Priority for Effective Action - A Practical Model for quantifying the Risk of Active Directory Attacks

While Active Directory is widely used by enterprises as the backbone of their network, compromising it also means controlling an entire organization for attackers. However, we can usually find that attackers have compromised Active Directory for malicious purposes through various news sources. From our study, we have found that this has caused a gap between the defensive and offensive sides. First, defenders are not sufficiently informed about the attack vectors for Active Directory. Without this visibility, defenders have no clue what needs to be taken care of, leaving the attacker the chance to leverage these overlooked attack vectors. Thus, even if defenders are aware of the potential attack vectors, mitigations cannot be efficient without knowing the severity of the risks for prioritizing the work. As an incident can happen anytime, attackers may still use an attack vector that has not yet been mitigated.

To solve the above challenges, we first inventory all the attack vectors from our knowledge of Active Directory. Defenders can use this inventory to enumerate the Active Directory attack vectors for visibility. In addition, we propose a practical model specifically targeting Active Directory for quantifying the risk of attack vectors based on this inventory. So, defenders can use the quantified risk to prioritize mitigation and effectively reduce the risk. Furthermore, we have also developed a way to quantify the risk of an attack path that is chained by multiple attack vectors. This enables defenders to comprehensively evaluate the overall risk and then reduce AD attack surface risks in the AD environment in order of risk result, maximizing the reduction of time and human cost against AD attacks.

About the Speakers