

5 Ways to Protect Active Directory with Varonis

Active Directory, Data Security

The fastest way to break into someone’s network is through Active Directory (AD) – it’s the key to the entire kingdom. If you need access to any server, you need to ask AD for permission.

Varonis monitors Active Directory to protect you from a myriad of cybersecurity threats. By combining knowledge of AD, file server activity, and perimeter telemetry, Varonis can detect threats in AD before they become full-blown data breaches.

Technical note: Active Directory and Directory Services are often used interchangeably. Active Directory is Microsoft’s implementation of a directory service, queried over LDAP.

How Does Varonis Monitor Active Directory?

Varonis gathers and stores the security event logs from your Domain Controllers (DCs). We analyze the AD log data in context with file activity, VPN activity, DNS requests, and proxy requests to paint a clear picture of normal and abnormal behavior. Varonis builds up each user’s behavior patterns over time and compares them to current activity – if there’s AD activity that looks suspicious, or deviates from the norm for a particular user (or type of user), it triggers an alert. Security teams use these alerts to detect active threats and use the Varonis UI to investigate how the incident occurred in the first place.

How Varonis Detects Credential Theft

Credential theft, the unlawful use of someone else’s login credentials, is one of the more common methods used to infiltrate networks. It’s always easier to steal a password than to brute-force one or break Kerberos. No matter how much you train users in cybersecurity principles and build out cybersecurity protections, your users remain the chink in your armor: on any given day, any given user can accidentally click a phishing link. That means that, on top of all that training, it’s important to monitor for possible credential theft. Here are a few threat models that catch evidence of credential theft.

Threat Model: Abnormal access behavior: possible credential stuffing attack from a single source

How it works: Varonis detected multiple failed attempts to log in with invalid user names or passwords from a single device.

What it means: Either an attacker is trying to find a valid username to use in a brute force password attack, or they have a list of usernames from a prior data breach that they’re using to guess a valid username/password combination – which makes it a credential stuffing attack. The good news is that at this point, they do not have access to your network, and you can proactively shut them down.

Where it works: Directory Services
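The detection described in this threat model reduces to counting failed logons per source and looking at how many different user names were tried. The following is an added illustration written for this article, not Varonis code: it runs a sliding window over constructed failed-logon records (loosely modelled on the fields of Windows Security event 4625) and flags a source that fails many times against many distinct accounts, which is the credential stuffing / username enumeration pattern, while leaving a user who simply mistypes their own password alone. The thresholds and the sample data are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records: (timestamp, source_ip,
# target_user, failure_reason). Not real log data.
FAILED_LOGONS = [
    ("2024-03-01T09:00:01", "10.0.0.5", "alice", "bad_password"),
    ("2024-03-01T09:00:03", "10.0.0.5", "bob",   "bad_password"),
    ("2024-03-01T09:00:04", "10.0.0.5", "carol", "unknown_user"),
    ("2024-03-01T09:00:06", "10.0.0.5", "dave",  "bad_password"),
    ("2024-03-01T09:00:08", "10.0.0.5", "erin",  "unknown_user"),
    ("2024-03-01T09:00:09", "10.0.0.5", "frank", "bad_password"),
    # A legitimate user fat-fingering their own password twice
    ("2024-03-01T09:30:00", "10.0.0.7", "alice", "bad_password"),
    ("2024-03-01T09:31:00", "10.0.0.7", "alice", "bad_password"),
]


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_failures=5, min_distinct_users=4):
    """Return {source_ip: {"users": set, "unknown_user_hits": int}} for every
    source that, within any `window`, produced at least `min_failures`
    failures spread over at least `min_distinct_users` accounts.
    Thresholds are assumptions for this example."""
    by_source = defaultdict(list)
    for ts, src, user, reason in events:
        by_source[src].append((datetime.fromisoformat(ts), user, reason))

    alerts = {}
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it fits within `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            window_rows = rows[start:end + 1]
            users = {u for _, u, _ in window_rows}
            if len(window_rows) >= min_failures and len(users) >= min_distinct_users:
                entry = alerts.setdefault(src, {"users": set(), "unknown_user_hits": 0})
                entry["users"].update(users)
        if src in alerts:
            # Unknown-user failures suggest the attacker is guessing names,
            # not just passwords (username enumeration).
            alerts[src]["unknown_user_hits"] = sum(
                1 for _, _, reason in rows if reason == "unknown_user")
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(FAILED_LOGONS).items():
        print(src, sorted(info["users"]), "unknown users:", info["unknown_user_hits"])
```

On the sample data only 10.0.0.5 is reported; 10.0.0.7 never reaches the distinct-user threshold. In a real deployment the source would be the workstation name or IP from the event, and the baseline thresholds would be tuned per environment.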

Threat Model: Abnormal behavior: unusual amount of devices accessed

How it works: Varonis continuously scans Directory Services for logins, comparing historical behavior patterns to the current data. In this case, the attacker has a user’s credentials and is probing the network to figure out which devices they can access with that account.

What it means: An attacker might be using a compromised user account to reach that user’s assets on multiple devices. At a minimum, you need to reset the account’s password and figure out how it was compromised. You may also need to dig into what else the attacker accessed to make sure there are no data breaches.

Where it works: Directory Services

How Varonis Detects Privilege Escalations

Once attackers have access to your network, they will try to expand their access to Administrative or Domain Admin privileges. That type of activity – attempts at elevating access – is known as privilege escalation. Attackers use the privileges they already have to obtain higher-privileged access. There are several methods to gather more access and enable lateral movement through the network. Here are a few threat models that will detect attempts at privilege escalation.

Threat Model: Membership changes: admin groups

How it works: Varonis categorizes users and groups into four buckets: privileged, service, executive, and user. Privileged groups have admin-level permissions to at least a few, if not most, of the resources in your network. This threat model looks for any members added to or removed from admin (privileged) groups.

What it means: Someone either added or removed a user from an admin group. An attacker might add an admin to a group in order to get more access – or they might delete an admin to deny access, potentially preventing a response to the attack. If they made this change outside of change control, it could be evidence of a privilege escalation in a cyberattack.

Where it works: Directory Services
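The group-membership threat model boils down to watching the membership-change events the DC already writes and asking two questions: was the group privileged, and was the change expected? The block below is an added example for this article, not Varonis code. It uses the real Windows Security event IDs for member added/removed (4728/4729 for global, 4732/4733 for local, 4756/4757 for universal groups), a privileged-group list and a change-control ticket list that are both assumptions for the example, and constructed sample events. It also marks the case where the actor added themselves, which the article’s "what it means" paragraph calls out as a classic escalation sign.

```python
from datetime import datetime

# Groups treated as privileged (assumption for this example; a real list
# would be derived from the directory's admin tiers).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}

# Windows Security event IDs for group membership changes
ADD_EVENTS = {4728, 4732, 4756}     # member added to global/local/universal group
REMOVE_EVENTS = {4729, 4733, 4757}  # member removed from global/local/universal group

# Constructed approved change-control windows: (group, member, start, end)
CHANGE_TICKETS = [
    ("Domain Admins", "svc-backup", "2024-03-01T08:00:00", "2024-03-01T10:00:00"),
]

# Constructed sample events; not real log data.
EVENTS = [
    {"time": "2024-03-01T09:15:00", "id": 4728, "group": "Domain Admins",
     "member": "svc-backup", "actor": "admin.jane"},
    {"time": "2024-03-01T23:41:12", "id": 4728, "group": "Domain Admins",
     "member": "helpdesk07", "actor": "helpdesk07"},
    {"time": "2024-03-01T23:42:30", "id": 4729, "group": "Domain Admins",
     "member": "admin.jane", "actor": "helpdesk07"},
    {"time": "2024-03-01T12:00:00", "id": 4728, "group": "Marketing",
     "member": "newhire", "actor": "admin.jane"},
]


def is_approved(event, tickets):
    """True if a change ticket covers this group/member at the event time."""
    t = datetime.fromisoformat(event["time"])
    for group, member, start, end in tickets:
        if (group == event["group"] and member == event["member"]
                and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end)):
            return True
    return False


def detect_admin_group_changes(events, tickets=CHANGE_TICKETS):
    """Return one alert per membership change touching a privileged group,
    annotated with whether it was covered by change control and whether the
    actor modified their own membership."""
    alerts = []
    for e in events:
        if e["group"] not in PRIVILEGED_GROUPS:
            continue
        if e["id"] in ADD_EVENTS:
            action = "added"
        elif e["id"] in REMOVE_EVENTS:
            action = "removed"
        else:
            continue
        alerts.append({
            "time": e["time"], "action": action, "group": e["group"],
            "member": e["member"], "actor": e["actor"],
            "approved": is_approved(e, tickets),
            "self_service": e["actor"] == e["member"],
        })
    return alerts


if __name__ == "__main__":
    for a in detect_admin_group_changes(EVENTS):
        print(a)
```

The Marketing change is ignored, the backup service account addition is reported but marked approved, and the two late-night changes (a help-desk account adding itself to Domain Admins, then removing an existing admin) come out unapproved, which is exactly the add-to-gain-access / remove-to-deny-response pair the article describes.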

Threat Model: Failed privilege escalation detected via vulnerability in Kerberos

How it works: Varonis monitors domain user logins for evidence of a Silver Ticket attack. Each login contains details that Varonis analyzes for possible attempts to circumvent Kerberos authentication.

What it means: An attacker tried to exploit a vulnerability in Microsoft’s Kerberos implementation that lets attackers elevate their permissions using a forged TGS. Check out Microsoft CVE-2014-6324 for all the details. Patch your DCs for this CVE and lock the attacker out of your network STAT!

Where it works: Directory Services

How Varonis Detects Lateral Movement

Assuming the attacker has made it this far undetected, they may start looking around for sensitive data they can steal. We refer to this phase of the cyber kill chain as lateral movement, as the attackers are moving laterally across your network using the stolen access. Varonis identifies and monitors your sensitive data stores and AD to catch such shenanigans. Varonis identifies where sensitive data lives and categorizes each AD account as a service, executive, privileged, or user account. Based on knowledge of what kind of data each account is accessing, Varonis can make informed decisions and analysis about current user activity.

Threat Model: Abnormal behavior: unusual amount of logons to personal devices

How it works: Each time the attacker accesses a new server on the network, they generate a new login event. Varonis watches those login events for abnormal behavior, and a user hitting multiple servers in a short amount of time – especially ones that they have never accessed before – will raise a red flag.

What it means: Someone is behaving out of the ordinary, and it’s possible an attacker has compromised this user account. It might mean that they’ve accessed the network – and are now looking for data to steal.

Where it works: Directory Services
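Both the "unusual amount of devices accessed" model above and this "unusual amount of logons" model rest on the same idea: a per-account baseline of which hosts the account normally touches, compared against a recent window, with extra weight on hosts the account has never used before. The block below is an added example for this article, not Varonis code, and its baseline data, current-window data and thresholds are constructed assumptions. A real baseline would be built from weeks of successful-logon events (for example Windows event 4624) per account.

```python
from collections import defaultdict

# Constructed historical logon records: (user, host). Not real log data.
HISTORY = [
    ("alice", "WS-ALICE"), ("alice", "FS-HR"), ("alice", "WS-ALICE"),
    ("bob", "WS-BOB"), ("bob", "FS-ENG"), ("bob", "BUILD-01"), ("bob", "BUILD-02"),
]

# Constructed current-window records for the same accounts.
CURRENT = [
    ("alice", "WS-ALICE"), ("alice", "FS-HR"), ("alice", "FS-ENG"),
    ("alice", "BUILD-01"), ("alice", "SQL-01"), ("alice", "DC-02"),
    ("bob", "WS-BOB"), ("bob", "BUILD-01"), ("bob", "BUILD-03"),
]


def build_baseline(history):
    """Map each account to the set of hosts it has logged on to before."""
    hosts = defaultdict(set)
    for user, host in history:
        hosts[user].add(host)
    return hosts


def detect_unusual_device_access(baseline, current, min_new=2, ratio=2.0):
    """Flag accounts whose distinct hosts in the current window are at least
    `ratio` times their baseline count AND include at least `min_new` hosts
    never seen for that account. Returns {user: sorted new hosts}."""
    seen_now = defaultdict(set)
    for user, host in current:
        seen_now[user].add(host)

    alerts = {}
    for user, hosts in seen_now.items():
        known = baseline.get(user, set())
        new_hosts = hosts - known
        if len(new_hosts) >= min_new and len(hosts) >= ratio * max(len(known), 1):
            alerts[user] = sorted(new_hosts)
    return alerts


if __name__ == "__main__":
    print(detect_unusual_device_access(build_baseline(HISTORY), CURRENT))
```

On the sample data alice (normally two hosts, now six, four of them new, including a SQL server and a domain controller) is flagged, while bob, who touched one new build box but fewer hosts than usual, is not. The `max(len(known), 1)` guard makes a brand-new account with no baseline still trigger on its first burst of new hosts rather than dividing by zero.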

How Varonis Protects You From Encryption Downgrades

Strong encryption is vital to keeping usernames and passwords safe on our network, but unfortunately it’s not a foolproof solution. The latest versions of AD use AES encryption to protect Kerberos tickets, but attackers have figured out how to make AD use the much easier-to-crack RC4 encryption instead. This is an encryption downgrade attack – or a Skeleton Key attack – and Varonis has a threat model that detects this kind of threat.

Threat Model: Encryption downgrade attack

How it works: Varonis monitors AD logins, and each AD login records which encryption type was used. Any increase in the number of logins at weaker encryption types triggers an alert.

What it means: The attackers are likely trying to reduce the encryption level in order to bypass Active Directory’s protections. They might have been able to deploy a skeleton key, which – you guessed it – allows them to authenticate as any user.

Where it works: Directory Services
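The encryption-type signal the model relies on is present in the DC’s own Kerberos events: events 4768 (TGT issued) and 4769 (service ticket requested) carry a "Ticket Encryption Type" field, where 0x12 is AES256, 0x11 is AES128 and 0x17 is RC4-HMAC. The block below is an added example for this article, not Varonis code. It does two things the "how it works" paragraph implies: compare today’s share of weak-cipher tickets against a baseline, and list the specific accounts that were AES-only in the baseline but suddenly show RC4 today, which is the per-account view you want when hunting for a skeleton key. Sample records, baseline length and thresholds are constructed assumptions.

```python
# Kerberos ticket encryption types as logged in events 4768/4769
ENC_TYPES = {0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
             0x17: "RC4-HMAC", 0x3: "DES-CBC-MD5"}
WEAK = {0x17, 0x3}  # ciphers considered a downgrade in an AES-capable domain

# Constructed baseline records: (account, ticket_encryption_type).
# Two ordinary users on AES, one legacy app that has always used RC4.
BASELINE = ([("alice", 0x12)] * 40 + [("bob", 0x12)] * 40 + [("legacy-app", 0x17)] * 4)

# Constructed records for the current period: alice and bob now appear with RC4.
TODAY = ([("alice", 0x12)] * 10 + [("alice", 0x17)] * 10 + [("bob", 0x17)] * 10
         + [("legacy-app", 0x17)] * 2)


def weak_share(records):
    """Fraction of tickets issued with a weak encryption type."""
    if not records:
        return 0.0
    return sum(1 for _, t in records if t in WEAK) / len(records)


def detect_downgrade(baseline, today, factor=3.0, min_weak=10):
    """Alert when today's weak-cipher share is at least `factor` times the
    baseline share and at least `min_weak` weak tickets were observed.
    Thresholds are assumptions for this example."""
    base = weak_share(baseline)
    now = weak_share(today)
    weak_count = sum(1 for _, t in today if t in WEAK)
    return {"baseline_share": base, "today_share": now,
            "alert": now >= factor * base and weak_count >= min_weak}


def accounts_downgraded(baseline, today):
    """Accounts that used only strong ciphers in the baseline but show a
    weak cipher today. A legacy account that was always RC4 is not listed."""
    ever_weak = {a for a, t in baseline if t in WEAK}
    strong_only = {a for a, _ in baseline} - ever_weak
    return sorted({a for a, t in today if t in WEAK and a in strong_only})


if __name__ == "__main__":
    print(detect_downgrade(BASELINE, TODAY))
    print("accounts newly on weak ciphers:", accounts_downgraded(BASELINE, TODAY))
```

The legacy application that always used RC4 keeps the global baseline from being zero and is deliberately excluded from the per-account list; the two accounts that silently switched from AES to RC4 are the ones to investigate.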

How Varonis Detects Threats Against Kerberos

If you are using AD, you are using Kerberos; and if you are using Kerberos, there are a few vulnerabilities you need to be aware of. Varonis watches for activity related to those vulnerabilities.

Threat Model: Potential pass-the-ticket attack

How it works: Varonis analyzes Active Directory logs for evidence of access to a resource that bypassed the standard Kerberos process and proper authorization.

What it means: Someone is trying to break into your network – unless your new interns are on the Red Team. An attacker is likely using a stolen ticket to get access to resources. One possible attack is the Golden Ticket attack, which means you have a lot of clean-up work ahead of you to contain that threat.

Where it works: Directory Services
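One concrete form of "access that bypassed the standard Kerberos process" a defender can check for in DC logs is a service-ticket request (event 4769) for an account and client address that never obtained a TGT (event 4768) within the ticket lifetime: a stolen or forged ticket is presented without the authentication step that should precede it. The block below is an added example for this article, not Varonis code, and this correlation heuristic is an assumption of the example rather than a description of the product’s logic. The Kerberos events are constructed, and the 10-hour lookback matches the default TGT lifetime. Note that logs from every DC must be merged first, since the TGT and the service ticket can be issued by different DCs.

```python
from datetime import datetime, timedelta

# Constructed Kerberos events: (time, event_id, account, client_ip, service).
# 4768 = TGT issued (AS exchange), 4769 = service ticket requested (TGS exchange).
KERB_EVENTS = [
    ("2024-03-01T08:00:00", 4768, "alice", "10.0.1.20", "krbtgt"),
    ("2024-03-01T08:00:02", 4769, "alice", "10.0.1.20", "cifs/FS-HR"),
    ("2024-03-01T08:05:00", 4769, "alice", "10.0.1.20", "ldap/DC-01"),
    # alice's ticket used from a host that never requested a TGT for her
    ("2024-03-01T08:10:00", 4769, "alice", "10.0.9.99", "cifs/FS-ENG"),
    # bob requests a service ticket with no TGT issued anywhere in the lookback
    ("2024-03-01T08:11:00", 4769, "bob", "10.0.1.21", "cifs/FS-ENG"),
]


def detect_tgs_without_tgt(events, lookback=timedelta(hours=10)):
    """Return (account, client_ip, service) for every service-ticket request
    that is not preceded, within `lookback`, by a TGT issued to the same
    account from the same client address."""
    last_tgt = {}  # (account, client_ip) -> time of most recent TGT
    suspicious = []
    for ts, event_id, account, ip, service in sorted(events):
        t = datetime.fromisoformat(ts)
        if event_id == 4768:
            last_tgt[(account, ip)] = t
        elif event_id == 4769:
            issued = last_tgt.get((account, ip))
            if issued is None or t - issued > lookback:
                suspicious.append((account, ip, service))
    return suspicious


if __name__ == "__main__":
    for hit in detect_tgs_without_tgt(KERB_EVENTS):
        print("service ticket without matching TGT:", hit)
```

Expect some benign hits in practice: clients that obtained their TGT before log retention began, renewed TGTs, and NAT or VPN address changes. The value of the check is as a triage signal to combine with the other models on this page, not as a standalone verdict.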

With hundreds of built-in threat models, DatAlert detects everything from golden ticket attacks to abnormal lockout behavior to DNS poisoning. You can take automatic action to disable a compromised account, kill active sessions, and even send alerts to your SIEM for further analysis and correlation.

Understanding Active Directory is vital to protecting companies from data breaches, and active monitoring of Active Directory can be the difference between an attempted breach and actual data theft.

Get a 1:1 demo of Varonis and discover how we do data security differently.

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.
