KuppingerCole Report
Executive View
By Mike Small


Cyber criminals regularly exploit vulnerabilities and poor practices around Microsoft Active Directory to obtain credentials that allow them to infiltrate organizational systems, cause damage and exfiltrate data. This report describes StealthINTERCEPT, the real-time policy enforcement, change and access monitoring and Active Directory security component of the STEALTHbits’ Data Access Governance Suite, that helps organizations to protect against these forms of cyber-attack.

1 Introduction

Attacks on IT systems have become a major risk to organizations: they can prevent access to critical data through ransomware or lead to penalties for the loss of regulated data. Cyber criminals regularly exploit vulnerabilities and poor practices around Microsoft Active Directory to obtain credentials that allow them to infiltrate organizational IT systems, cause damage and exfiltrate data. Protecting against this form of attack has become the top priority for cyber defence.

Traditional perimeter security devices like firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) are widely deployed. While these remain an essential part of the defence for the connected business, they are not able to detect a range of threats including the use of compromised credentials, insider threats, data exfiltration, access misuse and zero-day attacks. SIEM (Security Information and Event Management) is also promoted as a solution to these problems. To be effective, SIEM needs to incorporate access-related data. While SIEM is a core security technology, it has not been successful at providing actionable security intelligence in time to avert loss or damage.

External attacks now involve a complex process, sometimes with an insider element. There are several known vulnerabilities in Windows and Active Directory which, if not properly defended, can be used to gain administrative access to the Active Directory Domain Controllers. This enables the attacker to create fake user credentials that grant seemingly legitimate access to systems and data.

These include the Kerberos vulnerability for which the Python Kerberos Exploitation Kit (PyKEK) is readily available. This allows an attacker to take ownership of an Active Directory forest with only a user account and a connected Windows computer (and associated admin account). Another common attack is on the Windows LSASS (Local Security Authority Subsystem Service) to obtain and use credentials held in memory. Virtual Secure Mode with Credential Guard can protect against these in the latest versions of Windows 10 Enterprise and Windows Server 2016; however, not all organizations are using these.

Many organizations implement a forced password change policy, with rules for password complexity, where users must change their password regularly and cannot reuse previously used passwords. However, few implement the recommendations in NIST SP800-63B that require new passwords to be screened to prevent the use of those “obtained from previous breach corpuses”. Organizations need to take steps to protect against the reuse of breached credentials and should implement the recommendations in NIST SP800-63B.
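The SP800-63B screening step described above, as an added illustration that is not part of this report or of the STEALTHbits product: a candidate password is hashed and only a short hash prefix is used to query the breach corpus (the k-anonymity range-query pattern), and context-specific words are rejected as the standard also recommends. The corpus here is a constructed in-memory set, not a real breach feed.

```python
import hashlib

# Constructed sample "breach corpus": SHA-1 hashes of a few passwords of the kind
# that appear in public breach lists (hashed here, not taken from any real feed).
BREACHED_PASSWORDS = ["password", "Password1", "Winter2021!", "letmein"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in BREACHED_PASSWORDS}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_lookup(prefix):
    """Return the hash suffixes in the corpus that share a 5-character prefix.
    This mirrors a k-anonymity range query: only the prefix is sent to the
    corpus service, never the candidate password or its full hash."""
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}

def is_breached(password):
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])

def screen_password(password, min_length=8, context_words=()):
    """SP800-63B style screening: a length floor, rejection of passwords that
    contain context-specific words (user name, organization name), and a check
    against the breach corpus. Returns the list of rejection reasons; an empty
    list means the password is accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    lowered = password.lower()
    for word in context_words:
        if word.lower() in lowered:
            reasons.append(f"contains context word '{word}'")
    if is_breached(password):
        reasons.append("found in breach corpus")
    return reasons
```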

These threats make it essential that organizations use the strongest possible defences for their Microsoft AD (Active Directory) deployments. You must always assume that your AD is under attack and may already have been breached. Take active steps to remove known vulnerabilities, apply relevant patches and fully monitor configuration as well as activity. Monitor not only normal administrative actions but also operations like directory synchronization and automatically block suspicious activity as soon as it is detected.
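One concrete form of the monitoring recommended above, added here as an example and not code from the report or from STEALTHbits: directory replication is requested through a small set of well-known Active Directory control-access rights, audited as Windows Security Event ID 4662, so a replication request from any account other than a domain controller or a known synchronization service is worth alerting on. The flattened key=value event lines and the allowlist of expected replicating accounts are constructed for this example.

```python
import re

# Well-known Active Directory control-access-right GUIDs for replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allowlist: domain controllers and the directory synchronization
# service account. In production this would be derived from the directory.
EXPECTED_REPLICATORS = {"CORP\\DC01$", "CORP\\DC02$", "CORP\\svc_dirsync"}

# Constructed sample of Security log records flattened to key=value form.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=CORP\\DC02$ ObjectType=domainDNS Properties=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662 SubjectUserName=CORP\\jsmith ObjectType=domainDNS Properties=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662 SubjectUserName=CORP\\jsmith ObjectType=user Properties=00000000-0000-0000-0000-00000000abcd",
    "EventID=4624 SubjectUserName=CORP\\jsmith LogonType=3",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Parse one flattened event line into a dict of its key=value fields."""
    return dict(FIELD_RE.findall(line))

def replication_alerts(lines, expected=EXPECTED_REPLICATORS):
    """Return (account, [right names]) for every 4662 event in which an account
    outside the expected set requested a replication control-access right.
    Routine property reads and non-4662 events are ignored."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        requested = set(ev.get("Properties", "").lower().split(","))
        hits = requested & set(REPLICATION_RIGHTS)
        if hits and ev.get("SubjectUserName") not in expected:
            alerts.append((ev["SubjectUserName"],
                           sorted(REPLICATION_RIGHTS[g] for g in hits)))
    return alerts
```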

Cyber-threats to IT systems exploit any weaknesses in the critical technology that supports user identity, privilege and access rights. Therefore, this must be strongly protected as a top priority. It is important to look for solutions that suit the specific needs of your organization. Consider solutions that include managed services and pre-configured analytics, not just bare tools.

2 Product Description

STEALTHbits Technologies is a privately held software company with its head office in Hawthorne NJ in the USA. The company is focused on protecting o ...

Figure 1: StealthINTERCEPT Architecture (reproduced with permission from STEALTHbits)

StealthINTERCEPT Key features include:

  • Enterprise Password Enforcement – Most organizations have policies that govern the complexity of passwo ...

3 Strengths and Challenges

StealthINTERCEPT provides a powerful solution to detect and protect against cyber-threats that exploit weaknesses in Microsoft Active Directory, Micro ...



©2021 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.