This column is available in a weekly newsletter called IT Best Practices.
The threat landscape has been shifting to more dangerous territory, and companies have been deploying more IT security solutions that are purpose-built to protect specific areas of their broad enterprise environment. One such solution brought to market by Aorato earlier this year is a directory services application firewall (DAF).
If you think about it, an enterprise's Active Directory (AD) system would be highly coveted by a cyber criminal. Active Directory contains all of the identity data on domain members, including users, computers, services and other resources, as well as the relationships between them. It contains authorization information that affirms who is allowed to have access to what. This makes the directory system a natural target for cyber attacks as well as for internal abuse.
It's critical to know as early as possible if a malevolent actor is using tools or techniques to conduct reconnaissance on the directory, or if they have already gotten in and are illicitly using someone's identity to infiltrate the network. Many companies try to solve this problem by collecting event logs from Active Directory or user workstations and analyzing those logs in a Security Information and Event Management system (SIEM). Aorato maintains that this approach is deficient because event logs don't record all the subtle clues of malicious activity, so the SIEM can never detect many types of abuse: it simply doesn't have the right data. Moreover, the logs from compromised devices should not be trusted, as they themselves might have been tampered with.
Aorato's approach is to monitor and analyze all the traffic going through Active Directory. The directory services application firewall is a physical or virtual appliance that gets a copy of the AD traffic for near-real-time analysis. The Aorato DAF dissects all of the dozen or so protocols of AD and analyzes all of the data.
Aorato uses two detection mechanisms to discover malicious behavior. One is a set of detection rules that look for technical attacks like Pass-the-Hash (PtH) and Pass-the-Ticket (PtT). The other is a behavioral model that learns the typical behavior of users and detects anomalies.
Technical attacks like PtH and PtT are very common in the world of targeted attacks. These are methods that attackers use to advance from an arbitrary point in the network to the target system. Pass-the-Hash is an attack method where the adversary steals the hashed credentials of a user or a computer in order to authenticate, via NTLM (Windows NT LAN Manager), to various enterprise resources. Pass-the-Ticket is an attack where the adversary steals a user’s Kerberos authentication ticket in order to impersonate that user against various enterprise resources.
The hash or the ticket represents a token that proves that someone has authenticated to a device or service. An attacker steals that token, which is as good as a password, and uses it to connect to other machines. The attacker usually goes after the token of people with high privileges such as administrators, and using that token they move from one machine to another to propagate through the network.
Aorato's DAF has rules that detect the essence of these kinds of technical attacks. The firewall monitors the authentication token throughout its lifecycle. For example, if the token is issued for one station or one endpoint, it isn't expected to be seen on another endpoint. If this is happening, it's clearly an attack and Aorato alerts on it.
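The token-lifecycle rule described above, as an added illustration that is not Aorato's code: each ticket or hash is bound to the endpoint it was issued to, and any later use from a different endpoint raises an alert. The event format, field names and sample events are constructed for this example.

```python
from dataclasses import dataclass

# Constructed representation of authentication messages as a network monitor
# might observe them between endpoints and a domain controller. The field
# names are invented for this example and are not any product's wire format.
@dataclass(frozen=True)
class AuthEvent:
    seq: int         # order in which the message was seen on the wire
    kind: str        # "issue" when a ticket/hash is issued, "use" when presented
    token_id: str    # identifier of the ticket or hash being tracked
    principal: str   # account the token belongs to
    endpoint: str    # client endpoint the message came from

def track_token_lifecycle(events):
    """Bind every issued token to its origin endpoint and alert when the same
    token is later presented from anywhere else (the PtH/PtT signature)."""
    issued_to = {}   # token_id -> (principal, origin endpoint)
    alerts = []      # (seq, principal, reason)
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "issue":
            issued_to[ev.token_id] = (ev.principal, ev.endpoint)
        elif ev.kind == "use":
            if ev.token_id not in issued_to:
                # Presented without an observed issuance: possible stolen
                # credential material (or issuance before monitoring began).
                alerts.append((ev.seq, ev.principal, "token used without observed issuance"))
                continue
            principal, origin = issued_to[ev.token_id]
            if ev.endpoint != origin:
                alerts.append((ev.seq, principal,
                               f"token issued to {origin} presented from {ev.endpoint}"))
    return alerts

# Constructed sample: alice and admin use their own tokens normally, then the
# admin token shows up from alice's workstation and an unknown token from bob's.
SAMPLE_EVENTS = [
    AuthEvent(1, "issue", "TGT-0001", "alice", "WS-ALICE"),
    AuthEvent(2, "use",   "TGT-0001", "alice", "WS-ALICE"),
    AuthEvent(3, "issue", "TGT-0002", "admin", "WS-ADMIN"),
    AuthEvent(4, "use",   "TGT-0002", "admin", "WS-ADMIN"),
    AuthEvent(5, "use",   "TGT-0002", "admin", "WS-ALICE"),
    AuthEvent(6, "use",   "TGT-0009", "bob",   "WS-BOB"),
]

if __name__ == "__main__":
    for seq, who, reason in track_token_lifecycle(SAMPLE_EVENTS):
        print(f"ALERT seq={seq} principal={who}: {reason}")
```

A real monitor would also have to expire tokens at the end of their lifetime and treat "used without observed issuance" as lower confidence for tokens issued before monitoring started.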
Of course, not all events start from the outside. There can be internal bad actors – for instance, Edward Snowden – who misuse credentials and access privileges. Aorato catches this kind of activity by using behavioral inspection and alerts on it.
When an organization installs an Aorato DAF, the device uses machine learning algorithms to learn the typical behavior patterns of all users within Active Directory. Each person has his own schedule and habits of using network resources: typical work hours, resources that are commonly used, devices and access locations, etc. The Aorato DAF learns these behaviors and alerts on anomalies. The company says its secret sauce is in creating alerts for malicious abnormal activity, not just abnormal activity. After all, there are times when people legitimately work in a manner that is outside their norm, and Aorato claims it is careful not to mistake these times for genuinely malicious behavior.
The alerts generated by the DAF include actionable suggestions in order to remediate the malicious activity that has been detected. Aorato does not take any automatic action on its own alerts. The alerts, by the way, can be sent to whatever medium the organization wants—to a SIEM, to an administrator's email, to a SOC dashboard, etc.
Installing the product requires zero configuration. The only thing that's required is to tell the Aorato DAF which Active Directory the product is supposed to monitor. From there it starts learning for the behavioral model and begins monitoring for technical attacks.
Enterprise directory services are vulnerable to attack and insider abuse. In today's threat landscape, a security solution that is purpose-built to protect this crucial component of a network just makes sense.