HARDEN YOUR AD SECURITY
CrowdStrike White Paper 2
Cybersecurity visibility and enforcement starts with Active Directory (AD). Identity and Access Management (IAM) - via AD, Active Directory Federation Services (AD FS), or another identity store - is the nerve center of an enterprise, governing how users and accounts access applications and assets. From this central point, organizations create and maintain user credentials and assess application, network, and behavioral traits, as well as create new logical segmentation strategies based on identity and risk. Any security compromise of AD undermines the entire identity management infrastructure, leading to potential data leaks as well as potential system corruption, takeover or ransomware, or destruction.

Your Active Directory governs whether access should be granted or not – but the world is more complex than the standard allow/deny settings. By adding risk analysis through context and threat scoring to basic identity and access management authentication functions, the Falcon Identity Protection solution helps security teams make pre-access decisions before potential damage occurs, and enforce frictionless conditional access on all requests. Risk-based conditional access principles pave the way for identity segmentation, with policies built around the context of identity, behavior and the dynamic risk of user credentials (including both human and service accounts).

THREATS TO ACTIVE DIRECTORY SERVICES
- Default settings and simple passwords
- Inappropriate access for roles and employees
- Lack of visibility into elevation of privilege
- No behavior analysis or logging of anomalies
- Lateral movement in the environment
This conditional access ensures the right level of security is delivered to either stop a threat or validate the credential to let users get on with their work. Falcon Identity Protection realizes enterprise security infrastructures are not one-size-fits-all, and most networks are increasingly both on premises and hybrid, or even moving entirely virtual.
BRINGING ENFORCEMENT TO AD
Enforcement at the authentication infrastructure opens up more flexible enforcement options than trying to control at the application or share level. Instead of blocking a connection outright, a user’s privileges could be evaluated and reduced or held to role-based accesses. This could keep the user productive, while limiting higher-risk behaviors. Enforcement means keeping a constant activity trail for all privileged and service accounts, with immediate identification of anomalous traffic or unusual resource connection requests.

In the end, the directory infrastructure is the logical center of the enterprise where all users and accounts gain access to resources. By bringing a security layer to the authentication infrastructure, organizations can get visibility into all behavior with a simple update to internal DNS settings.

Real-time threat mitigation through risk-based MFA
User analytics that examine changes in behavior and
Privileged user credentials or service accounts are the ultimate target as these provide an
attacker nearly full control and lateral access over the network. As a result, understanding
a user’s role and privileges in the organization is critical not only for setting smart security
policies, but also for detecting signs that the credential has been compromised to cut off
active attacks.
Organizations need to understand their own security posture. There are constant questions about identity and access that security teams need answered:
These are a few examples of attributes and activities that illustrate the role of the account as
well as potential risks tied to a specific connection attempt.
Both inherent risks like weak passwords and deviations from normal behavior can potentially
indicate the user is doing something risky or possibly has even been compromised by an
attacker. Bringing enforcement controls to the authentication infrastructure provides new
options and flexibility to meet these needs.
As an example, attackers are using tools like Mimikatz to steal credentials and gain a foothold on the network. Attackers then move laterally within a network by using techniques such as pass-the-hash (PtH), pass-the-ticket, relay and replay attacks, or even threats like Maze, Sunburst or Conti ransomware. Attackers also use a variety of reconnaissance techniques such as account scanning and credential spraying in order to find new targets or credentials, while methods such as Golden Ticket attacks can allow an attacker to achieve near-permanent persistence within a network.
These techniques are the difference between a threat that is limited to a single host and a persistent threat which can expose the entire enterprise and all of its assets. However, these progressive multi-step attacks also provide multiple opportunities for security to detect the threat and halt its progress before major damage is done. By monitoring behaviors on the network and AD infrastructure, security can detect the behaviors of PtH or other attack techniques and tactics.
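As an added example (not from the white paper), the following Python flags the credential-spraying pattern named above in constructed Windows Security log lines: one source failing logons against many distinct accounts inside a short window, with any later success from the same source and any failures against non-existent accounts (account scanning) called out separately. The log format, IP addresses and account names are constructed; the event IDs and NTSTATUS codes are the standard Windows values.

```python
# Added example, not CrowdStrike code: detect password spraying and account
# scanning in constructed Windows Security log lines.
# Format (constructed): "timestamp|event_id|account|source_ip|status"
# 4625 = failed logon, 4624 = successful logon (Windows Security log IDs).
# 0xC000006A = wrong password, 0xC0000064 = user name does not exist.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2022-05-01T09:00:01|4625|alice|10.0.0.7|0xC000006A
2022-05-01T09:00:02|4625|bob|10.0.0.7|0xC000006A
2022-05-01T09:00:03|4625|carol|10.0.0.7|0xC000006A
2022-05-01T09:00:04|4625|dave|10.0.0.7|0xC000006A
2022-05-01T09:00:05|4625|zed|10.0.0.7|0xC0000064
2022-05-01T09:00:06|4625|erin|10.0.0.7|0xC000006A
2022-05-01T09:00:40|4624|frank|10.0.0.7|0x0
2022-05-01T09:10:00|4625|alice|10.0.0.9|0xC000006A
2022-05-01T09:10:05|4625|alice|10.0.0.9|0xC000006A
2022-05-01T09:10:09|4625|alice|10.0.0.9|0xC000006A
"""

def parse(log_text):
    """Parse log lines into (time, event_id, account, source_ip, status), oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        ts, eid, acct, src, status = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), acct, src, status))
    return sorted(events)

def detect_spray(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: finding} for sources whose failed logons hit at least
    min_accounts distinct accounts within any span of length `window`.
    A single account failing repeatedly (brute force or a locked-out user) is
    deliberately NOT flagged here; spraying is many accounts, few attempts each."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == 4625]
        for i, start in enumerate(fails):       # sliding window over failures
            in_win = [e for e in fails[i:] if e[0] - start[0] <= window]
            accts = {e[2] for e in in_win}
            if len(accts) >= min_accounts:
                findings[src] = {
                    "accounts": sorted(accts),
                    # names that do not exist: enumeration / account scanning
                    "unknown_accounts": sorted({e[2] for e in in_win if e[4] == "0xC0000064"}),
                    # a success from the same source after the spray began means
                    # a sprayed password worked: respond to these first
                    "success_after": sorted({e[2] for e in evs if e[1] == 4624 and e[0] >= start[0]}),
                }
                break
    return findings
```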
Falcon Identity Protection detects these lateral movement techniques as well as the use of
risky protocols and abnormal behavior, which identifies devices and accounts that are likely
compromised. These accounts can then be challenged via MFA/2FA or blocked based on
policy to halt the progress of an attack.
[Figure: NTLM authentication sequence diagram with eight numbered steps and a TARGET node; legible labels: 1-NTLM NEGOTIATE, 4-NTLM CHALLENGE, 5-NTLM AUTHENTICATE; the remaining step labels were fragmented in extraction.]
FALCON IDENTITY PROTECTION
Falcon Identity Protection developed the industry’s first security platform bringing real-time layers of threat prevention to an organization’s authentication infrastructure. This allows organizations to stop cyber attacks and insider threats, and enforce policies across the extended enterprise based on identity, behavior, and risk. Falcon Identity Protection offers real-time visibility of identity-based attacks and anomalies, and enforces risk-based MFA/conditional access.

Falcon Identity Protection operates in real time alongside Active Directory and Domain Controllers. From this strategic vantage point, Falcon Identity Protection leverages advanced AI/ML techniques to continually learn the behaviors that are both common and essential to the enterprise, while proactively detecting the malicious actions of attackers. Our built-in intelligence automatically surfaces weaknesses such as password issues, risky user behavior, and all associated devices. The solution automatically identifies all privileged users including those with privileges outside of the traditional administrator groups in Active Directory, including service accounts.

Falcon Identity Protection continually tracks the actions and behaviors of all of these credentials on premises or in the cloud for signs of malicious or abnormal behavior. Falcon Identity Protection is powered by CrowdStrike Security Cloud, the world’s largest unified, threat-centric data fabric, which correlates trillions of security events per day leveraging the industry’s leading threat intelligence and enterprise telemetry. When it sees suspicious activity, Falcon Identity Protection can challenge the behavior in real time before access is granted to verify the user's identity and, if needed, reset the password based on the risk and enterprise policy. This allows organizations to automatically resolve any false positives without preventing valid access, and logically align real-time security enforcement with the needs of the business.

ABOUT CROWDSTRIKE
CrowdStrike Holdings, Inc. (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform enables customers to benefit from rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike: We stop breaches.

Learn more: https://www.crowdstrike.com/
Follow us: Blog | Twitter | LinkedIn | Facebook | Instagram
Start a free trial today: https://www.crowdstrike.com/free-trial-guide/

© 2022 CrowdStrike, Inc. All rights reserved. CrowdStrike, the falcon logo, CrowdStrike Falcon and CrowdStrike Threat Graph are marks owned by CrowdStrike, Inc. and registered with the United States Patent and Trademark Office, and in other countries. CrowdStrike owns other trademarks and service marks, and may use the brands of third parties to identify their products and services.