SlideShare a Scribd company logo

QOMPLX Cyber Identity Access Management

C
Chad Leschefsky

Q:CYBER - Taking MIT Kerberos, a stateless protocol, and making it stateful. Allowing QOMPLX to detect Golden and Silver Tickets, DCSync, and DCShadow without false positives in under 15 minutes. Protecting Microsoft Active Directory.

Software
1 of 2
Download to read offline
© QOMPLX INC. 2019 All rights reserved. Identity Assurance (IA): Detection and Intelligence IA Detection: Exclusive Capabilities Kerberos is a computer network authentication protocol employed across most enterprise networks and is the default authentication method for Microsoft Active Directory (AD) to enable authentication for enterprise services. As bad actors dig deeper into networks, Kerberos becomes a very attractive target for privilege escalation and achieving persistant, undetected access using methods such as Golden Ticket or Silver Ticket attacks (see Fig.2). As a stateless protocol, Kerberos transactions during the authentication process are not retained throughout or after the session, which makes it susceptible to known attacks that allow bad actors to forge Kerberos tickets or reuse stolen credentials to move laterally through the network undetected, escalating privileges until they obtain full control over files, servers, and services. This vulnerability is widely thought to have played a critical role in some of the most publicized hacks in history, including the OPM breach of 20151 (during which 4 million sensitive records were exposed), the DNC breach of 20162 (during which almost 20K sensitive emails were leaked), and the spread of BadRabbit ransomware in 20173 . Historically such exploits have been virtually impossible to detect without the focused efforts of experienced incident responders conducting manual forensic analysis. QOMPLX:CYBER™ takes an entirely innovative approach instead. By instrumenting critical endpoints such as Domain Controllers and servers with proprietary agents that enable passive, stateful validation of Kerberos traffic, Q:CYBER is the only application in the world to couple advanced data science methodologies with massively scalable analytics to detect ticket forgery attacks in near- real-time with no false positives—not by simply matching a signature but by maintaining a ledger of every Kerberos transaction on your network to validate every request for access to services. In addition to deterministic Golden and Silver Ticket attack detection, Q:CYBER also provides heuristic detection of other forms of credential compromise in which attackers re-use credentials on Active Directory. By leveraging machine learning algorithms and AI-driven analytics to correlate additional log and telemetry data including Windows Event Log, proxy/firewall services, and other data sources, Q:CYBER delivers a context-rich tapestry of user behavior over time for confident and timely detection of these other AD-based attacks as well: Fig.1 Attack Path: The path an attacker takes to penetrate networks is complex and spans multiple iterative phases. The attacker must penetrate your network perimeter, identify their target, and expand access to steal data from protected systems. Key to this process is a quiet method of escalating privileges to acquire access to the target. Fig. 2 Golden Ticket Attack: If a bad actor gains access to the Kerberos key distribution center (KDC) they can sub- sequently issue a Golden Ticket—a Ticket Granting Ticket which enables another account to issue tickets to all enter- prise services. If this occurs, attackers can move laterally across the network undetected, generating what appears to be legitimate traffic resulting from an apparently genuine authentication process. Attacker forges TGT and injects the ticket into memory Attacker presents forged TGT to the KDC to request a TGS ticket for the target service Since the TGT is encrypted with the KDC service account’s key material, the KDC issues a valid TGS ticket for the target service The attacker presents the valid TGS ticket to the target service Service allows attacker access to domain resources 1 2 3 4 5 Weaponization Delivery External Exploitation Installation Command & Control Actions on Objectives ATTACK PATH Legacy Cyber Kill Chain Internal Recon. Internal Exploitation Ent. Privilege Escalation Lateral Movement Target Manipulation Internal Kill Chain Internal Recon. Internal Exploitation Ent. Privilege Escalation Lateral Movement Target Manipulation Internal Kill Chain INTERNAL NETWORK LDAP Services, Network Infrastructure, Application Firewalls, Network Architectures BUSINESS APPLICATION Pll Persistence, Trade Secrets, Business Messaging Systems Target Exploitation Weaponization Installation Execution Internal Kill Chain Network Perimeter ƒƒ Pass-the-Hash ƒƒ Overpass-the-Hash ƒƒ Pass-the-Ticket ƒƒ Kerberoasting ƒƒ Skeleton Key ƒƒ DCShadow ƒƒ DCSync ƒƒ Ntds.dit Exfiltration 1 http://flashcritic.com/technical-forensics-of-opm-hack-reveal-pla-links- to-cyber-attacks-targeting-americans/ 2 https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic- national-committee/ 3 https://www.symantec.com/connect/blogs/badrabbit-new-strain- ransomware-hits-russia-and-ukraine By effectively transforming Kerberos from a stateless protocol to a stateful one, Q:CYBER has demonstrated the ability to deterministically detect over 80 different variations of Golden and Silver Ticket attacks in less than 5 minutes on average, without any false positives. Weaponization Delivery External Exploitation Installation Command & Control Actions on Objectives ATTACK PATH Legacy Cyber Kill Chain Internal Recon. Internal Exploitation Ent. Privilege Escalation Lateral Movement Target Manipulation Internal Kill Chain Internal Recon. Internal Exploitation Ent. Privilege Escalation Lateral Movement Target Manipulation Internal Kill Chain INTERNAL NETWO LDAP Services, Ne Application Firewa BUSINESS APPLICATION Pll Persistence, Trade Secrets, Business Messaging Systems Target Exploitation Weaponization Installation Execution Internal Kill Chain Ne Per
© QOMPLX INC. 2019 All rights reserved. 2 2 3 4 1 1 Endpoints Servers 4 3 Domain Controller Endpoints Servers Domain Controller IP Controller Gateway Router Network Monitoring Forest Trust Monitoring Active Directory Monitoring Client-Server Monitoring Credential Compromise & Lateral Movement Detections Network Monitoring Forest Trust Monitoring Active Directory Monitoring Client-Server Monitoring IDS/IPS/NSM Vendors Limited lateral movement detection QOMPLX:CYBER DCSync DCShadow NTDS.dit exfiltration QOMPLX:CYBER Bro Snort Suricata QOMPLX:CYBER Golden Ticket Pass-the-Hash Overpass-the-Hash Skeleton Key Kerberoasting Deterministic No False Positives Heuristic High Confidence (correlating network-wide data sources for contextual analysis) Heuristic Lower Confidence (limited to hardcoded signature analysis from fewer data sources) QOMPLX:CYBER Silver Ticket Pass-the-Ticket Advanced Threat Detection Vendors Golden Ticket Pass-the-Hash Overpass-the-Hash Skeleton Key Pass-the-Ticket Credential Compromise & Lateral Movement Detections Data Source Comparison IA Intelligence: Active Directory (AD) Monitoring Q:CYBER extracts and maps your entire AD environment in intuitive and interactive graphs, with ongoing analytics that assess risk across domains associated with hidden or complex interrelationships, risky configurations, critical changes, and behaviors such as privilege escalation. It provides ongoing metrics and reporting for the following: ƒƒ Account and group creation and membership including frequency of change ƒƒ Accounts in domain admin groups without password expiry ƒƒ Non-admin user abilities to add computers within a domain ƒƒ Enumeration of domain and forest trusts ƒƒ AD permissions graph analysis ƒƒ Domain KPIs and metrics ƒƒ krbtgt password reset times ƒƒ Null session enabled in DCs ƒƒ Stale accounts Approach IDS/IPS/NSM  Switchport mirroring Context-based Platform) Behavior Analytics/ Advanced Threat Detection  Domain Controllers  Endpoints  Domain Controllers  Servers  Endpoints  Switchport mirroring  Packet Capture PCAP Low Medium High  Windows Event Log  Sysmon  Kerberos  Osquery  Sysmon  Telemetry ConMon)  Windows Event Log  Bro, Snort, Suricata  Vulnerability Scans  Inventory Documents  Expert Feedback  Any other logs  DHCP  Netflow  DNS Data Sources Data Types Degree of Certainty

