Five Eyes Alliance Agencies Provide Guidance on Protecting Active Directory from Intrusions

• The agencies that are part of the Five Eyes Alliance released a document that addresses potential Microsoft Active Directory issues.
• The document tackles Active Directory vulnerabilities and common attack techniques, as well as mitigation strategies.
• Detection and response are also included in the document the five agencies released.

The Five Eyes intelligence alliance released a comprehensive guidance document (PDF) addressing the security challenges associated with Microsoft Active Directory, which is a key authentication and authorization solution for enterprises.

The agencies have outlined techniques used by threat actors to exploit it and offered detailed recommendations for mitigation. Also, securing privileged access is paramount, and the guidance recommends employing a tiered model, such as Microsoft’s Enterprise Access Model.

This model ensures that higher-tier users are not exposed to lower-tier systems, thereby securing privileged access pathways and enforcing proper control hierarchies.

The default settings and complex relationships inherent to Active Directory make it susceptible to attacks. Threat actors often exploit these vulnerabilities to gain control over enterprise networks, which can result in significant damage and necessitate costly recovery efforts.

The document identifies prevalent methods of compromise, including Kerberoasting, AS-REP roasting, password spraying, and MachineAccountQuota compromise. Advanced techniques like Golden Ticket, Silver Ticket, and Golden SAML also pose significant threats.

Detecting Active Directory compromises remains challenging due to the legitimate nature of many exploited functionalities. An effective detection method mentioned is the use of canary objects within AD, which can identify compromises directly rather than relying on event log correlations.

The guidance emphasizes that implementing these measures can significantly disrupt common attack vectors, forcing malicious actors to adopt more complex and detectable tactics. For organizations, enhancing their Active Directory security posture is not only about immediate protection but also about ensuring long-term resilience against evolving cyber threats.

The Five Eyes Alliance consists of the U.S., the U.K., Canada, New Zealand, and Australia, which are under an agreement to share signals intelligence (SIGINT) with each other. This can include communication intelligence (Internet activity, emails, text messages, and phone calls) and electronic intelligence (signals from surface-to-air missile systems and radars). The idea of Five Eyes Plus has also been introduced in recent years.