Data Breach Response Calls for Immediate Admin Access

August 10, 2021

Your incident response team or a third party has just notified you of a data breach in your organization. What are the first few steps you must take to stop the breach in action and prevent the attackers’ lateral movement?

Do you/your admins or security teams have IMMEDIATE access to the critical servers to investigate, isolate infected computers, adjust access entitlements, and secure backup data and systems?

As a best practice, highly privileged administrative accounts and passwords are vaulted.  Suppose incident response doesn’t get immediate access to vaulted admin credentials to log in quickly. Consider a scenario where the necessary credentials are already checked out of the vault by another user. You are blocked until the checkout window expires or have to wait for the user to check the password back-in manually. In that case, the risk is that the breach will be successful, and dependent on the time required to respond and contain, has the potential to spread to other networked resources.

Time is, therefore, of the essence, as we learned in the 2017 NotPetya malware attack, where it took only seven minutes for malware to infect the worldwide network of a global shipping giant. In a more recent malware attack, we learned that the BazaCall threatcould move quickly within the network, conduct extensive data exfiltration and credential theft, and distribute ransomware within 48 hours of the initial compromise.”

When critical account access is needed immediately, every second matters!

In the above scenario, knowing that you can force password check-in of an account not checked back in after use is a huge benefit to avoiding delays. In our recent 21.5 release, a new feature enables an administrator with appropriate rights to force password check-in to release an account checked out by another user. Mitigating potential delays in gaining system access within a very short time-to-action window of opportunity, this feature can make the difference between a successful breach or a thwarted attempt.

While the above capability helps react to a breach in progress, it is much better to have Privileged Access Management (PAM) controls in place to prevent data breaches and ransomware attacks. Here are some of our recommendations for securing privileged accounts:

  1. As a very first step, vault privileged passwords.
  2. Avoid standing privileges and enforce least privilege based on approved just-in-time access request workflows.
  3. Decrease the overall number of accounts and passwords to reduce the attack surface ultimately.
  4. Enforce multi-factor authentication (MFA) policy during login and privilege elevation.
  5. Finally, audit all privileged activity and monitor live sessions.

Reflecting on the NotPetya attack, the chief technology and information officer at global shipping giant, Maersk, said that if they had implemented privileged access management in their cybersecurity strategy, the impact of the malware attack would have been significantly lower.

In today’s expanding threatscape, it is vital to have a robust privileged identity and access management solution to properly verify who has privileged access to sensitive enterprise resources. According to Gartner, a just-in-time (JIT) privileged access model suffers from 80% less privileged breaches. As you strengthen your company’s identity maturity, ThycoticCentrify PAM solutions based on the Zero Trust principles can help you protect your critical software and platforms from unauthorized access and usage.

Learn more about how ThycoticCentrify is making administrative access for data breach response faster with our latest 21.5 release

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.