PREDICTIVE INTELLIGENCE
solution to remove administrative rights for applications and tasks. This means that end users would no longer have, or need, a secondary administrator account to perform business functions.
PAM’s role in clean-up after a breach
With this in mind, how does PAM help with security breach clean-up? During a security incident or breach, you first need to investigate and address the following:
• Determine which accounts were compromised and used for access and lateral movement
• Determine where any linked, compromised accounts are present and which resources use them. For example, the same account that was compromised on asset X or application Y is also used on assets A, B and C for applications D, E and F so they can all communicate
• Identify and purge any illicit or rogue accounts created by the threat actor
• Identify, and remove or segment, any shadow IT, IoT or other resource that was part of the cyberattack chain, to protect against future threats
• Analyse the accounts that have been compromised and determine the least amount of privilege needed for them to perform their functions. Most user and system accounts do not require full domain or local administrator or root rights
• Analyse how data was used or accessed by the attacker during the breach. Was any IoC data captured during abuse of the privileged account? If data was captured, did it help identify the threat? If data was not captured, determine what needs to change to monitor future misuse of privileged accounts. This includes privileged account usage as well as session monitoring and keystroke logging, where appropriate.
This analysis is not trivial. Tools are needed to discover accounts, identify resources, determine usage patterns and, most importantly, flag any potential abuse. Even if all the log data is sent to a security information and event management (SIEM) system, it still requires correlation or user behaviour analytics to answer these questions.
Once you have completed the initial investigation, here are the five ways PAM can help after a breach; it should be considered an essential component of your clean-up efforts:
1. After discovery, automatically onboard your privileged accounts and enforce unique and complex passwords with automatic rotation for each. This will help ensure any persistent presence cannot repeatedly leverage compromised accounts.
2. For any linked accounts, have your PAM solution link and rotate them all together on a periodic schedule, including for service accounts. This will keep the accounts synchronised and potentially isolated from other forms of password reuse.
Regardless of your remediation strategy, you can be assured that, via some fashion or another, threat actors will have access to your credentials.
3. When applicable, remove unnecessary privileged accounts all the way down to the desktop. This includes any secondary administrator accounts associated with an identity. For any application, command or task that requires administrative rights, consider a least privilege model that elevates the application, not the user, to perform privileged management.
4. Using PAM, look for IoCs that suggest lateral movement, either from commands or rogue user behaviour. This is a critical portion of the cyberattack chain where PAM can help identify whether any resources have been compromised.
5. Application control is one of the best defences against malware. This capability includes looking for trusted applications that are vulnerable to threats by leveraging various forms of reputation-based services. PAM can help here too. Decide on an application’s run-time based on trust
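The linked-account inventory from the investigation checklist (the same account present on assets A, B and C) and the lateral-movement IoCs in point 4 both come down to correlating privileged logon records per account. The following is an added example, not code from the article or any PAM product, that runs that correlation over a constructed sample of logon events; the event shape (account, source host, destination host, timestamp) and the 15-minute hop window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of privileged logon events (account, source host,
# destination host, ISO timestamp). Not real data.
SAMPLE_EVENTS = [
    ("svc-backup", "workstation-7", "fileserver-1", "2024-03-01T09:00:00"),
    ("svc-backup", "fileserver-1", "db-2", "2024-03-01T09:04:00"),
    ("svc-backup", "db-2", "dc-1", "2024-03-01T09:07:00"),
    ("j.doe", "workstation-3", "fileserver-1", "2024-03-01T08:30:00"),
    ("j.doe", "workstation-3", "fileserver-1", "2024-03-01T12:15:00"),
    ("svc-backup", "fileserver-1", "backup-1", "2024-03-02T02:00:00"),
]

def parse_events(rows):
    return [(acct, src, dst, datetime.fromisoformat(ts)) for acct, src, dst, ts in rows]

def linked_assets(events):
    """Map each account to every asset it touched (as source or destination):
    the 'same account on assets A, B and C' inventory to build before rotating it."""
    assets = defaultdict(set)
    for acct, src, dst, _ in events:
        assets[acct].update((src, dst))
    return {acct: sorted(hosts) for acct, hosts in assets.items()}

def lateral_chains(events, window=timedelta(minutes=15), min_hops=2):
    """Flag accounts whose logons chain: each hop starts from the host that was the
    destination of the previous hop, within `window` of it. Returns the longest
    chain (list of hosts) per flagged account; min_hops is the hop count threshold."""
    by_acct = defaultdict(list)
    for acct, src, dst, ts in events:
        by_acct[acct].append((ts, src, dst))
    flagged = {}
    for acct, hops in by_acct.items():
        hops.sort()  # chronological order per account
        chain = [hops[0][1], hops[0][2]]
        best = list(chain)
        prev_dst, prev_ts = hops[0][2], hops[0][0]
        for ts, src, dst in hops[1:]:
            if src == prev_dst and ts - prev_ts <= window:
                chain.append(dst)          # pivot from the host just reached
            else:
                chain = [src, dst]         # chain broken: start a new one
            if len(chain) > len(best):
                best = list(chain)
            prev_dst, prev_ts = dst, ts
        if len(best) - 1 >= min_hops:      # hops = hosts - 1
            flagged[acct] = best
    return flagged

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(linked_assets(evs))
    print(lateral_chains(evs))
```

In the sample, svc-backup is flagged for a three-hop chain workstation-7 → fileserver-1 → db-2 → dc-1, while j.doe's repeated logons from the same workstation are not, since no hop starts from the previous destination.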
Issue 11 | www.intelligentciso.com