In today’s interconnected world, the protection of information systems has become an absolute priority for companies, regardless of their size.
At the heart of this security battle is Active Directory (AD). This is the Microsoft directory through which most organizations manage user identities and control access to resources.
In the context of constantly evolving threats, ensuring a high level of security for your Active Directory is no easy task. New user accounts, role changes, and changes in IT teams add to the complex dynamics of AD, making securing it a constant challenge.
What services are typically included in an AD MSSP?
An Active Directory Managed Security Service Provider (AD MSSP) relies on tools designed to analyze the configuration and security of Active Directory and to detect attacks against it.
This type of offering often begins with an initial remediation pass based on the findings of those analysis tools. Some AD MSSPs also offer to implement an AD security model, including AD tiering and Group Policies (GPOs) that harden the configuration of domain member machines.
The second mission of the AD MSSP is to detect attacks targeting Active Directory (Kerberoasting, AS-REP Roasting, DCSync, DCShadow, Kerberos Pass-the-Ticket) and to alert on deviations from the expected Active Directory configuration. All of this Active Directory monitoring is done in real time and allows for continuous remediation when needed.
Implement and maintain Active Directory configuration and security analysis tools
The AD MSSP service typically uses tools such as CrowdStrike Falcon Identity Protection, Microsoft Defender for Identity, PingCastle Enterprise, SentinelOne Singularity Ranger AD, Semperis Purple Knight, Semperis DSP, and Tenable Identity Exposure. They allow you to analyze the security configuration of your Active Directory periodically or continuously, depending on the tool used.
Regular scans (real-time for some tools) provide a clear view of AD’s security status, allowing potential vulnerabilities to be quickly identified and addressed before they are exploited by malicious actors.
More importantly, these audits help identify and respond to new threats that may arise in the Active Directory lifecycle.
Initial and ongoing remediation of Active Directory
Active Directory configuration is always evolving. The creation of new user accounts, the delegation of permissions to service accounts for a new business application, the departure and arrival of new Active Directory administrators are all reasons that make AD dynamic and complex to secure.
As a result, an AD directory that is well protected at time T can very quickly become vulnerable at T+1. It is therefore important to define an initial action plan to protect the directory, and to review and update that plan periodically.
Subscribing to an MSSP AD offer allows you to remediate Active Directory vulnerabilities in real time.
Implement a custom AD security model
It is possible to protect Active Directory using security models such as those from ANSSI, from Microsoft (Red Forest) or from the Harden community (Harden AD). The latter is based on a model with 5 AD levels and more than ninety protected GPOs. It also provides a complete rights-delegation system and best practices for compliance.
However, there is no guarantee that all of these security measures will continue in the months or years after the model is deployed.
One possible deviation from the model is adding accounts to the Domain Admins group. This change is prohibited except for the break-glass ("icebreaker") account.
Another example: adding an account directly to the Enterprise Admins group bypasses the logon restrictions and AD tiering strategies that are at the heart of the model.
Each of these discrepancies could indicate an attempted attack or a configuration error that could be used to compromise the company's information system. Active monitoring of such deviations is therefore essential.
Detect configuration inconsistencies with the AD security model and raise an alert at your SOC: where the AD security model meets the AD MSSP
With specialized tools and deep expertise, AD MSSPs are able to quickly discover these gaps with the AD security model. This continuous monitoring ensures that any deviation from established security practices is quickly corrected, thereby strengthening the organization’s security posture over time.
This therefore creates a very strong complementarity between the AD security model used to significantly strengthen the security level at a point in time and the AD MSSP solution to maintain that security level over time.
The ability to detect AD-targeted attacks and generate an alert at your SOC level: beyond prevention
AD security models like that of ANSSI or the Harden AD community, for example, are designed to protect administrative accounts and prevent inappropriate configurations. However, in an environment where attacks can occur at any time and in various forms, simple prevention is no longer sufficient.
The ability to detect attacks targeting Active Directory such as Kerberoasting, AS-REP Roasting, DCSYNC, DCSHADOW, Kerberos Pass The Ticket in real time therefore becomes a crucial element of the security strategy.
AD MSSPs use tools such as CrowdStrike Falcon Identity Protection, Microsoft Defender for Identity, SentinelOne Singularity Ranger AD Protect, and Tenable Identity Exposure (formerly Tenable.ad).
The latter excels at this kind of detection: it specifically monitors the Kerberos and LDAP protocols, and also watches for suspicious activity in AD that may be an early warning sign of an attack.
For example, a sudden increase in account deletions or an unexpected addition of a user to a sensitive group can trigger an alert, allowing security teams to intervene quickly. This proactive approach complements preventative measures in place, providing an additional layer of security needed to protect company resources.
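As an added example that is not part of the original article (nor the code of any vendor named here), the following Python shows the two kinds of model deviation described above, an unexpected addition to a sensitive group that is not the break-glass account, and a burst of account deletions, as detection logic run over constructed Windows Security event records. The record shape, the sensitive group list, the break-glass account name and the thresholds are illustrative assumptions; the event IDs are the standard Windows ones for group-membership additions (4728/4732/4756) and user deletion (4726).

```python
from collections import deque

# Assumed detection parameters (tune to the organization's own AD security model).
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
BREAK_GLASS_ACCOUNTS = {"breakglass-admin"}   # assumed name of the one allowed break-glass account
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}      # member added to a global / local / universal group
USER_DELETED_EVENT_ID = 4726
DELETE_BURST_THRESHOLD = 5                    # deletions inside the window that count as a burst
DELETE_WINDOW_SECONDS = 600

def check_sensitive_group_add(event):
    """Alert on any addition to a sensitive group unless the member is the break-glass account."""
    if event["event_id"] not in GROUP_ADD_EVENT_IDS or event["group"] not in SENSITIVE_GROUPS:
        return None
    if event["member"] in BREAK_GLASS_ACCOUNTS:
        return None
    return f"SENSITIVE_GROUP_ADD: {event['member']} added to '{event['group']}' by {event['subject']}"

class DeletionBurstDetector:
    """Sliding-window counter: alerts once when deletions within the window reach the threshold."""
    def __init__(self, threshold=DELETE_BURST_THRESHOLD, window=DELETE_WINDOW_SECONDS):
        self.threshold, self.window, self.times, self.alerted = threshold, window, deque(), False

    def observe(self, event):
        if event["event_id"] != USER_DELETED_EVENT_ID:
            return None
        self.times.append(event["time"])
        while self.times and event["time"] - self.times[0] > self.window:
            self.times.popleft()               # drop deletions that fell out of the window
        if len(self.times) >= self.threshold and not self.alerted:
            self.alerted = True
            return f"DELETION_BURST: {len(self.times)} accounts deleted within {self.window}s"
        return None

def analyze(events):
    """Run both detectors over the events in time order and return the alerts raised."""
    burst, alerts = DeletionBurstDetector(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        for alert in (check_sensitive_group_add(ev), burst.observe(ev)):
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample: one allowed break-glass add, one unexpected add, one harmless add, five deletions.
SAMPLE_EVENTS = [
    {"event_id": 4728, "time": 1000, "group": "Domain Admins", "member": "breakglass-admin", "subject": "t0-admin"},
    {"event_id": 4756, "time": 1100, "group": "Enterprise Admins", "member": "svc-backup", "subject": "helpdesk01"},
    {"event_id": 4728, "time": 1200, "group": "Marketing", "member": "jdoe", "subject": "helpdesk01"},
] + [{"event_id": 4726, "time": 2000 + i * 30, "member": f"user{i}", "subject": "helpdesk01"} for i in range(5)]
```

Running `analyze(SAMPLE_EVENTS)` yields exactly two alerts: the svc-backup addition to Enterprise Admins and the deletion burst; the break-glass addition and the Marketing group change stay silent.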
In an ever-changing security landscape, Active Directory represents both a valuable asset and a potential point of vulnerability for businesses.
Beyond securing it once, the challenge is therefore to maintain a good level of security over the long term. Adopting an AD MSSP service is a strategic step toward effective, ongoing management and protection of your Active Directory.