Javelin AD Protect – Introduction
This is part of a series of articles about Javelin AD Protect: how to install it, configure it, and investigate incidents with it. This post introduces Javelin AD Protect.
Symantec Endpoint Threat Defense for AD, also known as AD Protect from Javelin, allows you to protect Microsoft Active Directory from malicious use by attackers.
Organizations of all sizes have relied on Microsoft Active Directory as the backbone of their identity and access management for almost three decades, and that is not going to change soon. As much as organizations rely on Active Directory, many do not fully understand its complexities or the best practices for hardening its configuration.
Attackers too have come to rely on Active Directory as a potential gold mine of information. From reconnaissance and information gathering to authentication attacks, Active Directory can provide attackers with the keys to an organization’s most critical resources.
Because Active Directory is an open service by design, attacks on it are especially difficult to detect. Most often, attacks involving Active Directory are detected only through other actions taken by the attacker, and long after the damage is done.
Attackers turn to Active Directory for quick answers once a network is compromised. From the breached endpoint, simple queries give them every user account, server, and application service in the domain. AD Protect obfuscates this data on every endpoint, without an agent, using Natural Language Processing.
This machine-learning algorithm learns and continuously adjusts to the real topology of the environment. The result appears completely natural, including any attributes that the attacker could query. Items like credentials stored on each endpoint are also covered in the process.
This process is non-disruptive to the business and user base. With no identifiable presence, end users are unaware of AD Protect and execute daily work with no performance impact.
The IT admin and local applications are also unaffected. When a hacker queries Active Directory, AD Protect provides the attacker with false information that thwarts further access while instantly sounding a silent alarm that an attack is in process.
Nine out of ten companies around the world use Microsoft Active Directory to control and maintain internal resources – servers, endpoints, applications, and users – and access. By design, Active Directory is open to any domain connected user, meaning all identities and resources on a corporate network are visibly exposed, making Active Directory the number one target for attackers.
It takes only one compromised endpoint connected to a corporate domain for an attacker to launch the latest APT campaign.
Symantec Endpoint Threat Defense for AD
Symantec Endpoint Threat Defense for AD (Javelin AD Protect) controls the attacker’s perception autonomously at the endpoint with no agent and identifies the Dark Corners the attacker favors.
AD Protect produces definitive alerts on post-exploitation activity, the most important part of the breach, in order to stop reconnaissance, credential theft, and lateral movement. Once a threat is detected, AD Protect automatically gathers the relevant artifacts before an attacker can erase them, reducing the time and effort needed to investigate the breach.
- AI to control the attacker's perspective at the endpoint and server
- Reveals Dark Corners the attacker favors
- Supports multi-domain architectures
With a few queries to the Active Directory at the point of a breach, an attacker can obtain all information to move throughout the network.
Reduce alert fatigue – Specific and real alerts on a definitive breach. The attacker reveals themselves during credential theft, reconnaissance, and lateral movement, providing the defender with true positive signals that an endpoint or service is compromised. This is a crucial missing datapoint in most security operations.
Reduce attack surface – Includes a continuous assessment that illuminates Dark Corners favored by the attacker, allowing the defender to reduce risk. It also automates and captures full forensics and reports active attacks at Patient Zero, providing you with the relevant information to defend yourself during the crucial post-breach phase.
Silent implementation – Javelin AD|Protect does not alter the Active Directory, network infrastructure, or user experience. With its quick and easy installation, business operations are not disrupted, and it leaves no footprint in your environment for either the attacker or the user to see.
Breach – Attackers only need to be right once. Defenders must be right every time. Like users and business productivity software, prevention tools or techniques are not perfect. After an attacker gets a foothold on one of the domain-connected endpoints, they will recon the internal network to identify targets such as PCs, servers, applications, identities, and even powerful user accounts.
Reconnaissance – Attackers query Active Directory from the compromised endpoint using native commands and gain visibility of the entire corporate domain. Security tools have not been able to alert on this because it is indistinguishable from the normal baseline of activity. Attackers take advantage of this built-in capability.
Lateral Movement – The attacker will steal domain credentials and move laterally inside the environment as an authorized user completely hidden from security tools like AV, EDR, UBA, etc. These are the moments when detection is most critical as the defender begins to lose the fight in the first 15 minutes.
Domain Compromise – As the attacker plans persistence, the ultimate objective is to obtain Domain Admin rights. Once the domain is owned, the attacker has free rein to create unlimited persistence. This often occurs before any exfiltration, damage, or espionage. The attacker understands that their tradecraft may eventually be discovered or detected; Domain Admin rights give them free rein across the environment.
Accomplish Objective – In a compromised domain, the attacker can persist for as long as they like by creating persistence mechanisms and backdoors everywhere. Reports of compromises lasting hundreds of days, sometimes years, are common.
How It Works
The Javelin Networks solution controls the attacker's perception of Active Directory right at the endpoint. It uses Natural Language Processing to autonomously learn the organization's Active Directory structure in its entirety and uses this data to create an authentic and unlimited obfuscation.
All Active Directory queries from the endpoint are evaluated and obfuscated at runtime based on context. Through this obfuscation, a false perspective of the domain-connected assets is projected to the attacker, who gives themselves away while interacting with those assets or attempting to use domain admin credentials against Javelin Networks' projected perception.
At this point, a high-fidelity alert is triggered, forensic data is collected and analyzed in real time, and the attack is automatically blocked at the endpoint.
AD Protect in action: