Identity Threat Detection & Response

“Identity as the new security perimeter” is the reality. The traditional security perimeter has become porous with the rapid adoption of cloud services, mobile solutions, internet-facing applications, and the recent hybrid work-from-home model. The new normal is that the traditional perimeters will be breached sooner or later. The focus is now on internal identity security protection so that the breaches do not become disasters.

The Acalvio Identity Threat Detection & Response (ITDR) solution includes visibility and management of the identity attack surface and an effective deception-based solution to detect and respond to identity attacks. The first step in reducing the attacker’s chance of success is to identify the identity attack surface. For the attack surface that cannot be removed, ShadowPlex provides targeted cyber deception to detect and respond to identity compromise attempts.

Identity Attack Surface Visibility & Management

The identity attack surface includes identity repositories and credential caches on endpoints. ShadowPlex provides deep visibility into the attack vectors in both kinds of identity stores and proactive management of the identity attack paths.

Identity Repositories

ShadowPlex provides insights into the attack targets in on-premises AD deployments, Azure AD, and Hybrid AD deployments. ShadowPlex also provides visibility into the M365® email attack surface. ShadowPlex does not require special privileges or permissions on the domain to generate the attack surface insights and does not affect AD operations.

Credential Caches

A credential cache holds credentials (or tickets) on an endpoint so that authenticating to a service or an enterprise asset multiple times doesn’t require repeatedly contacting the credential store or re-entering the credentials. When adversaries breach the enterprise network, it is rather simple for them to enumerate cached credentials and select an identity to compromise. The ShadowPlex Endpoint Attack Surface Management capability provides in-depth visibility into identity caches.

Attack Paths

All sophisticated attacks use pre-analysis tools that, once the attacker is inside the enterprise, can zero in on identities to compromise and help the attacker move within the network without being detected. The ShadowPlex Attack Paths capability combines identity repository insights and the endpoint attack surface with vulnerability data and observed exploits to identify attack paths involving exploitable chains of relations.

Identity Protection

ShadowPlex provides early detection of identity attacks with precision and speed. ShadowPlex deploys blended and targeted deception in identity repositories and identity caches, to detect identity exploit attempts and lead attacks to decoys.

ShadowPlex AD attack detection uses a combination of decoy users, computers, and SPNs to detect sophisticated attacks against AD. Based on the attack type, ShadowPlex uses an AI module to automatically recommend the deception to deploy. By leveraging the insights gained from identity attack surface visibility, ShadowPlex can craft a set of precise deceptions that address the attack type and blend into the contents of the AD. ShadowPlex provides a pre-built curated palette of non-fingerprintable deceptions designed specifically to detect advanced Active Directory attacks.
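
The detection principle behind decoy users, computers, and SPNs can be shown with a short added example (not ShadowPlex code and not from Acalvio): because no legitimate user or service ever touches a decoy, any Windows Security event that names one is a high-fidelity alert. The decoy names, IP addresses, and sample events are constructed for illustration; the event IDs and field names are those of the Windows Security log.

```python
# Constructed decoy inventory (hypothetical names): AD objects no real user or service uses.
DECOY_ACCOUNTS = {
    "svc-backup-adm": "decoy user carrying a decoy SPN",
    "fin-sql07$": "decoy computer",
    "adm-jhale": "decoy privileged user",
}

# Windows Security event ID -> (field naming the account being touched, meaning).
WATCHED = {
    4768: ("TargetUserName", "Kerberos TGT requested for decoy"),
    4769: ("ServiceName", "Kerberos service ticket requested for decoy"),
    4624: ("TargetUserName", "successful logon as decoy"),
    4625: ("TargetUserName", "failed logon as decoy"),
}

def decoy_alerts(events):
    """Return one alert per event that touches a decoy account."""
    alerts = []
    for ev in events:
        rule = WATCHED.get(ev.get("EventID"))
        if rule is None:
            continue
        field, meaning = rule
        # AD account names are case-insensitive; drop any @REALM suffix.
        name = str(ev.get(field, "")).split("@")[0].lower()
        if name in DECOY_ACCOUNTS:
            alerts.append({
                "event_id": ev["EventID"],
                "decoy": name,
                "kind": DECOY_ACCOUNTS[name],
                "meaning": meaning,
                "source_ip": ev.get("IpAddress", "unknown"),
                # For 4769, TargetUserName is the account that asked for the ticket.
                "requester": ev.get("TargetUserName") if field == "ServiceName" else None,
            })
    return alerts

# Constructed sample events; only three of the five touch a decoy.
SAMPLE = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "FILESRV01$", "IpAddress": "10.0.4.21"},
    {"EventID": 4769, "TargetUserName": "kwright@CORP.EXAMPLE", "ServiceName": "svc-backup-adm", "IpAddress": "10.0.4.77"},
    {"EventID": 4625, "TargetUserName": "ADM-JHale", "IpAddress": "10.0.4.77"},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.4.21"},
    {"EventID": 4768, "TargetUserName": "FIN-SQL07$", "IpAddress": "10.0.9.3"},
]

if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE):
        print(alert)
```

The service ticket request for the decoy SPN holder (event 4769) also records the requesting account and source address, which gives responders the compromised identity and host to investigate first.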

ShadowPlex also provides management of endpoint attack surface area to reduce the attack surface by removing the cached credentials in various endpoint credential caches, as well as a capability to replace any cached real credentials with deceptions.

ShadowPlex has an extensive palette of identity deceptions to deploy in all endpoint credential caches to detect credential cache exploits and redirect attacks to decoys. This includes:

  • Privileged User Credentials and Profiles
  • Pathways for lateral movement
  • Security configurations

The endpoint identity deceptions are blended and personalized by an AI engine for each endpoint, and the deployment process leaves no fingerprints. The deceptions are customizable and extensible, including customer-specific applications. The deceptions are also automatically refreshed as endpoint configurations change.

Read More

Identity Threat Detection & Response is a critical component of an enterprise’s overall security strategy. The right depth of visibility, analysis, guidance and control on mitigation can remarkably strengthen the proactive security posture. Acalvio provides novel AI-powered automated processes to obtain visibility into identity exposure risk and analysis at enterprise scale. Leveraging an award-winning Autonomous Deception platform, ShadowPlex can deploy a layer of identity deception across the identity repositories, identity caches, and the network to detect and respond to identity attacks. Follow the links below to read more.

Next Steps

Explore our patented technologies to enable Active Defense and Identity Security in your enterprise.