INSIDER THREAT SECURITY BLOG

Active Directory allows object creations, updates, and deletions to be committed to any authoritative domain controller. This is possible because every Active Directory domain controller maintains a writable copy of its own domain’s partition – except, of course, Read-Only Domain Controllers. After a change has been committed, it is replicated automatically to other domain controllers through a process called multi-master replication. This behavior allows most operations to be processed relia…

The global catalog is a feature of Active Directory (“AD”) domain controllers that allows for a domain controller to provide information on any object in the forest, regardless of whether the object is a member of the domain controller’s domain. Domain controllers with the global catalog feature enabled are referred to as global catalog servers and can perform several functions that are especially important in a multi-domain forest environment: Authentication. During an interactive …

AD Installation Overview As the primary authentication service in the majority of organizations worldwide, the health and operational integrity of Active Directory has a direct impact on the overall security of your organization. The capability to rollback and recover from changes to your Active Directory infrastructure, whether accidental or malicious, is an important and often overlooked aspect of your ability to maintain the security and performance of your network When Active D…

Recently, I was doing some research on password security using breached password databases to understand the value they bring when trying to improve overall password security. One very good database is the “Have I been pwned” database. I’ve Been Pwned Have I Been Pwned Database For those of you who have not used this excellent public resource, it’s a collection of over 551 million unique breached password hashes. The website allows you to see if your username or password has been…

Editor’s note: This is the 5th and final blog series around Active Directory (AD) backup and recovery using Stealthbits, StealthRECOVER. Read the 1st blog An Introduction to Active Directory Backup and Recovery, the 2nd blog Active Directory Object Recovery, the 3rd blog Active Directory Recover (Recycle Bin), and the 4th blog How to Rollback and Recover Active Directory Object Attributes. Welcome to the final post in this Active Directory Backup and Recovery blog series, which will discus…

In this blog post, we’ll be discussing the topic of the AdminSDHolder object in Active Directory and how it can be utilized in Active Directory attacks. Finally, we will discuss how to use StealthDEFEND to detect and respond to this type of attack. Introduction to the “AdminSDHolder” The AdminSDHolder is an Active Directory object that is basically a container to essentially act as a security descriptor template for protected accounts and groups in an Active Directory domain A securi…

Editors note: This is the 4th in a series of blogs around Active Directory (AD) backup and recovery using STEALTHbits, StealthRECOVER. Read the 1st blog, An Introduction to Active Directory Backup and Recovery, the 2nd blog, Active Directory Object Recovery, and the 3rd blog Active Directory Recover (Recycle Bin). The previous two posts in this series focused on Active Directory deleted object recovery. This post will explore a different type of Active Directory recovery. C…

If you have been following our 4 part blog series, “Challenges with Relying on Native File System Logging” you have seen some of the many challenges of auditing and collecting file activity natively. The blog series is also going to be followed by an awesome webinar. If you haven’t seen any of the blog posts be sure to check them out: NetApp File Activity MonitoringWindows File Activity Monitoring Challenges with Native File System Access AuditingEMC File Activity Monitoring In this mon…

Note: This blog is the third in a 4 part series, followed by a webinar to review all the challenges with File System access auditing. Sign up now for the webinar “Challenges with Relying on Native File System Logging“. Register now. In our last post, we walked through configuring file access auditing on a Windows File server and explored some of the common challenges with data interpretation. In this post, we will take a similar look at file access auditing on a NetApp CMode File Serv…

Cyber-crime continues to evolve – especially over the last year in terms of ransomware. Ransomware used to be largely a spray-and-pray proposition where attackers used automated tools to spread and encrypt as fast as possible, with immediate ransom demands. Those did enough damage. However, cybersecurity researchers are reporting a new, more patient and human-driven extortion scheme where criminals infect many networks but only select larger organizations with deeper pockets. In these larg…