Malicious attackers laterally move across the network to get to the critical systems and oftentimes leverage common protocols such as NTLM or tools like Mimikatz. Protecting your infrastructure by identifying weak spots is critical to stop an attacker in their tracks and contain the breach. With Preempt, you can continuously monitor the network and all other entities to identify and stop lateral movement, in real-time, before it impacts your organization.
Lateral movement is a type of attack used by sophisticated hackers to gain access to crown jewel applications and exfiltrate sensitive data. Lateral movement attacks, in general, progress slowly, yet systematically so as not to arouse suspicion – making it difficult to detect and react in time.
The attacker will move laterally and eventually try to compromise account credentials (human or service accounts) using a variety of techniques, such as social engineering, Pass the Hash (PtH), or Golden Ticket, or by using tools like Mimikatz, PsExec, WMI, and PowerShell.
Preempt finds deterministic signs of attacks inside the network, including lateral movement techniques such as Pass-the-Hash/Ticket attacks, Golden Tickets, and directory harvesting, without the need to collect logs, look back in time, and connect the dots.
Preempt can proactively detect and apply policies to common tools such as Mimikatz, PsExec, PowerShell, and more. With Preempt, you can also detect the use of NTLM, LDAP/S, and a wide variety of related relay attacks.
Attackers often rely on common administrator tools and protocols, or on weak protocols that can be abused. Preempt's proprietary security analytics and pattern recognition can spot unusual protocol misuse and triage it against risky-behavior detection to help organizations stop lateral movement.
With Preempt, you can continuously detect and prevent threats based on identity, behavior, and changing risks.
Preempt lets you take action early in a lateral movement attack without disrupting valid users. Trigger Conditional Access or step-up authentication using MFA, based on virtually any aspect of changing risk, to distinguish genuine user access from malicious activity.
You can choose from any number of other responses, such as forcing a password change or quarantining a device, based on the context.
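The following is an added example, not Preempt's code, illustrating the two ideas above: flagging weak-protocol use (NTLM) and admin-tool activity as risk signals, and mapping an evolving risk score to a graded response (allow, step-up MFA, or block and quarantine). It also escalates on lateral "fan-out", where one account reaches several off-baseline hosts in a row. The event fields, user baselines, weights, thresholds and sample events are all constructed for illustration and are not from the page or any real sensor.

```python
"""Risk-based step-up authentication over constructed authentication events.

Added example (not Preempt's code). Each authentication attempt is scored
against the user's baseline plus a few lateral-movement indicators; the score
is then mapped to an action. All names, weights and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

WEAK_PROTOCOLS = {"NTLM"}                                   # legacy auth worth challenging
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "powershell.exe"}  # common lateral-movement tooling
FANOUT_THRESHOLD = 3        # off-baseline targets reached before we escalate (assumed)


@dataclass(frozen=True)
class AuthEvent:
    user: str
    source_host: str
    target_host: str
    protocol: str           # e.g. "Kerberos", "NTLM", "LDAP" (constructed values)
    process: str = ""       # initiating process, if the sensor reports one


@dataclass
class Baseline:
    known_hosts: frozenset      # hosts the user normally logs on from
    typical_targets: frozenset  # services the user normally reaches
    is_admin: bool = False


@dataclass
class Decision:
    user: str
    target_host: str
    score: int
    action: str
    reasons: list


def score_event(ev, base, unusual_seen):
    """Return (score, reasons). unusual_seen is the set of off-baseline targets
    this user has reached so far in the batch; it is updated in place."""
    score, reasons = 0, []
    if ev.protocol.upper() in WEAK_PROTOCOLS:
        score += 30
        reasons.append(f"weak protocol {ev.protocol}")
    if ev.source_host not in base.known_hosts:
        score += 25
        reasons.append(f"unknown source host {ev.source_host}")
    if ev.target_host not in base.typical_targets:
        score += 20
        reasons.append(f"unusual target {ev.target_host}")
        unusual_seen.add(ev.target_host)
        if len(unusual_seen) >= FANOUT_THRESHOLD:   # one account spreading across hosts
            score += 30
            reasons.append(f"lateral fan-out to {len(unusual_seen)} new hosts")
    if ev.process.lower() in ADMIN_TOOLS:
        score += 15
        reasons.append(f"admin tool {ev.process}")
    if base.is_admin:
        score += 10
        reasons.append("privileged account")
    return score, reasons


def choose_action(score):
    """Graded response: low risk passes, medium risk gets MFA, high risk is contained."""
    if score >= 70:
        return "block_and_quarantine"
    if score >= 40:
        return "step_up_mfa"
    return "allow"


def evaluate(events, baselines):
    """Score a batch of events in order, tracking per-user fan-out across the batch."""
    unusual = defaultdict(set)
    decisions = []
    for ev in events:
        score, reasons = score_event(ev, baselines[ev.user], unusual[ev.user])
        decisions.append(Decision(ev.user, ev.target_host, score, choose_action(score), reasons))
    return decisions


# Constructed baselines and events for demonstration only.
BASELINES = {
    "alice": Baseline(frozenset({"ws-alice"}), frozenset({"fs01", "mail01"})),
    "bob": Baseline(frozenset({"ws-bob"}), frozenset({"dc01"}), is_admin=True),
}
SAMPLE_EVENTS = [
    AuthEvent("alice", "ws-alice", "fs01", "Kerberos"),                      # routine
    AuthEvent("alice", "ws-alice", "srv-db01", "NTLM"),                      # NTLM to a new host
    AuthEvent("alice", "ws-alice", "srv-db02", "Kerberos"),                  # second new host
    AuthEvent("alice", "ws-alice", "srv-db03", "Kerberos"),                  # third: fan-out
    AuthEvent("bob", "ws-unknown", "dc01", "NTLM", process="psexec.exe"),    # admin, new host, tool
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_EVENTS, BASELINES):
        print(f"{d.user:5} -> {d.target_host:8} score={d.score:3} "
              f"{d.action:20} {'; '.join(d.reasons)}")
```

The point of evaluating events in order is that the third off-baseline host alone scores low, but the fan-out counter pushes that event into the step-up tier, which is the behaviour you want when an account starts walking the network one host at a time.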