No one wants to respond to a security incident or a breach. Instead the highest priority should be to stop a cyberthreat before it compromises the organization. But in reality, preventing a cyberattack from landing is not always possible. The steps for incident or breach identification – from threat hunting to searching for explicit Indicators of Compromise (IoC) – are well established. While the processes will vary from organization to organization, malware, compromised accounts, lateral movement, etc. will all need to be addressed as a part of any formal clean-up plan.
If a breach is severe enough (for example, if domain controllers were compromised), organizations may have no choice but to reinstall the entire environment from scratch. While that is a worst-case scenario, it does happen. In many cases, businesses choose to scrub servers as best they can rather than perform a complete reinstall. That is a business decision based on risk, feasibility, and cost. It also becomes a no-win scenario if the threat has a persistent presence that uses techniques to evade traditional identification measures. If you think that is far-fetched, look at the history of rootkits, which hide from the operating system they run on, and of hardware flaws like Spectre and Meltdown, which prove there is always another way to attack a technology resource.
Threat actors are after your credentials
Regardless of your remediation strategy, you should assume that, in one fashion or another, threat actors have access to your credentials. This implies that any cleanup effort should not reuse any existing passwords or keys. If possible, you should change (rotate) all credentials across every affected or linked resource. This is where Privileged Access Management (PAM) comes into play. The cleanup or redeployment needs to be protected from password reuse, and from a threat actor regaining a persistent presence through poor credential management, as remediation efforts begin.
Password management is a core aspect of PAM, and includes the automatic onboarding, rotation, session management, reporting, and check-in and check-out of passwords from a password safe. While PAM technology is most prominently used for privileged passwords like administrator, root, service accounts, and DevOps secrets, it can also be used as a least privilege solution to remove administrative rights for applications and tasks. This means that end users would no longer have, or need, a secondary administrator account to perform business functions.
How PAM helps cleanup after a breach
With this in mind, how does PAM help with security breach cleanup?
During a security incident or breach, you first need to investigate and address the following:
- Determine which accounts were compromised and used for access and lateral movement.
- Determine where else any linked, compromised accounts are present and which resources use them. For example, the same account that was compromised on asset x or application y may also be used on assets a, b, and c for applications d, e, and f so that they can all communicate.
- Identify and purge any illicit or rogue accounts created by the threat actor.
- Identify, and remove or segment, any shadow IT, IoT, or other resource that was part of the cyberattack chain to protect against future threats.
- Analyze the accounts that have been compromised and determine the least amount of privilege needed for them to perform their functions. Most user and system accounts do not require full domain administrator, local administrator, or root rights.
- Analyze how data was used and accessed by the attacker during the breach. Was any IoC data captured while the privileged account was being abused? If so, did it help identify the threat? If not, determine what needs to change to monitor future misuse of privileged accounts. This covers privileged account usage as well as session monitoring and keystroke logging, where appropriate.
This analysis is not trivial. Tools are needed to discover accounts, identify resources, determine usage patterns, and, most importantly, flag any potential abuse. Even if all the log data is sent to a SIEM, it still requires correlation or user behavior analytics to answer these questions.
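As an added illustration (example code written for this edit, not code from the original post or from any BeyondTrust product), the following Python script does two of the things in the list above on a small constructed data set: it lists every resource that shares a compromised credential, it flags an account whose logons chain across several hosts in a short window (the shape a lateral-movement IoC takes in authentication records), and it reports logons to hosts where the inventory has no entry for that account. The inventory rows, log lines, host and account names, the 10-minute window and the three-host threshold are all constructed assumptions for the example.

```python
"""Added example: linked-resource discovery and a lateral-movement check.

Not code from the original post. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed credential inventory: (asset, account, credential fingerprint).
# The fingerprint stands in for a vault record ID or salted hash, never the
# secret itself; equal fingerprints mean the same secret is in use.
INVENTORY = [
    ("app-x", "svc_backup", "fp-1001"),
    ("asset-a", "svc_backup", "fp-1001"),
    ("asset-b", "svc_backup", "fp-1001"),
    ("asset-c", "svc_backup", "fp-1001"),
    ("asset-c", "svc_report", "fp-2002"),
    ("db-01", "svc_report", "fp-2002"),
    ("ws-17", "jdoe_admin", "fp-3003"),
]


def linked_resources(inventory, compromised_fingerprint):
    """Every (asset, account) pair that uses the compromised secret.

    All of these must be rotated together; rotating only the host where the
    compromise was noticed leaves the attacker a working copy elsewhere.
    """
    return sorted(
        (asset, account)
        for asset, account, fp in inventory
        if fp == compromised_fingerprint
    )


# Constructed authentication events: "<timestamp> <account> <source> <target>".
AUTH_LOG = """\
2024-03-01T02:14:05 svc_backup app-x asset-a
2024-03-01T02:14:40 svc_backup asset-a asset-b
2024-03-01T02:15:12 svc_backup asset-b asset-c
2024-03-01T02:16:03 svc_backup asset-c db-01
2024-03-01T09:00:00 svc_report asset-c db-01
2024-03-01T09:30:00 jdoe_admin ws-17 ws-17
"""


def parse_auth_log(text):
    """Parse the constructed log format into (time, account, src, dst)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return events


def lateral_movement_candidates(events, window=timedelta(minutes=10),
                                min_hosts=3):
    """Accounts that reach min_hosts distinct targets inside one window.

    A chain of hops (a -> b -> c -> d) by one account within minutes is how
    lateral movement shows up in logon records. The window and threshold are
    assumptions for this example; tune them to the environment.
    """
    by_account = defaultdict(list)
    for ts, account, _src, dst in sorted(events):
        by_account[account].append((ts, dst))
    flagged = {}
    for account, hops in by_account.items():
        for i, (start, _dst) in enumerate(hops):
            targets = {dst for ts, dst in hops[i:] if ts - start <= window}
            if len(targets) >= min_hosts:
                flagged[account] = sorted(targets)
                break
    return flagged


def unexpected_targets(events, inventory):
    """Logons by an account to a host where the inventory has no entry for it."""
    allowed = {(account, asset) for asset, account, _fp in inventory}
    return sorted({(account, dst) for _ts, account, _src, dst in events
                   if (account, dst) not in allowed})


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    print("linked:", linked_resources(INVENTORY, "fp-1001"))
    print("lateral:", lateral_movement_candidates(events))
    print("unexpected:", unexpected_targets(events, INVENTORY))
```

In the constructed data the backup service account hops through four hosts in two minutes and ends up on a database server the inventory never associated with it; both findings feed the rotation and least privilege steps that follow, and the same account-to-host check is what a SIEM correlation rule or a PAM session report would need to answer.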
Here are 5 ways PAM can help after a breach and should be considered an essential component of your cleanup efforts:
- After discovery, automatically onboard your privileged accounts and enforce unique and complex passwords with automatic rotation for each. This helps ensure that any persistent presence cannot repeatedly leverage compromised credentials.
- For any linked accounts, including service accounts, have your PAM solution link them and rotate them all together on a periodic schedule. This keeps the accounts synchronized and keeps their shared secret from being reused anywhere outside the link group.
- When applicable, remove unnecessary privileged accounts all the way down to the desktop. This includes any secondary administrator accounts associated with an identity. For any application, command, or task that requires administrative rights, consider a least privilege model that elevates the application, not the user, to perform privileged operations.
- Using PAM, look for IoCs that suggest lateral movement, either from commands or rogue user behavior. This is a critical portion of the cyberattack chain where PAM can help identify whether or not any resources have been compromised.
- Application control is one of the best defenses against malware. This capability includes checking, through reputation-based services, whether an otherwise trusted application carries known vulnerabilities. PAM can help here too: decide whether an application may run, based on trust and known risks, before it is allowed to interact with the user, data, network, and operating system.
Privileged access management should not only be considered for new projects and legacy systems to stop privileged attack vectors; it should also be considered a forensics and remediation control after an incident or breach. PAM helps stop a threat actor from acting on one of the lowest-hanging fruit in your organization: poor password and credential management.
As a security best practice, privileged access should always be limited. When a threat actor gains administrator or root credentials, they have the keys to your kingdom. The goal is to stop them from obtaining those credentials and to “rekey” the accounts by rotating passwords frequently, so that even if a password is stolen, its usefulness is limited and its use can be monitored for potential abuse. After an incident or breach, this helps ensure that any lingering persistent presence is mitigated, and it represents a valuable methodology in the cleanup and sustainment process.
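The onboarding and linked-rotation points in the list above, as an added Python example that is not the original post's code nor any PAM product's: the in-memory dicts stand in for a password safe and its history, the starting passwords, host and account names are constructed, and the 32-character length and four-character-class rule are assumptions chosen for the example. Members of a link group receive one shared new secret so the service they bridge keeps working; every other entry gets its own, and no new secret may match anything the safe has ever held.

```python
"""Added example: onboarding and rotating linked privileged accounts.

Not code from the original post or any PAM product; dicts stand in for a
password safe, and all names and starting secrets are constructed.
"""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECRET_LENGTH = 32  # assumption for this example


def generate_password(length=SECRET_LENGTH):
    """Cryptographically random secret containing all four character classes."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


# Constructed starting state as discovery might record it after a breach:
# the backup service reuses one password on every host it touches, and an
# unrelated reporting account shares a password with a person's admin account.
VAULT = {
    ("svc_backup", "app-x"): "Backup2023!",
    ("svc_backup", "asset-a"): "Backup2023!",
    ("svc_backup", "asset-b"): "Backup2023!",
    ("svc_backup", "asset-c"): "Backup2023!",
    ("svc_report", "db-01"): "Summer2023!",
    ("jdoe_admin", "ws-17"): "Summer2023!",
}

# Link group: svc_backup must present the same secret on every host it
# bridges, so those entries are rotated together as one unit.
LINK_GROUPS = {
    "svc_backup": [key for key in VAULT if key[0] == "svc_backup"],
}


def reuse_violations(vault, link_groups):
    """Secrets shared beyond a single link group, mapped to who shares them."""
    owner = {key: name for name, members in link_groups.items() for key in members}
    holders = {}
    for key, secret in vault.items():
        holders.setdefault(secret, set()).add(owner.get(key, key))
    return {secret: who for secret, who in holders.items() if len(who) > 1}


def rotate(vault, history, link_groups):
    """Replace every secret; members of a link group all get the same new one.

    Old secrets are appended to history and no new secret may equal anything
    the safe has held, so a credential the attacker captured cannot come back.
    Returns the set of rotated keys.
    """
    seen = set(vault.values()) | {s for old in history.values() for s in old}

    def fresh():
        while True:
            pw = generate_password()
            if pw not in seen:
                seen.add(pw)
                return pw

    def store(key, new_secret):
        history.setdefault(key, []).append(vault[key])
        vault[key] = new_secret

    rotated, grouped = set(), set()
    for members in link_groups.values():
        shared = fresh()
        for key in members:
            store(key, shared)
            grouped.add(key)
            rotated.add(key)
    for key in list(vault):
        if key not in grouped:
            store(key, fresh())
            rotated.add(key)
    return rotated


if __name__ == "__main__":
    vault, history = dict(VAULT), {}
    print("before:", reuse_violations(vault, LINK_GROUPS))
    rotate(vault, history, LINK_GROUPS)
    print("after:", reuse_violations(vault, LINK_GROUPS))
```

Running `reuse_violations` before rotation surfaces the cross-account sharing that discovery should catch; after rotation it returns nothing, the link group still holds one common secret, and every old password is only in history. In a real deployment the `store` step is where the PAM solution pushes the new secret to the target system and to every dependent service before committing, since a half-rotated link group breaks the service and leaves the old secret live.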
Morey J. Haber, Chief Security Advisor
Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 12-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as a part of the acquisition of eEye Digital Security, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.