Why UEBA, SIEM, EDR and PAM are Not Enough to Secure AD Today


Kenneth Teo, APJ Technical Director of Alsid

I bet your organization relies on reactive security solutions to protect against AD-targeted attacks.

Traditional cyber security is based on protecting the organization with solutions that primarily react to security incidents that have already happened. This approach, although straightforward to understand and easy to justify (who would not be immediately swayed by a salesperson pitching "we can detect attacks"?), is not effective.

I am sure the following scenario will be very relatable: after any cyberattack, the Board and executives swiftly approve an emergency budget to procure any product that promises to detect future attacks. This line of reasoning is understandable: the company became a victim because it was not aware of the attacks occurring within its perimeter. However, it does nothing towards the purpose of preventing future attacks.

While a solid reactive cyber-security defense strategy (file signatures, network behavior) that focuses on detecting attacks as they happen is important, such an approach on its own is insufficient to mitigate the threat. Attackers are quick to catch on and change their strategy, creating a game of cat and mouse in which the attacker keeps the advantage while the security team chases from a distance.

We have not exhausted all possible preventive measures; an effective defense can be built by combining reactive tools with, and investing in, proactive solutions. Instead of focusing on responding to an attack, focusing on how an attack could become possible and deploying preventive measures allows an organization to cut off the "attack path" that is ripe for exploitation.

By using this approach, we effectively empower organizations to:

  1. Shift the battlefield away from the network
  2. Shift the balance from chasing the attacker to anticipating what an attacker would do
  3. Starve attackers by proactively removing their "prey"

Detecting a Golden Ticket after it happens is useless. Get on the bandwagon of stopping it from happening.

Instead of treating the symptom, a Golden Ticket for example, it is much more effective to stop the "primary ingredients" from being made available to malicious actors than to detect an attack after it has happened.

Take the following Golden Ticket creation command, for example:

mimikatz # kerberos::golden /domain:Alsid.corp /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:johndoe

The only thing an attacker needs to create a Golden Ticket is the secret of the KRBTGT account, so why are we not "prescribing" controls that continuously ensure and monitor that this sensitive account is protected and that no backdoor is leeched onto it?
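The kind of continuous control the paragraph above asks for can be a plain read-only health check of the KRBTGT account. The script below is an added example written for this article; it is not code from the original post or from Alsid's product. It assumes a domain-joined administrative host with the RSAT ActiveDirectory module installed, and the rotation threshold ($maxAgeDays) and the baseline of principals that are expected to hold directory replication rights ($expected) are assumptions to be adjusted per forest. It reports two things: how old the KRBTGT secret is (a secret that never rotates keeps every previously dumped hash usable), and which principals hold the two replication extended rights on the domain head that allow the KRBTGT hash to be read remotely, so that an unexpected grant shows up as a "REVIEW" line.

```powershell
# Added example (not from the original article or Alsid's product): read-only
# KRBTGT health check. Requires the RSAT ActiveDirectory module; the threshold
# and the expected-principal baseline below are assumptions, not a standard.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$krbtgt = Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet, Enabled

# 1. Password age. While the KRBTGT secret stays the same, any ticket forged
#    from an old dump of it remains valid, so the age of the secret is the age
#    of every golden ticket that could exist. Rotate it on a fixed cadence
#    (twice in succession, because Kerberos also honours the previous key).
$maxAgeDays = 180   # assumed policy threshold
$ageDays    = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
$ageStatus  = if ($ageDays -gt $maxAgeDays) { 'REVIEW' } else { 'OK' }
[PSCustomObject]@{
    Check  = 'KRBTGT password age (days)'
    Value  = $ageDays
    Status = $ageStatus
}

# 2. Replication rights on the domain head. A principal holding both extended
#    rights below can request the KRBTGT hash from a DC through normal
#    replication traffic, so any holder outside the baseline is a backdoor
#    candidate that should be explained or removed.
$getChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$getChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
$nb = $domain.NetBIOSName
$expected = @(                                  # assumed baseline; adjust per forest
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$nb\Domain Controllers",
    "$nb\Enterprise Admins",
    "$nb\Domain Admins"
)

$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $getChanges -or $_.ObjectType -eq $getChangesAll)
    } |
    ForEach-Object {
        $who    = $_.IdentityReference.Value
        $status = if ($expected -contains $who) { 'OK' } else { 'REVIEW' }
        [PSCustomObject]@{
            Check  = "Replication right $($_.ObjectType)"
            Value  = $who
            Status = $status
        }
    }
```

Run it from a scheduled task under a low-privilege account that can read the directory, and alert only on "REVIEW" rows; the two checks need no agents or learning period, which is the point the article makes against purely reactive tooling.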

Anticipate Attacks

This emerging trend towards a proactive approach is not new; in healthcare there is the saying "prevention is better than cure". I believe this holds true in cybersecurity as well: prevention will always be less disruptive and more cost-efficient than responding to an attack incident.

UEBA (User and Entity Behavior Analytics) products such as Microsoft ATP, Varonis DSP or Forcepoint Insider Threat detect anomalous user behavior. This approach is not the most effective way to secure AD: you only learn about a dangerous new attack pathway leading to, for example, a Golden Ticket when the compromise is actually occurring, which is too late, since there is no time left to fix the pathway and stop the AD compromise. UEBA delays are also well known, because of the learning period its baseline requires.

Reactive detection tools such as SIEMs, UEBA and others, while very good at compliance reporting and attack detection, fail to stop attacks because the offensive operation has already been completed by the time the alert is triggered.
