Semperis Report Sheds Light On Active Directory Security

Securing identity environments is more crucial than ever as both the attack surface and the threat landscape continue to expand. The 2023 Purple Knight Report by Semperis explores the security landscape of Active Directory (AD), and offers both alarming findings and hopeful insights for organizations.

Let’s take a closer look at the highlights of this report and its implications for AD security.

Why Active Directory Security Is Essential

Before we dig into the findings from the 2023 Purple Knight Report, it’s important to understand why Active Directory security matters.

“Having weaknesses in Active Directory is like having a main gate but not consistently ensuring it’s locked,” explained Marcus Carey, Principal Research Scientist with ReliaQuest and co-author of the Tribe of Hackers series of books. “Active Directory guards the entrance to an organization’s crown jewels. Just as we wouldn’t neglect the primary entryway to our homes, we need to prioritize the foundational layers of our digital infrastructure.”

Carey continued, “Improving this aspect of security requires better practices and an ongoing commitment to training and awareness. It’s a collective endeavor where everyone, from security professionals and IT teams to everyday users, plays a pivotal role in fortifying our digital defenses.”

Understanding Purple Knight

Developed by directory service professionals at Semperis, Purple Knight is a community-based Active Directory security assessment tool that provides organizations with a holistic understanding of their AD security position. Since its inception in 2021, Purple Knight has been downloaded by over 20,000 organizations.

The tool evaluates the AD environment against over 150 security Indicators of Exposure (IOEs) or Indicators of Compromise (IOCs). Post-assessment, users are presented with an illustrative report that includes an overall score, a breakdown of seven category scores, and expert recommendations for remediating identified vulnerabilities.

I spoke with Michelle Crockett, Senior Director of Product Marketing at Semperis, about Purple Knight and the latest report. She explained that Purple Knight gives users a crash course in how AD is vulnerable and how to fix it, and highlighted that the output from Purple Knight provides clarity and spells things out graphically so it’s easier to communicate with executive leaders.

Crockett emphasized, “This report clearly lays out where their problems are and what we can do to fix it. We need to all get together and make a difference here.”

Semperis’ Motivation

Given the complex nature of Active Directory environments, many organizations lack clarity on potential vulnerabilities. Semperis CEO, Mickey Bresman, shed light on the company’s motivation, stating, “We saw that many companies don’t have a good understanding of the Active Directory exposures that adversaries are able to use against them.”

By offering Purple Knight as a free tool, Semperis aims to empower security teams, especially those with limited AD expertise, to recognize their AD security status and subsequently enhance it.

Main Insights from the 2023 Purple Knight Report

  • Average Scores & Yearly Comparison: In 2023, organizations recorded an average score of 72 on their initial AD security assessments. Although an improvement from the 61% reported in 2022, this still represents a concerning C grade. The continuous low scores signify that many businesses remain challenged in spotting and rectifying security vulnerabilities, leaving them susceptible to cyberattacks.
  • In-depth Category Findings: Within the seven AD categories evaluated by Purple Knight, the account security category saw the lowest average score at 61%. Additionally, 55% of organizations identified five or more vulnerabilities in the Azure AD category. The introduction of a new Azure AD category, which checks for vulnerabilities like inactive guest accounts and misconfigured conditional access policies, saw 13% of organizations recording five or more security indicators.
  • Remarkable Improvement After Remediation: On a brighter note, when organizations implemented the expert remediation guidance from their Purple Knight assessments, they reported an average score boost of 40%, with some even experiencing enhancements of up to 64%.

Focus on What Matters

Beyond simply utilizing Purple Knight’s results for remediation, the tool can also be used to discover previously unknown vulnerabilities and present security stances to leaders. It can also help compensate for a deficit of in-house AD expertise, or prepare for further assessments like penetration tests.

Despite consistent alerts from experts and IT teams regarding AD-specific threats, many organizational leaders are not placing the requisite emphasis on AD security. This indifference leaves organizations increasingly exposed to AD-centric cyberattacks.

Tammy Mindel, Security Product Manager at Semperis, has been integral to the Purple Knight project essentially since it launched. She stressed the value of using Purple Knight on a regular basis. Running it once is useful, but that point-in-time snapshot might be irrelevant a month from now—or even a week from now.

“That is the problem for many organizations—it’s what we call ‘configuration drift’—anything devolves into chaos if you don’t pay attention to it,” shared Mindel. “I think having a report that runs very quickly—scans your environment quickly, it’s pretty light, it reads and doesn’t write, there’s nothing scary about it, it’s not calling home, it’s not reporting any data to us—that makes it a pretty easy decision for a lot of organizations to say, ‘At bare minimum, let’s run this thing once a month and just make sure that nothing new has cropped up, that there aren’t new problems we’ve introduced—that we’re not going backwards, at least.’”

John Hernandez, President and General Manager at Quest, agrees. “Active Directory assessments and expert guidance are helpful, but they are a point in time. Sprawl and misconfigurations are as reliable as taxes. Securing Active Directory and the Tier Zero assets it connects to requires continuous, automated, and measurable controls applied. Tier Zero assets are those that keep the company operational and the ones that cause the biggest impact when attacked.”

Strengthening Active Directory Security

The data from the Semperis 2023 Purple Knight Report underscores the pressing need for organizations to intensify their focus on Active Directory security. While the advancement in scores from 2022 is a positive sign, there’s still much work to be done. With tools like Purple Knight and the expert insights they provide, organizations are better equipped to fortify their defenses against the looming cybersecurity threats.
