Time is against incident response (IR). There is enough evidence that something bad is happening, so you engage an internal or external team, but you still don't know the scope, impact, or root cause. IR teams can find malicious files and outbound network connections thanks to a common set of tools and techniques. Unfortunately, the identity component, namely identifying the compromised user accounts that were used to spread throughout your network, goes unattended. IR teams find this the most time-consuming task, and it has become an uphill battle in which attackers buy valuable time while continuing to cause harm.
In this article, we examine the underlying factors that create the identity blind spot in IR and give examples of how it prevents a quick and effective process. We then introduce Silverfort's Unified Identity Protection Platform and show how its real-time MFA and identity segmentation close this blind spot and make the difference between a contained incident and an expensive breach.
IR 101: Knowledge Is Power, and Everything Depends on Time
An IR process can be triggered in a myriad of ways. What they all have in common is that you may believe, or even be certain, that something is wrong, but you are unsure of its precise nature, location, or method. If you're lucky, your team discovered the threat while it was still gaining a foothold internally but hadn't yet carried out its malicious intent. If you're less lucky, you won't notice the adversary until after it has already acted, with malicious activity such as encrypted machines and missing data already visible.
In either case, once IR begins, the most pressing task is dispelling the darkness and gaining a clear understanding of which entities in your environment are compromised. Once those are discovered and verified, the attack can be contained by resetting user accounts, quarantining machines, and blocking outbound traffic.
When it comes to compromised user accounts, that last step poses a problem that hasn't yet been solved and is far from simple. Let's look at why.
Identity IR Gap #1: No Playbook Move to Identify Compromised Accounts
Unlike malware files or malicious outbound network connections, a compromised account simply logs in to resources as a regular account would. If it is an admin account that routinely accesses multiple workstations and servers, as is the case in many attacks, its lateral movement won't even look unusual.
As a result, even after the compromised machines have been located and quarantined, discovering the account requires manually checking every account that logged in to them. Once again, reliance on manual, error-prone investigation causes serious delay when time is of the essence.
Identity IR Gap #2: No Easy Way to Contain the Attack and Stop It From Spreading
Like in real life, immediate first aid comes before full treatment. In the IR world, the equivalent is keeping the attack within its current bounds, stopping it from spreading even before its active components are discovered. At the network level, this is done by temporarily isolating the segments hosting malicious activity from those not yet compromised. At the endpoint level, it is done by quarantining malware-infected machines.
Once more, the identity component falls short. The only containment measures available are resetting the user account's password or disabling it in AD. The first option is a no-go because of the operational disruption it causes, especially in the case of false positives. If the suspected account is a machine-to-machine service account, resetting its password is likely to break the critical processes it runs, adding to the damage already caused by the attack. So this is not a good option either. And if the attacker has compromised the identity infrastructure itself, they will respond to a password reset right away by moving to a different account.
Identity IR Gap #3: No Proven Way to Reduce the Exposed Identity Attack Surface That Attackers Target
The weaknesses that expose the identity attack surface to malicious credential access, privilege escalation, and lateral movement are a blind spot for the posture and hygiene products in the security stack. As a result, the IR team is deprived of crucial compromise cues that could have greatly sped up the process.
Insecure authentication protocols such as NTLM (or, even worse, NTLMv1) and numerous misconfigurations, such as accounts set with unconstrained delegation, shadow admins, and stale users, are glaring examples. Adversaries prey on these weaknesses as they follow the Living Off the Land route. Because it is impossible to find, reconfigure, or protect the accounts and machines that have these weaknesses, IR becomes an exercise in cat herding: while the analyst is busy checking whether Account A is compromised, the adversary is already using compromised Account B.
In the End, There Are No Tools. There Are No Shortcuts. Just Slow, Manual Log Analysis While the Attack Is Underway
This is the current state of affairs when the IR team must identify the compromised user accounts the attacker is using to spread throughout your environment. It is the secret no one discusses, and the real reason lateral movement attacks are so successful and so hard to contain even when the IR process is underway.
Silverfort finds a solution to this problem.
Silverfort Unified Identity Protection for IR Operations
Silverfort's Unified Identity Protection platform integrates with cloud and on-premise identity infrastructure (Active Directory, Entra ID, Okta, Ping, etc.). This integration gives Silverfort full visibility into every authentication and access attempt, real-time access enforcement that stops malicious access with MFA or an access block, and automated service account discovery and protection.
Let's examine how these capabilities accelerate and optimize the identity IR process:
Investigating Compromised Accounts With MFA, With No Operational Disruption
Silverfort is the only solution that can enforce MFA protection on all AD authentication, including command-line tools such as PsExec and PowerShell. With this capability, a single policy that requires all user accounts to verify their identity with MFA can quickly surface every compromised account.
The process is straightforward once the policy is set up:
- Using the account's compromised credentials, the adversary logs in to a machine in an effort to continue its malicious access.
- When prompted for MFA, the actual user denies having requested access to that resource.
Goal #1 accomplished: there is now conclusive proof that this account is compromised.
Side note: now that the account is verified as compromised, all we need to do is filter the Silverfort log screen for the machines this account has logged into.
Fending Off the Attack With MFA and Block Access Policies
The MFA policy just described not only identifies compromised accounts but also stops the attack from spreading further. The IR team can thus halt the adversary's advance and ensure that resources not yet compromised stay that way.
Zooming In on Service Accounts: Operational Disruption Protection Revisited
Service accounts deserve special attention because threat actors frequently abuse them. These machine-to-machine accounts cannot be protected by MFA because they are not tied to a human user.
Silverfort, however, automatically discovers these accounts and learns their recurring behavioral patterns. With this visibility, Silverfort makes it possible to configure policies that block access whenever a service account deviates from its normal behavior. All standard service account activity continues undisrupted, while any malicious attempt to abuse it is blocked.
The attack is stopped, allowing the IR team to begin their investigation quickly.
Eliminating Exposed Weaknesses in the Identity Attack Surface
Thanks to its visibility into all authentication and access attempts within the environment, Silverfort can identify and address the common weaknesses attackers exploit. A few examples:
- Setting MFA policies for all shadow admins
- Setting block access policies for NTLMv1 authentication
- Finding every account configured without pre-authentication
- Finding every account configured with unconstrained delegation
This attack surface reduction typically takes place during the initial "first aid" stage.
Goal #3 accomplished: identity weaknesses are reduced and cannot be used for malicious propagation.
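As an added example (not Silverfort's code), the following PowerShell enumerates three of the weaknesses listed above straight from AD and the Security log: accounts with Kerberos pre-authentication disabled, objects trusted for unconstrained delegation, and recent NTLMv1 logons. It assumes the RSAT ActiveDirectory module is installed and that it runs with read access to AD and to a domain controller's Security log.

```powershell
# Added example, not Silverfort code. Assumes the RSAT ActiveDirectory module
# and read access to AD plus the Security log of the domain controller it runs on.
Import-Module ActiveDirectory

# userAccountControl bit values (documented AD flags)
$DONT_REQ_PREAUTH       = 0x400000   # Kerberos pre-authentication disabled
$TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
$SERVER_TRUST_ACCOUNT   = 0x2000     # domain controller (trusted for delegation by design)

# LDAP matching rule 1.2.840.113556.1.4.803 performs a bitwise AND on the attribute.
$preAuthDisabled = Get-ADUser `
    -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH)" `
    -Properties userAccountControl, lastLogonDate

# Unconstrained delegation can be set on users and computers; DCs are excluded
# here because the flag is expected on them.
$unconstrained = Get-ADObject `
    -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)(!(userAccountControl:1.2.840.113556.1.4.803:=$SERVER_TRUST_ACCOUNT)))" `
    -Properties objectClass

"Accounts with Kerberos pre-authentication disabled:"
$preAuthDisabled | Select-Object SamAccountName, Enabled, LastLogonDate | Format-Table -AutoSize

"Non-DC objects trusted for unconstrained delegation:"
$unconstrained | Select-Object Name, ObjectClass | Format-Table -AutoSize

# NTLMv1 use is visible in successful logon events (4624) whose
# LmPackageName field reads "NTLM V1" (v2 logs "NTLM V2", Kerberos logs "-").
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) }
$ntlmv1 = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    if ($data['LmPackageName'] -eq 'NTLM V1') {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['TargetUserName']
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
}

"NTLMv1 logons in the last 24 hours:"
$ntlmv1 | Format-Table -AutoSize
```

Each list maps directly to a remediation: re-enable pre-authentication, remove the delegation flag or move to constrained delegation, and tighten the LAN Manager authentication level on the hosts still sending NTLMv1.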
Conclusion: Are You Prepared to Gain Identity IR Capabilities?
Over 80% of cyberattacks involve compromised accounts, so the odds are high that you will be affected. To ensure they can react quickly when such an attack occurs, security stakeholders should invest in IR tools that address this aspect.
To find out more about the IR capabilities of the Silverfort platform, contact one of our experts to arrange a quick demo.