Recommended

Final ppt ecommerce
Final ppt ecommerceFinal ppt ecommerce
Final ppt ecommercepriyanka Garg
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresOliver Pfaff
 
PKI Industry growth in Bangladesh
PKI Industry growth in BangladeshPKI Industry growth in Bangladesh
PKI Industry growth in BangladeshBangladesh Network Operators Group
 
PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and ApplicationsSvetlin Nakov
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeDigiCert, Inc.
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key InfrastructureTheo Gravity
 
PKI by Tim Polk
PKI by Tim PolkPKI by Tim Polk
PKI by Tim PolkInformation Security Awareness Group
 
Pki for dummies
Pki for dummiesPki for dummies
Pki for dummiesAlex de Jong
 

Recommended

Final ppt ecommerce
Final ppt ecommerceFinal ppt ecommerce
Final ppt ecommercepriyanka Garg
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresOliver Pfaff
 
PKI Industry growth in Bangladesh
PKI Industry growth in BangladeshPKI Industry growth in Bangladesh
PKI Industry growth in BangladeshBangladesh Network Operators Group
 
PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and ApplicationsSvetlin Nakov
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeDigiCert, Inc.
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key InfrastructureTheo Gravity
 
PKI by Tim Polk
PKI by Tim PolkPKI by Tim Polk
PKI by Tim PolkInformation Security Awareness Group
 
Pki for dummies
Pki for dummiesPki for dummies
Pki for dummiesAlex de Jong
 
Marco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewMarco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewInformation Security Awareness Group
 
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"..."Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"...PROIDEA
 
Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Avirot Mitamura
 
Pki and OpenSSL
Pki and OpenSSLPki and OpenSSL
Pki and OpenSSLTony Fabeen
 
Ch12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key InfrastructureCh12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key InfrastructureInformation Technology
 
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDFDEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDFGokul Alex
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructurevimal kumar
 
www.ijerd.com
www.ijerd.comwww.ijerd.com
www.ijerd.comIJERD Editor
 
Digital signature(Cryptography)
Digital signature(Cryptography)Digital signature(Cryptography)
Digital signature(Cryptography)Soham Kansodaria
 
Identity based proxy-oriented data uploading and
Identity based proxy-oriented data uploading andIdentity based proxy-oriented data uploading and
Identity based proxy-oriented data uploading andKamal Spring
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI TechnologySylvain Maret
 
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...IJNSA Journal
 
Ppt
PptPpt
PptNidhi Bansal
 
Cryptography
CryptographyCryptography
CryptographyTanviGogri
 
Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructureAditya Nama
 
PKI by Gene Itkis
PKI by Gene ItkisPKI by Gene Itkis
PKI by Gene ItkisInformation Security Awareness Group
 
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...Editor IJMTER
 
Certification authority
Certification authorityCertification authority
Certification authorityproser tech
 
Blockchain Scalability - Architectures and Algorithms
Blockchain Scalability - Architectures and AlgorithmsBlockchain Scalability - Architectures and Algorithms
Blockchain Scalability - Architectures and AlgorithmsGokul Alex
 
CISSPills #1.02
CISSPills #1.02CISSPills #1.02
CISSPills #1.02Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
IJSRED-V2I1P29
IJSRED-V2I1P29IJSRED-V2I1P29
IJSRED-V2I1P29IJSRED
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat Security Conference
 

More Related Content

What's hot

"Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"..."Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"...PROIDEA
 
Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Avirot Mitamura
 
Ch12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key InfrastructureCh12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key InfrastructureInformation Technology
 
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDFDEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDFGokul Alex
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructurevimal kumar
 
Digital signature(Cryptography)
Digital signature(Cryptography)Digital signature(Cryptography)
Digital signature(Cryptography)Soham Kansodaria
 
Identity based proxy-oriented data uploading and
Identity based proxy-oriented data uploading andIdentity based proxy-oriented data uploading and
Identity based proxy-oriented data uploading andKamal Spring
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI TechnologySylvain Maret
 
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...IJNSA Journal
 
Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructureAditya Nama
 
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...Editor IJMTER
 
Certification authority
Certification authorityCertification authority
Certification authorityproser tech
 
Blockchain Scalability - Architectures and Algorithms
Blockchain Scalability - Architectures and AlgorithmsBlockchain Scalability - Architectures and Algorithms
Blockchain Scalability - Architectures and AlgorithmsGokul Alex
 

What's hot (20)

Marco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewMarco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overview
 
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"..."Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
 
Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)
 
Pki and OpenSSL
Pki and OpenSSLPki and OpenSSL
Pki and OpenSSL
 
Ch12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key InfrastructureCh12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key Infrastructure
 
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDFDEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructure
 
www.ijerd.com
www.ijerd.comwww.ijerd.com
www.ijerd.com
 
Digital signature(Cryptography)
Digital signature(Cryptography)Digital signature(Cryptography)
Digital signature(Cryptography)
 
Identity based proxy-oriented data uploading and
Identity based proxy-oriented data uploading andIdentity based proxy-oriented data uploading and
Identity based proxy-oriented data uploading and
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI Technology
 
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORD...
 
