...
For now, let's dig into some of what abnormal access looks like to the admin.
...
Identity data accesses are very cut and dried: if the admins don’t recognize a program, it shouldn’t be accessing that data! An unrecognized program immediately stands out as a sign that something suspicious is going on.
What does the attacker see on the flip side of this? Plaintext!
...
These responses are unlike the responses to traditional data extortion events, so they are not automated suspension actions. Instead, they are more like process injections, where Cyber Crucible did not stand in the way. As our analytics have grown, we have learned what “normal” access to identity stores looks like for various types of applications. By 2023 we will enable our protection feature, which will restrict access, at the kernel level, to various forms of identity databases and only allow the associated software to access them.
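The rule described above (only the associated software should touch an identity store) can be sketched as a user-space detection check. This is an added example, not Cyber Crucible's code: the store path patterns, the allowlist of associated executables, and the sample events are all assumptions constructed for illustration.

```python
import fnmatch
import ntpath

# Assumed mapping: identity-store path pattern -> executables expected to open it.
# The patterns follow common default browser profile locations; the allowlist is
# illustrative and would come from the admin's own baseline of "normal" access.
IDENTITY_STORES = {
    r"*\google\chrome\user data\*\login data": {"chrome.exe"},
    r"*\microsoft\edge\user data\*\login data": {"msedge.exe"},
    r"*\mozilla\firefox\profiles\*\logins.json": {"firefox.exe"},
    r"*\mozilla\firefox\profiles\*\key4.db": {"firefox.exe"},
}

# Constructed sample file-open events: (process image path, target file).
SAMPLE_EVENTS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\key4.db"),
    (r"C:\Users\alice\Downloads\chrome.exe",
     r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (r"C:\Windows\System32\notepad.exe",
     r"C:\Users\alice\Documents\notes.txt"),
]

def match_store(target):
    """Return the pattern of the identity store that target belongs to, or None."""
    lowered = target.lower()
    for pattern in IDENTITY_STORES:
        if fnmatch.fnmatchcase(lowered, pattern):
            return pattern
    return None

def abnormal_accesses(events):
    """Return (image, target) pairs where an unassociated program opened a store."""
    flagged = []
    for image, target in events:
        pattern = match_store(target)
        if pattern is None:
            continue  # target is not identity data
        # Name-only matching is a simplification: a renamed binary would pass.
        exe = ntpath.basename(image).lower()
        if exe not in IDENTITY_STORES[pattern]:
            flagged.append((image, target))
    return flagged
```

On the constructed events, `abnormal_accesses(SAMPLE_EVENTS)` flags the temp-directory `updater.exe` and the `chrome.exe` that opens Edge's store. A production check would bind the allowlist to the signer or full image path rather than the file name.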
...