The repercussions of a network intrusion can be extremely detrimental and demanding for any organization. Before returning to business as usual after a breach, enterprises must ensure that all threat actors have been evicted from the network and are not able to enter again. An effective manner of preparing for success prior to an intrusion is understanding what allows for a smooth eviction process. Proactively planning for an eviction requires effective and mature password reset capabilities, solid password management practices and good multifactor authentication (MFA) standards.
Ensure a Thorough Inventory
When planning for an eviction, it is useful to consider account and network inventories. From a network security perspective, how can one protect a computer or account that they do not know exists? Having gaps in inventory can invite poor or absent security controls and inadequate logging, patching, vulnerability analysis, account management or endpoint management, among other issues. It is imperative to have a thorough and precise inventory of all devices and accounts that are on a network. The inventory record should contain information about how the account is used, who owns the account (and takes responsibility for it), how often the password is changed and how the account is monitored.
Consider Service Accounts and Password Management
When approaching credential management and password resets, service accounts are often a pain point. Service account management is a thorn in the side of almost every infosec team. Historically, service accounts have had too many privileges, been poorly monitored, had little or no security controls (e.g., password management) and/or not been included in inventories. Often, accounts with elevated credentials are not effectively managed or secured.
The most important—and difficult—aspect of eliminating threat actors is conducting mass, rapid password resets. During an eviction process, all credentials must undergo password resets to ensure that threat actors are successfully evicted. In some cases, the password must be reset more than once, and in the case of elevated credentials, each account password must be reset at least twice. It is not advisable to start an eviction process if some passwords are unable to be reset because processes used by service accounts would break if the password was changed.
Take Advantage of MFA
Additionally, it is not recommended to begin an eviction process unless all external accounts have been secured with multifactor authentication (MFA). Attempting to evict threat actors who gain access to the internal network based on passwords alone would likely result in a waste of time and resources. No eviction process should start until all external accounts have been protected by an additional factor to which threat actors do not have access. In fact, it is recommended that anything in the network that is deemed confidential or business-critical also have MFA requirements, even for trusted, internally authenticated network users.
Consider the Principle of Least Privilege
Along with solid password management and thorough credential inventories, all organizations should abide by the principle of least privilege to reduce the likelihood of intrusion by a threat actor. This is a key foundation of an enterprise’s overall network security policies. An employee should only be granted access and tools to do what their job requires. This sounds simple but is often overlooked. To achieve proper access levels, hardening operating systems and removing any unnecessary components are recommended, or one can opt to use a hardened virtual machine (VM) or virtual desktop interface (VDI) topology.
In some cases, an end user may not need Internet access to perform their duties, in which case they should not have it. They may be able to suffice with local intranet access. This can result in a significant reduction in risk. The same concept applies to email: Some users may only need internal email access. Again, this can serve to reduce risk.
Monitor User Access Levels
For all network resources, enterprises must ensure that all employees have only the access required for their roles. Some organizations task college interns with accompanying various enterprise personnel in documenting and defining proper access levels. This is a valuable experience for the intern, helps IT and security teams immensely and can result in a reduction in risk.
Fortunately, for enterprises that do not have the resources to hire interns, technology now exists to assist with some of the worrisome aspects of endpoint account management. Historically, organizations have tried to adopt models in which the end user does not have administrator (admin) access to their local machine. If a user with admin access clicks a malicious link or opens a malicious attachment, malware and PowerShell scripts can run, changing security mechanisms and the operating system itself. Typically, any malware, backdoor or remote control application can be installed if the end user has admin access.
Over the past two decades, many organizations have attempted to remove end user admin access. This approach often fails. Some end users simply need admin access to do their jobs. Forcing an end user to go through the call center for assistance every time they need momentary rights to install something takes too much time and uses too many resources to be productive.
In recent years, user endpoints have continually posed a significant risk and been targets for threat actor intrusions. The days of only having antivirus software in place for endpoints are over. A next-generation endpoint management system is now required. In fact, higher-end endpoint management systems offer auto-isolation features, which, in effect, evict the threat actor from the network automatically when certain events occur. These next-generation endpoint security applications also give the internal security or networking team the ability to isolate (on demand) based on anomalies, event logs or end user complaints.
Today, there are endpoint privilege management systems that can easily be configured to solve issues with endpoint privileges and security. Several vendors supply add-on tools that solve most (if not all) problems associated with lateral or vertical movements of a threat actor who has taken over an endpoint. This technology also prevents threat actors from stealing stored account information from any number of stored locations on the endpoint, while solving the issue for some users who need temporary admin access by a simple click of a button. Endpoint privilege management systems make it easier to prevent threat actor takeover and, in the event the threat actor does enter the network, it is easier to evict them.
Harness AD Security
The most important aspects of preparing for an eviction and preventing an intrusion involve Active Directory (AD) security. Many breaches exploit misconfigurations with AD. What better place could a threat actor set up shop than AD? AD is typically on a centrally located domain controller and contains all privileges, passwords and access information for the domains. If a threat actor owns AD, they own the network.
Historically, AD assessments and security have not been given enough attention. In fact, there have been many issues with and misconfigurations of AD that have led to a threat actor elevating themselves to Domain Administrator status in a matter of minutes. After obtaining Domain Administrator access, a threat actor can create or change any AD object in pursuit of their objectives. Remember, 86% of the time, a threat actor’s motivation is financial gain.1 Objectives could be to deploy ransomware or exfiltrate confidential data. Afterwards, threat actors can easily configure AD to maintain persistence and enable reentry into the network at any time.
In many networks, AD was originally set up decades ago. Just as common, multiple mergers and acquisitions have occurred over the years wherein other domains have been added without much scrutiny around security. Practices such as these have led to problems and misconfigurations that can be extremely detrimental to network security. It is critical to secure AD after evicting a threat actor to remove persistence.
Conduct Threat Actor Eviction
After an organization has ensured that it has a thorough inventory of all assets and accounts; enforced strong multifactor authentication, the principle of least privilege, and endpoint account management; and assessed and secured AD, it is time to proceed with eviction. Some organizations are able to routinely reset every password in the environment on a whim. It is a beautiful thing when this can be done without costly, lengthy repercussions such as end users being locked out or e-commerce sites ceasing to function.
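The readiness gates described in the inventory, password management and MFA sections above, applied to an account inventory, as an added example that is not part of the original article: each account must have a recorded owner, every external account must have MFA, every password must be resettable (service accounts included), and elevated credentials are scheduled for at least two reset rounds. The inventory rows and field names are constructed for illustration.

```python
"""Eviction readiness check over a constructed account inventory."""
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    kind: str          # "user", "service" or "admin"
    owner: str         # responsible person; empty string means unowned
    external: bool     # reachable from outside the network
    mfa: bool          # protected by an additional factor
    resettable: bool   # password can change without breaking a process


# Constructed sample inventory (hypothetical accounts, not real ones).
INVENTORY = [
    Account("jdoe", "user", "J. Doe", True, True, True),
    Account("svc_backup", "service", "", False, False, False),
    Account("da_ops", "admin", "Ops Lead", False, True, True),
    Account("vpn_contractor", "user", "Vendor Mgmt", True, False, True),
]


def blockers(accounts):
    """Return the reasons the eviction must not start yet."""
    out = []
    for a in accounts:
        if not a.owner:
            out.append(f"{a.name}: no owner recorded in inventory")
        if a.external and not a.mfa:
            out.append(f"{a.name}: external account without MFA")
        if not a.resettable:
            out.append(f"{a.name}: password cannot be reset")
    return out


def reset_plan(accounts):
    """Map each account to the number of reset rounds it must receive:
    elevated credentials are reset at least twice, everything else once."""
    return {a.name: (2 if a.kind == "admin" else 1) for a in accounts}


def ready(accounts):
    """True only when no blocker remains, i.e. eviction may begin."""
    return not blockers(accounts)


if __name__ == "__main__":
    for b in blockers(INVENTORY):
        print("BLOCKER:", b)
    print("ready:", ready(INVENTORY), reset_plan(INVENTORY))
```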
Conclusion
By implementing the strategies discussed and enabling rapid password resets, an organization not only raises its security posture to a higher level, but also dramatically reduces obstacles that could hinder the eviction of threat actors and the prevention of reentry after initial intrusion. These effects lessen the impact of a dire situation and allow for more rapid normalization of network activity and business functionality after a threat actor intrusion.
Endnotes
1 Bayern, M.; “86% of Data Breaches Are Conducted for Financial Gain,” TechRepublic, 18 May 2020
Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP
Is an incident response principal consultant for Secureworks. He has more than 30 years of experience as a cybersecurity professional and specializes in network engineering with a focus on security. In previous roles, he acted as chief information security officer (CISO) and chief information officer (CIO) and has served as vice president at a large financial enterprise. Barnett is driven by a passion for seeing cybersecurity done right and is committed to aiding organizations in defining proper policies, procedures and mechanisms to respond to security events of any size.