Tysons Corner, Virginia company is a leader in detecting and preventing sophisticated hacks of Active Directory and Kerberos like those employed by Russian state-sponsored actors.
In the wake of an unprecedented, nation-state attack on U.S. federal government agencies, state governments and the private sector, QOMPLX Inc. on Friday said that it is actively assisting very large commercial organizations in assessing the integrity of their Active Directory environments and stands ready to work with organizations concerned that they may have been a victim of Russian state-sponsored actors.
“The latest warnings and guidance from CISA about the extent and severity of this incident within and outside the Federal government deeply concern us,” said QOMPLX CEO Jason Crabtree. “We’re ready to help.”
“In late 2019 QOMPLX stood up its QOMPLX Government Solutions subsidiary to assist US Federal, State & Local government customers conduct their critical tasks more efficiently and securely,” said Bill Solms, President of QOMPLX Government Solutions, LLC. “We offer capabilities that allow key Government Agencies to detect critical attacks and continue to function effectively.”
QOMPLX is a recognized leader in identity assurance for both Active Directory and Kerberos. The company has invested more than five years and close to $100 million developing technology and services that are used by some of the world’s most sophisticated firms to spot attacks on critical control infrastructure including Active Directory and the Kerberos authentication protocol – both of which were targeted in the recent hacks of federal agencies.
“Sophisticated cyber adversaries want to establish persistence within your trusted networks: siphoning off sensitive data from your organization, or laying the groundwork for a crippling attack. Account takeovers and hacks of critical identity infrastructure like Active Directory and Kerberos are their most potent weapons,” said QOMPLX Chief Information Security Officer Andy Jaquith.
QOMPLX’s software can spot attacks such as “Kerberoasting” and “Golden Ticket attacks” deployed by the adversaries against federal agencies like the Department of the Treasury and the Commerce Department. Those techniques are essential to enabling sophisticated adversaries to move from low-value to high-value IT assets and establish dominance within a compromised network. “QOMPLX can detect and stop these attacks,” Crabtree said.
Stateful validation is the key to stopping attacks such as the Golden Ticket technique alluded to in the CISA advisory, and means that applications that rely on Kerberos, such as downstream SAML services, can be authenticated with confidence.
QOMPLX Q:CYBER provides real-time analytics and external stateful validation of Kerberos. Because QOMPLX validates the Kerberos protocol, instead of looking for specific malicious binaries or log-based “signatures,” our technology is completely agnostic to the methods used. It does not matter whether threat actors use attack tools such as Mimikatz or Cobalt Strike, lace SolarWinds with backdoor malware, or forge Kerberos tickets by hand—Q:CYBER will detect all violations of the protocol. Also, QOMPLX makes it faster and easier for organizations to integrate disparate internal and external data sources across the enterprise via a unified analytics infrastructure that supports better decision-making at scale.
As companies work to assess their own exposure to this wide-ranging threat, QOMPLX stands ready to assist them in assessing whether their Active Directory environment may have been compromised and, if necessary, to establish “ground truth” in their environment and begin recovering from the incident.