
How does Active Directory Deception work?

Blog | 10.02.2021, updated August 30th, 2021

Active Directory Deception

Active Directory (AD) is the main directory service that controls access to the corporate network, and more than 90% of organizations use it. This makes it an obvious target for attackers looking to gain additional privileges and escalate their attacks.

Unfortunately, AD is a complicated system, and it is not inherently easy to lock down. After all, the purpose of AD is to facilitate authorized users’ access to the services they need. Restricting that access can lead to inefficiencies and disrupt business operations, which is a headache of a different kind.

Active Directory enjoys a reputation as the "golden key" because, according to the MITRE ATT&CK framework, it is critical to 10 of the 12 steps that threat actors commonly take. These steps include privilege escalation, lateral movement and data exfiltration.

Active Directory Attacks

Threat actors use phishing, man-in-the-middle and other techniques to gain the privileges they need to break into a network. Once inside, they often use attack tools such as BloodHound scans to map the entire AD environment.

For example, BloodHound shows attackers the shortest lateral-movement paths through AD objects that end in domain administrator privileges on the network. Because the tool relies on ordinary commands and activity, a SIEM system, for example, does not flag it as dangerous.

“The attacker has the advantage over the defenders. For decades, money, patents and effort have not changed that. The top priority must be to reverse this, so defenders have it easier.”

Deception technology can turn the tables in favour of defenders

Active Directory Deception protects AD better than ever by returning false information in response to AD scans from attackers. When the attackers use the fake data, the solution isolates them in a secure environment where you can collect valuable information such as TTPs and IOCs. Where did the attackers come from? What are they looking for? What path did they take? This type of information can help security analysts better prepare for the future.

Active Directory Deception becomes active as soon as an attacker launches an illegitimate query against AD (e.g. a BloodHound scan) via a compromised endpoint. The query is initially routed to the AD server in the regular manner and processed properly there. However, the response coming back from the AD server to the endpoint is baited, and once the attacker uses it, the attacker is redirected to a secure environment with real systems. In parallel, the moment the illegitimate query is sent, an alarm is raised that immediately informs the security analyst of the activity.

Once there, an attacker looking for information about privileged domain accounts, systems and other high-value objects receives fake Active Directory results that render the attacker's automated tools ineffective. Any attempt to attack this decoy environment runs into a virtual trap environment.
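The mechanism described above, reduced to its two decisions (bait enumeration-style queries, then treat any use of a decoy as a high-confidence alert), as an added toy model. This is illustrative code written for this page, not CYBERTRAP's implementation; the decoy names, the LDAP filter patterns and the "trap" action are all assumed.

```python
"""Toy model of AD deception: bait enumeration replies with decoy
principals and alert when a decoy is later used.  Constructed example;
decoy names, filter patterns and actions are assumptions, not a vendor list."""
from dataclasses import dataclass, field
import re

# Decoy principals handed out in baited replies; they exist nowhere real,
# so any later use of them cannot be legitimate.
DECOYS = {"svc_backup_admin", "da_helpdesk"}

# LDAP filters typical of broad collection (assumed patterns for the demo):
ENUMERATION_PATTERNS = [
    r"\(objectClass=\*\)",              # "give me everything"
    r"\(adminCount=1\)",                # protected / privileged accounts
    r"\(memberOf=.*Domain Admins.*\)",  # who is a domain admin
]


@dataclass
class DeceptionLayer:
    alerts: list = field(default_factory=list)
    baited_clients: set = field(default_factory=set)

    def is_enumeration(self, ldap_filter: str) -> bool:
        """True when the filter looks like mapping rather than a normal lookup."""
        return any(re.search(p, ldap_filter) for p in ENUMERATION_PATTERNS)

    def handle_search(self, client: str, ldap_filter: str, real_results: list) -> list:
        """Pass normal queries through untouched; bait enumeration-style ones.

        The real answer is still returned (the query was processed normally by
        the AD server), but decoys are appended so automated tools chase
        non-existent attack paths, and the analyst is alerted immediately."""
        if not self.is_enumeration(ldap_filter):
            return real_results
        self.alerts.append(("enumeration", client, ldap_filter))
        self.baited_clients.add(client)
        return real_results + sorted(DECOYS)

    def handle_logon(self, client: str, account: str) -> str:
        """Any use of a decoy account is by definition illegitimate:
        alert and hand the session to the trap environment."""
        if account in DECOYS:
            self.alerts.append(("decoy_use", client, account))
            return "redirect_to_trap"
        return "allow"
```

A real deployment would key the decision on the LDAP traffic itself rather than on a caller-supplied filter string, but the two decision points are the same.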

By directing attackers into the deception environment, CYBERTRAP analysis software can be used to closely examine the attack to determine tactics, techniques, and procedures, and to gather enterprise-specific threat intelligence for an accelerated response. This data is made available to the security analyst on a modern dashboard.



About the author

Franz Weber
