ProTip – Active Directory Advanced Threat Analytics and Response


STEALTHbits Technologies’ most recent release, StealthDEFEND 2.0, brings with it a whole new suite of advanced threat analytics inside of Active Directory (AD). If you are already a user of StealthDEFEND, you are already aware of the response and analytics it provides for file system monitoring by leveraging machine learning and user behavior analytics. Now, with StealthDEFEND 2.0 and its expansion into new threats and monitoring capabilities around AD, STEALTHbits Technologies is uniquely positioned to address threat protection for common and popular attacks inside of AD, like Password Spraying, AdminSDHolder ACL Tampering, Golden Ticket, Kerberoasting and many more! In this month’s pro-tip I will walk you through some of the new threats and how you can also set up your own custom AD alerts and threat response plans.

If you haven’t already checked out the STEALTHbits Cyber Kill Chain Attack Catalog, be sure to take a look. It is a great resource not only to learn about the common attacks for credential and data theft but also to learn about the prevention techniques you are able to leverage using our products. StealthDEFEND specifically will help with real-time analytics into a lot of these attack scenarios. Deploying the product out-of-the-box will allow you to monitor for various threats right away. For example, very common monitoring focused on sensitive security group changes or exposed administrative credentials is already set up. On top of that, even more meaningful analytics around abnormal AD behavior will be monitored in your environment as well. Just like the UBA and machine learning for our File System module, our AD module will also learn your environment and track normal behavior profiles. Anything that deviates from those profiles, such as authenticating from different workstations or repeated unsuccessful authentication events, will be detected. How about when someone makes an insecure UAC change on a user object? StealthDEFEND will automatically detect that too. A lot of users love having all of these threats already available and of course have the option to turn on or off any of the out-of-the-box threats.

As I mentioned earlier, you also have the capability to set up and be alerted on your own custom threats in the product as well. Our Investigation Builder now includes AD changes and authentication filters for you to customize and set up your own alerts. Just like with the out-of-the-box threats, you can also set up specific response plans and preventative actions to take place for your custom threats as well. That capability helps a lot of our end users with setting up monitoring within critical areas of AD and specific changes being made to groups, users, etc. Our Actions Engine can deploy actions such as step-up authentication, requiring a password reset, posting incident alerts to various platforms (Microsoft Teams, Slack, ServiceNow, SIEM, etc.), disabling an account, and many more! You can even set up multiple steps within one response and below is a common example for a Password Spraying response plan:
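To make the authentication analytics described above concrete, here is a small detector for the password-spraying pattern that the response plan reacts to. This is an added example written for this post; it is not StealthDEFEND's own detection logic or any code from STEALTHbits. The event records are constructed sample data, modelled on the Windows Security event IDs 4625 (failed logon) and 4771 (Kerberos pre-authentication failure); the ten-minute window and the five-account threshold are assumed tuning values you would adjust for your environment.

```python
"""
Added example, not STEALTHbits code: a minimal password-spraying detector.

A spray looks different from a brute force in the logs: one source produces
a few failures each for MANY distinct accounts inside a short window, instead
of many failures for one account. The detector slides a time window over each
source's failed logons and counts distinct target accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows Security event IDs: 4625 = failed logon, 4771 = Kerberos pre-auth failed
FAILED_LOGON_EVENT_IDS = {4625, 4771}

# Constructed sample records (not real telemetry): (time, event_id, account, source_ip)
SAMPLE_EVENTS = [
    # one host trying a password against many accounts within seconds: a spray
    ("2024-01-15T08:00:01", 4625, "alice", "10.0.0.50"),
    ("2024-01-15T08:00:03", 4625, "bob",   "10.0.0.50"),
    ("2024-01-15T08:00:05", 4625, "carol", "10.0.0.50"),
    ("2024-01-15T08:00:07", 4625, "dave",  "10.0.0.50"),
    ("2024-01-15T08:00:09", 4625, "erin",  "10.0.0.50"),
    ("2024-01-15T08:00:11", 4625, "frank", "10.0.0.50"),
    # one user mistyping their own password a few times: not a spray
    ("2024-01-15T08:02:00", 4625, "grace", "10.0.0.77"),
    ("2024-01-15T08:02:10", 4625, "grace", "10.0.0.77"),
    ("2024-01-15T08:02:20", 4625, "grace", "10.0.0.77"),
    # older failures from the same host, outside the window, must not be counted
    ("2024-01-14T08:00:00", 4771, "heidi", "10.0.0.50"),
    ("2024-01-14T08:00:02", 4771, "ivan",  "10.0.0.50"),
    # a successful logon (4624) is ignored by this detector
    ("2024-01-15T08:03:00", 4624, "judy",  "10.0.0.90"),
]


def parse_events(records):
    """Turn the constructed tuples into (datetime, event_id, account, source_ip)."""
    return [(datetime.fromisoformat(ts), eid, acct, ip) for ts, eid, acct, ip in records]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: set_of_accounts} for every source whose failed logons
    hit at least `min_accounts` distinct accounts inside any `window`.
    Window length and threshold are assumed values; tune them per environment."""
    failures = defaultdict(list)
    for ts, eid, acct, ip in events:
        if eid in FAILED_LOGON_EVENT_IDS:
            failures[ip].append((ts, acct))

    alerts = {}
    for ip, items in failures.items():
        items.sort()  # chronological order so the sliding window is valid
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {acct for _, acct in items[start:end + 1]}
            if len(accounts) >= min_accounts:
                # keep the widest set of targeted accounts seen for this source
                if ip not in alerts or len(accounts) > len(alerts[ip]):
                    alerts[ip] = accounts
    return alerts


if __name__ == "__main__":
    for ip, accounts in detect_password_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible password spray from {ip}: {len(accounts)} accounts -> {sorted(accounts)}")
```

The output of `detect_password_spray` is the same shape of fact a response plan consumes: one offending source plus the list of targeted accounts, which is what you would post to Teams, Slack or a SIEM and use to decide which accounts get a forced reset or step-up authentication. Note that the single user who mistypes a password three times is deliberately not flagged; the distinct-account count, not the raw failure count, is what separates a spray from ordinary user error.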

Why not start out this year the right way by adding preventative measures and real-time analytics in both Active Directory and the File System? Initiatives around response plans to these very popular and common attacks are essential to any organization. STEALTHbits is here to help with StealthDEFEND and enable our unsupervised machine learning for your organization!

To learn more about StealthDEFEND and how you could leverage it in your own environment, request a free trial.

