Beyond the Gate: Zero Trust and the Defense of Active Directory

When Marks & Spencer went dark in April 2025, it wasn’t just another outage. The British retailer suspended its online services to contain a ransomware attack aimed at its core identity infrastructure.

Researchers now link the incident to Scattered Spider, a loose-knit crew of U.K.- and U.S.-based attackers, some as young as 16. The group used DragonForce, a ransomware-as-a-service operation that makes an attack as easy as renting the malware and extortion tooling.

Adding insult to injury, DragonForce even emailed M&S CEO Stuart Machin directly, bragging about the breach and demanding payment.

What made this incident different wasn’t the motive, but the method — and the heightened danger it represents. Rather than spreading gradually across end-user systems, the attackers moved directly toward the domain controller, the system that governs identity and trust across the enterprise.

It marks a new phase in how ransomware groups work. Rather than spreading indiscriminately, attackers are increasingly zeroing in on identity systems to accelerate impact. Examining how that shift played out — and how it can be stopped — reveals why identity has become the new center of gravity in ransomware defense.

According to Group-IB analysts, DragonForce is a ransomware-as-a-service affiliate program that operates two ransomware variants and often tailors each attack to the victim for maximum impact.

When the heart of identity is unsecured

Investigators have confirmed that the M&S attackers exfiltrated NTDS.dit, the Active Directory database file and the crown jewels of a Windows domain.

Active Directory runs on domain controllers, the servers that store and enforce the entire identity system. NTDS.dit holds every object in the domain, including the password hashes of every user, computer and service account; paired with the boot key from the domain controller's SYSTEM registry hive, those hashes can be decrypted offline. In plain terms, the attackers stole the domain controller database, the system that decides who inside a company is trusted, what they’re allowed to access, and how every other system verifies identity.

The heist was the digital equivalent of walking out of a bank, not just with the vault’s contents but with the keys, the blueprints, and the authority to print new money at will.  

The attack exposed a reality that organizations may not want to admit publicly: attackers know that compromising a domain controller is the fastest and most reliable path to breaching an entire enterprise.

The M&S attack also shows how modern threat actors often think. Once they get inside a network, they don’t linger on end-user machines or look for stray servers to encrypt. They often laser-focus on finding a path to the domain controller.

This is because Active Directory is the system that holds everything together — user accounts, service accounts, permissions, authentication tickets, and the trust relationships that bind huge corporate environments. It’s a path that a Zero Trust approach would have shut down.

“If you control the domain controller, you control the identity infrastructure of the organization,” said Michael Adjei, director of systems engineering at Illumio. “You can give yourself what’s called god-like permissions over every system that trusts it.”

That insight echoes warnings from CISA.

“If an attacker reaches the domain controller, they don’t just get access. They inherit the entire identity fabric of the organization,” Adjei said. “Accounts, permissions, tokens, service credentials: everything flows from Active Directory.”  

[Image: Windows Server 2012 Server Manager dashboard showing three installed roles: Active Directory Domain Services, DNS, and File Services.]

The Change Healthcare breach: a foothold no one stopped

Something similar happened in the Change Healthcare breach disclosed in February 2024, one of the largest healthcare cyber incidents in U.S. history.

Attackers, believed to be ALPHV/BlackCat affiliates, gained an initial foothold with compromised credentials on a remote-access server that lacked multi-factor authentication. They then moved laterally through the environment, escalated privileges, and finally reached systems tied to the company’s core identity infrastructure.

The results were catastrophic: weeks of outages, billions in losses, nationwide pharmacy disruption, and data exposure affecting nearly 200 million people.

UnitedHealth Group, Change Healthcare's parent company, paid the ransom, reportedly about $22 million in Bitcoin, as CEO Andrew Witty later confirmed to Congress.

But the payment didn’t bring the data back. By Witty's own account, the company recovered nothing for the money, a familiar outcome in ransomware cases and a key reason experts warn against paying at all.

The U.S. State Department is offering $15 million for intel that helps identify or track down the leaders behind ALPHV/BlackCat.

How the breach accelerates: path to the domain controller

The breach shows the real cost of an identity-layer failure combined with a lack of Zero Trust controls: one gap, a rapid lateral attack, and nationwide disruption that no ransom can reverse.

Once inside, threat actors don’t need to hit every system — they only need an east-west path of least resistance without controls.  

With nothing to contain the breach, they move laterally toward the domain controller, take hold of the victim’s core identity systems, and turn a single foothold into full-on compromise.

Adjei explained that most domain controller breaches start with something small, such as an unpatched system, a misconfigured identity control, or an old service account with too many privileges. Those gaps give attackers a quiet foothold and a chance to map the environment from the inside.

From there, the reconnaissance looks ordinary: group lookups, domain trust checks, Kerberos service ticket requests, and service and session enumeration (often RPC over SMB named pipes). None of them triggers an alarm by itself. Together, though, these steps reveal the most important target in the network: the domain controller and the identities that can reach it.
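The correlation this paragraph describes, as an added example that is not code from the article or from Illumio: it parses constructed key=value records standing in for normalized Windows Security events (4661 SAM object handle requests, 5145 named-pipe access under IPC$, 4769 service ticket requests with RC4 encryption type 0x17), assigns each a reconnaissance category, and alerts when one host produces several distinct categories inside a ten-minute window. Host names, users, timestamps, the category table and the threshold are assumptions.

```python
"""
Correlate weak AD reconnaissance signals per source host.

Added example, not code from the article or from Illumio. Each event below
(a SAM object lookup, a named-pipe probe over IPC$, an RC4 service-ticket
request) is routine on its own; several distinct kinds from one host in a
short window is the pattern worth an alert. The log lines are constructed
key=value records standing in for normalized Windows Security events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_CATEGORIES = 2   # distinct recon categories per host per window; tune per environment

# Named pipes commonly used for user, session, share and trust enumeration over SMB.
RPC_PIPES = {"samr", "srvsvc", "lsarpc", "wkssvc", "netlogon"}

# Constructed sample; hosts, users and timestamps are invented.
SAMPLE_LOG = r"""
ts=2025-04-17T09:00:05 EventID=4661 Host=WS-0412 User=j.doe ObjectType=SAM_DOMAIN
ts=2025-04-17T09:00:40 EventID=5145 Host=WS-0412 User=j.doe ShareName=\\*\IPC$ RelativeTargetName=lsarpc
ts=2025-04-17T09:01:10 EventID=4769 Host=WS-0412 User=j.doe ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17
ts=2025-04-17T09:01:12 EventID=4769 Host=WS-0412 User=j.doe ServiceName=http/intranet TicketEncryptionType=0x17
ts=2025-04-17T09:02:30 EventID=5145 Host=WS-0412 User=j.doe ShareName=\\*\IPC$ RelativeTargetName=srvsvc
ts=2025-04-17T09:05:00 EventID=4661 Host=WS-0077 User=a.lee ObjectType=SAM_GROUP
ts=2025-04-17T10:30:00 EventID=4769 Host=WS-0077 User=a.lee ServiceName=cifs/fs01 TicketEncryptionType=0x12
ts=2025-04-17T10:31:00 EventID=5145 Host=WS-0077 User=a.lee ShareName=\\*\Finance RelativeTargetName=Q1\report.xlsx
"""


def parse_log(text):
    """Turn key=value lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = dict(field.split("=", 1) for field in line.split())
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def categorize(ev):
    """Map one event to a reconnaissance category, or None if it is not one."""
    eid = ev.get("EventID")
    if eid == "4661" and ev.get("ObjectType", "").startswith("SAM_"):
        return "sam_object_lookup"          # user/group lookups via SAMR
    if (eid == "5145" and ev.get("ShareName", "").endswith("IPC$")
            and ev.get("RelativeTargetName", "").lower() in RPC_PIPES):
        return "rpc_pipe_enumeration"       # sessions, shares, trusts, policy
    if eid == "4769" and ev.get("TicketEncryptionType") == "0x17":
        return "rc4_service_ticket"         # RC4 TGS requests: SPN harvesting
    return None


def correlate(events, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Alert once per host when distinct categories within `window` reach the threshold."""
    by_host = defaultdict(list)
    for ev in events:
        cat = categorize(ev)
        if cat:
            by_host[ev["Host"]].append((ev["ts"], ev["User"], cat))
    alerts = []
    for host, items in by_host.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - start <= window]
            cats = {cat for _, _, cat in in_window}
            if len(cats) >= min_categories:
                alerts.append({
                    "host": host,
                    "users": sorted({u for _, u, _ in in_window}),
                    "window_start": start.isoformat(),
                    "categories": cats,
                })
                break  # one alert per host; re-arm once the host is contained
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run it directly to print the single alert for WS-0412; WS-0077 produces one SAM lookup, an AES ticket request and an ordinary file share access, which is exactly the noise a per-event rule would page on. The categories would normally come from the SIEM's normalized fields, and the window and threshold are tuned against a quiet baseline.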

“The danger is that many organizations assume their domain controller is safe because it sits behind monitoring or physical isolation,” Adjei said. “But attackers rarely go at it directly. They follow whatever internal path is open — a weak credential, a reachable system, or a flat east-west network that never blocks their movement.”  

The pattern in both M&S and Change Healthcare breaches makes the point clear: when attackers can reach Active Directory, escalation is inevitable.

“You need graph-based visibility, not just logs,” Adjei said. “You must understand relationships between entities — how account A talks to system B, which authenticates through the domain controller. That’s where dependency mapping becomes critical.”

Securing the identity core through segmentation

Domain controllers cannot sit on an open network. When everything can reach them, attackers can, too.  

Segmentation creates simple, strong Zero Trust boundaries around these systems. It blocks unnecessary east-west traffic and removes the easy paths attackers use to move deeper.

The first step is to see how everything connects. Map which systems talk to Active Directory, on which ports (Kerberos on 88, LDAP on 389 and 636, SMB on 445, the RPC endpoint mapper on 135 plus the dynamic RPC range, DNS on 53, and the global catalog on 3268 and 3269), and which accounts rely on it. With that view, you can limit access so that only the systems that truly need the domain controller can reach it, and only on the ports they actually use. Management ports such as RDP and WinRM belong only to designated administrative hosts, never to the general workstation population.

A Zero Trust approach to segmentation should also work across every environment — cloud, data center, and endpoints. Without it, attackers could conceivably move through all of them.  

A segmented identity core stops a small breach from becoming a full compromise.

Improving detection and response for lateral movement

Most attacks become serious only after the first foothold.  

That’s why detection needs to look beyond the initial breach. Strong security starts with clear context: you must see how workloads, accounts, and the domain controller relate to each other.

Next, focus on lateral movement signals. These include strange connections between systems, unusual traffic patterns, or an identity reaching something it never touches. When detection highlights only the important events, teams can act faster with less noise.

The last step is fast containment. Detection and segmentation should work together to isolate a system the moment it behaves in a risky way. This stops an attacker from moving toward the identity core and reduces the blast radius of any breach.
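One way to implement the map-then-limit sequence from the segmentation section together with the detect-and-contain sequence above, as an added example that is not code from the article or from Illumio: it learns from constructed flow records which sources reach the domain controller on which ports, turns that into a default-deny allowlist, flags an identity reaching a system it never touched in the baseline, and quarantines any source that attempts a denied path. Management ports are never auto-allowed except from an assumed admin jump host (JUMP01); all hosts, accounts, ports and flows are invented.

```python
"""
Dependency map -> DC allowlist -> lateral-movement verdicts -> containment.

Added example, not code from the article or from Illumio. Flow records are
constructed (src_host, account, dst_host, dst_port) tuples; host names,
accounts and the role of JUMP01 as the only approved admin source are
assumptions.
"""
from collections import defaultdict

DC = "DC01"
ADMIN_SOURCES = {"JUMP01"}  # assumption: the one host allowed to manage the DC

# Ports an AD client legitimately needs to reach a domain controller.
AD_SERVICE_PORTS = {53, 88, 135, 389, 445, 464, 636, 3268, 3269}
# Management ports: never auto-allowed to the DC from a learned baseline.
MGMT_PORTS = {3389, 5985, 5986}

# Constructed baseline flows observed during a learning period.
BASELINE_FLOWS = [
    ("WS-0412", "j.doe", "DC01", 88), ("WS-0412", "j.doe", "DC01", 389),
    ("WS-0412", "j.doe", "DC01", 445), ("WS-0412", "j.doe", "DC01", 53),
    ("WS-0412", "j.doe", "SRV-FILE01", 445),
    ("WS-0077", "a.lee", "DC01", 88), ("WS-0077", "a.lee", "DC01", 389),
    ("WS-0077", "a.lee", "DC01", 53),
    ("WS-0077", "a.lee", "DC01", 3389),   # odd: RDP to a DC from a workstation
    ("SRV-FILE01", "svc_backup", "DC01", 88), ("SRV-FILE01", "svc_backup", "DC01", 389),
    ("JUMP01", "da.ops", "DC01", 88), ("JUMP01", "da.ops", "DC01", 389),
    ("JUMP01", "da.ops", "DC01", 3389), ("JUMP01", "da.ops", "DC01", 5985),
]

# Constructed "live" flows to evaluate against the learned policy.
LIVE_FLOWS = [
    ("WS-0412", "j.doe", "DC01", 88),         # routine Kerberos
    ("WS-0412", "j.doe", "DC01", 5985),       # WinRM to the DC from a workstation
    ("WS-0077", "a.lee", "SRV-FILE01", 445),  # a.lee has never touched this server
    ("JUMP01", "da.ops", "DC01", 3389),       # approved admin path
    ("WS-0077", "svc_backup", "DC01", 445),   # service account on a workstation, new port
]


def dependency_map(flows, dc=DC):
    """Which sources reach the DC on which ports, and which hosts each account reaches."""
    dc_ports = defaultdict(set)
    identity_paths = defaultdict(set)
    for src, account, dst, port in flows:
        identity_paths[account].add(dst)
        if dst == dc:
            dc_ports[src].add(port)
    return dc_ports, identity_paths


def build_policy(dc_ports, dc=DC, admin_sources=ADMIN_SOURCES):
    """Least-privilege allowlist for the DC; anything not listed is denied."""
    rules, review = {}, []
    for src, ports in dc_ports.items():
        allowed = ports & AD_SERVICE_PORTS
        if src in admin_sources:
            allowed |= ports & MGMT_PORTS
        for port in sorted(ports - allowed):
            review.append((src, port))  # seen in baseline but not auto-allowed
        rules[src] = allowed
    return {"dc": dc, "rules": rules, "review": review}


def evaluate(flow, policy, identity_paths):
    """Return (verdict, reason): deny off-allowlist DC access, alert on new identity paths."""
    src, account, dst, port = flow
    if dst == policy["dc"] and port not in policy["rules"].get(src, set()):
        return "deny", f"{src} -> {dst}:{port} is not on the DC allowlist"
    if dst not in identity_paths.get(account, set()):
        return "alert", f"{account} never reached {dst} during the baseline"
    return "allow", ""


def contain(verdicts):
    """Quarantine any source that attempted a denied path to the DC."""
    return sorted({flow[0] for flow, verdict, _ in verdicts if verdict == "deny"})


def run(baseline=BASELINE_FLOWS, live=LIVE_FLOWS):
    dc_ports, identity_paths = dependency_map(baseline)
    policy = build_policy(dc_ports)
    verdicts = [(f, *evaluate(f, policy, identity_paths)) for f in live]
    return policy, verdicts, contain(verdicts)


if __name__ == "__main__":
    policy, verdicts, quarantined = run()
    for src, ports in sorted(policy["rules"].items()):
        print(f"allow {src} -> {policy['dc']} ports {sorted(ports)}")
    print("needs review:", policy["review"])
    for flow, verdict, reason in verdicts:
        print(verdict.upper(), flow, reason)
    print("quarantine:", quarantined)
```

The review list is the important caveat: a learned baseline can already contain attacker traffic, so anything outside the expected AD service ports (here, RDP from WS-0077) is surfaced for a human rather than grandfathered into the policy. Denied paths to the domain controller quarantine the source immediately; a new identity path to an ordinary server only alerts, since that is where context (is this a new employee, a new backup job, or a stolen credential?) decides the response.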

Experience Illumio Insights free today to learn how to see and stop domain controller attacks before they spread.
