Products
- Products
  
  Platform
  ShadowPlex Advanced Threat Defense
  Deception for early detection of cyber threats with precision and speed
  
  ShadowPlex Identity Protection
  Visibility, management and protection of identity stores and attack paths
  
  ShadowPlex Threat Hunting
  Rapid threat investigation capabilities for SOC efficiency
  Acalvio Active Defense Platform
  Comprehensive and Award-winning Distributed Deception Platform
  
  What is Active Defense?
  Active defense detects and diverts attacks.
  
  Why do I need Acalvio Active Defense?
  Active Defense deceives and disrupts attackers.
Solutions
- Technology Solutions
  
  Industry Solutions
  Breach Detection
  Active Defense for breach detection and response, both in on-premises and cloud workloads
  
  Identity Threat Detection & Response
  Visibility into Identity attack surface and effective detect & respond solution for identity attacks
  
  OT / ICS Security
  Passive and low-risk agentless solution that is easy to deploy
  
  Active Directory Protection
  Visibility into AD attack surfaces and detection of AD Attacks
  
  Threat Hunting
  Active threat hunting, based on targeted deception, to confirm hunting hypothesis
  
  Ransomware
  AI-Driven Advanced Deception Technology to combat even zero-day Ransomware
  Public Sector
  Targeted solution for protecting Federal agencies in conformation with NIST and CISA recommendations
Resources
- Blog
- Events
- In the News
- Press Releases
- Analyst Reports
- Data Sheets
- E-Books
- Webinars
- White Papers
- Case Studies
Partners
- Strategic Partners
- Technology Partners
Company

Protecting Microsoft Active Directory Part 3: Deception-based AD Security

by Team Acalvio | September 22, 2021

Previously, we covered understanding AD Attack Surface and AD Attack Paths on this Active Directory Protection blog series. This post looks at Acalvio’s novel approach to protecting Active Directory against advanced persistent threats. It presents a critical attack surface that needs continuous monitoring for misconfigurations, vulnerabilities, and attack persistence.

Alternative solutions attempt to protect AD using the following approaches:

Analyzing AD event logs
Signatures matching for specific tools usage
Heuristics-based analysis of anomalous behavior
SIEM-based event correlation
Vulnerability scanning
Monitoring network traffic to domain controllers and installing security agents on endpoints and other assets.

While these techniques can be useful, they can only provide a limited solution for defense against advanced and persistent threats to Active Directory. A superior strategy for AD protection is one based on Deception. The best AD protection strategy is the one that prevents an attack on the enterprise’s core infrastructure as much as possible by:

providing continuous visibility into potential attack surfaces
proactively ferreting out latent threats using threat investigation and advanced analytics
predicting the attacker’s path and slowing down their movement
confusing or diverting the attacker, predicting and detecting the TTP at every stage, and
ultimately, even changing the attacker’s perception of the network.

Acalvio ShadowPlex is an autonomous deception platform that provides a deception solution for Active Directory protection. ShadowPlex’s strong capabilities include deep visibility into the network assets and AD misconfigurations using automatic AD discovery. Advanced AI algorithms provide situational awareness of possible threat vectors lurking on the network and their distance from the critical assets, along with possible attack paths. ShadowPlex combines threat intelligence from various sources using pre-built integrations and builds an attacker’s view of the network that can be invaluable for the defense teams to reduce the attack surface proactively.

ShadowPlex leverages its pre-built integration with Active Directory to auto-discover, tag, and analyze entities registered in AD. It can then register deceptive entities at the right level in the enterprise AD. The solution adopts a proactive security posture by leading attackers towards deceptions, providing defenders with more time to detect and respond to the attack.

Active Directory attacks are performed in multiple phases – ranging from reconnaissance to lateral movement to data exfiltration. Each phase is related to a specific type of activity in a cyber-attack. Each phase also presents an opportunity to stop the cyber-attack in progress. ShadowPlex offers advanced detection techniques to detect attacks in real-time at every stage of the kill chain.

ShadowPlex provides pre-packaged deception playbooks for AD protection. ShadowPlex’s playbooks incorporate deep knowledge of the threat landscape and TTPs used by sophisticated threats. The playbooks are designed to detect attack techniques such as:

Deep Reconnaissance/AD Enumeration
Domain Trust Abuse, Privilege escalation
Credential abuse/replay attacks
Kerberos attacks (such as Delegation attacks, Kerberoasting, AS-Rep Roasting, Silver Ticket/Golden Ticket exploits)
Post-exploitation and late-stage kill chain attacks (such as DCShadow and DCSync attacks)

Timely detection of Active Directory attacks is crucial in limiting the impact on business operations. Through a combination of Deception Technology and AI, ShadowPlex provides rapid detection, advanced threat investigation, analysis, and automated response capabilities designed to proactively reduce the attack surface and protect the enterprise Active Directory against attacks without adding unnecessary complexity cost and IT overheads.

Contact Acalvio to Schedule a Demo