How to Eliminate the Threat Posed by Compromised Account(s)



Eliminate the Threat Posed by Compromised Account(s)

·         Has the risk been identified as compromised account(s)?

·         Identify the account(s) that were breached and listed for sale on the Dark Web

o   Create a list of all breached email addresses and categorise them

§  If the account has an email address on the corporate email domain, confirm it as "Employee account".

§  If the account has an email address on a third-party email domain, confirm it as "Corporate resource user".

§  If the account has a login without an email domain, confirm it as "Domain or service account".

§  Other accounts can be considered partner/customer accounts.

o   Check that users with such usernames exist and have not been brute-forced.

§  Where the leak record includes the URL or resource on which the user authenticated, confirm with the owner of that resource.

·         Confirm the account has been breached.

o   Check the validity of passwords for corporate/domain/service accounts.

o   Prioritise accounts for further investigation

o   Immediately disable any account in the breached list whose credentials are still valid.

·         Change the passwords (or request that the owners change them), or use the identity and access management system to force a password change on the compromised accounts, and notify the account owners.

·         Investigate the account breach to identify the source of the breach

o   If it is a leaked database:

§  Check these accounts for associated suspicious activity. If such activity is detected, investigate further.

o   If the source of the leak is credential stealers/malware infection:

§  Perform a full antivirus scan of the affected personal/corporate devices and machines using an endpoint protection product.

§  Conduct malware analysis and reverse engineering to collect the related IOCs and artefacts.

o   Prepare remediation and lessons learned document

§  Conduct root-cause analysis. Ensure that you apply all possible methods to prevent the incident from happening again.

§  Analyse whether your current threat model is relevant. Review your current procedures and policies and compliance with security controls.

§  Analyse your current prevention measures, such as intrusion detection systems and antimalware solutions.

§  Review accesses and rights.

§  Eliminate vulnerabilities.

§  Change passwords for affected accounts and systems and enforce a strict password policy.

§  Monitor network traffic to detect whether an attacker attempts to initiate a connection again.

§  Continue monitoring the Dark Web to find re-publications of the same breaches on different forums.

§  Implement a programme to improve staff awareness of information security, and conduct periodic training to assess each employee's awareness.
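The triage steps above (categorise each leaked identifier, check that it maps to a real account, disable those whose credentials still work, and confirm third-party addresses with the resource owner) as an added Python example; this is not code from the original post. It assumes a corporate mail domain, a constructed dark-web listing, and a constructed directory snapshot that already holds the result of the credential validity check; treating a third-party address as a "Corporate resource user" only when the leak URL points at one of our hosts is this example's interpretation of the page's categories.

```python
import re
# Assumptions, not from the page: our corporate mail domain, and a constructed
# directory snapshot holding the result of a credential check done elsewhere
# (e.g. by the IdP); no plaintext password is compared in this script.
CORPORATE_DOMAINS = {"corp.example"}
DIRECTORY = {  # identifier -> (account exists, leaked secret still works)
    "alice@corp.example": (True, True),
    "bob@corp.example": (True, False),
    "svc-backup": (True, True),
    "carol@mail.example": (True, False),
}
# Constructed sample of a dark-web listing: identifier and the URL it was used on.
LEAK = [
    ("alice@corp.example", "https://vpn.corp.example/"),
    ("bob@corp.example", "https://mail.corp.example/"),
    ("svc-backup", "https://backup.corp.example/"),
    ("carol@mail.example", "https://portal.corp.example/"),
    ("dave@partner.example", "https://shop.partner.example/"),
    ("ghost@corp.example", "https://vpn.corp.example/"),
]
# Investigation order: service accounts first, partner/customer accounts last.
PRIORITY = ["Domain or service account", "Employee account",
            "Corporate resource user", "Partner/customer account"]

def categorise(identifier, resource_url):
    """Classify as the playbook does; a third-party address counts as a
    corporate resource user only when the leak URL points at one of our hosts."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", identifier)
    if m is None:
        return "Domain or service account"
    if m.group(1).lower() in CORPORATE_DOMAINS:
        return "Employee account"
    host = re.sub(r"^https?://([^/]+).*$", r"\1", resource_url).lower()
    if any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS):
        return "Corporate resource user"
    return "Partner/customer account"

def triage(leak):
    """(identifier, category, action) tuples; valid secrets first, then by priority."""
    out = []
    for identifier, url in leak:
        cat = categorise(identifier, url)
        exists, valid = DIRECTORY.get(identifier, (False, False))
        if valid:
            action = "disable now, force password reset, notify owner"
        elif exists:
            action = "notify owner, review for suspicious activity"
        elif cat in PRIORITY[:2]:
            action = "no such account: check for brute-force attempts"
        else:
            action = "confirm with the owner of " + url
        out.append((0 if valid else 1, PRIORITY.index(cat), identifier, cat, action))
    return [(i, c, a) for _, _, i, c, a in sorted(out)]
```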
