Our study found a gap between the offensive and defensive sides that makes Active Directory an easy target for attackers. To begin with, defenders are not sufficiently informed about Active Directory attacks. Without sufficient information about these attacks, defenders lack visibility into potential threats in the environment and cannot implement defenses such as alerts that uncover an intrusion. Secondly, securing Active Directory remains challenging even when defenders do have visibility into the threats. With large numbers of assets and corresponding attack vectors, it is difficult for defenders to prioritize which threats to address. Without prioritization, it is impossible to reduce risk efficiently in the shortest time possible. Thus, without a comprehensive risk assessment, the outcome of the resources invested in addressing security issues cannot be known with high confidence.
To solve these challenges for defenders, we started by inventorying all the attack vectors for Active Directory to provide visibility into potential threats. We also proposed a risk model that calculates the risk of each attack vector in a practical way for prioritization. Based on the risks of the attack vectors, we can then quantify the attack paths for an overall evaluation. After a deep dive into our risk model, we will present how attack vectors and attack paths can be applied to the model for risk quantification, along with a strategy to reduce the overall risk effectively and comprehensively.