Retailers Need to Close Active Directory Security Gaps

Retail operations are an increasingly popular target for cybercriminals. The growth of online shopping, self-checkout systems, point-of-sale transactions and other digital processes has created numerous opportunities for attackers.

Employing tactics ranging from social engineering to credit card skimming, criminals can attack anywhere along the supply chain, from payment system providers to customers. The biggest scourge, however, has been retail-sector ransomware attacks, which grew by 67% in 2022.

And the most common springboard for cyberattacks on retail? Active Directory (AD).

AD — whether on-premises AD, cloud-based Azure AD, or a hybrid of the two — is the primary identity store for 90% of businesses, so it’s an optimal starting point for cybercriminals looking to get a foot in the door. Compromising user credentials gives attackers the access and opportunity to move laterally through the network. That’s because AD is so tightly connected to systems throughout an organization, including in-store systems, online shopping sites, warehouses, third parties and company email and back-office systems.

For example, in one of the most notable ransomware attacks — the Egregor attack on Kmart — the ransomware group exploited AD to gain access, then spread its ransomware payload throughout most of the environment.

Because AD serves as the backbone of many environments, an attack that takes down AD can effectively halt operations. Therefore, smart retail teams prioritize solutions and processes that significantly reduce that risk by identifying AD security gaps, detecting attacks and quickly implementing recovery plans that help the organization regain control of its operations.

Three Steps to Securing AD

Retail security teams looking to protect against identity-based attacks should focus on three areas: hardening the AD attack surface, detecting attempted attacks and planning for a fast, secure AD recovery.

1. Prioritize AD security gaps caused by misconfigurations and lapses.
Finding the gaps in security is, of course, the first step in closing them. In AD, these gaps are mostly caused by misconfigurations and lapses in security hygiene. One example is overprivileged accounts, such as when a group is granted administrative privileges inherited by every user. Accounts with weak or plaintext passwords present another easy target, as do older accounts that are no longer used. Misconfigurations involving legacy systems and privileged access for service accounts are other often-overlooked vulnerabilities.

Cybercriminals can exploit these vulnerabilities in AD to escalate privileges, move about the network, evade defensive measures and access sensitive information. In a ransomware attack, that access also enables them to encrypt critical data and systems.

Better security hygiene and processes can help close the gap. A comprehensive assessment tool can also identify these weaknesses, enabling the organization to take corrective steps. Continuous, automated monitoring can help identify misconfigurations as they appear.
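As an added example (not code from the article or from Semperis), the following read-only PowerShell check enumerates the gap categories Step 1 describes: accounts that end up in privileged groups, including nested membership and service accounts carrying an SPN; enabled accounts that have not logged on recently; and accounts with weak password settings. It assumes the RSAT ActiveDirectory module and read access to the domain; the 90-day threshold and the group list are assumptions to adjust for your environment.

```powershell
# Added example: read-only AD hygiene check for the gaps in Step 1.
# Assumes the ActiveDirectory module (RSAT) and an account that can read the
# directory. Thresholds and the group list below are assumptions.
Import-Module ActiveDirectory

$InactiveDays     = 90                       # assumed "no longer used" cut-off
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Schema Admins', 'Account Operators'

# 1. Overprivileged accounts: every user that lands in a privileged group,
#    directly or through nested groups. Service accounts (those with an SPN)
#    are flagged because they rarely need domain-wide admin rights.
$privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser $_.DistinguishedName -Properties ServicePrincipalName, LastLogonDate
            [pscustomobject]@{
                Group            = $g
                Account          = $u.SamAccountName
                IsServiceAccount = [bool]$u.ServicePrincipalName
                LastLogonDate    = $u.LastLogonDate
            }
        }
}

# 2. Stale accounts: still enabled, but no logon within $InactiveDays.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate

# 3. Weak password settings: no password required, password stored with
#    reversible encryption (effectively plaintext), or never rotated.
$weakPw = Get-ADUser -Filter {
        PasswordNotRequired -eq $true -or
        AllowReversiblePasswordEncryption -eq $true -or
        PasswordNeverExpires -eq $true
    } -Properties PasswordNotRequired, AllowReversiblePasswordEncryption, PasswordNeverExpires |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, PasswordNotRequired, AllowReversiblePasswordEncryption, PasswordNeverExpires

"== Privileged group members ($($privileged.Count)) =="
$privileged | Sort-Object Group, Account | Format-Table -AutoSize
"== Service accounts in privileged groups =="
$privileged | Where-Object { $_.IsServiceAccount } | Format-Table Group, Account -AutoSize
"== Stale enabled accounts (> $InactiveDays days) ($($stale.Count)) =="
$stale | Format-Table -AutoSize
"== Weak password settings ($($weakPw.Count)) =="
$weakPw | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new name appearing in the privileged list or the weak-password list is exactly the kind of misconfiguration the article says continuous monitoring should surface.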

2. Monitor and respond to intrusions and attacks.
Gaining access to a network is often only one of the first steps in an attack. Cybercriminals can lurk inside for days, weeks or months before executing their malware, usually when it can do the most damage, such as during holiday sale seasons. While inside, an attacker can use AD to escalate privileges, access more of an organization’s systems and move from on-prem AD to Azure AD and other systems.

Continuous, AD-specific monitoring provides visibility into the network. Such insights can uncover signs that an attack is underway — even a more sophisticated attack that bypasses security agents and doesn’t leave a trace in security event logs. Detecting attacks that are in progress but haven’t yet locked up systems or done other damage can often enable retail organizations to stop those attacks before they cause revenue loss or reputational damage.

3. Provide AD-specific backup and timely recovery.
No security is invulnerable, a fact that has led many organizations to adopt an “assume breach” mentality. This strategy is based on the idea that your network has already been breached or will be soon. This approach leads to more active security measures, such as continuous monitoring for signs of intrusion. It also emphasizes the importance of recovering quickly from an attack.

A ransomware attack can have far-reaching ramifications, not only halting retail operations and costing a company revenue but jeopardizing customer satisfaction and a company’s reputation and putting customer data at risk (which can lead to reparations and lawsuits). However, reducing the time it takes to recover can limit the damage by bringing business operations back up to speed quickly.

Restoring AD, a critical asset in the company’s digital infrastructure, is essential to recovering from a ransomware attack. Unfortunately, that can be difficult for in-house teams to accomplish independently and typically requires days or weeks of concerted effort. And research shows only about one in five organizations has a tested recovery plan for AD.

An automated AD backup and forest recovery solution can simplify recovery of the entire AD forest. Robust solutions enable a fast rebuild of AD forests on clean servers. Ideally, such solutions can also prevent the reintroduction of ransomware by ensuring that AD backups are complete and malware-free. As a result, the time to fully recover AD can be reduced from days or weeks to minutes, minimizing the interruption to business processes.

A More Secure Retail Sector

Ransomware and other cyberattacks pose a serious threat to retail businesses. Yet Active Directory, an essential infrastructure component that reaches into every aspect of a company, is often overlooked in cybersecurity efforts. Implementing automated solutions and workflows that find gaps in AD, detect intrusions and speed recovery is critical to ensuring that business operations can withstand modern cyberattacks.

Mickey Bresman is CEO and Co-founder of Semperis, a leading provider of enterprise identity protection, threat research and incident response services headquartered in Hoboken, N.J. Among the top three fastest-growing cybersecurity companies in the U.S., according to Inc. 5000, Semperis is widely recognized to offer the industry’s most comprehensive hybrid directory protection technology and services. Beginning his technical career in the Navy, Bresman’s comfort zone is on the front lines helping organizations thwart and respond to cyberattacks. The long-time cybersecurity expert and entrepreneur has an extensive track record of driving revenue growth and scaling organizations across the globe. Prior to founding Semperis, Bresman held the position of CTO at YouCC Technologies, a Microsoft Gold Partner integration company. As a cybersecurity thought leader, he has been quoted or featured in many major publications, including Forbes, CNBC and others. He has a B.A. in Technical Management and a Minor in Electronic Engineering.
