
Shadow Architecture Transcript

The document discusses the components of Shadow Architecture, including a management server that coordinates trap deployment and receives information from trap servers, which are listening devices that record an attacker's actions once connected. An optional ransomware trap server is also described.

Shadow Architecture

Welcome. In this video, we introduce the components of ITDR Shadow: the
management server and the trap server.

As its name suggests, the management server coordinates everything. It handles trap
deployment onto the endpoints. It talks to your Active Directory, DNS, mail servers, and
SIEM. And it receives information sent by the trap servers.

It queries your domain controllers or SIEM and looks for failed login attempts. When it
sees an attacker attempting to log in to organizational assets using a deceptive set of
credentials, it generates an alert. It also begins gathering forensic data to learn as
much as possible about the event, including where the connection originates from.
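The detection step described above, as an added illustration that is not Proofpoint's code: a small detector that reads failed-logon events (constructed sample lines, loosely modelled on Windows event 4625 as exported to a SIEM), matches the target account against a set of planted decoy credentials, and raises one alert per decoy account and source address with the originating host and the asset that was targeted. The log format, the decoy account names and the field names are assumptions made for the example.

```python
"""Decoy-credential logon detection (added example, not ITDR Shadow code).

The management server described in the transcript queries domain controllers
or the SIEM for failed logons and alerts when a deceptive credential is used.
This script does the same over constructed sample events."""
import re
from dataclasses import dataclass, replace

# Constructed decoy account names: the deceptive credentials planted on endpoints.
DECOY_ACCOUNTS = {"svc_backup_old", "adm_legacy", "jsmith_bak"}

# Constructed log format, loosely modelled on a Windows 4625 (failed logon) event.
LINE_RE = re.compile(
    r"EventID=(?P<eid>\d+)\s+TargetUserName=(?P<user>\S+)\s+WorkstationName=(?P<host>\S+)\s+"
    r"IpAddress=(?P<ip>\S+)\s+Computer=(?P<target>\S+)"
)

# Constructed sample events: one genuine user typo, one success, and three decoy-credential failures.
SAMPLE_LOGS = [
    "2023-05-01T10:00:01Z EventID=4625 TargetUserName=alice WorkstationName=WS-ALICE IpAddress=10.0.0.5 Computer=DC01",
    "2023-05-01T10:00:02Z EventID=4625 TargetUserName=svc_backup_old WorkstationName=WS-17 IpAddress=10.0.0.77 Computer=DC01",
    "2023-05-01T10:00:03Z EventID=4624 TargetUserName=bob WorkstationName=WS-BOB IpAddress=10.0.0.6 Computer=DC01",
    "2023-05-01T10:00:04Z EventID=4625 TargetUserName=svc_backup_old WorkstationName=WS-17 IpAddress=10.0.0.77 Computer=FS02",
    "2023-05-01T10:00:05Z EventID=4625 TargetUserName=ADM_LEGACY WorkstationName=WS-17 IpAddress=10.0.0.77 Computer=DC01",
]


@dataclass(frozen=True)
class Alert:
    account: str      # decoy account that was used
    source_ip: str    # where the logon attempt originated
    source_host: str  # workstation name reported in the event
    target: str       # first asset the decoy credential was tried against
    count: int        # number of failed attempts seen for this account/source pair


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not in the expected format."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def detect_decoy_logins(lines, decoys=DECOY_ACCOUNTS):
    """Return one Alert per (decoy account, source IP) seen in failed logons.

    Only event 4625 is considered, and only when the target account is a decoy;
    ordinary failed logons are noise and are ignored. Account matching is
    case-insensitive because AD user names are."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["eid"] != "4625":
            continue
        user = ev["user"].lower()
        if user not in decoys:
            continue
        key = (user, ev["ip"])
        if key in hits:
            hits[key] = replace(hits[key], count=hits[key].count + 1)
        else:
            hits[key] = Alert(user, ev["ip"], ev["host"], ev["target"], 1)
    # Most active source first, then by account name, so triage starts with the noisiest pair.
    return sorted(hits.values(), key=lambda a: (-a.count, a.account))


if __name__ == "__main__":
    for alert in detect_decoy_logins(SAMPLE_LOGS):
        print(f"ALERT decoy={alert.account} from={alert.source_ip} ({alert.source_host}) "
              f"first_target={alert.target} attempts={alert.count}")
```

Any hit on a decoy account is actionable by construction: no legitimate process should ever present those credentials, so the source workstation and IP in the alert are the starting point for the forensic collection the transcript goes on to describe.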

Then there are trap servers. Trap servers are essentially listening devices. Deceptions
that involve pathways lead attackers away from your assets and instead to a trap
server. Once an attacker connects to a trap server, the trap server records the
attacker’s actions and reads forensic data directly from the attacker’s source machine.
This information is sent to the management server.

Your configuration may also include a ransomware trap server. This is an optional
service. The server contains a large list of files and is designed to trick ransomware
software into thinking it found a shared file repository. As ransomware tries to encrypt
the files found on the ransomware server, the server sends a command to halt
encryption, stopping ransomware in its tracks.
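The detection half of the ransomware trap, as an added example that is not Proofpoint's code: a directory of low-entropy decoy documents is seeded and fingerprinted, and a scan then reports any decoy that was rewritten (with a Shannon-entropy check, since encrypted output is near-random), went missing, or appeared under a new name. The transcript's "command to halt encryption" is a product mechanism the page does not detail, so it is not modelled here; the example stops at the alert. Decoy file names, the entropy threshold and the test tamper routine are assumptions made for the example.

```python
"""Decoy-share tamper detection (added example, not ITDR Shadow code).

Seeds decoy files, records their SHA-256 baseline, and flags any decoy that is
modified, missing or renamed. High-entropy rewrites are called out separately
because ciphertext is near-random while the planted decoys are not."""
import hashlib
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data):
    """Bits per byte of the given bytes; 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def seed_decoys(root, count=20):
    """Write constructed decoy documents into root and return {name: sha256} as the baseline."""
    baseline = {}
    for i in range(count):
        name = f"Q{i % 4 + 1}_budget_{i:03d}.xlsx"          # constructed, plausible-looking names
        body = (f"Decoy spreadsheet {i}\n" * 40).encode()     # deliberately low-entropy content
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
        baseline[name] = hashlib.sha256(body).hexdigest()
    return baseline


def scan_decoys(root, baseline, entropy_threshold=7.0):
    """Compare the decoy directory with its baseline and report what changed."""
    present = set(os.listdir(root))
    modified, high_entropy = [], []
    for name, digest in baseline.items():
        if name not in present:
            continue
        with open(os.path.join(root, name), "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != digest:
            modified.append(name)
            if shannon_entropy(data) >= entropy_threshold:
                high_entropy.append(name)   # rewritten with near-random bytes: encryption-like
    missing = sorted(set(baseline) - present)
    unexpected = sorted(present - set(baseline))
    return {
        "modified": modified,
        "high_entropy": high_entropy,
        "missing": missing,
        "unexpected": unexpected,
        # Nothing legitimate touches a decoy, so any change at all is an alert.
        "alert": bool(modified or missing or unexpected),
    }


def tamper_decoys_for_test(root, names, suffix=".locked"):
    """Test fixture only: overwrite the named decoys with random bytes and rename the last one,
    which is the on-disk state a scan would see after such a rewrite."""
    for idx, name in enumerate(names):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(os.urandom(4096))
        if idx == len(names) - 1:
            os.rename(path, path + suffix)


def run_demo():
    """Seed decoys in a temporary directory, scan clean, tamper with three, scan again."""
    with tempfile.TemporaryDirectory() as root:
        baseline = seed_decoys(root)
        before = scan_decoys(root, baseline)
        tamper_decoys_for_test(root, list(baseline)[:3])
        after = scan_decoys(root, baseline)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("clean scan alert:", before["alert"])
    print("after tamper:", after)
```

Hash comparison catches any change; the entropy check is what distinguishes an encryption-style rewrite from, say, an accidental edit, and a renamed decoy shows up as one missing name plus one unexpected name, which is the usual signature of an encryptor that appends its own extension.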

If you have several distinct domains or network segments, you may also want to use
connectors. Connectors are optional and allow independent segments of a network to
communicate with the management server.

All alerts are compiled and prioritized on the management server. You access the alerts
and all relevant forensic data through the ITDR console. And because the management
server is connected to your SIEM, you can export forensic data to assist in ongoing
investigations.

© 2023 Proofpoint, Inc. - All rights reserved. Confidential and proprietary.
