When we released StealthDEFEND 2.0 earlier this year, we knew we were breaking new ground in the Active Directory security space. We had delivered a solution purpose-built to detect the most advanced attacks against Active Directory in real time, drastically reducing time to detection while increasing the ability for organizations to respond to these attacks quickly and efficiently. The response (pun intended) has been tremendous.
In version 2.1, we’re taking StealthDEFEND to another level with a plethora of usability enhancements, threat model refinements, and general improvements. Most interesting, however, is what we’ve done to help you become more proactive in the fight against Active Directory credential theft and account compromise.
Introducing the Honeytoken
Commonly used and highly successful credential compromise techniques like Pass-the-Hash and Pass-the-Ticket are notoriously difficult to detect amidst the noise of everyday activities within Active Directory. To an observer, they appear to be legitimate authentication events, and to Active Directory, they are. However, deception methods like honeypots have proven particularly effective at capturing, at a minimum, less savvy or careless attackers, allowing security practitioners to proactively detect and thwart attempts to compromise their credentials and the resources they provide access to.
In StealthDEFEND 2.1, users now have the ability to employ a new application of the honeypot concept through the use of centrally managed honeytokens, creating a digital tripwire throughout their infrastructure and providing an early warning alert that allows security teams to respond quickly and with confidence. With reduced time to detection potentially earlier in the kill chain, organizations can significantly mitigate the risks and impact of successful data breach outcomes.
How do StealthDEFEND honeytokens work?
Some of you may know that honeytokens aren’t a “new” thing. A Pass-the-Hash Honeypot was first introduced by Mark Baggett of the SANS Institute years ago. The premise was that by inserting fake credentials into LSASS memory, you could deduce that a credential theft attempt must have occurred if someone retrieves and attempts to use them. Pretty clever. However, what we’ve aimed to do in StealthDEFEND 2.1 is both “operationalize” and improve upon the honeytoken concept.
First, we enabled StealthDEFEND to create, deploy, manage, and monitor honeytokens in bulk and in a centralized fashion. This allows honeytokens to be leveraged at scale. Additionally, one of the aspects of the equation we paid particular attention to was the ability to provide users with configuration and customization capabilities that ensure each honeytoken looks and feels real. This is critical for obvious reasons.
Furthermore, and just as importantly, we improved upon the honeytoken concept by developing a patent-pending approach to determining whether or not the attacker is attempting to sniff out the honeytoken before attempting to use it. So in essence, it doesn’t matter whether they actually use the honeytoken or not. Even the attacker’s reconnaissance activities will trigger a definitive alert on foul play. Clever and cool!
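The tripwire logic described above, as an added example: this is not Stealthbits code and does not reproduce StealthDEFEND's patent-pending reconnaissance detection. The decoy account names, the pre-parsed event dictionaries, and the use of Windows event 4662 (with ObjectName already resolved to a distinguished name) as a stand-in reconnaissance signal are assumptions.

```python
HONEYTOKENS = {"svc_sqlbackup", "adm_jwalsh"}  # hypothetical decoy accounts

# Windows Security event IDs that carry the authenticating account name.
USE_EVENTS = {4624: "logon success", 4625: "logon failure",
              4768: "Kerberos TGT request", 4776: "NTLM credential validation"}
RECON_EVENT = 4662  # directory object access; assumes a SACL audits reads of decoys

def normalize(account):
    """Reduce domain-prefixed, UPN and mixed-case names to a bare lowercase name."""
    name = (account or "").strip().lower()
    name = name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0]

def decoy_in_dn(object_name):
    """Return the decoy name if the leading CN of a distinguished name is a decoy."""
    first_rdn = (object_name or "").split(",", 1)[0].strip().lower()
    cn = first_rdn[3:] if first_rdn.startswith("cn=") else ""
    return cn if cn in HONEYTOKENS else None

def classify(event):
    """Return an alert for any event that touches a decoy, else None."""
    eid = event.get("EventID")
    if eid in USE_EVENTS:
        name = normalize(event.get("TargetUserName"))
        if name in HONEYTOKENS:  # nobody legitimate holds these credentials
            return {"kind": "use", "account": name, "detail": USE_EVENTS[eid],
                    "source": event.get("IpAddress") or event.get("Workstation")}
    elif eid == RECON_EVENT:
        name = decoy_in_dn(event.get("ObjectName"))
        if name:  # the decoy was looked up before any attempt to use it
            return {"kind": "recon", "account": name, "detail": "directory read",
                    "source": event.get("SubjectUserName")}
    return None

def scan(events):
    """Classify every event and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]

# Constructed sample events (not real logs).
SAMPLE = [
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.4.17"},
    {"EventID": 4662, "SubjectUserName": "CORP\\bob",
     "ObjectName": "CN=svc_sqlbackup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4776, "TargetUserName": "SVC_SQLBackup", "Workstation": "WKS-221"},
    {"EventID": 4768, "TargetUserName": "adm_jwalsh@CORP.EXAMPLE",
     "IpAddress": "::ffff:10.0.4.52"},
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Because no legitimate process ever authenticates with a decoy, every alert here is high-confidence; the `source` field gives responders the host or account to investigate first.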
As an addition to StealthDEFEND’s wide array of threat detection and response capabilities, the honeytoken provides yet another useful arrow in the quiver for security practitioners charged with protecting their two most vulnerable targets – credentials and data.
Adam Laub is Stealthbits Technologies’ Chief Marketing Officer (CMO). As CMO, Adam is responsible for corporate marketing, communications, and AR/PR, demand generation, product marketing, events, and marketing operations. Additionally, he and his team participate heavily in setting product strategy, defining future roadmap, driving strategic sales engagements, supporting demand generation activities, enabling the sales organization, and all aspects of product evangelism.
Since joining Stealthbits in 2005, Adam has held multiple positions within the organization, including Sales, Marketing, Product Management, and Operational Management roles.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.