The quarter brings focus on doing things right the first time or fixing things to get them right. For Attivo Networks, this means helping customers by offering advice on best practices when implementing deception. This blog suggests some best practices to use when deploying endpoint deception components. Attivo Networks would also like to take this opportunity to thank cybersecurity researchers from the Government Technology Agency of Singapore (GovTech) for sharing their findings, which helps to better secure Attivo’s offerings.
The Attivo Networks ThreatDefend® Platform covers endpoints with two solutions, ThreatStrike® and ThreatPath®. The ThreatPath solution provides visibility into lateral attack paths that attackers can leverage based on stored credentials and misconfigurations on each system. The capability gives defenders awareness on where and how attackers can move from system to system using existing credentials stored there. It can also identify critical paths that allow attackers access to high-value assets. These could be credentials saved to the keychain or credential manager or forgotten stored credentials for users that are no longer with the organization. The solution not only informs security teams of these issues but can remediate them automatically as well.
To maximize value from ThreatPath, Attivo recommends taking a close look at the intervals when the solution checks for updated credentials. For the most part, the default setting is sufficient. However, an organization should account for the number of endpoints and the level of activity expected on the network and evaluate whether the default interval is adequate for its needs. Attivo also recommends defining critical paths organizations want ThreatPath to observe to make full use of the power of the solution. ThreatPath can generate alerts from blacklisted or whitelisted rules. For example, ThreatPath can specify an Active Directory group that has access to a resource and alert when anyone outside of that group attempts to use it, such as a user not part of the domain administrators group accessing an AD domain controller. One could also use ThreatPath to put specific users on a “watch list” and alert when that user ID accesses any resource as part of threat hunting efforts.
The ThreatStrike solution is the endpoint deception suite for the Attivo Networks ThreatDefend Platform. Working in tandem with the BOTsink® deception server, the ThreatStrike solution gives organizations a powerful capability to incorporate endpoints as part of their enterprise-wide deception fabric. With what the solution provides, Attivo recommends several best practices to gain the full value from the solution.
ThreatStrike works best when incorporated within the ThreatDefend platform’s full deception fabric that includes fake Active Directory servers and a decoy AD environment. While the solution can work standalone, Attivo recommends that organizations deploy it as part of a comprehensive deception fabric solution for complete coverage. ThreatStrike also works with the production AD environment. Attivo recommends using the auto-learning and deployment function for ease deployment. The ThreatStrike solution automatically customizes the credentials to mirror those of user accounts within production AD but only allows validation within the decoy environment. The solution also crafts credentials based on services and operating systems on each network segment. These accounts can be valid for the decoy domain, a specific decoy system, or a particular service present on a VLAN.
Attivo Networks supports the deployment of the ThreatStrike solution in Persistent and Non-Persistent modes. Attivo recommends that organizations use the solution persistently on the endpoint. This method does not install an agent on the endpoint but does add a service that updates the credentials and timestamps automatically. By updating the timestamps, the solution makes the stored credentials appear fresh and recently used. Most organizations use the default update setting as sufficient, but Attivo recommends evaluating this setting to validate that it meets one’s particular needs. When deployed persistently as a service, Attivo recommends that customers configure proper permissions to prevent a non-privileged user from making any changes to the software modules in the installed folder.
One additional module within the ThreatStrike suite adds capabilities to protect the organization further. The ADSecure module adds Active Directory deception at each endpoint without interfering or interacting with the production AD servers. The solution identifies unauthorized attacker queries at each member system, hides the valid high-value objects, and presents deceptive results to the attacker that points to decoys. This capability tightens the net around the attacker, increases the likelihood of early detection without impacting production.
Hopefully, these best practices are beneficial. From all of us at Attivo Networks, may this quarter bring greater security to you and your organization.