When we released StealthDEFEND 2.0 earlier this year, we knew we were breaking new ground in the Active Directory security space. We had delivered a solution purpose-built to detect the most advanced attacks against Active Directory in real time, drastically reducing time to detection while increasing the ability for organizations to respond to these attacks quickly and efficiently. The response (pun intended) has been tremendous.
In version 2.1, we’re taking StealthDEFEND to another level with a plethora of usability enhancements, threat model refinements, and general improvements. Most interesting, however, is what we’ve done to help you become more proactive in the fight against Active Directory credential theft and account compromise.
Commonly used and highly successful credential compromise techniques like Pass-the-Hash and Pass-the-Ticket are notoriously difficult to detect amidst the noise of everyday activities within Active Directory. To an observer, they appear to be legitimate authentication events, and to Active Directory, they are. However, the use of deception methods like honeypots has proven to be particularly effective in capturing less savvy or careless attackers at a minimum, allowing security practitioners to proactively detect and thwart attempts to compromise their credentials and the resources they provide access to.
In StealthDEFEND 2.1, users now have the ability to employ a new application of the honeypot concept through the use of centrally managed honeytokens, creating a digital tripwire throughout their infrastructure and providing an early warning alert that allows security teams to respond quickly and with confidence. With reduced time to detection potentially earlier in the kill chain, organizations can significantly mitigate the risks and impact of successful data breach outcomes.
Some of you may know that honeytokens aren’t a “new” thing. A Pass-the-Hash Honeypot was first introduced by Mark Baggett of the SANS Institute years ago. The premise was that by inserting fake credentials into LSASS memory, you could deduce that a credential theft attempt must have occurred if someone retrieves and attempts to use them. Pretty clever. However, what we’ve aimed to do in StealthDEFEND 2.1 is both “operationalize” and improve upon the honeytoken concept.
First, we enabled StealthDEFEND to create, deploy, manage, and monitor honeytokens in bulk and in a centralized fashion. This allows honeytokens to be leveraged at scale. Additionally, one of the aspects of the equation we paid particular attention to was the ability to provide users with configuration and customization capabilities that ensure each honeytoken looks and feels real. This is critical for obvious reasons.
Furthermore, and just as importantly, we improved upon the honeytoken concept by developing a patent-pending approach to determining whether or not the attacker is attempting to sniff out the honeytoken before attempting to use it. So in essence, it doesn’t matter whether they actually use the honeytoken or not. Even the attacker’s reconnaissance activities will trigger a definitive alert on foul play. Clever and cool!
As an addition to StealthDEFEND’s wide array of threat detection and response capabilities, the honeytoken provides yet another useful arrow in the quiver for security practitioners charged with protecting their two most vulnerable targets – credentials and data.
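The premise described above, that a honeytoken credential has no legitimate use and so any authentication attempt with it signals theft, can be sketched as detection logic over domain controller events. This is an added example, not StealthDEFEND's code or Mark Baggett's: the account names, the JSON field layout and the sample events are constructed assumptions, and only the Windows Security event IDs are real.

```python
import json

# Assumption: names of the seeded honeytoken accounts (constructed values).
HONEYTOKENS = {"svc-backup-adm", "da-jsmith"}

# Windows Security event IDs that record an authentication attempt.
AUTH_EVENTS = {
    4624: "logon success",
    4625: "logon failure",
    4768: "Kerberos TGT request",
    4771: "Kerberos pre-authentication failure",
    4776: "NTLM credential validation",
}

# Constructed sample events, one JSON object per line (field layout assumed).
SAMPLE_LOG = r"""{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.4.17", "Computer": "DC01"}
{"EventID": 4776, "TargetUserName": "SVC-Backup-Adm", "Workstation": "WKS-0231", "Computer": "DC01"}
{"EventID": 4768, "TargetUserName": "da-jsmith@CORP.EXAMPLE", "IpAddress": "::ffff:10.0.9.88", "Computer": "DC02"}
{"EventID": 4662, "TargetUserName": "da-jsmith", "Computer": "DC02"}
{"EventID": 4625, "TargetUserName": "CORP\\svc-backup-adm", "IpAddress": "10.0.9.88", "Computer": "FS03"}
not json
"""

def normalize(name):
    # Reduce DOMAIN\user and user@REALM forms to a lowercase account name.
    name = name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].strip().lower()

def find_honeytoken_use(log_text, honeytokens=HONEYTOKENS):
    """Return one alert per authentication event that names a honeytoken."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if not isinstance(event, dict):
            continue
        kind = AUTH_EVENTS.get(event.get("EventID"))
        account = normalize(str(event.get("TargetUserName", "")))
        if kind and account in honeytokens:
            source = event.get("IpAddress") or event.get("Workstation") or "unknown"
            alerts.append({"line": line_no, "account": account, "event": kind,
                           "source": source, "seen_on": event.get("Computer")})
    return alerts

if __name__ == "__main__":
    for alert in find_honeytoken_use(SAMPLE_LOG):
        print(alert)
```

Failed attempts are alerted on as well as successful ones, since a failure with a honeytoken name still shows that the planted credential was retrieved and tried.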
As General Manager, Adam is responsible for product lifecycle and market adoption from concept to implementation through to customer success. He is passionate about market strategies and developing a long-term path for success for our customers and partners.
Previously, Adam served as CMO and has held a variety of senior leadership positions at Stealthbits (now part of Netwrix), including Sales, Marketing, Product Management, and Operational Management roles, where his focus has consistently been setting product strategy, defining roadmap, driving strategic engagements, and product evangelism.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.
© 2022 Stealthbits Technologies, Inc.