If attackers are able to get into your internal systems and Active Directory, one of the first things they might do is give accounts elevated privileges, which shows up as group membership changes. Good Active Directory monitoring solutions are configurable like an alarm system: the system alerts you almost immediately when such changes occur.
Monitor Users or Groups
If you configure the software to monitor an important user’s group membership for example, it should let you know almost immediately if something changes. The same is true for monitoring a group’s members. In this way, you could get an email or SMS/secure message when these changes happen. Web Active Directory’s PeoplePlatform is an example of a solution that is configurable to perform this function. You can configure what emails or messages go where as a result of which changes have happened in your directory.
Timing is Important
When a system is compromised, the time it takes to respond and mitigate damage can be very important. Someone in your system for a longer time can create more havoc. This is another reason why real-time or near real-time monitoring is very important. If your “domain admins” group is compromised, for example, and you can get in quickly and fix it, you might be able to escape unharmed.
Not all Events are a Result of a Hack
One thing we have learned as a company from working with our customers over 15 years is that not all triggered events for our customers are a result of a data breach. Group membership in LDAP is hierarchical: someone can be a member of a group which is itself a member of another group, and so on. Those relationships can become quite complex. Over time, if you innocently add someone to a group, you may simply be unaware that this person will end up with more privileges than they should have. These deliberate membership changes will also trip the monitoring alarms you set with PeoplePlatform, protecting you from accidental privilege creep.
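The two situations described above (watching a sensitive group's members, and nested groups quietly granting more privilege than intended) come down to the same computation: resolve each group's effective membership through the nesting chain, then compare snapshots and alert on changes to sensitive groups. The following is an added example written for this post; it is not PeoplePlatform's code or any Active Directory API. The group names other than "Domain Admins" and all of the user names are constructed sample data, and the two dictionaries stand in for a "before" and "after" snapshot of the directory.

```python
from collections import deque

# Constructed sample snapshots: group -> direct members (users or nested groups).
# Only "Domain Admins" is a real AD group name; everything else is made up.
BEFORE = {
    "Domain Admins": {"alice"},
    "Server Ops": {"bob", "Helpdesk Tier2"},
    "Helpdesk Tier2": {"carol"},
}
AFTER = {
    "Domain Admins": {"alice", "Server Ops"},   # a whole group was nested in
    "Server Ops": {"bob", "Helpdesk Tier2"},
    "Helpdesk Tier2": {"carol", "dave"},        # an innocent-looking helpdesk add
}
SENSITIVE = {"Domain Admins"}


def effective_members(groups, group):
    """Return every user transitively in `group`, following nested groups.

    Breadth-first walk over the nesting graph; `seen` guards against
    circular nesting, which AD permits and which would otherwise loop.
    """
    seen, users = set(), set()
    queue = deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, set()):
            if member in groups:      # a nested group: descend into it
                queue.append(member)
            else:                     # a leaf: a user account
                users.add(member)
    return users


def user_effective_groups(groups, user):
    """All groups a user is effectively in, directly or via nesting."""
    return {g for g in groups if user in effective_members(groups, g)}


def membership_diff(before, after):
    """Per group, report users who gained or lost *effective* membership."""
    result = {}
    for g in set(before) | set(after):
        was, now = effective_members(before, g), effective_members(after, g)
        added, removed = now - was, was - now
        if added or removed:
            result[g] = {"added": added, "removed": removed}
    return result


def alerts(before, after, sensitive=SENSITIVE):
    """Alert lines for effective-membership changes in sensitive groups only."""
    out = []
    for g, change in membership_diff(before, after).items():
        if g not in sensitive:
            continue
        for u in sorted(change["added"]):
            out.append(f"ALERT: {u} gained effective membership of {g}")
        for u in sorted(change["removed"]):
            out.append(f"ALERT: {u} lost effective membership of {g}")
    return out


if __name__ == "__main__":
    for line in alerts(BEFORE, AFTER):
        print(line)
    print("dave is effectively in:", sorted(user_effective_groups(AFTER, "dave")))
```

Note what the diff surfaces: dave was only ever added to the helpdesk group, yet because that group was nested under "Server Ops", which was in turn nested under "Domain Admins", dave now holds domain admin rights. Comparing direct members of "Domain Admins" would miss this entirely; comparing effective members catches it, which is exactly the privilege-creep case the post describes.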