PREDICTIVE INTELLIGENCE

Using PAM for cyberforensics and security breach remediation
While no organisation wants to respond to a security incident or a breach, the reality is that preventing a cyberattack from landing is not always possible. Morey Haber, CTO at BeyondTrust, discusses the role of privileged access management (PAM) in a post-breach clean-up.
No one wants to respond to a security incident or a breach, particularly at the start of a new year. Instead, the highest priority should be to stop a cyberthreat before it compromises the organisation. But in reality, preventing a cyberattack from landing is not always possible. The steps for incident or breach identification, from threat hunting to searching for explicit indicators of compromise (IoC), are well established. While the processes will vary from organisation to organisation, malware, compromised accounts, lateral movement, etc. will all need to be addressed as part of any formal clean-up plan.
If a breach is severe enough (for example, including the compromise of domain controllers), organisations may have no choice other than to reinstall the entire environment from scratch. While that is a worst-case scenario, it does happen. In many cases, businesses may choose to scrub servers as best they can rather than performing a complete reinstall. That is a business decision based on risk, feasibility and cost. It also represents a no-win scenario if the threat is a persistent presence that uses techniques to evade traditional identification measures. If you think that is far-fetched, just look at the history of threats like rootkits, Spectre and Meltdown, which prove that there is always a way to attack a technology resource.

www.intelligentciso.com | Issue 11
Threat actors are after your credentials
Regardless of your remediation strategy, you can be assured that, in one fashion or another, threat actors will have access to your credentials. This implies that any clean-up effort should not reuse any existing passwords or keys. If possible, you should change (rotate) all credentials across every affected or linked resource. This is where privileged access management (PAM) comes into play. As remediation efforts begin, the clean-up or redeployment needs to be protected from password reuse, and from a threat actor regaining a persistent presence due to poor credential management.
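The rotation discipline described above, as an added example in Python that is not code from the article or from BeyondTrust: a minimal password-safe model that expands a set of compromised hosts through account links (so every affected or linked resource is in scope), rotates each in-scope account, and audits that no live secret matches a retired one. The hostnames, account names and secrets are constructed sample values, not from the article.

```python
"""Post-breach credential rotation planner (added example, not BeyondTrust code).

Assumptions: an inventory maps account names to Account records; an account's
`linked` set names hosts that trust or share that credential. Rotation is
modelled with random tokens; a real safe would push the new secret to the
target system as well.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    host: str                 # system the credential lives on
    secret: str               # current (live) secret
    linked: set = field(default_factory=set)    # hosts sharing/trusting it
    history: list = field(default_factory=list)  # fingerprints of retired secrets


def _fingerprint(secret: str) -> str:
    """Retired secrets are kept only as hashes, never in clear text."""
    return hashlib.sha256(secret.encode()).hexdigest()


def affected_scope(inventory: dict, compromised_hosts: set) -> set:
    """Expand compromised hosts transitively through credential links.

    Links are treated as undirected: if any host an account touches is in
    scope, every host that account touches joins the scope."""
    scope = set(compromised_hosts)
    changed = True
    while changed:
        changed = False
        for acct in inventory.values():
            nodes = {acct.host} | acct.linked
            if nodes & scope and not nodes <= scope:
                scope |= nodes
                changed = True
    return scope


def rotate(acct: Account, retired: set) -> None:
    """Retire the live secret and issue a fresh one matching no retired secret."""
    old = _fingerprint(acct.secret)
    acct.history.append(old)
    retired.add(old)
    new = secrets.token_urlsafe(24)
    while _fingerprint(new) in retired:   # reuse guard across all accounts
        new = secrets.token_urlsafe(24)
    acct.secret = new


def remediate(inventory: dict, compromised_hosts: set):
    """Rotate every account on an affected or linked host; return (scope, names)."""
    scope = affected_scope(inventory, compromised_hosts)
    retired = {h for a in inventory.values() for h in a.history}
    rotated = [a.name for a in inventory.values() if a.host in scope]
    for name in rotated:
        rotate(inventory[name], retired)
    return scope, rotated


def reuse_violations(inventory: dict) -> list:
    """Audit: names of accounts whose live secret equals any retired secret."""
    retired = {h for a in inventory.values() for h in a.history}
    return [a.name for a in inventory.values()
            if _fingerprint(a.secret) in retired]


def sample_inventory() -> dict:
    """Constructed sample data; not a real environment."""
    return {
        "dc01\\administrator": Account("dc01\\administrator", "dc01", "Winter2019!"),
        "svc_backup": Account("svc_backup", "backup01", "B@ckup123",
                              linked={"dc01", "fileserver01"}),
        "app_deploy": Account("app_deploy", "ci01", "deploy-key-2019",
                              linked={"web01"}),
        "root@web01": Account("root@web01", "web01", "toor"),
        "root@hr01": Account("root@hr01", "hr01", "hr-root-pass"),
    }


if __name__ == "__main__":
    inv = sample_inventory()
    scope, rotated = remediate(inv, {"dc01"})   # only the domain controller is known-bad
    print("in scope:", sorted(scope))
    print("rotated:", rotated)
    print("reuse violations:", reuse_violations(inv))
```

Compromising only `dc01` pulls `backup01` and `fileserver01` into scope through the backup service account's links, so both the domain administrator and `svc_backup` are rotated, while accounts on unrelated hosts are left alone; the audit then confirms no pre-breach secret is still live anywhere.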
Password management is a core aspect of PAM and includes the automatic onboarding, rotation, session management, reporting and check-in and check-out of passwords from a password safe. While PAM technology is most prominently used for privileged passwords like administrator, root, service accounts and DevOps secrets, it can also be used as a least privilege