Protect Your Active Directory: Keep Your Data Secure and Stay DFARS/NIST Compliant
As cybercrime becomes increasingly sophisticated, more prevalent and more capable of untold damage, organizations (potential targets and victims) are becoming more proactive. Cybersecurity is quickly becoming a top priority, and businesses are evolving their Active Directory (AD) ecosystems to manage cyber risks proactively rather than be left vulnerable to ever-evolving threats. Recently, the DoD imposed additional requirements on defense contractors (and subcontractors) that process, store or transmit defense information. As of December 31, 2017, all defense contractors and subcontractors, regardless of size, that process, store, or transmit covered defense information must demonstrate compliance with DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting Supplement,” and NIST (National Institute of Standards and Technology) SP 800-171. Miss any of these and you will not be compliant. If you’re not compliant, you are at risk of incurring penalties and losing business with the federal government. Even if you don’t handle CDI/CUI, you must still get an exception from the DoD, and may still need to comply with some parts of NIST 800-171.
Your organization’s Active Directory (AD) is the supreme tool for ensuring compliance. Hence, protecting your AD is now more critical and essential than ever. Your domain controller (a server running Active Directory Domain Services, AD DS) essentially represents the “keys to the kingdom,” enabling centralized, secure management of an entire network, regardless of size. As daily news reports reveal, no organization with any kind of information technology (IT) infrastructure is immune from attack.
The first step in preventing an attack on AD is to make sure that you gain visibility into, and the ability to audit, all activities happening in AD. Perhaps first and foremost is to be vigilant in managing your delegations. Under NIST SP 800-171, 3.1.2, to be compliant requires that you “limit information system access to the types of transactions and functions that authorized users are permitted to execute.” Who in your organization has control? Who has privileged access? If an attacker can gain access to a privileged account, he has access to useful information from which he can create a blueprint of your environment.
Additionally, in 3.1.2 you are required to “limit information system access to the types of transactions and functions that authorized users are permitted to execute.” That means your system administrator is the only person authorized to modify settings and adjust users’ access to various files and documents. Infrastructure components, specific accounts, and server components are typically the primary targets of attacks against Active Directory, including permanently privileged accounts, VIP accounts, privilege-attached AD accounts, and domain controllers. The system administrator will “prevent non-privileged users from executing privileged functions and audit the execution of such functions” (3.1.7). Your Managed Service Provider (MSP) should examine and validate access rights and privileges during their annual audit.
To meet compliance requirements, proactive and preventative measures for securing Active Directory include automatically terminating a user’s session once it has been inactive for a specified period of time and requiring two (or more) forms of authentication to re-activate the session. Section 3.1.11 states this as “terminate (automatically) a user session after a defined condition.”
Use your AD to “monitor and control remote access sessions” (3.1.12). It will help control which users access your network remotely for troubleshooting and support purposes. Your organization can consent to permit the MSP or system administrator to access the system remotely. This should require a username, a password, and two-step or multi-factor authentication. Sharing of credentials amongst employees should not be allowed; the resulting implications could be disastrous.
Under NIST guidance 3.3.2 you are to “ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.” This means that a user’s actions on the network can be uniquely correlated across the various logs (e.g., firewall logs, system/event logs, etc.) on each workstation and server. This should also include processes or devices acting on the user’s behalf, as stated in section 3.5.1: “Identify information system users, processes acting on behalf of users, or devices.” This can be accomplished by identifying all information system users, processes, and devices with a user ID and password, as well as a Microsoft two-factor authentication (MS 2FA) mechanism.
Auditing is another essential component of your overall cybersecurity framework and strategy. With regard to AD, it’s important to know not just who is logging in, but what is being done and how AD is being used once they are in. Potential threats can exist in your environment for months prior to a cyberattack, and your audit logs will help alert you to any suspicious activity. Audit logs track access to applications, services and non-Windows devices.
NIST SP 800-171 mandates in section 3.3.1 that organizations “create, protect, and retain organizational information system audit records, to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activities.”
Your MSP should perform a regularly scheduled audit, preferably bi-annually, that covers your organization’s internal information systems as well as other security settings and configurations. You are also required to “review and update audited events” (3.3.3). Any discrepancies revealed by the log monitoring platform should be investigated and addressed by your MSP, who will also alert system administrators with security responsibilities should an audit processing failure occur, as required in section 3.3.4, “alert in the event of an audit process failure.” Section 3.3.5 requires that you “correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.”
Your log monitoring platform should be capable of storing all combined logs in an electronic format (so they can be reviewed digitally), providing audit reduction, and generating reports on demand (as needed for audit review, analysis, reporting requirements, and after-the-fact security investigations), in order to comply with 3.3.6: “Provide audit reduction and report generation to support on-demand analysis and reporting.”
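As an added illustration of the 3.3.4 and 3.3.5 requirements above (not code from the original article), the following script triages a constructed export of Windows Security events: it raises an alert when the audit trail itself is cleared or the audit policy is changed, and it flags membership changes to privileged AD groups made by accounts that are not on an approved list. The group names, account names and event export are sample values chosen here; adjust them to your own forest.

```python
"""Triage of exported Windows Security events for the AD auditing controls above."""
import csv
import io

# Privileged groups whose membership changes must be reviewed (adjust to your forest).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Accounts approved to change privileged group membership (constructed sample values).
APPROVED_ADMINS = {"CORP\\svc-iam", "CORP\\jdoe-adm"}
# Windows event IDs: member added to a security-enabled global/local/universal group.
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}
# Audit-subsystem events that indicate the audit trail itself was altered (3.3.4).
AUDIT_FAILURE_EVENTS = {"1102": "audit log cleared", "4719": "audit policy changed"}

# Constructed sample export with CSV columns as one might produce them from the
# Security log; these are not real events.
SAMPLE_EXPORT = """TimeCreated,EventID,SubjectAccount,TargetGroup
2018-01-15T09:02:11,4624,CORP\\jdoe,
2018-01-15T09:05:43,4728,CORP\\svc-iam,Domain Admins
2018-01-15T09:07:02,4728,CORP\\contractor7,Domain Admins
2018-01-15T09:07:30,4732,CORP\\contractor7,Remote Desktop Users
2018-01-15T09:09:15,1102,CORP\\contractor7,
2018-01-15T09:10:00,4719,CORP\\svc-iam,
"""


def triage(export_text):
    """Return (alerts, findings): alerts for audit-process failures (3.3.4) and
    findings for privileged-membership changes, marked approved or not (3.3.5)."""
    alerts, findings = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        eid, actor, group = row["EventID"], row["SubjectAccount"], row["TargetGroup"]
        if eid in AUDIT_FAILURE_EVENTS:
            alerts.append((row["TimeCreated"], actor, AUDIT_FAILURE_EVENTS[eid]))
        elif eid in GROUP_ADD_EVENTS and group in PRIVILEGED_GROUPS:
            findings.append({"time": row["TimeCreated"], "actor": actor,
                             "group": group, "approved": actor in APPROVED_ADMINS})
    return alerts, findings


def unapproved_actors(findings):
    """Actors who changed privileged group membership without being on the approved list."""
    return sorted({f["actor"] for f in findings if not f["approved"]})


if __name__ == "__main__":
    alerts, findings = triage(SAMPLE_EXPORT)
    for when, actor, what in alerts:
        print(f"ALERT {when} {what} by {actor}")
    for actor in unapproved_actors(findings):
        print(f"REVIEW unapproved privileged group change by {actor}")
```

In the sample, the unapproved actor's addition to Domain Admins is followed minutes later by the audit log being cleared; correlating those two records is exactly the kind of review 3.3.5 asks for.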
Should you need to report a suspected “cyber incident,” NIST SP 800-171’s Incident Response section (3.6) provides details as to how your organization should handle the event. 3.6.1 requires that you “establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.” The incident must be reported to the DoD at https://dibnet.dod.mil within 72 hours of discovery, as well as to the prime contractor (if applicable) “as soon as practicable.”
Adequately mitigating risks to AD, to safeguard and prevent compromise of your organization’s information, is a crucial step toward preventing a data breach and the resulting disruption and potentially colossal damage. While attacks may be increasing in sophistication, adhering to and maintaining the high security standards defined in DFARS “Safeguarding Covered Defense Information and Cyber Incident Reporting Supplement” and NIST (National Institute of Standards and Technology) SP 800-171 will keep you in compliance.