Previously in this Active Directory Protection blog series, we covered the AD attack surface and AD attack paths. This post looks at Acalvio’s deception-based approach to protecting Active Directory against advanced persistent threats. Active Directory is a critical attack surface that needs continuous monitoring for misconfigurations, vulnerabilities, and attacker persistence. Conventional approaches to AD protection rely on:
- Analyzing AD event logs
- Signatures matching for specific tools usage
- Heuristics-based analysis of anomalous behavior
- SIEM-based event correlation
- Vulnerability scanning
- Monitoring network traffic to domain controllers and installing security agents on endpoints and other assets.
While these techniques are useful, they provide only a partial defense against advanced, persistent threats to Active Directory. A stronger AD protection strategy is one based on deception: it aims to prevent an attack on the enterprise’s core infrastructure as far as possible by:
- providing continuous visibility into potential attack surfaces
- proactively ferreting out latent threats using threat investigation and advanced analytics
- predicting the attacker’s path and slowing down their movement
- confusing or diverting the attacker, and predicting and detecting their TTPs at every stage, and
- ultimately, even changing the attacker’s perception of the network.
Acalvio ShadowPlex is an autonomous deception platform that provides a deception solution for Active Directory protection. Its capabilities include deep visibility into network assets and AD misconfigurations through automatic AD discovery. AI-driven analysis provides situational awareness of possible threat vectors lurking on the network, their distance from critical assets, and the attack paths between them. ShadowPlex combines threat intelligence from various sources through pre-built integrations and builds an attacker’s view of the network, which defense teams can use to reduce the attack surface proactively. Its deception-based detection covers the following classes of AD attack:
- Deep reconnaissance and AD enumeration
- Domain trust abuse and privilege escalation
- Credential abuse and replay attacks
- Kerberos attacks (such as delegation attacks, Kerberoasting, AS-REP Roasting, and Silver Ticket/Golden Ticket exploits)
- Post-exploitation and late-stage kill-chain attacks (such as DCShadow and DCSync attacks)
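To make concrete what the conventional "analyzing AD event logs" approach catches for two of the attacks listed above, and how a decoy changes the picture, here is an added example. It is not code from the original post or from Acalvio's ShadowPlex; it is a small detector written for this article. It runs two kinds of rule over Windows Security events: a heuristic rule for Kerberoasting (one source requesting RC4-encrypted service tickets for several service accounts in a short window, Event ID 4769) and for DCSync (a non-domain-controller account exercising the directory replication control-access rights in Event ID 4662), and a deception rule that fires on any ticket request for a decoy service account that no legitimate workload ever uses. The event field names, the decoy account `svc_backup_legacy`, the domain controller names and all sample events are constructed assumptions for the example; the event IDs, the RC4 encryption-type code and the replication-right GUIDs are real values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs and well-known identifiers (real values).
EVT_TGS_REQUEST = 4769          # A Kerberos service ticket was requested
EVT_OBJECT_OPERATION = 4662     # An operation was performed on an object
RC4_HMAC = "0x17"               # TicketEncryptionType roasting tools ask for
REPLICATION_RIGHTS = {          # control-access-right GUIDs DCSync exercises
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Hypothetical environment data (assumptions for this example).
DECOY_SPN_ACCOUNTS = {"svc_backup_legacy"}   # decoy with an SPN; nothing real uses it
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}      # accounts that legitimately replicate

T0 = datetime(2024, 1, 1, 9, 0, 0)


def tgs(sec, ip, user, service, etype):
    """Constructed 4769 record with the fields the rules below read."""
    return {"EventID": EVT_TGS_REQUEST, "Time": T0 + timedelta(seconds=sec),
            "IpAddress": ip, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype}


def opobj(sec, user, props):
    """Constructed 4662 record; Properties carries the {GUID} list as in the real event."""
    return {"EventID": EVT_OBJECT_OPERATION, "Time": T0 + timedelta(seconds=sec),
            "SubjectUserName": user, "Properties": props}


# Constructed sample log (not real data): a roasting burst from 10.0.0.5 that also
# touches the decoy, a normal AES user, legitimate DC replication, and one DCSync.
SAMPLE_EVENTS = [
    tgs(0, "10.0.0.5", "jsmith", "svc_sql", "0x17"),
    tgs(1, "10.0.0.5", "jsmith", "svc_web", "0x17"),
    tgs(2, "10.0.0.5", "jsmith", "svc_sap", "0x17"),
    tgs(3, "10.0.0.5", "jsmith", "svc_backup_legacy", "0x17"),   # decoy hit
    tgs(400, "10.0.0.9", "mjones", "svc_sql", "0x12"),           # AES256, normal use
    tgs(500, "10.0.0.9", "mjones", "DC01$", "0x12"),             # computer account, ignored
    opobj(600, "DC02$", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),      # DC-to-DC replication
    opobj(700, "backup_admin",                                             # DCSync from a user
          "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    opobj(800, "jsmith", "{00000000-0000-0000-0000-00000000abcd}"),      # unrelated (made-up) GUID
]


def detect_kerberoasting(events, decoys=DECOY_SPN_ACCOUNTS,
                         window=timedelta(minutes=5), threshold=3):
    """Heuristic rule: one (source IP, user) requests RC4 tickets for >= threshold
    distinct service accounts inside `window` (tunable; false positives possible).
    Deception rule: any ticket request for a decoy account is an alert on its own."""
    alerts, by_source = [], defaultdict(list)
    for e in events:
        if e["EventID"] != EVT_TGS_REQUEST:
            continue
        svc = e["ServiceName"]
        if svc in decoys:
            alerts.append({"rule": "decoy-spn-requested", "confidence": "high",
                           "source": e["IpAddress"], "user": e["TargetUserName"], "service": svc})
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # computer accounts and the TGT service are not roasting targets
        if e["TicketEncryptionType"] == RC4_HMAC:
            by_source[(e["IpAddress"], e["TargetUserName"])].append(e)
    for (ip, user), reqs in by_source.items():
        reqs.sort(key=lambda r: r["Time"])
        for i, first in enumerate(reqs):  # sliding window over this source's requests
            services = {r["ServiceName"] for r in reqs[i:] if r["Time"] - first["Time"] <= window}
            if len(services) >= threshold:
                alerts.append({"rule": "rc4-spn-burst", "confidence": "medium",
                               "source": ip, "user": user, "services": sorted(services)})
                break
    return alerts


def detect_dcsync(events, replicators=DOMAIN_CONTROLLERS):
    """4662 events that exercise a replication right from a non-DC account."""
    alerts = []
    for e in events:
        if e["EventID"] != EVT_OBJECT_OPERATION:
            continue
        used = {g for g in REPLICATION_RIGHTS if g in e["Properties"].lower()}
        if used and e["SubjectUserName"] not in replicators:
            alerts.append({"rule": "dcsync-replication-right", "confidence": "high",
                           "user": e["SubjectUserName"], "rights": sorted(used)})
    return alerts


def run(events=SAMPLE_EVENTS):
    return detect_kerberoasting(events) + detect_dcsync(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample log this yields three alerts: the RC4 burst from 10.0.0.5 (medium confidence, because a legitimate application can also request several RC4 tickets), the decoy hit (high confidence, because the only explanation for a ticket request against `svc_backup_legacy` is enumeration followed by a roasting attempt), and the DCSync by `backup_admin`. The heuristic needs a threshold and a window that must be tuned per environment; the decoy rule needs neither, which is the practical argument for combining deception with log analysis rather than relying on log analysis alone.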
Timely detection of Active Directory attacks is crucial in limiting the impact on business operations. Through a combination of deception technology and AI, ShadowPlex provides rapid detection, advanced threat investigation and analysis, and automated response capabilities designed to proactively reduce the attack surface and protect the enterprise Active Directory against attacks without adding unnecessary complexity, cost, or IT overhead.