Intelligent CISO Issue 11 | Page 34

PREDICTIVE INTELLIGENCE

solution to remove administrative rights for applications and tasks. This means that end users would no longer have, or need, a secondary administrator account to perform business functions.

PAM's role in clean-up after a breach

With this in mind, how does PAM help with security breach clean-up? During a security incident or breach, you first need to investigate and address the following:

• Determine which accounts were compromised and used for access and lateral movement
• Determine the presence and resources using any linked, compromised accounts. For example, the same account that was compromised on asset X or application Y is also used on assets A, B and C for applications D, E and F so they can all communicate
• Identify and purge any illicit or rogue accounts created by the threat actor
• Identify, and remove or segment, any shadow IT, IoT or other resource that was part of the cyberattack chain, to protect against future threats
• Analyse the accounts that have been compromised and determine the least amount of privileges needed for them to perform their functions. Most users and system accounts do not require full domain or local administrator or root accounts
• Analyse how data was used/accessed by the attacker during the breach. Was any IoC data captured during abuse of the privileged account? If data was captured, did it help identify the threat? If data was not captured, determine what needs to change to monitor future misuse of privileged accounts. This includes privileged account usage as well as session monitoring and keystroke logging, where appropriate.

This analysis is not trivial. Tools are needed to discover accounts, identify resources, determine usage patterns and, most importantly, flag any potential abuse. Even if all the log data is sent to a security information and event management (SIEM) system, it still requires correlation or user behaviour analytics to answer these questions.
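As an added illustration of the correlation work the article says a SIEM alone does not do for you (this is example code, not from the article or any PAM vendor), the script below runs the first four investigation questions over a handful of constructed authentication events: the blast radius of a known-compromised account (every host and application it touched), other accounts that authenticated on those same hosts and so are rotation candidates, accounts missing from the inventory or created after the incident started, and the multi-host-in-minutes pattern that the later "look for IoCs that suggest lateral movement" step refers to. The event format, account names, hosts, the inventory and the ten-minute/three-host threshold are all assumptions made for the example.

```python
"""Added example: offline blast-radius and lateral-movement checks over
constructed SIEM-style authentication events. Not the article's code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export: "timestamp,account,host,application,event".
# For "account_created" rows the account field is the newly created account.
SAMPLE_EVENTS = """\
2024-03-01T08:00:00,svc_backup,fileserver01,backup-agent,logon
2024-03-01T08:05:00,svc_backup,db01,backup-agent,logon
2024-03-01T08:06:00,svc_backup,app02,backup-agent,logon
2024-03-01T09:00:00,jsmith,ws-jsmith,outlook,logon
2024-03-01T21:15:00,jsmith,fileserver01,smb,logon
2024-03-01T21:17:00,jsmith,db01,rdp,logon
2024-03-01T21:19:00,jsmith,app02,rdp,logon
2024-03-01T21:30:00,svc_maint,dc01,adsi,account_created
2024-03-01T21:31:00,svc_maint,dc01,rdp,logon
"""

# Constructed account inventory and baseline of service accounts that are
# expected to touch many hosts quickly (so they are not flagged as movement).
KNOWN_ACCOUNTS = frozenset({"svc_backup", "jsmith", "administrator"})
MULTI_HOST_BASELINE = frozenset({"svc_backup"})


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    host: str
    app: str
    kind: str  # "logon" or "account_created"


def parse_events(text: str) -> list[Event]:
    """Parse the CSV-style export into time-ordered Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, account, host, app, kind = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), account, host, app, kind))
    return sorted(events, key=lambda e: e.ts)


def blast_radius(events, compromised):
    """Every host and application each compromised account was used on."""
    radius = {a: {"hosts": set(), "apps": set()} for a in compromised}
    for e in events:
        if e.account in radius:
            radius[e.account]["hosts"].add(e.host)
            radius[e.account]["apps"].add(e.app)
    return radius


def co_resident_accounts(events, compromised):
    """Accounts that authenticated to a host a compromised account also used.
    Their credentials may have been cached on the same box, so they are
    candidates for the linked-rotation step."""
    hosts = set()
    for r in blast_radius(events, compromised).values():
        hosts |= r["hosts"]
    return {e.account for e in events if e.host in hosts and e.account not in compromised}


def rogue_accounts(events, inventory, incident_start):
    """Accounts not in the inventory, or created once the incident began."""
    created = {e.account for e in events
               if e.kind == "account_created" and e.ts >= incident_start}
    unknown = {e.account for e in events} - set(inventory)
    return created | unknown


def lateral_movement(events, window=timedelta(minutes=10), min_hosts=3,
                     baseline=MULTI_HOST_BASELINE):
    """Accounts whose logons reach >= min_hosts distinct hosts inside one
    sliding window; baselined service accounts are suppressed."""
    per_account = defaultdict(list)
    for e in events:
        if e.kind == "logon" and e.account not in baseline:
            per_account[e.account].append(e)  # stays time-ordered
    flagged = {}
    for account, logons in per_account.items():
        for i, start in enumerate(logons):
            hosts = {x.host for x in logons[i:] if x.ts - start.ts <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = hosts
                break
    return flagged


def investigate(text=SAMPLE_EVENTS, compromised=frozenset({"jsmith"}),
                incident_start=datetime(2024, 3, 1, 21, 0)):
    """Run all four checks and return one report dict."""
    events = parse_events(text)
    return {
        "blast_radius": blast_radius(events, compromised),
        "rotate_too": co_resident_accounts(events, compromised),
        "rogue": rogue_accounts(events, KNOWN_ACCOUNTS, incident_start),
        "lateral_movement": lateral_movement(events),
    }


if __name__ == "__main__":
    for section, result in investigate().items():
        print(f"{section}: {result}")
```

In the constructed data the user account jsmith, compromised at the workstation, reaches three servers in four minutes after hours, while the backup service account shows the same multi-host shape every morning; the baseline set is what keeps the second from drowning out the first, which is the "determine usage patterns" part of the article's point.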
Once you have made the initial investigation, here are five ways PAM can help after a breach; it should be considered an essential component of your clean-up efforts:

1. After a discovery, automatically onboard your privileged accounts and enforce unique and complex passwords with automatic rotation for each. This will help ensure any persistent presence cannot repeatedly leverage compromised accounts.
2. For any linked accounts, have your PAM solution link and rotate them all together on a periodic schedule, including service accounts. This will keep the accounts synchronised and potentially isolated from other forms of password reuse. Regardless of your remediation strategy, you can be assured that, in some fashion or another, threat actors will have access to your credentials.
3. When applicable, remove unnecessary privileged accounts all the way down to the desktop. This includes any secondary administrator accounts associated with an identity. For any application, command or task that requires administrative rights, consider a least privilege model that elevates the application – not the user – to perform privileged management.
4. Using PAM, look for IoCs that suggest lateral movement, either from commands or rogue user behaviour. This is a critical portion of the cyberattack chain where PAM can help identify whether or not any resources have been compromised.
5. Application control is one of the best defences against malware. This capability includes looking for trusted applications that are vulnerable to threats by leveraging various forms of reputation-based services. PAM can help here too. Decide on an application's run-time based on trust

Issue 11 | www.intelligentciso.com