
Shadow Overview Transcript

This document introduces Shadow, a part of Proofpoint's Identity Threat Detection and Response solution that provides post-breach detection and protection through machine learning and deploying deceptive credentials and pathways throughout a network to detect attackers. When attackers interact with deceptions, it generates alerts and collects forensic data on the attackers.

Uploaded by

Dương Dương

Shadow Overview

Welcome. In this video, we introduce Shadow, a part of Proofpoint Identity Threat
Detection and Response (ITDR). ITDR Shadow provides post-breach detection and
protection for vulnerabilities that can’t be remediated.

Using machine learning, ITDR analyzes the information it collects from your
environment. It learns how your network is structured and how connections and
credentials would be expected to appear to an attacker who breaches your network. It
studies your naming conventions, password policies, and even looks for expired,
disabled, or stale accounts that can be repurposed by Shadow as enticing deceptions.
Taking this approach means an attacker can’t tell the difference between real and
deceptive credentials and pathways.

Shadow uses the same dissolvable binary to collect information and deploy deceptions,
so there is no agent for the attacker to disable or bypass. And Shadow deploys many
traps throughout your network, so a network goes from looking like this to instead
looking like this to an attacker. This makes it virtually impossible for an attacker to move
through your network without triggering at least one deception.

Whenever an attacker attempts to use a deceptive set of credentials or pathway, they
are detected. Because there are many types of deceptions, the process of detection
varies, but all produce the same rich forensic data.

For example, if an attacker tries to log in to your organizational assets with a set of
deceptive credentials, the management server detects the login attempt and creates an
alert. The attacker only sees a login failure message.

But if an attacker follows a deceptive pathway, they are directed away from your assets
and instead land in our trap server. And unlike a traditional honeypot, when an attacker
connects to one of our trap servers, we collect real-time forensics from both the
attacker’s actions on the trap server and from the attacker’s source machine. Forensics
is also run in real time when they conduct a login attempt using a deceptive credential
anywhere on the network.

You can access alerts directly in our ITDR console. Each alert provides forensic
information about the incidents involved, depending on the type of deception sprung.
You can also access screenshots of an attacker’s own desktop to see their actions.

This rich forensic data is available for export to support your larger investigations.

© 2023 Proofpoint, Inc. - All rights reserved. Confidential and proprietary.
