
Symantec Adds AD Recon Protection to Endpoint Security Stack

Symantec Corp. is buying its way into the business of defending Active Directory against reconnaissance attacks.

The Mountain View, Calif.-based security giant bought privately held Javelin Networks earlier this week for an undisclosed amount.

Founded in 2014, Javelin Networks has focused on giving organizations a tool to partially defend against the advanced persistent threat (APT) attacks that are largely attributed to sophisticated hacking groups or nation-state attackers. Examples of high-profile actors and campaigns in those categories include APT28, APT29 and Duqu 2.0.

Javelin Networks' organizing principle is that Active Directory is a popular and effective way for hackers to get information about corporate networks for lateral movement and privilege escalation, once they've found some other way into the network.

The company set forth its take on the problem with Active Directory in a whitepaper last year: "AD can't distinguish between a legitimate query and an illegitimate query. As long as the query came from an authenticated user, it has no choice but to answer, revealing the organization's biggest secrets. With a legitimate query, the attacker doesn't get just part of the organization's information -- they get all of it in a matter of seconds without any risk of being detected."

Javelin Networks contends that the vast majority of sophisticated attackers use Active Directory recon techniques once they're inside a network rather than noisier methods like network scans and protocol scans that tend to trigger alerts in security tools.

The company's main solution, AD|Protect, is designed to detect breaches autonomously, apparently based on profiles of the kinds of Active Directory recon that attackers typically try to carry out once they've gotten control of a domain-connected system. Javelin Networks uses Native Language Processing and other technologies to obfuscate the network in a way that is supposed to prevent the attacker from moving laterally. At the same time, the system kicks off forensics to help IT document and track the attack. Additionally, the tool probes for domain misconfigurations and persistence on an ongoing basis, an important feature given the months and years that APTs can remain hidden in a network.
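The two points above, that a domain controller answers any authenticated query and that profile-based detection therefore has to look at the shape of the queries rather than at whether they were authorized, can be illustrated with a small detector. The following is an added example written for this post, not Javelin Networks' or Symantec's code, and it does not describe how AD|Protect actually works. It assumes a constructed, simplified LDAP-search log format (timestamp, client, user, search base, scope, filter, number of entries returned); real domain controllers expose similar fields through their directory-service diagnostic events, but the parser below is written only for the constructed lines embedded in the code. Two profiles are checked: a single subtree search at a naming-context root that returns a bulk of objects, and a burst of searches from one client across many distinct containers in a short window.

```python
"""Profile-based detection of Active Directory reconnaissance in LDAP search logs.

Hypothetical example: the log line format is a constructed simplification,
the thresholds are illustrative, and nothing here reflects any vendor's product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format:
# <iso timestamp> client=<ip> user=<DOMAIN\name> base="<DN>" scope=<base|onelevel|subtree>
#   filter="<ldap filter>" returned=<entries>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\w+) filter="(?P<filter>[^"]*)" '
    r'returned=(?P<returned>\d+)$'
)

BULK_RESULTS = 1000                  # a lookup returns a few objects; a dump returns thousands
BURST_WINDOW = timedelta(seconds=60)  # sliding window for the burst profile
BURST_SEARCHES = 20                   # searches by one client inside the window ...
BURST_DISTINCT_BASES = 10             # ... spread over this many distinct containers


def parse_line(line):
    """Parse one constructed log line into a dict; raises ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["returned"] = int(rec["returned"])
    rec["filter"] = rec["filter"].lower()
    return rec


def is_directory_dump(rec):
    """Profile 1: a subtree search rooted at a naming context that returns a bulk of objects.

    Authentication says nothing here; the query is legitimate in AD's eyes. What is
    unusual is a workstation pulling tens of thousands of objects in one search.
    """
    return (rec["scope"] == "subtree"
            and rec["base"].lower().startswith("dc=")
            and rec["returned"] >= BULK_RESULTS)


def find_bursts(records):
    """Profile 2: one client issuing many searches over many containers within BURST_WINDOW.

    Returns {client: (searches_in_window, distinct_bases_in_window)} for flagged clients.
    """
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    flagged = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # advance the window start until it fits inside BURST_WINDOW
            while recs[end]["ts"] - recs[start]["ts"] > BURST_WINDOW:
                start += 1
            window = recs[start:end + 1]
            bases = {r["base"].lower() for r in window}
            if len(window) >= BURST_SEARCHES and len(bases) >= BURST_DISTINCT_BASES:
                flagged[client] = (len(window), len(bases))
                break
    return flagged


def detect_recon(lines):
    """Run both profiles over raw log lines; returns {client: [reason, ...]}."""
    records = [parse_line(l) for l in lines if l.strip()]
    alerts = defaultdict(list)
    for r in records:
        if is_directory_dump(r):
            alerts[r["client"]].append(
                f"bulk dump: {r['returned']} objects from {r['base']} with {r['filter']}")
    for client, (n, nbases) in find_bursts(records).items():
        alerts[client].append(
            f"burst: {n} searches over {nbases} containers within {BURST_WINDOW.seconds}s")
    return dict(alerts)


def constructed_log():
    """Constructed sample: one ordinary user doing lookups, one client enumerating the domain."""
    lines = [
        '2018-11-08T14:02:11 client=10.1.2.3 user=CORP\\jdoe base="CN=Users,DC=corp,DC=example" '
        'scope=onelevel filter="(samaccountname=jdoe)" returned=1',
        '2018-11-08T14:02:40 client=10.1.2.3 user=CORP\\jdoe base="CN=Printers,DC=corp,DC=example" '
        'scope=onelevel filter="(cn=hq-floor2)" returned=1',
        '2018-11-08T14:05:03 client=10.1.9.77 user=CORP\\tmp_vendor base="DC=corp,DC=example" '
        'scope=subtree filter="(objectClass=*)" returned=48213',
    ]
    t0 = datetime(2018, 11, 8, 14, 5, 10)
    for i in range(25):  # 25 searches over 12 OUs in 24 seconds, each small on its own
        ts = (t0 + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f'{ts} client=10.1.9.77 user=CORP\\tmp_vendor '
                     f'base="OU=Site{i % 12},DC=corp,DC=example" scope=subtree '
                     f'filter="(objectClass=user)" returned=300')
    return lines


if __name__ == "__main__":
    for client, reasons in detect_recon(constructed_log()).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

The burst profile matters because each individual search in it looks harmless (a few hundred objects from one OU), which is exactly the gap the dump threshold alone leaves open; a per-client, per-window view is what turns a series of legitimate-looking queries into a signal.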

Aside from the main, horizontal version of AD|Protect, Javelin Networks offered specialized versions for business services, critical infrastructure, energy, financial services, government, health care, information security and retail.

Other tools in the company's portfolio include an Active Directory breach and attack simulation product for finding misconfigurations and backdoors called AD|Assess, and some offerings designed for corporate penetration testers.

Because Active Directory recon efforts aren't standalone -- attackers need to be inside the network already to use the technique -- the acquisition by Symantec makes sense. The company will be bundling AD|Protect with other endpoint security products in its broad portfolio.

Symantec put the Javelin Networks team, which is split between offices in the United States and Israel, into its endpoint security business. The Javelin Networks tools will become part of Symantec's broader endpoint security stack.

Posted by Scott Bekker on 11/08/2018 at 3:22 PM
