In recent Incident Response engagements, Pondurance has seen a troubling trend: attackers are focusing on the domain controller as the source of compromise. Pondurance predicts that in 2021, domain controller compromises will become one of the primary focus areas for improving security across the industry, for governments, organizations, and businesses alike. While targeting domain controllers isn’t a new concept, knowing how to protect them in a focused way is still novel to many. Ransomware will lead the headlines in terms of quantity, but exfiltration and weaponization of intellectual property will become focus areas for many technology-based companies and those in the defense ecosystem.

Personally identifiable information (PII) will be widespread, and compromises involving PII will drive high fines and significant regulatory consequences. Pondurance has spent considerable time analyzing common attack patterns to detect events more quickly, shorten dwell time, and help mitigate negative outcomes. In doing so, we have noted that the common factor associated with the vast majority of large-scale, successful breaches, and with the breaches that have the biggest business impact, is compromise of the domain controller.

The most common way a domain controller is initially compromised is through security hygiene issues (i.e., unpatched systems, open ports, misconfigurations, stolen credentials, bad user behavior). However, we have recently seen more sophisticated and highly organized attacks break through even the most protected and advanced environments, and we expect this trend to continue. While compromising a domain controller is not the only route in, it is a common tactic attackers use to gain broad access quickly, whether the domain is a Microsoft Windows Active Directory domain or a non-Windows domain built on identity management software such as Samba or Red Hat FreeIPA.

We believe a compromised domain controller is by far the most common denominator in large-scale breaches and sophisticated cyberattacks. As this type of attack increases in frequency and evolves, it is critical that your organization stay aware of current attack patterns and of the steps you can take to reduce your exposure. By following key prevention steps and developing a detection and response plan, you can lower the probability of a successful cyberattack through your domain controller.

Read our latest whitepaper on protecting your domain controller: "The Domain Controller…An Achilles Heel".

Doug Howard

Chief executive officer | PONDURANCE

Doug has over 30 years of experience as a technology leader and innovator in security with a highly developed background in business development, mergers and acquisitions, operations, engineering, marketing, sales, and executive leadership. In his previous role at RSA as Vice President of Global Services and IT Innovation, he provided leadership support for RSA’s strategic vision and global operational execution, various Dell governance programs, and the mergers and acquisitions exit from Dell to STG.

A former member of the U.S. Air Force, Doug holds a bachelor’s degree in management and marketing from Strayer University.