A common tactic used by hackers once they have landed within your environment is to escalate their level of access by compromising a user with administrative privileges. In this post, we cover the issues with admin accounts being compromised, and the steps you can take if you believe one of yours has been.
To have a privileged user or an admin compromised instantly jeopardizes the cybersecurity of an entire organization. With the access power of a privileged user or admin, a malicious actor can gain widespread access, install malware, and make system-level alterations. This can open you up to losses far worse than if a read-only or standard-level user clicked on something they shouldn't. A hacker who gains admin level access could potentially manage privileged user accounts or groups, reset passwords, change domain security group memberships, or even create legitimate-looking accounts to allow for future malicious use. All of this would be difficult to trace, given that it looks like it's coming from an authorized source.
Unfortunately, no matter how robust your security hygiene is, accidents can happen, or a clever, determined hacker can find a way into your system. Many times this is from zero-day attacks undetected by your antivirus, or via compromised passwords traded on the dark web. Hackers have many other tactics at their disposal to attempt to gain this level of control - it's what you can do about it once it happens that we are focusing on today.
So what can you do if these privileged users are compromised? Here are seven steps to take to protect your systems:
The first step should be the most basic: disable the affected user's compromised account. You'll need to reset all admin-level passwords, and just to be safe, you should have all other users reset their passwords, too. If anyone else's credentials have been compromised as a result of an admin-level hack, this is a good first step in preventing additional spread, disruption or data loss.
While everyone is resetting their passwords anyway, now is an excellent time to have all users adopt multi-factor authentication (MFA). This additional level of security will help make it harder for passwords to be compromised in the future.
The next step will be to examine your system activity logs to determine when and where failures took place which allowed your system to be breached.
You need to look top to bottom throughout the organization at this point. Anyone can make a mistake. Anyone can be tricked by a phishing email or mistakenly click on an attachment that contains malware. It doesn't matter who opened up a compromising asset on your system, or who left a given port open - and it shouldn't be about assigning blame. What matters is finding out how to plug the hole and prevent further damage.
You need to find the IP address the attack came from and block it. You need to do anything you can to block off future access from that IP or related ones, so pay particular attention to where the IP is located. If it's overseas in a country that you don't do any business with, the most natural solution may be simply to block all IPs from that geographic area. Increasingly this information is stored in EDR or SIEM tools to help with the search. If those aren't tools you have, an MDR provider is another alternative.
Then comes report time. You need to report the breach to any relevant authorities and ensure you're compliant with applicable legislation, as we've talked about previously.
Part of this documentation process should involve an inventory of the internal systems that the compromised user had access to. Think of it as a web of connecting potential vulnerabilities. Each connection has to be sourced and checked to ensure there's been no malicious activity as a result of the breach. Privacy Officers will ask for the number of records or systems affected, so it’s helpful to inventory whether these systems had sensitive files on them. Always keep records of where your sensitive data is to help with this collection.
After that, you need to take account of any external systems the affected user was involved with. What SaaS programs did they use? What integrations with clients or suppliers are they part of? Are those clients or suppliers at risk because of the breach? You'll need to alert those parties, one way or the other.
Be sure also to check what, if any, devices the affected user was able to access remotely, as these also present potential vectors of attack. Pay special attention to unusual usage patterns for such devices, including unusual spikes in activity, and activity outside of typical usage hours. If you have a user who isn't typically doing a lot of work at 3 am, well, the odds are that's malicious activity.
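As an added example that is not part of the original post or of ActZero's tooling, the following Python triage script looks for the two patterns described above, successful logons outside typical working hours and a source IP that racked up failures before a success, over a constructed authentication log excerpt. The record layout, the business-hours window and the failure threshold are assumptions; adapt them to your own log source.

```python
from collections import Counter
from datetime import datetime

# Constructed sample authentication records (not from any real system).
# Assumed layout: "timestamp user source_ip outcome"
SAMPLE_LOG = """\
2024-03-04T09:12:01 jdoe 10.0.0.15 success
2024-03-04T09:40:22 admin-ops 10.0.0.20 success
2024-03-04T14:05:09 jdoe 10.0.0.15 success
2024-03-05T03:02:11 admin-ops 198.51.100.7 failure
2024-03-05T03:02:15 admin-ops 198.51.100.7 failure
2024-03-05T03:02:19 admin-ops 198.51.100.7 failure
2024-03-05T03:02:24 admin-ops 198.51.100.7 success
2024-03-05T03:10:40 admin-ops 198.51.100.7 success
2024-03-05T10:00:00 jdoe 10.0.0.15 success
"""

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 treated as normal (assumption)
FAILURE_THRESHOLD = 3          # failures from one IP/user pair before it is suspicious

def parse_log(text):
    """Turn the whitespace-separated records into dicts with a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, outcome = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "outcome": outcome})
    return events

def off_hours_logons(events):
    """Successful logons outside business hours, e.g. the 3 am case."""
    return [e for e in events
            if e["outcome"] == "success" and e["time"].hour not in BUSINESS_HOURS]

def suspicious_sources(events):
    """Source IPs that reached a success after a burst of failures for the same user."""
    failures = Counter()
    flagged = set()
    for e in sorted(events, key=lambda ev: ev["time"]):
        key = (e["ip"], e["user"])
        if e["outcome"] == "failure":
            failures[key] += 1
        elif failures[key] >= FAILURE_THRESHOLD:
            flagged.add(e["ip"])  # candidate for the block list
    return sorted(flagged)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in off_hours_logons(evs):
        print(f"off-hours logon: {e['user']} from {e['ip']} at {e['time']}")
    print("block candidates:", suspicious_sources(evs))
```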
One additional area that is helpful to check, if you have managed detection and response capabilities, is the files the affected user had access to, both local and on any shared drives. If a malicious actor has moved files, it's unlikely that you will be able to detect that on your own unless the files were saved after they were altered.
ActZero's Managed Detection and Response (MDR) Service will help identify occurrences of admin compromise or data exfiltration, without the necessity of threat actors having saved or changed files. This is helpful in instances where you might be concerned about sensitive or confidential data being compromised in such an attack, such as personally identifiable information or intellectual property.
But the most significant benefit of ActZero's MDR service is in helping prevent breaches in the first place. Our dedicated Threat Hunters and proprietary technology can detect suspicious behaviour and other indicators of compromise (IOCs) as they happen and respond to them in real-time.
You can also take advantage of our Virtual CISO (vCISO) program. Your vCISO will be an experienced security leader who can help you build cybersecurity policies, adhere to regulatory frameworks, and demonstrate your risk reduction efforts.
To learn more about how ActZero can help protect your business, reach out to us now.