New EMA Research Confirms Active Directory Is Under Attack

Enterprise Management Associates (EMA) has now released a new research report commissioned in part by Attivo Networks. This report focused on Active Directory (AD), the directory-based identity services platform used by more than 90% of global Fortune 1,000 companies.

AD has become a hot target for today’s cybercriminals, with representatives from Mandiant recently indicating that nearly all of the attacks their team investigates involve Active Directory in some way. Because of AD’s important role in identity management, user authentication, and privileged access control, understanding how today’s organizations respond to this threat is critical.

In commissioning the report, our goal was to shed light on how organizations identify and adapt to attacks targeting AD. Do they recognize the threat vectors that adversaries are using? Can they detect attacks targeting AD early in the attack cycle? What protections have organizations implemented to keep AD secure? In answering these questions, we hope to provide a complete picture of the threat landscape of AD and better understand how prepared today’s organizations are to deal with this growing threat.

If You Use Active Directory, You Are at Risk

The prevalence of Active Directory means it isn’t just large organizations at risk: EMA found that 50% of organizations studied in the report had experienced an attack on Active Directory within the past one to two years. Over 40% said that attackers have successfully breached their AD implementation, highlighting that adversaries aren’t just trying to attack AD—they are successfully breaching it at an unacceptable rate.

Fortunately, most organizations have noticed this trend and are taking positive steps to address it. The EMA report found that 86% of organizations plan to increase their investment in AD protection technology. They listed the increased prevalence of attacks targeting AD as the top reason for that investment. Other reasons include:

  • the increase in remote work,
  • expansion of cloud usage, and
  • prevalence of other advanced attacks like ransomware 2.0.

The report also identified more specific Active Directory security challenges. EMA found that the three types of AD attacks that organizations fear most are data protection API abuse (61%), domain trust exploitation (52%), and AD privilege escalation (37%). Furthermore, enterprises listed delegated admins inheriting special permissions (45%), privileged admins (42%), and service accounts or application accounts (12%) as the riskiest AD threat vectors. The repeated mention of privilege escalation and overprovisioning issues underscores that effective AD protection begins with better permission control and access management.

Assessing Preparedness and Existing Challenges

The EMA report assessed the steps enterprises are taking to protect themselves and the challenges preventing them from acting. Just over two-thirds of organizations (68%) indicated that they attempted penetration testing exercises on their AD implementation over the past 18 months. Unfortunately, they also reported that the penetration testers successfully exploited AD exposures 82% of the time. While it is encouraging that organizations are conducting these tests, it highlights the dangerous vulnerability of AD and the need for stronger protections.

Enterprises provided a range of answers when asked what they were doing to protect against advanced attacks like ransomware 2.0. Nearly two-thirds indicated that they employ AD attack detection tools (64%) and endpoint detection and response (EDR) tools (64%), while just over half use antivirus/endpoint protection platforms (EPPs) (55%). Other notable protection measures mentioned by those in the report include user and entity behavioral analytics (UEBA) tools (40%), SIEM and log analysis tools (36%), and identity detection and response (IDR) tools (27%). Given the relative newness of the IDR category, the fact that a significant portion of enterprise users have already adopted it speaks volumes about how quickly it has become a necessity.

It is not difficult to see why IDR is rising in prominence. The enterprises included in the report cited several challenges they face when it comes to remediating Active Directory exposures, including the difficulty of minimizing downtime (46%), lack of visibility into exposures (38%), the need to research the exposure (37%), changing control requirements (37%), and the lack of appropriate data (37%). While IDR cannot address all of these challenges on its own, it does close many coverage gaps left by today’s most common security tools. These include providing additional visibility into exposures, live attack detection, and a wealth of valuable data for defenders.

Arm Your Organization with Knowledge

The findings highlighted above paint a concerning picture. Today’s cybercriminals continue to target AD at an astonishing rate—in part, no doubt, because of the overwhelming success rate of these attacks. Understanding the challenges that organizations face when it comes to preventing these attacks is critical. It can help cybersecurity experts better design tools and resources to provide the necessary security gap coverage to stop AD attacks in their tracks. The introduction of IDR has already proven to be a significant step in the right direction.

The EMA report contains a wealth of information, including additional insight into why organizations continue to use AD and how they are currently working to reduce the AD attack surface. You can read the report, ‘The Rise of Active Directory Exploits: Is it Time to Sound the Alarm?’, by visiting

Attivo's Identity Suite
Ready to experience Attivo Networks, the market’s leading identity security suite?