Nearly everyone uses Microsoft’s Active Directory (AD), over 90% in fact, to manage user accounts and provide authentication and access to the majority of organizational resources. Microsoft tells us that 95 million AD accounts are under attack every day. The latest Verizon Data Breach Investigations Report informs that 56% of breaches in 2018 took a month or longer to discover. Being under constant attack, and taking months to discover it, is a recipe for disaster.
Many organizations do some kind of monitoring of their AD environment, but general monitoring or even pumping a SIEM full of your Domain Controllers’ security logs hasn’t been the secret ingredient either when it comes to detecting cyber-attacks with any real degree of success. Real security begins with hardening AD configuration and preventing the activities and conditions that put AD at risk of compromise in the first place. While many organizations would love to get rid of passwords, they are still a necessity for the foreseeable future and cannot be ignored. As a result, they too must be strengthened in order to prevent compromise through simple, yet highly effective password guessing attacks.
STEALTHbits’ StealthINTERCEPT version 7.0 not only provides the advanced monitoring required to detect advanced attack tactics, techniques, procedures, and other indicators of compromise, but it can even prevent them from happening in the first place by blocking unwanted and unauthorized changes, access, and more. We’ve also introduced a number of improvements to our advanced password policy and complexity controls that boost security without causing poor end-user experiences.
Read on to learn about these new enhancements and how they continue to build on the strong foundation StealthINTERCEPT has provided for years.
Authentication – Among dozens of enhancements in v7, StealthINTERCEPT authentication monitoring policies can now be created to detect successful and/or failed Kerberos pre-authentication events, providing visibility into activities indicative of attempts to compromise accounts early in the attack kill chain like password spraying using tools such as Kerbrute.
Configuration – v7 also allows users to audit and block AD User Account Control (UAC) configuration (e.g. Account Disabled, Account Locked, Password Not Required, Password Never Expires, etc.) and DNS changes (e.g. something as simple as a new A record being created or more complex like zone forwarding, zone creation, or scavenging.)
LDAP – StealthINTERCEPT’s LDAP auditing capabilities have been enhanced to now block specific of particular types of LDAP queries against Active Directory. Using LDAP queries, it is possible to obtain large quantities and highly sensitive information from Active Directory, and with very little rights. In fact, attack tools like Bloodhound leverage LDAP lookups in AD to map out attack paths to make AD compromise that much easier. Because organizations need to use LDAP auditing to understand how users and applications leverage the directory, it’s highly challenging to detect and stop unwanted behavior.
StealthINTERCEPT for LDAP has been enhanced in v7.0 to now surgically or blanketly block specific or certain types of LDAP activity such as insecure queries, activity from a specific user or location, or just queries that are similar to the reconnaissance activity of an attacker. The result is not just the detection of IOC’s earlier in the attack chain, but the ability to proactively prevent attackers from obtaining valuable information that allows them to locate critical assets, accounts, and more.
To help organizations conform to National Institute of Standards and Technology (NIST) guidelines and more generally construct strong passwords without overburdening users, StealthINTERCEPT’s Enterprise Password Enforcer module in 7.0 provides the following new capabilities and enhancements:
NIST and others recommend the restriction of “passwords obtained from previous breach corpuses” and other “commonly-used” or “expected” values for passwords, in order mitigate the risk of credential compromise through credential-guessing attacks. Industry expert Troy Hunt and his “Have I Been Pwned” (HIBP) database of over 555 Million breached passwords has quickly become the de-facto reference for those looking to eradicate weak, common, and already known passwords from their environment as a result.
Enterprise Password Enforcer has been enhanced as part of StealthINTERCEPT v7.0 to allow EPE users to leverage the HIPB breach database as part of their restricted password listing. If EPE detects the password is in a public breach database, it will reject the password change.
While Active Directory does not have a limitation on password complexity, other applications in an environment may. If synchronized, it’s possible for a user to have a password that works in AD but prevents them from successfully logging on to other resources they need to access. Enterprise Password Enforcer has been enhanced in StealthINTERCEPT v7.0 to allow administrators to more granularly control password requirements and automatically pass both a password and policy or password and user combination to determine whether or not a password would fail if the new policy was to be implemented. The result is greater flexibility when implementing new policies and integrating with self-service password reset tools.
Character substitution is a process where the user replaces common alpha characters with non-alpha characters like’ $’ for ‘S’ or ‘@‘ for ‘a’. These common substitutions may pass a standard password policy, but they are easy to guess, and attackers leverage this same technique to compromise weak passwords.
Enterprise Password Enforcer has been enhanced in StealthINTERCEPT v7.0 to allow or disallow character substitution within multiple aspects of a configured password policy, including within the user’s username, disallowed keyword lists, as part of a repeated pattern or as sequential characters, as well as for passwords contained in the dictionary. A substitution editor also allows users to modify or create their own custom character substitution restrictions, reducing the effort required to contemplate all permutations of a password through character substitution. Administrators only need to specify character equivalents and the base word (e.g ‘Password’).
The bottom line is that Active Directory is in the crosshairs and a primary target of virtually any breach scenario because of its pervasive use and extensive connections throughout an enterprise. The need to harden and secure AD has never been greater and the enhancements in this latest version of StealthINTERCEPT help organizations protect themselves in ways they never could before. Elevate your AD security with this cutting-edge technology trusted by the world’s most notable brands.
Damon is the Director of Product Marketing at Stealthbits responsible for Active Directory and Privileged Access Management solutions. He has over 20 years of experience addressing marketing challenges of all kinds for many notable, B2B software companies, including Red Hat, Quest Software, Sterling Commerce, and most recently SecureAuth. Damon has a passion for cybersecurity software and improving the defenses of organizations against cyber-attacks. Damon resides in Columbus, Ohio.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.Read more
Start a Free Stealthbits Trial!
No risk. No obligation.