Bekker's Blog


Symantec Adds AD Recon Protection to Endpoint Security Stack

Symantec Corp. is buying its way into the business of defending Active Directory against reconnaissance attacks.

The Mountain View, Calif.-based security giant bought privately held Javelin Networks earlier this week for an undisclosed amount.

Founded in 2014, Javelin Networks has focused on giving organizations a tool to partially defend against the advanced persistent threat (APT) attacks that are largely attributed to sophisticated hacking groups or nation-state attackers. Examples of high-profile attacks in those categories include APT28, APT29 and DUQU 2.0.

Javelin Networks' organizing principle is that Active Directory is a popular and effective way for hackers to get information about corporate networks for lateral movement and privilege escalation, once they've found some other way into the network.

The company set forth its take on the problem with Active Directory in a whitepaper last year: "AD can't distinguish between a legitimate query and an illegitimate query. As long as the query came from an authenticated user, it has no choice but to answer, revealing the organization's biggest secrets. With a legitimate query, the attacker doesn't get just part of the organization's information -- they get all of it in a matter of seconds without any risk of being detected."

Javelin Networks contends that the vast majority of sophisticated attackers use Active Directory recon techniques once they're inside a network rather than noisier methods like network scans and protocol scans that tend to trigger alerts in security tools.

The company's main solution, AD|Protect, is designed to detect breaches autonomously, apparently based on profiles of the kinds of Active Directory recon that attackers typically try to carry out once they've gotten control of a domain-connected system. Javelin Networks uses Native Language Processing and other technologies to obfuscate the network in a way that is supposed to prevent the attacker from moving laterally. At the same time, the system kicks off forensics to help IT document and track the attack. Additionally, the tool probes for domain misconfigurations and persistence on an ongoing basis, an important feature given the months and years that APTs can remain hidden in a network.
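The whitepaper's point (any authenticated account can ask the directory for everything, and each query on its own looks legitimate) and the profile-based detection AD|Protect is described as doing above suggest what a defender can look for: not a single query, but a burst of broad enumeration queries from one account. The following is an added example, not Javelin Networks' or Symantec's code. It runs a simple heuristic over constructed LDAP query-log lines; the log format, field names, filter list and thresholds are all assumptions chosen for illustration, and a real deployment would feed this from directory-service audit events or a domain-controller LDAP log instead.

```python
"""
Added example (not Javelin Networks' or Symantec's code): a small heuristic
detector for Active Directory reconnaissance, run over constructed LDAP
query-log lines. The log format, field names and thresholds are assumptions
chosen for illustration, not any vendor's or product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real environment).
# "jdoe" does ordinary lookups; "svc-backup" sweeps the whole domain.
SAMPLE_LOG = """\
2018-11-08T09:00:01 user=jdoe src=10.0.5.21 base=DC=corp,DC=example scope=sub filter=(sAMAccountName=jdoe) returned=1
2018-11-08T09:00:05 user=jdoe src=10.0.5.21 base=CN=Users,DC=corp,DC=example scope=one filter=(cn=Printer-3) returned=1
2018-11-08T09:12:00 user=svc-backup src=10.0.5.40 base=DC=corp,DC=example scope=sub filter=(objectClass=user) returned=4812
2018-11-08T09:12:02 user=svc-backup src=10.0.5.40 base=DC=corp,DC=example scope=sub filter=(objectClass=group) returned=913
2018-11-08T09:12:03 user=svc-backup src=10.0.5.40 base=DC=corp,DC=example scope=sub filter=(adminCount=1) returned=37
2018-11-08T09:12:04 user=svc-backup src=10.0.5.40 base=DC=corp,DC=example scope=sub filter=(servicePrincipalName=*) returned=122
2018-11-08T09:12:06 user=svc-backup src=10.0.5.40 base=DC=corp,DC=example scope=sub filter=(objectClass=computer) returned=2304
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) base=(?P<base>\S+) "
    r"scope=(?P<scope>\S+) filter=(?P<filter>\S+) returned=(?P<returned>\d+)$"
)

# Filters that enumerate whole object classes or privileged attributes are the
# "legitimate queries" the whitepaper describes: each is allowed on its own,
# but together they hand back a map of the domain. Assumed watch-list.
BROAD_FILTERS = (
    "(objectClass=user)", "(objectClass=group)", "(objectClass=computer)",
    "(adminCount=1)", "(servicePrincipalName=*)",
)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["returned"] = int(rec["returned"])
    return rec


def is_broad(rec):
    """A subtree search rooted at the domain with an enumeration-style filter."""
    return (rec["scope"] == "sub"
            and rec["base"].startswith("DC=")
            and rec["filter"] in BROAD_FILTERS)


def find_recon(log_text, window=timedelta(minutes=5), min_broad=3, min_rows=1000):
    """Return {user: summary} for accounts that issue at least `min_broad`
    broad enumeration queries inside `window` and pull back `min_rows` objects
    or more. Thresholds are illustrative; tune them to the environment."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_broad(rec):
            by_user[rec["user"]].append(rec)

    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        # Slide a time window across this account's broad queries.
        for i, start in enumerate(recs):
            burst = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            rows = sum(r["returned"] for r in burst)
            if len(burst) >= min_broad and rows >= min_rows:
                findings[user] = {
                    "queries": len(burst),
                    "objects_returned": rows,
                    "filters": sorted({r["filter"] for r in burst}),
                    "sources": sorted({r["src"] for r in burst}),
                }
                break
    return findings


if __name__ == "__main__":
    for user, info in find_recon(SAMPLE_LOG).items():
        print(f"possible AD recon by {user}: {info}")
```

On the sample above only `svc-backup` is flagged: five domain-wide enumeration queries in six seconds returning over eight thousand objects, which is exactly the "all of it in a matter of seconds" the whitepaper warns about. The caveat is that backup agents, inventory tools and some admin scripts legitimately run the same filters, so a heuristic like this needs a per-account baseline or an allow-list of known service accounts and hosts before it is useful as an alert rather than a lead for triage.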

Aside from the main, horizontal version of AD|Protect, Javelin Networks offered specialized versions for business services, critical infrastructure, energy, financial services, government, health care, information security and retail.

Other tools in the company's portfolio include an Active Directory breach and attack simulation product for finding misconfigurations and backdoors called AD|Assess, and some offerings designed for corporate penetration testers.

Because Active Directory recon efforts aren't standalone -- attackers need to be inside the network already to use the technique -- the acquisition by Symantec makes sense. The company will be bundling AD|Protect with other endpoint security products in its broad portfolio.

Symantec put the Javelin Networks team, which is split between offices in the United States and Israel, into its endpoint security business. The Javelin Networks tools will become part of Symantec's broader endpoint security stack.

Posted by Scott Bekker on 11/08/2018 at 3:22 PM

