Suril Desai

In this two-part blog series, we examine how advancements in artificial intelligence (AI) are transforming the cybersecurity landscape. In our first article, we discuss how threat actors now employ AI to automate the creation of code exploits for known (one-day) and unknown (zero-day) vulnerabilities. This capability not only quickens the pace of attacks but also significantly enlarges their potential impact. In our upcoming blog, we will address AI-enabled polymorphic malware and ransomware, designed to slip past traditional, signature-based detections. The emergence of such technologies calls for a revolutionary approach to cyber defense strategies to effectively counter these evolving threats.

A large enterprise faced a critical insider threat when a rogue administrator exploited a service account and script used for managing user accounts in Active Directory (AD). The attacker attempted to disable user accounts, including an Acalvio honeytoken account strategically placed to attract unauthorized access. This triggered an immediate, high-fidelity alert that enabled the SOC team to identify and stop the attack before it caused significant disruption. The organization avoided a major outage, underscoring the power of deception technology to stop real-world threats undetected by traditional security solutions.

Endpoint security remains a cornerstone of modern cybersecurity strategies, primarily driven by Endpoint Detection and Response (EDR) solutions. While EDR has become a widely adopted safeguard for user and server environments, it has a set of detection gaps that need to be complemented. The increasingly sophisticated tactics of adversaries demand a robust, layered approach to threat detection that transcends traditional methods. This is where cyber deception comes into play as an indispensable complement to EDR, reinforcing the defense-in-depth strategy essential for comprehensive threat protection.

The NSA, CISA, and allied cybersecurity agencies from the Five Eyes intelligence alliance, including the UK Government, Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre have released comprehensive guidance to mitigate threats against Active Directory (AD), highlighting 17 common attack techniques used by adversaries. Given AD’s fundamental role in central authentication and authorization, it is an attractive target for attackers aiming to elevate privileges and gain unauthorized access to critical systems and sensitive data. The report is available at: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3917556/nsa-jointly-releases-guidance-for-mitigating-active-directory-compromises/

Threat actors are continuing to gain sophistication and stealth, with 2024 seeing an escalation in the magnitude and impact of breaches. Recent research from the CrowdStrike Threat Hunting Report 2024 highlights the increase in living off the land exploits, insider threats, identity compromise, and cloud-specific threats as modern adversaries evolve to bypass traditional security solutions. At Fal.Con 2024, from September 16-19 in Las Vegas, Arsen Darakdjian, Senior Vice President of Global Cybersecurity from Paramount, will join me in a breakout session to discuss how technological innovations in deception technology are defending against these evolving threats.

In the rapidly evolving world of cybersecurity, traditional Identity Threat Detection and Response (ITDR) systems are foundational in safeguarding organizational assets. Yet, these systems frequently display critical gaps, especially when faced with sophisticated, identity-based threats and the exploitation of system vulnerabilities. These traditional systems rely heavily on signature-based detection, anomaly behavior analysis, and logs, which may not effectively distinguish between legitimate activities and sophisticated malicious tactics. As attackers continue to evolve their techniques, especially in exploiting third-party components and using stolen credentials, the limitations of traditional ITDR become apparent. Why attacks succeed: despite the deployment of traditional monitoring approaches on Active Directory (AD) and cloud identity stores, identity-based attacks are continuing to escalate at an alarming rate. Attackers have evolved with stealthy techniques that exploit gaps in traditional ITDR for credential misuse and privilege escalation, such as: Cached credentials: are copies of user authentication data stored locally to speed up re-authentication processes, including passwords, session tokens, and Kerberos tickets. While they enhance system performance and user convenience, they also provide attackers with a potential goldmine. Cybercriminals leverage tools like Mimikatz, LaZagne, Seatbelt, and other credential dumping utilities to extract these credentials from various caches (like Windows Security Accounts Manager (SAM), Local Security Authority Subsystem Service (LSASS) cache, and browser caches), enabling them to persist within networks, move laterally across systems, and escalate privileges. The subtlety of these attacks often allows them to bypass traditional security measures, which struggle to differentiate between legitimate and malicious use of these credentials. Third-party sync agents and identity stores beyond AD: organizations are increasingly adopting a hybrid identity architecture with cloud identity providers (IdP) for identity federation. To keep AD in sync with the cloud IdP, synchronization agents are deployed. Additionally, organizations have servers such as Active Directory Federation Services (ADFS) and Active Directory Certificate Services (ADCS) that have trusted access to AD. Attackers target the third-party sync agents to gain access to domain credentials, leveraging the lack of monitoring on these agents to obtain access to privileged credentials. Stealthy attacks that evade traditional detection mechanisms: attackers have evolved, with stealthy attacks such as offline attacks, client-side attacks that evade traditional detection approaches based on monitoring AD network traffic and logs. Offline attacks such as Kerberoasting, client-side attacks such as Silver Ticket attacks are being used with increasing frequency by attackers. These attack techniques do not result in anomalous network traffic or event log traces, resulting in detection gaps through traditional ITDR approaches. Adversary in the middle (AITM) attacks: attackers gain access to domain credentials through AITM techniques such as LLMNR poisoning and use these credentials for lateral movement. Traditional ITDR is unable to detect malicious use of the valid credentials. Cyber deception emerges as a critical solution to these challenges. It introduces deceptive elements, such as honey accounts and honeytokens, strategically placed within the identity stores and endpoints to lure and detect attackers by triggering undeniable indicators of an incursion. This proactive defense mechanism not only enhances detection capabilities but also provides actionable intelligence, enabling more effective and rapid response. By addressing the inherent weaknesses of conventional detection methods, especially in the context of cached credentials and stealthy identity attack techniques, cyber deception creates a more resilient and adaptive security posture against the increasingly complex threat landscape.

