The adage “assume breach” drives awareness that attackers will find a way onto an endpoint in the Domain. After establishing control of an endpoint, they look for ways to create persistence that will sustain their campaign, and then execute when the time is right.
Financial data is coveted and demands attack surface reduction
Financial organizations are highly coveted targets for persistent threats because of their data.
Opportunities to exploit this data are unbounded, but the motivations most often include theft, espionage, or destruction.
Javelin Networks combines post-infiltration experience with advanced forensic methodologies to enable security programs of Financial Services organizations to reduce risk posed by persistent and sophisticated cyber criminals and nation-states.
Active Directory was found to have several easy-to-exploit vulnerabilities that enable persistence and lateral movement.
For example, a client detected a GPP SYSVOL Dark Corner with Javelin ADAssess.
IT personnel no longer with the organization had created this vulnerability years earlier.
They created a scheduled task that added a local administrator account to every machine.
This was written to an XML file on the SYSVOL share of a domain controller, a share that every PC in the Domain reads.
Compounding the problem, the encryption key that protects these stored passwords was released by Microsoft a few years ago on TechNet.
Within a brief period, any adversary could recover this password from the SYSVOL share and traverse the AD environment freely.
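As an added illustration of how a defender can check for this dark corner (example code, not Javelin's own), the following Python walks Group Policy Preference XML files under SYSVOL, flags every element carrying a cpassword attribute, and reports the affected account, action and last-changed timestamp so the preference can be removed and the credential rotated. The list of GPP file names is an assumption to extend as needed, and the sample Groups.xml is constructed with a placeholder value; nothing here decrypts anything.

```python
import os
import xml.etree.ElementTree as ET

# GPP files that can carry a cpassword attribute (assumed list; extend as needed).
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample in the shape of a Groups.xml that creates a local admin.
# The cpassword value is a placeholder, not a real GPP ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadm"
        changed="2013-05-01 09:12:44" uid="{CONSTRUCTED-UID-1}">
    <Properties action="C" userName="localadm" cpassword="PLACEHOLDER=="
                neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
"""

def find_cpasswords(xml_text, source="<inline>"):
    """Return one finding per element that carries a non-empty cpassword."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # a malformed GPP file is itself worth a look
        return [{"source": source, "error": str(exc)}]
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if not elem.get("cpassword"):
            continue
        owner = parents.get(elem, root)  # <User>/<Task>/... holds the timestamp
        findings.append({
            "source": source,
            "element": owner.tag,
            "account": elem.get("userName") or elem.get("runAs") or owner.get("name"),
            "action": elem.get("action"),
            "changed": owner.get("changed"),
        })
    return findings

def scan_sysvol(root_dir):
    """Walk a local copy of SYSVOL (or a mapped share) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
    return findings
```

Run `scan_sysvol(r"\\dc01\SYSVOL")` from an account with read access; any finding is a preference that should be deleted and its password changed everywhere it was used.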
Active Directory as the ultimate countermeasure
Javelin AD|Protect turns Active Directory into an Intrusion Detection and Containment system. Using an advanced, Domain forensic methodology, AD|Protect controls the attacker’s perception and uses it against them.
Capture Patient Zero
Letting an attacker roam an environment from Patient Zero leads to full Domain compromise, putting every enlisted asset at risk. By using the attacker’s perspective against them, Javelin AD|Protect automates the discovery of Patient Zero.
Shorten containment time
Counterintelligence can shorten containment time, allowing a strong defensive position that protects core assets. Using Domain-specific incident response methodologies, an autonomous capability launches forensics on memory and file system artifacts.
Reduce alert fatigue
Increasing cyber resilience raises the cost for the attacker, discourages additional attacks, and lets responders study how the attacker’s breach tactics advance. Near real-time containment at the point of breach in the Domain decreases collateral damage and improves resource utilization by reducing alert fatigue.
Reduce attack surface
Attackers leave backdoors and hooks in the Domain that are used to persist privileges and exploit Active Directory. AD|Protect uncovers attacks in progress and the evidence they leave behind, mitigating risk in real time, all the time.
Javelin vs Microsoft ATA
This video demonstrates a common Domain attack and the results from both Javelin AD|Protect and Microsoft ATA.