Cyber Incident Responses and User Access Review

The news often brings to us word on breaches and hacks – in a usually nicely capsulated package of forensic data concerning the attack vector, the point of breach, how they were able to go undetected and the mechanism used to communicate back to the hacker’s C2 (command and control) center.   But this information is not handed to the white hats from the attackers.  Instead this information in painfully extracted by a team of cyber professionals, usually 3rd party specialist, who execute an Incidence Response plan and report back thier findings.

What is an Incident Response (IR)?

An Incident Response (IR) is the effort to quickly identify an attack, minimize its effects, contain damage, and remediate the cause to reduce the risk of future incidents.

Incident responses are an organized approach to addressing and managing the aftermath of a security breach or cyberattac. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

There importance is obvious – the attack must be detected, the damage stopped and the causes and mitigation understood and implemented.

What place does Identity play in an IR?

Given that credential breaches alone account for over 50% of cyber attacks  it is imperative that the IR team understand if and what identities were involved in the attack.   Most chances, since privilege escalation and lateral movement are key parts ot the cyber kill chain – that Identity and especially amin privileges were involved in the attack process.

What also needs to be understood – is what role did existing misalignment of identity privileges played in the attack.  Often enterprises over privilege accounts that are readily available to the hackers on the dark web for purchase.  In fac, Palo Alto sites that 99% of cloud deployments are overly permissive.

How Can an User Access Review Help in the IR process?

Incident Responses (IRs) usually contains 2 crucial components:  

  • The “Management and Containment Process” and  
  • The “Post Incident Review” 

These can be thought of as the “investigation” and “remediation” components of the report.  We will detail were YouAttest, and YouAttest User Access Reviews come to play in this process. 

Image #1. YouAttest access reviews for user, groups and applications can play an important part in the incident response process.

IR Investigation and YouAttest User Access Reviews 

Review Admin privilege for suspicious user/group mappings

Upon breach, relevant groups can be investigated via the YouAttest tool for the appropriate manager(s) to review.   YouAttest can expedite this review process by:

  • Auto-delegating to relevant managers
  • Allowing these managers to make notes, certify, revoke or re-delegate

The process enables the line manager to quickly identify and communicate ANOMALOUS user privileges that may point to an identity breach and case of privileg escalation. 

B.  IR Remediation and YouAttest User Access Reviews

For the remediation and reporting phase, YouAttest can help execute the (3) following task:

1. Review Admin privileges

A IR practitioner could run a YouAttest campaign on all relevant admin and service accounts to help identify the current privileges.  The purpose of enforcing the NIST PR.AC-6 privilege of least privilege which is the governing philosophy around user privileges especially powerful admin accounts. 

2.  Remove Orphan/Ghost accounts in resources NOT connected to ISoR

A common hacker mechanism is to gain access to an account on a system that is not managed by the “identity store of record” – e.g.  the controlling (IDaaS or on-premise) directory.   

In this manner the attacker can go go unrecognized and increase “dwell time”.

With YouAttest an IR practitioner can import these siloed resources into YouAttest and compare against the active account and groups of the identity store of record (ISoR).  This helps identify ghost accounts that could have been used in the attack – and regardless should be removed improved identity security for the enterprise. 

3.   Set up Admin triggers for future notification on admin users

YouAttest has an advanced feature that can be set on admin and other privileged accounts were changes in membership and permissions can alert an attestation trigger.  This is a serious security upgrade to enterprises who lack this important identity control of auto-attestation for the enterprise’s most important accounts.

YouAttest provides this feature of identity auto-triggers and should be part of the recommendation plan of IRs responding to admin account manipulation.

Summary

With YouAttest, an IR investigator can get an accurate snapshot of an organization’s access controls – that probably played a part of the cyber incident.

YouAttest is the leading provider of automated access reviews  and can help your enterprise stay secure and eliminate orphan accounts. Contact YouAttest , today, to learn more about how we can help you maintain continuous compliance.

 

Facebook
Twitter
LinkedIn

More
articles