Attivo Networks announced a new way of protecting credentials from theft and misuse. As part of its Endpoint Detection Net (EDN) Suite, the ThreatStrike functionality allows organizations to hide real credentials from attacker tools and bind them to their applications. Additionally, the solution can show decoy credentials that facilitate threat intelligence gathering when left as bait. With this new functionality, Attivo becomes the only solution of its kind to cloak real credentials from attackers.
A credential-based attack occurs when an attacker steals credentials, extends privileges, and compromises critical data. Credential theft is the first stage of a lateral movement attack and stopping the attack early in the process can make a material impact on the success and damages incurred by an attacker.
According to Verizon’s 2021 Data Breach Investigation Report, credentials remain among the most sought-after data types by attackers (60%). Stolen Credentials have been behind some of the largest and most costly data breaches.
The Attivo ThreatStrike cloaking hides and denies unauthorized access to applications. For example, only Chrome will have access to its credential store, and all other applications won’t. The product launches with support for 75 of the most popular Windows applications that attackers target, with a plan to add more applications in the future.
“The benefit of credential protection is that only allowed system software can access them,” said Srikant Vissamsetti, senior vice president of engineering at Attivo Networks. “Customers will benefit from the prevention of unauthorized access, which can lead to credential theft attacks, such as Pass-the-Hash, Pass-The-Ticket, and Password Theft that can be extremely difficult to detect and stop.”
This new capability directly addresses sophisticated attack techniques as outlined in the MITRE ATT&CK Credential Access Tactic, such as OS Credential Dumping (T1003), Credentials from Password Store (T1555), Unsecured Credentials (T1552), Steal or Forge Kerberos Tickets (T1558) and Steal Web Session Cookie (T1539).
With endpoint credentials now hidden from attacker view, the ThreatStrike solution plants bait on the endpoint, designed to appear as popular production Windows, Mac, and Linux credentials. As threat actors conduct reconnaissance, these lures will appear as attractive bait for in-network attackers to steal.
“The growing risk of credential theft attacks and misuse is the root cause of many modern cyber incidents,’ said Ed Amoroso founder and CEO of TAG Cyber. ‘The recent Verizon Data Breach Report, for example, underscores stolen credentials as a top target for attackers. This challenge in the market is fueling the need to reduce credential risk by managing entitlements in the context of an authorization model. With the introduction of credential cloaking and policy-based application access, Attivo Networks is well-positioned to emerge as a significant player in the identity detection and response market.”
The addition of credential cloaking also adds to the company’s stack of cloaking technology. The company can currently cloak Active Directory objects, as well as files, folders, network, and cloud mapped shares, and removable drives. This technology is distinctly different from traditional deception technology that weaves fake objects amongst real ones. Cloaking technology hides real assets and puts fake data in its place. This combined innovation has received recognition and awards for its efficacy in identifying and deterring both ransomware and advance attack tactics.
The Attivo Networks Endpoint Detection Net (EDN) Suite is a component of the company’s identity detection and response (IDR) offering. IDR solutions grew popular in 2021 as the technology became available to detect identity theft, privilege escalation, and lateral movement threat activities. The company’s EDN solution includes:
- ThreatStrike: for credential protection
- ADSecure: for Active Directory protection
- ThreatPath: for credential attack path visibility and attack surface reduction
- Deflect: prevents fingerprinting of endpoints to identify targets and vulnerabilities to exploit
- Central Management: manages EDN and comes with the ability, through licensing, to add visibility to Active Directory and cloud entitlement exposures and vulnerabilities