Identity-First Incident Response
The missing piece in your IR toolkit is now available: accelerate your incident response in Active Directory (AD) environments under attack with Silverfort’s identity-first incident response. Automatically detect and isolate compromised users, block attack spread in real time and rapidly remove malicious activity.
Block attack spread with a single click
Instantly isolate malicious presence by applying MFA and access block policies on all users and resources, bringing lateral movement and ransomware spread to a halt, with no need for prior investigation.
Streamline detection of compromised users
Monitor for violations of MFA or block access policies that force compromised accounts to reveal their presence, enabling timely mitigation steps.
Deploy rapidly when time matters most
Gain these capabilities within hours by installing the Silverfort platform and get the IR process running as quickly as possible – even in complex multi-domain environments with hundreds of DCs.
Step #1: Bring the attack's spread to an immediate halt
- Leverage the combined power of MFA and identity-based segmentation in an AD environment to stop an attack in its tracks, regardless of lateral movement TTPs or specific tools (PsExec, PowerShell, Impacket, etc.).
- Eliminate the need for lengthy investigations with ready-made policies that block malicious access, even before compromised accounts are identified.
- Adjust the level of lockdown based on the attack’s severity. Apply access policies either across the entire environment or only to specific segments where malicious activity is suspected.
Step #2: Identify compromised accounts easily and efficiently
- Quickly discover compromised accounts that reveal their presence through denied MFA attempts and blocked access, both of which are clear indicators that an attacker is attempting to spread within the environment.
- Leverage Silverfort’s detailed audit trail to trace how attackers use compromised accounts to move laterally across the network, from the machine where they were first detected back to patient zero. Block the point of entry and eradicate the attacker.
- Focus your forensic efforts on the endpoint where compromised users were logged in, to collect attack artifacts and identify suspicious network connections.
Step #3: Gradual recovery and attack surface reduction
- Gradually restore user access after confirming the removal of malicious activity, while maintaining critical security measures such as MFA and continuous monitoring of previously compromised accounts.
- Mitigate any identity-related security weaknesses exploited during the attack, such as shadow admins, unmonitored service accounts, and unconstrained delegation.
- Limit potential attack paths by eliminating insecure connections (such as NTLM between workstations), removing excessive access permissions, and resetting risky configurations (e.g., shadow admins, unconstrained delegation).
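The detection and tracing logic of Step #2, as an added example that is not Silverfort’s code: it runs over constructed authentication records in a hypothetical audit format, flags accounts that tripped an MFA or block policy, and walks earlier allowed logons backwards from the host where the violation occurred toward patient zero.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records in a hypothetical audit format (not Silverfort's
# own schema): who authenticated from where to where, and the policy result.
@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_host: str
    dst_host: str
    protocol: str
    result: str  # "allowed", "mfa_denied" or "blocked"

SAMPLE_EVENTS = [
    AuthEvent(datetime(2024, 1, 5, 8, 2), "jsmith", "WS-017", "FS-01", "NTLM", "allowed"),
    AuthEvent(datetime(2024, 1, 5, 8, 40), "svc_backup", "FS-01", "APP-02", "Kerberos", "allowed"),
    AuthEvent(datetime(2024, 1, 5, 9, 5), "svc_backup", "APP-02", "DC-01", "Kerberos", "mfa_denied"),
    AuthEvent(datetime(2024, 1, 5, 9, 6), "svc_backup", "APP-02", "DC-02", "Kerberos", "blocked"),
    AuthEvent(datetime(2024, 1, 5, 9, 10), "alice", "WS-042", "MAIL-01", "Kerberos", "allowed"),
]

POLICY_VIOLATIONS = {"mfa_denied", "blocked"}

def flag_compromised(events):
    """Accounts that violated an MFA or block policy reveal an active attacker."""
    return sorted({e.user for e in events if e.result in POLICY_VIOLATIONS})

def trace_to_patient_zero(events, user):
    """Walk lateral-movement hops backwards from the account's first violation.
    Each step takes the latest earlier allowed logon *into* the host the attacker
    is currently on (any account, since attackers switch identities) and returns
    the host chain ordered from patient zero to the host where detection happened."""
    violations = sorted((e for e in events
                         if e.user == user and e.result in POLICY_VIOLATIONS),
                        key=lambda e: e.ts)
    if not violations:
        return []
    current, when = violations[0].src_host, violations[0].ts
    chain, seen = [current], {current}
    while True:
        prior = [e for e in events if e.dst_host == current and e.ts < when
                 and e.result == "allowed" and e.src_host not in seen]
        if not prior:
            break  # no earlier inbound logon: this host is patient zero
        hop = max(prior, key=lambda e: e.ts)
        current, when = hop.src_host, hop.ts
        seen.add(current)
        chain.append(current)
    return list(reversed(chain))
```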
“Silverfort immediately helped us to mitigate the impact of compromised users. It was one of the most significant tools we used to analyze authentication flow/protocols and determine compromised identities as we brought our Domain Controllers back online. We worked quickly with the IR team to put blocking policies in place over the compromised identities.”
CISO of a Fortune 100 company
Customer Challenge
The customer realized their environment was infiltrated and their vault compromised. Attackers had already gained access to critical systems, introducing significant potential for damage.
Silverfort Solution
The Silverfort platform was deployed in less than 12 hours across an environment with over 100 DCs. A block access policy for all users and resources was enforced, containing the attack at its current state and preventing further ransomware spread. The IR team utilized Silverfort to detect compromised accounts in a few hours, significantly shortening the overall IR timeline and enabling the customer to securely restore operations.