Deception / 10.13.2021

Defending crown jewel assets such as Active Directory Domain Controllers from Breaches

By Guy Waizel, Chief Operating Officer, TrapX Security

Global cybercriminals do not rest for a minute, and for them, Active Directory domain controllers are the crown jewels of a target organization. Organizations need to change their approach by taking the game to the cybercriminals' own court: actively deceiving them, isolating threats and remediating the risk, while reducing the exposure of real assets.

Active Directory (AD) lists, authenticates and authorizes all users and computers in a Windows domain-type network, and also assigns and enforces security policies for all computers, and installs and updates software. AD contains a centralized database that describes the company’s structure and contains information about different objects such as users, computers, groups and their relations to each other in the environment.

A cybercriminal gaining access to an organizational endpoint may use it as an entry point to start the reconnaissance stage. He can use the endpoint to collect information on the company’s users, computers, and groups, and on the relations and privileges between them, by querying the AD domain controller.

Attackers can also use various Windows PowerShell commands to perform reconnaissance on Active Directory Domain Controllers, trying to get more information on users, groups, computer objects and the relationships between them. Once they get a foothold on a DeceptionGrid medium-level emulation trap which is proxied to a DeceptionGrid high-interaction trap, or if they run the reconnaissance on a high-interaction trap, DeceptionGrid immediately alerts. For example:

Cybercriminals can also use the Bloodhound software, a freely available Active Directory reconnaissance tool that can, from any domain endpoint, reveal hidden, vulnerable relationships and security policy information, thus identifying attack paths in an AD environment. For example, an attacker could use Bloodhound to find the shortest path to becoming a domain administrator.

TrapX DeceptionGrid 7.2 uses patented emulation technology to deliver comprehensive protection and visibility at scale. DeceptionGrid deploys a crowd of tangible assets, hidden in plain sight among organizational assets, that interact with attackers and misinform them to identify them and gain insight into their tactics, techniques, and procedures (TTPs), enabling rapid response and containment. In just minutes, with DeceptionGrid, you can launch hundreds of credible emulations that engage attackers and malware, generating high-fidelity alerts for rapid response.

We’ll explain how TrapX DeceptionGrid can detect an attacker running Bloodhound in your organization, and how you can deceive and lure attackers by creating TrapX deception token user accounts and computer objects to identify and then isolate the attacker.

TrapX users can set up a real OS as a high-interaction trap that provides real responses to attackers, for ultimate realism, and also provides analysts with high-fidelity, detailed alerts. They can then also configure hundreds of regular, medium-interaction emulation traps as proxies to this real-OS high-interaction trap. When an attacker connects to any of these traps, he may succeed in running Bloodhound on it; at that moment, DeceptionGrid will record the entire session, including all commands and activities performed by Bloodhound.

The following is a session that includes running Bloodhound to collect Active Directory data, on a full-OS high interaction trap or on an emulation trap proxied to a full-OS trap:

The TrapX DeceptionGrid console displays an Event including the attacker hostname, all commands executed, and the files created and collected during the process:

In addition, TrapX enables generating AD tokens – decoy user accounts and computer objects which are easily applied to the AD domain controller. These user and computer objects are presented to the attacker in Bloodhound. When the attacker then targets any of these computer objects, an event is immediately displayed in DeceptionGrid; event details will include the user that was used.

In addition, you can define a rule in your organizational SIEM to alert on any use of a decoy user account anywhere in the organization, which detects attackers' lateral movement in the network.
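The SIEM rule described above, together with the alerting on decoy computer objects from the previous paragraph, as an added example that is not part of this post or of the TrapX product: it scans forwarded Windows Security events for any logon or Kerberos ticket activity that touches a decoy user or decoy computer. The JSON field names are modeled on Windows Security event data (TargetUserName, ServiceName, Computer, IpAddress); the decoy names, event records and IP addresses are constructed for illustration.

```python
import json

# Constructed decoy inventory; placeholder names, not real deception tokens.
DECOY_USERS = {"svc-backup-admin", "helpdesk-tmp"}
DECOY_COMPUTERS = {"fs-backup02", "sql-legacy01"}

# 4624/4625 logon success/failure, 4768 Kerberos TGT, 4769 Kerberos service ticket.
WATCHED_EVENT_IDS = {4624, 4625, 4768, 4769}


def _norm(name):
    """Lowercase an account name, dropping a DOMAIN\\ prefix, @realm suffix and '$'."""
    name = name.split("\\")[-1].split("@")[0]
    return name.rstrip("$").lower()


def decoy_hits(event):
    """Return the reasons an event touched a decoy object ([] means no hit)."""
    if event.get("EventID") not in WATCHED_EVENT_IDS:
        return []
    reasons = []
    target = _norm(event.get("TargetUserName", ""))
    if target in DECOY_USERS:
        reasons.append("decoy user " + target)
    if target in DECOY_COMPUTERS:  # computer account form, e.g. FS-BACKUP02$
        reasons.append("decoy computer account " + target)
    service = _norm(event.get("ServiceName", ""))  # 4769: host the ticket is for
    if service in DECOY_COMPUTERS:
        reasons.append("service ticket for decoy computer " + service)
    host = _norm(event.get("Computer", "").split(".")[0])  # strip DNS suffix
    if host in DECOY_COMPUTERS:  # logon recorded on the decoy host itself
        reasons.append("logon event on decoy host " + host)
    return reasons


def scan(log_lines):
    """Parse JSON event lines; return (source_ip, event_id, reasons) per alert."""
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        hits = decoy_hits(ev)
        if hits:
            alerts.append((ev.get("IpAddress", "unknown"), ev["EventID"], hits))
    return alerts


# Constructed sample events in forwarded-JSON form (not real logs).
SAMPLE_LOG = [
    '{"EventID": 4624, "Computer": "WS-FINANCE07.corp.example", "TargetUserName": "jsmith", "IpAddress": "10.1.4.22"}',
    '{"EventID": 4768, "Computer": "DC01.corp.example", "TargetUserName": "svc-backup-admin@CORP.EXAMPLE", "IpAddress": "10.1.4.22"}',
    '{"EventID": 4769, "Computer": "DC01.corp.example", "TargetUserName": "jsmith@CORP.EXAMPLE", "ServiceName": "FS-BACKUP02$", "IpAddress": "10.1.4.22"}',
    '{"EventID": 4672, "Computer": "DC01.corp.example", "TargetUserName": "svc-backup-admin"}',
]

if __name__ == "__main__":
    for src, eid, why in scan(SAMPLE_LOG):
        print(f"ALERT from {src}: event {eid}: {', '.join(why)}")
```

Because decoy accounts have no legitimate use, any hit is high-fidelity; the source IP in the alert is the pivot point for isolating the host.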

The following are examples of decoy user accounts and computer objects that were created in AD by TrapX Deception Tokens, as presented in Bloodhound (circled in red).

The attacker may then check for the shortest path to becoming a domain administrator:

TrapX enables automated distribution of deception tokens including decoy user accounts to all organizational endpoints, using organizational distribution tools or directly from DeceptionGrid.

Once an attacker has a foothold on a target computer, they may use the Mimikatz tool to get the decoy user’s credentials. Any attempt to connect with the user to one of the decoy computer objects will immediately produce alerts in DeceptionGrid.

Summary 

We’ve discussed how TrapX DeceptionGrid users can protect the crown jewels of their organizations, such as Active Directory domain controllers, by detecting the reconnaissance activity of Bloodhound (and similar tools, such as ADFind), and how to deceive attackers by creating lures in the form of decoy user account credentials and computer objects, and eventually isolate the threat.

Customers can also use DeceptionGrid to defend other crown jewels of their organization, such as databases and backup systems, RMM software, and other business-critical systems, as discussed here.

About TrapX Security 

TrapX provides a new generation of Deception technology that provides real-time breach detection and prevention. Our proven solutions immerse tangible IT assets in a virtual minefield of traps that misinform and misdirect would-be attackers, alerting SOC teams to malicious activity with immediate, actionable intelligence. Our solutions enable our customers to isolate, fingerprint rapidly and disable new Zero-Day attacks and APTs in real-time. TrapX Security has thousands of government and Global 2000 users worldwide, servicing customers in manufacturing, defense, healthcare, finance, energy, consumer products, and other vital industries. For more information, visit www.trapx.com.
