In recent Incident Response engagements, Pondurance has seen a troubling trend as attackers focus on the domain controller as a source of compromise. Pondurance predicts that in 2021, domain controller compromises will become one of the primary focus areas for improving security for the industry and will include governments, organizations and businesses alike. While DC’s as a target isn’t a new concept, how to better protect them in a focused way is novel to many. Ransomware will lead the headlines in terms of quantity, but exfiltration and weaponization of intellectual property will become a focus area for many technology-based companies and those in the defense ecosystem.  

Personal Identifiable Information (PII) will be widespread and compromises here will drive high fines and significant regulatory consequences. Pondurance has spent considerable time analyzing common attack patterns to more quickly detect events, shorten dwell time and help mitigate negative outcomes. In doing so, we have noted the compelling common factor associated with the vast majority of large scale successful breaches and those with the biggest business impact is the compromise of the domain controller (DC).  

The most common way a controller is initially compromised is through security hygiene issues (i.e. unpatched systems, open ports, misconfigurations, stolen credentials, bad user behavior). However, we have recently seen more sophisticated and highly organized attacks to break through even the most protected and advanced environments and we expect this trend will continue. While compromising a DC is not the only way, it is a common tactic attackers use to quickly gain access, such as in the Microsoft Windows Active Directory Domain and non-Windows domain controllers established via identity management software such as Samba and Red Hat FreeIPA.   

We believe a compromised domain controller is by far the most common denominator related to large scale breaches and sophisticated cyber attacks. As the trend of this type of attack increases in frequency and evolves, it is critical that your organization stay aware of current attack patterns and steps you can take to reduce your exposure. By following key prevention steps and developing a detection and response plan, you can lower the probability of a successful cyber attack through your domain controller. 

Read our latest whitepaper on protecting your domain controller: The Domain Controller…An Achilles Heel

Doug Howard

Chief Executive Officer,


Doug has over thirty years of experience as a technology leader and innovator in security with a highly-developed background in business development, M&A, operations, engineering, marketing, sales, and executive leadership. In his previous role at RSA as Vice President of Global Services and IT Innovation, he provided leadership support for RSA’s strategic vision and global operational execution, various Dell Governance Programs and the M&A exit to STG from Dell.

Former member of the U.S. Air Force, Doug holds a Bachelor’s degree in Management and Marketing from Strayer University.

Sign Up for Our Communications