Secured your Active Directory? EASM is your next password security step. 

It’s important to lock down the basics first when it comes to cybersecurity. You could purchase a state-of-the-art security system for your house, but it’s still going to be targeted by criminals if you leave the doors and windows wide open every time you go out. It’s the same with password security: you need to start with an organization’s front door, Active Directory.

If your Active Directory is wide open to credential-based attacks, that’s the problem to solve first. Once those fundamentals are covered, you can take your security further: understanding why credentials were leaked and looking into individual cases or groups of users. This is where external attack surface management (EASM) comes in and adds a new dimension to your defenses.

What do we mean by a secure Active Directory? 

First, let’s clarify what we mean by a ‘secure’ Active Directory. You should have a policy in place that prevents end users from creating weak passwords that are vulnerable to brute force and dictionary attacks. The policy should block common phrases like ‘admin’, keyboard walks like ‘qwerty’, and use a custom dictionary to block words and phrases specific to your own organization and industry (company and product names, for example). On top of that, the policy should guide and encourage end users to create passphrases that are over 15 characters in length, since they’re easier to remember than short, complex passwords.
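As an added example (not Specops code), here is a small Python policy check implementing the rules above: a blocked-phrase list, keyboard-walk detection along QWERTY rows, a custom organization dictionary, and a 15-character minimum. The word lists, the leetspeak folding and the four-key walk threshold are illustrative assumptions, not Specops Password Policy settings.

```python
# Added example (not Specops code): a minimal password policy check of the
# kind described above. The word lists, leet folding and walk threshold are
# illustrative assumptions, not Specops Password Policy settings.

# Constructed lists; a real policy loads these from a managed source.
COMMON_PHRASES = {"admin", "password", "welcome", "letmein", "changeme"}
ORG_DICTIONARY = {"specops", "outpost24", "helpdesk", "activedirectory"}
MIN_LENGTH = 15      # passphrase length the policy should steer users towards
WALK_LENGTH = 4      # a run of 4+ adjacent keys counts as a keyboard walk

# Physical QWERTY rows; walks in either direction along a row are blocked,
# which also catches digit runs such as "123456".
_ROWS = ["`1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]

def _walk_sequences(length):
    """Every run of `length` keys taken left-to-right or right-to-left along a row."""
    seqs = set()
    for row in _ROWS:
        for variant in (row, row[::-1]):
            for i in range(len(variant) - length + 1):
                seqs.add(variant[i:i + length])
    return seqs

_WALKS = _walk_sequences(WALK_LENGTH)

# Fold common substitutions so "P@ssw0rd" still matches "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})

def _leet_normalize(text):
    return text.lower().translate(_LEET)

def check_password(candidate, custom_dictionary=ORG_DICTIONARY):
    """Return the list of policy violations for `candidate`; an empty list means accepted."""
    problems = []
    lowered = candidate.lower()
    normalized = _leet_normalize(candidate)

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Substring matches, so "MyPassword2024" is caught as well as "password".
    for phrase in sorted(COMMON_PHRASES):
        if phrase in normalized:
            problems.append(f"contains common phrase '{phrase}'")
    for word in sorted(custom_dictionary):
        if word in normalized:
            problems.append(f"contains organization-specific word '{word}'")

    # Keyboard walks are checked on the raw lowercase text, since the leet
    # folding would turn "1234" into letters.
    for i in range(len(lowered) - WALK_LENGTH + 1):
        run = lowered[i:i + WALK_LENGTH]
        if run in _WALKS:
            problems.append(f"contains keyboard walk '{run}'")
            break
    return problems

if __name__ == "__main__":
    for pw in ("P@ssw0rd1234", "Specops-Helpdesk-Login!", "purple-otter-flies-at-dawn"):
        print(pw, "->", check_password(pw) or "accepted")
```

Note that a check like this runs on the cleartext candidate at change time, which is the only moment a domain controller ever sees it. It says nothing about whether an accepted passphrase already appears in a breach corpus; that is a separate, continuous check.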

Weak passwords might be blocked from your Active Directory, but a strong password can still be compromised, most commonly when it is reused on a third-party service that is later breached, or when it is harvested by infostealer malware on the user’s device. Your organization should have a tool that can continuously scan your Active Directory for compromised passwords. For example, Specops Password Policy has a Breached Password Protection feature that runs a daily scan of your Active Directory against our database of over 4 billion unique compromised passwords. The database is updated daily and includes lists of known breached credentials, passwords captured by our real-time attack monitoring system, which observes live brute force attacks, plus malware-stolen data from our human-led Threat Intelligence team.

It’s vital that your Active Directory accounts are secure (hopefully with Specops Password Policy!) since they are the accounts attackers target most and the ones that unlock the most access to your organization. Not sure whether your basics are covered? Run a read-only scan of your Active Directory for password-related vulnerabilities and get an exportable report with our free tool, Specops Password Auditor. But if you’re confident the front door is locked, there’s real value in investigating the possible causes of credential leaks, so let’s dive into EASM.

How EASM works  

Your attack surface is made up of the parts of your organization that are ‘exposed’ to the public via the internet. This includes IP addresses, DNS records, application endpoints, websites, APIs, remote (administrative) access points, databases, exposed encryption details such as TLS certificates and configuration, file sharing services, and even stolen credentials for sale on the dark web. It’s a lot to consider. Essentially, your attack surface includes anything that could be used by an attacker to gain access to the sensitive systems or data within your organization.

Even in a relatively small organization, an attack surface can grow quickly, especially over time. It’s hard to keep track of the various SaaS applications, endpoints, and mix of old and new infrastructure spread across geographically scattered organizations. This is where EASM can help. Starting from little more than your domain names, an EASM solution can give you an accurate view of both known and unknown assets across your entire attack surface. This is different from vulnerability scanning, which only scans the assets you already know about.

EASM solutions use automated and continuous discovery to proactively identify vulnerabilities, misconfigurations, and other security issues. They let you scope your online presence and identify blind spots or unknown assets that may be exposed to attack. Security teams can also use risk scoring and reporting capabilities to prioritize and remediate issues based on their potential impact. And when attackers carry out reconnaissance against your attack surface, a ‘clean’ result makes it more likely they move on to an easier target.

Five ways EASM can boost your password security  

EASM solutions can proactively monitor for leaked credentials, detect compromised accounts, prioritize the response, and take appropriate remediation actions. This helps organizations mitigate the risks associated with credential leaks and strengthen their overall defenses against password attacks. Here are five key areas where EASM can support your password security:

  1. Threat Intelligence integration: EASM solutions often integrate with Threat Intelligence sources that monitor the dark web for leaked credentials. These sources collect and analyze huge amounts of data from various underground forums and marketplaces where cybercriminals trade and sell stolen credentials. This can help with investigation into the source of the leak. 
  2. Contextual information: EASM can provide key information about the context of leaked credentials. This includes details such as the origin of the leak, the timestamp of the breach, and the threat actor involved (if available). This information helps organizations understand the severity and potential impact of the credential leak, enabling them to prioritize their response and allocate resources accordingly. 
  3. Identifying risky users: There’s value in finding compromised passwords in an audit, as the impacted end users can be notified to change their passwords. However, this doesn’t necessarily mean all of those users engaged in risky behavior. EASM, with the help of Threat Intelligence, adds the context that tells you which users are repeatedly taking careless actions and putting their credentials at risk.
  4. Risk scoring: Risk scores can be assigned to leaked credentials based on various factors, such as the sensitivity of the compromised accounts and the potential impact on the organization. These risk scores help organizations prioritize their response and focus on addressing the most critical credential leaks first. By focusing on high-risk credentials, organizations can reduce the likelihood of a damaging attack. 
  5. Alerting and remediation: EASM solutions provide real-time alerts and notifications when leaked credentials are detected. These alerts can be sent to security teams, administrators, or affected users, prompting them to take immediate action. The EASM solution may recommend actions such as password resets, enabling multi-factor authentication, or blocking access to compromised accounts. This proactive approach helps organizations respond quickly to credential leaks and prevent unauthorized access to their systems and data. 

How EASM augments your existing password security 

A tool such as Specops Password Policy with Breached Password Protection might flag that a user within the organization is using a compromised password. From there, that user receives a notification informing them they need to change their password. However, an organization’s IT team might want to investigate further to fix the root causes of leaks and adjust their prevention measures. For example, lots of end users’ passwords being stolen by malware poses a different threat from passwords being leaked through third-party breaches: malware theft means an endpoint is infected and everything else on it (session cookies, other saved logins) is at risk, whereas a third-party breach points to password reuse.

Consider a scenario where an end user’s password has been flagged, as continuous scanning has shown it to be compromised. The immediate threat has been remedied. However, an admin should take note if the same small group of end users has had to change compromised passwords several times throughout the year, at a far higher rate than the average employee. This could point to a group of users that need additional training on how to create strong, memorable, unique passwords, or education about the risks of password reuse.

There’s also value in knowing where the credentials were found, to narrow down the likely cause of the leak. Further investigation could show that the passwords were recently found in an infostealer (botnet) log and put up for sale on the dark web. That is reason to check the users’ devices for an infection by the named stealer family; a password reset alone is not enough until the device is clean, since the malware will simply harvest the new password too. The IT team may also want to update their antivirus or expand security awareness training on how to identify reliable download sources.
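To make the risk scoring in point 4 above and the repeat-offender and source-based triage of the last two paragraphs concrete, here is an added Python example (not Specops or any EASM vendor’s code) that processes a constructed feed of leaked-credential findings. The record format, the source weights, the privileged-account list, the stealer family name and the thresholds are assumptions chosen for illustration.

```python
# Added example (not Specops or EASM-vendor code): triage of leaked-credential
# findings as an EASM feed might return them. Record format, source weights,
# privileged-account list and thresholds are constructed assumptions.
from collections import Counter, defaultdict
from datetime import date, timedelta

TODAY = date(2024, 11, 8)  # fixed "now" so the example is reproducible

# Constructed sample feed carrying the context fields described above.
FINDINGS = [
    {"user": "alice", "found": date(2024, 2, 3),   "source": "third_party_breach", "actor": None},
    {"user": "alice", "found": date(2024, 6, 11),  "source": "third_party_breach", "actor": None},
    {"user": "bob",   "found": date(2024, 5, 9),   "source": "stealer_log",        "actor": "RedLine"},
    {"user": "bob",   "found": date(2024, 9, 2),   "source": "stealer_log",        "actor": "RedLine"},
    {"user": "bob",   "found": date(2024, 10, 15), "source": "combolist",          "actor": None},
    {"user": "carol", "found": date(2024, 8, 15),  "source": "third_party_breach", "actor": None},
    {"user": "dave",  "found": date(2022, 1, 5),   "source": "combolist",          "actor": None},
]

PRIVILEGED = {"bob"}  # constructed: e.g. Domain Admins, finance, service owners

# A stealer log means an infected endpoint and a current, exact credential;
# a recycled combolist is mostly old noise.
SOURCE_WEIGHT = {"stealer_log": 3.0, "third_party_breach": 2.0, "combolist": 1.0}

REMEDIATION = {
    "stealer_log": "isolate the device, scan for the named stealer family, then reset the password and re-enrol MFA",
    "third_party_breach": "reset the password and coach the user on reuse across sites",
    "combolist": "reset the password; low urgency unless the same credential shows up elsewhere",
}

def risk_score(finding, today):
    """source weight x privilege multiplier x recency factor, rounded to 2 dp."""
    age_days = (today - finding["found"]).days
    recency = 1.0 if age_days <= 90 else 0.5 if age_days <= 365 else 0.1
    privilege = 2.0 if finding["user"] in PRIVILEGED else 1.0
    return round(SOURCE_WEIGHT[finding["source"]] * privilege * recency, 2)

def repeat_offenders(findings, today, headcount, window_days=365, factor=2.0):
    """Users with more than one leak in the window and at least `factor` times
    the per-employee average (the average counts employees with zero leaks)."""
    cutoff = today - timedelta(days=window_days)
    counts = Counter(f["user"] for f in findings if f["found"] >= cutoff)
    average = sum(counts.values()) / headcount
    return {u: n for u, n in counts.items() if n > 1 and n >= factor * average}

def triage_by_source(findings, today):
    """Group findings by leak source with affected users, named actors,
    the highest score in the group and the suggested remediation."""
    groups = defaultdict(lambda: {"users": set(), "actors": set(), "max_score": 0.0})
    for f in findings:
        g = groups[f["source"]]
        g["users"].add(f["user"])
        if f["actor"]:
            g["actors"].add(f["actor"])
        g["max_score"] = max(g["max_score"], risk_score(f, today))
    return {src: {**g, "action": REMEDIATION[src]} for src, g in groups.items()}

if __name__ == "__main__":
    for f in sorted(FINDINGS, key=lambda f: -risk_score(f, TODAY)):
        print(f"{f['user']:6} {f['source']:19} score={risk_score(f, TODAY)}")
    print("repeat offenders:", repeat_offenders(FINDINGS, TODAY, headcount=10))
    for src, g in triage_by_source(FINDINGS, TODAY).items():
        print(f"{src}: users={sorted(g['users'])} actors={sorted(g['actors'])} -> {g['action']}")
```

The average in repeat_offenders is divided by headcount rather than by the number of users who appear in the feed, because the comparison the text describes is against the average employee, most of whom have no leaks at all. In the sample, bob’s two stealer-log findings outscore every third-party breach, and the triage output names the stealer family so the device check can be targeted rather than generic.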

Map your attack surface today

By adding the capabilities of EASM to your existing Active Directory password security solutions, you can proactively monitor for leaked credentials tied to your organization’s domain, investigate the source of breaches, and target the right employees with education about the risks of credential leaks. This helps mitigate the potential impact of credential-based attacks and strengthens your overall defenses. Interested in seeing how EASM could work for your organization? Get a free attack surface analysis and we’ll map your current situation.

(Last updated on November 8, 2024)

Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.
