Why are attackers after AD credentials?

 

What is AD? Imagine a box filled with every computer, user, application and service that runs in an organization's network. That box is AD, a critical application because it stores large amounts of data, and controls and organizes everything residing in it. AD is of high value to attackers because within it they can find identity-related information, including user permissions, passwords, and devices in the network.

To gain a foothold into your network, all the attacker needs to do is to compromise the domain user credentials of one of the thousands of accounts that might reside in your AD.

This explains why the bulk of cyberattacks today involve targeting the employee credentials of the increasing number of remote workers. 61% of all the attacks in 2021 involved credential data1. With remote work, Active Directory platform has become more vulnerable to attacks as it tries to serve the authentication request from users who use their unsecured personal devices to connect to corporate network and or use their home or other public wifi-networks to establish a connection. Also, the number of cloud applications and services organizations use are only growing and enabling authentication for these services through AD is a priority for many organizations. If the AD passwords in use are weak or are compromised passwords, then they put AD under great risk. These challenges have made AD more vulnerable than ever before.

In the next chapter, we will see, when the security defenses are not configured properly, how easy it is for attackers to compromise accounts using just one technique and the various tools that they use.