Incident response (IR) is a race against time. You bring in your internal or external IR team because there is enough evidence that something bad is happening, but you are still blind to its scope, impact and root cause. The common set of IR tools and practices gives IR teams the ability to discover malicious files and outbound network connections. The identity side, however, identifying the compromised user accounts that were used to spread across the network, remains unattended. This task has proved to be the most time-consuming part of the IR process and an uphill battle that buys attackers valuable time in which they can still inflict damage.
In this article, we analyze the root cause of the identity blind spot in IR and walk through sample IR scenarios in which it stands in the way of a fast and efficient process. We then introduce Silverfort's Unified Identity Protection platform and show how its real-time MFA and identity segmentation can close this blind spot and make the difference between a contained incident and a costly breach.
IR 101: Knowledge is power. Time is everything
The activation of an IR process can take a thousand forms. What they all share is that you suspect, or are even sure, that something is wrong, but you don't know exactly what, where, and how. If you're lucky, your team spotted the threat while it was still building up and had not yet reached its damaging goal. If you're not lucky, you become aware of the adversary's presence only after the impact has already erupted: encrypted machines, missing data, or some other form of malicious activity.
One way or another, the most pressing task once the IR process is rolling is to dispel the darkness and get clear information about the compromised entities in your environment. Once they are identified and validated, the attack can be contained by quarantining machines, blocking outbound traffic, removing malicious files, and resetting user accounts.
As it happens, that last task is far from trivial when it comes to compromised user accounts, and it introduces a challenge that is not yet solved. Let's understand why.
Identity IR gap no. 1: No moves in the playbook to detect compromised accounts
Unlike a malware file or a malicious outbound network connection, a compromised account doesn't do anything that is inherently malicious: it just accesses resources in the same way a normal account would. If it's an administrator account that logs into multiple workstations and servers every day, as is the case in many attacks, its lateral movement won't even look anomalous.
The result is that the compromised account is discovered only after compromised machines have been located and quarantined, and even then, you have to manually check every account that logged on to them. Once again, in a race against time, relying on manual and error-prone investigations creates a critical delay.
Identity IR gap no. 2: No playbook moves to immediately contain the attack and prevent further spread
As in real life, there is an immediate first-aid phase that precedes full treatment. The IR equivalent is to contain the attack within its current boundaries and ensure that it does not spread further, even before its active components have been discovered. At the network level, this is done by temporarily isolating segments that potentially host malicious activity from those that are not yet compromised. At the endpoint level, it is done by quarantining the machines on which malware is found.
Here too, the identity side lags behind. The only mitigations available are to disable the user account in AD or to reset its password. The first option is impractical because of the operational disruption it causes, especially in the case of a false positive. The second is no better: if the suspect account is a machine-to-machine service account, resetting its password can break the critical processes it runs, adding damage on top of what the attack itself caused. And if the attacker has compromised the identity infrastructure itself, a password reset is bypassed at once by simply switching to another account.
Identity IR gap no. 3: No playbook moves to reduce the exposed identity attack surface that adversaries target during the attack
The weaknesses that expose the identity attack surface to credential access, privilege escalation and lateral movement are blind spots for the posture and hygiene products in the security stack. This deprives the IR team of critical guidance about where compromise is likely, guidance that could have significantly accelerated the process.
Prominent examples are vulnerable authentication protocols such as NTLM (or, even worse, NTLMv1), misconfigurations such as accounts set up with unconstrained delegation, shadow administrators, stale users, and many others. Adversaries feed on these weaknesses as they live off the land. The inability to identify, reconfigure or protect the accounts and machines that carry these weaknesses turns IR into a game of cat and mouse: while the analyst is busy checking whether account A is compromised, adversaries are already exploiting the compromised account B.
Bottom line: no tools, no shortcuts, just slow, manual log analysis while the attack is in full swing
So, this is the status quo: when the IR team finally has to figure out which user accounts the attacker is using to spread in your environment, it has to do so by hand. This is the secret no one talks about and the real root cause of why lateral movement attacks are so successful and so hard to contain, even when the IR process is already underway.
This is the challenge that Silverfort solves.
Silverfort unified identity protection for IR operations
Silverfort's Unified Identity Protection platform integrates with on-premises and cloud identity infrastructure (Active Directory, Entra ID, Okta, Ping, etc.). This integration gives Silverfort full visibility into every authentication and login attempt, real-time enforcement that prevents malicious logins with MFA or access blocking, and automated service account discovery and protection.
Let’s see how these features accelerate and optimize the identity IR process:
Detect compromised accounts with MFA, without operational disruption
Silverfort is the only solution that can apply MFA protection to all AD authentication, including command-line tools such as PsExec and PowerShell. With this capability, a single policy that requires every user account to verify its identity with MFA can surface all compromised accounts within minutes.
Once the policy is configured, the flow is simple:
- The attacker tries to continue their malicious access and logs into a machine with the compromised account's credentials.
- The real user receives an MFA prompt and denies it, since they never requested access to that resource.
Objective no. 1 achieved: there is now proof beyond doubt that this account is compromised.
Side note: now that a validated compromised account exists, all that is left is to filter the Silverfort log screen for every machine this account logged in to.
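The two manual steps from gap no. 1 and from the side note above, checking which user accounts logged on to a quarantined host and then pivoting from a confirmed-compromised account to every host it touched, come down to filtering Windows Security event ID 4624. The following is an added example, not Silverfort code: EVENTS is a constructed sample whose fields mirror the 4624 EventData names, and the host names, IPs and account names are made up. In a real case the records would come from Get-WinEvent, an EVTX parser or the SIEM.

```python
"""Pivoting Windows logon events (Security event ID 4624) to answer two
questions: which user accounts logged on to a quarantined host, and which
hosts a confirmed-compromised account has touched.

Added example, not Silverfort code. EVENTS is a constructed sample.
"""
from collections import defaultdict

# 4624 LogonType values that matter for lateral-movement triage.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

# Built-in principals that show up in 4624 but are not accounts to investigate.
NOISE_ACCOUNTS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}

# Constructed sample. "Computer" is the host that recorded the event (the target);
# "IpAddress" is where the logon request came from ("-" for local console logons).
EVENTS = [
    {"Time": "2024-05-02T08:01:00", "Computer": "WS01", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "LogonType": 2, "IpAddress": "-"},
    {"Time": "2024-05-02T08:05:00", "Computer": "WS01", "TargetUserName": "WS01$",
     "TargetDomainName": "CORP", "LogonType": 5, "IpAddress": "-"},
    {"Time": "2024-05-02T09:10:00", "Computer": "WS01", "TargetUserName": "jdoe_adm",
     "TargetDomainName": "CORP", "LogonType": 10, "IpAddress": "10.0.5.77"},
    {"Time": "2024-05-02T09:12:00", "Computer": "SRV-FILE01", "TargetUserName": "jdoe_adm",
     "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.0.1.11"},
    {"Time": "2024-05-02T09:13:00", "Computer": "SRV-FILE01", "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "LogonType": 3, "IpAddress": "10.0.1.11"},
    {"Time": "2024-05-02T09:20:00", "Computer": "SRV-DB01", "TargetUserName": "jdoe_adm",
     "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.0.1.11"},
    {"Time": "2024-05-02T09:25:00", "Computer": "SRV-FILE01", "TargetUserName": "bob",
     "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.0.1.12"},
    {"Time": "2024-05-02T09:30:00", "Computer": "SRV-FILE01", "TargetUserName": "SRV-FILE01$",
     "TargetDomainName": "CORP", "LogonType": 5, "IpAddress": "-"},
]


def is_user_account(name):
    """Drop machine accounts (trailing '$') and built-in principals."""
    return not name.endswith("$") and name.upper() not in NOISE_ACCOUNTS


def accounts_on_host(events, host):
    """The manual check from gap no. 1: every user account that obtained a
    logon session on `host`, mapped to the (logon type, source IP) pairs seen."""
    seen = defaultdict(set)
    for e in events:
        if e["Computer"].upper() != host.upper():
            continue
        if e["LogonType"] not in LOGON_TYPES or not is_user_account(e["TargetUserName"]):
            continue
        seen[e["TargetUserName"]].add((LOGON_TYPES[e["LogonType"]], e["IpAddress"]))
    return dict(seen)


def hosts_for_account(events, account):
    """The pivot from the side note: once an account is confirmed compromised,
    list every host it logged on to, in time order, with logon type and source IP."""
    rows = [
        (e["Time"], e["Computer"], LOGON_TYPES[e["LogonType"]], e["IpAddress"])
        for e in events
        if e["TargetUserName"].lower() == account.lower() and e["LogonType"] in LOGON_TYPES
    ]
    return sorted(rows)


def blast_radius(events, seed_account):
    """One iteration of the pivot: hosts touched by the seed account are
    quarantine candidates, and every other user account seen on those hosts
    is the next set of accounts to validate. Returns (hosts, accounts), sorted."""
    hosts = {host for _, host, _, _ in hosts_for_account(events, seed_account)}
    accounts = set()
    for host in hosts:
        accounts.update(accounts_on_host(events, host))
    accounts.discard(seed_account)
    return sorted(hosts), sorted(accounts)


if __name__ == "__main__":
    print("Accounts on quarantined host SRV-FILE01:", accounts_on_host(EVENTS, "SRV-FILE01"))
    print("Hosts touched by jdoe_adm:", hosts_for_account(EVENTS, "jdoe_adm"))
    print("Blast radius of jdoe_adm:", blast_radius(EVENTS, "jdoe_adm"))
```

Without an MFA verdict, every account that blast_radius() returns (alice and bob in the sample) has to be validated by hand before the loop can run again, which is exactly the delay the text describes; with one, each denied prompt feeds the next seed account directly.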
Contain the attack with MFA and access blocking policies
The MFA policy described above not only detects which accounts are compromised, it also prevents any further spread of the attack: the attacker cannot pass the MFA prompt, so each attempted logon is denied. This lets the IR team freeze the adversary's foothold where it is and ensure that assets not yet compromised remain intact.
Disruption-free protection revisited: zooming in on service accounts
Special attention should be paid to service accounts, which are heavily abused by threat actors. These machine-to-machine accounts are not tied to a human user, so there is no one to answer an MFA prompt and they cannot be protected with MFA.
However, Silverfort automatically discovers these accounts and learns their repetitive behavioral patterns. With this visibility, Silverfort lets you configure policies that block access whenever a service account deviates from its learned behavior. This way, the account's standard activity is never interrupted, while any malicious attempt to abuse it is blocked.
Objective no. 2 achieved: the attack is contained and the IR team can quickly move on to the investigation
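A behavior-baseline policy of the kind just described can be sketched in a few dozen lines. The following is an added example and not Silverfort's implementation: HISTORY is a constructed learning window of (account, source host, target host, logon type, auth package) tuples, the fields an IR team would pull from 4624 events; the rule in guess_service_accounts() for telling service accounts from humans is an assumption of this example, not a documented product rule; all names are made up.

```python
"""Behavior-baseline policy for service accounts: identify machine-to-machine
accounts from their repetitive logon pattern, learn that pattern, and block
any logon that deviates from it.

Added example, not Silverfort's implementation. HISTORY is constructed.
"""
from collections import defaultdict

# 4624 logon types a machine-to-machine account has no business using.
INTERACTIVE_TYPES = {2, 10, 11}  # console, RDP, cached-credential logon

# Constructed history. svc_backup runs from BACKUP01 to two file servers,
# svc_sql links SRV-DB01 to SRV-DB02; alice and bob are humans.
HISTORY = [
    ("svc_backup", "BACKUP01", "SRV-FILE01", 3, "Kerberos"),
    ("svc_backup", "BACKUP01", "SRV-FILE02", 3, "Kerberos"),
    ("svc_backup", "BACKUP01", "SRV-FILE01", 3, "Kerberos"),
    ("svc_backup", "BACKUP01", "SRV-FILE02", 3, "Kerberos"),
    ("svc_backup", "BACKUP01", "SRV-FILE01", 3, "Kerberos"),
    ("svc_sql", "SRV-DB01", "SRV-DB02", 3, "Kerberos"),
    ("svc_sql", "SRV-DB01", "SRV-DB02", 3, "Kerberos"),
    ("svc_sql", "SRV-DB01", "SRV-DB02", 3, "Kerberos"),
    ("alice", "WS01", "WS01", 2, "Kerberos"),
    ("alice", "WS01", "SRV-FILE01", 3, "Kerberos"),
    ("alice", "WS01", "SRV-FILE01", 3, "Kerberos"),
    ("bob", "WS02", "SRV-FILE01", 3, "Kerberos"),
]


def guess_service_accounts(history, min_logons=3):
    """Heuristic (an assumption of this example): treat an account as a service
    account when it has enough history, never logs on interactively, and keeps
    repeating a small number of distinct patterns."""
    per_account = defaultdict(list)
    for acct, src, dst, ltype, pkg in history:
        per_account[acct].append((src, dst, ltype, pkg))
    result = set()
    for acct, logons in per_account.items():
        if len(logons) < min_logons:
            continue
        if any(ltype in INTERACTIVE_TYPES for _, _, ltype, _ in logons):
            continue
        if len(set(logons)) * 2 <= len(logons):  # each pattern seen twice on average
            result.add(acct)
    return result


def build_baseline(history, service_accounts):
    """baseline[account] = set of (source, target, logon type, auth package) observed."""
    baseline = defaultdict(set)
    for acct, src, dst, ltype, pkg in history:
        if acct in service_accounts:
            baseline[acct].add((src, dst, ltype, pkg))
    return dict(baseline)


def evaluate(baseline, event):
    """Real-time decision for one logon: ("allow" | "block", reason).
    Accounts outside the baseline are left to the MFA policy described earlier."""
    acct, src, dst, ltype, pkg = event
    if acct not in baseline:
        return "allow", "not a service account; MFA policy applies instead"
    known = baseline[acct]
    if ltype in INTERACTIVE_TYPES:
        return "block", f"interactive logon (type {ltype}) by a service account"
    if (src, dst, ltype, pkg) in known:
        return "allow", "matches learned pattern"
    # Deviation: report which element of the pattern is new.
    if src not in {s for s, _, _, _ in known}:
        return "block", f"unknown source host {src}"
    if dst not in {d for _, d, _, _ in known}:
        return "block", f"unknown target host {dst}"
    if pkg not in {p for _, _, _, p in known}:
        return "block", f"unknown authentication package {pkg}"
    return "block", "unknown combination of known elements"


if __name__ == "__main__":
    baseline = build_baseline(HISTORY, guess_service_accounts(HISTORY))
    for ev in [
        ("svc_backup", "BACKUP01", "SRV-FILE02", 3, "Kerberos"),  # routine job
        ("svc_backup", "WS01", "SRV-FILE01", 3, "NTLM"),          # credentials reused from a workstation
        ("svc_backup", "BACKUP01", "DC01", 3, "Kerberos"),         # job host reaching for a DC
        ("svc_sql", "SRV-DB01", "SRV-DB02", 10, "Kerberos"),       # RDP with a service account
        ("alice", "WS01", "SRV-FILE01", 3, "Kerberos"),
    ]:
        print(ev, "->", evaluate(baseline, ev))
```

The point of the ordering in evaluate() is the one the text makes: the routine job is never interrupted because it matches the learned tuple exactly, while the stolen-credential cases (a new source host, a new target, an interactive logon) are blocked with a reason the analyst can act on, and no password has to be reset.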
Eliminate exposed weaknesses in the identity attack surface
Silverfort's visibility into every authentication and login attempt in your environment helps you discover and mitigate the common weaknesses attackers take advantage of. Some examples:
- Set MFA policies for all shadow administrators
- Set access-blocking policies for any NTLMv1 authentication
- Discover all accounts configured without Kerberos preauthentication
- Discover all accounts configured with unconstrained delegation
This reduction of the attack surface usually takes place during the initial "first aid" phase.
Objective no. 3 achieved: identity weaknesses are mitigated and cannot be used for malicious propagation.
Bottom line: acquiring identity IR capabilities is critical. Are you ready?
Compromised accounts play a key role in more than 80% of cyberattacks, which makes the risk of being affected almost a certainty. Security stakeholders should invest in IR tools that address this gap, to ensure they can respond efficiently when such an attack occurs.
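Several of the weaknesses listed above (unconstrained delegation, missing Kerberos preauthentication, stale users, NTLMv1 use) can also be spotted from data an IR team already has: a directory export and the 4624 logon events. The following is an added example and not Silverfort's checks. The bit values are the documented userAccountControl flags; DIRECTORY and LOGONS are constructed samples with made-up names, the 90-day staleness threshold is an assumption, and the "privileged account that can still be delegated" check is an extra hardening point beyond the list in the text.

```python
"""Finding exposed identity weaknesses from a directory export (userAccountControl
bits, group membership) and from Security 4624 logon events (NTLMv1 use).

Added example; not Silverfort's checks. DIRECTORY and LOGONS are constructed.
"""
# userAccountControl bits (documented flag values)
ACCOUNTDISABLE = 0x2
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
DONT_REQ_PREAUTH = 0x400000                 # Kerberos preauthentication not required
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
DOMAIN_CONTROLLERS_RID = 516  # primaryGroupID of domain controllers
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}


def ldap_filter(flag):
    """LDAP filter selecting objects with `flag` set; usable as-is with
    Get-ADObject -LDAPFilter or ldapsearch against the live directory."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag})"


# Constructed directory export (0x2000 = server trust account, 0x1000 = workstation
# trust account, 0x200 = normal user account). lastLogonDays is days since last logon.
DIRECTORY = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | TRUSTED_FOR_DELEGATION,
     "primaryGroupID": DOMAIN_CONTROLLERS_RID, "memberOf": [], "lastLogonDays": 0},
    {"sAMAccountName": "SRV-APP01$", "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION,
     "primaryGroupID": 515, "memberOf": [], "lastLogonDays": 0},
    {"sAMAccountName": "legacy_svc", "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH,
     "primaryGroupID": 513, "memberOf": [], "lastLogonDays": 3},
    {"sAMAccountName": "jdoe_adm", "userAccountControl": 0x200,
     "primaryGroupID": 513, "memberOf": ["Domain Admins"], "lastLogonDays": 1},
    {"sAMAccountName": "da_hardened", "userAccountControl": 0x200 | NOT_DELEGATED,
     "primaryGroupID": 513, "memberOf": ["Domain Admins"], "lastLogonDays": 2},
    {"sAMAccountName": "olduser", "userAccountControl": 0x200,
     "primaryGroupID": 513, "memberOf": [], "lastLogonDays": 200},
    {"sAMAccountName": "disabled_old", "userAccountControl": 0x200 | ACCOUNTDISABLE,
     "primaryGroupID": 513, "memberOf": [], "lastLogonDays": 400},
]


def find_weaknesses(directory, max_idle_days=90):
    """Return {weakness: [sAMAccountName, ...]}. The idle threshold is an assumption."""
    out = {"unconstrained_delegation": [], "no_preauth": [],
           "privileged_delegatable": [], "stale_enabled": []}
    for obj in directory:
        uac, name = obj["userAccountControl"], obj["sAMAccountName"]
        enabled = not uac & ACCOUNTDISABLE
        # Domain controllers are trusted for delegation by design; everything else is a finding.
        if uac & TRUSTED_FOR_DELEGATION and obj["primaryGroupID"] != DOMAIN_CONTROLLERS_RID:
            out["unconstrained_delegation"].append(name)
        if uac & DONT_REQ_PREAUTH and enabled:
            out["no_preauth"].append(name)
        # Privileged accounts should carry NOT_DELEGATED so their tickets cannot be relayed.
        if PRIVILEGED_GROUPS & set(obj["memberOf"]) and not uac & NOT_DELEGATED:
            out["privileged_delegatable"].append(name)
        if enabled and obj["lastLogonDays"] > max_idle_days:
            out["stale_enabled"].append(name)
    return out


# Constructed 4624 events; LmPackageName is "NTLM V1", "NTLM V2", "LM" or "-".
LOGONS = [
    {"TargetUserName": "alice", "Computer": "SRV-FILE01", "IpAddress": "10.0.5.20",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
    {"TargetUserName": "bob", "Computer": "SRV-FILE01", "IpAddress": "10.0.5.21",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"TargetUserName": "scanner_svc", "Computer": "SRV-FILE01", "IpAddress": "10.0.9.5",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
]


def ntlmv1_logons(events):
    """Accounts still authenticating with NTLMv1 (or LM), with target host and source IP."""
    return sorted(
        (e["TargetUserName"], e["Computer"], e["IpAddress"])
        for e in events
        if e["AuthenticationPackageName"] == "NTLM" and e["LmPackageName"] in {"NTLM V1", "LM"}
    )


if __name__ == "__main__":
    print(ldap_filter(DONT_REQ_PREAUTH))
    print(find_weaknesses(DIRECTORY))
    print(ntlmv1_logons(LOGONS))
```

The LDAP filters returned by ldap_filter() are what you would hand to Get-ADObject -LDAPFilter to pull the same objects from the live directory. The NTLMv1 report is the prerequisite for the blocking policy in the list above: the accounts it names (scanner_svc in the sample) have to be fixed before NTLMv1 is refused domain-wide, which on domain controllers is the LmCompatibilityLevel = 5 setting ("Send NTLMv2 response only. Refuse LM & NTLM").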
To learn more about the IR capabilities of the Silverfort platform, contact one of our experts to schedule a quick demo.