In our fifth edition of the Insider Threat Podcast, we caught up with Gabriel Gumbs, who has just spent the week at Black Hat 2017. Gabriel is the STEALTHbits VP of Product Strategy, and his mission was to meet with some of our customers and partners at the show as well as bring back any interesting exploits and vulnerabilities that were on display for us to chew on. He certainly found a few. There were, of course, the usual set of topics that have been mainstays for years: security for the cloud, and leveraging analytics and emerging machine learning methods to help us do our hunting more effectively. There was a bigger focus on IoT (Internet of Things) than in years past. Given the waves of IoT botnets that have been roaming the web in packs over the last 18 months, that is no surprise.
IoT botnets were not the bots we were looking for, though. We were much more interested in the Active Directory-based botnet that researchers from Threat Intelligence presented. This AD botnet represents a big shift in the way the bad guys may view AD going forward. AD has typically been a target. It is an end – you get data like passwords and PII from its records. This new attack turns AD into a means: a means to gain persistence and movement across segmented networks. Done well, this trick isn’t something that will affect AD in any real way. That means it will not be apparent unless you’re looking for it pretty specifically.
The AD botnet was only one of three big stage sessions dedicated to AD security. All of them brought new twists to how bad guys can attack AD as part of a greater mission to steal enterprise data. In the podcast we run down all three, and we look forward to Gabe writing a detailed series of blog posts on each one: what it means, and how STEALTHbits can help prevent and defend your Active Directory against all of them.
Click here to listen to the podcast.
To be notified of Insider Threat Podcast episodes, sign up here.