Aorato's Directory Services Application Firewall protects Active Directory from attack and abuse

This column is available in a weekly newsletter called Best Practices.

The threat landscape has shifted into more dangerous territory, and companies have been deploying more IT security solutions that are purpose-built to protect specific areas of their broad enterprise environments. One such solution, brought to market by Aorato earlier this year, is a Directory Services Application Firewall (DAF).

If you think about it, an enterprise's Active Directory (AD) system would be highly coveted by cyber criminals. Active Directory contains the identity data of all domain members, including users, computers, services and other resources, as well as the relationships among them. It contains the authorization information that declares who is allowed to access what. That makes the directory system a natural target for cyber attacks as well as for insider abuse.

It is critical to know as early as possible if a malevolent actor is using tools or techniques to conduct reconnaissance on the directory, or if they have already gotten in and are illicitly using someone's identity to infiltrate the network. Many companies try to solve this problem by collecting event logs from Active Directory or user workstations and analyzing those logs in a Security Information and Event Management system (SIEM). Aorato maintains that this approach is deficient because event logs don't record all the subtle clues of malicious activity. Therefore the SIEM can never detect many types of abuse because it simply doesn't have the right data. Moreover, the logs from compromised devices should not be trusted, as they themselves might be corrupted.

Aorato's approach is to monitor and analyze all the traffic going through Active Directory. The directory services application firewall is a physical or virtual appliance that gets a copy of the AD traffic for near-real-time analysis. The Aorato DAF dissects all of the dozen or so protocols of AD and analyzes all of the data.

Aorato uses two detection mechanisms to discover malicious behavior. One is a set of detection rules that look for technical attacks like Pass-the-Hash (PtH) and Pass-the-Ticket (PtT). The other is a behavioral model that learns the typical behavior of users and detects anomalies.

Technical attacks like PtH and PtT are very common in the world of targeted attacks. These are methods that attackers use to advance from an arbitrary point in the network to the target system. Pass-the-Hash is an attack method in which the adversary steals the hashed credentials of a user or computer that has authenticated via NTLM (Windows NT LAN Manager) to various enterprise resources. Pass-the-Ticket is an attack in which the adversary steals a user's Kerberos authentication ticket in order to impersonate that user to various enterprise resources.

The hash or the ticket represents a token that proves that someone has authenticated to a device or service. An attacker steals that token, which is as good as a password, and uses it to connect to other machines. The attacker usually goes after the token of people with high privileges such as administrators, and using that token they move from one machine to another to propagate through the network.

Aorato's DAF has rules that detect the technical nature of these types of attacks. The firewall monitors the entire lifecycle of an authentication token. For example, if a token is issued to one workstation or endpoint, it is not expected to be observed coming from a different endpoint. If that happens, it is clearly an attack, and Aorato alerts on it.
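As an added illustration of that token-lifecycle rule (this is not Aorato's code; the event fields, token ids and addresses are constructed for the sample), the following Python records which endpoint each token was issued to and alerts when the same token is later presented from a different one, or when a token appears that was never seen issued:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed event shape: what a DAF mirroring AD traffic might reconstruct.
# kind is "issue" (a ticket or NTLM session token handed to a client) or
# "use" (a client presenting that token to a resource). Hypothetical fields.
@dataclass(frozen=True)
class AuthEvent:
    kind: str      # "issue" or "use"
    token: str     # opaque token id, constructed for the sample
    user: str      # principal the token belongs to
    endpoint: str  # client address it was issued to / presented from

class TokenLifecycleMonitor:
    """Remembers where each token was issued and flags use from elsewhere."""

    def __init__(self) -> None:
        self._issued: Dict[str, Tuple[str, str]] = {}  # token -> (user, endpoint)

    def observe(self, ev: AuthEvent) -> Optional[Tuple[str, ...]]:
        if ev.kind == "issue":
            self._issued[ev.token] = (ev.user, ev.endpoint)
            return None
        record = self._issued.get(ev.token)
        if record is None:
            # Presented without ever being seen issued: consistent with a
            # token copied from a host whose traffic the monitor never saw.
            return ("unseen_token", ev.token, ev.user, ev.endpoint)
        user, issued_to = record
        if issued_to != ev.endpoint:
            # Issued to one endpoint, presented from another: the
            # pass-the-ticket / pass-the-hash pattern the rule looks for.
            return ("endpoint_mismatch", ev.token, user, issued_to, ev.endpoint)
        return None

def scan(events: List[AuthEvent]) -> List[Tuple[str, ...]]:
    """Feed every event through one monitor and collect the alerts."""
    monitor = TokenLifecycleMonitor()
    return [a for a in map(monitor.observe, events) if a is not None]

# Constructed sample traffic: alice's ticket is issued to 10.0.0.5 and used
# there (benign), then presented from 10.0.0.77; a second token shows up
# from 10.0.0.77 without any issue event.
SAMPLE_EVENTS = [
    AuthEvent("issue", "tkt-0001", "alice", "10.0.0.5"),
    AuthEvent("use", "tkt-0001", "alice", "10.0.0.5"),
    AuthEvent("use", "tkt-0001", "alice", "10.0.0.77"),
    AuthEvent("use", "tkt-0002", "admin", "10.0.0.77"),
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: the endpoint mismatch for tkt-0001 and the unseen-token alert for tkt-0002; the first two benign events produce none.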

Of course, not all events start from the outside. There can be internal bad actors – for instance, Edward Snowden – who misuse credentials and access privileges. Aorato catches this kind of activity by using behavioral inspection and alerts on it.

When an organization installs an Aorato DAF, the device uses machine learning algorithms to learn the typical behavior patterns of every user in Active Directory. Each person has their own schedule and habits when using network resources: typical working hours, commonly used resources, devices, access locations and so on. The Aorato DAF learns these behaviors and alerts on anomalies. The company says its secret sauce is that it alerts on malicious anomalous activity rather than on anomalous activity in general. After all, there are times when people legitimately work in ways outside their norm, and Aorato claims it is careful not to mistake those occasions for genuinely malicious behavior.

Alerts generated by the DAF include actionable recommendations for remediating the detected malicious activity. Aorato does not take any automated action on its own alerts. Alerts, by the way, can be sent to whatever medium the organization wants: to a SIEM, by email to an administrator, to a SOC dashboard and so on.

Installing the product requires zero configuration. The only thing needed is to tell the Aorato DAF which Active Directory it should monitor. From there it begins learning behavior patterns and starts monitoring for technical attacks.

Enterprise directory services are vulnerable to attack and insider abuse. In today's threat landscape, a security solution that is purpose-built to protect this crucial component of a network just makes sense.

Copyright © 2014