One primary focus area for improving your cybersecurity posture should be the domain controller. Domain controller compromises affect governments, organizations, and businesses alike. Ransomware still leads the headlines in terms of quantity, but exfiltration and weaponization of intellectual property should also be a focus area for your organization, both to protect personally identifiable information (PII) and to avoid regulatory consequences such as hefty fines.
At Pondurance, we spend considerable time analyzing common attack patterns to better reduce compromise, shorten dwell time, and prevent damaging breaches for our clients. In doing so, we identified the common factors associated with most successful large-scale breaches, and the one with the biggest business impact is domain controller compromise. In this whitepaper, we analyze domain controller compromises, common techniques for unauthorized access, and tips for preventing an attack on your domain controller.
Prioritize the domain controller as a potential attack vector
A domain controller is a server that responds to security authentication requests and controls host access to domain resources. It authenticates users, stores user information, and enforces security policies for a domain.
From an overall business perspective, a relatively small investment in a strategy for domain controller security, together with ongoing monitoring and testing, may be some of the best dollars spent in your security program. When prioritizing assets, many overlook the domain controller as a critical asset, but in most cases, it should be at the top of the list. Several exploit paths contribute to the success of a compromise, often blurring the lines between conduit, condition, and cause. For example, business email compromise is still a leading exploit path for getting an attachment onto a user’s system.
Limited security awareness training is another factor that contributes to a number of system and data compromises, including unauthorized system access and ransomware. The root cause is also worth examining when considering how an attacker can broaden system access and deploy ransomware across an enterprise. That’s where the compromise of the domain controller comes into play. Completely eliminating unauthorized access and ransomware may not be an immediate reality, even with a hardened domain controller, but reducing or eliminating their spread within your organization can be the difference between a nuisance and a business-crippling situation.