Detecting Attacks Using Active Directory Authentication Analytics

Detecting Attacks Using Active Directory Authentication Analytics

When a user logs on to their workstation in the morning, Active Directory authenticates them and authorizes their access. When they access a network file share or SharePoint site, RDC to another system, log into CRM, open up Outlook, or do any number of things where access is involved, AD handles the request and approves or denies entry. Active Directory is the authentication and authorization hub of nearly every organization’s IT infrastructure, and it sees all.

The vast amount of the events contained within your Domain Controller Security Logs are records of all of those authentications that AD has been handling. There’s a wealth of information hidden within the millions or even billions of events that have been gathered (probably just in a single day), but how do you separate the wheat from the chaff to surface what really matters?

Many organizations leverage Security Information and Event Management (SIEM) solutions to do the heavy lifting for them. They pull in all the security logs from all their Domain Controllers and poof!…like magic, all of the anomalies and bad actors are illuminated with all the details they’ll need to plug all their most glaring security holes.

If only it were that easy…

Authentication data can answer so many of the most difficult questions Security, Compliance, and Operational administrators face, provided you know what to look for and how to look for it. Want to know which Service Accounts are being used and from where? Authentication data will tell you. Want to know how Privileged Admins are using their credentials? Authentication data will tell you. Want to know which applications you’re going to break when you decommission a Domain Controller? You guessed it! Authentication data will tell you.

Working with authentication data is difficult though. There’s a ton of it – Gigabytes and Terabytes of it over very short periods of time – and all the data you need to catch the really bad stuff like Brute Force Attacks, Horizontal Account Movement (a great indicator of Pass-the-Hash), or Account Hacking isn’t always just in the Domain Controller Security Logs alone. To get those details, you’re going to need to grab all your member server security logs as well, which means putting an agent out on every box and pointing it to SIEM. Once it’s in SIEM, you’ll also need someone that understands these logs inside and out, and can write the logic and rules to detect abnormal patterns of activity.

Brute Force Attack Horizontal Account Movement Account Hacking
Repeated failed authentications against systems and other network assets in a specified time range User account authentications across multiple network assets in a specified time period Repeated failed logins below lockout thresholds and/or over extended periods

There is another way though…

StealthINTERCEPT Active Directory firewall technology monitors and analyzes all authentication activity in real-time, without any reliance on native logging. Using in-memory analysis techniques, StealthINTERCEPT will detect patterns of behavior indicative of things like malware infection or network reconnaissance as they are unfolding, and alert on them or send them directly to the SIEM of your choosing for alerting and correlation with other network data. It’s the needle without the haystack, and it’s much more useful, efficient, and cost-effective than any other method.

Learn more.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Start a Free StealthAUDIT® Trial!

No risk. No obligation.