Illusive Blog December 9, 2019

Defending Active Directory: Here’s How to Paralyze Attackers

By Jason Silberman

Security teams are tasked with protecting an organization’s crown jewels – essential data volumes, intellectual property, financial transactions, or revenue-dependent business operations – from malicious insiders and external threats. It’s an evolving and difficult challenge, especially with understaffed SOC teams drowning in false alerts and increasingly sophisticated attackers using a range of methods to exploit weaknesses in the network.

An attacker – let’s say through a phishing attack or stealing a user’s network credentials – lands on a local machine (e.g. a user workstation), then has to move laterally toward the intended target, or discover the target they want to reach. Attackers often attempt to move laterally by using credentials and connections created by the business. To obtain that information, they first have to do some reconnaissance.

Active Directory is a prime target for breaches because it holds the accounts, group memberships and trust relationships an attacker uses, once an initial beachhead is established, to identify local and domain admins and the credentials needed to move laterally across the network. Active Directory is used by 90% of the world’s enterprises as their primary method for authentication and authorization – it connects users to systems, and different systems to each other. An attacker who gains control of Active Directory (for example, domain admin rights) effectively controls every domain-joined system on the network.

To protect Active Directory and the credentials and connections it authenticates, security teams must be proactive in order to frustrate and paralyze cyberattackers. We suggest our PREEMPT-DETECT-RESPOND approach.

Preemptive cyber hygiene and attack surface reduction

Lateral movement can be disrupted by managing the credential and connection data in Active Directory and on endpoints that fuels it. A preemptive approach is centered on an automated, efficient way to locate, assess and eliminate unnecessary and potentially dangerous connections and credentials across the network.

With Illusive’s Attack Surface Manager (ASM), organizations gain instant and continuous visibility into high-risk conditions such as cached domain admin credentials across the environment, unmonitored “shadow” admins (users who hold administrative rights through ACLs or delegation rather than membership in an admin group), orphaned RDP connections, and violations of local admin policies. ASM can also discover saved connections, stored local admin credentials, and suspicious files. All of these are presented in an easy to visualize and understandable way.

It’s not only about visibility, however. Security and risk teams have full “cleanup” capabilities as well. Through a rule-based engine, they can define and enforce credential and connection policies for various roles and groups, including the use of local admins, high-privilege credentials, and permissible connections to crown jewels.

Furthermore, ASM automatically and continuously detects and removes violations. ASM can purge high-privilege credentials stored on endpoints in the file system, the registry and memory, denying attackers the material they need to escalate privileges and move laterally.

Attack Surface Manager also includes the Pathways feature, which automatically reveals attack paths from any machine to high-value targets, provides drill-down details on the systems in each path, and enables point-and-click elimination of excess connectivity, leveraging risk and connectivity ratings.
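To make the high-risk conditions above concrete, here is an added PowerShell audit (example code, not Illusive’s product) that checks a domain-joined workstation for saved RDP connections, saved credentials, cached domain logons and unapproved local admins, and checks the domain for “shadow” admins with write rights on the Domain Admins group ACL. It assumes the ActiveDirectory RSAT module is installed and that $ApprovedLocalAdmins reflects your own local admin policy; both are assumptions, not values from the original post.

```powershell
# Added example (not Illusive's code): audit one endpoint and the domain for the
# credential and connection exposures that fuel lateral movement.
# Run in an elevated PowerShell on a domain-joined host with RSAT installed.
#Requires -Modules ActiveDirectory

# Assumption: your organization's approved local Administrators members.
$ApprovedLocalAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation Admins')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Host = $env:COMPUTERNAME; Category = $Category; Detail = $Detail })
}

# 1. Saved RDP connections: per-server UsernameHint values and the MRU list tell an
#    attacker where this user connects and as whom.
$rdpRoot = 'HKCU:\Software\Microsoft\Terminal Server Client'
if (Test-Path "$rdpRoot\Servers") {
    Get-ChildItem "$rdpRoot\Servers" | ForEach-Object {
        $hint = (Get-ItemProperty $_.PSPath).UsernameHint
        Add-Finding 'SavedRdpConnection' "$($_.PSChildName) as $hint"
    }
}
if (Test-Path "$rdpRoot\Default") {
    (Get-ItemProperty "$rdpRoot\Default").PSObject.Properties |
        Where-Object { $_.Name -like 'MRU*' } |
        ForEach-Object { Add-Finding 'RdpMru' $_.Value }
}

# 2. Saved credentials in Credential Manager: cmdkey /list prints one "Target:" line per entry.
cmdkey /list | ForEach-Object {
    if ($_ -match '^\s*Target:\s*(.+)$') { Add-Finding 'SavedCredential' $Matches[1].Trim() }
}

# 3. Cached domain logons: any value above 0 leaves domain credential verifiers on disk.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached   = (Get-ItemProperty $winlogon).CachedLogonsCount
if ([int]$cached -gt 0) { Add-Finding 'CachedLogonsCount' $cached }

# 4. Local admin policy violations: Administrators members outside the approved list.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $ApprovedLocalAdmins -notcontains $_.Name } |
    ForEach-Object { Add-Finding 'UnapprovedLocalAdmin' "$($_.Name) ($($_.ObjectClass))" }

# 5. Shadow admins: principals holding write rights over the Domain Admins object via its
#    ACL rather than via group membership. Anything not in $expected deserves review;
#    WriteProperty hits should be checked against the ACE's ObjectType (e.g. the member attribute).
$domain   = Get-ADDomain
$expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
              "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Enterprise Admins")
$da  = Get-ADGroup 'Domain Admins'
$acl = Get-Acl -Path "AD:\$($da.DistinguishedName)"   # AD: drive is provided by the ActiveDirectory module
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty' -and
        $expected -notcontains $_.IdentityReference.Value
    } |
    ForEach-Object { Add-Finding 'ShadowAdminAce' "$($_.IdentityReference) : $($_.ActiveDirectoryRights)" }

$findings | Format-Table -AutoSize
```

Each finding maps to one of the conditions in the text: saved RDP entries and Credential Manager targets are the “saved connections” and stored credentials an attacker harvests, CachedLogonsCount above 0 is why cached domain admin credentials end up on workstations in the first place, and an unexpected ACE on Domain Admins is the definition of a shadow admin. Remediation (clearing the MRU keys, cmdkey /delete, removing the group member or the ACE) is deliberately left out of the audit so it can run read-only first.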

When choosing the most effective and scalable preemptive approach to securing Active Directory, Attack Surface Manager is unique in its comprehensive capabilities. ASM is unparalleled in the market for its visibility, analysis and remediation techniques at a granular level. Even open-source tools like BloodHound are not a complete solution, given their limited scalability and lack of remediation capabilities.

Authentic-looking deceptions at every endpoint

Once the network has been hardened and legitimate (but potentially dangerous) excess credentials have been eliminated, we have to a great extent starved the attacker of what they need for lateral movement. The next goal is early detection of attackers inside the network, and this can be achieved through a deception-based approach. We’re not talking about a honeypot architecture either: honeypots are less effective at fooling sophisticated attackers, hard to scale, and sit too close to critical data.

First, picture an attacker who has landed on a local machine. People sometimes mistakenly think an attacker knows exactly what to do, making the right decision at every single moment, but that is not true. In reality, the attacker is operating remotely, on an unfamiliar machine with limited information, and wary of being detected. A single mistake can get them caught or set them back by months.

The primary reason for a deception strategy is to greatly confuse the attacker and make decision making really difficult, before they even arrive inside Active Directory. The Illusive Attack Detection System (ADS) plants a dense web of lightweight deceptions across all endpoints in a network that force early attacker detection.

For deceptions to effectively secure Active Directory, authenticity is critical. We need attackers to believe deceptive data is actually real. That’s why we’re proud that Illusive achieved Gartner’s highest rating in the Deception Credibility and Authenticity category. For that reason, Illusive deceptions are based on real Active Directory users, as opposed to setting up a fake AD that would never look authentic in the eyes of an attacker. A few examples of what that looks like when protecting Active Directory and thwarting an attacker:

  • Deceptions leverage existing Active Directory objects. The Attack Detection System locates stale objects that have a real history in the directory – a former user, a retired machine name – because an attacker who checks Active Directory for them will find corroborating evidence that they are genuine.
  • ADS creates deceptive artifacts based on comprehensive endpoint analysis – processes, file locations and naming conventions on the endpoint are matched against the naming conventions already used in Active Directory before a deceptive artifact is created.
  • Some of the deceptive user entities will exist in Active Directory and some will not.
  • Some deceptive user entities will appear not to have logged in for a while and others will look very recent, so that together they resemble a real population of users.
  • ADS creates usernames and passwords that follow the conventions the organization’s real users are using – no manual effort is needed to generate and update these records, and no scripts are needed to create Domain Trusts or to introduce the deceptive records into Active Directory (as opposed to other deception solutions).
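The list above describes two halves of a decoy-account strategy: picking accounts whose history in Active Directory makes them credible, and catching the attacker who tries to use one. Here is an added PowerShell example (not Illusive’s code) that selects stale user accounts as decoy candidates with Search-ADAccount and then scans a domain controller’s Security log for any Kerberos TGT request (4768), Kerberos pre-authentication failure (4771) or NTLM validation (4776) naming a decoy. Because matching is on the account name in the event, it also catches attempts against planted credentials whose accounts do not exist in Active Directory at all (the KDC still logs 4768 with an unknown-principal status). The 180-day staleness threshold and the decoy list path are assumptions; the decoy list is kept outside the directory on purpose, since any attribute that marks an account as a decoy would be readable by the attacker enumerating AD.

```powershell
# Added example (not Illusive's code): choose stale accounts as decoy candidates and alert
# on any authentication attempt against a decoy name. Run on a domain controller with the
# ActiveDirectory module available.
#Requires -Modules ActiveDirectory

$StaleAfterDays = 180                                    # assumption: your staleness threshold
$DecoyListPath  = 'C:\ProgramData\DecoyAccounts.json'    # assumption: kept off the directory, readable only by defenders

# 1. Candidates: user accounts with a real history in AD but no logon for $StaleAfterDays days.
#    Their original name, OU and timestamps are what make them look authentic when enumerated.
function Get-DecoyCandidate {
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($StaleAfterDays)) -UsersOnly |
        Get-ADUser -Properties LastLogonDate, Description |
        Where-Object { $_.SamAccountName -notmatch '^(krbtgt|Guest|Administrator)$' } |
        Select-Object SamAccountName, DistinguishedName, LastLogonDate, Description
}

# 2. Record the chosen decoys (existing stale accounts and any non-existent names whose
#    credentials are planted on endpoints) where only the detection side can read them.
function Save-DecoyList([string[]]$SamAccountName) {
    $SamAccountName | Sort-Object -Unique | ConvertTo-Json | Set-Content -Path $DecoyListPath
}

function Get-DecoyList {
    if (Test-Path $DecoyListPath) { @(Get-Content $DecoyListPath -Raw | ConvertFrom-Json) } else { @() }
}

# 3. Nobody legitimately authenticates as a decoy, so one 4768/4771/4776 event naming one
#    is a high-fidelity alert. TargetUserName may arrive as user@realm, so strip the realm.
function Get-DecoyAuthAttempt([string[]]$Decoy, [datetime]$Since = (Get-Date).AddHours(-24)) {
    $filter = @{ LogName = 'Security'; Id = 4768, 4771, 4776; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $account = ($data['TargetUserName'] -split '@')[0]
        if ($Decoy -contains $account) {
            # 4768/4771 report the client IpAddress; 4776 reports the source Workstation.
            $source = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = $account
                Source  = $source
                Status  = $data['Status']   # e.g. 0x6 unknown principal, 0x12 account disabled, 0x18 bad password
            }
        }
    }
}

# Usage (interactive):
# Get-DecoyCandidate | Out-GridView                  # review and pick accounts to keep as decoys
# Save-DecoyList -SamAccountName 'jdoe', 'svc-backup-old', 'adm-helpdesk2'
# Get-DecoyAuthAttempt -Decoy (Get-DecoyList) | Format-Table -AutoSize
```

The Status code on the alert is useful triage context: 0x18 means the attacker had a wrong password for a real decoy, 0x12 means they hit a disabled account, and 0x6 means the planted name does not exist in the directory at all, each of which tells you which kind of deceptive artifact they picked up.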

All of this is done with a completely agentless solution. Deception offerings that rely on an agent have several disadvantages: the agent is easily traceable by the attacker, who can detect, halt, reverse engineer and manipulate it; it is intrusive on the endpoint; it is resource heavy and costly; and it produces a high volume of false positives. Not to mention that an attacker who gains control of the agent can use it to uninstall the deceptions.

This all comes back to confusing attackers to such an extent that they cannot trust anything. The attacker is paralyzed: either unable to move laterally at all toward the crown jewels, or caught almost immediately after tripping on a deception while trying to use data found on the local machine. They have to be right 100% of the time, which of course they won’t be.


Clear and real-time forensics at the moment of the attack

So we’ve caught an attacker – now we need an immediate picture to respond more quickly and effectively to attacks in progress.

The Illusive Attack Intelligence System (AIS) provides precision forensics – exactly the right data captured instantly and directly from relevant systems – no more, no less – saving weeks or even months collecting and collating information from across the network in the event of a major incident.

Illusive captures forensic data from the systems where attackers are operating—both compromised endpoints and real-OS decoy systems. Immediately upon detection, incident response teams can see the attacker’s position in relation to critical business assets and are equipped with context-aware data to understand the incident, focus the investigation process, and quickly determine the best course of action.

View our on-demand webinar at any time, Securing Active Directory – How to Reduce Blind Spots and Paralyze Attackers.

Illusive can help secure your Active Directory environment – request a demo today.