Best Practices to Detect and Respond to a Compromised Identity

Table of Contents

Table of Contents

So, it looks like your organization was hacked, you are almost sure, but it’s still under investigation. What should you do to avoid immediate damage ?

Cybersecurity breaches revolving around compromised identity security have become increasingly common, making it essential for organizations to have a robust incident response plan. When faced with a suspected or confirmed identity breach, here’s a step-by-step guide to managing the situation effectively.

Identity Security: Speed, Strategy, and Controlled Actions 

Responding promptly and strategically to an identity security breach can tilt the balance in your favor against hackers. Awareness is crucial: understanding the breach timeline, piecing together the incident’s narrative, and recognizing potential damages. As you build your incident response (IR) plan, incorporate critical components such as reporting cadences (to regulators, CISOs, management, and customers), in-depth investigation, documentation, action steps, and retrospective evaluations to glean lessons learned. This proactive approach ensures a comprehensive and resilient defense.

So what should I do now when I suspect an identity is compromised or was highly exposed – the rezonators share the 14 steps you should take, based on 100s of incidents we have solved over the years: 

14 Best Practices for Identity and Access IR and Blast Radius Analysis 

Blast Radius Analysis: Understand the Power of the Identity at Risk

1. Access Journey Mapping – own the identity security storyline:

Hackers will laterally move across Identities and try to fully leverage their credentials to gain persistence and velocity in their attack execution. Ascertain how this identity is utilized from authentication methods, identity assumption patterns, privilege utilization, authorization paths, and privilege-chaining capabilities. Understanding the possible exploit paths offers insights into a hacker’s potential reach.

2. Stakeholder Identification:

Pinpoint all entities, both direct and indirect, associated with this identity. Recognizing the people or processes that depend on it helps orchestrate an effective response and risk analysis. 

Reduce the Attack Surface

3. Blast Radius Analysis:

Examine the depth and breadth of privileged access management. What data, applications, processes, infrastructure, or business assets can it touch? Specifically, assess its capabilities across reading, writing, changing, or deleting data. Scrutinize direct, indirect, hidden, or toxic access privileges associated with this identity.

4. Risky Privileges Assessment:

Identify high/substantial privileges that the identity possesses but rarely uses. These can be potential vulnerabilities that you can easily taken out of the game, simply remove them.

5.  Behavior Analysis:

Delve into the regular and rare activities associated with this identity. What are the implications, both from infrastructure and business perspectives, if this identity is rendered inactive?

6. Misconfiguration Audit: 

Utilize tools to uncover and rectify vulnerabilities linked to the identity, such as weak passwords, lack of session controls, outdated keys, weak authentication methods, or risky practices.

7. Hackers will laterally move across Identities

 Excise unutilized, risky, or exclusive privileges.

8. Strengthen Security Controls

For privileges that are essential but potentially risky, implement additional security measures, such as geographic or device-specific restrictions.

9. Authentication Reinforcement:

 Reset and fortify authentication processes, possibly by incorporating multi-factor authentication, enhancing password security, limiting session durations, or narrowing down granular actions.

Damage Assessment and Containment

10. Asset Protection:

Based on the assessed blast radius, prioritize assets. Temporarily restricting access to certain assets might be less damaging than allowing a hacker to manipulate them.

11. Attack Story Compilation

Differentiate between legitimate and malicious activities by creating a narrative of the identity’s actions. The differentiation process requires a comprehensive understanding of the identity’s typical behavior. Techniques such as threat modeling or statistical reputation analysis can assist here.

12. New Assets Examination

Detect any newly generated assets, like databases, storage units, or machines, and neutralize them to prevent attacker persistence or data exfiltration.

13. Cryptographic Scrutiny

Identify cryptographic elements generated by the identity, which could either be used to lock you out or exfiltrate data. Ensure you have control over these elements.

14. Continuous Monitoring: 

After implementing containment measures, keep an eye out for any attempts to re-assume the identity or detect recurring patterns that might indicate the attacker’s active presence.
By meticulously following these steps, organizations can significantly mitigate the risk of extensive damage following the compromise of a critical identity. While preventive measures are crucial, an effective response strategy is equally imperative in today’s volatile cyber landscape. Learn more about securing identities across the entire access journey to your business assets with Rezonate.


Ready to see Rezonate in action?

“Rezonate combines identity threat detection and posture management to reduce exposure time and optimize our response to suspicious activities. The robust remediation workflows and the UI, make the platform an important asset in our line of defense.”

Paul Groisman

Sr. Director Cyber Security, Fubo

Maximize Okta Security Posture: Get the Okta Security Booster Kit.  Learn more