Identity Threat Detection and Response (ITDR)
Identity-driven attacks bypass prevention-based security solutions, such as Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity and Access Management (IAM). Identity threat detection and response (ITDR) provides a layer focused on detecting identity threats. Honeytokens enable deception-based ITDR for comprehensive identity threat detection. Deception technology is a proven approach for identity threat detection to detect current and emerging identity threats with precision and speed.
There is a massive spike in identity-driven attacks. Attackers are targeting identities to gain trusted access to sensitive data and critical systems. Readily available offensive tools enable attackers to gain access to credentials on endpoints and in identity stores. Traditional security solutions are unable to distinguish between legitimate and malicious use of identities. Attackers leverage stealthy offensive techniques such as client-side attacks, offline attacks such as Kerberoasting and Silver Ticket attacks. Attackers leverage novel and emerging offensive techniques, identity zero days that bypass traditional security solutions. Honey accounts and honeytokens enable deception-based ITDR that provides early and precise identity threat detection for a wide variety of identity threats.
Honey Accounts
Honey accounts are deceptive user accounts and service accounts added to identity stores, for example, Active Directory or Azure Active Directory.
ShadowPlex generates AI powered recommendations for honey accounts that are blended with the identity stores and are made attractive to attackers. It automates the deployment and refresh of honey accounts across multiple identity stores.
Honeytokens
Honeytokens are deceptive credential profiles deployed in identity caches on endpoints. Honeytokens enable early detection of identity threats.
Acalvio deploys honeytokens that blend with the endpoints and are deployed into identity caches. It automates the deployment and refresh of honeytokens across tens of thousands of endpoints.
Together, honey accounts and honeytokens enable early and precise detection of identity threats. Any usage of these deceptive artifacts results in an actionable alert. The approach is not dependent on signatures, network traffic, availability of logs and is agnostic to attacker TTPs. This enables detection of current and emerging identity threats, including zero days.
Honey accounts and honeytokens provide deception-based identity threat detection and response (ITDR). This is a necessary detection layer for a defense-in-depth approach to identity protection.
Identity Attack Surface Management (ASM)
Identity Attack Surface Management (ASM) provides proactive ability to identify and reduce the identity attack surface. Organizations gain visibility into the attack surface of the identity infrastructure and on endpoints. Enables mitigation steps to strengthen the security posture and improve the identity hygiene. Identity ASM is an essential layer of prevention-based identity protection.
The Identity attack surface of an organization compromises the identity infrastructure (AD, ADCS, ADFS, Azure AD Connect) and identity caches on endpoints. Attackers use readily available pen testing tools such as Mimikatz, LaZagne, Seatbelt to identity cached identities on endpoints and tools such as Bloodhound and PowerSploit to target identity infrastructure. ShadowPlex Identity ASM enables defense teams to gain visibility to the identity attack surface and perform proactive steps to reduce the attack surface.
Active Directory and Azure AD Assessment
150+ point analysis of the attack surface in AD, ADCS and Azure AD. Provides an attacker view of AD and Azure AD. Surfaces insights such as shadow admins, kerberoastable service accounts. AD assessment provides visibility into the attack surface with recommendations for mitigating the attack surface. The assessment provides a prioritized set of findings with automated mappings to the MITRE ATT&CK framework. Periodic assessment to enable visibility to changes that occur in the AD environment. Ability to perform assessments for multiple AD domains and forests.
Endpoint Zero Trust Assessment
Visibility into the identity attack surface on endpoints. Identity attack surface on endpoints results from cached credentials in the OS and on installed applications. Security settings that need to be enabled/disabled result in attack surface. ShadowPlex endpoint Zero Trust assessment surfaces visibility through automated and periodic assessment of the endpoint attack surface. The visibility is mapped to the MITRE ATT&CK Tactics. ShadowPlex enables reduction of the attack surface through automated and periodic clearing of cached credentials for Automated Moving Target Defense (AMTD).
Key Asset Visibility
Key assets are the important assets (endpoints, identities) of an organization. These can include important business applications, data repositories, infrastructure servers, workstations belonging to the executive team and privileged identities such as service accounts, administrative accounts.
Attackers target key assets to gain access to critical systems and sensitive data. Attackers leverage readily available offensive tooling to identify the key assets. ShadowPlex provides visibility of key assets. ShadowPlex key asset visibility combines automated visibility based on analytics and administrator specified input. This enables prevention based strategies for attack surface management and threat detection strategies to protect the key assets. The visibility of key assets is foundational for Zero Trust.
Identity Attack Paths
Assets are connected by security relationships. These enable pathways for attackers to gain control over the critical assets. Identity Attack Paths provides powerful visibility to identify the attack pathways that lead to a critical asset. Defense teams gain visibility into the blast radius from an identity. Enables mitigation actions to reduce the attack pathways as a proactive approach to identity protection. Attack paths are not based on vulnerabilities and would not show in traditional security posture management tools.
Identity Attack Surface Management (ASM) enables a proactive, prevention-based approach to identity protection. Organizations gain the ability to improve the identity hygiene through attack surface reduction.
Honeytokens for CrowdStrike Falcon®
Acalvio integration with CrowdStrike enables enterprise-scale honeytokens to detect a wide variety of identity threats with precision and speed.
Visit Web Page
Acalvio ShadowPlex Identity Protection Solution Brief
This solution brief provides an overview of the deception-based identity threat detection and response (ITDR) and identity attack surface management capabilities in ShadowPlex Identity Protection to protect identities and accelerate Zero Trust.
Read Solution Brief
Customer Case Study
Learn how a Healthcare Provider protects identities across the organization with honeytokens. The case study highlights the benefits of the Acalvio solution for protecting identities across the organization and the ease of deployment of the solution.
Read Case StudyCustomer benefits
Improve identity hygiene
- Identity attack surface visibility
- Proactive reduction
- Reduce attack pathways to protect identities
Comprehensive identity threat detection
- Detect known and unknown (zero-day) attacks
- Early and precise detection
- Divert attacker and protect assets
Accelerate Zero Trust
- Identity is a pillar of Zero Trust architecture
- Identity ASM and Deception-based ITDR protect identities and accelerate Zero Trust
Enterprise-scale deployment with agentless deployment architecture
- Automated deployment and refresh of honey accounts and honeytokens across multiple AD domains and endpoints
- Agentless deployment architecture avoids compatibility challenges associated with agents and also avoids increase of attack surface
- SaaS service ensures continuous value as identity threats continue to evolve
Next Steps
Protect your organization from identity-driven attacks