Ppt
PptPpt
Ppt
 
Cryptography
CryptographyCryptography
Cryptography
 
Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructure
 
PKI by Gene Itkis
PKI by Gene ItkisPKI by Gene Itkis
PKI by Gene Itkis
 
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...
 
Certification authority
Certification authorityCertification authority
Certification authority
 
Blockchain Scalability - Architectures and Algorithms
Blockchain Scalability - Architectures and AlgorithmsBlockchain Scalability - Architectures and Algorithms
Blockchain Scalability - Architectures and Algorithms
 
CISSPills #1.02
CISSPills #1.02CISSPills #1.02
CISSPills #1.02
 

Similar to QOMPLX Cyber Identity Access Management

IJSRED-V2I1P29
IJSRED-V2I1P29IJSRED-V2I1P29
IJSRED-V2I1P29IJSRED
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat Security Conference
 
Blockchain for CyberSecurity | Blockchain and CyberSecurity
Blockchain for CyberSecurity | Blockchain and CyberSecurityBlockchain for CyberSecurity | Blockchain and CyberSecurity
Blockchain for CyberSecurity | Blockchain and CyberSecurityferiuyolasyolas
 
Optimized Intrusion Detection System using Deep Learning Algorithm
Optimized Intrusion Detection System using Deep Learning AlgorithmOptimized Intrusion Detection System using Deep Learning Algorithm
Optimized Intrusion Detection System using Deep Learning Algorithmijtsrd
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Modern Cyber Threat Protection techniques for Enterprises
Modern Cyber Threat Protection techniques for EnterprisesModern Cyber Threat Protection techniques for Enterprises
Modern Cyber Threat Protection techniques for EnterprisesAbhinav Biswas
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics Robb Boyd
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsIRJET Journal
 
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ..."Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...PROIDEA
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington
 
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...JamieWilliams130
 
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...IRJET Journal
 
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014Andris Soroka
 
Presentation data security solutions certified ibm business partner for ibm...
Presentation data security solutions certified ibm business partner for ibm...Presentation data security solutions certified ibm business partner for ibm...
Presentation data security solutions certified ibm business partner for ibm...xKinAnx
 
Ericas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-GuideEricas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-GuideErica StJohn
 

Similar to QOMPLX Cyber Identity Access Management (20)

IJSRED-V2I1P29
IJSRED-V2I1P29IJSRED-V2I1P29
IJSRED-V2I1P29
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
 
Blockchain for CyberSecurity | Blockchain and CyberSecurity
Blockchain for CyberSecurity | Blockchain and CyberSecurityBlockchain for CyberSecurity | Blockchain and CyberSecurity
Blockchain for CyberSecurity | Blockchain and CyberSecurity
 
Optimized Intrusion Detection System using Deep Learning Algorithm
Optimized Intrusion Detection System using Deep Learning AlgorithmOptimized Intrusion Detection System using Deep Learning Algorithm
Optimized Intrusion Detection System using Deep Learning Algorithm
 
App Authentication
App AuthenticationApp Authentication
App Authentication
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
RAZORPOINT SECURITY GLOSSARY
RAZORPOINT SECURITY GLOSSARYRAZORPOINT SECURITY GLOSSARY
RAZORPOINT SECURITY GLOSSARY
 
Modern Cyber Threat Protection techniques for Enterprises
Modern Cyber Threat Protection techniques for EnterprisesModern Cyber Threat Protection techniques for Enterprises
Modern Cyber Threat Protection techniques for Enterprises
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics
 
Ips and its types
Ips and its typesIps and its types
Ips and its types
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed Systems
 
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ..."Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
Security and-visibility
Security and-visibilitySecurity and-visibility
Security and-visibility
 
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
 
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...
 
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
 
Presentation data security solutions certified ibm business partner for ibm...
Presentation data security solutions certified ibm business partner for ibm...Presentation data security solutions certified ibm business partner for ibm...
Presentation data security solutions certified ibm business partner for ibm...
 
