Companies today are exposed to many threats, and incident response (IR) teams have to respond to both real and suspected breaches. Incidents can include credential compromise, phishing, malware in the network, Denial of Service (DoS) attacks, zero-day threats, and unauthorized changes to the network, hardware or software, to name a few. Many organizations also hire a red team to create realistic attack scenarios that expose attack surfaces and test for network vulnerabilities. This all keeps an IR team pretty busy.
Preempt was recently brought in to help a Fortune 500 company investigate the root cause of a breach. Preempt provided critical insights for the investigation, including an exposed password belonging to a privileged account (despite the company having deployed a leading Privileged Account Management (PAM) solution) and the attacker's lateral movement within the environment over an extended period of time, which started with a single credential compromise. You can read more in this case study.
Effective incident response requires rapid response. The goal is to minimize damage caused by incidents (cost and physical damage) along with tracking down the root cause to stop the exposure and identify the attacker. The bigger the breach is, the more it can cost.
In a recent Ponemon study sponsored by IBM, “the average total cost of a breach ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 compromised records. Mega breaches (involving 1 million compromised records) could cost as much as $39.49 million. Unsurprisingly, this figure increases as the number of breached records grows. A breach involving 50 million records, for example, would result in a total cost of $350.44 million.”
Despite having lots of solutions and tools in place, many organizations find they have silos of solutions, many of which don't play nicely together. Too many tools add to the complexity of incident response. Add to that the growing complexity of migrating to the cloud, and it's clear that holistically understanding identity and access can be a major difficulty. Identity and Access Threat Prevention (IATP) can break down the silos and tie them together from a threat standpoint, making it easier for organizations to perform incident response in a variety of ways.
Identity and Access Threat Prevention can help IR teams in three significant ways:
- Real-time response
- Hardening of the infrastructure
Threat hunting and determining the root cause of a breach can be complex. IATP can provide analytics to identify access and critical vulnerabilities. Access can drive the knowledge that is required to identify breach sources and reduce false positives for IR. Identity and Access Threat Prevention provides a continuous assessment of Identity, Behavior and Risk and provides a unified view of all users and accounts across the enterprise to detect known and unknown threats. It can provide the context of what users are doing on Active Directory, SSO, VPN gateways and other data sources to get a complete view of a user's identity. Analytics are focused on access, and this allows IR teams to take action because the data gives a high-fidelity understanding of human, privileged and programmatic accounts. It's easier to understand accounts not just by looking at their behavior in logs but also by looking at traffic.
Another key component of cyber investigations is forensic data. Since the Preempt Platform tracks all entities in the network, it can add valuable forensic data, such as associating each machine with all internal IP addresses it used and a log of which protocol and LDAP queries were performed by each user account in the network.
With the Fortune 500 company we mentioned earlier, Preempt had found that hackers exploited a weakness in the organization’s password vaulting and were harvesting credentials from memory. We were able to provide the visibility into what happened and identify the compromised account quickly.
During an active breach, enterprises need to contain the exposure yet still keep day-to-day business moving forward. IATP can easily add identity verification in front of any and all access transactions to ensure that only legitimate users have access to corporate resources. With analytical and automated decisions around enterprise access for any user (privileged accounts, service accounts, executives, and contractors), enterprises can verify identity and continuously respond to access requests in real time. A flexible policy enables adaptive responses (like Allow/Block, MFA, Isolation, Third Party verification, etc.) and ensures legitimate transactions can smoothly continue while the breach is contained. This approach also prevents additional threats such as credential compromise, account takeover and lateral movement.
Real-time response can also be used to keep organizations running safely during an attack. Preempt had one large oil company customer that found that someone had gotten into the network and tried to get into other accounts to create a mass system lockout (a Denial of Service attack). By using Preempt, they were able to block rogue attempts, and employees were able to access their accounts since their endpoints were recognized as legitimate by Preempt.
Another interesting scenario is that of weak passwords. Preempt, for instance, monitors passwords that were exposed in past online breaches so that any use of these passwords within the organization's network raises an alert. Where IR teams are dealing with a previous breach, it is possible an attacker was able to dump all network passwords (using mimikatz, for instance). In this case, on top of passwords from online breaches, the IR team might also want to disallow any password that was in use during the breach.
Hardening of the Infrastructure
Another consideration for supporting incident response involves "hardening" of the infrastructure to minimize the number of incidents that take place over time. IATP can help with this in two ways. First, it can help with identifying critical weaknesses that can expose an organization. IATP can learn about an organization's users and network to identify things such as vulnerabilities in Active Directory and Active Directory services, presence of stealthy admins, users with passwords that don't expire, stale accounts, machines with vulnerable operating systems, misuse of tools (PsExec, PowerShell), protocols (NTLM, Kerberos, LDAP) and more. Second, organizations can more easily implement a flexible and adaptive organization-wide security policy and combine that with real-time enforcement in order to reduce incidents through auto-resolution.
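One way to run the account-hygiene part of such an assessment over an Active Directory export, as an added example (not Preempt's code and not from the original post): it flags enabled accounts with non-expiring passwords and stale or never-used accounts. The record layout, the 90-day threshold and the sample accounts are assumptions; the attribute names and `userAccountControl` flag values are the standard Active Directory ones.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Active Directory values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 or None means 'never'."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def audit_accounts(accounts, now, stale_after_days=90):
    """Return {sAMAccountName: [issues]} for enabled accounts only."""
    cutoff = now - timedelta(days=stale_after_days)
    findings = {}
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & UAC_ACCOUNTDISABLE:
            continue  # disabled accounts cannot authenticate
        issues = []
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            issues.append("password_never_expires")
        last = filetime_to_dt(acct.get("lastLogonTimestamp"))
        if last is None:
            issues.append("never_logged_on")
        elif last < cutoff:
            issues.append("stale")
        # adminCount=1 marks current or former members of protected groups.
        if issues and acct.get("adminCount") == 1:
            issues.append("privileged")
        if issues:
            findings[acct["sAMAccountName"]] = issues
    return findings

# Constructed sample export (not real accounts); NOW is fixed for repeatability.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _ago(days):
    return dt_to_filetime(NOW - timedelta(days=days))

SAMPLE = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200, "lastLogonTimestamp": _ago(10), "adminCount": 1},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200, "lastLogonTimestamp": _ago(200)},
    {"sAMAccountName": "asmith", "userAccountControl": 0x200, "lastLogonTimestamp": _ago(5)},
    {"sAMAccountName": "old_admin", "userAccountControl": 0x10202, "lastLogonTimestamp": 0, "adminCount": 1},
    {"sAMAccountName": "newhire", "userAccountControl": 0x200, "lastLogonTimestamp": 0},
]

if __name__ == "__main__":
    for name, issues in audit_accounts(SAMPLE, NOW).items():
        print(name, ", ".join(issues))
```

`lastLogonTimestamp` is replicated between domain controllers with a lag of up to about two weeks by default, so the stale threshold should stay well above that.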
One Private Equity firm that Preempt works with was having trouble controlling the use of tools like PsExec and PowerShell, which could be used by attackers to navigate the network. They deployed Preempt inline to ensure that whenever such tools are used on the network, the user's identity must be verified using MFA. This gives them the ability to control misuse of these tools without preventing legitimate use.
Every minute counts when it comes to resolving a security breach, and time is money. Mean Time to Identify (MTTI) and Mean Time to Resolve (MTTR) are key performance indicators, and Identity and Access Threat Prevention helps IR teams reduce both. Gaining a holistic view of identity and understanding access for all users and accounts allows IR teams to hunt threats more quickly, identify the root cause of a breach and take the necessary steps to resolve incidents quickly. At the same time, allowing organizations to better enforce a company-wide security policy and be more proactive with automated real-time response can help with stopping and containing threats before they impact the business.