Drew Wigodsky’s Post

Threats that involve the compromise of multiple privileged identities within the network may require a mass password reset as part of incident response. A mass password reset helps incident responders gain control of the identity plane, deny other avenues of access, and disrupt any persistence the attacker may have established in the environment. There are several variables and considerations for a mass password reset, and there is no one-size-fits-all solution. In this blog post, Microsoft Incident Response provides best practices in preparing for and performing a mass password reset: https://msft.it/6046YhXQ6

"Assurance and control considerations for a mass password reset, ... there are several different scenarios that necessitate a mass password reset. This means that there are different levels of control or assurance an organization might require while performing a mass password reset. When SSPR mechanisms can be reliably used to provide assurance, organizations can use that feature to accelerate a mass password reset. However, there are situations where an organization may not want to use the existing SSPR solution. For example, when an advanced threat actor has abused the organization’s SSPR system, or where there is actual evidence of AD DS database exfiltration. In such a scenario the organization would likely not choose to use that mechanism to enforce the mass password reset because the threat actor could re-establish initial access or persistence via SSPR. Where an organization seeks a high degree of control and assurance for a mass password reset there will, unfortunately, be an element of manual intervention. However, with preparedness ahead of time, Microsoft Entra ID features such as a Temporary Access Pass, when combined with Conditional Access policies, can be used to automate some aspects of assurance and control. In any event where a high degree of assurance and control is desired, some level of manual intervention to verify users’ physical identities and the issuance of such temporary access passes is inevitable. In a subsequent post we will examine different Microsoft Entra ID features that can be used to accomplish this." https://msft.it/6046YhXQ6

Passwords get leaked all the time... 🤦♂️ Microsoft should learn from their recent attack. Luckily there is an easy way an organization can check for leaked passwords and force password updates. Breached Password Detection consists of: 1) Finding breached and compromised passwords. 2) Processing and stores the passwords. 3) Checking passwords to see if they’ve been compromised. 4) Taking action when a compromised credential is found.

With the CrowdStrike mishap is just happened, and the world is on the recovery mode. On the other side, with higher financial and legal implications areincoming, there is a debate ongoing wheather this major outage is just an incident due to its awful CI/CD practice or it's a security incident either by an Insider threat or an external threat actors are responsible. With #TheCyberThrone has decoded the technical analysis of Crowdstrike aftermath details. This is happened due to the logic error resides within the C291 channel file that related to named pipes helps in preventing the C2 communication has crashed the OS which resulted in BSOD. However with respect to few of important frameworks the outage must be definitely a security incident, since it's disturbed the Availability criteria of CIA Triad. National Institute of Standards and Technology (NIST) says an incident is described as an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. European Union Agency for Cybersecurity (ENISA) says an incident occurrs and in which the availability also can be affected by local actions (destruction, disruption of power supply, etc.) – or by Act of God, spontaneous failures or human error, without malice or gross neglect being involved. Since CrowdStrike is operating in USA as HQ and it will be subjected to SEC jurisdiction, 8-K filling is imminent within 72 Hours of the incident. CrowdStrike CEO George Kurtz outplayed this incident as not a security incident, the investigation and other development are still in progress. It's wait and watch situation. But the legal battle is inline. Open for Thoughts!!!. Also in wake of this mishap, other breaches are successfully got submerged from the limelight AT&T ... 😊 #Crowdstrike #Bsod #Outage #Microsoft.

I try to create detection "TLDRs" for customers after interesting threats or breaches. This one would be: "If an adversary sent you a password protected archive, containing legitimate IT management software, would you alert on the delivery, or detect the execution?"

Did you know? Microsoft Entra ID Protection helps organisations detect, investigate, and remediate identity-based risks. Leveraging signals from various sources, it identifies risky behaviors like anonymous IP usage, password spray attacks, and leaked credentials. It generates real-time risk levels for each sign-in, triggering automatic remediation actions through Conditional Access policies. Entra ID Protection also provides detailed reports on risky sign-ins and users, enabling administrators to take manual actions if needed. Data can be exported to Microsoft Sentinel for deeper analysis, enhancing overall security and compliance. Licensing requirements for Entra ID Protection is a Microsoft Entra ID P2 license. #microsoftsecurity #entraid #RyansRecaps

Apply encryption and to prevent unauthorized access to sensitive data. How to secure data with policies using Microsoft Purview. Watch the full video here: https://lnkd.in/gAbteMkD VIDEO SYNOPSIS: Detect and prevent data security incidents with Microsoft Purview. Combine data classification with proactive and adaptive data loss prevention policies aligned to the assessed insider risk level for a multi-layered approach. #MicrosoftPurview #DLP #InsiderRisk #InformationProtection #PurviewCase

Sad example of the significance of controlling the identity attack surface and proactively fighting identity based risks. Seeing leading enterprises fall short is a concerning evidence and therefore requires a new systematic approach. “the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts” #identitysecurity #itdr

Conditional access policies can be a great tool to detect and prevent threat actors' attempts to gain initial access to your Microsoft 365 environment - here are a set of 9 foundational policies to start with. https://bit.ly/3MUjYuc

Last year, over 75% of customer incident response cases handled by Sophos’ X-Ops Incident Response service were for #SmallBusiness customers. In the past, adversaries largely relied on malicious email attachments to gain initial cyberattack access. But changes to the default security of the Microsoft Office platform shifted the types of file attachments malware-as-a-service organizations favor. Updated #CyberThreat information empowers SMBs to align their defenses to the cybercriminals’ latest tactics. Read more in our 2024 Threat Report to see what you’re up against: https://bit.ly/3xdLI8A Contact Us For More Inquires and Purchase: https://lnkd.in/eTiNkvVz #themartnetworksgroup #awardwinningdistributor #sophos #cyberthreat #data #attacks #credential #theft