Search
Close this search box.

Automate Compromised Password Remediation with Active Directory Guardian

ADG IDLink featured Image

For the criminal underground, getting access to systems and networks is a primary objective, and over the past several years, we’ve seen adversaries move towards automation and advanced cybercrime enablement services to increase their chances of success.

Criminal tactics are now frequently built around next-gen technology like automation, AI, and custom-made tools for the sole purpose of evading detection, influencing how (and how fast) they collect passwords and other valuable data, how they check the validity of stolen credentials, and how they programmatically distribute stolen information to their other criminals.

As criminals turn to automation, so have defenders. And SpyCloud’s Active Directory Guardian – powered by our proprietary identity analytics – gives teams an important competitive advantage in the race against the clock.

How Active Directory Guardian protects your employees – and your business

Active Directory Guardian automates detecting and remediating exposed passwords

Security teams used to look at alerts and manually check to see if the exposed passwords were in use by employees. Adversaries responded by checking stolen passwords faster after they got access to them. Without an automatic, high-volume, high-fidelity system to automate that workflow for defenders, the chances of protecting against credential-based attacks goes down dramatically.

SpyCloud’s Active Directory Guardian automates the remediation of stolen credentials – and now offers enhanced enterprise protection by identifying any exposed employee passwords, including those actively in use, those used in past roles, or those associated with personal accounts.

With the latest version of Active Directory Guardian, you can:

Scan using SpyCloud’s IDLink identity analytics for even more powerful coverage of exposed accounts. Your results will return all known exposed passwords for that employee across all their accounts.

When to use Active Directory Guardian

Here are some common scenarios that Active Directory Guardian is able to automate for your team.

01

Employee reuses Active Directory credentials on third-party sites

People reuse passwords to make their lives easier. Unfortunately, that’s also the easiest way for criminals to take over employee access. It’s also become one of the easiest things to automate for adversaries. When they get an email with a password from a third party database breach, they already know the email it belongs to and can try it to see if it works.

Active Directory Guardian enables you to check Active Directory passwords that have been exposed and are tied to employee emails and then automatically force a password reset.

02

Employee reuses their work password – this time, with their personal accounts

Some employees think that, so long as they aren’t using their work email address, reusing a password for an account registered under their personal email address is perfectly safe. In reality, it’s easy for an attacker to connect the employee’s personal alias, jsmith@gmail.com, to their work email, jsmith@employer.com. It’s much harder for your security team to do the same, especially for hundreds or thousands of Active Directory users.

Active Directory Guardian helps you monitor for this type of scenario at scale in two ways:

SpyCloud Active Directory Guardian detects when employees reuse exposed passwords across a variety of accounts.

03

Your employee shares online accounts –and passwords –with their family

Let’s say your employee’s Active Directory password is Sprinkles1, named after the family dog. Your employee reuses that same password across certain online accounts that their whole family can access. Easy to remember, easy to share.

Unfortunately for you, your employee’s kids are saving their brainspace for school, so they use the same memorable password they already know and like across their social media accounts, gaming sites, and online forums, dramatically increasing the chances your employee’s password will appear in a third-party breach.

By using Active Directory Guardian to check your Active Directory passwords for breach exposures, you can shield your organization from the risk posed by your employee’s risky password habits.

04

Your employee switches up their favorite password for ‘extra security’

Sometimes your employee switches things up with a few trivial changes to a favorite password, whether to get around password complexity requirements or to create a “more secure” password that they can still remember. The passwords in your employee’s arsenal include sprinkles, Sprinkles, Spr1nkles, Spr!nkles, and (for extra-extra-important accounts), Spr!nk13s.

Your employee doesn’t think of these “fuzzy” variations as password reuse because they’re not exact matches. In reality, they may as well be. Unsophisticated criminals have access to advanced crimeware that can check for common password variations like these, making fuzzy password reuse a security risk for your enterprise.

Active Directory Guardian helps here, too. If your employee uses a fuzzy variation of a password that has been exposed in a third-party breach, malware infection, or successful phishing attack, you can detect and automatically reset with Active Directory Guardian.

For even more powerful coverage of exposed accounts for employees, you can scan AD credentials with both IDLink analytics and fuzzy matching. With both scan options enabled, IDLink analytics will understand all the known exposed passwords for that employee across all their accounts, and can then apply fuzzy logic to the full set. You get the best of both worlds, flexibility and coverage working hand in hand to protect that access.

05

Your employee chooses a common password, like the name of their favorite sports team or the name of your company

Your employee shapes up and stops reusing passwords. Thanks to some inspiration from their favorite sports team, they come up with password they’ve never used before on any site: Longhorns#1.

Unfortunately for your employee, they’ve chosen the same password as many other Longhorns fans, several of whom have been included in third-party breaches. Once a password makes its way into lists that criminals can load into account checker tools, it creates a potential exposure for your organization.

Luckily, Active Directory Guardian offers the option to check your users’ passwords against every password in our recaptured database, independent of username. Even though your employee has never been involved in a breach using this specific password, Active Directory Guardian can flag this password to help you identify weak, expected, or compromised passwords in accordance with NIST’s recommendations.

Active Directory Guardian also includes a banned password list that your team can add to, enabling you to detect and reset passwords that an attacker might expect users at your organization to choose. Using context-specific passwords like the name of your company is such a common approach that the NIST password guidelines specifically recommend checking for it.

Active Directory Guardian only sends the first 5 characters of the password hash to check for any matches in SpyCloud’s recaptured database.

“Active Directory Guardian has saved us more than 1,000 hours. It has significantly lowered the amount of time multiple teams had to spend searching the dark web to confirm compromise — let alone remediate it.”
– Principal IT Security Architect at EBSCO Industries

Automation wins when powered by identity analytics

Ultimately, as security practitioners, our goal is to do our best to protect our users and the organization. The most effective way to do that is to use the best available data and to automate where appropriate, as much as possible.

The more we can let machines do what they do well, the more bandwidth we have to move the needle on security in other parts of our organizations. Active Directory Guardian is able to automate that remediation.

Interested in learning more about Active Directory Guardian?

Download the Active Directory Guardian datasheet to learn more about scanning and remediation options.

Using a different directory store? Learn more about our other Identity Guardian offerings including Entra ID Guardian or Okta Workforce Guardian.

Check for exposed employee data

Use our dark web exposure tool to identify exposed employee data that could be putting your business at risk.

Keep reading

Explore SpyCloud's revamped Enterprise Protection Dashboard, offering security teams powerful visibility and tools to combat identity threats.
SpyCloud Investigations with IDLink analytics is the ultimate force multiplier for analysts. See what’s possible and get a demo today.
Discover how your team can accelerate threat actor attribution with SpyCloud Investigations.
Table of Contents
Check your darknet exposure

Check Your Company's Exposure

See your real-time exposure details powered by SpyCloud.

The 2024 Malware & Ransomware Defense Report is here. Read it now

X
Search
Close this search box.