Attackers will always gravitate to the cheapest and most effective way to get into a network. According to the latest Verizon Data Breach Investigations Report, compromised credentials have been the top attacker methodology for two years in a row. Credentials let attackers move through the network undetected because most companies still have no way to detect their misuse, so the economics strongly favor the attacker.
UserInsight has always focused on detecting compromised credentials, but most people don't realize that it also detects credential theft earlier in the attack chain by spotting intruder tools. A good example is Mimikatz, an open-source tool that extracts credentials (plaintext passwords, password hashes and Kerberos tickets) from the memory of machines an attacker has already compromised. The attacker then uses those credentials to move laterally and to gain persistence on the network.
Detecting intruder tools on endpoints without the need for an agent
UserInsight's endpoint monitoring provides visibility into activity on endpoints without requiring the deployment of a software agent. Detecting intruder tools extends UserInsight's ability to detect attacks across an organization's ecosystem, from the endpoint to the cloud.
Once attackers have stolen credentials from the endpoint, they move laterally across networks and cloud services, collecting more and more credentials to gain access to other machines. UserInsight already detects the use of compromised credentials and lateral movement from the endpoint to the cloud. Detecting intruder tools increases the number of places UserInsight spots intruders in the attack chain, making it harder for them to remain undetected.
UserInsight detects intruder tools in two ways. First, it checks every process running on an endpoint against a list of 'known bad' executables. Second, because attackers often rename or repack their tools with anti-virus evasion techniques so that they no longer match any list, UserInsight also highlights processes that are rare or unique across the organization's endpoints; an obfuscated intruder tool typically shows up on only one or a handful of machines, which is exactly where it stands out.
Bringing the context of malware to compromised credentials, users, and assets
UserInsight has several other capabilities for investigating malware alerts. Through its integrations with third-party endpoint protection and advanced malware sandboxing solutions, such as FireEye NX Series and Palo Alto Wildfire, UserInsight consumes malware alerts and places them in the context of the affected user and of indicators of attack, such as compromised credentials and lateral movement, to accelerate investigations. In addition, UserInsight natively detects other known malware by comparing every running process in the organization against a database of known malicious software. It also alerts on attacks that use custom backdoors or malware obfuscated with anti-virus evasion techniques by detecting rare and unique processes on the network.
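The two mechanisms described in the previous sections (matching running processes against a known-bad list, and surfacing processes that are rare or unique across the fleet) are easy to reason about in code. The following is an added example written for this page, not UserInsight's own implementation: it runs both checks over a constructed process inventory from five hosts, using constructed hashes and a constructed known-bad list. The `Process`, `match_known_bad`, `rare_images` and `triage` names are all assumptions of the example.

```python
"""Added example (not UserInsight code): known-bad matching plus cross-host
process stacking over a constructed process inventory."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    host: str     # endpoint the process was observed on
    name: str     # image file name as seen on the endpoint, lower-cased
    sha256: str   # hash of the image on disk


# Constructed stand-ins for real SHA-256 digests.
H_SVCHOST, H_EXPLORER, H_LSASS = "11" * 32, "22" * 32, "33" * 32
H_MIMIKATZ = "aa" * 32   # an unmodified build of the credential dumper
H_PACKED = "bb" * 32     # the same tool repacked, so no list knows its hash

# Constructed known-bad list. Match on file name and on hash, because
# renaming a binary defeats one check and repacking it defeats the other.
KNOWN_BAD_NAMES = {"mimikatz.exe", "wce.exe"}
KNOWN_BAD_HASHES = {H_MIMIKATZ: "mimikatz (unmodified build)"}


def build_inventory():
    """Constructed inventory: five endpoints, three of them running something extra."""
    procs = []
    for host in ("h1", "h2", "h3", "h4", "h5"):
        procs += [Process(host, "svchost.exe", H_SVCHOST),
                  Process(host, "explorer.exe", H_EXPLORER),
                  Process(host, "lsass.exe", H_LSASS)]
    procs.append(Process("h3", "mimikatz.exe", H_MIMIKATZ))  # unmodified tool
    procs.append(Process("h4", "m.exe", H_MIMIKATZ))         # renamed only
    procs.append(Process("h5", "svchost.exe", H_PACKED))     # renamed and repacked
    return procs


INVENTORY = build_inventory()


def match_known_bad(procs):
    """First mechanism: flag processes whose name or hash is on the known-bad list."""
    return [p for p in procs
            if p.name in KNOWN_BAD_NAMES or p.sha256 in KNOWN_BAD_HASHES]


def rare_images(procs, max_hosts=1):
    """Second mechanism: stack distinct images across hosts and return those seen
    on at most max_hosts endpoints. Keyed on (name, hash) so a familiar name
    carrying an unexpected hash remains visible as its own rare image."""
    hosts_by_image = defaultdict(set)
    for p in procs:
        hosts_by_image[(p.name, p.sha256)].add(p.host)
    return {image: sorted(hosts) for image, hosts in hosts_by_image.items()
            if len(hosts) <= max_hosts}


def triage(procs, max_hosts=1):
    """Run both checks; an image already caught by the list is not repeated as rare."""
    known = match_known_bad(procs)
    known_images = {(p.name, p.sha256) for p in known}
    rare = {image: hosts for image, hosts in rare_images(procs, max_hosts).items()
            if image not in known_images}
    return {"known_bad": known, "rare_only": rare}


if __name__ == "__main__":
    result = triage(INVENTORY)
    for p in result["known_bad"]:
        print(f"known bad   {p.host}: {p.name} ({p.sha256[:8]})")
    for (name, sha), hosts in result["rare_only"].items():
        print(f"rare image  {','.join(hosts)}: {name} ({sha[:8]})")
```

Running it reports the unmodified and the merely renamed copies through the known-bad list (name match on h3, hash match on h4), while the renamed-and-repacked copy on h5 is invisible to the list and is surfaced only because its (name, hash) pair exists on a single host. On a real fleet the rarity threshold should scale with the number of endpoints, and one-off legitimate administrative tools will also land in the rare set, so the output is a triage queue rather than a verdict.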
To learn how UserInsight detects intruders from the endpoint to the cloud, schedule a guided demo with one of our specialists.