Attackers have proven that they can evade the perimeter to establish a beachhead inside the network from which they can move laterally while using tactics to remain undetected. Traditional security controls cannot stop many of the in-network tactics that attackers use to elude detection while traversing the network.
The above graphic is a representation of a typical cyber attack cycle. The first system an attacker compromises from outside is just a beachhead, usually gained through social engineering (such as phishing emails) or by exploiting vulnerable externally exposed services. Once attackers compromise a host inside the network and establish their foothold, they must ensure that they can always return to continue the attack. They install back doors and remote access tools as persistence mechanisms and use covert communication channels to remain hidden. They must then break out of the beachhead to move around.
In the next stage of the cyber attack, they conduct discovery activities to identify subsequent targets. They search the local system for data and credentials they can steal to progress their attacks. They also query Active Directory (AD) from a domain-joined system and extract sensitive information, such as domain administrator accounts, domain controller addresses, service principal names, or Kerberos tickets. They can use this data to find targets, compromise systems, and elevate privileges.
Once they identify their next targets, they fingerprint the systems for any open ports or services to exploit or use the data they gathered from AD to compromise them. They then move laterally to the target and install their persistence mechanisms. They then look for sensitive or critical data to either use to further their cyber attacks or exploit for gain. They repeat this cycle of discovery, credential theft, privilege escalation, lateral movement, and data collection until they complete their mission. These steps can occur in any order and often do.
Providing In-Network Defenses with the ThreatDefend Platform
Security solutions deployed inside the network, such as IDPS, segmentation firewalls, EDR, and EPP, are good at preventing known cyber attacks from compromising internal systems. However, if attackers do succeed in establishing a beachhead, these controls have limited ability to detect the activity that follows, because attackers rely on native tools and living-off-the-land tactics to remain hidden.
The ThreatDefend platform provides early and accurate detection of in-network threats, regardless of attack method or surface, using deception and concealment technologies. It provides a comprehensive fabric that blankets the network with deceptive decoys, credentials, shares, bait, and other misdirections while hiding sensitive or critical data to derail adversaries early in the attack lifecycle. Automated intelligence collection, attack analysis, and third-party integrations accelerate incident response.
The ThreatDefend platform provides visibility into and protection against attacker lateral movement across the network, as highlighted below:
Derailing Internal Discovery:
- Deploy decoys mimicking critical servers, code repositories, databases, file servers, and other high-value assets
- Deploy ThreatDirect (TD) forwarders, either TD-VM or TD-EP, across all subnets to extend deception coverage
- Deploy the ThreatDefend® Deflect function to detect port and service discovery activities; the Deflect function turns every endpoint into a decoy and engages attackers as they fingerprint and discover network services
Denying Credential Stealing:
- Deploy ThreatStrike lures across all endpoints that lead attackers to decoys
- Deploy SMB mapped shares that point to decoys
- Apply DataCloak policies to restrict access to production network file shares, OneDrive mapped drives, or other sensitive storage from attacker tools
- Apply DataCloak policies to restrict access to data documents on endpoints from attacker tools
Detecting Credential Exposures:
- Find exposed lateral movement paths using the ThreatPath solution and remediate them
- Detect the appearance of new user accounts, privileged accounts, or service accounts on endpoints and in Active Directory using the ThreatPath solution
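An exposed lateral movement path is a chain of cached credentials and admin rights: compromise a host, dump the credentials of whoever is logged on there, use them on every host where those users are local administrators, and repeat until a Domain Admin credential is within reach. The following added example (written for this page, not ThreatPath's own logic) computes such paths over a constructed inventory and shows how removing one cached credential breaks the chain. Hostnames, users and groups are made up.

```python
"""Added example: find exposed lateral movement paths from cached credentials and admin rights.

Illustrative code written for this page, not ThreatPath's implementation. The inventory is
constructed. Attack model: compromise a host, harvest the credentials of users with sessions
there, use them wherever those users have local admin rights, repeat until a member of the
target group (Domain Admins) is reachable.
"""
from collections import deque

# Constructed sample inventory (hostnames, users and groups are made up for this example)
SESSIONS = {  # host -> users with a logon session (credentials cached in LSASS) on that host
    "WS01": {"alice"},
    "WS02": {"bob"},
    "FS01": {"bob", "svc_backup"},
    "SQL01": {"svc_backup", "dadmin"},
    "DC01": {"dadmin"},
}
GROUPS = {  # user -> AD group memberships
    "alice": {"Domain Users"},
    "bob": {"Domain Users", "Helpdesk"},
    "svc_backup": {"Domain Users"},
    "dadmin": {"Domain Users", "Domain Admins"},
}
ADMIN_RIGHTS = {  # principal (user or group) -> hosts where it is a local administrator
    "Helpdesk": {"WS01", "WS02", "FS01"},
    "svc_backup": {"SQL01"},
    "Domain Admins": {"WS01", "WS02", "FS01", "SQL01", "DC01"},
}
TARGET_GROUP = "Domain Admins"


def admin_hosts(user, groups, admin_rights):
    """Hosts where `user` is local admin, directly or through group membership."""
    hosts = set()
    for principal in {user} | groups.get(user, set()):
        hosts |= admin_rights.get(principal, set())
    return hosts


def find_path(start_host, sessions, groups, admin_rights, target_group=TARGET_GROUP):
    """Breadth-first search over an alternating host/credential graph.

    host -> every user with a session there (credentials the attacker can dump)
    user -> every host where that user is local admin (where the stolen credential works)
    Returns the shortest path [host, user, host, user, ...] ending at a credential that is
    a member of target_group, or None if no such path exists from start_host.
    """
    start = ("host", start_host)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        kind, name = node
        if kind == "user" and target_group in groups.get(name, set()):
            path = []
            while node is not None:
                path.append(node[1])
                node = parent[node]
            return path[::-1]
        if kind == "host":
            neighbours = [("user", u) for u in sessions.get(name, set())]
        else:
            neighbours = [("host", h) for h in admin_hosts(name, groups, admin_rights)]
        for nxt in sorted(neighbours):  # sorted only to make the output deterministic
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def remove_session(sessions, host, user):
    """Remediation: a copy of `sessions` without one cached credential (the effect of
    logging the account off that host or restricting where it may log on)."""
    fixed = {h: set(users) for h, users in sessions.items()}
    fixed.get(host, set()).discard(user)
    return fixed


if __name__ == "__main__":
    print("from WS02:", find_path("WS02", SESSIONS, GROUPS, ADMIN_RIGHTS))
    print("from WS01:", find_path("WS01", SESSIONS, GROUPS, ADMIN_RIGHTS))
    fixed = remove_session(SESSIONS, "FS01", "svc_backup")
    print("from WS02 after remediation:", find_path("WS02", fixed, GROUPS, ADMIN_RIGHTS))
```

From WS02 the search finds WS02 → bob → FS01 → svc_backup → SQL01 → dadmin: a helpdesk user's cached credential reaches a file server where a backup service account is logged on, and that account is admin on the SQL server where a Domain Admin has a session. Clearing the svc_backup session on FS01 removes the only path, which is the kind of remediation the item above calls for.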
Denying Active Directory Data Harvesting:
- Prevent and detect Kerberoasting with the ADSecure solution, which hides service accounts from attacker queries, mitigating Kerberoasting and Silver Ticket attacks while alerting in real time
- Detect attackers on domain-joined endpoints enumerating privileges in Active Directory, with real-time visibility into domain enumeration
- Use ADSecure to detect and prevent attacker lateral movement from a domain-connected system
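The attack-cycle description above (an attacker on a domain-joined host querying AD for service principal names and requesting Kerberos tickets) and the ADSecure item on Kerberoasting both come down to the same telemetry: Windows Security event 4769, logged on the domain controller for every service ticket request. The following added example (written for this page, not ADSecure's implementation) runs two detections over constructed 4769 records: the behavioural heuristic, one account requesting RC4 service tickets for several distinct service accounts in a short window, and the deception approach, a decoy service account whose SPN no legitimate client ever requests. The decoy account name, the user names and the IP addresses are assumptions for this example.

```python
"""Added example: two Kerberoasting detections over Windows Security event 4769 records.

Written for this page; not ADSecure's code. The events are constructed and use the field names
of event 4769's EventData (TargetUserName, ServiceName, TicketEncryptionType, IpAddress).
The decoy service account (svc_sqlreport) is an assumption for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # etype 23; Kerberoasting tools ask for RC4 tickets because they crack fastest
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_SERVICES = 3
DECOY_SERVICE_ACCOUNTS = {"svc_sqlreport"}   # assumed decoy: only attacker SPN enumeration finds it


def _ev(time, user, service, etype, ip):
    """Build one 4769-shaped record; TicketEncryptionType is the hex string the event shows."""
    return {"time": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed sample events (not real logs)
EVENTS = [
    _ev("2024-03-01T09:00:01", "bob@CORP.LOCAL", "svc_sql", "0x17", "10.0.1.15"),
    _ev("2024-03-01T09:00:02", "bob@CORP.LOCAL", "svc_web", "0x17", "10.0.1.15"),
    _ev("2024-03-01T09:00:02", "bob@CORP.LOCAL", "svc_backup", "0x17", "10.0.1.15"),
    _ev("2024-03-01T09:00:03", "bob@CORP.LOCAL", "svc_sqlreport", "0x17", "10.0.1.15"),  # decoy account
    _ev("2024-03-01T09:00:05", "bob@CORP.LOCAL", "FS01$", "0x17", "10.0.1.15"),          # computer account, ignored
    _ev("2024-03-01T09:03:00", "alice@CORP.LOCAL", "svc_web", "0x12", "10.0.2.20"),       # AES256, normal use
    _ev("2024-03-01T09:10:00", "alice@CORP.LOCAL", "svc_sql", "0x17", "10.0.2.20"),       # one RC4 request: benign
    _ev("2024-03-01T09:30:00", "alice@CORP.LOCAL", "svc_backup", "0x17", "10.0.2.20"),    # outside the window
]


def _etype(event):
    return int(event["TicketEncryptionType"], 16)


def detect_kerberoasting(events, window=WINDOW, min_services=MIN_DISTINCT_SERVICES):
    """Flag (user, source IP) pairs that request RC4 service tickets for at least
    `min_services` distinct user service accounts within `window`.

    Computer accounts (names ending in $) and krbtgt are skipped: their tickets are routine
    and are not Kerberoasting targets. One alert is emitted per actor.
    """
    requests = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        if _etype(e) != RC4_HMAC or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        key = (e["TargetUserName"], e["IpAddress"])
        requests[key].append((datetime.fromisoformat(e["time"]), svc))
    alerts = []
    for (user, ip), reqs in requests.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # distinct services requested in the window that starts at this request
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts.append({"user": user, "ip": ip, "services": sorted(services)})
                break
    return alerts


def detect_decoy_requests(events, decoys=DECOY_SERVICE_ACCOUNTS):
    """Any service ticket request for a decoy account is an alert, whatever the
    encryption type or request volume: nothing legitimate asks for it."""
    return [{"user": e["TargetUserName"], "ip": e["IpAddress"], "service": e["ServiceName"]}
            for e in events if e["ServiceName"] in decoys]


if __name__ == "__main__":
    for alert in detect_kerberoasting(EVENTS):
        print("Kerberoasting suspected:", alert)
    for hit in detect_decoy_requests(EVENTS):
        print("Decoy SPN requested:", hit)
```

The heuristic fires on bob (four distinct service accounts in two seconds, RC4 every time) and stays quiet on alice, whose RC4 requests are single and far apart. The decoy check fires on the same actor with one event and no threshold, which is why a hidden or planted service account is a stronger signal than volume: an attacker who enumerates SPNs from a domain-joined host cannot tell the decoy from a real target, and a single request for it is sufficient to alert.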
The unique functionality Attivo provides enhances existing security controls as another layer to detect attackers that elude their defenses. Investigators attribute the success of recent high-profile security breaches to a gap in in-network lateral movement detection and protection. Organizations should deploy the ThreatDefend platform as an internal security control to close that gap.