Transforming Active Directory Security
Five years ago we introduced the StealthINTERCEPT product line, to address the growing requirement for a comprehensive Active Directory change and access monitoring solution. We know that Active Directory is safest when it is clean, properly configured, closely monitored, and tightly controlled – that is exactly what StealthINTERCEPT has been successfully doing for its users.
The security implications of a well-maintained and monitored AD environment have grown significantly in the years since we first released StealthINTERCEPT. We have covered many of the attacks that take advantage of misconfigurations or weaknesses in AD across several blog series, including Jeff Warren’s AD Attack series. Tools such as MimiKatz are now ubiquitous among attackers and defenders alike – in fact, just this week the author of MimiKatz, Benjamin Delpy, is unveiling yet another attack against AD, dubbed “DCShadow”. The attack turns a compromised workstation into a Domain Controller and can push changes that your SIEM never sees.
These are the reasons we chose to invest as heavily as we have in protecting Active Directory with the 5.0 release of StealthINTERCEPT. StealthINTERCEPT remains the best AD change and access monitoring solution, and it already incorporates security controls to prevent incidental or malicious changes; with 5.0 we built on that foundation to help thwart critical elements of credential theft attacks.
StealthINTERCEPT 5.0 limits the exposure of privileged credentials across multiple threat vectors. From the StealthINTERCEPT LSASS Guardian™ which protects against memory injection attacks to DCSync protection and enforcement of ESAE Administrative Forest Designs, StealthINTERCEPT 5.0 combines cutting-edge enhancements and enforcement of recommended practices to elevate Active Directory security.
A closer look at StealthINTERCEPT 5.0
STEALTHbits LSASS Guardian™ is a new security feature designed to detect and prevent unauthorized code injection into the Local Security Authority Subsystem Service (LSASS) of Active Directory Domain Controllers.
Some of the attacks that LSASS Guardian™ Protects against include:
- Skeleton Key Attacks – Skeleton Key malware “patches” the security system so that a new master password is accepted for any domain user, including admins. This lets the attacker log on as any user they want with the master password (skeleton key) configured in the malware.
- MemSSP – Inject a malicious Windows SSP (security support provider) to log locally authenticated credentials.
- SID History Tampering – SID History effectively lets one account’s access be cloned onto another. A regular user account in the domain LightHouseINC can carry LightHouseINC SIDs in its SID History, and if those SIDs belong to privileged accounts or groups, that regular user account effectively holds Domain Admin rights without being a member of Domain Admins.
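The SID History point above is easy to audit for: a migrated SID legitimately comes from a different (source) domain, and it should never be a well-known privileged RID. The following is an added example written for this post, not StealthINTERCEPT code; the account records are constructed, and the set of privileged RIDs is the one a practitioner would normally start from (Administrator, Domain/Schema/Enterprise Admins, built-in Administrators).

```python
import re

# Well-known RIDs that confer privilege when they appear in sIDHistory.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
    544: "Administrators (built-in)",
}

# Matches domain SIDs (S-1-5-21-x-y-z-RID) and built-in SIDs (S-1-5-32-RID).
_SID_RE = re.compile(r"^(S-1-5-(?:21-\d+-\d+-\d+|32))-(\d+)$")


def split_sid(sid):
    """Return (domain_part, rid) for a SID string, or (None, None) if malformed."""
    m = _SID_RE.match(sid)
    if not m:
        return None, None
    return m.group(1), int(m.group(2))


def audit_sid_history(accounts, current_domain_sid):
    """accounts: list of {'sam': str, 'sidHistory': [sid, ...]} records.
    Returns (sam, sid, finding) tuples. Two checks are applied:
      1. a sIDHistory entry from the *current* domain cannot be a migration, so
         it was written by something other than a migration tool;
      2. any entry whose RID is a well-known privileged RID grants admin-level
         access without group membership."""
    findings = []
    for acct in accounts:
        for sid in acct.get("sidHistory", []):
            domain_part, rid = split_sid(sid)
            if domain_part is None:
                findings.append((acct["sam"], sid, "malformed SID"))
                continue
            if domain_part == current_domain_sid:
                findings.append((acct["sam"], sid, "same-domain SID in sIDHistory (not a migration)"))
            if rid in PRIVILEGED_RIDS:
                findings.append((acct["sam"], sid, f"privileged RID: {PRIVILEGED_RIDS[rid]}"))
    return findings


# Constructed sample: CORP is the current domain, OLDCORP a real migration source.
CORP_SID = "S-1-5-21-111-222-333"
SAMPLE_ACCOUNTS = [
    {"sam": "jdoe",     "sidHistory": ["S-1-5-21-111-222-333-512"]},   # tampered: own domain, Domain Admins
    {"sam": "migrated", "sidHistory": ["S-1-5-21-444-555-666-1105"]},  # normal migrated user
    {"sam": "backup",   "sidHistory": ["S-1-5-21-444-555-666-519"]},   # Enterprise Admins from source domain
]


def run_sample():
    return audit_sid_history(SAMPLE_ACCOUNTS, CORP_SID)


if __name__ == "__main__":
    for sam, sid, finding in run_sample():
        print(f"{sam}: {sid} -> {finding}")
```

In a live environment the account records would come from an LDAP query for objects with a populated sIDHistory attribute; the checks themselves do not change.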
DCSync Detection & Prevention
DCSync attacks work by impersonating a Domain Controller and requesting account password data from a targeted Domain Controller over the network. This pulls current and previous password hashes without requiring an interactive logon or direct access to Active Directory’s database, the NTDS.dit file. We covered how these attacks are executed in a past blog post.
StealthINTERCEPT 5.0 now detects attempts to execute DCSync attacks and can also prevent them!
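The detection side of DCSync, as an added example written for this post (not StealthINTERCEPT code): when directory service access auditing is on, a replication request is logged as Windows event 4662 whose Properties field carries the control-access-right GUIDs being exercised. The three replication GUIDs are the documented Microsoft extended-right GUIDs; the event records, the DC list and the allow-list (for a directory sync service account) are constructed.

```python
# Control-access-right GUIDs a replication request exercises (Microsoft extended rights).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def replication_rights_in(properties):
    """Names of replication rights referenced in a 4662 Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def detect_dcsync(events, dc_accounts, allowed_accounts=()):
    """Flag 4662 events in which a principal that is neither a Domain Controller
    computer account nor an explicitly allowed sync account requests replication.
    Get-Changes-All is what exposes password hashes, so it raises the severity."""
    dcs = {a.lower() for a in dc_accounts}
    allowed = {a.lower() for a in allowed_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.lower() in dcs or subject.lower() in allowed:
            continue
        alerts.append({
            "subject": subject,
            "domain": ev.get("SubjectDomainName", ""),
            "rights": rights,
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return alerts


# Constructed sample events in the shape of parsed 4662 records (Properties holds
# the GUIDs in braces, one per line, as the event viewer shows them).
_BOTH = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP", "Properties": _BOTH},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectDomainName": "CORP", "Properties": _BOTH},
    {"EventID": 4662, "SubjectUserName": "MSOL_sync", "SubjectDomainName": "CORP",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},   # placeholder, unrelated right
    {"EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "Properties": ""},
]


def run_sample():
    return detect_dcsync(SAMPLE_EVENTS, dc_accounts=["DC01$", "DC02$"], allowed_accounts=["MSOL_sync"])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The DC list should be generated from the directory (the Domain Controllers OU) rather than maintained by hand, since a stale list is exactly what lets a rogue replication request pass as legitimate.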
Enterprise Password Enforcer
In 2016 the Verizon Data Breach Investigations Report stated that 63% of confirmed data breaches leveraged a weak, default, or stolen password. The 2017 Verizon DBIR reported that 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
The newly introduced StealthINTERCEPT Enterprise Password Enforcer proactively blocks weak and compromised passwords – regardless of whether or not they meet complexity requirements – further enforcing password hygiene and reducing the opportunity for attackers to crack or guess passwords, whether in automated or manual fashion.
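Why complexity rules alone are not enough, as an added example written for this post (not Enterprise Password Enforcer’s logic): a password such as “P@ssw0rd2018!” satisfies a typical three-of-four character-class rule yet normalizes to a word on every breach list. The compromised-word set, the leet-speak substitution table and the complexity policy (8 characters, three character classes) are assumptions chosen for illustration.

```python
import re

# Constructed sample of compromised base words; a deployment would check against a
# breach corpus of millions of entries instead.
COMPROMISED = {"password", "welcome", "summer", "letmein", "qwerty", "changeme"}

# Common substitutions that cracking wordlists already undo (assumed table).
_LEET = str.maketrans("@$!013457", "asioleast")
_TRAILING = re.compile(r"[\d\W_]+$")


def normalize(password):
    """Collapse a password to the base word an attacker would try first:
    lower-case it, drop trailing digits/symbols, undo leet substitutions."""
    base = _TRAILING.sub("", password.lower())
    return base.translate(_LEET)


def meets_complexity(password, min_len=8):
    """Assumed policy: minimum length and at least three of four character classes."""
    classes = (
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"\d", password),
        re.search(r"[^A-Za-z0-9]", password),
    )
    return len(password) >= min_len and sum(1 for c in classes if c) >= 3


def evaluate_password(password, username, compromised=COMPROMISED):
    """Return (accepted, reason). A password that passes the complexity policy is
    still rejected when it contains the account name or normalizes to a
    compromised word."""
    if not meets_complexity(password):
        return False, "fails complexity policy"
    if username and username.lower() in password.lower():
        return False, "contains the account name"
    base = normalize(password)
    if base in compromised:
        return False, f"normalizes to compromised word '{base}'"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2018!", "Welc0me!", "Tr0ub4dor&3", "jdoe2024!X", "short"):
        print(candidate, "->", evaluate_password(candidate, "jdoe"))
```

The ordering matters for the user-facing message: the complexity result is reported first so that a rejection never reveals whether the candidate also appeared on the compromised list.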
These are just some of the highlights of StealthINTERCEPT 5.0; we have packed many more features into this release. If you would like to learn more or download a free trial, please sign up for our upcoming webinar and visit our product page.
- Webinar: https://go.stealthbits.com/l/71852/2018-01-16/7p2pww
- What’s New in StealthINTERCEPT 5.0 stealthbits.com/new-stealthintercept-release
Gabriel Gumbs is the VP of Product Strategy at STEALTHbits Technologies responsible for end-to-end product vision and innovation. With a 16 year tenure in CyberSecurity, he has spent most of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.