How Semperis Is Helping Detect 'Low And Slow' Cyberattacks And Why It's Targeting The Midmarket

Semperis' VP of products, Darren Mar-Elia, breaks down how ML helps with identity-based security and why the new offering is a fit for midmarket organizations' cyber resilience strategies

Semperis recently announced the release of its new identity threat detection and response (ITDR) solution that uses machine learning models: Lightning Identity Runtime Protection (IRP).

The Hoboken, New Jersey-based company specializes in protection against identity attacks. These attacks include methods like password spraying, credential stuffing and other brute force tactics that can allow a bad actor to co-opt the identity of a user in an organization, and then make lateral moves in that organization's network to escalate privileges and wreak havoc. Identity attacks are common ways attackers set the stage for ransomware and other malicious activity.

MES Computing spoke with Semperis' VP of products, Darren Mar-Elia, about the ML behind the Lightning IRP platform and how it can help midmarket organizations shore up their cyber resiliency.

Tell us about the Lightning IRP and the machine learning behind it.

We've been in this game for a while now doing identity-based threat detection and response. We've been focused on Active Directory and Microsoft Entra [formerly Microsoft Azure Active Directory]. The way we've done threat detection is through a variety of mechanisms, but a lot of it relates to direct changes or activities, malicious or otherwise happening to the directory service.

However, we know there are also other types of attacks that are going on out there, what I'll call 'low and slow' types of attacks where attackers are trying to be stealthy about performing activities that eventually lead to some kind of privilege escalation.

So, the goal of this new Lightning IRP platform is to be able to detect those types of attacks -- what I'll call pattern-based attacks. What we're doing is collecting a lot of activity data related to what users are doing in the identity system in Active Directory and applying machine learning models against it to look for patterns of suspicious activity.

And in the case of, for example, a password spray attack or a Kerberos-style attack, we can detect when those attack patterns are being performed by an attacker, by somebody that's trying to gain access to the environment.

Let's talk a little bit about the new Lightning IRP -- it's machine-learning based. What models is this feature being trained off?

Our chief data scientist, Igor Baikalov, who has a long history in machine learning related to cybersecurity, develops the models.

We are collecting logon and service request events from Active Directory, and then running those models through, or basically training those models on, that data. It can take a few days to train the model to have it sort of recognize patterns. In some cases it's a lot quicker than that. But essentially, that's the data that we're training it on -- the login and service request data that's going on in the customer's environment.

So, you have that going on for every single customer and it's all siloed?

Yeah, in fact, this solution doesn't run in the cloud, it runs on-prem. There is no sharing of data between customers.

You mentioned the company focuses on Microsoft identity technology. Do you work with other identity systems like Okta or Auth0?

We released a version of our free Purple Knight tool a while back with support for Okta. So yes, we are looking at and looking for opportunities to add other identity systems as customers prioritize those for us.

[Image: Darren Mar-Elia, Semperis VP of Products]

How do identity attacks differ from other forms of cyberattacks?

It's part of the larger ecosystem of other threats. So, the thing that's unique about identity is if an attacker compromises identity, and an identity system, then they have access to everything.

If I'm an attacker that lands on a workstation and I phish the user and I gain access to their workstation, then my scope of control is fairly limited unless there's some really bad hygiene going on in that network.

But if I can then move laterally to a position where I have privileged access to the identity system, meaning that I can get access to all users' password material or password hash material, or I can make changes to the identity system that allows me to distribute malware, then all bets are off.

The identity system tends to be the main goal of compromise for an attacker once they get onto a network. And that is because it is, as we call it, the keys to the kingdom; it is the backbone of most organizations' systems and applications.

How much do you see of these malware attacks that are identity-based versus let's say, ransomware?

I can say confidently that pretty much every ransomware attack starts small and moves to the identity system, because what that does is it allows them to spread. And that's the goal, right? The goal is not to encrypt one workstation, the goal is to encrypt the entire network. And in order to do that, you need privileges to be able to get to the entire network. And those privileges are held in the identity system.

That is a more common scenario than you would imagine: most attackers, once they land, are looking to do reconnaissance of the identity system, steal credentials of key identities, and then use that access to install and spread the malware or do exfiltration of data.

Once Semperis detects that type of intrusion, how does it alert the IT department and what are the remediation steps?

There are a number of things that you can do; it depends on the attack, of course.

Let's say we detected a user account that has been compromised and the system is performing a password spray: we're certainly going to send an alert. We can send an alert either to them locally, or through their SIEM [security information and event management] system using standard protocols like syslog. But then we can also remediate that automatically. We can say, I see this compromised user, it doesn't look like they should be doing this, so I'm going to go ahead and disable their user account.

Or I might be able to do any number of other activities against the account: prevent them from logging into other systems. There's a bunch of different responses. We have a kind of a response playbook that we can put together for customers and allow them to choose what kind of response they want to do. But the bottom line is, once I know that there's an attacker doing something, I can essentially disable their ability to go forward and do that again.

Is this a solution for midmarket organizations?

Absolutely. We have a lot of midmarket customers. Frankly, what you find with the larger enterprise customers is they often have a lot of resources to throw against these problems: full cybersecurity teams with expertise around identity security.

And in the midmarket, that's not always the case. We find ourselves more often than not being in the position of a kind of trusted adviser. A lot of what we've tried to do is bake our knowledge, expertise and history with Active Directory, and now Entra, into the products so that the products are not only monitoring and alerting, but also educating on what the best practices are for keeping the identity systems safe.

I think for [midmarket customers] it proves to be a nice point of leverage without having to be identity security experts. I've been in medium enterprise organizations myself as a technical person. You're always wearing multiple hats. You don't always have to be an expert in everything.

Can IT professionals go directly to Semperis if they are interested in the platform, or do they go through the channel?

We support both. We certainly have a rich channel network that folks can use, and we work with our partners closely to make sure they're up to speed on our products and they understand them. But we're also here, frankly, for our customers: if they were to get into a situation [with] Active Directory [and] ransomware and had to recover it, we have a disaster recovery solution for Active Directory.

We also have an incident response team that's experienced and targeted at Active Directory disaster recovery, as well as breach preparedness. So, whether it's going through one of our partners or getting help from us directly -- it depends on the situation of the customer, but we can accommodate both.

Editor's note: This article has been updated to correct the name of Semperis' tool to Purple Knight.