Introduction to Microsoft Advanced Threat Analytics: It is incredibly important to identify applications, servers, and sensitive accounts that should be using encryption. What we find all too frequently, however, is that passwords are being sent in plaintext in most enterprises. Here’s what you need to know about identifying these vulnerabilities and, more importantly, how to fix them fast. We’ll use Microsoft Advanced Threat Analytics and its LDAP detection as the example.
Lightweight Directory Access Protocol (LDAP) is an “IETF industry standard, application protocol for accessing and maintaining distributed directory information over an IP network.” In other words, the directory services are needed to share information about apps, users, systems, networks, and services to develop Internet and Intranet-based applications. Unfortunately, secure practices of LDAP aren’t always followed or configured by developers. And, in many cases, IT shops aren’t even aware of the problem until Microsoft Advanced Threat Analytics (ATA) shines a light on the issue.
The screenshot below displays services running on a server exposing account credentials in plaintext through the LDAP. The function that exposes the credentials in plaintext is the Simple Bind or authentication phase. It’s easy for developers and application owners to enable authentication through more secure methods (such as Kerberos) or tunnel LDAP through Transport Layer Security (TLS).
[Screenshot: Microsoft Advanced Threat Analytics]
In this example, you’ll see a sensitive admin account using the LDAP Simple Bind protocol sending passwords in plaintext. ATA discovers the source, respective leaked credential, and the destination LDAP domain controller.
ATA also detects credential exposures for non-sensitive service accounts to allow customers to discover these previously unknown risks to their environment.
Once all applications and services are identified and fixed you can even disable Simple Bind. Check out this Group Policy for more information. Many of our customers find the culprits are non-Windows clients performing these nefarious LDAP binds, and as my previous post illustrated, ATA is device agnostic and will still detect these risks.
Red teams and attackers hunt for plaintext passwords – it makes their job easy to penetrate your network and move laterally to hunt for additional privileges. Unfortunately, compromising a service account can also lead to paths enabling not just lateral movement but also privilege escalation. Blue teams and network defenders armed with ATA can see which apps are running LDAP with passwords in the clear and fix them immediately. You can’t fix what you can’t see, but ATA easily brings these issues to light for you to address quickly.
Anyone eavesdropping on the network can read this password. Why do we have this problem? Because application developers and IT admins are using LDAP Simple Bind to asynchronously authenticate a client to a server using a plaintext password. For application compatibility, Active Directory’s default settings don’t force SSL/TLS encryption when performing a Simple Bind; however, it does support the more secure approach. Because encryption is not required by default, application developers may choose the path of least resistance and develop the applications using LDAP Simple Bind instead of implementing LDAP over SSL (LDAPS). To force SSL/TLS, check out this Group Policy about enforcing Simple Bind.
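To show concretely what a network sensor such as ATA sees on the wire, here is an added example (not ATA's or Microsoft's code) that decodes an LDAP BindRequest and flags a Simple Bind whose password travels in the clear, next to a SASL/GSSAPI (Kerberos) bind that exposes only a mechanism name. The two captures it decodes are constructed, and the `tls` flag assumes the capture layer reports whether the session was LDAPS or StartTLS.

```python
# Added example (not ATA or Microsoft code): decode an LDAP BindRequest (RFC 4511)
# and flag a Simple Bind that carries the password in the clear, which is the
# condition ATA reports. The two messages at the bottom are constructed samples.

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the BER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form definite length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(msg):
    """Parse LDAPMessage{messageID, bindRequest} and describe the authentication used."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:                         # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(body, 0)      # messageID INTEGER
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x60:                      # [APPLICATION 0] CONSTRUCTED = bindRequest
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(op, 0)       # version INTEGER
    _, name, pos = read_tlv(op, pos)        # name LDAPDN (OCTET STRING)
    auth_tag, auth, _ = read_tlv(op, pos)   # AuthenticationChoice
    info = {"message_id": int.from_bytes(msg_id, "big"),
            "version": version[0], "name": name.decode(), "auth": "unknown"}
    if auth_tag == 0x80:                    # [0] simple: the password is the raw OCTET STRING
        info["auth"], info["plaintext_password"] = "simple", auth.decode()
    elif auth_tag == 0xA3:                  # [3] sasl: e.g. GSSAPI carries a Kerberos ticket
        info["auth"], info["mechanism"] = "sasl", read_tlv(auth, 0)[1].decode()
    return info

def exposes_plaintext_credential(msg, tls=False):
    """True when an eavesdropper sees the password: Simple Bind outside a TLS session.
    `tls` is assumed to be supplied by the capture layer (LDAPS or StartTLS)."""
    info = parse_bind_request(msg)
    return info["auth"] == "simple" and not tls and info["plaintext_password"] != ""

def ber(tag, content):
    """Minimal BER encoder (short-form lengths) used only to build the samples."""
    return bytes([tag, len(content)]) + content

# Constructed sample 1: service account binding with Simple Bind over port 389.
SIMPLE_BIND = ber(0x30, ber(0x02, b"\x01") + ber(0x60,
    ber(0x02, b"\x03") + ber(0x04, b"cn=svc_backup,dc=corp,dc=example")
    + ber(0x80, b"Summer2024!")))
# Constructed sample 2: SASL/GSSAPI bind; only the mechanism name and a token are visible.
SASL_BIND = ber(0x30, ber(0x02, b"\x02") + ber(0x60,
    ber(0x02, b"\x03") + ber(0x04, b"") + ber(0xA3, ber(0x04, b"GSSAPI") + ber(0x04, b"\x60\x06"))))
```

Running `exposes_plaintext_credential` over each bind on a port 389 capture is the same classification ATA surfaces as a credential exposure; the same Simple Bind inside a TLS session is not flagged.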
ATA is a user and entity behavioral analytics (UEBA) detection product that identifies advanced persistent threats on your network. It will issue alerts if it sees suspicious activities including recon, lateral movement, reuse of compromised credentials, privilege escalation, and domain dominance, and it is one of the few tools that concentrates on detecting the adversary in the post-exploit phase (detecting them after they’ve already established a foothold). Having this level of visibility into the suspicious activity of your users, entities, and machines is critical for any enterprise.
Microsoft Advanced Threat Analytics is an on-premises product and part of the Enterprise Mobility + Security Suite or Enterprise CAL Suite.