Surviving the Era of Active Directory Attacks through in-Network defence
Post successful breach of the target network, attackers would categorically progress towards discovering the critical assets to exploit and exfiltrate data. During this process of lateral movement and expanding their footholds in the network by pivoting to multiple systems, attackers would look to probe the target network primarily for Active Directory systems. Active Directory is the prime targets for adversaries since it is the central repository for enterprise-wide user information, managing user authentication. Acquiring sufficient privileges to gain access to Active Directory and compromising it serves as a catalyst for the adversaries in executing further attacks. We have had many such high impact Privilege Escalation and Remote Code Execution vulnerabilities being exploited in Active Directory authentication protocols like Kerberos, Netlogon and RPC interfaces ( like PrintNightMare ) leading to complete domain takeover. Additionally Active Directory exposing huge attack surface, it is of paramount importance for enterprise networks to protect and mitigate attacks against Active Directory .
Coalescing production assets with the deceptive services can play a conclusive role in detecting and mitigating attacks in the domain environment once the production endpoint is compromised. Deceptive network alongside production network turns out to be highly effective approach in detecting lateral movement path towards critical assets including domain controllers. Building effective deception infrastructure that blends well with the production environment would require planting deceptive credentials in the production and decoy endpoints to detect initial enumeration attacks and the same time, injecting lures on the endpoints to build and deflect attacker's lateral movement path towards deceptive services.
During this talk, highlighting the AD attack surface, we will discuss about network deception as an approach to detect and mitigate Active Directory attacks and then progressively discuss on how we can build and achieve deceptive infrastructure including AD deception, which could potentially lead to early attack detection and mitigation.
Following are the key takeaways from the talk:
- Active Directory attack surface and impact.
- Attacker’s lateral movement path to Active Directory services.
- Deception network approach for detecting lateral movement and AD attacks.
- Building and achieving AD deception infrastructure for early attack detection.
Chintan Shah
Chintan Shah is currently working as a Sr. Lead Security Researcher with Trellix Intrusion Prevention System and holds broad experience in the network security industry. He primarily focuses on Exploit and vulnerability research, building Threat Intelligence frameworks, Reverse engineering techniques and Malware Research. With multiple patent pending innovations in exploit detection, Chintan is a passionate blogger and speaker at many security research conferences. His interests lies in software fuzzing for vulnerability discovery, analysing exploits, malwares and translating them into product improvements.