Hackers are what we might call the thorns and thistles of the internet. An egregious nuisance in the age of technology, and a poisonous problem in the evolving landscape of social and business interactions. It is not to be treated casually. To abate the risks of compromised admin accounts, we should take proactive measures to mitigate security vulnerabilities. In this post, we will cover seven quick steps to take when a particular hack occurs.
But first, let’s cover the basics.
A privileged user, who has primary control and unlimited access to proprietary and confidential data, manages an admin account. This account can be equated to the brain power of an organization and serves as the core of business operations.
When an unauthorized user—hacker or malicious actor gains the access privilege of an admin, they can install malware and make system-wide alterations such as password resets and domain security group membership changes. They could even go as far as creating legitimate looking accounts to allow for future malicious use. This may look like fraudulent changes being made from an imitation account, but can remain undetected because it looks like it is coming from an authorized source. Consequently, we can expect losses far worse than if a read-only or standard-level user clicked on something they shouldn’t have.
Unfortunately, the hostile nature of hackers makes it so that they embody the phrase: necessity is the mother of invention. What this implies is that despite having a robust security network, a determined cybercriminal can still engineer a way into your systems. They often achieve this with zero-day attacks, which exploit software and hardware vulnerabilities, or via compromised passwords traded on the dark web.
With a plethora of nifty tactics, technologies, and tools outfitted to gain control of your admin account, your response plan to threats and attacks matter. For an effective guide on simple ways to prepare your organization for commonplace threats, and prospective multi-stage attacks download our eBook: Foundations for Incident Response Readiness at no cost to you.
Seven steps improve your cybersecurity
The debilitating effects of a data breach are instant and extensive. However, advancements in cybersecurity are on a continuous improvement trajectory. Here are the promised seven steps to take to protect your systems:
- Disable Accounts and Change Passwords
The first step is simple: disable the affected user’s compromised account. You’ll need to reset all admin-level passwords, and just to be safe, you should have all other users reset their passwords too. If an admin-level hack compromises the credentials of other staff within your company, this is a good first step in preventing additional spread, disruption, or data loss.
- Enable Multi-Factor Authentication
While everyone is resetting their passwords, it is an excellent time to have all users adopt multi-factor authentication (MFA). This additional level of security will help make it harder for passwords to be compromised in the future.
- Examine Logs and Determine Failure Points
The next step is to conduct an extensive examination of your system activity logs to determine when and where the failures that increased the risks for a data breach occurred. It is important to note that no one is exempt from making mistakes. Anyone is susceptible to being tricked by a phishing email or lured to click on an attachment that contains malware. It doesn’t matter who opened a compromising asset on your system, or who left a port open - and it shouldn’t be about assigning blame. What matters is finding out how to plug the hole and prevent further damage.
- Trace, Find and Block External Source IP
A crucial step in data protection and system recovery is tracing the IP address and location of the attack and blocking all future access. For example, if the source is determined to be overseas, in a country that you do not have business dealings with, the simple solution may be to block all IPs from that geographic area. SIEM and EDR tools and services are viable options to help information security and threat detection, but have some notable drawbacks. MDR providers are also a recommended alternative to optimize your network security as they provide comprehensive 24/7 monitoring, investigation, and remediation.
- Security Incident Reporting and System Inventory
It is important to report a data breach to all relevant authorities and exercise compliance with applicable legislation as discussed here (talked about previously) After a cyber-attack, Privacy Officers will require records of the systems affected. It is helpful to the investigation to have a detailed inventory of the affected systems, compromised accounts and the response actions deployed.
Also, taking an inventory of your system is an opportunity to connect the web of potential network vulnerabilities by sourcing and checking each connection to ensure there is no residual or under the radar malicious activities because of the breach.
- Analyze Connected Apps
All external systems the affected user was connected to must be reviewed. To ensure no stone is left unturned, it is best practice to ask questions like what SaaS programs did they use? What integrations with clients or suppliers are they a part of? Are those clients or suppliers at risk because of the breach? If yes, promptly alert those parties.
- Analyze Connected Devices
Check what devices the affected user accessed remotely, as these present potential vectors of attack. Pay special attention to unusual usage patterns for such devices, including abnormal spikes in activity, and activity outside of typical usage hours. For instance, if you have a user who rarely works at 3 am, the odds are that’s malicious activity.
The Benefits of MDR
If you have managed detection and response capabilities, an additional area to check are the files the compromised user had access to, both locally and on any shared drives. If a malicious actor has moved files, it is unlikely that you will detect this on your own unless the files were saved after alteration.
ActZero’s Managed Detection and Response (MDR) Service will help identify occurrences of admin (or other user’s account) compromise. This is helpful where you might be concerned about sensitive or confidential data being compromised in such an attack, such as personally identifiable information or intellectual property. But the most significant benefit of ActZero’s MDR service is in helping prevent breaches. Our dedicated Threat Hunters and proprietary technology can detect suspicious behavior and other indicators of compromise (IOCs) as they happen and respond to them in real-time.
As the saying goes, give a hacker an inch and they will take a mile. If immediate steps to cybersecurity incident response are what you seek, look no further than our free eBook: Foundations for Incident Response Readiness. In it you will find real-world guidelines to help your business prepare in advance for cybersecurity incidents, and reduce the impact and likelihood of data breaches. But also, how to respond effectively, quickly should an incident occur, and with minimal disruption to your business processes. Download today!