How do advanced cyber attackers find their way to the heart of your enterprise? In 80 to 100 percent of attack sequences, the preferred pathway is the privileged account, as we’ve seen time and again in high-profile breaches from Sony Pictures to the Office of Personnel Management (OPM).
Once inside the network, attackers make moves to steal credentials, move laterally, and escalate privileges to gain access to their target. In this path, attackers often seek domain administrator credentials to ultimately gain control of Active Directory (AD). Once an attacker has control of AD – the control of the entire organization is in the hands of the attacker.
With access to a domain controller, an attacker can execute a Golden Ticket attack and generate Kerberos tickets. This enables an attacker to achieve unauthorized, and often, unfettered access to the enterprise environment – all while staying completely under the radar by impersonating authorized users. This stealthy impersonation strategy creates numerous challenges for organizations trying to detect and respond to in-progress attacks on the network. Not only can these attacks be incredibly catastrophic to an organization, but they can occur very quickly.
To mitigate the risks of a serious breach, organizations must adopt a security posture that addresses privileged account exposure with multiple layers of protection including proactive controls AND threat detection. Today, we’ve announced new product features that enable organizations to secure the Active Directory infrastructure with proactive controls and threat detection capabilities, available on a single platform.
CyberArk Privileged Threat Analytics 3.0 is a security intelligence solution that detects, alerts and responds to anomalous privileged activity indicating an in-progress attack –including Kerberos attacks. By focusing analytics only on privileged activity instead of analyzing everything on the IT network, CyberArk Privileged Threat Analytics delivers targeted, prioritized alerts on the most critical malicious activity.
Here is an example of Privileged Threat Analytics in-action as it detects a Kerberos Golden Ticket Attack – one of the most severe and damaging attack methods used today:

CyberArk Privileged Threat Analytics can detect in-progress Kerberos attacks by analyzing network traffic and identifying deterministic indications of compromise. With the potential to cause significant damage, these attacks must be detected quickly and responded to immediately. If CyberArk Privileged Threat Analytics detects a Golden Ticket attack, the security team will receive a prioritized alert that is automatically assigned the highest risk score possible, empowering incident response teams to respond immediately. Furthermore, credentials can be automatically rotated to contain the incident and limit the moves of a suspected attacker.
To learn more about CyberArk Privileged Threat Analytics and recommendations for detecting, alerting and responding to the most critical cyber attacks that could significantly impact your business, please check out the free resources listed below. If you’re in San Francisco this week for the RSA Conference (#RSAC), stop by the CyberArk booth N4301 in the North Expo Center. I’d be happy to give you a demo.
Resources:
- VIDEO: What is Privileged Threat Analytics https://www.cyberark.com/whatisPTA
- VIDEO: Why Privileged Threat Analytics https://www.cyberark.com/whyPTA
- Whitepaper: Know the Path of an Attack and Block it with Privileged Account Security https://www.cyberark.com/attackpath
- Whitepaper: Maintain Control of your Business – Protect Your Domain Controllers from Kerberos Attacks https://www.cyberark.com/protectdomaincontrollers