
Finally, a Way to Stop Advanced Persistent Threats (APTs) in Their Tracks

Symantec acquires innovative technology to protect Microsoft Active Directory from malicious use by attackers

Active Directory: The Root of Domain Compromise

Nine out of ten companies around the world use Microsoft Active Directory to control and maintain access to internal resources: servers, endpoints, applications, and users.[1] By design, Active Directory (AD) is readable by any domain-connected user, meaning all identities and resources on a corporate network are visibly exposed; this makes AD the number one target for attackers.

It takes only one compromised endpoint connected to a corporate domain for an attacker to launch the latest APT campaign.

The recent acquisition of Javelin Networks advances Symantec’s endpoint security solution for addressing APTs by adding effective Active Directory defense at the endpoint, providing autonomous breach containment and incident response. It is the only solution that protects Active Directory from the endpoint, restricting post-exploit incursions by preventing credential theft and lateral movement. It contains attackers immediately after an endpoint is compromised but before they can persist on the domain, disrupts reconnaissance activity, and prevents them from using Active Directory to move laterally to other assets. Javelin Networks addresses the path of least resistance in today’s networks and greatly reduces the time, effort, and error involved in detecting, responding to, and containing a breach where it starts: the endpoint.

Why This Matters

Active Directory is the building block for every APT campaign

Attackers are not only aware of Active Directory’s value, but also its flaws. With careful examination of recent APT campaigns, we see what attackers have known for a long time: Active Directory is the most targeted asset in the organization.

How It Works

Defend Active Directory Against Attacks with Obfuscation

The Javelin Networks solution controls the attacker’s perception of Active Directory right at the endpoint. It uses Natural Language Processing to autonomously learn the organization’s entire Active Directory structure and uses that data to generate authentic-looking, unlimited obfuscation. Every Active Directory query from the endpoint is evaluated and obfuscated at runtime based on its context. Through this obfuscation, a false view of the domain-connected assets is projected to the compromised endpoint; the attacker gives themselves away by interacting with the projected assets or attempting to use the projected domain admin credentials. At that point a high-fidelity alert is triggered, forensic data is collected and analyzed in real time, and the attack is automatically blocked at the endpoint.
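To make the mechanism concrete, here is an added illustration (not Javelin Networks’ or Symantec’s code) of an endpoint-side perception layer: genuine enumeration results pass through unchanged, constructed decoy hosts and admin accounts are mixed in per endpoint, and any later use of a decoy raises a high-fidelity alert. The class, the sample host and account names, and the decoy naming scheme are all assumptions.

```python
import random

# Constructed sample: what a genuine enumeration of the domain would return.
REAL_HOSTS = ["WS-FIN-01", "WS-FIN-02", "FILESRV-01"]
REAL_ADMINS = ["da-backup"]


class PerceptionLayer:
    """Hypothetical filter between an endpoint's AD queries and the results
    it sees. Real objects pass through; decoys are mixed in so the endpoint
    cannot tell them apart. Each decoy is tied to the endpoint it was shown
    to, so later use of it is attributable to that endpoint."""

    def __init__(self, real_hosts, real_admins, rng=None):
        self.real = set(real_hosts) | set(real_admins)
        self.real_hosts, self.real_admins = list(real_hosts), list(real_admins)
        self.decoys = {}  # decoy name -> endpoint it was projected to
        self.alerts = []
        self.rng = rng or random.SystemRandom()

    def _mint(self, endpoint, prefix):
        # Decoy names follow the real naming convention so they blend in;
        # loop until the name collides with neither a real nor a decoy object.
        while True:
            name = f"{prefix}-{self.rng.randint(10, 99)}"
            if name not in self.real and name not in self.decoys:
                self.decoys[name] = endpoint
                return name

    def enumerate_hosts(self, endpoint):
        """Answer a 'list computers' query with real hosts plus two decoys."""
        result = self.real_hosts + [self._mint(endpoint, "WS-FIN") for _ in range(2)]
        self.rng.shuffle(result)
        return result

    def enumerate_admins(self, endpoint):
        """Answer a 'list domain admins' query with real admins plus one decoy."""
        result = self.real_admins + [self._mint(endpoint, "da")]
        self.rng.shuffle(result)
        return result

    def on_access(self, endpoint, target):
        """Called when the endpoint connects to a host or uses an account.
        Touching a decoy is high-fidelity: no legitimate process knows the
        decoy exists, since it only ever appeared in a projected view."""
        if target not in self.decoys:
            return None  # real object: no signal from this layer alone
        alert = {"endpoint": endpoint, "decoy": target,
                 "shown_to": self.decoys[target], "action": "block"}
        self.alerts.append(alert)
        return alert
```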

[1] An Overview of Active Directory, Philippe Beraud, Microsoft Corporation, 2016

About the Author

Roi Abutbul

VP Engineering, Symantec

A post-exploit expert with 15 years of experience in network security, Roi is the former CEO and co-founder of Javelin Networks, acquired by Symantec. He is a lifelong entrepreneur and served with the Israeli Air Force in the OFEK unit.
