Previously in this Active Directory Protection blog series, we covered understanding the AD attack surface and AD attack paths. This post looks at Acalvio’s novel approach to protecting Active Directory against advanced persistent threats. Active Directory presents a critical attack surface that needs continuous monitoring for misconfigurations, vulnerabilities, and attack persistence.

Alternative solutions attempt to protect AD using the following approaches:

  • Analyzing AD event logs
  • Signature matching for the use of specific tools
  • Heuristics-based analysis of anomalous behavior
  • SIEM-based event correlation
  • Vulnerability scanning
  • Monitoring network traffic to domain controllers and installing security agents on endpoints and other assets

While these techniques can be useful, they provide only a limited defense against advanced and persistent threats to Active Directory. A superior strategy for AD protection is one based on Deception. The best AD protection strategy is the one that prevents an attack on the enterprise’s core infrastructure as far as possible by:

  • providing continuous visibility into potential attack surfaces
  • proactively ferreting out latent threats using threat investigation and advanced analytics
  • predicting the attacker’s path and slowing down their movement
  • confusing or diverting the attacker, predicting and detecting the TTPs at every stage, and
  • ultimately, even changing the attacker’s perception of the network.

Acalvio ShadowPlex is an autonomous deception platform that provides a deception solution for Active Directory protection. ShadowPlex’s strong capabilities include deep visibility into network assets and AD misconfigurations using automatic AD discovery. Advanced AI algorithms provide situational awareness of possible threat vectors lurking on the network and their distance from critical assets, along with possible attack paths. ShadowPlex combines threat intelligence from various sources using pre-built integrations and builds an attacker’s view of the network that can be invaluable for defense teams seeking to reduce the attack surface proactively.

ShadowPlex leverages its pre-built integration with Active Directory to auto-discover, tag, and analyze entities registered in AD. It can then register deceptive entities at the right level in the enterprise AD. The solution adopts a proactive security posture by leading attackers towards deceptions, giving defenders more time to detect and respond to the attack.

Active Directory attacks are performed in multiple phases, ranging from reconnaissance to lateral movement to data exfiltration. Each phase is related to a specific type of activity in a cyber-attack, and each phase also presents an opportunity to stop the cyber-attack in progress. ShadowPlex offers advanced detection techniques to detect attacks in real time at every stage of the kill chain.

ShadowPlex provides pre-packaged deception playbooks for AD protection. ShadowPlex’s playbooks incorporate deep knowledge of the threat landscape and the TTPs used by sophisticated threats. The playbooks are designed to detect attack techniques such as:

  • Deep Reconnaissance/AD Enumeration
  • Domain trust abuse and privilege escalation
  • Credential abuse/replay attacks
  • Kerberos attacks (such as delegation attacks, Kerberoasting, AS-REP Roasting, and Silver Ticket/Golden Ticket exploits)
  • Post-exploitation and late-stage kill chain attacks (such as DCShadow and DCSync attacks)
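
The deception-based detection described in the preceding paragraphs and list can be illustrated with a small detector, added here as an example that is not code from the original post or from the ShadowPlex product. It assumes that honey service accounts with constructed names (`svc-backup-legacy`, `svc-sqlreport-old`) have been planted in AD with SPNs that no legitimate workflow ever requests, and it scans constructed domain-controller security events 4768 (TGT request) and 4769 (TGS request) for Kerberos requests naming those accounts. Because nothing legitimate should ever touch a honey account, every hit is an alert by construction: a TGS request for a honey SPN is flagged as Kerberoasting (highest confidence when RC4 is requested), a TGT request for a honey account without pre-authentication as AS-REP Roasting, and any pre-authenticated TGT request as use of a honey credential.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Deceptive service/user accounts planted in AD for this example (constructed
# names; a real deployment would pull them from its deception inventory).
HONEY_ACCOUNTS = {"svc-backup-legacy", "svc-sqlreport-old"}

# Kerberos encryption type codes as logged in TicketEncryptionType.
RC4_HMAC = "0x17"   # attackers request RC4 because it cracks fastest


@dataclass(frozen=True)
class Alert:
    technique: str
    account: str
    client_ip: str
    confidence: str
    detail: str


def _normalize(name: str) -> str:
    """Lower-case an account name and strip the trailing '$' of computer/service accounts."""
    return name.rstrip("$").lower()


def classify(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if this DC security event touches a honey account, else None."""
    event_id = event.get("EventID")
    ip = event.get("IpAddress", "")

    if event_id == "4769":  # TGS request: a service ticket was requested
        svc = _normalize(event.get("ServiceName", ""))
        if svc not in HONEY_ACCOUNTS:
            return None
        etype = event.get("TicketEncryptionType", "")
        # Any TGS for a honey SPN is suspicious; an RC4 request is the classic
        # Kerberoasting signature, so raise confidence for it.
        confidence = "high" if etype == RC4_HMAC else "medium"
        return Alert("Kerberoasting", svc, ip, confidence,
                     f"TGS requested for honey SPN account (etype {etype})")

    if event_id == "4768":  # AS request: a TGT was requested
        user = _normalize(event.get("TargetUserName", ""))
        if user not in HONEY_ACCOUNTS:
            return None
        if event.get("PreAuthType") == "0":
            # No pre-authentication: the AS-REP carries material crackable offline.
            return Alert("AS-REP Roasting", user, ip, "high",
                         "TGT requested for honey account without pre-authentication")
        return Alert("Honey credential use", user, ip, "high",
                     "Pre-authenticated TGT request using a honey account")

    return None


def detect(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Run classify() over an event stream, collapsing repeats per (technique, account, ip)."""
    seen = set()
    alerts: List[Alert] = []
    for ev in events:
        alert = classify(ev)
        if alert is None:
            continue
        key = (alert.technique, alert.account, alert.client_ip)
        if key in seen:
            continue
        seen.add(key)
        alerts.append(alert)
    return alerts


# Constructed sample events in the shape of DC Security log fields.
SAMPLE_EVENTS = [
    {"EventID": "4769", "ServiceName": "svc-backup-legacy", "IpAddress": "::ffff:10.0.0.25",
     "TicketEncryptionType": "0x17"},
    {"EventID": "4769", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.25",
     "TicketEncryptionType": "0x12"},
    {"EventID": "4769", "ServiceName": "WEBSRV01$", "IpAddress": "::ffff:10.0.0.40",
     "TicketEncryptionType": "0x12"},
    {"EventID": "4769", "ServiceName": "svc-backup-legacy", "IpAddress": "::ffff:10.0.0.25",
     "TicketEncryptionType": "0x17"},  # repeat of the first request, collapsed
    {"EventID": "4768", "TargetUserName": "svc-sqlreport-old", "IpAddress": "::ffff:10.0.0.25",
     "PreAuthType": "0"},
    {"EventID": "4768", "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.77",
     "PreAuthType": "2"},
    {"EventID": "4768", "TargetUserName": "svc-backup-legacy", "IpAddress": "::ffff:10.0.0.25",
     "PreAuthType": "2"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.confidence}] {a.technique}: {a.account} from {a.client_ip} - {a.detail}")
```

Run as-is, the sample stream yields three alerts, all from the same client address, which is the kind of signal that lets a defender place a host on the kill chain without relying on tool signatures or behavioural baselines: the honey account itself is the indicator.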

Timely detection of Active Directory attacks is crucial in limiting the impact on business operations. Through a combination of Deception Technology and AI, ShadowPlex provides rapid detection, advanced threat investigation, analysis, and automated response capabilities designed to proactively reduce the attack surface and protect the enterprise Active Directory against attacks without adding unnecessary complexity, cost, and IT overhead.