Products
- Products
  
  Platform
  ShadowPlex Advanced Threat Defense
  Deception for early detection of cyber threats with precision and speed
  
  ShadowPlex Identity Protection
  Visibility, management and protection of identity stores and attack paths
  Acalvio Active Defense Platform
  Comprehensive and Award-winning Distributed Deception Platform
  
  What is Active Defense?
  Active defense detects and diverts attacks.
  
  Why do I need Acalvio Active Defense?
  Active Defense deceives and disrupts attackers.
Solutions
- Technology Solutions
  
  Industry Solutions
  Early Threat Detection
  Detect cyber threats early in the attack lifecycle to prevent adversary breakout
  
  Identity Threat Detection & Response
  Detect identity threats with precision and protect the identity architecture
  
  OT Security
  Protect OT environments from cyber threats with an easy-to-deploy and non-intrusive solution
  
  Red Teaming
  Strengthen defenses to detect red team activities
  
  Threat Hunting
  Active threat hunting to confirm latent threats and gain visibility to attacker TTPs
  
  Ransomware
  AI-driven deception to protect against known and zero-day ransomware variants
  
  Honeytokens for CrowdStrike
  Enterprise-scale honeytokens to protect against current and evolving identity threats
  
  Active Directory Protection
  Visibility to AD attack surface and detection of AD attacks
  
  Zero Trust
  Advance Zero Trust maturity through improved cyber visibility
  
  Insider Threats
  Unmask hidden dangers. Cyber deception for high-fidelity insider threat detection
  Public Sector
  Targeted solution for protecting Federal agencies in conformation with NIST and CISA recommendations
  
  Financial Services
  Transform Financial Cybersecurity with Innovative Cyber Deception and Active Defense
  
  Healthcare
  Active defense solutions thwart healthcare attacks before they can inflict real damage.
Resources
Partners
Company

Stopping identity-driven attacks from unmanaged endpoints

by Suril Desai | December 11, 2023

Unmanaged endpoints are a prime target for identity-driven attacks

In cybersecurity, unmanaged endpoints represent a significant vulnerability within even the most meticulously planned defense strategies. These unprotected access points are attractive targets for identity-driven attacks. Organizations are unable to gain coverage for all the endpoints with endpoint security and detection tools; even those maintaining the highest levels of vigilance might only achieve around 80% endpoint security coverage. This leaves a consequential proportion of endpoints – about 20% – unmanaged and susceptible. In addition, there are a large number of peripherals and IoT devices, such as printers, cameras that are not compatible with endpoint security solutions and add to the pool of the unmanaged endpoints.

These exposed endpoints, linked with the network and Active Directory (AD), offer an easy entry point for attackers to compromise the system, gain access to privileged credentials, and cause substantial damage. Recent research indicates over 25% of modern attacks originate from an unmanaged endpoint.

Organizations have a significant set of unmanaged endpoints

Understanding the potential vulnerability that unmanaged endpoints pose to organizations’ cybersecurity is critical. IT equipment that represent contractor laptops, Bring Your Own Device (BYOD) devices and legacy workstations in lab environments are all representative of unmanaged endpoints. Seemingly harmless devices like printers and cameras are also exploited for identity-driven attacks. Moreover, servers running a custom OS that are not supported by endpoint security also fall into the category of unmanaged endpoints. The legacy OS versions and custom form factors often make patching and hardening also challenging. With limited prevention based defense and no endpoint detection capabilities, the unmanaged endpoints represent a significant security risk to organizations.

Unmanaged devices include:

Contractor laptops that are connected to the enterprise on a temporary basis
Workstations and servers running legacy IT equipment, such as equipment in labs and test environments
Printers, cameras – IoT equipment that is connected to the enterprise
Servers running on OS versions that are not supported by endpoint security tools

Unmanaged endpoints are typically members of the AD domain. IT teams join these endpoints to the domain to enable IT policies to be applied and to allow administrators to login to the devices using domain credentials.

Attackers target identity stores from unmanaged endpoints

Attackers target unmanaged endpoints to gain unauthorized access to domain account credentials. These endpoints have no endpoint detection in place and are often running legacy operating system versions with known vulnerabilities that are exploited by attackers. Attackers can exploit these vulnerabilities to gain access to these endpoints.

Attackers take advantage of the lack of endpoint detection on the unmanaged endpoint to download and execute credential stealing malware that targets AD. This enables attackers to gain access to domain credentials, including privileged domain accounts such as domain admin accounts or important service accounts. Attackers leveraged the trusted credentials for lateral movement to critical systems and to obtain access to sensitive data, resulting in breaches with significant financial and reputational impact to the organization.

Organizations need a solution to stop breaches that originate from unmanaged endpoints.

Honeytokens to defend against identity-driven attacks from unmanaged endpoints

Deception technology is a proven approach for identity threat defense. Honey accounts are deceptive user accounts and service accounts added to the identity store, such as AD. Honey accounts are personalized for the AD domain and are made attractive for attackers to exploit.

Attackers that gain access to unmanaged endpoints and attempt to target identity stores to gain access to identities will find the honey accounts. Any usage of the honey account results in a high-fidelity threat detection. Defense teams are able to detect identity-driven attacks that originate from unmanaged endpoints.

Organizations gain the ability to stop identity-driven attacks that originate from unmanaged endpoints.

More information on honeytokens can be found at : /products/identity-protection/

Authors

Suril Desai

Suril is VP Engineering at Acalvio Technologies. Suril has led engineering for industry leading cybersecurity offerings. Suril has deep domain expertise in cybersecurity and holds multiple patents.