Written by: Joseph Salazar, Technical Marketing Engineer – A few months ago, Attivo Networks released its ADSecure offering, which protects Active Directory against unauthorized queries. Before release, the solution went through extensive beta testing with several organizations that used Red Team security evaluations against it to gauge its effectiveness in detecting and misinforming unauthorized AD queries. Below is a case study in how the solution performed in such a scenario.
The organization is a financial services firm that regularly conducts security evaluations of its environment. It had recently deployed the Attivo Networks ThreatDefend® platform and agreed to test the ADSecure module during a Red Team engagement. The Red Team's objective was to reach the production AD Primary Domain Controllers (PDCs) and compromise them, with prior knowledge that deception technology was present in the environment. To aid the testing, they were given administrative privileges on the entry system.
The organization deployed multiple layers of deception as part of its ThreatDefend® platform deployment, including the ThreatStrike® endpoint deception suite with the ADSecure module and the BOTsink® deception server. They planted deceptive credentials on the endpoints and set up an entire decoy AD environment with fake AD servers. They also deployed decoys across the production VLANs, crafted to match production systems in DNS naming conventions, running services, and MAC address vendor prefixes. It is noteworthy that the ADSecure module did not touch or alter the operational AD infrastructure in any way.
In the first phase of the test, the Red Team landed on the entry systems and stole locally stored credentials. They then conducted several stealthy scans that blended in with well-recognized services to avoid detection: web connections to internal hosts that evaded the internal IDS, and TCP SYN sweeps that enumerated multiple systems without generating alerts. They also used the stolen credentials to gain access to several systems, where they attempted to map network shares with the stolen accounts. The ThreatDefend solutions detected all of these activities, generated alerts, and collected forensic detail on everything the Red Team did.
In the second phase, the Blue Team gave the Red Team administrative access to a system to simulate a successful compromise so they could test the effectiveness of the ADSecure solution. The Red Team installed several tools to aid them in locating and compromising the AD PDCs. They ran AD queries to enumerate the name of the PDC and then set out to steal credentials from other systems that would grant access to it. They used a tool to scrape the memory of the local host they controlled and tried the scraped credential against the PDC. Unfortunately for them, the attempt generated an alert from the ThreatDefend platform: the PDC they had enumerated was a decoy result returned by the ADSecure module installed on the system, and the credential they had scraped was a decoy ThreatStrike credential. The ADSecure module had detected the unauthorized query and returned false information pointing to a decoy PDC. When the Red Team used the fake credential scraped from memory, they logged onto a decoy AD server that recorded all their activities and generated multiple alerts on the intrusion.
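To make concrete what "queries to enumerate the name of the PDC" means in practice, the following PowerShell shows the common ways a domain-joined Windows host discovers which domain controller holds the PDC Emulator role. This is an added example for this write-up, not code from Attivo Networks or from the Red Team in the case study, and it assumes it is run on a domain-joined host where the current user can read the domain naming context; the `$Domain` variable is a placeholder populated from the environment. These are the kinds of DC Locator, LDAP and DirectoryServices requests that the case study describes ADSecure intercepting and answering with decoy data, so they are also the requests a defender would want visibility into.

```powershell
# Added example, not Attivo code. Assumes a domain-joined Windows host.
# Shows the usual paths by which an endpoint learns which DC is the PDC Emulator.
$Domain = $env:USERDNSDOMAIN   # assumption: populated on any domain-joined host

# 1. DC Locator via the Netlogon service (RPC/DNS based, no LDAP bind needed).
#    /PDC asks specifically for the DC holding the PDC Emulator role.
nltest /dsgetdc:$Domain /PDC

# 2. LDAP: the fSMORoleOwner attribute on the domain naming context holds the DN
#    of the NTDS Settings object of the PDC Emulator, e.g.
#    CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,...
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$ntdsDn   = [string]$domainNC.fSMORoleOwner
# Strip the leading "CN=NTDS Settings," RDN to reach the server object,
# whose dNSHostName is the FQDN of the domain controller.
$serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
$server   = [ADSI]"LDAP://$serverDn"
"PDC Emulator via LDAP fSMORoleOwner: $($server.dNSHostName)"

# 3. RSAT ActiveDirectory module, if it is installed on the host.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    "PDC Emulator via Get-ADDomain: $((Get-ADDomain -Identity $Domain).PDCEmulator)"
}

# 4. .NET System.DirectoryServices, which many tooling wrappers call underneath.
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).PdcRoleOwner
"PDC Emulator via DirectoryServices: $($pdc.Name)"
```

Each path reaches the same answer on an untouched domain, which is why a deception layer that wants to mislead enumeration has to cover the endpoint-side query interfaces rather than a single protocol; it is also why a Blue Team watching for reconnaissance would log these lookups from hosts that have no operational reason to make them.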
Believing that they had succeeded, the Red Team then ran several exploits on the “PDC” and documented their compromise of the AD environment. During the debrief, they recounted their activities and reported their results. The Blue Team then explained how the Red Team had fallen for the deception, from their initial incursions and scanning activity, the credential scraping and queries against AD, and the connection and compromise of the fake AD domain controller.
The exercise validated the capabilities of the ADSecure solution against an adversary versed in conducting activities to compromise AD. While the Red Team is just a proxy for an actual attacker and operates with defined Rules of Engagement, the ADSecure solution demonstrated that it could effectively detect unauthorized AD queries and present fake information while hiding critical AD objects from the results. For more information on the ThreatDefend Platform or the ADSecure solution, please visit www.attivonetworks.com.