Ericas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-GuideEricas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-Guide
 

Recently uploaded

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxAnnaArtyushina1
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2
 
WSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2
 
WSO2Con2024 - Unleashing the Financial Potential of 13 Million People
WSO2Con2024 - Unleashing the Financial Potential of 13 Million PeopleWSO2Con2024 - Unleashing the Financial Potential of 13 Million People
WSO2Con2024 - Unleashing the Financial Potential of 13 Million PeopleWSO2
 
WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next IntegrationWSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next IntegrationWSO2
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2
 
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...WSO2
 
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...WSO2
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in sowetomasabamasaba
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2
 
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2
 
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAMWSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAMWSO2
 
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2
 

Recently uploaded (20)

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
WSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration Tooling
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - Keynote
 
WSO2Con2024 - Unleashing the Financial Potential of 13 Million People
WSO2Con2024 - Unleashing the Financial Potential of 13 Million PeopleWSO2Con2024 - Unleashing the Financial Potential of 13 Million People
WSO2Con2024 - Unleashing the Financial Potential of 13 Million People
 
WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next IntegrationWSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
 
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
 
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
 
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAMWSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
 
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
 

QOMPLX Cyber Identity Access Management

  • 1. © QOMPLX INC. 2019 All rights reserved. Identity Assurance (IA): Detection and Intelligence IA Detection: Exclusive Capabilities Kerberos is a computer network authentication protocol employed across most enterprise networks and is the default authentication method for Microsoft Active Directory (AD) to enable authentication for enterprise services. As bad actors dig deeper into networks, Kerberos becomes a very attractive target for privilege escalation and achieving persistant, undetected access using methods such as Golden Ticket or Silver Ticket attacks (see Fig.2). As a stateless protocol, Kerberos transactions during the authentication process are not retained throughout or after the session, which makes it susceptible to known attacks that allow bad actors to forge Kerberos tickets or reuse stolen credentials to move laterally through the network undetected, escalating privileges until they obtain full control over files, servers, and services. This vulnerability is widely thought to have played a critical role in some of the most publicized hacks in history, including the OPM breach of 20151 (during which 4 million sensitive records were exposed), the DNC breach of 20162 (during which almost 20K sensitive emails were leaked), and the spread of BadRabbit ransomware in 20173 . Historically such exploits have been virtually impossible to detect without the focused efforts of experienced incident responders conducting manual forensic analysis. QOMPLX:CYBER™ takes an entirely innovative approach instead. By instrumenting critical endpoints such as Domain Controllers and servers with proprietary agents that enable passive, stateful validation of Kerberos traffic, Q:CYBER is the only application in the world to couple advanced data science methodologies with massively scalable analytics to detect ticket forgery attacks in near- real-time with no false positives—not by simply matching a signature but by maintaining a ledger of every Kerberos transaction on your network to validate every request for access to services. In addition to deterministic Golden and Silver Ticket attack detection, Q:CYBER also provides heuristic detection of other forms of credential compromise in which attackers re-use credentials on Active Directory. By leveraging machine learning algorithms and AI-driven analytics to correlate additional log and telemetry data including Windows Event Log, proxy/firewall services, and other data sources, Q:CYBER delivers a context-rich tapestry of user behavior over time for confident and timely detection of these other AD-based attacks as well: Fig.1 Attack Path: The path an attacker takes to penetrate networks is complex and spans multiple iterative phases. The attacker must penetrate your network perimeter, identify their target, and expand access to steal data from protected systems. Key to this process is a quiet method of escalating