Active Directory Exposures Account For 80% Of All Exposures

Identity and credential misconfigurations represent a majority of security exposures across organizations

by Mihir Bagwe, May 7, 2024, in Cybersecurity News, Firewall Daily, Vulnerabilities


Data sourced from over 40 million exposures that pose high-impact risks to numerous critical business entities revealed that Active Directory typically accounts for 80% of all security exposures identified in organizations.

The research from XM Cyber in collaboration with the Cyentia Institute found that identity and credential misconfigurations fuel a striking majority of security exposures across organizations. Among these exposures, a third directly jeopardize critical assets, serving as a prime target for adversaries seeking to exploit vulnerabilities.

Active Directory Exposures Dominate the Attack Surface

Active Directory accounts for over half of entities identified across all environments, as per the report from XM Cyber.

Thus, a significant portion of security exposures lies within a company's Active Directory, a vital component for connecting users to network resources. However, this critical infrastructure also presents an attractive target for attackers, as it offers them additional elevated rights.

“An attacker who has compromised an Active Directory account could use it to elevate privileges, conceal malicious activity in the network, execute malicious code and even gain access to the cloud environment,” XM Cyber explained.

“Many of these exposures stem from the inherent nature of dynamic configuration issues in Active Directory as well as the challenge of keeping it updated. This creates a blind spot that appears secure on the surface but hides a nest of problems that many security tools can't see,” the report said.

Misconfigurations and emerge as the top contributors to these exposures, introducing gaps that traditional security tools often overlook, such as issues in member management and password resets. These issues “present a challenge for nearly every organization,” XM Cyber said.

Techniques like , , relay and feature prominently in the list of top techniques identified by attack path analysis for AWS, Azure and GCP, and tools like Mimikatz make these techniques even easier to execute, which makes them extremely popular.

Poor practices also make credential-related attack paths easier and more potent. XM Cyber said it identified highly privileged Active Directory credentials cached on multiple machines in 79% of organizations, and one in five of those have admin-level permissions on 100 or more devices.

Furthermore, poor endpoint hygiene afflicts the majority of environments, with over 25% of devices lacking EDR coverage or containing cached credentials, offering attackers ample entry points to establish footholds. These overlooked vulnerabilities in identity and endpoint security form a fertile ground for hackers, demanding urgent attention from organizations.

Zur Ulianitzky, Vice President of Security Research at XM Cyber, emphasized the necessity of broadening the scope of exposure management beyond vulnerabilities to encompass all potential adversary pathways, including misconfigurations and user behavior. The research revealed that a mere 2% of exposures exist on critical 'choke points,' where adversaries exploit vulnerabilities to access crucial assets.

CVEs are a Drop in the Ocean

Despite organizations' focus on managing traditional software vulnerabilities tracked by CVE identifiers, these efforts barely scratch the surface. XM Cyber's analysis uncovered approximately 15,000 exposures per organization, with CVE-based vulnerabilities constituting less than 1% of this extensive exposure landscape.

Even concerning exposures affecting critical assets, CVEs represent only a minute fraction, highlighting significant blind spots in security programs fixated solely on vulnerability patching.

Exposed Critical Assets in the Cloud

Active Directory is the largest attack surface, according to XM Cyber, but the largest share of exposures to critical assets is in the cloud.

Cloud environments, amidst rapid adoption by organizations, are not immune to exposure risks. Over half (56%) of exposures affecting critical assets are traced back to cloud platforms, presenting a significant threat as attackers seamlessly traverse between on-premises and cloud environments.

This fluid movement poses a substantial risk to cloud-based assets, allowing attackers to compromise critical resources with minimal effort.

Exposure Risks Across Sectors

Industry-specific analysis from the report reveals discrepancies in exposure risks across sectors. Industries like Energy and Manufacturing exhibit a higher proportion of internet-exposed critical assets affected by exposures compared to Financial Services organizations, despite the latter's larger digital footprint.

Healthcare providers, facing inherent challenges in minimizing risk, contend with a median number of exposures five times higher than the Energy and Utilities sector, emphasizing the need for tailored exposure management strategies.

Exposure management now goes beyond addressing only vulnerabilities and CVEs. Organizations need to adopt a holistic and ongoing exposure management approach, incorporating attack path modeling to pinpoint and resolve infrastructure weak points.

Emphasis should be placed on tackling identity issues and cloud cyber hygiene, while advocating for tailored solutions according to industry and scale.
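The attack path modeling and 'choke point' analysis described above can be illustrated on a small graph. The following is an added example, not code from XM Cyber or the report: it takes a constructed inventory of hypothetical entities (workstations, service accounts, servers, a cloud tenant) joined by the kinds of relations the article discusses (cached privileged credentials, admin rights, cloud access), enumerates the paths from initial footholds to critical assets, ranks the intermediate nodes by how many paths pass through them, and then shows how many paths remain once one node's exposure is fixed. All entity names and relations are made up.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names). Each edge means that
# control of `source` gives an attacker a way to reach `target`.
EDGES = [
    # (source, target, relation)
    ("ws-01", "svc_backup", "cached_credential"),  # privileged cred cached on a workstation
    ("ws-02", "svc_backup", "cached_credential"),
    ("ws-03", "svc_backup", "cached_credential"),
    ("svc_backup", "file-srv", "admin_on"),
    ("svc_backup", "app-srv", "admin_on"),
    ("app-srv", "da_ops", "cached_credential"),      # domain admin cred cached on a server
    ("da_ops", "dc-01", "admin_on"),
    ("da_ops", "aad-sync", "admin_on"),
    ("aad-sync", "cloud-tenant", "cloud_access"),    # on-prem to cloud pivot
    ("file-srv", "finance-db", "network_access"),
]
CRITICAL_ASSETS = {"dc-01", "cloud-tenant", "finance-db"}
FOOTHOLDS = {"ws-01", "ws-02", "ws-03"}  # where an intrusion is assumed to start


def build_graph(edges):
    """Adjacency list: source -> list of reachable targets."""
    graph = defaultdict(list)
    for src, dst, _relation in edges:
        graph[src].append(dst)
    return graph


def attack_paths(graph, start, targets):
    """Enumerate simple paths (no revisited nodes) from start to any target."""
    paths = []

    def dfs(node, path):
        if node in targets:
            paths.append(list(path))  # record and stop at the first critical asset
            return
        for nxt in graph.get(node, []):
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return paths


def choke_points(edges, footholds, critical, top=3):
    """Return (all paths, top intermediate nodes ranked by path count).

    A choke point is a node that many paths to critical assets must cross;
    fixing its exposure removes every path that runs through it.
    """
    graph = build_graph(edges)
    paths = [p for f in sorted(footholds) for p in attack_paths(graph, f, critical)]
    hits = defaultdict(int)
    for p in paths:
        for node in p[1:-1]:  # exclude the foothold and the asset itself
            hits[node] += 1
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return paths, ranked[:top]


def remaining_paths_after_fix(edges, footholds, critical, fixed_node):
    """Paths that survive once every exposure touching fixed_node is removed."""
    pruned = [e for e in edges if fixed_node not in (e[0], e[1])]
    graph = build_graph(pruned)
    return [p for f in sorted(footholds) for p in attack_paths(graph, f, critical)]


if __name__ == "__main__":
    paths, top = choke_points(EDGES, FOOTHOLDS, CRITICAL_ASSETS)
    print(f"{len(paths)} attack paths from {len(FOOTHOLDS)} footholds")
    for node, count in top:
        print(f"  choke point {node}: on {count} paths")
    for node, _ in top:
        left = remaining_paths_after_fix(EDGES, FOOTHOLDS, CRITICAL_ASSETS, node)
        print(f"  fixing {node} leaves {len(left)} paths")
```

In this constructed graph every path crosses `svc_backup`, so removing that one cached credential from the workstations eliminates all nine paths, while fixing `da_ops` alone still leaves the three paths to `finance-db`; that is the kind of prioritisation the report's choke-point figure refers to.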
