In February 2021, federal agencies were knee deep in modernizing their IT infrastructures to accommodate the digitized new normal of their processes, workflows, and services. But while the federal government was busy digitally transforming its systems, adversarial nation-states were executing sophisticated cyber-attacks against federal agencies in attempts to breach their networks and exploit stolen controlled unclassified information (CUI).
On February 2, 2021, the National Institute of Standards and Technology (NIST) responded to this threat by releasing Special Publication 800-172, which provides guidance to federal agencies on how to protect CUI and how to mitigate attacks and advanced cyber threats from nation-state adversaries.
During a recent online event, Quest Software’s Principal Strategic Systems Consultant, Bryan Patton, gave audiences a glimpse into how Quest has been working to align its solutions with NIST’s overarching cybersecurity framework: how to identify, detect, protect, respond, and recover federal agencies’ identity systems, such as Active Directory (AD), from a destructive cyber-attack.
Identify
The first step in the NIST framework is to identify. When federal agencies have the ability to discover and identify network vulnerabilities, they can strengthen their cybersecurity posture by putting controls in place to ensure that the same exposure will not rear its head on the network again. Identifying these indicators of exposure (IOEs) also enables agencies to prioritize the identified attack paths that run a higher risk of being exploited by an attacker who seeks to take over a federal operating environment.
Quest has partnered with SpecterOps and its BloodHound Enterprise (BHE) solution to arm federal agencies with capabilities designed to identify network IOEs. SpecterOps specializes in identifying AD exposures and attack paths, up to Tier Zero. Tier Zero houses the federal agency assets that, if compromised, can have the greatest impact on an organization. To ensure the utmost protection of Tier Zero assets, they must be deep vaulted.
Through SpecterOps’ BHE solution, federal agencies can automate continuous attack path mapping, which regularly charts every relationship and connection in AD. BHE also delivers a full, real-time understanding of the state of an agency’s AD, exposes new and existing hidden attack paths, and prioritizes which risks an agency should address first to reduce the highest-risk exposures as soon as possible.
BHE also supports agencies with attack path choke point prioritization, by identifying the optimal locations at which to block the greatest number of pathways. Agencies can then rank this finite set of choke points by collective risk reduction and minimize remediation effort.
Insider threats also pose a growing risk within organizations. Malicious cyber actors are now attempting to recruit people inside an organization who hold first-level AD permissions to act as internal access brokers. This is a threat that agencies cannot ignore, especially if they operate in an environment where users hold unnecessary first-level access permissions. BHE can identify all of these vulnerable access points to ensure that only the required personnel have access to those segments of the network.
Detect, Protect, Respond
After an agency identifies the attack paths within its AD environment, the next step is to determine whether or not an attack path has already been used to compromise the network. This step is not one that is completed once a year, monthly, or even weekly. Truly mature detection processes require continuous monitoring for AD anomalies.
Quest’s AD Risk Assessment Suite continually monitors federal agency AD environments for indicators of compromise (IOCs). While BHE indicates areas of exposure, the Risk Assessment Suite continually monitors, detects, and identifies areas that have actually been compromised.
Once an agency has identified IOCs within AD, it is imperative that the IT team respond immediately by limiting the impact of the breach. Quest can assist organizations in protecting their AD environments and limiting the impact of any breaches that do occur inside the network. All of Quest’s solutions are designed and developed to meet the standards that both NIST and CISA are advising today.
To effectively protect a federal agency’s most sensitive Tier Zero Group Policy Objects (GPOs), as identified by BHE, Quest recommends that agencies implement a two-person, version-controlled change process for any change made at the Tier Zero level.
GPOADmin can assist agencies by automating manual, time-consuming GPO management tasks. The solution also ensures regulatory compliance with advanced GPO auditing and tracking, enhances internal change control processes, and integrates and extends an agency’s native tools.
Recover
The last piece of the NIST framework is for federal agencies to have a recovery plan in place should a breach occur. Quest’s Recovery Manager for Active Directory (RMAD) Disaster Recovery Edition cuts down on recovery time, delivers secure hybrid AD recovery, and ensures agency continuity with limited interruption.
Government agencies must begin shifting away from a purely defensive, recovery-focused mindset toward a broader cybersecurity posture. Nation-state threats against federal networks are real and on the rise. If a cyberattack were to occur, federal agencies that have prioritized maintaining compliance with the five pillars of the NIST framework will be in the best position to limit the damage caused by the attack and will be able to begin recovering and reinstating the agency’s AD environment immediately.