Detecting an in-progress cyberattack is an essential component of any security strategy. But it is getting harder to spot attackers who gain access to information systems through gaps in the identity system and then move stealthily through the environment, often undetected for weeks or months, before dropping malware. To detect identity system attacks, many companies rely on domain controller (DC) event log consolidation and SIEM solutions. But some attack techniques leave no evidence of malicious activity in those logs.
In this session, Tal Sarid will walk through some attack techniques that bypass traditional monitoring solutions.
You’ll come away with guidelines for guarding against cyberattacks that leave no trace:
- How common attack techniques that bypass logging work, including DCShadow, Group Policy changes (as used by Ryuk ransomware), and Zerologon attacks
- How to proactively protect your Active Directory against leave-no-trace attacks by focusing on DC replication traffic to detect changes within Group Policy and changes to specific objects
- How to roll back malicious changes to AD
- How to accelerate your response once malicious changes are detected, using focused forensic analysis
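The second point above, watching what replication carries rather than what the event logs say, can be approximated on a schedule with the replication metadata that every DC keeps per attribute. The following PowerShell is an added example, not code from the session or its presenter: it audits a few sensitive objects (the domain head, AdminSDHolder and the two default GPOs) and flags any attribute whose last originating write came from a DSA that is not a currently registered domain controller, which is the footprint a DCShadow push leaves once the rogue DC deregisters, plus any change inside a recent time window. The function name, the default object list and the 24-hour window are assumptions; the cmdlets are from the RSAT ActiveDirectory module.

```powershell
# Added example (not from the session abstract): point-in-time audit of AD
# replication metadata on sensitive objects. Assumes the RSAT ActiveDirectory
# module, read access to replication metadata, and that the object list and
# time window are tuned for your environment.
Import-Module ActiveDirectory

function Find-SuspiciousReplicationMetadata {
    param(
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [timespan]$Window = (New-TimeSpan -Hours 24),
        [string[]]$Objects
    )

    $domainDn = (Get-ADDomain -Server $Server).DistinguishedName
    if (-not $Objects) {
        $Objects = @(
            $domainDn,
            "CN=AdminSDHolder,CN=System,$domainDn",
            # Default Domain Policy and Default Domain Controllers Policy (well-known GUIDs)
            "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,$domainDn",
            "CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,$domainDn"
        )
    }

    # Legitimate originating writes come from DCs that are still registered:
    # collect their NTDS Settings DNs and invocation IDs as the allow-list.
    $knownDsa = @{}
    foreach ($d in (Get-ADDomainController -Filter * -Server $Server)) {
        $knownDsa[$d.NTDSSettingsObjectDN] = $d.HostName
        $knownDsa[[string]$d.InvocationId]  = $d.HostName
    }

    $cutoff = (Get-Date).Subtract($Window)
    foreach ($dn in $Objects) {
        $meta = Get-ADReplicationAttributeMetadata -Object $dn -Server $Server -ShowAllLinkedValues
        foreach ($m in $meta) {
            $origin   = [string]$m.LastOriginatingChangeDirectoryServerIdentity
            $originId = [string]$m.LastOriginatingChangeDirectoryServerInvocationId
            # A deregistered (DCShadow) DSA resolves to neither a known DN nor a known invocation ID.
            $unknown  = -not ($knownDsa.ContainsKey($origin) -or $knownDsa.ContainsKey($originId))
            $recent   = $m.LastOriginatingChangeTime -gt $cutoff
            if (-not ($unknown -or $recent)) { continue }

            $reason = if ($unknown) { 'originating DSA is not a registered DC' } else { 'changed within window' }
            [pscustomobject]@{
                Object        = $dn
                Attribute     = $m.AttributeName
                Version       = $m.Version
                ChangedAt     = $m.LastOriginatingChangeTime
                OriginDsa     = $origin
                OriginInvocId = $originId
                Reason        = $reason
            }
        }
    }
}

# Report changes from the last 7 days, or from any DSA that is no longer a DC.
Find-SuspiciousReplicationMetadata -Window (New-TimeSpan -Days 7) |
    Sort-Object ChangedAt -Descending | Format-Table -AutoSize
```

Two caveats. A DCShadow push can set the originating metadata it wants, so an empty report is not proof of absence; the check catches the common tooling, not a careful adversary. And it is a periodic audit of the result of replication, not the continuous inspection of replication traffic the session describes, so it tells you a change happened and where it claimed to come from, not what the rest of the object looked like before, which is what the rollback step needs.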