Improving incident response effectiveness

CyberArk has introduced new real-time threat detection and containment capabilities to help organisations secure against cyber attacks targeting Microsoft Active Directory infrastructure. Compromising Active Directory empowers attackers to take control of the business.

The new CyberArk Privileged Threat Analytics v3.0 features targeted analytics and the ability to analyse network traffic to better detect indications of an attack early in the lifecycle, including credential theft, lateral movement and privilege escalation. These features enable incident response teams to visualise the threat and shut down in-progress attacks – including Kerberos authentication attacks like “Golden Ticket,” which can lead to a complete network takeover and massive business disruption. CyberArk Privileged Threat Analytics is integrated within the CyberArk Privileged Account Security Solution to deliver a robust Active Directory security offering.
Active Directory infrastructure includes domain controllers, domain administrator accounts, critical servers and workstations. According to Forrester Research, “Microsoft’s Active Directory has evolved into the most widely used enterprise repository for digital identities. Active Directory’s growing importance also means it’s a tempting target for hackers who attack Active Directory infrastructure to elevate privileges and pilfer data.” [1] Based on what CyberArk has seen in the field, it can take an attacker who has hijacked a privileged credential less than 12 minutes from initial infiltration to being able to take over a domain controller, which hosts the services that constitute Active Directory.
“A Kerberos ticket attack has the ability to shut down critical business services. It would ultimately mean the loss of trust in all network-connected digital assets. The only remediation would be to re-build the entire network trust model and associated infrastructure,” said Darren Argyle, group chief information security officer (CISO) managing director, Markit.
Effective Incident Response Goes Beyond Detection
It is no longer enough to simply detect an attack. The CyberArk Privileged Account Security Solution goes beyond threat detection to also deliver proactive protection and containment, which are critical to limiting attacker movement and decreasing damage from an attack. CyberArk Privileged Threat Analytics improves incident response with two key new features:

• Kerberos Attack Detection: An additional data feed collects and analyses network traffic to identify indicators of an in-progress Kerberos attack. The solution now collects a targeted set of data from multiple sources including the CyberArk Digital Vault, SIEM solutions, and network taps/switches. Then, the analytics engine applies a complex combination of new statistical and deterministic algorithms, enabling organisations to analyse the “right” data – that associated with privileged account compromise – in order to detect and alert on the most critical attacks.

• Automated Threat Containment: After identifying a potential attack, CyberArk Privileged Threat Analytics can help organisations automatically respond and contain the attack. CyberArk offers a single platform for proactive protection and threat detection that enables a suspected stolen credential to be invalidated in order to disrupt an in-progress attack – without disrupting business – and block the attacker from continuing.
There are several ways an attacker can exploit Kerberos authentication. Some of the most common Kerberos attacks include PAC manipulation, Overpass-the-Hash and Golden Ticket. A critical step that enables attackers to execute the most threatening Kerberos attacks is hijacking domain administrator credentials. Proactively protecting administrative credentials and preventing attackers from ever reaching these credentials in the first place is essential to every enterprise security strategy. CyberArk Privileged Threat Analytics enables organisations to identify previously undetectable attacks; limit an attacker’s window of opportunity; improve the efficiency of security teams and receive quick time to value. 
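The release describes deterministic detection over Kerberos authentication data (the "Kerberos Attack Detection" feature above) without saying what such a rule looks like. The following is an added illustration, written for this page and not CyberArk's product logic, of two simple deterministic checks a defender might run over authentication events: a service-ticket request from a principal on a host that was never issued a TGT within the assumed maximum ticket lifetime (a forged ticket such as a Golden Ticket is injected directly and skips the AS exchange), and a privileged account requesting service tickets from many hosts in a short window (a lateral-movement signal). The event schema, the `PRIVILEGED_USERS` set, the 10-hour lifetime, the fan-out thresholds and the `SAMPLE_EVENTS` list are all constructed assumptions for the example.

```python
"""Illustrative deterministic Kerberos anomaly checks over constructed events.

Not CyberArk's code. The event schema and thresholds are assumptions made for
this example; a real deployment would feed domain controller or network-tap
telemetry into the same shape.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class KerberosEvent:
    ts: int          # seconds since epoch (constructed)
    kind: str        # "AS_REQ" (TGT issued) or "TGS_REQ" (service ticket requested)
    user: str
    src_ip: str
    service: str = ""


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    src_ip: str
    detail: str


# Assumed: accounts whose activity warrants tighter fan-out monitoring.
PRIVILEGED_USERS = {"admin.alice", "svc_backup"}
# Assumed domain policy: a TGT is valid for at most 10 hours (36000 s).
MAX_TGT_LIFETIME = 10 * 3600
# Assumed: 3 or more distinct source hosts within 10 minutes is suspicious.
HOST_FANOUT_WINDOW = 600
HOST_FANOUT_THRESHOLD = 3


def detect(events, privileged=PRIVILEGED_USERS, tgt_lifetime=MAX_TGT_LIFETIME,
           fanout_window=HOST_FANOUT_WINDOW, fanout_threshold=HOST_FANOUT_THRESHOLD):
    """Return alerts for TGS requests lacking a valid TGT and for privileged fan-out."""
    events = sorted(events, key=lambda e: e.ts)
    last_tgt = {}                      # (user, src_ip) -> ts of most recent AS_REQ
    recent_hosts = defaultdict(list)   # user -> [(ts, src_ip)] of recent TGS_REQs
    tgt_reported = set()               # de-duplicate per (user, src_ip)
    fanout_reported = set()            # de-duplicate per user
    alerts = []
    for e in events:
        key = (e.user, e.src_ip)
        if e.kind == "AS_REQ":
            last_tgt[key] = e.ts
            continue
        if e.kind != "TGS_REQ":
            continue
        # Rule 1: a service ticket request with no TGT issued to this principal
        # on this host within the ticket lifetime. A forged TGT is injected
        # locally, so the AS exchange that normally precedes TGS_REQ is absent.
        issued = last_tgt.get(key)
        if (issued is None or e.ts - issued > tgt_lifetime) and key not in tgt_reported:
            tgt_reported.add(key)
            alerts.append(Alert("tgs_without_valid_tgt", e.user, e.src_ip,
                                f"ticket for {e.service} with no TGT issued to this "
                                f"principal on this host within {tgt_lifetime}s"))
        # Rule 2: a privileged principal fanning out across many hosts quickly.
        if e.user in privileged:
            recent = recent_hosts[e.user]
            recent.append((e.ts, e.src_ip))
            recent[:] = [(t, ip) for t, ip in recent if e.ts - t <= fanout_window]
            hosts = {ip for _, ip in recent}
            if len(hosts) >= fanout_threshold and e.user not in fanout_reported:
                fanout_reported.add(e.user)
                alerts.append(Alert("privileged_host_fanout", e.user, e.src_ip,
                                    f"{len(hosts)} source hosts within {fanout_window}s: "
                                    f"{sorted(hosts)}"))
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    KerberosEvent(0,     "AS_REQ",  "bob",         "10.0.0.5"),
    KerberosEvent(60,    "TGS_REQ", "bob",         "10.0.0.5",  "cifs/fs01"),    # normal
    KerberosEvent(100,   "AS_REQ",  "admin.alice", "10.0.0.20"),
    KerberosEvent(110,   "TGS_REQ", "admin.alice", "10.0.0.20", "ldap/dc01"),    # normal
    KerberosEvent(200,   "TGS_REQ", "admin.alice", "10.0.0.77", "cifs/dc01"),    # no TGT on .77
    KerberosEvent(260,   "TGS_REQ", "admin.alice", "10.0.0.78", "cifs/fs01"),    # no TGT, 3rd host
    KerberosEvent(300,   "TGS_REQ", "admin.alice", "10.0.0.78", "host/ws05"),    # already reported
    KerberosEvent(40000, "TGS_REQ", "bob",         "10.0.0.5",  "cifs/fs01"),    # TGT older than 10h
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] user={a.user} src={a.src_ip}: {a.detail}")
```

Both rules are intentionally deterministic and stateful per principal, which is what makes them cheap to run continuously over a SIEM feed; the page's "statistical" side (baselining each privileged account's usual hosts and hours) would sit alongside them. The `tgs_without_valid_tgt` rule is also what a containment action can key on: once a suspected forged ticket is tied to a specific account, that account's credential can be invalidated as the release describes.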
“Most enterprises are vulnerable to Kerberos attacks and are at risk of complete network takeover, which can happen at an alarming speed. We have witnessed post-breach forensic research in which attackers took control of the network in just 12 minutes,” said Roy Adar, senior vice president, product management, CyberArk. “Taking over Active Directory and leveraging Kerberos attacks such as Golden Ticket is a critical point in an attack enabling attackers to move laterally and operate undetected within the network for months or even years. Insight into these serious threats – those associated with anomalous privileged account activity – must be a high priority. We are proud to offer our customers access to this Active Directory security solution, featuring CyberArk Privileged Threat Analytics, which delivers significant advancement toward proactive attack prevention, earlier detection and more effective incident response.”