Threats that involve the compromise of multiple privileged identities within the network may require a mass password reset as part of incident response. A mass password reset helps incident responders gain control of the identity plane, deny other avenues of access, and disrupt any persistence the attacker may have established in the environment. There are several variables and considerations for a mass password reset, and there is no one-size-fits-all solution. In this blog post, Microsoft Incident Response provides best practices in preparing for and performing a mass password reset: https://msft.it/6046YhXQ6
Microsoft Threat Intelligence’s Post
This one still bothers me in the way it oversimplifies analysis. Before you consider a Mass Password Reset, you absolutely must understand the nature and scope of the #threat you mean to address. If the attack has progressed to the point where #APT actors have #privileged access, there is a serious risk of krbtgt (Kerberos security "golden ticket") compromise. When this happens, you can change the #password for every user and service account with absolutely zero benefit. In fact, you may exacerbate the problem. It takes an expert to respond to #Identity attacks. Don't wait for a compromise to find your expert. Make that part of your plan. Good details from MS DART here: https://lnkd.in/gxK26YzV
Effective strategies for conducting Mass Password Resets during cybersecurity incidents
"Assurance and control considerations for a mass password reset, ... there are several different scenarios that necessitate a mass password reset. This means that there are different levels of control or assurance an organization might require while performing a mass password reset. When SSPR mechanisms can be reliably used to provide assurance, organizations can use that feature to accelerate a mass password reset. However, there are situations where an organization may not want to use the existing SSPR solution. For example, when an advanced threat actor has abused the organization’s SSPR system, or where there is actual evidence of AD DS database exfiltration. In such a scenario the organization would likely not choose to use that mechanism to enforce the mass password reset because the threat actor could re-establish initial access or persistence via SSPR. Where an organization seeks a high degree of control and assurance for a mass password reset there will, unfortunately, be an element of manual intervention. However, with preparedness ahead of time, Microsoft Entra ID features such as a Temporary Access Pass, when combined with Conditional Access policies, can be used to automate some aspects of assurance and control. In any event where a high degree of assurance and control is desired, some level of manual intervention to verify users’ physical identities and the issuance of such temporary access passes is inevitable. In a subsequent post we will examine different Microsoft Entra ID features that can be used to accomplish this." https://msft.it/6046YhXQ6
Did you know? Microsoft Entra ID Protection helps organisations detect, investigate, and remediate identity-based risks. Leveraging signals from various sources, it identifies risky behaviors like anonymous IP usage, password spray attacks, and leaked credentials. It generates real-time risk levels for each sign-in, triggering automatic remediation actions through Conditional Access policies. Entra ID Protection also provides detailed reports on risky sign-ins and users, enabling administrators to take manual actions if needed. Data can be exported to Microsoft Sentinel for deeper analysis, enhancing overall security and compliance. The licensing requirement for Entra ID Protection is a Microsoft Entra ID P2 license. #microsoftsecurity #entraid #RyansRecaps
The CrowdStrike mishap has just happened, and the world is in recovery mode. On the other side, with higher financial and legal implications incoming, there is an ongoing debate about whether this major outage is just an incident due to awful CI/CD practice or a security incident for which either an insider threat or external threat actors are responsible. #TheCyberThrone has decoded the technical analysis of the CrowdStrike aftermath details. This happened due to a logic error residing within the C291 channel file, which relates to named pipes and helps in preventing C2 communication; it crashed the OS, which resulted in a BSOD. However, with respect to a few important frameworks, the outage must definitely be a security incident, since it disturbed the Availability criterion of the CIA Triad. The National Institute of Standards and Technology (NIST) describes an incident as an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. The European Union Agency for Cybersecurity (ENISA) says that in an incident, availability can also be affected by local actions (destruction, disruption of power supply, etc.), or by an act of God, spontaneous failures or human error, without malice or gross neglect being involved. Since CrowdStrike is headquartered in the USA and subject to SEC jurisdiction, an 8-K filing is imminent within 72 hours of the incident. CrowdStrike CEO George Kurtz played down this incident as not a security incident; the investigation and other developments are still in progress. It's a wait-and-watch situation, but the legal battle is in line. Open for thoughts! Also, in the wake of this mishap, other breaches have successfully been submerged from the limelight: AT&T ...
😊 #Crowdstrike #Bsod #Outage #Microsoft.
Sad example of the significance of controlling the identity attack surface and proactively fighting identity-based risks. Seeing leading enterprises fall short is concerning evidence and therefore requires a new systematic approach. “the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts” #identitysecurity #itdr
Microsoft corporate emails hacked by Russian-backed group, company says
abcnews.go.com
Last year, over 75% of customer incident response cases handled by Sophos’ X-Ops Incident Response service were for #SmallBusiness customers. In the past, adversaries largely relied on malicious email attachments to gain initial cyberattack access. But changes to the default security of the Microsoft Office platform shifted the types of file attachments malware-as-a-service organizations favor. Updated #CyberThreat information empowers SMBs to align their defenses to the cybercriminals’ latest tactics. Read more in our 2024 Threat Report to see what you’re up against: https://bit.ly/3xdLI8A Contact Us For More Inquiries and Purchase: https://lnkd.in/eTiNkvVz #themartnetworksgroup #awardwinningdistributor #sophos #cyberthreat #data #attacks #credential #theft
Be careful out there. Some IT Pros are preaching about changing passwords. Pause. If your password isn't being guessed now, why change it? Instead, you should consider identity protection mechanisms like MFA, FIDO2, and Microsoft Identity Protection (impossible travel) configuration. Message me to see how we can help you.
Traceable: DYK: Your APIs' authentication might be vulnerable to account takeover attacks. 🥷 Discover the world's first – and only – solution to actively reduce your attack surface, by minimizing or eliminating implied and persistent trust for APIs. https://lnkd.in/dSbPYdw4 #APIsecurity #AppSec #ZeroTrust
Zero Trust API Access - Traceable API Security
traceable.ai
Safeguarding Data Exchange: A Comprehensive Overview of API Gateways and Their Imperative Role in Ensuring Robust Security https://lnkd.in/dSsBFddp
What queries need to be checked in EDR, AI/ML, threat intelligence detection, endpoint detection and response, SIEM or SOC? Below are the main important suggested queries:
1. Network Scanning
2. Reverse DNS
3. Large SMB Reads and Writes
4. SMB File Reads
5. SMB File Writes
6. SMB Enumeration / Write to Hidden Share
7. SMB Scripts
8. Large Data Transfers (over 100 MB) in either direction
9. Large External Data Transfers (over 1 GB) over outgoing connections
10. Active Directory Activity
11. Internal Destinations
12. SMB Version 1
13. Unencrypted LDAP
14. Passwords in URI (Internal or External)
15. Password Files
16. CryptoMining
17. BitTorrent
18. Possible Outbound Spam
19. Domain Fluxing (Numbers and/or Letters)
20. TeamViewer Usage
21. Tor2Web
22. Password Files in SaaS
23. Anonymous Access
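As an added illustration, not part of the post above, here is a small Python detection pass that implements five of the listed queries (8, 9, 12, 13 and 14) over constructed flow records; the record fields, the internal address ranges and the password-parameter pattern are assumptions, so adapt them to what your sensor actually emits.

```python
import ipaddress
import re
from dataclasses import dataclass

MB, GB = 1024 ** 2, 1024 ** 3
# Hypothetical internal ranges and credential-parameter pattern; tune both for your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASSWORD_IN_URI = re.compile(r"[?&](?:pass(?:word|wd)?|pwd)=[^&\s]+", re.IGNORECASE)

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str = ""      # sensor's application-protocol label: "smb", "ldap", "http", ...
    detail: str = ""     # SMB dialect, LDAP security mode, or the full HTTP URI
    bytes_out: int = 0   # src -> dst
    bytes_in: int = 0    # dst -> src

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def run_queries(flows):
    """Return sorted (rule, src, dst) tuples for every rule each flow trips."""
    hits = set()
    for f in flows:
        if max(f.bytes_out, f.bytes_in) > 100 * MB:          # 8. large transfer, either direction
            hits.add(("large_transfer", f.src, f.dst))
        if not is_internal(f.dst) and f.bytes_out > GB:       # 9. over 1 GB leaving the network
            hits.add(("large_external_upload", f.src, f.dst))
        if f.proto == "smb" and f.detail == "SMB1":           # 12. SMB version 1
            hits.add(("smb_v1", f.src, f.dst))
        if f.proto == "ldap" and f.dst_port == 389 and f.detail != "starttls":  # 13. unencrypted LDAP
            hits.add(("unencrypted_ldap", f.src, f.dst))
        if f.proto == "http" and PASSWORD_IN_URI.search(f.detail):  # 14. password in URI
            hits.add(("password_in_uri", f.src, f.dst))
    return sorted(hits)

# Constructed sample flows, not real telemetry.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 445, "smb", "SMB1", 4 * MB, MB),
    Flow("10.0.0.5", "10.0.0.10", 389, "ldap", "plain", 20_000, 50_000),
    Flow("10.0.0.7", "10.0.0.10", 389, "ldap", "starttls", 20_000, 50_000),
    Flow("10.0.0.9", "203.0.113.8", 80, "http", "http://203.0.113.8/login?user=bob&password=Hunter2", 900, 3_000),
    Flow("10.0.0.9", "203.0.113.9", 443, "https", "", 2 * GB, 10 * MB),
    Flow("10.0.0.11", "10.0.0.20", 445, "smb", "SMB3", 300 * MB, MB),
]
if __name__ == "__main__":
    for rule, src, dst in run_queries(SAMPLE_FLOWS):
        print(f"{rule:<22} {src} -> {dst}")
```

The flow on port 389 with STARTTLS and the SMB3 flow under the size threshold are deliberately left as negatives so the rules can be checked for false positives.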
1mo: Directly useful. Thanks for posting.