Page 124 - Cyber Defense eMagazine September 2022
10. Monitor for unusual activity
You can’t secure what you can’t see! Monitoring is essential for understanding shifts in your security
posture and finding the earliest indicators of compromise. Consider these aspects when developing your
monitoring strategy:
• Implement a security information and event management (SIEM) solution with user and entity behavior analytics (UEBA) capabilities.
• Monitor privileged groups for membership changes.
• Watch for access control list (ACL) changes to sensitive objects.
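The last two items can be checked directly from a domain controller's Security log. The script below is an added example, not the author's or Semperis' code: it surfaces membership changes to well-known privileged groups (events 4728/4732/4756 for additions, 4729/4733/4757 for removals) and writes to nTSecurityDescriptor (event 5136, the ACL of an object) in the last N hours. It assumes event-log read rights on the DC, that "Audit Security Group Management" and "Audit Directory Service Changes" are enabled, and that sensitive objects carry a SACL for Write DAC; the group list uses the built-in default names and should be extended with your own delegated groups.

```powershell
# Added example (not from the article). Flags privileged-group membership changes
# and ACL (nTSecurityDescriptor) writes in a DC's Security log.
# Assumes: event-log read rights, group-management and DS-change auditing enabled,
# and a SACL on the sensitive objects so that 5136 is actually generated.
param(
    [string]$ComputerName = 'localhost',
    [int]$LookbackHours = 24
)

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators',
                      'DnsAdmins', 'Group Policy Creator Owners')
$Since = (Get-Date).AddHours(-$LookbackHours)

# Read one named field from the event's EventData XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Alerts = @()

# 1. Members added to / removed from security-enabled groups we consider privileged.
$GroupEvents = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4728,4729,4732,4733,4756,4757; StartTime = $Since }
foreach ($e in $GroupEvents) {
    $group = Get-EventField $e 'TargetUserName'   # the group being modified
    if ($PrivilegedGroups -contains $group) {
        $type = if ($e.Id -in @(4728, 4732, 4756)) { 'GroupMemberAdded' } else { 'GroupMemberRemoved' }
        $Alerts += [pscustomobject]@{
            Time = $e.TimeCreated; Type = $type; Object = $group
            Member = Get-EventField $e 'MemberName'; Actor = Get-EventField $e 'SubjectUserName'
        }
    }
}

# 2. Directory object modified: only keep writes to the security descriptor (the ACL).
$AclEvents = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since }
foreach ($e in $AclEvents) {
    if ((Get-EventField $e 'AttributeLDAPDisplayName') -eq 'nTSecurityDescriptor') {
        $Alerts += [pscustomobject]@{
            Time = $e.TimeCreated; Type = 'AclChanged'; Object = Get-EventField $e 'ObjectDN'
            Member = $null; Actor = Get-EventField $e 'SubjectUserName'
        }
    }
}

$Alerts | Sort-Object Time | Format-Table -AutoSize
```

Run it on a schedule and forward the resulting objects to the SIEM, where a UEBA rule can weigh them against the actor's normal behaviour; a change made by an account that never administers AD is the kind of early indicator this section is about.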
Prevention and the path to recovery
With these 10 actions, organizations of any size can significantly reduce their attack surface and protect
their Active Directory instances. Why is securing Active Directory so important? It’s central to establishing
and maintaining trust in your environment. It’s also central to attackers gaining control. Successful attacks
center on an attacker’s ability to steal AD credentials or compromise an AD account with malware. Once
they have that, they can escalate privileges to gain access to anything in your systems. Anything you can
do to prevent that access and ensure that you have a path to a faster recovery if something does happen
is well worth it.
One quick and painless way to assess your AD security stance is to download and run the free Purple
Knight utility. The tool doesn’t require any special permissions, giving you an “attacker’s view” of your
Active Directory—and any gaps that might admit malicious actors. You get an overall security score as
well as individual scores across several categories, including Kerberos, Group Policy, and account
security. Plus, Purple Knight returns a list of security indicators—both indicators of exposure and
indicators of compromise—so that you know where to focus efforts to beef up your defenses.
Anything you can do to prevent malicious access to AD and ensure that you have a path to a faster
recovery if something does happen is well worth the time spent.
About the Author
Sean Deuby brings 30 years’ experience in enterprise IT and hybrid identity to
his role as Director of Services at Semperis. An original architect and technical
leader of Intel’s Active Directory, Texas Instruments’ NT network, and 15-time
MVP alumnus, Sean has been involved with Microsoft identity since its
inception. Since then, his experience as an identity strategy consultant for many
Fortune 500 companies gives him a broad perspective on the challenges of
today’s identity-centered security. Sean is an industry journalism veteran; as
former technical director for Windows IT Pro, he has over 400 published articles
on AD, hybrid identity, and Windows Server. Sean can be reached online at [email protected],
@shorinsean and at https://www.semperis.com/.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.