Page 124 - Cyber Defense eMagazine September 2022

10. Monitor for unusual activity

            You can’t secure what you can’t see! Monitoring is essential for understanding shifts in your security
            posture and finding the earliest indicators of compromise. Consider these aspects when developing your
            monitoring strategy:

               •  Implement a security information and event management (SIEM) solution with user and entity
                   behavior analytics (UEBA) capabilities.
               •  Monitor privileged groups for membership changes.
               •  Watch for access control list (ACL) changes to sensitive objects.
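            As an added illustration of the last two items (not code from the article or from Semperis), the
            following Python triage pass runs over Windows Security log events and raises an alert for two
            signals: a member added to a privileged group (Event IDs 4728, 4732 and 4756 for global, local and
            universal security groups) and a write to the nTSecurityDescriptor attribute, i.e. an ACL change, on
            a sensitive directory object (Event ID 5136). Privileged groups are matched on the well-known RID at
            the end of the group SID rather than on the display name, so a renamed or localized group is still
            caught. The domain name, the distinguished names and the sample events are constructed for the
            example. Caveat: 5136 is only generated when the Directory Service Changes audit subcategory is
            enabled and the object carries a SACL that audits writes; the group events require the Security
            Group Management subcategory.

```python
from dataclasses import dataclass
from typing import Optional

# Well-known RIDs of groups whose membership is privileged by default (standard
# Windows values). Matching on the RID survives renames and localized names.
PRIVILEGED_GROUP_RIDS = {
    512: "Domain Admins", 516: "Domain Controllers", 518: "Schema Admins",
    519: "Enterprise Admins", 520: "Group Policy Creator Owners",
    526: "Key Admins", 527: "Enterprise Key Admins",
    544: "Administrators", 548: "Account Operators", 549: "Server Operators",
    550: "Print Operators", 551: "Backup Operators",
}

# Security log event IDs: member added to a security-enabled group (by scope),
# and "a directory service object was modified".
GROUP_MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
DS_OBJECT_MODIFIED = 5136
ACL_ATTRIBUTE = "ntsecuritydescriptor"  # attribute that carries an object's ACL

# Constructed example domain. Objects whose ACL should never change silently:
# the domain head (replication/DCSync rights are granted here), AdminSDHolder
# (ACL template for protected accounts) and the Domain Controllers OU.
DOMAIN_DN = "DC=corp,DC=example"
SENSITIVE_OBJECT_DNS = {
    dn.lower() for dn in (
        DOMAIN_DN,
        f"CN=AdminSDHolder,CN=System,{DOMAIN_DN}",
        f"OU=Domain Controllers,{DOMAIN_DN}",
    )
}


@dataclass
class Alert:
    event_id: int
    rule: str
    actor: str
    target: str
    detail: str


def privileged_group_name(sid: str) -> Optional[str]:
    """Return the canonical group name if the SID's RID is a privileged one."""
    try:
        rid = int(sid.rsplit("-", 1)[1])
    except (ValueError, IndexError):
        return None
    return PRIVILEGED_GROUP_RIDS.get(rid)


def triage_event(ev: dict) -> Optional[Alert]:
    """Apply the two rules to one event (fields named as in the Security log)."""
    eid = ev["EventID"]
    actor = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
    if eid in GROUP_MEMBER_ADDED:
        group = privileged_group_name(ev["TargetSid"])
        if group is None:
            return None  # ordinary group: baseline it with UEBA, do not page on it
        return Alert(eid, "privileged-group-membership-change", actor,
                     ev["TargetUserName"],
                     f"{ev['MemberName']} added to {group} "
                     f"({GROUP_MEMBER_ADDED[eid]} group)")
    if eid == DS_OBJECT_MODIFIED:
        if ev["AttributeLDAPDisplayName"].lower() != ACL_ATTRIBUTE:
            return None  # some other attribute changed, not the ACL
        if ev["ObjectDN"].lower() not in SENSITIVE_OBJECT_DNS:
            return None  # ACL changed on an object outside the watch list
        # OperationType %%14674 = value added, %%14675 = value deleted; a
        # security-descriptor rewrite is logged as a delete/add pair.
        op = "added" if ev.get("OperationType") == "%%14674" else "removed"
        return Alert(eid, "sensitive-object-acl-change", actor, ev["ObjectDN"],
                     f"nTSecurityDescriptor value {op} on {ev['ObjectClass']}")
    return None


def triage(events: list) -> list:
    """Return the alerts raised by a batch of events, in input order."""
    return [a for a in (triage_event(e) for e in events) if a is not None]


# Constructed sample events; only the fields the rules read are included.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "MemberName": f"CN=svc-backup,OU=Service Accounts,{DOMAIN_DN}",
     "TargetUserName": "Domain Admins", "TargetSid": "S-1-5-21-1111-2222-3333-512"},
    {"EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "MemberName": f"CN=asmith,OU=Users,{DOMAIN_DN}",
     "TargetUserName": "Marketing", "TargetSid": "S-1-5-21-1111-2222-3333-1201"},
    {"EventID": 5136, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectDN": f"CN=AdminSDHolder,CN=System,{DOMAIN_DN}", "ObjectClass": "container",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectDomainName": "CORP", "SubjectUserName": "hr-sync",
     "ObjectDN": f"CN=asmith,OU=Users,{DOMAIN_DN}", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
    {"EventID": 4732, "SubjectDomainName": "DC01", "SubjectUserName": "jdoe",
     "MemberName": f"CN=jdoe,OU=Users,{DOMAIN_DN}",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)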



            Prevention and the path to recovery

            With these 10 actions, organizations of any size can significantly reduce their attack surface and protect
            their Active Directory instances. Why is securing Active Directory so important? It is central to establishing
            and maintaining trust in your environment, and it is equally central to an attacker gaining control. Successful
            attacks hinge on the attacker's ability to steal AD credentials or compromise an AD account with malware. Once
            they have that foothold, they can escalate privileges to reach anything in your systems.

            One quick and painless way to assess your AD security stance is to download and run the free Purple
            Knight utility. The tool doesn’t require any special permissions, giving you an “attacker’s view” of your
            Active Directory—and any gaps that might admit malicious actors. You get an overall security score as
            well  as  individual  scores  across  several  categories,  including  Kerberos,  Group  Policy,  and  account
            security.  Plus,  Purple  Knight  returns  a  list  of  security  indicators—both  indicators  of  exposure  and
            indicators of compromise—so that you know where to focus efforts to beef up your defenses.

            Anything you can do to prevent malicious access to AD and ensure that you have a path to a faster
            recovery if something does happen is well worth the time spent.



            About the Author

            Sean Deuby brings 30 years' experience in enterprise IT and hybrid identity to his role as Director of
            Services at Semperis. An original architect and technical leader of Intel's Active Directory and Texas
            Instruments' NT network, and a 15-time MVP alumnus, Sean has been involved with Microsoft identity since its
            inception. Since then, his experience as an identity strategy consultant for many Fortune 500 companies has
            given him a broad perspective on the challenges of today's identity-centered security. Sean is an industry
            journalism veteran; as former technical director for Windows IT Pro, he has over 400 published articles on
            AD, hybrid identity, and Windows Server. Sean can be reached online at [email protected], @shorinsean and at
            https://www.semperis.com/.





            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.