Gone in 12 Minutes: CyberArk Announces Real-Time Detection and Automatic Containment of Cyber Attacks Targeting Active Directory

March 1, 2016

New Targeted Analytics and Network Monitoring Improve Effectiveness of Incident Response Teams by Focusing on the Data that Matters to Stop In-Progress Attacks

RSA Conference 2016 (Booth #N4301) – CyberArk (NASDAQ:CYBR), the company that protects organizations from cyber attacks that have made their way inside the network perimeter, today announced new real-time threat detection and containment capabilities to help organizations secure against cyber attacks targeting Microsoft Active Directory infrastructure. Compromising Active Directory empowers attackers to take control of the business.

The new CyberArk Privileged Threat Analytics v3.0 features targeted analytics and the ability to analyze network traffic to better detect indications of an attack early in the lifecycle, including credential theft, lateral movement and privilege escalation. These features enable incident response teams to visualize the threat and shut down in-progress attacks – including Kerberos authentication attacks like “Golden Ticket,” which can lead to a complete network takeover and massive business disruption. CyberArk Privileged Threat Analytics is integrated within the CyberArk Privileged Account Security Solution to deliver a robust Active Directory security offering.

Active Directory infrastructure includes domain controllers, domain administrator accounts, critical servers and workstations. According to Forrester Research, “Microsoft’s Active Directory has evolved into the most widely used enterprise repository for digital identities. Active Directory’s growing importance also means it’s a tempting target for hackers who attack Active Directory infrastructure to elevate privileges and pilfer data.” [1] Based on what CyberArk has seen in the field, it can take an attacker who has hijacked a privileged credential less than 12 minutes from initial infiltration to being able to take over a domain controller, which hosts the services that constitute Active Directory.

“A Kerberos ticket attack has the ability to shut down critical business services. It would ultimately mean the loss of trust in all network-connected digital assets. The only remediation would be to re-build the entire network trust model and associated infrastructure,” said Darren Argyle, group chief information security officer (CISO) managing director, Markit.

Effective Incident Response Goes Beyond Detection

It is no longer enough to simply detect an attack. The CyberArk Privileged Account Security Solution goes beyond threat detection to also deliver proactive protection and containment, which are critical to limiting attacker movement and decreasing damage from an attack. CyberArk Privileged Threat Analytics improves incident response with two key new features:

  • Kerberos Attack Detection: An additional data feed collects and analyzes network traffic to identify indicators of an in-progress Kerberos attack. The solution now collects a targeted set of data from multiple sources including the CyberArk Digital Vault, SIEM solutions, and network taps/switches. Then, the analytics engine applies a complex combination of new statistical and deterministic algorithms, enabling organizations to analyze the “right” data – that associated with privileged account compromise – in order to detect and alert on the most critical attacks.
  • Automated Threat Containment: After identifying a potential attack, CyberArk Privileged Threat Analytics can help organizations automatically respond and contain the attack. CyberArk offers a single platform for proactive protection and threat detection that enables a suspected stolen credential to be invalidated in order to disrupt an in-progress attack – without disrupting business – and block the attacker from continuing.

There are several ways an attacker can exploit Kerberos authentication. Some of the most common Kerberos attacks include PAC manipulation, Overpass-the-Hash and Golden Ticket. A critical step that enables attackers to execute the most threatening Kerberos attacks is hijacking domain administrator credentials. Proactively protecting administrative credentials and preventing attackers from ever reaching these credentials in the first place is essential to every enterprise security strategy. CyberArk Privileged Threat Analytics enables organizations to identify previously undetectable attacks; limit an attacker’s window of opportunity; improve the efficiency of security teams; and receive quick time to value.

“Most enterprises are vulnerable to Kerberos attacks and are at risk of complete network takeover, which can happen at an alarming speed. We have witnessed post-breach forensic research in which attackers took control of the network in just 12 minutes,” said Roy Adar, senior vice president, product management, CyberArk. “Taking over Active Directory and leveraging Kerberos attacks such as Golden Ticket is a critical point in an attack enabling attackers to move laterally and operate undetected within the network for months or even years. Insight into these serious threats – those associated with anomalous privileged account activity – must be a high priority. We are proud to offer our customers access to this Active Directory security solution, featuring CyberArk Privileged Threat Analytics, which delivers significant advancement toward proactive attack prevention, earlier detection and more effective incident response.”

Availability and Supporting Materials
CyberArk Privileged Threat Analytics v3.0 is available now. Customers can purchase the solution directly from CyberArk, as well as through the company’s global network of channel partners. Upgrades to v3.0 are provided to current CyberArk Privileged Threat Analytics customers at no charge.

Supporting Materials:

1 – Forrester Research, “Vendor Landscape: Active Directory Security and Governance Solutions,” January 5, 2016 by Merritt Maxim, Andras Cser