privileges to acquire access to the target. Fig. 2 Golden Ticket Attack: If a bad actor gains access to the Kerberos key distribution center (KDC) they can sub- sequently issue a Golden Ticket—a Ticket Granting Ticket which enables another account to issue tickets to all enter- prise services. If this occurs, attackers can move laterally across the network undetected, generating what appears to be legitimate traffic resulting from an apparently genuine authentication process. Attacker forges TGT and injects the ticket into memory Attacker presents forged TGT to the KDC to request a TGS ticket for the target service Since the TGT is encrypted with the KDC service account’s key material, the KDC issues a valid TGS ticket for the target service The attacker presents the valid TGS ticket to the target service Service allows attacker access to domain resources 1 2 3 4 5 Weaponization Delivery External Exploitation Installation Command & Control Actions on Objectives ATTACK PATH Legacy Cyber Kill Chain Internal Recon. Internal Exploitation Ent. Privilege Escalation Lateral Movement Target Manipulation Internal Kill Chain Internal Recon. Internal Exploitation Ent. Privilege Escalation Lateral Movement Target Manipulation Internal Kill Chain INTERNAL NETWORK LDAP Services, Network Infrastructure, Application Firewalls, Network Architectures BUSINESS APPLICATION Pll Persistence, Trade Secrets, Business Messaging Systems Target Exploitation Weaponization Installation Execution Internal Kill Chain Network Perimeter ƒƒ Pass-the-Hash ƒƒ Overpass-the-Hash ƒƒ Pass-the-Ticket ƒƒ Kerberoasting ƒƒ Skeleton Key ƒƒ DCShadow ƒƒ DCSync ƒƒ Ntds.dit Exfiltration 1 http://flashcritic.com/technical-forensics-of-opm-hack-reveal-pla-links- to-cyber-attacks-targeting-americans/ 2 https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic- national-committee/ 3 https://www.symantec.com/connect/blogs/badrabbit-new-strain- ransomware-hits-russia-and-ukraine By effectively transforming Kerberos from a stateless protocol to a stateful one, Q:CYBER has demonstrated the ability to deterministically detect over 80 different variations of Golden and Silver Ticket attacks in less than 5 minutes on average, without any false positives. Weaponization Delivery External Exploitation Installation Command & Control Actions on Objectives ATTACK PATH Legacy Cyber Kill Chain Internal Recon. Internal Exploitation Ent. Privilege Escalation Lateral Movement Target Manipulation Internal Kill Chain Internal Recon. Internal Exploitation Ent. Privilege Escalation Lateral Movement Target Manipulation Internal Kill Chain INTERNAL NETWO LDAP Services, Ne Application Firewa BUSINESS APPLICATION Pll Persistence, Trade Secrets, Business Messaging Systems Target Exploitation Weaponization Installation Execution Internal Kill Chain Ne Per
  • 2. © QOMPLX INC. 2019 All rights reserved. 2 2 3 4 1 1 Endpoints Servers 4 3 Domain Controller Endpoints Servers Domain Controller IP Controller Gateway Router Network Monitoring Forest Trust Monitoring Active Directory Monitoring Client-Server Monitoring Credential Compromise & Lateral Movement Detections Network Monitoring Forest Trust Monitoring Active Directory Monitoring Client-Server Monitoring IDS/IPS/NSM Vendors Limited lateral movement detection QOMPLX:CYBER DCSync DCShadow NTDS.dit exfiltration QOMPLX:CYBER Bro Snort Suricata QOMPLX:CYBER Golden Ticket Pass-the-Hash Overpass-the-Hash Skeleton Key Kerberoasting Deterministic No False Positives Heuristic High Confidence (correlating network-wide data sources for contextual analysis) Heuristic Lower Confidence (limited to hardcoded signature analysis from fewer data sources) QOMPLX:CYBER Silver Ticket Pass-the-Ticket Advanced Threat Detection Vendors Golden Ticket Pass-the-Hash Overpass-the-Hash Skeleton Key Pass-the-Ticket Credential Compromise & Lateral Movement Detections Data Source Comparison IA Intelligence: Active Directory (AD) Monitoring Q:CYBER extracts and maps your entire AD environment in intuitive and interactive graphs, with ongoing analytics that assess risk across domains associated with hidden or complex interrelationships, risky configurations, critical changes, and behaviors such as privilege escalation. It provides ongoing metrics and reporting for the following: ƒƒ Account and group creation and membership including frequency of change ƒƒ Accounts in domain admin groups without password expiry ƒƒ Non-admin user abilities to add computers within a domain ƒƒ Enumeration of domain and forest trusts ƒƒ AD permissions graph analysis ƒƒ Domain KPIs and metrics ƒƒ krbtgt password reset times ƒƒ Null session enabled in DCs ƒƒ Stale accounts Approach IDS/IPS/NSM  Switchport mirroring Context-based Platform) Behavior Analytics/ Advanced Threat Detection  Domain Controllers  Endpoints  Domain Controllers  Servers  Endpoints  Switchport mirroring  Packet Capture PCAP Low Medium High  Windows Event Log  Sysmon  Kerberos  Osquery  Sysmon  Telemetry ConMon)  Windows Event Log  Bro, Snort, Suricata  Vulnerability Scans  Inventory Documents  Expert Feedback  Any other logs  DHCP  Netflow  DNS Data Sources Data Types Degree of Certainty