Earlier this month, we witnessed ( Reuters, TechCrunch, Washington Post, CNN etc. ) the US Department of Energy, several other government agencies, banks and other commercial organizations were hit in a global hacking campaign that exploited a vulnerability in widely used file-transfer software called MOVEit by Progress Software.

The CrowdStrike Global Threat Report for 2024 highlights a rapidly evolving cyber threat landscape. The sophistication and speed of cyberattacks are skyrocketing, with adversaries leveraging identity-based tactics, exploiting unmanaged device vulnerabilities, and even capitalizing on trusted relationships for initial access. Several key takeaways warrant attention in response to the disturbing trends highlighted in the report: 1. The increase in identity-based attacks signals a need for more sophisticated identity and access management solutions. 2. The susceptibility of unmanaged devices underscores the importance of comprehensive asset management and endpoint protection strategies. 3. The exploitation of trusted relationships stresses the importance of zero-trust architectures. 4. Adversaries continue to gain in stealth and speed, increasing their ability to complete their mission before becoming discovered

In cybersecurity, unmanaged endpoints represent a significant vulnerability within even the most meticulously planned defense strategies. These unprotected access points are attractive targets for identity-driven attacks. Organizations are unable to gain coverage for all the endpoints with endpoint security and detection tools; even those maintaining the highest levels of vigilance might only achieve around 80% endpoint security coverage. This leaves a consequential proportion of endpoints – about 20% – unmanaged and susceptible. In addition, there are a large number of peripherals and IoT devices, such as printers, cameras that are not compatible with endpoint security solutions and add to the pool of the unmanaged endpoints. These exposed endpoints, linked with the network and Active Directory (AD), offer an easy entry point for attackers to compromise the system, gain access to privileged credentials, and cause substantial damage. Recent research indicates over 25% of modern attacks originate from an unmanaged endpoint.

MGM Resorts was compromised by a threat actor, Scattered Spider (UNC3944). The threat actor gained control over the super administrator account of Okta, gained Azure administrative rights, and gained Domain Admin privileges over the Active Directory. The threat actor deployed the ALPHV ransomware on over 100 ESXi servers on premise. This caused an entire system shutdown, with MGM resorts losing millions of dollars, having to fall back to paper-based hotel admission and suffering tremendous damage to their reputation. The impact of this attack was severe. As the hospitality services experienced outages, customer service and experience took a nosedive, payment systems were down and the slot machines at their casino were completely inoperable.

Over 80% of cyber attacks involve identity compromise. This includes malware threats, Ransomware, and advanced persistent threat (APT) actors. Attackers leverage identities for Lateral Movement and to escalate privileges as part of an offensive campaign. Cyberattacks have become a persistent threat to organizations across sectors. As the cyber threat landscape grows more complex, attacks are becoming larger and more scalable. Attackers are making use of superior digital and economic resources, allowing them to develop attacks that are increasingly sophisticated stemming from a large variety of attack vectors. In this blog series, we look at identity-based attacks, the identity ecosystem, and the importance of identity security.