BrandView

Minutes are miles: Why automatic rollbacks are too slow to protect you


It’s an ordinary day for your business until you receive an alert. An attacker has gained access to your Active Directory. Now it’s time for a “response.” What will you do?

Some of the more popular services offer what they call a “rollback.” The sales pitch says they can revert “unwanted AD object and attribute changes in minutes.”

Are “minutes” fast enough? We don’t think so.

Anatomy of an attack

So what is an AD attack, anyway? It is a cyber attack that specifically targets a Windows Active Directory (AD) deployment. The attacker tries to gain unauthorized access to a network by exploiting weaknesses in AD, often by compromising user credentials or abusing weak security configurations to obtain elevated privileges and/or persistent access to the network.

In an AD attack, AD is simply the open door. Behind that door are your sensitive data and other systems. All an attacker needs to do to gain access to those resources is compromise AD. That’s why it’s a popular (and often effective) target.

Why automatic rollbacks are inadequate

With an AD attack, minutes are like miles. Even after a few seconds, an attacker could be deep into your system, effectively owning it. And once they’re in, there’s very little you can do to stop them. Simply by gaining access, they have the ability to make changes that will negate attempts to roll back and grant them access to your larger network. Worse, they can install back doors that you can’t close (assuming you can find them).

The real danger of an AD attack, though, lies in how AD handles authentication. It uses Kerberos, a 1980s-vintage authentication protocol that Microsoft adopted rather than designed, which exchanges encrypted requests to verify user identities. When you successfully authenticate to AD, Kerberos issues you a Ticket Granting Ticket (TGT), which essentially grants you permission to request additional tickets for specific network resources. Inside this TGT is an extension field that Microsoft uses to store a Privilege Attribute Certificate (PAC).* Every ticket you receive from Kerberos in AD contains this PAC.

What’s in the PAC, you ask? Well, it’s the old Windows “NT Token.” It contains the Security Identifier (SID) for your user, along with the SID of every group (including nested groups) that your user was a member of at the time of authentication. It essentially outlines what resources you’re authorized to access across the Active Directory domain, even resources in other domains or forests reached via trusts.

Here’s the kicker: TGTs last for 10 hours. This means that for those 10 hours, whatever access you had at the time of authentication is still yours, regardless of any changes made to AD after you logged on, whether through an “automated” rollback or because someone manually reversed the change. Once you’re granted a TGT, AD assumes you belong there for 10 whole hours.
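To make the TGT/PAC point concrete, here is a small Python model (added here; it is not the author's or Quest's code) of a KDC that snapshots group SIDs into the PAC at logon and copies that PAC into later service tickets, so a directory rollback minutes later does not touch tickets already issued. The user name, domain SID and timings are constructed; the 10-hour lifetime is the AD default the article cites.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# AD default "Maximum lifetime for user ticket": the 10 hours the article cites.
TGT_LIFETIME = timedelta(hours=10)
# Constructed sample SIDs; the domain part is made up, 512/513 are the well-known
# RIDs of Domain Admins / Domain Users.
DOMAIN = "S-1-5-21-1111-2222-3333"
DOMAIN_USERS, DOMAIN_ADMINS = f"{DOMAIN}-513", f"{DOMAIN}-512"

@dataclass(frozen=True)
class TGT:
    user: str
    issued: datetime
    pac_sids: frozenset  # group SIDs copied into the PAC at authentication time

    def expires(self) -> datetime:
        return self.issued + TGT_LIFETIME

def issue_tgt(directory: dict, user: str, now: datetime) -> TGT:
    """Model of the KDC at logon: the PAC is a snapshot of group membership."""
    return TGT(user, now, frozenset(directory[user]))

def service_ticket_sids(tgt: TGT, now: datetime) -> frozenset:
    """Model of a TGS request: the PAC is copied from the TGT, not re-read from AD."""
    if not tgt.issued <= now < tgt.expires():
        raise PermissionError("TGT expired; the user must re-authenticate")
    return tgt.pac_sids

def tainted_tgts(tgts, attack_time, rollback_time, sid=DOMAIN_ADMINS):
    """Tickets issued between the malicious change and its rollback keep the
    injected SID until expiry; responders should treat them as live access."""
    return [t for t in tgts if attack_time <= t.issued < rollback_time and sid in t.pac_sids]

def scenario() -> dict:
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    directory = {"mallory": {DOMAIN_USERS, DOMAIN_ADMINS}}  # t0: membership injected
    tgt = issue_tgt(directory, "mallory", t0 + timedelta(seconds=5))  # logon 5 s later
    rollback_at = t0 + timedelta(minutes=3)  # "minutes" later the rollback reverts AD
    directory["mallory"].discard(DOMAIN_ADMINS)
    later = rollback_at + timedelta(hours=1)  # an hour after the rollback...
    return {
        "directory_has_da": DOMAIN_ADMINS in directory["mallory"],  # False
        "ticket_has_da": DOMAIN_ADMINS in service_ticket_sids(tgt, later),  # True
        "exposure_ends": tgt.expires(),  # 19:00:05, ten hours after logon
        "tainted": tainted_tgts([tgt], t0, rollback_at),  # [tgt]
    }

if __name__ == "__main__":
    print(scenario())
```

The `tainted_tgts` helper is the responder's view: any ticket issued inside the attack-to-rollback window must be assumed to carry the injected privilege until it expires, whatever the directory now says.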

This type of attack can be automated and really just takes seconds. You need protection, not rollback.

Protection, not response

When it comes to cyber threats, protection is better than response. Get your environment hardened with expert advice. Security Guardian identifies where AD is exposed so you can protect the changes that could lead to compromise. This avoids the challenges of relying on rollbacks because, ultimately, rollbacks are too late.

Let’s get something else clear. Both protection and automated rollback have one thing in common: You must identify the types of changes you want to protect or roll back before they happen. Automated rollback doesn’t give you a crystal ball to see what will happen in the future, and neither does protection. And you can’t just willy-nilly roll back or protect every possible change or you’ll bring legitimate changes that are required for your business to function to a halt. That’s no good. You need to choose ahead of time.

This is why the Security Guardian suite is superior: SG brings deep knowledge of the exploits advanced threat actors use and can prevent those changes from ever happening while still allowing normal changes across the board. Further, Security Guardian integrates with our Change Auditor, so you can monitor and secure AD even if you have not yet adopted Entra ID, which can double the attack surface and introduce additional opportunities for exploits.

Combined, these two tools provide effective defense in depth for AD, allowing you to monitor changes and key user activity for any signs of a breach before it’s too late.

Written by Brian Hymer, GRC Solutions Architect at Quest Software.

* Kerberos v5 and higher contain this field extension; Microsoft just takes advantage of it.
