Directory Services Protector FAQ
Q: What is Directory Services Protector and what are its main capabilities?
Answer: Directory Services Protector (DSP) is the industry’s most comprehensive Active Directory threat detection and response platform. It provides the capabilities that organizations need to defend AD from today’s most sophisticated cyberattacks, as well as to recover quickly from everyday mistakes. Its core capabilities help you:
- Minimize the AD attack surface
- Identify exposures
- Harden defenses
- Protect sensitive accounts
- Detect advanced attacks
- Automate remediation
- Accelerate and orchestrate incident response
- Investigate forensic data
- Recover from catastrophes
Q: What AD indicators of exposure (IOEs) and indicators of compromise (IOCs) does DSP detect?
Answer: The Semperis Research Team continuously studies the ways cybercriminals are plotting to compromise organizations’ information systems — particularly by exploiting vulnerabilities in Active Directory. Leveraging the threat intelligence from our research team, Semperis is constantly updating the list of published security indicators available in DSP and Purple Knight.
Both solutions perform a comprehensive set of tests against the most common and effective attack vectors to uncover risky configurations and security weaknesses including:
- Account security
- AD delegation
- AD infrastructure security
- Group Policy security
- Kerberos security
For a complete list of indicators, click here [link to the latest].
Q: How does DSP help combat privilege escalation, lateral movement, and backdoor techniques?
Answer: DSP shines a spotlight on attackers moving laterally through your network unchecked. It uses multiple data sources, including the Active Directory replication stream, to gain uninterrupted visibility into advanced attacks that bypass agent-based or log-based detection. DSP allows you to close backdoors for good.
Q: What are DSP’s AD audit capabilities?
Answer: DSP continuously monitors for indicators of exposure (IOEs) based on built-in threat intelligence from a community of security researchers. It captures changes even if security logging is turned off, logs are deleted, agents are disabled or stop working, or changes are injected directly into AD. DSP supports Digital Forensics and Incident Response (DFIR) operations to track down the sources and details of incidents. It eliminates blind spots in your SIEM with out-of-the-box integration. Its powerful, built-in reporting capabilities provide insight into the operational, best-practice, compliance, and security aspects of your AD.
Q: Is DSP a point-in-time or continuous AD security audit tool?
Answer: DSP provides continuous security validation through automated monitoring of AD to combat security posture regression caused by configuration drift. Semperis Purple Knight is a point-in-time security assessment tool.
Q: How does DSP help me combat Golden Ticket attacks?
Answer: Golden Ticket attacks target Kerberos: an attacker who has obtained the password hash of the krbtgt account forges a logon ticket to escalate privileges and log in to any service as any user (including a privileged user). The best defense against these attacks comes down to monitoring AD for suspicious activity. DSP detects and responds dynamically to threats as they appear. It scans AD for indicators of exposure (including all those exploited in a Golden Ticket attack) and then prioritizes vulnerabilities according to their risk. DSP’s auto-remediation capability will roll back critical operational and security-related changes without requiring administrator involvement.
Q: How does DSP help me combat DCShadow attacks?
Answer: DCShadow attacks use the DCShadow functionality within the hacker tool Mimikatz. The attack first registers a rogue domain controller (DC) by modifying the Configuration partition of AD. The threat actor then makes malicious changes through that rogue DC. This bypasses traditional SIEM-based logging, because the rogue DC doesn’t report the changes; instead, the changes are injected directly into the replication stream of the production domain controllers. DSP helps combat DCShadow attacks by monitoring AD (in particular the replication stream) for malicious changes and DCShadow artifacts. DSP reveals what changes have occurred and provides the ability to roll back changes to a pre-attack state.
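As an added illustration of the rogue-DC registration step described above (example code written for this FAQ, not DSP’s own code), the following PowerShell compares the DC registrations in the Configuration partition against the DCs the forest’s domains actually report. It assumes the ActiveDirectory module is installed and the caller can read the Configuration partition; the function name is made up for this example.

```powershell
# Added example (not part of DSP): list DC registrations in the Configuration
# partition that no domain in the forest reports as a legitimate DC.
# Every nTDSDSA object under CN=Sites is a replication partner the forest
# accepts; its parent is the server object CN=<host>,CN=Servers,CN=<site>,...
Import-Module ActiveDirectory

function Get-UnexpectedDcRegistration {   # hypothetical name, defined here
    $forest   = Get-ADForest
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $sitesDn  = "CN=Sites,$configNC"

    # Known DCs across every domain in the forest (includes RODCs).
    $knownDcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            ForEach-Object { $_.Name.ToUpperInvariant() }
    }

    Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSDSA)' `
                 -Properties whenCreated |
        ForEach-Object {
            # Strip the leading RDN to get the parent server object's DN,
            # then take that object's CN as the registered host name.
            $serverDn   = ($_.DistinguishedName -split ',', 2)[1]
            $serverName = ((($serverDn -split ',')[0]) -replace '^CN=', '').ToUpperInvariant()
            if ($knownDcs -notcontains $serverName) {
                [pscustomobject]@{
                    Server     = $serverName
                    ServerDN   = $serverDn
                    Registered = $_.whenCreated
                }
            }
        }
}

Get-UnexpectedDcRegistration | Format-Table -AutoSize
```

A point-in-time query like this only catches a rogue registration that is still present when it runs; a DCShadow push that registers, replicates and unregisters within minutes is exactly the case that calls for continuous monitoring of the replication stream rather than periodic scans.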
Q: How many identities are secured through DSP?
Answer: Semperis solutions protect more than 40 million identities (and growing every day) serving government and Fortune 2000 enterprises, including the largest and most complex identity environments in the world across every major vertical. We’re talking about folks like Walmart, HCA, American Airlines, Geico, and Dell, just to share a few.
Q: Why would I need DSP if I already have a SIEM?
Answer: For AD-based attacks, the only unalterable data source is the AD replication stream, which happens to be outside the scope of any SIEM’s view. Additionally, most agent-based AD change auditing tools lack the deep visibility necessary to detect and thwart such attacks. The AD replication stream is the only reliable method of catching every change (pre-attack and during an attack) no matter how an attacker might attempt to cover their tracks. DSP integrates with any SIEM system that consumes syslog: DSP sends its change data over syslog. DSP can also send notifications if the SIEM can collect Windows event logs.
Q: What is DSP’s impact on my Active Directory?
Answer: DSP is non-intrusive and specifically architected to “play well” with AD. This unique approach captures changes without compromising AD stability.
Q: How complex an AD environment can DSP support?
Answer: DSP is purpose-built for AD and as such can support even the most complex AD environment including multi-organization and multi-forest deployments. Some of the largest and most complex ADs in existence rely on Semperis to help them spot directory vulnerabilities, intercept cyber-attacks in progress, and quickly recover from ransomware and other data integrity emergencies.
Q: How is DSP licensed?
Answer: DSP is licensed as an annual subscription based on the number of identities (heartbeats/AD accounts) that log into Active Directory. There is no charge for service accounts, admin accounts, test accounts, or inactive accounts.
Q: What type of AD privileges are required for DSP to find and respond to IOEs and IOCs?
Answer: DSP uses an unprivileged context when running security indicators for IOEs and IOCs. Notifications can also be used to detect IOCs. This process relies on the audit events collected by the DSP audit agents on domain controllers. Automatic undo of AD changes, such as removing rogue members from a privileged group, is done using the DSP agent, which runs in an elevated context on the domain controller.
Q: How does DSP map to security frameworks such as NIST, MITRE, and CIS?
Answer: DSP’s powerful capabilities satisfy many of the recommendations from leading security frameworks. The product currently includes built-in MITRE ATT&CK Framework reports that provide detailed analysis of your AD in relation to MITRE’s recommendations. Additional frameworks will be added in the very near future. In addition, customized reporting allows you to map DSP’s information to whatever framework you choose.
Q: What compliance frameworks does DSP support?
Answer: Keeping up with regulatory compliance is a critical but often complicated and expensive task, especially if you are strapped for security resources. DSP provides built-in compliance report templates for major regulations and frameworks to automate reporting, including:
Q: What advantages does DSP have over Quest Change Auditor?
Answer: Some differences between Quest Change Auditor and Semperis Directory Services Protector that should be considered include:
- Auto remediation: Change Auditor does not provide auto remediation. DSP allows you to automatically reverse malicious or unwanted changes without user intervention.
- Capture directory changes that bypass security auditing: Change Auditor collects change events on each DC using its own auditing agent, which means Change Auditor can miss changes if the Change Auditor agent is down. DSP defends against stealth attacks that circumvent event logging by capturing changes even if security logging is turned off, logs are deleted, agents are disabled or stop working, or changes are injected directly into AD.
- Respect AD (non-intrusive): Change Auditor uses LSASS “injection” in order to capture changes, and LSASS injection has proven to be a risky way to track AD changes that can crash AD servers. DSP is specifically architected to “play well” with AD: it leverages the AD replication API to capture AD changes.
- Usability/Object rollback: Change Auditor does not provide an object rollback capability. You need RMAD to undo the change. With DSP, from within a single view you can track all AD changes and rollback unwanted changes to individual attributes, group memberships, objects, and containers, without having to mount backups.
- Licensing: Change Auditor’s license count is based on user objects.
Q: Is there any redundancy between Advanced Audit in Microsoft 365 and DSP?
Answer: No. Advanced Audit in Microsoft 365 does not audit Windows Active Directory.