LDAP Monitoring for Security

LDAP Monitoring
LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory (AD). AD, by contrast, is a directory services database, and LDAP is one of the protocols you can use to talk to it. Because Microsoft provides no easy way to monitor LDAP queries, to see the query that was issued and where it came from, insider threat actors can leverage this blind spot to perform reconnaissance activities – the first phase of every targeted attack!

Network Reconnaissance
Reconnaissance techniques employed by threat actors are the same as those used by penetration testers and serve the same purpose; they are used to gather intelligence, define scope, and identify weaknesses. Active reconnaissance from outside threats typically involves port scanning in order to find weaknesses in the target system (i.e., which ports are left vulnerable and/or if there are ways around the firewall and routers). Insider threats, however, are already beyond those perimeter defenses and are focused on taking over accounts, elevating privileges and locating sensitive data.

Enrich SIEM with LDAP Events
Identifying reconnaissance activities of insiders has been greatly helped with the advent of security information and event management (SIEM) tools. Modern SIEM technologies have improved their ability to scale to collect, index and report on terabytes of any machine-generated data; however, SIEMs are only as good as the information they receive. Most SIEMs provide basic data enrichment such as GeoIP lookups to determine whether an event is associated with a particular country. That information is of little use when facing insider threats; so the need to enhance SIEM data with LDAP events becomes a necessity to help analysts make intelligent, informed decisions about alerts and cybersecurity events.

Kill Chain Reconnaissance
LDAP enriched SIEM events provide security analysts with the detailed view required to expose the elaborate attack process of an inside threat actor. By improving detection of reconnaissance activities, security professionals gain an understanding of their overall defensive capabilities, as well as identify gaps in coverage by tools. Reconnaissance, as it happens, can be very difficult to detect without the context that LDAP enrichment of security events adds to the equation. But when defenders identity reconnaissance activities, even if the attacker has made his or her way further through the kill chain, it can reveal the intent of the insider threat.

Secondary LDAP Threat Vectors (JNDI)
Other lesser known and more targeted activities have been observed leveraging LDAP via enterprise web applications. These attacks were used successfully against both the White House and NATO. What is particularly nasty (and clever) about this attack vector is its use of the Java Naming and Directory Interface (JNDI); an API to access directory and naming services such as LDAP. This threat vector can be used against both internal and external assets. Successfully identifying these types of attacks often only happens after the fact as the LDAP activity goes uncorrelated with other security events.

LDAP Monitoring: Next Steps
Of all the possible ways to enrich security alerts, LDAP monitoring is a significant one, but also one of the hardest to do successfully. There is a reason LDAP monitoring is being used by some of the most successful information security teams. It is a powerful addition to any information security program that is able to harness its true potential and resolve complex attack scenarios.

For more information on how to get started with LDAP monitoring, please click here.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Name

Email*