From the CISO perspective, identity security is one of the top security challenges, driven by the adversary’s increased use of stolen credentials to target and infiltrate organizations. The data bears this out: according to the CrowdStrike 2023 Global Threat Report, 80% of attacks use compromised identities, while advertisements for access broker services jumped 112% in 2022.
Most security professionals won’t be surprised by these stats. Identity-driven attacks are extremely hard to detect with traditional approaches. When a valid user’s credentials have been compromised and an adversary is masquerading as that user, it’s often very difficult to differentiate between the user’s typical behavior and that of the hacker using traditional security measures and tools.
At the same time, Microsoft Active Directory (AD) is an increasingly attractive target for attackers. Used by approximately 90% of Fortune 1000 companies as the main identity and authentication provider, the decades-old legacy technology connects users to endpoints and provides access to systems, applications and resources — the proverbial keys to the kingdom for threat actors.
AD vulnerabilities are becoming a greater risk to organizations, as attackers narrow their focus on identities. In a recent Patch Tuesday, 40% of Microsoft patches were privilege-escalation vulnerabilities — including a zero day, prompting Microsoft to warn that “an attacker who successfully exploited this vulnerability could gain system privileges.”
As attackers evolve their tactics, so must our collective defenses. Modern ransomware attacks can involve both code execution (initial foothold) and identity access (lateral movement). At the same time, malware-free attacks continue to rise. As noted in the CrowdStrike 2023 Global Threat Report, 71% of attacks detected last year were malware-free, while hands-on-keyboard activity increased by 50%.
The only effective way to protect against modern attacks is an adversary-focused security solution that unifies world-class endpoint protection with real-time identity protection to cover every part of an adversary’s toolkit — from exploitation, malware delivery and fileless attacks through to stolen credentials and compromised identities.
Consolidating World-Class Endpoint and Identity Protection
The CrowdStrike Falcon® platform delivers modern protection designed to combat the threats of today and tomorrow across every attack surface. By unifying industry-leading endpoint security with native identity protection, delivered through a single lightweight agent, our platform helps stop the full attack lifecycle — whether an adversary is attempting to use exploits, malware, fileless attacks or stolen credentials.
As we continuously improve the Falcon platform, we’re proud to introduce the latest innovations in identity protection.
New Platform Capabilities to Extend Protection Against Identity-Based Attack Techniques
Today, we’re solving three new use cases with CrowdStrike Falcon® Identity Protection, while simplifying work for security analysts.
1. Lure Adversaries Away from Critical Resources with Honeytokens
In a common attack scenario, adversaries try to gain a foothold by harvesting valid accounts and passwords from an LSASS dump. To combat this, Falcon Endpoint Protection immediately identifies the credential access, along with the MITRE tactic and technique and the tool used (e.g., Mimikatz), and blocks the execution. Falcon Identity Protection further prevents the adversary from pivoting to an unmanaged host, such as a contractor laptop, blocking the adversary even when the credentials they hold are valid.
Building on these foundational innovations within Falcon Identity Protection, we are further advancing our customers’ visibility into adversary activity with our new honeytokens capability. Customers can create honeytoken accounts designed to lure adversaries into using them. When an adversary interacts with a honeytoken, security teams gain detailed insight into the attack path and the techniques used, while their real critical resources and accounts stay protected. As part of our unified agent and platform architecture, we’ve made it effortless for customers to create honeytoken accounts, track them and enforce dedicated policies that control their movement so adversaries can’t reach high-value resources.
Now, customers can easily flag accounts as honeytokens in AD without additional configuration or resource requirements. Any activity on, or alteration of, a honeytoken account triggers a dedicated detection, giving security operations center (SOC) analysts visibility into the adversary attack path. This unified endpoint and identity protection is delivered seamlessly from the Falcon platform with a single lightweight agent.
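To make the honeytoken idea concrete, here is an added example (not CrowdStrike code and not how Falcon implements the feature) of the detection logic a SOC would want: because a honeytoken account has no legitimate use, every authentication with it or change to it is reportable, and ordering those touches by time reconstructs the attack path. The event records, hostnames and account names below are constructed; the Windows Security event IDs are real.

```python
"""Honeytoken account detection over Windows Security event records.

Added example, not CrowdStrike code: raise a dedicated finding whenever a
designated honeytoken account is authenticated with, requested a ticket
for, or modified, then order the touches into an attack path.
"""
from collections import defaultdict
from dataclasses import dataclass

# Windows Security event IDs this detector cares about (real IDs).
LOGON = 4624              # successful logon
LOGON_FAILED = 4625       # failed logon
TGT_REQUESTED = 4768      # Kerberos authentication ticket (TGT) requested
ACCOUNT_CHANGED = 4738    # user account changed
PASSWORD_RESET = 4724     # attempt to reset an account's password

INTERESTING = {
    LOGON: "logon",
    LOGON_FAILED: "failed logon",
    TGT_REQUESTED: "kerberos TGT request",
    ACCOUNT_CHANGED: "account attributes changed",
    PASSWORD_RESET: "password reset attempt",
}


@dataclass(frozen=True)
class Detection:
    honeytoken: str
    activity: str
    source_host: str
    actor: str
    timestamp: str


def detect_honeytoken_activity(events, honeytokens):
    """Return one Detection per event that touches a honeytoken account.

    For 4624/4625/4768 the honeytoken is the target (authenticating) account;
    for 4738/4724 it is the account being modified and 'subject_account' is
    who made the change. AD names are case-insensitive, so compare lowercased.
    """
    tokens = {h.lower() for h in honeytokens}
    findings = []
    for ev in events:
        activity = INTERESTING.get(ev["event_id"])
        if activity is None:
            continue
        if ev["target_account"].lower() not in tokens:
            continue
        findings.append(Detection(
            honeytoken=ev["target_account"],
            activity=activity,
            source_host=ev.get("source_host", "unknown"),
            actor=ev.get("subject_account", ev["target_account"]),
            timestamp=ev["timestamp"],
        ))
    return findings


def attack_path(findings):
    """Per honeytoken, the chronological list of (time, host, activity):
    which host touched it first and what followed."""
    path = defaultdict(list)
    for f in sorted(findings, key=lambda f: f.timestamp):
        path[f.honeytoken.lower()].append((f.timestamp, f.source_host, f.activity))
    return dict(path)


# Constructed sample events: hostnames, accounts and times are invented.
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-10T08:00:01", "event_id": 4624, "target_account": "jsmith", "source_host": "WS-0421"},
    {"timestamp": "2024-01-10T08:03:12", "event_id": 4768, "target_account": "svc_backup_legacy", "source_host": "WS-0421"},
    {"timestamp": "2024-01-10T08:03:15", "event_id": 4625, "target_account": "svc_backup_legacy", "source_host": "WS-0421"},
    {"timestamp": "2024-01-10T08:05:40", "event_id": 4624, "target_account": "SVC_BACKUP_LEGACY", "source_host": "FS-01"},
    {"timestamp": "2024-01-10T08:09:00", "event_id": 4738, "target_account": "svc_backup_legacy",
     "subject_account": "jsmith", "source_host": "DC-01"},
    {"timestamp": "2024-01-10T08:10:00", "event_id": 4624, "target_account": "mlee", "source_host": "WS-0099"},
]
HONEYTOKENS = ["svc_backup_legacy"]  # the account flagged as a honeytoken

if __name__ == "__main__":
    found = detect_honeytoken_activity(SAMPLE_EVENTS, HONEYTOKENS)
    for d in found:
        print(f"[HONEYTOKEN] {d.timestamp} {d.activity}: {d.honeytoken} "
              f"from {d.source_host} by {d.actor}")
    print(attack_path(found))
```

The sample shows the typical shape: the honeytoken is first requested from a workstation, then used from a file server, then its attributes are changed by a compromised user account; the benign logons for other accounts produce nothing.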
2. Reduce Risks from Account Vulnerabilities with Duplicate Password Detection
Adversaries typically attempt to compromise endpoints with TTPs like privilege escalation of local accounts or command and control. But, when these attempts are stopped by a robust endpoint protection platform, they often pivot to brute-force credential stuffing attacks targeting AD accounts — typically service accounts with shared, duplicate or default passwords.
The new duplicate password detection feature for Falcon Identity Protection simplifies the detection of password reuse across the organization’s AD, allowing administrators to instantly identify these accounts without manual AD audits and enforce the use of unique passwords to defend against threats such as credential stuffing attacks.
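As an added example (not CrowdStrike code and not how the Falcon feature works internally), the following shows the core of a duplicate-password audit: AD stores NT hashes, so password reuse can be found by grouping accounts by hash without ever handling a plaintext password, and the groups can be ranked by how dangerous the sharing is. The account records and hash strings are constructed, not real NT hashes.

```python
"""Duplicate password detection across AD accounts, working only on NT hashes.

Added example, not CrowdStrike code. Accounts sharing an NT hash share a
password; the audit never needs plaintext. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    sam: str                 # sAMAccountName
    nt_hash: str             # hex NT hash (constructed here, not real)
    enabled: bool = True
    privileged: bool = False  # e.g. member of Domain Admins
    service: bool = False     # service account (e.g. has an SPN)


@dataclass
class ReuseFinding:
    nt_hash: str
    accounts: list
    severity: str


def severity_for(group):
    """A password shared with a privileged account is the worst case; service
    accounts are next, since they are the classic spray/stuffing target."""
    if any(a.privileged for a in group):
        return "critical"
    if any(a.service for a in group):
        return "high"
    return "medium"


def find_duplicate_passwords(accounts, include_disabled=True):
    """Group accounts by NT hash and report every group with more than one
    member, most severe first. Disabled accounts are included by default:
    a re-enabled account with a shared password is still a reuse problem."""
    by_hash = defaultdict(list)
    for a in accounts:
        if not include_disabled and not a.enabled:
            continue
        by_hash[a.nt_hash.lower()].append(a)   # hashes compare case-insensitively
    findings = [
        ReuseFinding(h, sorted(g, key=lambda a: a.sam), severity_for(g))
        for h, g in by_hash.items() if len(g) > 1
    ]
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.nt_hash))


def accounts_to_rotate(findings):
    """Every member of a reuse group needs a fresh, unique password."""
    names = set()
    for f in findings:
        names.update(a.sam for a in f.accounts)
    return sorted(names)


# Constructed sample directory: names and hash values are invented.
H1 = "3f0c5a1d9e8b7c6d5e4f3a2b1c0d9e8f"
H2 = "77aa11bb22cc33dd44ee55ff66007788"
H3 = "0123456789abcdef0123456789abcdef"
SAMPLE_ACCOUNTS = [
    Account("adm_rsmith", H1, privileged=True),
    Account("svc_sql", H1, service=True),
    Account("svc_web", H2, service=True),
    Account("svc_print", H2, service=True),
    Account("svc_old", H2, service=True, enabled=False),
    Account("jdoe", "9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d"),
    Account("mlee", "5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b"),
    Account("kpatel", H3),
    Account("tnguyen", H3.upper()),
]

if __name__ == "__main__":
    for f in find_duplicate_passwords(SAMPLE_ACCOUNTS):
        print(f"[{f.severity.upper()}] {len(f.accounts)} accounts share a password: "
              + ", ".join(a.sam for a in f.accounts))
    print("rotate:", accounts_to_rotate(find_duplicate_passwords(SAMPLE_ACCOUNTS)))
```

In practice the hash column would come from a controlled replication or audit process that an identity-protection sensor performs; the grouping and ranking logic is the same.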
3. Extend Protocol Coverage with Detections over Server Message Block (SMB)
As adversaries constantly look for alternative ways to attack identity stores whose hosts are already protected against traditional endpoint and server attacks by a strong endpoint security platform, they often try to exploit legacy protocols that organizations may still use.
Many organizations lack visibility into SMB-to-DC authentications, so they cannot detect the malicious and anomalous user behavior that leads to brute force and Pass-the-Hash (PtH) attacks. Building on Falcon Identity Protection’s real-time analysis and detections covering Kerberos, NTLM and LDAP/S, we are now extending protocol coverage to enable detections of authentications over SMB.
For example, security teams can now detect a suspicious protocol implementation using the CrackMapExec tool along with the SMB session setup activity that led to it. With insights on failed and successful SMB-to-DC authentication events, and threat hunting covering CrackMapExec, PtH, password brute force, Mimikatz, etc., you now get powerful additional baseline data to identify suspicious behavior and fortify AD security.
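To illustrate what visibility into failed and successful SMB-to-DC authentications enables, here is an added example (not CrowdStrike code and not Falcon's detection logic) that runs three classic identity detections over a stream of authentication events: brute force (one source, one account, many failures), password spray (one source, many accounts) and a success following a burst of failures. The log line format, hosts, accounts and thresholds are constructed for the demo.

```python
"""Brute-force and password-spray detection over SMB-to-DC authentication events.

Added example, not CrowdStrike code. The line format below is constructed;
real telemetry would come from the DC's SMB session-setup / NTLM audit events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# constructed format: <iso time> proto=SMB src=<host> user=<DOMAIN\user> result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure)$"
)


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["user"] = e["user"].lower()   # AD names are case-insensitive
        events.append(e)
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=10,
           spray_accounts=5, min_fails_before_success=3):
    """Return findings, each a dict with a 'type' of:
       brute_force            - >= fail_threshold failures for one (src, user) inside window
       spray                  - one src failing against >= spray_accounts distinct users inside window
       success_after_failures - a success for a (src, user) pair that had
                                >= min_fails_before_success failures inside window
    Each brute_force / spray finding fires once per key to avoid alert storms."""
    findings = []
    fails = defaultdict(list)          # (src, user) -> failure timestamps
    fails_by_src = defaultdict(list)   # src -> (ts, user) of failures
    reported = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["proto"] != "SMB":
            continue
        key = (e["src"], e["user"])
        recent = [t for t in fails[key] if e["ts"] - t <= window]
        if e["result"] == "failure":
            fails[key].append(e["ts"])
            fails_by_src[e["src"]].append((e["ts"], e["user"]))
            if len(recent) + 1 >= fail_threshold and ("brute_force", key) not in reported:
                reported.add(("brute_force", key))
                findings.append({"type": "brute_force", "src": e["src"], "user": e["user"],
                                 "count": len(recent) + 1, "at": e["ts"].isoformat()})
            users = {u for t, u in fails_by_src[e["src"]] if e["ts"] - t <= window}
            if len(users) >= spray_accounts and ("spray", e["src"]) not in reported:
                reported.add(("spray", e["src"]))
                findings.append({"type": "spray", "src": e["src"], "accounts": len(users),
                                 "at": e["ts"].isoformat()})
        elif len(recent) >= min_fails_before_success:
            findings.append({"type": "success_after_failures", "src": e["src"], "user": e["user"],
                             "prior_failures": len(recent), "at": e["ts"].isoformat()})
    return findings


def _constructed_lines():
    """Constructed sample: one brute force that succeeds, one spray, one typo."""
    base = datetime(2024, 1, 10, 9, 0, 0)
    lines = []
    for i in range(12):   # one source hammering one service account
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} proto=SMB "
                     f"src=ATTK-01 user=CORP\\svc_backup result=failure")
    lines.append(f"{(base + timedelta(seconds=12)).isoformat()} proto=SMB "
                 f"src=ATTK-01 user=CORP\\svc_backup result=success")
    for i, u in enumerate(["amy", "bob", "cat", "dan", "eve", "fay"]):   # spray
        lines.append(f"{(base + timedelta(minutes=10, seconds=2 * i)).isoformat()} proto=SMB "
                     f"src=WS-77 user=CORP\\{u} result=failure")
    lines.append(f"{(base + timedelta(minutes=20)).isoformat()} proto=SMB "
                 f"src=WS-12 user=CORP\\jdoe result=failure")          # a mistyped password
    lines.append(f"{(base + timedelta(minutes=20, seconds=5)).isoformat()} proto=SMB "
                 f"src=WS-12 user=CORP\\jdoe result=success")
    return lines


SAMPLE_LINES = _constructed_lines()

if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LINES)):
        print(f)
```

The benign single failure followed by a success for jdoe produces nothing, while the attacker host trips the brute-force rule on its tenth failure and again when it finally authenticates; the spray source is caught on its fifth distinct account. The thresholds are the knobs a SOC tunes against its own baseline of failed and successful SMB authentications.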
Complete Protection for Identity and Beyond
With these new innovations, Falcon Identity Protection gives customers even better capabilities to detect and prevent identity-related threats, building upon our unique fusion of the world’s best endpoint security with industry-leading identity protection — all in a unified platform.
Additional Resources
- Schedule your free Active Directory Risk Review from CrowdStrike to get instant visibility into your AD hygiene and expert guidance on how to reduce your attack surface.
- Learn the importance of having a robust AD security and identity protection solution in this CrowdCast.
- Read the white paper, “Identity and Security: Addressing the Modern Threat Landscape.”
- Watch this video about Falcon Identity Protection’s enhanced capabilities to stop evolving threats.