Finally, a Way to Stop Advanced Persistent Threats (APTs) in Their Tracks

Symantec acquires innovative technology to protect Microsoft Active Directory from malicious use by attackers

Active Directory: The Root of Domain Compromise

Nine out of ten companies around the world use Microsoft Active Directory to control and maintain internal resources – servers, endpoints, applications, and users – and access.[1] By design, Active Directory (AD) is open to any domain connected user, meaning all identities and resources on a corporate network are visibly exposed, making AD the number one target for attackers.

It takes only one compromised endpoint connected to a corporate domain for an attacker to launch the latest APT campaign.

The recent acquisition of Javelin Networks advances Symantec’s endpoint security solution for addressing APTs with effective Active Directory defense from the endpoint, providing autonomous breach containment and incident response. This is the only solution that protects Active Directory from the endpoint and restricts post-exploit incursions by preventing credential theft and lateral movement. It contains attackers immediately after an endpoint is compromised, but before they can persist on the domain, disrupts reconnaissance activity, and prevents them from using Active Directory to move laterally to other assets. Javelin Networks addresses the path of least resistance in today’s networks and greatly reduces the time, effort, and error involved in detecting, responding to, and containing a breach where it starts – the endpoint.

Why This Matters

Active Directory is the building block for every APT campaign

Attackers are not only aware of Active Directory’s value, but also its flaws. With careful examination of recent APT campaigns, we see what attackers have known for a long time: Active Directory is the most targeted asset in the organization.


Intrusion Detection, Investigation, and Prevention

  • Stop Credential Theft.
  • Stop Reconnaissance.
  • Stop Lateral Movement.

    The cybersecurity industry focuses on defending endpoints, applications, networks, and mobile devices. Yet it neglects to defend the greatest endpoint vulnerability: Active Directory.

    This service has a database containing information about all users, servers, endpoints, and applications in the domain. Nine out of ten companies around the world use Active Directory to control and maintain internal resources. By design, the Active Directory database is exposed through the native API. Attackers can access this integral asset anytime from any machine connected to the domain. It only takes ONE compromised endpoint connected to a corporate domain to jeopardize the entire organization.


    Javelin AD|Protect defends Active Directory while providing autonomous breach containment, incident response, and threat hunting capabilities. The platform also shows the defender and the AD admin the domain from the attacker’s perspective, allowing immediate risk mitigation to reduce the attack surface. Javelin combines technologies such as Native Language Processing, obfuscation, and advanced forensics methodologies at the point of breach.

  • Achieve definitive alerts on post-exploitation activity—the most important part of the breach—to stop reconnaissance, credential theft, and lateral movement.
  • Obtain relevant artifacts automatically before an attacker can erase them, reducing the time and effort needed to investigate the breach.
  • Scalable coverage across all assets in an enterprise organization without impacting Active Directory or the endpoint.
  • Real-time response based on true-positive signals to stop the attacker when it matters most.

    Active Directory Breach and Attack Simulation (BAS)

    Breach and Attack Simulation (BAS) finds the misconfigurations and backdoors in Active Directory that lead to total compromise.

    Attackers exploit misconfigurations and utilize backdoors to compromise your Active Directory. Find them first.

    Default and unused settings from Microsoft that pose risk to the organization are easy to disable. Maintenance, enhancements, and vulnerabilities need to be continuously assessed as the configuration evolves.

    Attackers leave backdoors and hooks that are used to persist privileges and exploit Active Directory. These give them unrestricted and undetected access back into the organization at any time.

    How it works

    AD|Assess continuously works in the background and leverages unique algorithms to gather in-depth information about the directory’s configuration, privileged accounts, security settings, Group Policy Objects (GPOs), endpoints connected to the domain, domain controller configurations, and even inappropriate use of privileged accounts. It then autonomously analyzes every component for misconfigurations and backdoors attackers left behind. Once one is identified, an alert is sent to the central console with recommendations for remediation.

    The AD assessment process uses native AD commands and has no impact on your production environment.
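    The kind of check such an assessment runs over privileged accounts and security settings, as an added example: this is not AD|Assess and not Symantec or Javelin code. It evaluates a handful of well-known risky account settings (Kerberos pre-authentication disabled, password not required, non-expiring passwords and service principal names on privileged accounts, stale adminCount markers) against constructed sample objects; on a real domain the same attributes come from a native, read-only `Get-ADUser` query, and the `Test-ADUserRisk` function and the privileged-group list are assumptions of this example.

```powershell
# Added example, not AD|Assess and not Symantec/Javelin code: a read-only check of
# user account attributes for a few well-known risky settings. The objects below
# are constructed sample data; on a real domain the same attributes come from the
# ActiveDirectory module's native, read-only query
#   Get-ADUser -Filter * -Properties userAccountControl, adminCount, memberOf, servicePrincipalName
# which does not modify the directory.

# userAccountControl bit flags (Microsoft-documented values).
$UAC_ACCOUNTDISABLE       = 0x0002
$UAC_PASSWD_NOTREQD       = 0x0020
$UAC_DONT_EXPIRE_PASSWORD = 0x10000
$UAC_DONT_REQUIRE_PREAUTH = 0x400000

function Test-ADUserRisk {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        # Groups treated as privileged (assumed default; extend to match the domain's tiering model).
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    foreach ($u in $Users) {
        $uac       = [int]$u.userAccountControl
        $isEnabled = -not ($uac -band $UAC_ACCOUNTDISABLE)
        # memberOf holds distinguished names; keep only the CN for comparison.
        $groups = @($u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
        $isPriv = @($groups | Where-Object { $PrivilegedGroups -contains $_ }).Count -gt 0

        $findings = @()
        if ($uac -band $UAC_DONT_REQUIRE_PREAUTH) {
            $findings += 'Kerberos pre-authentication disabled'
        }
        if ($isEnabled -and ($uac -band $UAC_PASSWD_NOTREQD)) {
            $findings += 'Enabled account with PASSWD_NOTREQD set'
        }
        if ($isPriv -and ($uac -band $UAC_DONT_EXPIRE_PASSWORD)) {
            $findings += 'Privileged account with a non-expiring password'
        }
        if ($isPriv -and $u.servicePrincipalName) {
            $findings += 'Privileged account carries an SPN (service account with admin rights)'
        }
        if ([int]$u.adminCount -eq 1 -and -not $isPriv) {
            $findings += 'adminCount=1 outside any privileged group (stale AdminSDHolder marker)'
        }
        foreach ($f in $findings) {
            [pscustomobject]@{ SamAccountName = $u.samAccountName; Finding = $f }
        }
    }
}

# Constructed sample accounts (not taken from any real domain).
$SampleUsers = @(
    [pscustomobject]@{ samAccountName = 'alice';   userAccountControl = 0x200;    adminCount = 1
                       memberOf = @('CN=Domain Admins,CN=Users,DC=corp,DC=example'); servicePrincipalName = $null }
    [pscustomobject]@{ samAccountName = 'svc-sql'; userAccountControl = 0x10200;  adminCount = 1
                       memberOf = @('CN=Domain Admins,CN=Users,DC=corp,DC=example')
                       servicePrincipalName = @('MSSQLSvc/db01.corp.example:1433') }
    [pscustomobject]@{ samAccountName = 'bob';     userAccountControl = 0x400200; adminCount = 0
                       memberOf = @(); servicePrincipalName = $null }
    [pscustomobject]@{ samAccountName = 'carol';   userAccountControl = 0x220;    adminCount = 1
                       memberOf = @(); servicePrincipalName = $null }
)

Test-ADUserRisk -Users $SampleUsers | Format-Table -AutoSize
```

    Each finding is emitted as an object rather than printed text so it can be piped into whatever console or ticketing path the assessment reports to. The function only reads attributes; it never writes to the directory, which is the property the passage above stresses for an assessment that runs continuously in production.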

    Key Benefits

    Discover persistence that traditional methodology misses. Deny attackers a grip on your domain and disrupt their attack. Uncover attacks in progress and the evidence left behind to mitigate risk in real time, all the time.

    See the domain from the attacker’s perspective. All machines and applications authenticated to the domain have a critical security dependency on Active Directory. By implementing the guidance provided in the AD assessment, the overall security posture of an organization is significantly improved.

    Reducing the risk to Active Directory saves the organization time and money defending this critical asset. Vulnerability scanners are not able to cover the AD topology, and consulting is point-in-time and costly. This effort should be continuous, as the configuration will evolve with the company.

    Get-ShellContent, a PowerShell-based script, leverages a modified Strings2 tool loaded in memory to extract all the strings of any running or dumped process. It gives full visibility of the screen buffer the attacker used, the commands they typed, and the results they obtained—incident response forensics at its finest!

    There are a few reasons why the use of scripting-language-based malware has increased:

  • Some are installed by default on every Windows operating system.
  • Detection is difficult because they leverage legitimate tools to perform malicious activity.
  • Shell-based attacks have the ability to exist only in memory.
  • According to almost every cybersecurity vendor, the major trend of the last few years is non-malware attacks. Scripting languages are more prominent than before—a few lines of PowerShell code can serve as a full hacking toolkit, and open-source hacking frameworks based on PowerShell and Python are easily accessible.

    Fetch the Attacker’s Command-Line Shell History

  • Use -ComputerName [TARGET] to analyze shells on a remote target endpoint.
  • Use -ProcDump [DumpPath] to analyze a process dump (conhost or shell) file.
  • Use -Deep to scan the actual process of the shell for any remaining data (expect false positives).
  • Use -ProcessID [PID] to analyze a specific (conhost or shell) process; omit the flag to scan all the processes automatically.
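    What the -ProcDump mode above has to do under the hood, as an added example that is neither Get-ShellContent nor the Strings2 tool: a minimal Strings2-style extractor that pulls printable ASCII and UTF-16LE strings out of a dump file and keeps the lines that look like console prompts. The dump bytes, the temp file name, and the `Get-DumpStrings` and `Get-ShellHistoryFromDump` function names are constructed for this example.

```powershell
# Added example, not Get-ShellContent and not the Strings2 tool: a minimal
# Strings2-style extractor that pulls printable ASCII and UTF-16LE strings out of
# a process dump file and keeps the ones that look like console prompt lines.
# Windows console buffers hold text as UTF-16LE, so an ASCII-only strings pass
# misses most shell history; the second pass below is what recovers it.

function Get-DumpStrings {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MinLength = 6
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps every byte to exactly one character, so a .NET regex can scan raw bytes.
    $raw = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    # Pass 1: runs of printable ASCII, as the classic strings tool finds them.
    $asciiRuns = [regex]::Matches($raw, "[\x20-\x7E]{$MinLength,}") |
        ForEach-Object { $_.Value }
    # Pass 2: UTF-16LE runs (printable byte followed by 0x00); strip the NULs afterwards.
    $wideRuns = [regex]::Matches($raw, "(?:[\x20-\x7E]\x00){$MinLength,}") |
        ForEach-Object { $_.Value -replace "`0", '' }

    @($asciiRuns) + @($wideRuns)
}

function Get-ShellHistoryFromDump {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Matches "PS C:\path> cmd" (PowerShell) and "C:\path>cmd" (cmd.exe) prompt lines.
        [string] $PromptPattern = '^(PS )?[A-Za-z]:\\[^>]*>'
    )
    Get-DumpStrings -Path $Path |
        Where-Object { $_ -match $PromptPattern } |
        Select-Object -Unique
}

# Constructed sample "dump": UTF-16LE console text (as conhost.exe stores it), an
# ASCII module name, and binary filler. A real input would be a conhost.exe or
# powershell.exe dump file written by Task Manager or procdump.
[byte[]] $sample = @(0x00, 0xFF, 0x13, 0x01) +
    [System.Text.Encoding]::Unicode.GetBytes('PS C:\Users\alice> Get-ChildItem C:\Temp') +
    @(0x00, 0x00, 0x01, 0x02) +
    [System.Text.Encoding]::ASCII.GetBytes('KERNEL32.dll') +
    @(0x00, 0x00) +
    [System.Text.Encoding]::Unicode.GetBytes('C:\Users\alice>dir C:\Temp')
$dumpPath = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-conhost.dmp'
[System.IO.File]::WriteAllBytes($dumpPath, $sample)

Get-ShellHistoryFromDump -Path $dumpPath
Remove-Item $dumpPath
```

    Run against the constructed dump, the two prompt lines come back and the module name is dropped by the prompt filter. The same two-pass scan is why a tool like Get-ShellContent can recover typed commands that a plain ASCII strings run never shows, and why the -Deep mode, which scans live process memory rather than a dump, is noisier: the wide-string pass also picks up every other UTF-16 string the process holds.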