For the criminal underground, getting access to systems and networks is a primary objective, and over the past several years, we’ve seen adversaries move towards automation and advanced cybercrime enablement services to increase their chances of success.
Criminal tactics are now frequently built around next-gen technology like automation, AI, and custom-made tools for the sole purpose of evading detection, influencing how (and how fast) they collect passwords and other valuable data, how they check the validity of stolen credentials, and how they programmatically distribute stolen information to their other criminals.
As criminals turn to automation, so have defenders. And SpyCloud’s Active Directory Guardian – powered by our proprietary identity analytics – gives teams an important competitive advantage in the race against the clock.
How Active Directory Guardian protects your employees – and your business
Active Directory Guardian automates detecting and remediating exposed passwords
Security teams used to look at alerts and manually check to see if the exposed passwords were in use by employees. Adversaries responded by checking stolen passwords faster after they got access to them. Without an automatic, high-volume, high-fidelity system to automate that workflow for defenders, the chances of protecting against credential-based attacks goes down dramatically.
SpyCloud’s Active Directory Guardian automates the remediation of stolen credentials – and now offers enhanced enterprise protection by identifying any exposed employee passwords, including those actively in use, those used in past roles, or those associated with personal accounts.
With the latest version of Active Directory Guardian, you can:
- Scan with SpyCloud’s proprietary IDLink identity analytics to detect and remediate employee directory credentials from any exposures related to them, work or otherwise
- Automatically reset weak and compromised passwords
- Dynamically generate common changes to the exposed passwords, for “fuzzy matching,” checking for what criminals frequently automate themselves
- Automatically apply remediation policies for exposed passwords, depending on the type of exposure or source of the matched password
When to use Active Directory Guardian
Here are some common scenarios that Active Directory Guardian is able to automate for your team.
01
Employee reuses Active Directory credentials on third-party sites
People reuse passwords to make their lives easier. Unfortunately, that’s also the easiest way for criminals to take over employee access. It’s also become one of the easiest things to automate for adversaries. When they get an email with a password from a third party database breach, they already know the email it belongs to and can try it to see if it works.
Active Directory Guardian enables you to check Active Directory passwords that have been exposed and are tied to employee emails and then automatically force a password reset.
02
Employee reuses their work password – this time, with their personal accounts
Some employees think that, so long as they aren’t using their work email address, reusing a password for an account registered under their personal email address is perfectly safe. In reality, it’s easy for an attacker to connect the employee’s personal alias, jsmith@gmail.com, to their work email, jsmith@employer.com. It’s much harder for your security team to do the same, especially for hundreds or thousands of Active Directory users.
Active Directory Guardian helps you monitor for this type of scenario at scale in two ways:
- The first is by using SpyCloud’s IDLink identity analytics engine to pull back known passwords of the employee, from both work and personal accounts. This gives Active Directory Guardian a powerful way to automatically protect employee accounts by knowing the broader context of their password use and exposure.
- The second way Active Directory Guardian can protect employees from shared passwords across accounts is by enabling you to check your users’ Active Directory passwords against the entire SpyCloud database. You can easily detect if a user’s AD password has ever been detected in a third-party breach, malware infection, or successful phishing attack, whether or not it was combined with their Active Directory username.
SpyCloud Active Directory Guardian detects when employees reuse exposed passwords across a variety of accounts.
03
Your employee shares online accounts –and passwords –with their family
Let’s say your employee’s Active Directory password is Sprinkles1, named after the family dog. Your employee reuses that same password across certain online accounts that their whole family can access. Easy to remember, easy to share.
Unfortunately for you, your employee’s kids are saving their brainspace for school, so they use the same memorable password they already know and like across their social media accounts, gaming sites, and online forums, dramatically increasing the chances your employee’s password will appear in a third-party breach.
By using Active Directory Guardian to check your Active Directory passwords for breach exposures, you can shield your organization from the risk posed by your employee’s risky password habits.
04
Your employee switches up their favorite password for ‘extra security’
Sometimes your employee switches things up with a few trivial changes to a favorite password, whether to get around password complexity requirements or to create a “more secure” password that they can still remember. The passwords in your employee’s arsenal include sprinkles, Sprinkles, Spr1nkles, Spr!nkles, and (for extra-extra-important accounts), Spr!nk13s.
Your employee doesn’t think of these “fuzzy” variations as password reuse because they’re not exact matches. In reality, they may as well be. Unsophisticated criminals have access to advanced crimeware that can check for common password variations like these, making fuzzy password reuse a security risk for your enterprise.
Active Directory Guardian helps here, too. If your employee uses a fuzzy variation of a password that has been exposed in a third-party breach, malware infection, or successful phishing attack, you can detect and automatically reset with Active Directory Guardian.
For even more powerful coverage of exposed accounts for employees, you can scan AD credentials with both IDLink analytics and fuzzy matching. With both scan options enabled, IDLink analytics will understand all the known exposed passwords for that employee across all their accounts, and can then apply fuzzy logic to the full set. You get the best of both worlds, flexibility and coverage working hand in hand to protect that access.
05
Your employee chooses a common password, like the name of their favorite sports team or the name of your company
Your employee shapes up and stops reusing passwords. Thanks to some inspiration from their favorite sports team, they come up with password they’ve never used before on any site: Longhorns#1.
Unfortunately for your employee, they’ve chosen the same password as many other Longhorns fans, several of whom have been included in third-party breaches. Once a password makes its way into lists that criminals can load into account checker tools, it creates a potential exposure for your organization.
Luckily, Active Directory Guardian offers the option to check your users’ passwords against every password in our recaptured database, independent of username. Even though your employee has never been involved in a breach using this specific password, Active Directory Guardian can flag this password to help you identify weak, expected, or compromised passwords in accordance with NIST’s recommendations.
Active Directory Guardian also includes a banned password list that your team can add to, enabling you to detect and reset passwords that an attacker might expect users at your organization to choose. Using context-specific passwords like the name of your company is such a common approach that the NIST password guidelines specifically recommend checking for it.
Active Directory Guardian only sends the first 5 characters of the password hash to check for any matches in SpyCloud’s recaptured database.
Automation wins when powered by identity analytics
Ultimately, as security practitioners, our goal is to do our best to protect our users and the organization. The most effective way to do that is to use the best available data and to automate where appropriate, as much as possible.
The more we can let machines do what they do well, the more bandwidth we have to move the needle on security in other parts of our organizations. Active Directory Guardian is able to automate that remediation.
Interested in learning more about Active Directory Guardian?
Download the Active Directory Guardian datasheet to learn more about scanning and remediation options.
Using a different directory store? Learn more about our other Identity Guardian offerings including Entra ID Guardian or Okta Workforce Guardian.
Check for exposed employee data
Use our dark web exposure tool to identify exposed employee data that could be putting your business at risk.
Keep reading
