Cybersecurity defense is a moving target. New and sophisticated attack variants are continuously appearing, APTs are constantly revising their strategy and seeking weaknesses in business security implementations, making it imperative for enterprises to continuously refine their security stack. Organizations often use either siloed security tools or a combination of multiple cybersecurity products that collect huge volumes of data, independently. This results in disparate and disconnected systems.
While standard security solutions offer capabilities for detecting and preventing a range of Active Directory attacks, they provide a limited solution for advanced threat defense against Active Directory.
Cybersecurity requires an integrated strategy that augments standard security tools with an Advanced Deception Platform to effectively protect enterprises from Active Directory exploits.
Acalvio ShadowPlex offers a differentiated, best-in-class AI-based deception solution for Active Directory security. The combination of deceptions with AI-powered analytics serves as a powerful mechanism to protect the enterprise from known and new variants of Active Directory exploits, such as AS-REP Roasting, DCSync, Kerberoasting, Unconstrained Delegation, Pass-the-Hash among others. This approach is built on Acalvio’s unique and powerful Active Directory Protection Kill Chain.
What are the Current Defense and Detection Systems?
Most detection and security systems today are based on agent-based behavioral detection, AD event log monitoring, SIEM-based event correlation, SOC triaging, and manual investigation and aftermath threat hunting. While these methods do offer a certain degree of defense capabilities, when it comes to securing critical infrastructure components like Active Directory needs a more compelling Active Defense strategy. The MITRE Shield is an active defense knowledge base that encourages the use of limited offensive action and counterattacks to deny attack progress. The Shield Matrix lists multiple tactics spanning channel, collect, contain, detect, disrupt, facilitate, legitimize, and test. Using Deception techniques across all of these tactics for detection, engagement and counterattack takes the center stage in the matrix. This is a compelling framework to build a stronger, proactive AD defense strategy.
Certain deception solutions in the market offer AD protection using non-scalable solutions such as creating complete fake AD forests, hiding real production assets and domain controllers on parts of the network segment, intercepting DNS lookups, or deploying a large number of deceptions on enterprise endpoints’ memory. Such solutions cannot offer holistic AD protection covering multiple bases and are largely static and cannot cover a complex and diverse enterprise network that comprises a variety of OSes, Aure, or Hybrid AD models.
What is Acalvio’s Solution for Active Directory Security?
A superior strategy for AD protection is one based on Deception. The best AD protection strategy is the one that prevents an attack on the enterprise’s core infrastructure as much as possible by:
- Providing continuous visibility into potential attack surfaces
- Proactively ferreting out latent threats using threat investigation and advanced analytics
- Predicting the attacker’s path and slowing down their movement
- Confusing or diverting the attacker, predicting and detecting the TTP at every stage, and
- Ultimately, even changing the attacker’s perception of the network.
Acalvio ShadowPlex is an autonomous deception platform that provides an AI-based deception solution for Active Directory protection. ShadowPlex’s strong capabilities include deep visibility into the network assets and AD misconfigurations using automatic AD discovery. Advanced AI algorithms provide situational awareness of possible threat vectors lurking on the network and their distance from the critical assets, along with possible attack paths. ShadowPlex combines threat intelligence from various sources using pre-built integrations and builds an attacker’s view of the network that can be invaluable for the defense teams to reduce the attack surface proactively.
ShadowPlex leverages its pre-built integration with Active Directory to auto-discover, tag, and analyze entities registered in AD. It can then register deceptive entities at the right level in the enterprise AD. The solution adopts a proactive security posture by leading attackers towards deceptions, providing defenders with more time to detect and respond to the attack.
ShadowPlex supports on-premises AD deployments, Azure AD and Hybrid AD deployments and provides pre-packaged deception playbooks for AD protection. ShadowPlex’s playbooks incorporate deep knowledge of the threat landscape and TTPs used by sophisticated threats. A rich palette of deceptions enables casting a wider net with automatic key deception placements on the network.
How Can Acalvio ShadowPlex Help in Securing Active Directory?
Active Directory attacks are performed in multiple phases – ranging from reconnaissance to lateral movement to data exfiltration. Each phase is related to a specific type of activity in a cyber-attack. Each phase also presents an opportunity to stop the cyber-attack in progress. Acalvio provides an extensive set of capabilities to protect Active Directory environments and detect APT threats, initial access and privilege escalation, along with additional AD offensive techniques.
Acalvio’s Active Directory security solution provides pre-attack stage visibility for Active Directory through a capability known as “Active Directory Insights”. This provides an “as-the-attacker-sees-it” visibility into the AD attack surface with a 100+ point analysis of AD.
Acalvio provides a rich set of deceptions, known as Honey Accounts and honeytokens , that are leveraged to detect AD threats. To an attacker, Honey Accounts look like real user accounts and service accounts in AD. And HoneyTokens look like real account profiles on endpoints. These deceptions are designed to detect a large set of AD threats, including initial access/reconnaissance, privilege escalation, and advanced techniques leveraged by APT threat actors.
Examples of Honey Accounts
- User account of an IT/helpdesk administrator
- SQL Server service account
Examples of HoneyTokens
- Account profiles in RDP cache
- Account profiles in LSASS memory cache
Acalvio also provides pre-packaged deception playbooks for AD protection. Acalvio’s playbooks incorporate deep knowledge of the threat landscape and TTPs used by sophisticated threats. The playbooks are designed to detect attack techniques such as:
- Deep Reconnaissance/AD Enumeration
- Domain Trust Abuse, Privilege escalation
- Credential abuse/replay attacks
- Kerberos attacks (such as Delegation attacks, Kerberoasting, AS-Rep Roasting, Silver Ticket/Golden Ticket exploits)
- Post-exploitation and late-stage kill chain attacks (such as DCShadow and DCSync attacks)
Timely detection of Active Directory attacks is crucial in limiting the impact on business operations. Through a combination of Deception Technology and AI, Acalvio ShadowPlex provides rapid detection, advanced threat investigation, analysis, and automated response capabilities designed to proactively reduce the attack surface and protect the enterprise Active Directory against attacks without adding unnecessary complexity, cost and IT overheads.
Contact Acalvio to schedule a demo of the Active Directory protection solution.
Authors
Dr Satnam Singh is currently leading security data science development at Acalvio Technologies. He has more than a decade of work experience in successfully building data products from concept to production in multiple domains. In 2015, he was named as one of the top 10 data scientists in India. To his credit, he has 25+ patents and 30+ journal and conference publications. Apart from holding a PhD degree in ECE from University of Connecticut, Satnam also holds a Masters in ECE from University of Wyoming. Satnam is a senior IEEE member and a regular speaker in various Big Data and Data Science conferences.
