Conversational Hybrid AD Security Detection & Alerting

Keeping Watch on Hybrid AD Security

If you're like most organizations, your AD environment either is, or soon will be, a hybrid AD environment. That is, you utilize the Azure AD connector and sync AD up into Azure AD for use either by applications hosted in Azure, or by Office 365.

As pointed out in Conversational Hybrid Active Directory Security, the "parent" to this book, by extending your AD out beyond the logical "walls" of the organization, and into the cloud, you also increase the risk of misuse of AD accounts and both the on-prem and cloud-based resources they can access.

The security of such a hybrid AD environment requires constant watch over inappropriate access, misuse of accounts, and any kinds of changes made to your on-premises AD that may assist an attacker (whether external or an insider) in finding and exfiltrating sensitive or critical data.

Which brings me to the title of this book – particularly the part about detection & alerting. If you don't have any kind of proactive detection of improper actions taken in AD or Azure AD, nor a means of alerting you to when they occur, you're managing your AD/AAD environment with blinders on. Think about it – not only are you unaware when potentially bad things are happening, but, even worse, you're not even making an effort to be vigilant!

Now, for some of you, it simply may be too overwhelming - there are countless actions to monitor that each correspond to multiple events, making it difficult at best to even start. So, like the cartoon above, you simply stick your head in the proverbial sand and hope everything's ok.

But, in reality, your AD is not ok.

Unrecorded changes are being made daily that potentially impact the security of your AD environment. Changes to group memberships, delegated AD permissions, passwords, and more – all without you being any the wiser.

So, what's needed is a two-fold strategy where you first define the kinds of actions you deem inappropriate, actions that may indicate a change to the current state of security (and, therefore, need to be detected), and then strategically set up alerting of the proper staff of said detection.

But with so much data that can be generated from changes made in AD, it's reasonable to ask what should you be watching for and be alerted to?

In an effort to do away with the activity noise and focus on ensuring the security of your hybrid AD, let's organize the activity you should be monitoring into four categories:

  1. Changes to critical objects
  2. Changes to access
  3. Changes to policy
  4. Changes that may indicate an active threat

I'll walk you through each just a bit to provide some insight into the kinds of specific actions you need to be detecting.

1. Changes to Critical Objects

Let's start by breaking this one down into two questions – What's considered a critical object? and Which changes should you detect?

What defines a critical object varies among organizations. Sure, there's the administrator account and the various "Admins" groups in AD you definitely need to keep an eye on. But beyond that, what's "critical"?

Here's a short list of the objects you should be detecting changes to:

  • Administrator
  • Domain / Enterprise / Schema Admins groups (and nested group members)
  • Groups given permissions to financial data, intellectual property, personnel information, and any other data of external value (e.g. customer lists, credit cards) – and don't forget nested groups!
  • High-profile user accounts of users with influence in the company

While not comprehensive, the list above does cover a lot of ground. As to the issue of what kinds of changes should be detected, the answer depends on the type of object:

  • User Objects – Focus detection efforts on changes to passwords, password settings, enabled/disabled values, group memberships, SIDHistory, and attributes related to any kind of SSO/IAM/MFA solution.
  • Group Objects – Detection should revolve around changes to group membership, changes to the Managed By value and the "Manager can update membership list" setting, and nesting of groups.

2. Changes to Access

Cyber attackers don't just take the quick and easy route, hoping to luck out and gain access to a domain admin account. They believe in the slow and steady game, where they will gain entry through even a low-level account and work their way up to as much elevated access as possible. Part of this process can include delegating access to objects in AD as a means to potentially elevate another compromised account or to compromise another endpoint.

So, what access changes should you be detecting?

Focus your detection efforts on permission changes to the following objects:

  • Any of the critical objects previously mentioned
  • Domain Controllers OU
  • Organizational Units, in general
  • Group Objects (both Security and Distribution)
  • Mailboxes (whether on-prem or in Office 365)

While these changes on their own aren't necessarily threatening to the organization, each change has the potential to facilitate further actions (such as changing a user's password, or adding a user to a group with access to intellectual property) that definitely are a threat.

3. Changes to Policies

Changes to policies can be an effective stepping stone for attackers to gain control over yet another account or endpoint on the network.

This is why you need to be detecting changes to any kind of policy that may impact security, no matter how benign it may appear to be. You should be detecting changes to:

  • GPOs – Particularly the Default Domain Policy, the Default Domain Controllers Policy, and any policy that impacts a material portion of the organization
  • Event auditing settings within GPOs
  • Password policies
  • Account lockout policies
  • User Rights Assignment settings (both logon rights and privileges)

Like changes to access, these types of changes are necessary steps in the quest to gain access to needed applications, systems, and data.

4. Changes that (may) Indicate an Active Threat

Nearly all of the previously mentioned changes to be detected are leading indicators of a potential threat.

That reset of the CEO's password may just be the CEO asking IT to reset it. But there are actions that are far more suspicious that require you to err on the side of "it just might be a threat". These include:

  • Creation of multiple consecutive new accounts (whether in AD, AAD, or in Office 365), especially after hours
  • Changes made directly to AAD (when you're doing a one-way Dirsync from your on-prem AD)
  • Logons outside of normal working hours
  • Correlated suspicious actions (such as the same account logging onto multiple servers within a short timeframe)

Each of these can, like the CEO password, just be someone in IT doing their job. But, given that we're talking about actions that are out of band, these require immediate attention.

Those last two in the list may require a third-party solution that provides some level of analysis to identify when an action should be considered suspicious.
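As an added illustration of categories 1 and 4 above (this is example code, not part of the original book or of any Quest product), the detection logic below runs over a handful of constructed Windows Security-log events: it flags membership changes to the admin groups listed under Critical Objects, a burst of account creations after hours, and one account logging on to several servers within a short window. The event IDs are the standard Windows ones; the business-hours range, the window sizes and the thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample Security-log events (not from the page): (timestamp, event_id, actor, target, host).
# Standard Windows event IDs: 4728 = member added to security-enabled global group,
# 4720 = user account created, 4624 = successful logon.
def ev(t, *rest):
    return (datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), *rest)

EVENTS = [
    ev("2024-03-04 14:02:10", 4728, "jsmith", "Domain Admins", "DC01"),
    ev("2024-03-04 14:05:00", 4728, "jsmith", "Marketing", "DC01"),
    ev("2024-03-04 23:10:00", 4720, "svc_backup", "tmp01", "DC01"),
    ev("2024-03-04 23:11:30", 4720, "svc_backup", "tmp02", "DC01"),
    ev("2024-03-04 23:12:45", 4720, "svc_backup", "tmp03", "DC01"),
    ev("2024-03-04 09:00:00", 4624, "jsmith", "jsmith", "FS01"),
    ev("2024-03-04 09:01:00", 4624, "jsmith", "jsmith", "FS02"),
    ev("2024-03-04 09:02:30", 4624, "jsmith", "jsmith", "SQL01"),
]
CRITICAL_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
BUSINESS_HOURS = range(8, 18)  # assumed working day 08:00-17:59, DC local time

def critical_group_changes(events):
    """Category 1: a member was added to one of the admin groups the text lists."""
    return [(a, g) for _, eid, a, g, _ in events if eid == 4728 and g in CRITICAL_GROUPS]

def burst_by_actor(records, n, window):
    """Actors with >= n distinct values (accounts, hosts) inside any sliding time window."""
    by_actor = defaultdict(list)
    for ts, actor, value in records:
        by_actor[actor].append((ts, value))
    hits = {}
    for actor, items in by_actor.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            vals = {v for ts, v in items[i:] if ts - start <= window}
            if len(vals) >= n:
                hits[actor] = sorted(vals)
                break
    return hits

def after_hours_account_bursts(events, n=3, window=timedelta(minutes=10)):
    """Category 4: several new accounts created in a short window outside working hours."""
    recs = [(ts, a, u) for ts, eid, a, u, _ in events
            if eid == 4720 and ts.hour not in BUSINESS_HOURS]
    return burst_by_actor(recs, n, window)

def multi_server_logons(events, n=3, window=timedelta(minutes=5)):
    """Category 4: one account logging on to n different servers within the window."""
    recs = [(ts, a, h) for ts, eid, a, _, h in events if eid == 4624]
    return burst_by_actor(recs, n, window)
```

In the sample data the Marketing group change is ignored, while the Domain Admins change, the three after-hours creations by svc_backup and jsmith's three server logons inside five minutes are each reported.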

What About Alerting?

So, most of this book has been focused squarely on what changes need to be monitored for and detected when they occur. But if no one is ever notified, does it even matter?

Alerting is a necessary part of the detection process. And it's much more than just sending an email.

Alerting should provide as close to "real-time" notification as possible. Typical approaches include SIEM solutions that assimilate lots of disparate log sources and quickly provide alerting. But this method can generate a lot of alert "noise" based on basic criteria. Instead, alerting should leverage intelligence that provides context, insight and guidance - from sources both inside and outside Hybrid AD – as to what the core issue really is… and what to do about it.

The Big Takeaways

With AD (and, therefore, AAD) constantly changing, without keeping a watchful eye on each and every change, it's impossible to know when inappropriate activity occurs. That's why you need to, pretty much, be watching everything.

And since we all know that's impossible as well, I've attempted to outline at least some of the changes in your hybrid AD environment to watch out for.

By putting some of this in place – whether using native tools, or a more powerful third-party solution – you'll at least be in a place where you know when potentially bad things may be happening… and can do something about it.

Quest: Masters of Detection

Knowing how to spot just the right change is no easy feat; a deep understanding of events generated and how to interpret them makes all the difference.

Quest Change Auditor enables you to audit, alert, and report on all changes made to Active Directory, Azure AD, Exchange, Office 365, Windows Server, SQL Servers, as well as LDAP queries against AD, and more – all in real time and without enabling native auditing.

Quest Change Auditor Threat Detection proactively detects threats by modeling normal user behavior patterns and looking for abnormal activity.

Quest InTrust is an event log management (ELM) solution that consolidates log data from a myriad of sources, looking for changes found in the log data, and alerting IT when specific events are found. The benefit of InTrust is an ability to consolidate not just AD data, but also logs from other sources that can be used to provide further context around suspect events.

With visibility into changes made on-premises or in the cloud, Quest solutions provide correlated detection and alerting across all of your hybrid AD and Windows environments. And having the ability to correlate disparate IT data from numerous systems and devices into an interactive search engine means faster incident response time and easier forensic analysis, if and when something should occur.