After an organization has been breached, one of the most critical steps is to determine the root cause and then act on it to protect the business more proactively. Recently, Preempt was brought in to help a Fortune 500 company with a critical internal threat situation. A malicious actor had been able to move laterally within the company’s environment, threatening its international brand, financials and customer relationships. Capitalizing on lessons learned during and after incident response provides immediate and long-term benefits in preventing future breaches. These takeaways can also provide valuable advice for other companies looking to improve their security posture and prevent business-critical attacks. Here, we’ll share the story and outline the top three lessons.
The Before State: Security Gaps
While the company had a robust investment in cybersecurity platforms and an industry-leading security team, the sheer size and complexity of the organization contributed to gaps that left it exposed and unable to respond quickly. With a global footprint, the company had a variety of distributed and disorganized authentication ports numbering in the six figures, as well as an extensive list of vulnerabilities. The complexity created silos of security, which in turn left the company with no unified visibility into its network, an inability to respond in real time, and disorganized password, access and authentication policies. As a result, it was exposed and later compromised.
How Preempt Helped on Day One
Within 24 hours of implementation – and without guidance from the organization on the origin of the threat – the Preempt Platform identified the exact source of the breach: an exposed password to a privileged account. Additionally, the Preempt Platform filled the company’s visibility gap and quickly identified the organization’s most critical weaknesses, including major vulnerabilities in their Active Directory and Active Directory services, presence of stealthy admins, users with passwords that did not expire, machines with vulnerable operating systems, users with SPNs and a lack of encryption. Since being deployed, the firm’s IT management has been able to increase their use of Preempt by approximately tenfold following a brief ramp-up and training period.
Key Lessons That Any Organization Can Benefit From
In looking back at how this breach transpired, there are several key takeaways that any organization can learn from. Here are three key lessons:
Privileged Account Management Only Goes So Far
In response to the risks posed by cyber attacks and breaches like this one, many organizations are investing in additional security controls to manage their users and accounts more proactively. And with good reason: privileged users can hold the keys to the castle, and if compromised they can be much more damaging to an organization.
With this organization, the Preempt Platform found business-critical vulnerabilities, including an exposed password to a highly privileged account, despite the company’s use of a leading Privileged Account Management (PAM) solution. They had PAM, so what went wrong?
Preempt found that hackers had exploited a weakness in the PAM’s password vaulting and were harvesting credentials from memory. We were able to provide visibility into what happened and identify the compromised account quickly. While PAM best practices typically include an inventory of accounts and regular audits, these policies must be consistently updated and enforced. If and when a user’s location, device, behavior or other factors change, your solution should respond accordingly, such as with a challenge, a security alert or another action. Had these policies been correctly designed, updated and enforced, the organization’s threat landscape would have been significantly reduced. Preempt’s Identity and Access Threat Prevention capabilities empower enterprises to automatically discover all privileged accounts and consistently apply security policies that enable organizations to preempt threats before impact. Adaptive responses can be triggered automatically based on policy and whenever there is suspicious access to or use of an account.
A Patchwork of Disjointed Solutions Can be Deadly
A common thing we hear from CISOs is that they have a lot of great security solutions and have employed top security talent and services, yet they still suffer from silos of solutions across different platforms (on-premise, hybrid, cloud) with nothing tying them together from a threat perspective. This organization was no different. The team had significant experience and top-of-the-line IT solutions, but they weren’t aligned and the solutions weren’t integrated appropriately, which in turn meant the organization lacked consistent visibility and enforcement. Regardless of organization size or the type of platforms your organization supports, your security solutions need to work seamlessly together and practice consistent policies and enforcement.
We recently announced an expansion of the Preempt Platform with our Secure Federated Access application, which provides visibility and control to a wide range of federated cloud applications, such as Office 365, Salesforce, Workday, and others. Preempt integrates with ADFS, as well as Cloud SSO such as Okta and Azure SSO, and enables companies to practice consistent enforcement and real-time threat prevention.
Visibility is Critical
Silos of solutions create silos of visibility. This creates gaps in seeing and understanding a holistic view of identity. When there are gaps, it is difficult to assess risk because one solution doesn’t see what’s happening in another solution with a particular user or account. What is required is a single pane of glass to monitor identity, behavior and risk across all accounts and all platforms. If we look at this particular Fortune 500 company’s environment, it has a global footprint, a diverse and distributed employee base, and evolving IT perimeters (due to the complexity of its IT environment). Observing all users and accounts, analyzing behavior and understanding risk at scale can be a daunting challenge. Prior to Preempt coming on board, even tracing the footsteps of an attacker within the network seemed prohibitively difficult. The lesson: a robust cybersecurity policy is impossible without unified visibility. While visibility into all user actions across large global enterprises often seems impractical to IT leaders, it is not only doable, but critical to the longevity of virtually any enterprise. Visibility and security go hand in hand.
Within a week of coming online, Preempt helped the team determine the complete extent of the breach, including lateral movement within the company’s environment over an extended period of time. The Preempt Platform located interactive logins by service accounts and LDAP Simple Bind clear-text authentication, all of which had contributed to the incident. To prevent future incidents, the organization will rely on Preempt to reduce and continuously monitor the number of unnecessary and stale privileged accounts, improve the overall strength of passwords among its users, and remediate vulnerabilities in order to prevent accounts from being compromised. To view the full case study, visit here.
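The two conditions named above, interactive logons by service accounts and LDAP simple binds sent in clear text, can be checked for in exported Windows event records. The following is an added example, not code from the post or from the Preempt Platform; the flat record shape, field names and the sample events are constructed, and the reading of event 2889's binding type (1 = simple bind without TLS, 0 = unsigned SASL bind) is my understanding of that event rather than something the post states.

```python
"""Flag interactive service-account logons (4624) and cleartext LDAP simple binds (2889)."""

# Constructed sample events in a flat dict shape such as a log forwarder might emit.
# Field names are assumptions; a real export (e.g. from Get-WinEvent) will differ.
SAMPLE_EVENTS = [
    # Security 4624, LogonType 10 = RemoteInteractive (RDP): a service account at a desktop is a red flag
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.0.5.17"},
    # Same account, LogonType 3 = Network: expected for a service account, not flagged
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.5.18"},
    # Human user, LogonType 2 = Interactive: normal
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "10.0.7.4"},
    # Directory Service 2889 on a DC, BindType 1 (assumed) = simple bind without TLS: password on the wire
    {"EventID": 2889, "Identity": "CORP\\svc_ldap", "ClientIP": "10.0.9.21:51023", "BindType": 1},
    # BindType 0 (assumed) = SASL bind without signing: a separate weakness, not reported by this check
    {"EventID": 2889, "Identity": "CORP\\app01", "ClientIP": "10.0.9.30:49877", "BindType": 0},
]

# Constructed service-account inventory; in practice this comes from the PAM or AD inventory.
SERVICE_ACCOUNTS = {"svc_backup", "svc_ldap", "svc_sql"}

# Logon types that imply a console, RDP or cached-console session.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


def find_interactive_service_logons(events, service_accounts):
    """Return (account, logon_type, source_ip) for every interactive logon by a service account."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") not in INTERACTIVE_LOGON_TYPES:
            continue
        user = e.get("TargetUserName", "")
        if user.lower() in service_accounts:
            hits.append((user, e["LogonType"], e.get("IpAddress")))
    return hits


def find_cleartext_simple_binds(events):
    """Return (identity, client) for every LDAP simple bind made without TLS (event 2889, BindType 1)."""
    return [(e.get("Identity"), e.get("ClientIP"))
            for e in events if e.get("EventID") == 2889 and e.get("BindType") == 1]


if __name__ == "__main__":
    for user, ltype, ip in find_interactive_service_logons(SAMPLE_EVENTS, SERVICE_ACCOUNTS):
        print(f"interactive logon (type {ltype}) by service account {user} from {ip}")
    for ident, client in find_cleartext_simple_binds(SAMPLE_EVENTS):
        print(f"cleartext LDAP simple bind as {ident} from {client}")
```

Event 2889 is only written when the NTDS diagnostic level for "16 LDAP Interface Events" has been raised to 2 on the domain controllers, so the second check finds nothing until that logging is enabled.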