A Guide to Active Directory User Logon Metadata

This blog post is the first in a series about Active Directory attributes with values or behaviors that can be easily and inadvertently misinterpreted and misused. This series will provide information about these attributes, including both their limitations and their valid usages with respect to the administration of Active Directory. Active Directory user objects possess a number of logon metadata attributes that are often leveraged in Active Directory audit reporting and administration. One of their most common uses is to…

Pragmatic Data Security Best Practices: Part 1

Data security is a major issue for any company that has valuable information to protect. Breaches of that data can cost an organization dearly in the form of business disruption, loss of revenue, fines, lawsuits, and perhaps worst of all, the loss of trust between the organization and its customers and partners. But the challenge of securing all that data is daunting. It’s easy to lose sight of the fact that some small changes can have a major impact. Just…

Protecting Against DCShadow

What Organizations Can Do to Stop a DCShadow Attack

Recently, I came across a post outlining how companies CANNOT effectively defend against a DCShadow attack but instead need to take a reactive approach to identify when it may have occurred by monitoring their environment, and rolling back any unwanted changes once they were identified. Unfortunately, reacting to an incident could mean the damage is already done and a malicious actor has run off with the ‘keys to the kingdom’. The…

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 5

Now that we understand how monitoring authentication patterns and authentication-based attacks can lead to an overwhelming amount of data which prevents any meaningful analysis, we can focus on our fifth, and final, challenge of monitoring critical systems.

Challenge 5 – Permission Changes and Object Changes

Some of the most important changes to monitor within Active Directory are the changes to the security of the containers and objects. Permissions control who can elevate privileges by changing group policies, adding members to…

Advanced Data Security Features for Azure SQL - Part 2: Vulnerability Assessment

In my last blog post, we took a look at the Data Discovery & Classification features within the Advanced Data Security (ADS) offering for Azure SQL. In this blog post, we will take a deep dive into the Vulnerability Assessment. The SQL Vulnerability Assessment provides administrators with a streamlined approach to identify and even remediate potential security misconfigurations or vulnerabilities within their Azure SQL databases. The Vulnerability Assessment is a scanning service that contains a set of built-in rules based…

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 4

In the last post, we discussed monitoring directory reads. One of the limitations of Active Directory is that it offers no easy way to monitor suspicious read events, which can help you detect reconnaissance activity and stop an attack before it happens. Now let’s look at the next challenge, tracking authentication events.

Challenge Four – Tracking Authentication Events

With the recent surge of credential-based attacks, monitoring authentication patterns is critical to identify compromised accounts, signs of pass-the-hash and pass-the-ticket attacks, forged Kerberos…

Microsoft Teams Quick Admin Guide to Collaborating Safely with External Users

According to a study conducted by Mio, 91% of businesses use at least two messaging apps, of which Slack and Microsoft Teams are present in 66% of the organizations surveyed. Teams adoption has been growing quickly due to its interoperability with the rest of the Office 365 suite, which makes collaborating easier than ever. While collaboration is great, security is a major concern for organizations that are still considering the move to Teams from Slack, Skype, etc. The great double-edged…

The Problem with PAM: Implementing Privileged Access Management Without the Pain

What Does PAM Mean To You?

The term is not as straightforward as most people think… it has evolved over the years in parallel with the ever-changing security landscape. Take any combination of password management, least privilege, and session management, then throw in a smattering of role-based directory groups and you’ve kinda got it. The key misunderstanding though is that a PAM solution must come wrapped around a password vault. This is not to say that password vaults are not…

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 3

So far in this series, we’ve learned that changes to groups with extensive privilege within an Active Directory (AD) environment are the target for many hackers. We then looked at how Active Directory isn’t able to log the changes made to Group Policy settings, which can lead to an attack or production outage.

Challenge 3 – Monitoring Directory Reads

Another aspect of detecting Active Directory attacks is understanding how users are reading and enumerating AD objects. When attackers are looking…

ProTip: Using the AIC to Identify Employees Attempting to Access Data They Shouldn’t Be

Breaches are an everyday occurrence. IT security professionals work tirelessly to protect against attackers penetrating their organization’s IT infrastructure, but what about the malicious insider? Do you ever wonder if users in your organization are poking around where they shouldn’t be? An easy way to investigate, using out-of-the-box capabilities aligned with StealthAUDIT 9.0 and our Access Information Center (AIC), is to leverage the activity information available via STEALTHbits Technologies:

Step 1) Select any “sensitive” folder (for example HR or Finance)…
