The FBI has released FBI Flash CU-000167-MW warning that the BlackCat/ALPHV ransomware-as-a-service (RaaS) group has compromised at least 60 entities globally. As with the majority of cyberattacks, BlackCat/ALPHV’s end game is an Active Directory attack.

Top on the FBI’s list of recommended mitigations is reviewing your Active Directory environment for unrecognized user accounts and other indicators of compromise. Auditing and hardening permissions and implementing an Active Directory recovery plan are also vital steps on the list.

Does your organization have robust protection to cover all three stages of the Active Directory attack cycle—before, during, and after a cyberattack? One great starting point: Download and run the free Purple Knight Active Directory security assessment tool to uncover security gaps and prioritize corrective actions. We’ve also assembled a quick resource list for more information about some of the exploits common to this type of cyberattack—and steps you can take to strengthen your identity security posture.

Discover Active Directory vulnerabilities

Finding and fixing Active Directory vulnerabilities is challenging because of the complexities of legacy environments, the sheer number of settings, and the expanding threat landscape. Check out these resources from our identity security experts to start closing AD security gaps:

Learn more about lateral movement and escalation of authentication and permissions flaws in Do You Know Your Active Directory Security Vulnerabilities?
Discover how attackers exploit Group Policy, how to monitor Active Directory for malicious changes, and how to develop a proactive recovery plan in How to Defend Against Active Directory Attacks That Leave No Trace.
Read about RaaS behavior as deployed by Darkside, a suspected previous version of some of the malicious players behind the BlackCat attacks, in How to Defend Against Ransomware-as-a-Service Groups That Attack Active Directory.
Learn how to spot a dangerous server setting that could open your Active Directory to attack in Unconstrained Delegation in Active Directory Leaves Security Gaps.
See how attackers use Discretionary Access Control Lists (DACLs) to hide membership and evade detection in How Attackers Can Use Active Directory Primary Group Membership for Defense Evasion.

Develop an effective, comprehensive Active Directory recovery plan

Proactively protecting AD from attack is the first step in improving security posture. But you also need a tested AD recovery plan that you can deploy in the event of an attack. According to Enterprise Management Associates, 50 percent of organizations experienced an attack on AD in the last 1 to 2 years, and more than 40 percent of those attacks were successful. Shore up your AD DR plans with these guidelines:

Find important recovery tips in The Dos and Don’ts of AD Recovery.
Find ways to minimize the Active Directory attack surface, develop an effective recovery plan, monitor for signs of compromise—and roll back unauthorized changes in Your Zero Trust Strategy Depends on Active Directory Integrity.
Want more in-depth details for evaluating your AD recovery plan? Download Does Your Active Directory Disaster Recovery Plan Cover Cyberattacks?

Protect the keys to your kingdom

With the increase in ransomware and other cyberattacks, protecting Active Directory and Azure AD is more important than ever. Need to help decision makers understand the value of Active Directory–specific security? The Practical ROI of a Quick Active Directory Recovery dives into just how much is at stake. In short, unless you have specific solutions in place to address Active Directory and Azure AD before, during, and after an attack, your entire organization continues to be at risk.


More resources

Understanding and Protecting Kerberos – The Soft Underbelly of Cybersecurity | Semperis
Rise of Active Directory Exploits | Semperis
The Top 10 Actions Every Organization Should Take to Protect their AD from Attacks | Semperis


The post Combatting a BlackCat Ransomware Active Directory Attack appeared first on Semperis.