Defending Against Credential Based Attacks by Protecting the Keys to the Front Door
Most organizations rely on directory services such as Active Directory (AD) to grant users access to an account by verifying user credentials based on a username and password. Because of the importance of this information, organizations must remain vigilant to stop hackers from stealing legitimate credentials and gaining access to the network.
To combat against credential-based attacks, organizations have sought to implement solutions such as Multifactor Authentication (MFA) or Privileged Access Management (PAM). But even with these solutions in place, there are gaps that organizations can bridge with Deception Technology. In order to understand how Deception Technology can assist your security posture, it’s best to first understand how Multifactor Authentication and Privileged Access Management work.
Multifactor Authentication (MFA)
Multifactor Authentication prevents unauthorized access by requiring at least two independent types of verification that must be presented at the time of login. These factors can include a combination of the following:
- Something one knows – this can be a password or security question
- Something one has – token or authentication app
- Something one is – biometrics such as facial recognition or fingerprints
- Somewhere one is – geofencing or location-aware apps
- Something one does – typing speed, gestures
The logic behind this method is that a legitimate user can present the required combination of the factors listed above, whereas an illegitimate user cannot.
Privileged Access Management (PAM)
Privileged Access Management is for special user accounts such as system administrators, whose duties require them to access critical assets. PAM secures, controls, manages, and monitors these privileged accounts to prevent misuse. It works by storing these privileged account credentials inside a secure repository and isolating their use to reduce the risk of theft. Systems administrators are required to check out the privileged credential from the PAM in order to use it. The credential is only valid for a limited period or specific number of uses before it becomes invalid. The PAM authenticates and logs each access and sends an alert on any suspicious behavior. When the administrator checks the privileged credential back in, the PAM resets it to prevent further use.
How Deception Technology Can Help
While MFA and PAM work for their intended use, they are not an all-in-one remedy for credential-related compromises. MFA covers the initial login but does not protect against non-interactive logins or memory-resident theft of access tokens. PAM protects privileged accounts but does not protect against the openness of Active Directory where attackers can find overlapping permissions and privileges.
Organizations that implement both solutions can bridge the gap in coverage by deploying a Deception Technology solution such as Attivo Networks ThreatDefend Platform’s EDN (Endpoint Detection Net) suite, particularly the ThreatStrike and ADSecure solutions. These solutions help to strengthen endpoint defenses against credential-based exploitation.
The ThreatStrike solution creates and stores fake credentials on user systems and servers, both in credential storage and in memory. When attackers steal the locally stored credentials, they also take the fake ones, which lead to decoys on the network and, if followed, trigger an alert.
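To make the alerting side of this concrete, here is an added example (not Attivo's code) of the detection logic a defender would run over authentication logs: any logon attempt with a planted decoy account is flagged, and the severity is raised when the decoy credential is tried against a real host rather than the decoy it points to. The decoy account names, host names and log lines are all constructed for the example.

```python
# Added example (not Attivo's code): flag logon attempts that use planted
# decoy credentials. Account names, hosts and log lines are all constructed.
import re
from dataclasses import dataclass

# Constructed inventory of decoy accounts planted on endpoints, mapped to the
# decoy host each is meant to lead to. No legitimate process should ever log
# on with these names, so any attempt is a high-confidence signal.
DECOY_ACCOUNTS = {
    "svc_backup_old": "decoy-fs01",
    "adm_helpdesk2": "decoy-fs01",
}

# Constructed log lines in a simplified key=value form; a real deployment would
# parse Windows Security logon events or the domain controller's audit log.
SAMPLE_LOGS = """\
ts=2024-05-01T09:12:03Z event=logon user=jsmith src=ws-0142 dst=fs01 outcome=success
ts=2024-05-01T09:14:11Z event=logon user=svc_backup_old src=ws-0142 dst=decoy-fs01 outcome=failure
ts=2024-05-01T09:14:12Z event=logon user=svc_backup_old src=ws-0142 dst=fs01 outcome=failure
ts=2024-05-01T09:20:45Z event=logon user=adm_helpdesk2 src=ws-0077 dst=decoy-fs01 outcome=success
"""

LINE_RE = re.compile(r"ts=(\S+) event=logon user=(\S+) src=(\S+) dst=(\S+) outcome=(\S+)")

@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    source_host: str   # endpoint the decoy credential was most likely stolen from
    target_host: str
    severity: str

def detect_decoy_use(log_text: str) -> list[Alert]:
    """One alert per logon attempt with a decoy account, regardless of outcome.
    Severity is "high" when the decoy credential is tried against a real
    (non-decoy) host, which means the attacker has moved past the decoy."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not logon events
        ts, user, src, dst, _outcome = m.groups()
        if user not in DECOY_ACCOUNTS:
            continue
        severity = "high" if dst != DECOY_ACCOUNTS[user] else "medium"
        alerts.append(Alert(ts, user, src, dst, severity))
    return alerts
```

The source host in each alert is the endpoint to investigate first, since that is where the planted credential was picked up.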
The ADSecure solution detects and alerts on unauthorized Active Directory (AD) queries from tools such as PowerShell or BloodHound. When the AD controller replies with the query results, ADSecure replaces the critical accounts with fake data that leads to the decoys. Attackers who follow this data end up in the deception environment.
To read more about MFA, PAM and how Attivo Networks Endpoint Detection Net suite can help increase your security posture, download the full article here.