Allow Attackers to Contain Themselves with Javelin AD Protect and IncMan SOAR


Javelin AD Protect and IncMan SOAR

Organizations of all sizes rely on Microsoft Active Directory as the backbone of their identity and access management. As much as organizations rely on Active Directory, many do not fully understand its complexities or the best practices for hardening its configurations. Attackers too have come to rely on Active Directory as a potential gold mine of information. From reconnaissance and information gathering to authentication attacks, Active Directory can provide attackers with the keys to an organization’s most critical resources.

Because Active Directory is an open service by design, attacks on Active Directory are especially difficult to detect. Most often, attacks involving Active Directory are detected based on other actions taken by the attacker, and long after the damage is done.

In this blog post we will discuss how to mitigate the substantial risks inherent to Microsoft Active Directory using Javelin AD Protect together with DFLabs’ Security Orchestration, Automation and Response (SOAR) solution, IncMan SOAR, illustrated with an example use case.

About Javelin AD Protect

Javelin AD Protect controls the attacker's perception autonomously at the endpoint with no agent, and identifies the Dark Corners the attacker favors. AD Protect achieves definitive alerts on post-exploitation activity—the most important part of the breach—to stop reconnaissance, credential theft, and lateral movement. Once a threat is detected, AD Protect gathers relevant artifacts automatically before an attacker can erase them, reducing time and effort to investigate the breach.

The DFLabs and Javelin AD Protect Solution

The integration between DFLabs IncMan SOAR and Javelin AD Protect combines advanced Active Directory detection and response technology with cutting-edge orchestration and automation to allow organizations to respond almost instantaneously to Active Directory attacks. AD Protect’s advanced protection and IncMan’s R3 Runbooks combine to allow attackers to contain themselves before the security team would even have time to acknowledge the alert.

IncMan SOAR’s powerful automation and orchestration capabilities allow joint customers to automatically begin enriching the wealth of information gathered by AD Protect, separating benign artifacts from potential indicators of compromise, which can be used to identify the attacker and search for additional compromise across the environment.

Use Case

An attack is detected by Javelin AD Protect, which causes an incident to be generated within IncMan SOAR. The Runbook begins by retrieving the report AD Protect generated when the attack was detected. This report contains a wide variety of information which can be enriched by IncMan SOAR or used by an analyst for further investigation. After retrieving the report, the Runbook checks whether any hash values or network connection information are present in it. If either is present, the Runbook queries the organization’s threat intelligence provider of choice to determine whether the hash values or IP addresses are malicious. If any hash values or IP addresses have associated intelligence above a configured threshold, the Runbook automatically blocks those IP addresses or hash values. Finally, the Runbook queries the organization’s EDR solution for any of the hash values or IP addresses determined to be malicious, to establish whether any other endpoints on the network have these artifacts associated with them.

Simultaneously, the Runbook will gather any user accounts from the report generated by AD Protect and extract any domain accounts. The Runbook will then query Active Directory for the attributes of any domain user account found on the potentially compromised host. For each domain account found, the analyst will be prompted with a User Choice decision asking if they would like to reset the user’s password. If the analyst chooses to reset the user’s password, a separate Runbook will be executed on the specified user account to reset the password to a random string and email the user with the new temporary password.
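The runbook logic described in the two paragraphs above, as an added Python sketch that is not DFLabs', Javelin's or IncMan's code; the report schema, threat-intel scores, EDR inventory and the CORP domain name are constructed assumptions, and the real integrations' API calls are replaced by dictionary lookups.

```python
import re
import secrets

# Constructed AD Protect-style report; field names are assumptions, not the product's schema.
REPORT = {
    "host": "WS-0142",
    "hashes": ["d41d8cd98f00b204e9800998ecf8427e",
               "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
               "not-a-hash"],
    "connections": [{"dst_ip": "203.0.113.10"}, {"dst_ip": "10.0.0.5"}],
    "accounts": ["CORP\\jsmith", "WS-0142\\localadmin", "corp\\svc-backup"],
}
# Constructed threat-intel scores (0-100) and EDR sightings standing in for the integrations.
TI_SCORES = {"203.0.113.10": 92, "10.0.0.5": 0,
             "d41d8cd98f00b204e9800998ecf8427e": 85,
             "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": 12}
EDR_SIGHTINGS = {"203.0.113.10": ["WS-0142", "WS-0377"],
                 "d41d8cd98f00b204e9800998ecf8427e": ["WS-0142", "SRV-DB01"]}
BLOCK_THRESHOLD = 80
HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")  # MD5 / SHA-1 / SHA-256

def extract_artifacts(report):
    """Normalise hashes to lowercase, drop malformed ones, collect destination IPs."""
    hashes = {h.lower() for h in report.get("hashes", []) if HASH_RE.fullmatch(h.lower())}
    ips = {c["dst_ip"] for c in report.get("connections", []) if "dst_ip" in c}
    return hashes, ips

def domain_accounts(report, domain):
    """Keep only DOMAIN\\user entries; local (hostname\\user) accounts are not AD accounts."""
    prefix = domain.upper() + "\\"
    return sorted(a.split("\\", 1)[1] for a in report.get("accounts", [])
                  if a.upper().startswith(prefix))

def triage(report, ti, edr, domain, threshold=BLOCK_THRESHOLD):
    """Mirror the runbook: score artifacts, block those over threshold, sweep EDR, list accounts."""
    hashes, ips = extract_artifacts(report)
    # Unknown artifacts score 0 here: absence of intel is not proof of benignity.
    malicious = sorted(a for a in hashes | ips if ti.get(a, 0) >= threshold)
    spread = {a: [h for h in edr.get(a, []) if h != report["host"]] for a in malicious}
    return {"block": malicious,
            "other_hosts": {a: hs for a, hs in spread.items() if hs},
            "reset_candidates": domain_accounts(report, domain)}

def reset_if_approved(user, ask_analyst):
    """User Choice step: only on analyst approval generate a random temporary password."""
    if not ask_analyst(user):
        return None
    return secrets.token_urlsafe(18)  # 24-char temporary password; delivery is out of scope here
```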

Summary

Microsoft Active Directory is a pervasive and complex service which is relied upon by both organizations and attackers on a daily basis. Attacks on Active Directory are notoriously difficult to detect with traditional detection technologies. However, once successful they can provide attackers with access to all the organization’s most critical assets.

The integration between DFLabs IncMan SOAR and Javelin AD Protect combines advanced Active Directory detection and response technology with cutting-edge orchestration and automation to allow organizations to respond almost instantaneously to Active Directory attacks. AD Protect’s advanced protection and IncMan’s R3 Runbooks combine to allow attackers to contain themselves before the security team would even have time to acknowledge the alert.
