Deploy fake credentials and decoy domain controllers to derail AD attacks. Stop attackers from discovering and exploiting Active Directory infrastructure.
Active Directory InSights™

ShadowPlex Active Directory InSights™ presents an Attacker’s View of the network and reveals the attack surface and risk exposure in the production domains. The first step in reducing the attacker’s chance for success is to reduce the attack surface. ShadowPlex leverages threat intelligence from various sources using pre-built integrations to build the attacker’s view. This view can be invaluable for the defense teams to proactively reduce the attack surface.

ShadowPlex AD InSights™ gives security and IT administrators continuous visibility into potential security risk exposure introduced by factors such as unprotected administrator accounts, shadow administrators, over-permissioned accounts, kerberoastable accounts, unmanaged SPNs, and service accounts, among other misconfigurations. ShadowPlex generates these extensive insights spanning user and computer accounts, groups, GPOs, ACLs, domains, forests and trust relationships, and other AD artifacts.

Even in modestly complex Active Directory environments, it can often be a challenge to track objects and present the attack surface. ShadowPlex solves this problem without requiring any manual intervention. ShadowPlex does not require any special privileges or permissions on the domain to generate the attack surface insights.

Attack Path Analysis

In any enterprise, with continuous growth and restructuring, there is a complex and evolving ecosystem of users, computers, groups, GPOs, and other objects. Management blind spots, vulnerabilities, misconfigurations, and inadequate access controls in AD present a significant security risk. Attackers leverage AD misconfigurations and vulnerabilities to identify attack paths that facilitate lateral movement and privilege escalation to compromise valuable assets on the network.

Attackers use tools such as BloodHound to analyze the attack paths on the network and even find the shortest path to their targets. ShadowPlex Attack Path provides the powerful capability for the defense teams to proactively predict these attack paths and remediate them to significantly reduce the exposure.

A typical enterprise may have many viable attack paths that can potentially lead attackers to their targets. ShadowPlex Attack Path combines AI-based Advanced Deception with Graph Theory to identify attack paths involving exploitable chains of relations. Each graph represents potential paths that adversaries can traverse from exploitable accounts or endpoints to reach valuable assets on the network.

This feature serves as a powerful Active Defense tool to proactively disrupt viable attack paths to valuable assets and add deceptions to strengthen defenses.

Curated ShadowPlex Deceptions for Active Directory Protection

Attacks against Active Directory are hard to detect and sometimes even undetectable given that they use legitimate domain credentials, service accounts and domain authenticated computers. Detection using traditional triaging or event log monitoring does not surface conclusive malicious activity.

Acalvio offers an extensive variety of deceptions that is fundamental to Active Directory protection.

ShadowPlex provides pre-defined Active Directory Protection Deceptions that combine targeted deceptions with AI. Deceptions for AD consist of Decoy Computers, Services, User and Service Accounts, and SPNs that are recommended by the AI engine to seamlessly blend into the AD environment. The deceptions are registered in the production AD.

Auto Recommendation and Placement of Deceptions

An effective deception strategy should include deceptions that blend into the enterprise environment. In large, complex Active Directory environments, determining the type and placement of deceptions is a practical challenge for enterprises.

ShadowPlex uses AI algorithms to auto-recommend the right type of entity names and attributes, such as unique identifiers for SPNs and best-practice conventions for service accounts, among others, to make deceptions attractive to attackers. ShadowPlex also devises an effective deception placement strategy to divert attackers away from assets and toward decoys. This capability removes the burden of IT teams manually specifying the properties and placement of deceptions.

Auto recommendation and placement of deceptions is not a one-time activity. Active Directory environments undergo constant change. As a result, deception strategy, deployment, and placement must be reviewed periodically. ShadowPlex runs in autonomous mode, auto-discovers changes, and appropriately adjusts deceptions to blend with the network. It recommends relevant, new deceptions without requiring manual intervention. This is a unique capability aimed at ensuring that deceptions are current and dynamic.

ShadowPlex’s dynamic deceptions combined with AI for blending and recommendation ensure that the deception quality and realism are best-in-class.

Decoy Containment

ShadowPlex has the in-built capability to contain Deceptions (Decoy Computers and Service Accounts/Users) to ensure that attackers cannot use these deceptions to cause harm to the production network. For example, Decoy Computers are contained using the patented ShadowPlex Deception Farms Architecture.

Attackers cannot disable ShadowPlex containment

This ensures that attackers cannot leverage the Decoy as a pivot point to mount attacks against the production network. Similarly, Service Accounts have in-built containment to ensure that attackers cannot use these accounts to gain access to production assets.

AI-based Traversal Analysis

ShadowPlex provides a capability for viewing real-time attack progression. ShadowPlex generates the traversal path by leveraging advanced AI techniques. The path shows possible routes that a threat may have taken to reach the asset under investigation.

Automated Response

Given the malicious nature of Active Directory attacks, robust containment of an attacker is a requirement. Acalvio ShadowPlex offers comprehensive and automated response mechanisms and leverages integrations with SOAR, EDR, and Network Management solutions for automated actions such as isolating or quarantining compromised endpoints, killing a malicious process, or performing a complete shutdown. ShadowPlex also offers effective responses such as Diverting an Attacker away from production assets to adjacent decoys to protect the real assets. Another response mechanism is to Slow Down the attacker’s progress by deploying several identical deceptions to surround the production asset while ShadowPlex surfaces the attacker’s trajectory for quick defense and IR actions.

Frequently Asked Questions

Acalvio ShadowPlex weaves blended deceptions into the enterprise Active Directory, covering all entity types and relationships. Using Deceptions combined with AI provides a strong layer of protection in detecting recon, lateral movement, credential access and other malicious activities against the enterprise AD. ShadowPlex provides comprehensive AD protection by both hardening AD Security and using deception in multiple ways to detect and redirect any AD attacks.
Yes, ShadowPlex can be used to protect Azure AD and Hybrid AD deployments. Deception technology is platform-agnostic and so is suited to any form of enterprise network and deployment model.
A Kerberoasting attack is a post-exploitation technique in which an attacker abuses the Kerberos authentication protocol in Active Directory environments to obtain hashed credentials of service accounts. The attacker requests a service ticket for a target service principal name (SPN) and extracts the ticket’s hash, which can then be cracked offline to reveal the account’s password. This attack exploits weak or easily crackable passwords used by service accounts, potentially granting the attacker elevated privileges within the network.
With its 150+ point analysis of the attack surface in AD and ADCS, ShadowPlex provides an attacker view and insights such as shadow admins and Kerberoastable service accounts. AD assessment provides visibility into the attack surface with recommendations for mitigating the attack surface and reducing the possibility of such attacks.
ShadowPlex uses asset discovery data from the AD for reducing the attack surface area. The asset data is processed through AI algorithms to surface rich Insights for the Enterprise. ShadowPlex can discover and surface various AD misconfigurations and vulnerabilities, such as shadow administrators, privileged users with access to assets, inactive users in super active groups, users recently added to privileged groups, over-permissioned delegation, and risky users with no password expiration.
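The Kerberoasting description above and the decoy service accounts and SPNs described earlier suggest two checks a defender can run over Kerberos service ticket events (Windows Event ID 4769). The sketch below is an added example, not ShadowPlex code or logic: the events are constructed, and the decoy account name `svc_sqlreport`, the 5-minute window and the threshold of 3 are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                      # TicketEncryptionType for RC4-HMAC (etype 23)
DECOY_SERVICES = {"svc_sqlreport"}   # hypothetical decoy service account (assumption)
WINDOW = timedelta(minutes=5)        # assumed correlation window
THRESHOLD = 3                        # distinct RC4 service tickets per requester

# Constructed sample: (time, requester, ServiceName, TicketEncryptionType, source IP)
EVENTS = [
    ("2024-05-01T09:00:02", "alice@CORP.LOCAL", "FS01$", 0x12, "10.0.4.21"),
    ("2024-05-01T09:10:00", "bob@CORP.LOCAL", "svc_web", 0x17, "10.0.4.22"),
    ("2024-05-01T09:15:01", "jdoe@CORP.LOCAL", "svc_backup", 0x17, "10.0.7.55"),
    ("2024-05-01T09:15:02", "jdoe@CORP.LOCAL", "svc_web", 0x17, "10.0.7.55"),
    ("2024-05-01T09:15:03", "jdoe@CORP.LOCAL", "svc_sqlreport", 0x17, "10.0.7.55"),
    ("2024-05-01T09:15:04", "jdoe@CORP.LOCAL", "svc_hr", 0x17, "10.0.7.55"),
    ("2024-05-01T10:00:00", "carol@CORP.LOCAL", "svc_sqlreport", 0x12, "10.0.4.30"),
]

def is_user_service(service):
    """Computer accounts end in '$' and krbtgt is the KDC itself; skip both."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def detect(events):
    """Return alerts as (rule, requester, source IP, detail) tuples, in time order."""
    alerts = []
    recent = defaultdict(list)   # requester -> [(time, service)] RC4 requests in window
    burst_reported = set()       # requesters already alerted for a burst
    for ts, requester, service, etype, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        # Rule 1: nothing legitimate requests a ticket for a decoy account.
        if service.lower() in DECOY_SERVICES:
            alerts.append(("DECOY_SPN_TICKET", requester, ip, service))
        # Rule 2: one requester pulling RC4 tickets for many user-backed services.
        if etype != RC4_HMAC or not is_user_service(service):
            continue
        hits = [(t, s) for t, s in recent[requester] if when - t <= WINDOW]
        hits.append((when, service))
        recent[requester] = hits
        distinct = sorted({s for _, s in hits})
        if len(distinct) >= THRESHOLD and requester not in burst_reported:
            burst_reported.add(requester)
            alerts.append(("RC4_TICKET_BURST", requester, ip, ",".join(distinct)))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The burst rule needs tuning against legacy applications that still request RC4 tickets, whereas the decoy rule fires on a single event regardless of encryption type.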