Threats that involve the compromise of multiple privileged identities within the network may require a mass password reset as part of incident response. A mass password reset helps incident responders gain control of the identity plane, deny other avenues of access, and disrupt any persistence the attacker may have established in the environment. There are several variables and considerations for a mass password reset, and there is no one-size-fits-all solution. In this blog post, Microsoft Incident Response provides best practices in preparing for and performing a mass password reset: https://msft.it/6046YhXQ6
Microsoft Threat Intelligence’s Post
More Relevant Posts
-
This one still bothers me in the way it oversimplifies analysis. Before you consider a Mass Password Reset, you absolutely must understand the nature and scope of the #threat you mean to address. If the attack has progressed to the point where #APT actors have #privileged access, there is a serious risk of krbtgt (Kerberos security "golden ticket") compromise. When this happens, you can change the #password for every user and service account with absolutely zero benefit. In fact, you may exacerbate the problem. It takes an expert to respond to #Identity attacks. Don't wait for a compromise to find your expert. Make that part of your plan. Good details from MS DART here: https://lnkd.in/gxK26YzV
Effective strategies for conducting Mass Password Resets during cybersecurity incidents
-
"Assurance and control considerations for a mass password reset, ... there are several different scenarios that necessitate a mass password reset. This means that there are different levels of control or assurance an organization might require while performing a mass password reset. When SSPR mechanisms can be reliably used to provide assurance, organizations can use that feature to accelerate a mass password reset. However, there are situations where an organization may not want to use the existing SSPR solution. For example, when an advanced threat actor has abused the organization’s SSPR system, or where there is actual evidence of AD DS database exfiltration. In such a scenario the organization would likely not choose to use that mechanism to enforce the mass password reset because the threat actor could re-establish initial access or persistence via SSPR. Where an organization seeks a high degree of control and assurance for a mass password reset there will, unfortunately, be an element of manual intervention. However, with preparedness ahead of time, Microsoft Entra ID features such as a Temporary Access Pass, when combined with Conditional Access policies, can be used to automate some aspects of assurance and control. In any event where a high degree of assurance and control is desired, some level of manual intervention to verify users’ physical identities and the issuance of such temporary access passes is inevitable. In a subsequent post we will examine different Microsoft Entra ID features that can be used to accomplish this." https://msft.it/6046YhXQ6
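The excerpt above ends with Temporary Access Pass plus Conditional Access as the way to automate part of a high-assurance reset. The script below is an added example, not code from the Microsoft post or its author, showing one reset tier with the Microsoft.Graph PowerShell SDK (v2 assumed): for each user it revokes sessions, sets a password nobody knows with forced change, and mints a single-use TAP that the help desk hands over only after verifying the person out of band. The scopes, the role needed for password writes, and the tier list `$UserPrincipalNames` are assumptions you adjust to your tenant.

```powershell
# Added example (not from the Microsoft post): one tier of a high-assurance mass reset.
# Run with -WhatIf first; reset the privileged tier before everyone else, and do not
# route this through SSPR if the caveat in the post applies to you.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string[]] $UserPrincipalNames,  # assumption: the tier you already built
    [int] $TapLifetimeMinutes = 60
)

# Assumption: these scopes, plus an eligible role (e.g. Password Administrator) for the password write.
Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All' -NoWelcome

function New-RandomPassword {
    # 24 random bytes, base64 plus a symbol to satisfy complexity; nobody needs to know it,
    # because the TAP is the credential that actually gets handed out.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes)) + '!'
}

$handout = foreach ($upn in $UserPrincipalNames) {
    if (-not $PSCmdlet.ShouldProcess($upn, 'Revoke sessions, reset password, issue TAP')) { continue }
    try {
        # 1. Invalidate refresh tokens so a stolen session does not outlive the old password.
        Revoke-MgUserSignInSession -UserId $upn | Out-Null

        # 2. Replace the password with one nobody knows and force a change at next sign-in.
        Update-MgUser -UserId $upn -PasswordProfile @{
            password                      = (New-RandomPassword)
            forceChangePasswordNextSignIn = $true
        }

        # 3. Mint a single-use TAP. The value is only returned at creation time, so capture it now.
        $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn -BodyParameter @{
            lifetimeInMinutes = $TapLifetimeMinutes
            isUsableOnce      = $true
        }

        [pscustomobject]@{ User = $upn; TemporaryAccessPass = $tap.TemporaryAccessPass; Status = 'reset' }
    }
    catch {
        # Keep going: a logged failure you can retry beats a half-reset tier you cannot account for.
        [pscustomobject]@{ User = $upn; TemporaryAccessPass = $null; Status = "failed: $($_.Exception.Message)" }
    }
}

# Treat this output as a secret; it is the list the identity-verification desk works from.
$handout
```

The script covers the Entra ID side only. In the scenario the first commenter raises, where the krbtgt account is suspected compromised, on-premises AD DS needs its own handling: krbtgt has to be reset twice, with replication allowed to complete in between, and nothing here does that.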
-
I try to create detection "TLDRs" for customers after interesting threats or breaches. This one would be: "If an adversary sent you a password protected archive, containing legitimate IT management software, would you alert on the delivery, or detect the execution?"
Finding the unknown unknowns, part 1
blog.strikeready.com
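Taking the detection question above literally, here is an added example (not code from the StrikeReady post) with one check for each half of it: delivery, by reading bit 0 of the general-purpose flag in each ZIP local file header to tell whether an attachment is an encrypted archive, and execution, by flagging a known remote-management binary that launches from a user-writable path. The ZIP bytes and process events are constructed inline, and the RMM image list is an illustrative starting point (an assumption), not a complete catalogue.

```powershell
# Added example for the detection question above; not the StrikeReady post's code.

function Test-EncryptedZip([byte[]]$Bytes) {
    # Walk local file headers (signature 50 4B 03 04, little-endian 0x04034B50).
    # The flags word sits at offset 6; bit 0 set means the entry is encrypted.
    $i = 0
    while ($i -le $Bytes.Length - 30) {
        if ($Bytes[$i] -eq 0x50 -and $Bytes[$i+1] -eq 0x4B -and $Bytes[$i+2] -eq 0x03 -and $Bytes[$i+3] -eq 0x04) {
            $flags = [BitConverter]::ToUInt16($Bytes, $i + 6)
            if ($flags -band 0x0001) { return $true }
            $compSize = [BitConverter]::ToUInt32($Bytes, $i + 18)
            $nameLen  = [BitConverter]::ToUInt16($Bytes, $i + 26)
            $extraLen = [BitConverter]::ToUInt16($Bytes, $i + 28)
            $i = [int]($i + 30 + $nameLen + $extraLen + $compSize)   # skip header, name, extra and data
        } else { $i++ }
    }
    return $false
}

function New-LocalFileHeader([string]$Name, [uint16]$Flags, [byte[]]$Data) {
    # Builds a minimal stored (uncompressed) ZIP local file entry for the constructed samples below.
    $ms = New-Object System.IO.MemoryStream
    $w  = New-Object System.IO.BinaryWriter($ms)
    $w.Write([uint32]0x04034B50)               # signature
    $w.Write([uint16]20)                       # version needed to extract
    $w.Write($Flags)                           # general-purpose bit flag
    $w.Write([uint16]0)                        # compression method: stored
    $w.Write([uint16]0); $w.Write([uint16]0)   # last mod time / date
    $w.Write([uint32]0)                        # CRC-32 (not checked by Test-EncryptedZip)
    $w.Write([uint32]$Data.Length)             # compressed size
    $w.Write([uint32]$Data.Length)             # uncompressed size
    $nameBytes = [System.Text.Encoding]::ASCII.GetBytes($Name)
    $w.Write([uint16]$nameBytes.Length)        # file name length
    $w.Write([uint16]0)                        # extra field length
    $w.Write($nameBytes); $w.Write($Data)
    $w.Flush()
    return $ms.ToArray()
}

# Assumption: an illustrative list of remote-management binaries, extend it for your estate.
$RmmImages = 'AnyDesk.exe','TeamViewer.exe','ScreenConnect.ClientService.exe','AteraAgent.exe','SplashtopStreamer.exe'

function Test-RmmFromUserPath([string]$ImagePath) {
    # A sanctioned install lives under Program Files; the same binary under Downloads,
    # Desktop or AppData (where an extracted archive lands) is the signal.
    $leaf = Split-Path -Leaf $ImagePath
    return ($RmmImages -contains $leaf) -and ($ImagePath -match '(?i)\\Users\\[^\\]+\\(Downloads|Desktop|AppData)\\')
}

# Constructed samples: one plain and one encrypted archive entry, three process-creation events.
$payload  = [System.Text.Encoding]::ASCII.GetBytes('MZ...')
$plainZip = New-LocalFileHeader -Name 'Invoice.pdf.exe' -Flags 0 -Data $payload
$lockZip  = New-LocalFileHeader -Name 'Invoice.pdf.exe' -Flags 1 -Data $payload
"plain archive encrypted: $(Test-EncryptedZip $plainZip)"
"locked archive encrypted: $(Test-EncryptedZip $lockZip)"

$events = @(
    [pscustomobject]@{ Image = 'C:\Program Files\TeamViewer\TeamViewer.exe' }
    [pscustomobject]@{ Image = 'C:\Users\jdoe\Downloads\Invoice_2024\AnyDesk.exe' }
    [pscustomobject]@{ Image = 'C:\Users\jdoe\AppData\Local\Temp\7zO1A2B\ScreenConnect.ClientService.exe' }
)
$events | Where-Object { Test-RmmFromUserPath $_.Image } | ForEach-Object { "ALERT rmm-from-user-path: $($_.Image)" }
```

The two checks are deliberately independent: the mail gateway can only see the first, the endpoint only the second, and an archive that uses a data descriptor (flag bit 3) still carries bit 0 in its local header, so the delivery check does not depend on sizes being present.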
-
Passwords get leaked all the time... 🤦♂️ Microsoft should learn from their recent attack. Luckily there is an easy way an organization can check for leaked passwords and force password updates. Breached Password Detection consists of: 1) Finding breached and compromised passwords. 2) Processing and storing the passwords. 3) Checking passwords to see if they’ve been compromised. 4) Taking action when a compromised credential is found.
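The four steps listed above, as an added example that is not the poster's or any vendor's code: a k-anonymity range check in the style of Have I Been Pwned's Pwned Passwords API, run entirely offline. The breach corpus, user list and candidate passwords are constructed here; in production step 1 would ingest real breach data, and the candidate is only available in plaintext at the moment a password is set or changed, which is where this check belongs. Only the first five hex characters of the SHA-1 leave the client, so the checking service never sees the password or its full hash.

```powershell
# Added example (not the poster's code): breached-password detection as a k-anonymity range query.

function Get-Sha1Hex([string]$Text) {
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $hash = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToUpperInvariant()
    } finally { $sha1.Dispose() }
}

# Steps 1 and 2: collect breached passwords and store them as hashes, bucketed by 5-char prefix.
# Constructed corpus; Count is how many breach records contained that password.
$BreachIndex = @{}
foreach ($entry in @(
        @{ Password = 'Password1';   Count = 3150 },
        @{ Password = 'Summer2024!'; Count = 12 },
        @{ Password = 'letmein';     Count = 98000 })) {
    $h = Get-Sha1Hex $entry.Password
    $prefix = $h.Substring(0, 5); $suffix = $h.Substring(5)
    if (-not $BreachIndex.ContainsKey($prefix)) { $BreachIndex[$prefix] = @{} }
    $BreachIndex[$prefix][$suffix] = $entry.Count
}

function Invoke-RangeQuery([string]$Prefix) {
    # Service side: all it learns is the prefix; it answers with every suffix in that bucket.
    $bucket = $BreachIndex[$Prefix.ToUpperInvariant()]
    if (-not $bucket) { return @() }
    return @($bucket.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" })
}

function Test-BreachedPassword([string]$Candidate) {
    # Step 3, client side: hash locally, query by prefix, compare suffixes at home.
    # Returns the breach count; 0 means not found.
    $h = Get-Sha1Hex $Candidate
    $prefix = $h.Substring(0, 5); $suffix = $h.Substring(5)
    foreach ($line in Invoke-RangeQuery $prefix) {
        $parts = $line.Split(':')
        if ($parts[0] -eq $suffix) { return [int]$parts[1] }
    }
    return 0
}

# Step 4: act on a hit. Here the action is a forced-reset flag on a constructed user list.
$users = @(
    [pscustomobject]@{ Upn = 'alice@contoso.example'; CandidatePassword = 'Summer2024!' }
    [pscustomobject]@{ Upn = 'bob@contoso.example';   CandidatePassword = 'correct horse battery staple' }
)
foreach ($u in $users) {
    $hits = Test-BreachedPassword $u.CandidatePassword
    if ($hits -gt 0) { "FORCE RESET $($u.Upn): password seen in $hits breach records" }
    else             { "ok $($u.Upn)" }
}
```

Because the service returns a whole bucket per prefix, it cannot tell which suffix the client cared about; that is the property that makes it safe to call an external checker at password-set time without shipping the password.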
-
Did you know? Microsoft Entra ID Protection helps organisations detect, investigate, and remediate identity-based risks. Leveraging signals from various sources, it identifies risky behaviors like anonymous IP usage, password spray attacks, and leaked credentials. It generates real-time risk levels for each sign-in, triggering automatic remediation actions through Conditional Access policies. Entra ID Protection also provides detailed reports on risky sign-ins and users, enabling administrators to take manual actions if needed. Data can be exported to Microsoft Sentinel for deeper analysis, enhancing overall security and compliance. The licensing requirement for Entra ID Protection is a Microsoft Entra ID P2 license. #microsoftsecurity #entraid #RyansRecaps
-
Sad example of the significance of controlling the identity attack surface and proactively fighting identity-based risks. Seeing leading enterprises fall short is concerning evidence and therefore requires a new systematic approach. “the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts” #identitysecurity #itdr
Microsoft corporate emails hacked by Russian-backed group, company says
abcnews.go.com
-
Last year, over 75% of customer incident response cases handled by Sophos’ X-Ops Incident Response service were for #SmallBusiness customers. In the past, adversaries largely relied on malicious email attachments to gain initial cyberattack access. But changes to the default security of the Microsoft Office platform shifted the types of file attachments malware-as-a-service organizations favor. Updated #CyberThreat information empowers SMBs to align their defenses to the cybercriminals’ latest tactics. Read more in our 2024 Threat Report to see what you’re up against: https://bit.ly/3xdLI8A Contact Us For More Inquiries and Purchase: https://lnkd.in/eTiNkvVz #themartnetworksgroup #awardwinningdistributor #sophos #cyberthreat #data #attacks #credential #theft
-
Traceable: DYK: Your APIs' authentication might be vulnerable to account takeover attacks. 🥷 Discover the world's first – and only – solution to actively reduce your attack surface, by minimizing or eliminating implied and persistent trust for APIs. https://lnkd.in/dSbPYdw4 #APIsecurity #AppSec #ZeroTrust
Zero Trust API Access - Traceable API Security
traceable.ai
-
Sharing a comprehensive guidebook on incident response and forensic analysis by Microsoft Security Incident Response Team. An invaluable resource for boosting analytical skills and constructing detailed activity timelines. Link to the pdf : https://lnkd.in/eux2mf3t #DFIR #Microsoft #IncidentResponse #ThreatIntelligence
PowerPoint Presentation
cdn-dynmedia-1.microsoft.com
-
In 2023, there was a dramatic spike in the number of attacks on account passwords, meaning it’s more important than ever to enable MFA. In fact, Microsoft found that with MFA enabled, you can prevent 99.9% of attacks on your accounts. Don’t wait – visit the link below to protect your data with MFA! 🔗 https://ow.ly/Y0fp50RUgLa
Comment (3mo): Directly useful. Thanks for posting.