If an adversary manages to gain control of a privileged account in your network, you may face serious consequences, including costly data loss, prolonged downtime, customer churn, and legal and compliance penalties.
This blog explains how to build an effective incident response plan that can help you minimize the damage from a breach.
An attack unfolds in stages.
Attackers seldom achieve their goal by accessing a single system. Instead, an intrusion typically proceeds through several stages:
- Establish a beachhead on one system in the network. For example, adversaries can exploit vulnerabilities in enterprise software or compromise a user account through phishing or password-guessing attacks.
- Elevate privileges on that system. All too often, regular users are given local administrator rights on their own computers for convenience, which hands the adversary elevated access immediately.
- Compromise additional user accounts, especially accounts with elevated privileges.
- Use those access rights to move laterally through the network while avoiding detection, establish persistence, and then carry out the objective, such as exfiltrating sensitive data or bringing down vital systems.
Containment and eradication require a multi-faceted approach.
An incident response plan has to consider the tactics that the attacker may be using during all of these steps and be prepared to respond quickly. For example, effective responses can include:
- Terminating the user or application session
- Forcing a password reset and requiring multifactor authentication (MFA) at the next logon
- Disabling the account
- Blocking network connectivity to command-and-control (C&C) servers
- Blocking script execution
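The first four actions above are usually carried out against Active Directory and the affected hosts, and under time pressure they are best scripted ahead of time. The following PowerShell function is an added example written for this article, not code from the original post or from any vendor product: it disables the account, rotates its password to a random throwaway value, revokes cloud sign-in sessions where the account is synced to Entra ID, logs off the account's interactive sessions on the listed hosts, and adds outbound firewall blocks for known C&C addresses. All account names, hostnames and IP addresses in it are placeholders; it assumes the RSAT ActiveDirectory module, the optional Microsoft.Graph.Users.Actions module for the cloud step, and an operator account permitted to manage the target user and hosts.

```powershell
# Added example (not from the original post): first-response containment for a
# compromised Active Directory account. Account names, hosts and IPs are
# placeholders. Requires the RSAT ActiveDirectory module.
#Requires -Modules ActiveDirectory

function Invoke-AccountContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Hosts = @(),          # hosts where the account may be logged on
        [string[]]$C2Addresses = @(),    # C&C IPs or CIDRs to block at the host firewall
        [string]$UserPrincipalName       # set to also revoke Entra ID sign-in sessions
    )

    $actions = [System.Collections.Generic.List[string]]::new()

    # 1. Disable first: blocks new logons and new Kerberos ticket issuance.
    #    Already-issued tickets and live sessions survive; steps 3 and 4 handle those.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $SamAccountName
        $actions.Add('disabled')
    }

    # 2. Reset to a random throwaway password so the stolen credential (and the
    #    NTLM hash derived from it) stops working, and force a change at next logon.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password')) {
        $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $bytes = New-Object byte[] 32
        $rng.GetBytes($bytes)
        $new = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $new
        Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
        $actions.Add('password-reset')
    }

    # 3. Revoke cloud refresh tokens if the account is synced to Entra ID
    #    (needs Microsoft.Graph.Users.Actions and an existing Connect-MgGraph session).
    if ($UserPrincipalName -and (Get-Command Revoke-MgUserSignInSession -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke-MgUserSignInSession')) {
            Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
            $actions.Add('cloud-sessions-revoked')
        }
    }

    # 4. Log off the account's interactive (console/RDP) sessions on each host.
    #    quser prints one line per session: USERNAME SESSIONNAME ID STATE ...
    foreach ($h in $Hosts) {
        $sessions = quser /server:$h 2>$null |
            Where-Object { $_ -match "^\s*>?\s*$([regex]::Escape($SamAccountName))\s" }
        foreach ($line in $sessions) {
            if ($line -match '\s(\d+)\s+(Active|Disc)') {
                $id = $Matches[1]
                if ($PSCmdlet.ShouldProcess("$h session $id", 'logoff')) {
                    logoff $id /server:$h
                    $actions.Add("logoff:$h/$id")
                }
            }
        }
    }

    # 5. Block outbound traffic to known C&C addresses on the local host firewall.
    #    At scale, push the same rule through GPO or your EDR rather than per host.
    foreach ($addr in $C2Addresses) {
        if ($PSCmdlet.ShouldProcess($addr, 'New-NetFirewallRule (outbound block)')) {
            New-NetFirewallRule -DisplayName "IR-Block-C2-$addr" -Direction Outbound `
                -RemoteAddress $addr -Action Block -Profile Any -Enabled True | Out-Null
            $actions.Add("blocked:$addr")
        }
    }

    # Return a record of what was done for the incident ticket.
    [pscustomobject]@{
        Account = $SamAccountName
        Actions = $actions
        At      = (Get-Date).ToUniversalTime()
    }
}

# Usage with placeholder values; -WhatIf previews every step without changing anything:
# Invoke-AccountContainment -SamAccountName 'jdoe' -Hosts 'ws01','srv-files01' `
#     -C2Addresses '203.0.113.10' -UserPrincipalName 'jdoe@example.com' -WhatIf
```

Two caveats a responder should keep in mind. Disabling the account and resetting its password do not invalidate Kerberos service tickets that were issued before the reset, nor established SMB or RDP sessions, which is why the session-logoff step exists; if the attacker may have forged tickets, the krbtgt account needs its own reset procedure. Re-enrolling MFA is specific to your identity provider and is not covered here. For the last item above, blocking script execution, note that Set-ExecutionPolicy is not a security boundary (it is trivially bypassed with -ExecutionPolicy Bypass); enforce script restrictions with AppLocker or Windows Defender Application Control instead.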
Thwart attackers by removing standing privileges.
An effective incident response strategy must focus not only on the software, systems and data involved, but also on the standing, always-available privileged access that enabled the attackers to move from their initial beachhead to a full-blown security breach.
With effective privileged access management (PAM), you can dramatically reduce the risk of adversaries gaining the elevated rights they need to complete their attack. Netwrix Privilege Secure empowers you to replace standing privileged accounts with ephemeral accounts that provide just enough access for the task at hand and that are removed immediately afterward, so adversaries cannot exploit them.
With this solution, you can:
- Get dynamic and continuous visibility into privileged accounts across all endpoints.
- Replace risky privileged accounts with just-in-time privileged access — without hurting administrator productivity.
- Get a single control point for all privileged access, including the ability to require multifactor authentication (MFA).
- Monitor and record privileged user sessions to enable investigations, satisfy auditors and ensure accountability.
- Visualize, analyze and manage your attack surface with dashboards tailored to executives and IT pros.