Tenable Blog

Five Cyber Agencies Sound Alarm About Active Directory Attacks: Beyond the Basics

A landmark global report emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the second of our two-part series, we take you beyond the basics to highlight three key areas to focus on.

The landmark report Detecting and Mitigating Active Directory Compromises — released in September by cybersecurity agencies in Australia, Canada, New Zealand, the U.K. and the U.S. — shines a bright light on the risks organizations face if their identity and access management (IAM) system is targeted by cyberattackers.

In the first of our two-part series, we discussed five steps organizations can take to operationalize the report findings and develop a cybersecurity strategy for protecting their Microsoft Active Directory (AD) infrastructure. While these steps are important, stopping there misses crucial considerations that can further enhance security strategies.

Here, in part two, we look beyond the basics to provide three key areas cybersecurity leaders can consider in order to achieve full coverage, address modern attack techniques and secure Active Directory and its cloud-based counterpart Entra ID (formerly Azure AD) as part of a holistic identity security approach.

1. Implement full coverage for Active Directory in hybrid environments

While basic AD assessment tools provide valuable insights, they fall short in today's hybrid environments, where on-premises AD and cloud identities intersect. Point-in-time scans risk missing active threats like Kerberoasting, DCSync and password spraying — techniques that cyberattackers can execute repeatedly to evade periodic checks.

Why full coverage matters
  • Classic AD threats persist: Traditional attacks targeting AD authentication and replication remain powerful weapons for attackers, requiring constant vigilance.
  • Unified identity monitoring: Modern environments sync on-premises AD with cloud services. Changes in either domain can create vulnerabilities in the other, demanding unified visibility.
  • Cross-environment risks: Attackers combine classic AD exploitation with cloud service attacks. Monitoring must track permissions and configurations across this expanded attack surface.
  • Real-time response: Effective security requires immediate visibility into hybrid threats — from password spraying against synced accounts to privileged credential theft.

What to do
  • Enable unified monitoring: Use tools that offer continuous visibility across both AD and Entra ID to catch threats wherever they arise, maintaining seamless oversight.
  • Set up key threat alerts: Configure automated alerts for threats like Kerberoasting and DCSync, particularly for synced accounts, to react immediately to suspicious activity.
  • Map and review permissions: Regularly audit permissions across AD and Entra ID to spot gaps or misconfigurations that attackers might exploit.
  • Enforce multi-factor authentication (MFA) and conditional access: Strengthen high-privilege accounts with MFA and adaptive policies, aligning access controls to risk signals across both environments.
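
The threat alerts in the list above can be prototyped as rules over Windows Security events 4769, 4662 and 4625. This is an added example, not code from the original post, Tenable or the agencies' report; it assumes the events are already parsed into dictionaries for a single time window, and the thresholds, domain controller names and sample events are constructed placeholders.

```python
from collections import defaultdict

# Extended rights used by directory replication (Get-Changes, Get-Changes-All).
REPL_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}  # assumption: your DC machine accounts
ROAST_MIN_SPNS = 3    # assumption: distinct RC4 service tickets per account
SPRAY_MIN_USERS = 4   # assumption: distinct failed accounts per source IP

def detect(events):
    """Return sorted (technique, actor) alerts for one window of events."""
    rc4_spns = defaultdict(set)      # 4769: requester -> services asked for
    failed_users = defaultdict(set)  # 4625: source IP -> accounts that failed
    alerts = set()
    for e in events:
        eid = e["EventID"]
        if eid == 4769 and e["TicketEncryptionType"].lower() == "0x17":
            svc = e["ServiceName"]
            if not svc.endswith("$") and svc.lower() != "krbtgt":
                rc4_spns[e["TargetUserName"]].add(svc.lower())
        elif eid == 4662:
            props = e["Properties"].lower()
            if (any(g in props for g in REPL_GUIDS)
                    and e["SubjectUserName"] not in DOMAIN_CONTROLLERS):
                alerts.add(("dcsync", e["SubjectUserName"]))
        elif eid == 4625:
            failed_users[e["IpAddress"]].add(e["TargetUserName"].lower())
    alerts |= {("kerberoasting", who) for who, spns in rc4_spns.items()
               if len(spns) >= ROAST_MIN_SPNS}
    alerts |= {("password_spray", ip) for ip, users in failed_users.items()
               if len(users) >= SPRAY_MIN_USERS}
    return sorted(alerts)

# Constructed sample events, not real telemetry.
SAMPLE = (
    [{"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE",
      "ServiceName": s, "TicketEncryptionType": "0x17"}
     for s in ("svc_sql", "svc_web", "svc_backup")]
    + [{"EventID": 4769, "TargetUserName": "asmith@CORP.EXAMPLE",
        "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"}]
    + [{"EventID": 4662, "SubjectUserName": u,
        "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
       for u in ("DC01$", "helpdesk7")]
    + [{"EventID": 4625, "IpAddress": "198.51.100.23", "TargetUserName": u}
       for u in ("alice", "bob", "carol", "dave")]
)

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The RC4 rule only sees service tickets issued with encryption type 0x17, so baseline legitimate RC4 use in your domain before alerting on it.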

2. Address modern attack techniques

While the report from the five cybersecurity agencies — known collectively as the Five Eyes Alliance — highlights 17 AD compromise methods, these cover only the most common tactics. If only attackers were so simple! They are also exploiting AD's connections with Entra ID, software-as-a-service (SaaS) applications and hybrid clouds. To stay secure, organizations must look beyond static techniques and adapt to today's dynamic threat landscape.

Why modernizing matters

Focusing only on known techniques leaves openings for today's attackers, who leverage AD's complex integrations to develop methods that fall outside standard tactics yet pose serious risks. A comprehensive, adaptive security approach prepares teams to counter both established and evolving threats.

What to do
  • Update your threat model: Adapt threat assessments to include new, advanced techniques relevant to your network.
  • Foster a proactive culture: Encourage education on evolving threats and a flexible response approach.
  • Use real-time threat intelligence: Integrate real-time insights to detect and respond to emerging techniques.

3. Don't overlook Entra ID

While the Five Eyes report highlights compromises in on-premises Active Directory, protecting cloud-based directory services, like Entra ID, is equally important as organizations expand into the cloud. Attackers are increasingly pivoting between on-premises AD and cloud-based directories to maximize impact, as demonstrated by recent breaches. In hybrid environments, attackers exploit the gaps between AD and Entra ID, often bypassing defenses that cover only one system.

Think of your directory infrastructure as a house with two front doors: securing only one leaves the other exposed. For modern enterprises, unified security monitoring across AD and Entra ID is essential to prevent attackers from exploiting inconsistencies between on-premises and cloud defenses. Your identity security strategy is only as strong as its most vulnerable directory.

Why securing both AD and Entra ID matters
  • Consistent coverage across environments: As organizations adopt hybrid environments, the separation between on-premises and cloud-based IAM systems creates potential gaps. Unified security across both prevents attackers from finding weak points in the transition from on-premises to cloud.
  • Strengthening your identity security strategy: Attackers target identity as a primary entry point. Treating AD and Entra ID as interdependent systems ensures that your entire identity framework is resilient, regardless of where the threat originates.

What to do
  • Set adaptive access controls: Use conditional access policies to assess user risk in real time, blocking high-risk login attempts automatically.
  • Monitor third-party access: Regularly review and control permissions granted to third-party apps, catching unsanctioned apps and shadow IT early.
  • Enforce least-privilege and OAuth limits: Restrict OAuth permissions to essentials, and identify over-permissioned accounts to maintain least-privilege across cloud and AD environments.
  • Enable real-time identity threat detection: Set identity protection policies to respond instantly to risky logins, such as by triggering MFA or blocking access on suspicious activity.
  • Continuously audit and adjust policies: Regularly assess conditional access and third-party permissions to keep your identity security strategy aligned with evolving threats.
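
The third-party access and OAuth review in the list above can be run as a script over an export of delegated permission grants. This is an added example, not code from the original post or from Tenable; it assumes an export shaped like Microsoft Graph's oauth2PermissionGrants collection, and the high-risk scope list, the sanctioned-app allowlist and the client IDs are constructed placeholders.

```python
import json

# Delegated Microsoft Graph scopes treated as high-impact in this review.
# Assumption: illustrative list; extend it to match your own policy.
HIGH_RISK = {"directory.readwrite.all", "rolemanagement.readwrite.directory",
             "application.readwrite.all", "mail.readwrite", "files.readwrite.all"}

def review_grants(grants, sanctioned_client_ids):
    """Return (clientId, reasons) for grants that break least privilege."""
    findings = []
    for g in grants:
        # The scope field is a space-separated string and may start with a space.
        scopes = {s.lower() for s in g.get("scope", "").split()}
        risky = sorted(scopes & HIGH_RISK)
        reasons = []
        if g["clientId"] not in sanctioned_client_ids:
            reasons.append("unsanctioned app")
        if risky:
            who = ("tenant-wide" if g["consentType"] == "AllPrincipals"
                   else "single-user")
            reasons.append(f"{who} consent to {', '.join(risky)}")
        if reasons:
            findings.append((g["clientId"], reasons))
    return findings

# Constructed export in the shape of Graph's oauth2PermissionGrants collection.
# The GUID-like client IDs are placeholders.
EXPORT = json.loads("""
{"value": [
 {"clientId": "aaaaaaaa-0000-0000-0000-000000000001", "consentType": "Principal",
  "scope": "openid profile User.Read"},
 {"clientId": "aaaaaaaa-0000-0000-0000-000000000002", "consentType": "Principal",
  "scope": " Mail.ReadWrite offline_access"},
 {"clientId": "aaaaaaaa-0000-0000-0000-000000000003", "consentType": "AllPrincipals",
  "scope": "User.Read Directory.ReadWrite.All"}
]}
""")
SANCTIONED = {"aaaaaaaa-0000-0000-0000-000000000001",
              "aaaaaaaa-0000-0000-0000-000000000003"}

if __name__ == "__main__":
    for client_id, reasons in review_grants(EXPORT["value"], SANCTIONED):
        print(client_id, "->", "; ".join(reasons))
```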

Conclusion: Embrace continuous, identity-first security

Active Directory compromises remain a focal point for attackers. The Five Eyes report underscores AD's continued relevance and clarifies why identity is the modern control plane in exposure management. As you review the guidance, don't let it become another checklist. Rethink how your organization approaches AD security. Do you have continuous monitoring, risk-based prioritization, least-privilege access and unified operations? Are you employing an identity-first security approach that naturally achieves compliance? Are you unifying protection across on-premises AD and Entra ID to close gaps attackers exploit?
