizations need to verify that only the appropriate permissions are set. Manual verification through command-line utilities or PowerShell does not scale, the ADUC Effective Permissions tab is often inaccurate, and IAM and IAG systems do not have the complete picture. A further challenge is finding out who had which permissions at a given point in the past, for forensics, audits, and compliance.
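To make the checks above concrete, here is an added PowerShell example (not code from the original article, and not Cygna Labs' product) that enumerates the explicit ACEs on every object under a search base, flags the high-risk rights discussed in "Find High Risk Permissions" (Full Control, WriteDacl, WriteOwner, unscoped write or extended rights), answers the "where does this user or group have rights?" question from the previous section, and writes a dated snapshot so the "who had what, when" question can be answered later by comparing collections. It assumes the RSAT ActiveDirectory module and read access to the directory; the search base `OU=Servers,DC=contoso,DC=com`, the principal `Helpdesk` and the output file name are placeholders.

```powershell
# Added example, not code from the original article or from Cygna Labs ESAD.
# Enumerates the explicit ACEs on every object under a search base, flags
# high-risk rights, and lets you ask "where does this principal have rights?".
# Assumes the RSAT ActiveDirectory module and read access to the directory;
# the search base, principal name and file path used below are placeholders.

Import-Module ActiveDirectory

# Integer flag values from [System.DirectoryServices.ActiveDirectoryRights].
$ADR           = [System.DirectoryServices.ActiveDirectoryRights]
$GenericAll    = [int]($ADR::GenericAll)
$WriteDacl     = [int]($ADR::WriteDacl)
$WriteOwner    = [int]($ADR::WriteOwner)
$WriteProperty = [int]($ADR::WriteProperty)
$ExtendedRight = [int]($ADR::ExtendedRight)

# Principals that amount to "anyone on the network". One of these holding a
# high-risk right is the mistake the article calls out (Everyone: Full Control).
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users', 'Domain Computers')

function Test-HighRiskRight {
    # $Rights is the ACE's ActiveDirectoryRights mask as an int; $ObjectType is the
    # GUID the ACE is scoped to (Guid.Empty means "all attributes / all rights").
    param([int]$Rights, [Guid]$ObjectType)

    if (($Rights -band $GenericAll) -eq $GenericAll) { return $true }  # full control
    if (($Rights -band $WriteDacl)  -ne 0)           { return $true }  # can grant itself anything
    if (($Rights -band $WriteOwner) -ne 0)           { return $true }  # take ownership, then rewrite the DACL
    # WriteProperty or ExtendedRight over every attribute / control access right.
    # A GUID-scoped ACE (one attribute or one control right) needs a schema lookup
    # to rate, so it is not flagged by this check on its own.
    if ($ObjectType -eq [Guid]::Empty -and
        (($Rights -band ($WriteProperty -bor $ExtendedRight)) -ne 0)) { return $true }
    return $false
}

function Get-ADAceReport {
    # One record per Allow ACE under $SearchBase. Inherited ACEs are skipped by
    # default so each grant is reported once, on the object where it was set.
    param(
        [Parameter(Mandatory)][string]$SearchBase,  # an OU or domain DN (assumption)
        [switch]$IncludeInherited
    )
    Get-ADObject -SearchBase $SearchBase -Filter * | ForEach-Object {
        $dn = $_.DistinguishedName
        # The AD: drive cannot address DNs containing '/'; those are reported and skipped.
        try   { $acl = Get-Acl -LiteralPath ("AD:\" + $dn) -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL of $dn : $_"; return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow')                     { continue }
            if ($ace.IsInherited -and -not $IncludeInherited.IsPresent) { continue }
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            [pscustomobject]@{
                Object         = $dn
                Principal      = $ace.IdentityReference.Value
                Rights         = $ace.ActiveDirectoryRights.ToString()
                ObjectType     = $ace.ObjectType
                Inherited      = $ace.IsInherited
                HighRisk       = Test-HighRiskRight -Rights ([int]$ace.ActiveDirectoryRights) -ObjectType $ace.ObjectType
                BroadPrincipal = ($BroadPrincipals -contains $name)
            }
        }
    }
}

# Usage (search base and principal are assumptions for this example):
$report = Get-ADAceReport -SearchBase 'OU=Servers,DC=contoso,DC=com'

# Q: Where are high-risk permissions set, and which of them go to a broad principal?
$report | Where-Object { $_.HighRisk -and $_.BroadPrincipal } |
    Format-Table Object, Principal, Rights -AutoSize

# Q: Where does a given user or group have rights?
$report | Where-Object { $_.Principal -like '*\Helpdesk' } |
    Format-Table Object, Rights, ObjectType -AutoSize

# Keep a dated snapshot so "who had what, when" can be answered later by
# comparing collections instead of relying on memory.
$report | Export-Csv -LiteralPath ("ad-aces-" + (Get-Date -Format 'yyyyMMdd') + ".csv") -NoTypeInformation
```

Two caveats a practitioner should keep in mind: the script reads the DACL as written, not effective permissions, so it does not account for group nesting or for Deny ACEs, and a per-attribute or per-control-right ACE (a non-empty ObjectType GUID) is deliberately left unrated because judging it requires mapping the GUID back to the schema attribute or extended right it names. Run it per OU rather than against the whole domain on a large directory, and diff successive CSV snapshots to see entitlement creep rather than re-reading the output by eye.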
Cygna Labs Entitlement and Security for Active Directory
Cygna Labs Entitlement and Security for Active Directory (ESAD) gathers and reports on AD entitlements and group membership. You can search and report on the latest collection or on a historical point-in-time collection. ESAD helps you harden your environment and answer the following:
• Where does a user or group have rights in the environment?
• Who is a member of this group, now and in the past?
• Where are high-risk permissions set in the environment?
• What permissions are set on this object?
Hardening reduces the likelihood of a successful attack and limits the impact of one that succeeds. In Part 2 we'll look at detection and protection.