ACTIVE DIRECTORY DECEPTION
for CYBERTRAP Enterprise & CYBERTRAP Pro
Active Directory (AD) is a standard tool used by most organisations to control the access of users and computers to company servers and applications. Every computer on the corporate network must therefore have some access to AD for the network environment to function properly.
Attackers use phishing, man-in-the-middle and other techniques to gain the permissions they need to break into a network. Once inside, they often use tools such as BloodHound to map the entire AD environment. Through this reconnaissance, attackers identify the valuable resources, systems and privileged user accounts they need to achieve their goals and build an attack plan. By operating through AD, attackers hope to hide from security teams and their tools, for example by using existing credentials or by creating their own domains.
If an attacker uses BloodHound to scan AD for admin accounts, the scan returns false information. This immediately sets off an alarm, and the security team knows that someone is searching for AD admin accounts without authorisation. If the attacker uses this false information to move around the network, he is immediately redirected to a secure deception environment where he can be monitored. Meanwhile, we record the tactics, techniques and procedures used by the attackers, which the security team then uses to strengthen the security measures in the production network and prevent further attacks.
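A defender-side check for the second case above (an intruder authenticating with the planted account information), as an added example that is not CYBERTRAP's code: it scans Windows Security log lines and raises an alert whenever a decoy account appears in an authentication event. The decoy account names, the simplified export format and the log lines are constructed; event IDs 4624, 4625, 4768 and 4769 are standard Windows Security events.

```python
"""Flag any authentication activity against decoy AD admin accounts.

Added example, not CYBERTRAP code. Decoy names, export format and log lines
are constructed; 4624/4625/4768/4769 are standard Windows Security events.
"""
import re
from typing import Dict, List, Optional

# Constructed decoy accounts: they exist only to be found by reconnaissance,
# so no legitimate user or process ever authenticates with them.
DECOY_ACCOUNTS = {"adm_backup_svc", "da_helpdesk2"}

AUTH_EVENTS = {4624: "logon", 4625: "failed logon",
               4768: "Kerberos TGT request", 4769: "Kerberos TGS request"}

# Constructed, simplified export format: one event per line.
LINE_RE = re.compile(
    r"^(?P<time>\S+) EventID=(?P<eid>\d+) "
    r"Account=(?P<acct>[^\s@]+)(?:@\S+)? Source=(?P<src>\S+)$"
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def decoy_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per authentication event naming a decoy account.

    AD names are case-insensitive and may carry a UPN suffix, so the name
    is lower-cased and the domain part is dropped before matching.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed export line: skip, do not stop the pipeline
        eid = int(ev["eid"])
        if eid in AUTH_EVENTS and ev["acct"].lower() in DECOY_ACCOUNTS:
            alerts.append({"time": ev["time"], "source": ev["src"],
                           "account": ev["acct"].lower(),
                           "reason": f"{AUTH_EVENTS[eid]} with decoy account"})
    return alerts


# Constructed sample: two legitimate users, one host probing both decoys.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z EventID=4624 Account=jsmith Source=10.0.5.21",
    "2024-05-01T09:12:41Z EventID=4769 Account=ADM_BACKUP_SVC@corp.example Source=10.0.5.77",
    "2024-05-01T09:13:02Z EventID=4625 Account=da_helpdesk2 Source=10.0.5.77",
    "-- truncated export line --",
    "2024-05-01T09:14:00Z EventID=4624 Account=alee Source=10.0.5.30",
]
```

Because the decoy accounts have no legitimate use, every alert is high confidence, and the `source` field already points at the host from which the deception environment should start recording.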