Replication Delegation is a new preconfigured threat model in StealthDEFEND 2.1 designed to detect when a user, group, or computer is granted permissions to replicate a domain.
A common technique employed by cyber attackers is to use the DCSync command in Mimikatz to request password information from a Domain Controller. If successful, attackers can easily assume control of privileged accounts and employ additional attack tactics, techniques, and procedures such as Golden Tickets, ultimately resulting in full domain compromise. However, in order for this attack to work, the attacker must have specific permissions to perform domain replication.
In version 2.1, StealthDEFEND has been tuned to detect and alert on changes to any account where domain replication is involved. If changes are detected, StealthDEFEND can automatically execute a custom playbook of actions to contain the threat and mitigate further damage.
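To see concretely what this threat model watches for, the following is an added example (not StealthDEFEND code and not part of this release post) that audits which principals currently hold the replication extended rights on the domain object, using the RSAT ActiveDirectory module and its AD: drive. The allow-list of expected principals is an assumption that must be tuned per environment (for example, a directory synchronization service account may legitimately appear here); anything outside that list is reported so it can be reviewed, which is the same class of change the Replication Delegation model alerts on.

```powershell
# Added example, not StealthDEFEND code. Lists every ACE on the domain naming
# context that grants a replication extended right (the rights DCSync needs)
# and flags principals that are not on an expected allow-list.
# Assumes the RSAT ActiveDirectory module and read access to the domain ACL.
Import-Module ActiveDirectory

# Extended-right GUIDs for the replication rights involved in DCSync.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$Domain = Get-ADDomain

# Principals that normally hold these rights. ASSUMPTION: a starting point only;
# extend it with any service accounts your environment has deliberately granted.
$Expected = @(
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$($Domain.NetBIOSName)\Domain Controllers",
    "$($Domain.NetBIOSName)\Enterprise Read-only Domain Controllers"
)

$Acl = Get-Acl -Path "AD:\$($Domain.DistinguishedName)"

$Findings = foreach ($Ace in $Acl.Access) {
    if ($Ace.AccessControlType -ne 'Allow') { continue }

    $Guid = $Ace.ObjectType.ToString().ToLower()
    $Right = $null

    if ($Ace.ActiveDirectoryRights -match 'ExtendedRight' -and $ReplicationRights.ContainsKey($Guid)) {
        $Right = $ReplicationRights[$Guid]
    }
    elseif ($Ace.ActiveDirectoryRights -match 'GenericAll') {
        # GenericAll on the domain object implies every extended right, so it
        # confers replication rights without naming them explicitly.
        $Right = 'GenericAll (implies all replication rights)'
    }

    if ($Right) {
        [pscustomobject]@{
            Principal = $Ace.IdentityReference.Value
            Right     = $Right
            Inherited = $Ace.IsInherited
            Expected  = ($Expected -contains $Ace.IdentityReference.Value)
        }
    }
}

# Full picture first, then only the entries that need a human decision.
$Findings | Sort-Object Principal, Right | Format-Table -AutoSize

$Unexpected = $Findings | Where-Object { -not $_.Expected }
if ($Unexpected) {
    Write-Warning 'Replication rights are held by principals outside the expected list; review each grant:'
    $Unexpected | Format-Table Principal, Right, Inherited -AutoSize
}
else {
    Write-Output 'No replication rights held outside the expected list.'
}
```

Run this periodically from a management host and diff the output against the previous run; a newly appearing principal is exactly the kind of grant that should be investigated before it can be used for replication.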
StealthDEFEND’s internal auditing capabilities have been expanded and refined to include all activities performed within the product.
StealthDEFEND 2.1 provides a powerful threat detection and response engine, making it a critical element of an organization’s overall data security strategy. However, insider threat and human error continue to be a concern for security teams, driving the need for StealthDEFEND itself to be as secure as the technologies it’s applied to. In this release, internal auditing of StealthDEFEND has expanded to include:
This additional user activity logging also ensures that StealthDEFEND can satisfy requirements for common criteria, FIPS, and other standards required for the most secure environments.
Active Directory Sync
StealthDEFEND has transitioned from a scheduled Active Directory sync to a real-time sync in version 2.1, ensuring event details always present up-to-date information.
Attackers move quickly to establish a foothold in the environment, but then act cautiously as they collect information. In order to counter these threats, security teams need the most current information to make decisions about the best way to respond. Getting real-time updates can mean the difference between early detection and late-stage remediation and cleanup, which is critical because early detection and containment are the best ways to minimize the financial and business impact of a breach.
In version 2.1, StealthDEFEND now receives updates in real time, expediting threat triage, investigations, and response.
StealthDEFEND’s SIEM integration features have been enhanced to allow users to customize their SIEM templates, including the ability to remove or reorder fields, specify custom delimiters, and even change the format of the data stream. Additional protocol support for TCP and TCP over TLS has also been added.
Most security teams employ SIEM systems as part of their overall security monitoring strategy. As companies continue to refine their security posture, they look for ways to improve the quality and level of detail of events sent to their SIEM. As a result, it’s important that all security systems work together in order to provide the additional context security teams need to quickly respond to threats.
StealthDEFEND 2.1 has been enhanced to give users the ability to customize the amount and types of data sent to the SIEM platform of their choosing, ensuring the higher quality, higher fidelity threat insight from StealthDEFEND is seamlessly ingested and represented in the place they want it most.