The adage “assume breach” drives awareness that attackers will find a way onto an endpoint in the Domain. After establishing control of an endpoint, they look for ways to create persistence that will enable their campaign, and then execute when the timing is right.
Javelin over Microsoft in a head-to-head fight
Once attackers complete Active Directory reconnaissance, they have a treasure map and can take their time executing a plan.
Using common methods of credential theft and persistence, attackers use Active Directory in their favor as a flight data recorder and “bookmark” their page during the fight for the victim’s assets.
It is critical to stop reconnaissance and develop zero detect cyber resilience.
Often, privileged users and domain admins have access to other environments, like SCADA and other critical infrastructure components.
Attackers use this synergy to exploit dark environments from “lit” environments like Active Directory governed networks inside critical infrastructure operations and energy providers.
Javelin Networks brings valuable post-infiltration expertise to the hand-to-hand combat of Red versus Blue team.
Through advanced forensic methodologies, Javelin ADProtect disrupts attack reconnaissance against Active Directory while automating memory analysis and file system evidence collection before enacting automated containment.
Microsoft ATA has none of these features and only offers behavioral analysis, which is often too late in the breach to stop compromise of domain admin roles.
If domain admin roles are compromised, the fight for a clean domain is lost due to the unlimited persistence that an attacker can create in an admin role.
Javelin ADProtect forces the attacker to give themselves away.
This technique reduces the number of needles to be analyzed while providing true positive signals to the SIEM, SOC, and IR teams of post-infiltration activity.
Automating memory analysis and file system evidence collection based on post-infiltration activity allows Blue Team to understand unidentified threats that other methodologies incorrectly score as good.
Active Directory as the ultimate countermeasure
Javelin AD|Protect turns Active Directory into an Intrusion Detection and Containment system. Using an advanced Domain forensic methodology, AD|Protect controls the attacker’s perception and uses it against them.
Capture Patient Zero
Letting an attacker roam an environment from Patient Zero yields full Domain compromise, putting every asset and enlisted user at risk. By using the attacker’s perspective against them, Javelin AD|Protect automates the discovery of Patient Zero.
Shorten containment time
Counterintelligence can shorten containment time, allowing for a strong defensive position to protect core assets. Using Domain-specific incident response methodologies, an autonomous capability launches forensics for memory and file system artifacts.
Reduce alert fatigue
Increasing cyber resilience will raise the cost for the attacker, discourage additional attacks, and allow responders to study advances in the attacker’s breach tactics. Near real-time containment at the point of breach in the Domain will decrease collateral damage and improve resource utilization by reducing alert fatigue.
Reduce attack surface
Attackers leave backdoors and hooks in the Domain that are used to persist privileges and exploit Active Directory. AD|Protect uncovers attacks in progress and the evidence left behind to mitigate risk in real time, all the time.
Javelin vs Microsoft ATA
This video demonstrates a common Domain attack and the results from both Javelin AD|Protect and Microsoft ATA.