Skip to main content

Using PAM for Cyber Forensics & Security Breach Remediation―Key to a Safer 2019

By: Morey Haber, CTO, BeyondTrust

No one wants to respond to a security incident or a breach, particularly at the start of a new year! Instead the highest priority should be to stop a cyberthreat before it compromises the organization. But in reality, preventing a cyberattack from landing is not always possible. The steps for incident or breach identification―from threat hunting to searching for explicit Indicators of Compromise (IoC)—are well established. While the processes will vary from organization to organization, malware, compromised accounts, lateral movement, etc. will all need to be addressed as a part of any formal clean-up plan.

If a breach is severe enough (for example, including the compromise of domain controllers), organizations may have no choice other than to reinstall the entire environment from scratch. While that is a worst-case scenario, it does happen. In many cases, businesses may choose to scrub servers as best as possible versus performing a complete reinstall. That is a business decision based on risk, feasibility, and cost. It also represents a no-win scenario if the threat is a persistent presence that uses techniques to evade traditional identification measures. If you think that is far-fetched, just look at the history of threats like rootkits, Spectre, and Meltdown that prove that there is always a way to attack a technology resource.

Threat actors are after your credentials
Regardless of your remediation strategy, you can be assured that, via some fashion or another, threat actors will have access to your credentials. This implies that any clean-up effort should not reuse any existing passwords or keys. If possible, you should change (rotate) all credentials across every affected or linked resource. This is where Privileged Access Management (PAM) comes into play. The clean-up or redeployment needs to be protected from password reuse or from a threat actor regaining a persistent presence due to poor credential management, as remediation efforts begin.

Password management is a core aspect of PAM, and includes the automatic onboarding, rotation, session management, reporting, and check-in and check-out of passwords from a password safe. While PAM technology is most prominently used for privileged passwords like administrator, root, service accounts, and DevOps secrets, it can also be used as a least privilege solution to remove administrative rights for applications and tasks. This means that end users would no longer have, or need, a secondary administrator account to perform business functions.

PAM’s role in clean-up after a breach
With this mind, how does PAM help with security breach clean-up? During a security incident or breach, you first need to investigate and address the following:

  • Determine which accounts were compromised and used for access and lateral movement.
  • Determine the presence and resources using any linked, compromised accounts. For example, the same account that was compromised on asset X or application Y is also used on assets A, B and C for applications D, E and F so they can all communicate.
  • Identify and purge any illicit or rogue accounts created by the threat actor.
  • Identify, and remove or segment, any shadow IT, IoT, or other resource that was part of the cyberattack chain, to protect against future threats.
  • Analyze the accounts that have been compromised and determine the least amount of privileges needed for them to perform their functions. Most users and system accounts do not require full domain or local administrator or root accounts.
  • Analyze how data was used/accessed by the attacker during the breach. Was any IoC data captured during abuse of the privileged account? If data was captured, did it help identify the threat? If data was not captured, determine what needs to change to monitor future misuse of privileged accounts. This includes privileged account usage as well as session monitoring and keystroke logging, where appropriate.

This analysis is not trivial. Tools are needed to discover accounts, identify resources, determine usage patterns, and, most importantly, flag any potential abuse. Even if all the log data is sent to a security information and event management (SIEM), it still requires correlation or user behavior analytics to answer these questions.

Once you have made the initial investigation, here are the five ways PAM can help after a breach and should be considered an essential component of your clean-up efforts:

1. After a discovery, automatically onboard your privileged accounts and enforce unique and complex passwords with automatic rotation for each. This will help ensure any persistent presence cannot repeatedly leverage compromised accounts.
2. For any linked accounts, have your PAM solution link and rotate them all together on a periodic schedule; including for service accounts. This will keep the accounts synchronized and potentially isolated from other forms of password reuse.
3. When applicable, remove unnecessary privileged accounts all the way down to the desktop. This includes any secondary administrator accounts associated with an identity. For any application, command, or task that requires administrative rights, consider a least privilege model that elevates the application--not the user—to perform privileged management.
4. Using PAM, look for IoCs that suggest lateral movement, either from commands or rogue user behavior. This is a critical portion of the cyberattack chain where PAM can help identify whether or not any resources have been compromised.
5. Application control is one of the best defenses against malware. This capability includes looking for trusted applications that are vulnerable to threats by leveraging various forms of reputation-based services. PAM can help here too. Decide on an application’s runtime based on trust and known risks before it is allowed to interact with the user, data, network, and operating system.

Privileged access management should not only be considered for new projects and legacy systems to stop privileged attack vectors. It should be considered for forensics and remediation control after an incident or breach. PAM will help stop a threat actor from acting on some of the lowest hanging fruit within your organization―poor password and credential management.

As a security best practice, privileged access should always be limited. When a threat actor gains administrator or root credentials, they do have the keys to your kingdom. The goal is stop them from obtaining them and “rekeying” the accounts via passwords on a frequent basis, so even if they steal a password, their usage can be limited and monitored for potential abuse. Therefore, after an incident or breach, this helps ensure that any lingering persistent presence can be mitigated and represents a valuable methodology in the clean-up and sustainment process.

- Ends - 


Popular posts from this blog

Cloud Computing powering India’s priority of ‘Digital-first country’

By: Sunil Mahale, India MD and VP, Nutanix
Digital transformation has been recognized as being vital to the growth of our nation. This transformation has enjoyed the unanimous approval and contribution from all stake holders including enterprises, MSMEs, government bodies and citizens. But this level of adoption in a country with a population of over a billion people would need a robust technology base that is capable to collecting and distributing vital data seamlessly.
Digital India envisions creating high speed digital highways, that will impact commerce and create a digital footprint for every individual. Technologies based on mobility, analytics, Internet of things and most importantly, cloud technologies are the building blocks for the digital India missionThere is a growing need to manage huge volumes of data, and making them readily available to public through digital cloud services. Cloud has a pivotal role in enabling this change.
While Data centers have become crucial to th…

RevStart launches its RevItUp Incubation Programme

Underlining its vision of creating a nurturing ecosystem for start-ups to grow in, RevStart, a co-working and incubation centre, has announced the launch of its RevItUp Incubation Programme. The 12-week long programme will be held at RevStart Incubation Centre in Noida from July 1, 2018 onwards. As part of the programme, RevStart will select five high potential start-ups from the ed-tech sector, AI, Consumer Internet, Sustainability, as well as for-profit social impact companies to assist them with developing their business, along with connecting them to global mentors across industries and sectors. In addition, start-ups selected for the programme will receive INR 5 lakh to Rs. 25 lakhs worth of cash and benefits, while RevStart will get an equity stake in the ventures.
The RevItUp Incubation Programme has been created to enhance the founding team’s industry, product, and company building knowledge and capabilities through a world-class curriculum. The programme will focus on tailor…

The Workplace of the Future

By: Arnab Ghosh – Director, Synergy Property Development Services)
Workplaces are undergoing a major transformation today to stay relevant. Conventional space planning and design approach for office space are slowly but steadily changing across the globe. What was a trickle a decade back is snowballing into a movement as we speak? The nature of the work we do and the time we spend in our workplace is driving this change. 
The Social Workplace The original office in the west was originally based on the factory floor design. The Workers occupied the maximum space followed by Managers and the Senior Executives in their glass cabins. The term “productivity” also has industrial roots. There were well-defined tasks and targets for the employees to achieve in their working time. All these have changed drastically over the last few decades and going to change further in the future. The culture of organizations has to adapt to this change to stay ahead and retain talent. Productivity is no long…