29 October 2020
On October 13th I moderated the anapur Virtual Dialog “Network Monitoring and Anomaly Detection”. During the breaks, some participants from industry talked about a really concerning issue: IT, IT-Security and GRC groups in their companies urge them to integrate their so far isolated production active directories in the corporate directory.
I have been involved in these discussion for 10 years and I never changed my answer:
Don’t do it!
This integration is dangerous. Active Directory simplifies lateral movement once an attacker created a foothold in your network. And it simplifies the distribution of malware through login scripts. Remind the Norsk Hydro attack from March 2019: Divisions with high vertical integration were more affected from LockerGoga than the Alumina production.
In their paper “Seven Strategies to Defend ICSs” from December 2016, DHS ICS-CERT, FBI and NSA provide a very clear active directory strategy:
Never share Active Directory, RSA ACE servers, or other trust stores between corporate and control networks.
For details see chapter 5, “Manage Authentication”.
Hope this helps in discussions with IT, IT-Security and GRC.
In his poem Ulysses, Alfred Tennyson brings it to the point:
Tho‘ much is taken, much abides;
and though we are not now that strength
which in old days moved earth and heaven;
that which we are, we are;
one equal temper of heroic hearts,
made weak by time and fate,
but strong in will to strive, to seek, to find.
And not to yield.