Identity Threat Detection & Response
Acalvio’s Identity Threat Detection & Response (ITDR) solution includes visibility into and management of the identity attack surface area, together with a deception-based solution to detect and respond to identity attacks. The first step in reducing the attacker’s chance of success is to identify the identity attack surface. For the attack surface that cannot be removed, ShadowPlex provides targeted cyber deception to detect and respond to identity compromise attempts.
Identity Attack Surface Visibility & Management
Identity Attack Surface includes identity repositories and credential caches on endpoints. ShadowPlex provides deep visibility into the attack vectors in both kinds of identity stores and proactive management of the identity attack paths.
ShadowPlex provides insights into the attack targets in on-premises AD deployments, Azure AD, and Hybrid AD deployments. ShadowPlex also provides visibility into M365® email attack surface area. ShadowPlex does not require special privileges or permissions on the domain to generate the attack surface insights and does not affect AD operations.
A credential cache holds credentials (or tickets) on an endpoint so that authenticating to a service or an enterprise asset multiple times doesn’t require contacting the credential store repeatedly or re-entering the credentials. When adversaries breach the enterprise network, it is rather simple to enumerate cached credentials and select an identity to compromise. The ShadowPlex Endpoint Attack Surface Management capability provides in-depth visibility into identity caches.
All sophisticated attacks use pre-analysis tools that, once inside the enterprise, zero in on identities to compromise and move within the network without being detected. The ShadowPlex Attack Paths capability combines identity repository insights and the endpoint attack surface area with vulnerability data and observed exploits to identify attack paths involving exploitable chains of relations.
Identity Threat Defense
ShadowPlex provides early detection of identity attacks with precision and speed. ShadowPlex deploys blended and targeted deception in identity repositories and identity caches to detect identity exploit attempts and lead attacks to decoys.
ShadowPlex AD attack detection uses a combination of decoy users, computers, and SPNs to detect sophisticated attacks against AD. Based on the attack type, ShadowPlex uses an AI module to automatically recommend the deception to deploy. By leveraging the insights gained from identity attack surface visibility, ShadowPlex can craft a set of precise deceptions that address the attack type and blend into the contents of the AD. ShadowPlex provides a pre-built, curated palette of non-fingerprintable deceptions designed specifically to detect advanced Active Directory attacks.
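The detection principle behind decoy users, computers and SPNs is that a decoy object has no legitimate consumer, so any authentication event naming it is a high-confidence alert. The following is an added illustration of that principle over constructed Windows Security events; it is not ShadowPlex code, and the decoy names, IP addresses and event records are all made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed decoy inventory; hypothetical names, not real directory objects.
DECOY_USERS = {"svc_backup_adm"}
DECOY_COMPUTERS = {"FILESRV-07$"}
DECOY_SPNS = {"MSSQLSvc/filesrv-07.corp.example:1433"}

@dataclass(frozen=True)
class Alert:
    event_id: int
    decoy: str
    source_ip: str
    technique: str

def classify(ev: Dict[str, str]) -> Optional[Alert]:
    """Map one Security event to an Alert if it touches a decoy object."""
    eid = int(ev["EventID"])
    ip = ev.get("IpAddress", "-")
    if eid == 4769 and ev.get("ServiceName") in DECOY_SPNS:
        # Service ticket issued for a decoy SPN. 0x17 is RC4-HMAC; a request
        # that downgrades to RC4 is the classic sign of a ticket taken for
        # offline cracking, so it is tagged for triage.
        tag = " (RC4 downgrade)" if ev.get("TicketEncryptionType") == "0x17" else ""
        return Alert(eid, ev["ServiceName"], ip, "TGS request for decoy SPN" + tag)
    if eid == 4768 and ev.get("TargetUserName") in DECOY_USERS:
        # AS-REQ (TGT request) naming a decoy account.
        return Alert(eid, ev["TargetUserName"], ip, "TGT request for decoy user")
    if eid == 4624 and ev.get("TargetUserName") in (DECOY_USERS | DECOY_COMPUTERS):
        # A successful logon with a decoy identity, e.g. a decoy credential
        # that was planted in an endpoint cache and later replayed.
        return Alert(eid, ev["TargetUserName"], ip, "logon with decoy identity")
    return None

def scan(events: List[Dict[str, str]]) -> List[Alert]:
    """Run classify over a batch of events and keep only the decoy hits."""
    return [a for a in map(classify, events) if a is not None]

# Constructed sample events; field names follow the Security log XML schema.
SAMPLE_EVENTS = [
    {"EventID": "4769", "ServiceName": "MSSQLSvc/filesrv-07.corp.example:1433",
     "TicketEncryptionType": "0x17", "IpAddress": "10.20.30.44"},
    {"EventID": "4769", "ServiceName": "HTTP/intranet.corp.example",
     "TicketEncryptionType": "0x12", "IpAddress": "10.20.30.45"},
    {"EventID": "4768", "TargetUserName": "svc_backup_adm", "IpAddress": "10.20.30.44"},
    {"EventID": "4624", "TargetUserName": "jdoe", "IpAddress": "10.20.30.46"},
    {"EventID": "4624", "TargetUserName": "FILESRV-07$", "IpAddress": "10.20.30.44"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Three of the five constructed events hit a decoy and all come from the same source address, which is the kind of correlation a SOAR playbook would act on; the legitimate SPN and user events produce nothing.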
Endpoint Attack Surface Management
ShadowPlex also manages the endpoint attack surface area, reducing it by removing cached privileged credentials from the various endpoint credential caches, along with privileged local or domain identities. ShadowPlex also provides an option to replace any cached real credentials with deceptions.
In addition to credentials, endpoints may also hold cached lateral movement pathways. These pathways enable attackers to move easily to other interesting targets without raising any alerts. ShadowPlex allows deletion of these cached lateral movement pathways, closing this very important attack vector.
Active Defense against Identity Attacks
ShadowPlex has an extensive palette of identity deceptions to deploy in all endpoint credential caches to detect credential cache exploits and redirect attacks to decoys. These include:
- Privileged User Credentials and Profiles
- Pathways for lateral movement
- Security configurations
The endpoint identity deceptions are blended and personalized by an AI engine for each endpoint, and the deployment process leaves no fingerprints. The deceptions are customizable and extensible, including customer-specific applications. The deceptions are also automatically refreshed as endpoint configurations change.
Integration with Security Ecosystem
ShadowPlex integrates with a wide range of solutions, including SOAR, SIEM, EDR, AD, network management solutions, email servers, and software management solutions (such as SCCM, Chef, Puppet, and other platform-specific tools). ShadowPlex leverages integrations with these defense systems for network discovery, gathering forensic data from endpoints, breadcrumb and bait deployment on network endpoints and assets, and automated response.
Explore our patented technologies to enable Active Defense and Identity Security in your enterprise.