Systemic Identity Compromise Response

From celebration to crisis

Imagine celebrating a successful financial quarter, only to have uninvited guests crash the party and ruin the entire mood. In cybersecurity, these uninvited guests can be hacktivists, cyber criminals, or even nation-states. Their attacks, ranging from accidental insider threats to full-blown systemic identity compromises, can seriously disrupt operations, demoralise employees, and damage your brand reputation.

Consider the infamous Ashley Madison data breach. Without an 'uninvited guest' response plan, company executives scrambled, the brand suffered immensely, and customer data was exposed, resulting in significant impacts from both corporate and consumer perspectives. Regardless of your views on Ashley Madison, this incident underscores the urgent need for all organisations to prioritise cyber security preparedness through a comprehensive Incident Response Plan.

Where to start?

A comprehensive and accessible incident response plan is essential for swift recovery because, in truth, it's not a matter of if your business will be targeted, but when. As the saying goes, "failing to plan is planning to fail." In cybersecurity, the consequences of this oversight in your defense strategy can be devastating and will at the very least amplify the impact of an incident.

For those who are inexperienced, crafting a plan might seem daunting due to a lack of tangible experience to draw from. This is why a collaborative mindset is key to collective success. Sharing experiences ensures that no one will have to face challenges alone and everyone will have a chance to shore up their defenses. Established plans from organizations that have already faced attacks offer a valuable roadmap for newcomers and ensure everyone is prepared, across all areas of cybersecurity and across all industry verticals. Imagine a team springing into action without hesitation during a crisis, thanks to a pre-built plan – that's the ‘superpower’ of collaboration!

What is an Incident Response Plan?

An Incident Response Plan serves as a comprehensive roadmap, guiding your organisation’s response to a security breach. It delineates clear and structured steps for managing expectations, engaging stakeholders, assigning accountability, tracking progress, and visualising key metrics. By providing a detailed framework, this plan empowers your security team to act decisively and efficiently during a cyber incident, minimising operational disruptions and facilitating a swift return to normalcy. Let's define some of the core phases of an Incident Response strategy that must be baked into the plan.

NIST COMPUTER INCIDENT HANDLING GUIDE

When a breach occurs, the containment phase is critical. This step involves implementing immediate measures to limit the breach's spread and mitigate further damage. Quick actions are taken to isolate affected systems, restrict unauthorised access, and prevent the threat from moving laterally across the network. Containment strategies can be both short-term, such as temporarily disconnecting compromised systems, and long-term, involving more comprehensive measures like strengthening network segmentation.

Following containment, the eradication phase focuses on identifying and removing the root cause of the breach. This step ensures that all malicious code, unauthorised access points, and vulnerabilities exploited during the attack are completely eliminated. The security team conducts thorough investigations to understand how the breach occurred, applies patches, updates security protocols, and enhances defensive measures to prevent a recurrence. Eradication is meticulous and often requires collaboration with external cybersecurity experts to ensure that no remnants of the threat remain.

The recovery phase aims to restore affected systems and services to full functionality, ensuring that all vulnerabilities are addressed. This involves carefully reintroducing cleaned systems back into the production environment, monitoring for any signs of lingering threats, and conducting extensive testing to verify that normal operations can resume safely. During recovery, communication with stakeholders is crucial to maintain transparency and rebuild trust. The goal is to achieve a state of normalcy while reinforcing the organisation's defenses to withstand future incidents.

By focusing on these critical steps—containment, eradication, and recovery—an Incident Response Plan ensures that your organisation can effectively manage and mitigate the impact of security breaches, maintaining operational continuity and stakeholder confidence.

One plan to rule them all

Unfortunately, there is no one-size-fits-all approach to incident response, and organisations will likely need multiple independent plans to respond to specific security incidents. While this may seem daunting, it offers the flexibility to tailor plans for diverse scenarios with varying degrees of complexity. Although different plans may share a core structure, specific actions can be customised to accommodate various technologies or service environments.

For instance, a plan to regain control over a compromised Active Directory Domain might share similarities with a plan to restore order following a systemic identity compromise of a Microsoft Entra ID tenant. However, the specific techniques and controls used to regain administrative control between each will differ. Additionally, the skill sets and timeliness necessary to effectively contain, eradicate, and recover from each threat will vary and must be factored into the design and development of an incident response plan.

To ensure that incident response plans are practical and executable, it is essential to incorporate tools that allow teams to define tasks and track progress, rather than relying solely on a policy document. These tools should complement the 'high-level' plan and empower incident responders to assign tasks and track progress. They should also be used to present metrics to stakeholders, providing clear visibility into the status and effectiveness of the incident response efforts. By acknowledging the need for diverse plans and integrating tools to support execution, organisations can enhance the implementation and oversight of their incident response plans, ensuring a more organised and transparent approach to managing a given security incident.

What tools can help?

The Microsoft Teams 'Planner' app or a custom-built Excel workbook can complement the overarching incident response plan by incorporating features that enable assignment, tracking, and communication. The capabilities expected of these tools are:

  • Dashboards: Provide real-time situational awareness, allowing the team to quickly assess the current status of the incident response and communicate status.
  • Task Lists: Outline the necessary steps for technology-specific actions, ensuring that all required tasks are defined and accessible.
  • Workload Assignment: Clearly designate responsibilities to team members for specific tasks, ensuring accountability and clarity in action items.
  • Status Updates: Offer an intuitive and seamless method for tracking progress, allowing team members to update the status of tasks.
  • Scalability: Facilitate the ability to scale operations on demand, such as adding additional tenants or domains as needed dependent on the scope of the Incident Response engagement.

By leveraging tools such as the Microsoft Teams 'Planner' app or building a task list in Microsoft Excel, the incident response team can effectively follow the plan and manage the situation while keeping everyone informed of current progress. With these basics in mind, let’s examine a specific use case of a Systemic Identity Compromise. This use case is necessary to help us build the specific tasks required to address an incident, which will frame the next part of this article.

Systemic Identity Compromise Use Case

What is a 'systemic identity compromise'? This type of incident refers to a security breach where multiple user accounts within an organisation are compromised simultaneously. Unlike isolated incidents involving single stolen credentials, a systemic attack affects a broader range of users, potentially impacting key personnel, multiple departments, or even the entire user base.

This type of breach can lead to widespread unauthorised access to sensitive information, disrupt business operations, and often precedes a ransomware attack. Attackers leverage stolen credentials to escalate privileges, move laterally within the network, and access critical systems and data. Therefore, swift detection and response are crucial to minimising the impact of such an attack and anyone experiencing such an event will likely need all the help they can get.

Let's make this specific. In our use case, the Global Administrator of a Microsoft Entra ID tenant has been compromised due to a lack of multi-factor authentication controls, and the platform is no longer considered trustworthy. What are the steps to recover, and how should one go about starting them…

Now that we have the fundamentals of an Incident Response Plan in place, let’s explore how the guidance provided and our cloud-based scenario can transition into something more tangible for us to work with.

Example Incident Response Template

Welcome to the Gunryaku. This Microsoft Excel template provides consumers with an initial starting point for addressing a systemic identity compromise of Microsoft Entra ID through a six step framework focused on containment, eradication, and recovery in a novel and intuitive manner whilst leveraging the guidance and components provided above.

This workbook and its contents were inspired by industry-leading public guidance, such as "Recovering from Systemic Identity Compromise", "Octo Tempest: Hybrid Identity Compromise Recovery", "UNC3944", "Security Advisories", community feedback and refined with firsthand experience. It is being designed to offer consumers a trusted playbook or reference for responding to these contemporary identity-driven threats.

Why mention being designed… Well, the template and its contents are still a 'work in progress' and should be completed in the next few weeks. This article has chosen to reference the material in its beta stage of development to illustrate how to effectively utilise the provided IR Plan guidance in a measurable and accessible manner to achieve recovery objectives. While it serves as a starting point for organisations preparing for and responding to systemic identity compromise of Microsoft Entra ID, it must be considered incomplete for real-world application at this stage of development.

When complete, however, this Excel workbook will offer everyone a foundational and operational framework comprising sixty-one (61) recovery tasks to ensure the integrity of the cloud Identity and Access Management platform following a security incident. For now, this version contains only a subset of those tasks (around twenty-one in total) to help you get started, which is more than enough for our purposes.

Dashboard and Data Visualisation

The current functionality serves as both a plan and a repeatable framework, empowering incident response teams by addressing the fundamental needs of a response plan and incorporating the following capabilities:

  • Expectation Management: The plan facilitates the establishment of clear and realistic expectations for all stakeholders throughout the response process.
  • Accountability Delineation: It enables clear assignment of critical tasks and actions to responsible parties to ensure a well-coordinated and efficient response.
  • Progress Monitoring: Incorporates mechanisms for tracking the response effort's efficacy, allowing for real-time adjustments if necessary.
  • Situational Awareness: The workbook cultivates a comprehensive understanding of the incident's scope and impact, enabling informed decision-making.
  • Intuitive Framework: The plan provides a user-friendly roadmap for regaining control of compromised systems, streamlining the recovery process.

How to use the Example Template:

The workbook includes two visible worksheets and one hidden worksheet containing formulas for data visualisation. The first visible worksheet is for the Dashboard and Data Visualisation, while the second is for Task Management and Status Updates.

Tasks Worksheet

This worksheet is the 'heart' of our response plan, where ‘you’ as an incident responder will spend most of your time. On the left-hand side, it includes a column detailing each 'high-level' task. These tasks have been structured according to one of the six phases of execution within the overarching Gunryaku framework.

Each task is accompanied by options that foster accountability, determine priority, and align with the expected phase of execution.

To update the status of each task, there are three options provided within an intuitive drop-down menu: 'Not Started', 'Active', and 'Complete'. Simply scroll to the right and beneath the tenant, select a suitable status from the drop-down menu.

Once an option has been selected, conditional formatting rules will automatically adjust the colour and font, ensuring the status change can be quickly identified at a glance.

Easy to use Task Management

While most of this worksheet provides a static configuration of items such as tasks and priorities, the columns for each tenant are dynamically generated using a macro found within the Dashboard worksheet. This approach allows the plan to be executed at scale, whether recovery is needed for a single tenant or multiple tenants, up to a maximum of seven. When activated, this macro creates a new tenant column and automatically sets the formatting, column width, font size, provisions the menu options, and configures the conditional formatting rules.

This automation allows the response team to focus on what matters most: the recovery. Now let's walk through the phases of the incident response plan.

The Six Phases of Recovery

The Gunryaku

The ‘complete’ Gunryaku concept is a comprehensive incident response plan currently under development. It aims to provide written guidance (Word), task lists (Excel), training videos and automation methods (PowerShell) for effectively recovering from a systemic identity attack, and will empower responders, regardless of their current level of maturity or technical expertise, to regain control. It's fair to state that this article will not delve into the detailed components, but will highlight key points and provide an overview of each phase within the broader context of the recovery plan.

Each phase of the plan consists of a series of tasks designed to contain, eradicate, and recover from a systemic identity compromise event. The plan is tailored to address the nuances of threats specific to the Microsoft Entra ID environment but can be adapted to accommodate AWS or Google Cloud environments. Below is an overview of each phase of the Gunryaku as it is defined in the workbook:

  1. Tetsu no Kusari: Enable quick access for the Incident Response team to ensure they have the required permissions at each stage of the recovery process. Once access is granted, the team will place iron chains around the identity control plane to enforce an unyielding hold on the adversary’s movement. This hold will remain in place throughout the recovery of the Microsoft Entra ID tenant, guaranteeing that modifications can be made securely, free from the risk of unauthorised alterations or the possibility of further compromise.
  2. Gekimetsu: The annihilation of persistent access from both the Microsoft Entra ID and cloud resources within Azure management groups or subscriptions. This phase focuses on systematically revoking all existing privileged role assignments, expiring refresh tokens to require re-authentication, removing registered authentication methods, resetting compromised credentials, and deactivating each targeted account that has previously held a privileged role assignment in the tenant.
  3. Futoteki Toride: The initiative involves conducting meticulous evaluations of highly privileged App Registrations, consolidating multi-factor authentication policies into a unified set to construct an impregnable fortress of security, and curtailing the ability of external identities to manipulate the tenant. A secondary objective is to proactively enable the Microsoft Self Service Password Reset service, aimed at streamlining enterprise-wide password resets, particularly in scenarios where the NTDS.dit database has been compromised.
  4. Chōhei: Investigate the widespread persistence mechanisms within active cloud services designed to thwart evasion of mail flow rules, enable untrusted devices to pass conditional access evaluations, mitigate data exfiltration from collaboration tools, and bypass anti-malware solutions. The goal is to thoroughly evaluate and adjust global configurations in Exchange Online, Intune, and SharePoint Online to counteract persistence established to achieve unrestricted access to the target tenant.
  5. Hayabusa no Me: Configure and deploy Defender for Cloud across all Azure Subscriptions to enable vigilant observation of identities and cloud workloads. Integrate critical logs, such as Sign-in and Audit Logs, with Microsoft Sentinel. This integration aggregates security events into a centralised Security Information and Event Management (SIEM) solution, enabling scalable operations, and providing security teams with the capability to swiftly detect and respond to both new and existing threats.
  6. Noboru Tora: Facilitate a smooth transition of stewardship back to the tenant owners and initiate a powerful resurgence of business operations. Privileges will be reinstated using new cloud-only accounts which embrace the adoption of Microsoft Privileged Identity Management to enhance security measures. Emergency user access identities are introduced with FIDO2 security key authentication for maximum security. Temporary, tenant-wide restrictions that were previously imposed to expedite the restoration of administrative control are lifted.
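
As an added illustration of the Gekimetsu phase (this is example code, not part of the Gunryaku workbook or its forthcoming PowerShell automation), the Microsoft Graph PowerShell function below enumerates the active members of a set of privileged Entra ID roles, revokes their refresh tokens, removes their registered authentication methods, disables the accounts and writes a CSV that can be transcribed into the Tasks worksheet. The role list, the break-glass exclusion list, the contoso.example UPN and the CSV path are assumptions; run it with -WhatIf first to preview the accounts it would touch.

```powershell
# Added example: containment helper for the Gekimetsu phase using the
# Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumes the caller already holds the permissions granted to the IR team in
# the Tetsu no Kusari phase. Role names, exclusions and paths are assumptions.
function Invoke-GekimetsuContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Roles whose active members are treated as compromised (assumed list)
        [string[]]$PrivilegedRoles = @(
            'Global Administrator', 'Privileged Role Administrator',
            'Privileged Authentication Administrator', 'Security Administrator',
            'Application Administrator', 'Cloud Application Administrator',
            'Exchange Administrator', 'SharePoint Administrator',
            'Intune Administrator', 'User Administrator'
        ),
        # IR team and emergency access UPNs that must never be touched (assumed)
        [string[]]$ExcludeUpn = @('breakglass-01@contoso.example'),
        [string]$ReportPath = ".\gekimetsu-$(Get-Date -Format yyyyMMdd-HHmm).csv"
    )
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.ReadWrite.All',
        'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

    # Graph collection that each registered MFA method type is deleted from.
    # The password method is not deletable; resetting it is a separate task.
    $methodCollections = @{
        '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
        '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
        '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
        '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
        '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
    }

    $report = foreach ($roleName in $PrivilegedRoles) {
        # Only activated role templates are returned, and only active members;
        # PIM-eligible assignments are not members and need a separate review.
        $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
        if (-not $role) { continue }
        foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
            $upn = $m.AdditionalProperties['userPrincipalName']
            if ($ExcludeUpn -contains $upn) { continue }

            $removed = 0
            $actioned = $PSCmdlet.ShouldProcess($upn, "Revoke sessions, strip MFA methods, disable ($roleName)")
            if ($actioned) {
                # Invalidates refresh tokens so every existing session must re-authenticate
                Revoke-MgUserSignInSession -UserId $m.Id | Out-Null
                foreach ($method in Get-MgUserAuthenticationMethod -UserId $m.Id) {
                    $coll = $methodCollections[$method.AdditionalProperties['@odata.type']]
                    if (-not $coll) { continue }
                    Invoke-MgGraphRequest -Method DELETE `
                        -Uri "https://graph.microsoft.com/v1.0/users/$($m.Id)/authentication/$coll/$($method.Id)"
                    $removed++
                }
                Update-MgUser -UserId $m.Id -AccountEnabled:$false
            }
            [pscustomobject]@{ Role = $roleName; User = $upn; MethodsRemoved = $removed
                               Disabled = $actioned; Time = Get-Date }
        }
    }
    # One row per privileged account actioned, for the Tasks worksheet status
    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    return $report
}
```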

It's important to note that the definitions and tasks are intentionally high-level, as the primary function of the workbook is to track and report progress. Each task is based on extensive and credible field experience, public reports and advisories, and various online community members, and includes contributions derived from engagements where Scattered Spider had received low to moderate fidelity attribution. The phases outlined here have been built from the ground up to ensure tasks are performed sequentially and should be considered complementary toward achieving positive administrative control of the tenant.

As stated, there is much more to come, but for now, let's focus on the Dashboard worksheet, a key component in your incident response and defence toolkit.

Dashboard Worksheet

The Dashboard is an essential tool for incident response, providing a comprehensive overview of the response plan's status and progress. With its data visualisation capabilities, the Dashboard enhances stakeholder engagement by delivering clear and concise updates on the number of tasks that are completed, active, or not yet started.

Key metrics, such as task completion rates and high-priority task distribution, enable informed decision-making by highlighting areas that require immediate attention and resources. Additionally, the graphical representation of task status by phase and tenant allows for quick identification of bottlenecks and ensures accountability across teams. This level of transparency and detailed reporting keeps stakeholders consistently informed about the progress and effectiveness of incident response efforts, fostering confidence and facilitating timely interventions to mitigate risks.

The Dashboard also includes two macros, essential for utilising the workbook effectively. The first macro, the "Add Tenant" button, serves as the starting point.

Upon clicking this button, you will be prompted to provide a unique and recognisable name for the tenant, which will be used for tracking throughout the recovery process. Simply enter a name and click OK.

Provide a Friendly Tenant Name

If you cancel, no tenant will be created within the tasks worksheet, and you will receive a notification that no changes have been made.

Cancellation notification

Once you have entered a suitable name and clicked OK, a macro will run behind the scenes to create a new column for your tenant within the tasks worksheet. For the first tenant, the starting point will be column E, and the status of each task will be set to 'Not Started' by default. Each subsequent click of the Add Tenant button will create a new tenant in the next adjacent 'empty' column, up to a maximum of seven tenants.

Example new Tenant column in Tasks

As new tenants are added, the data visualisation tables will adjust to accommodate the increase in tasks for each newly scoped tenant. This includes dynamic updates to the infographics banner, bar charts, and task completion by phase metrics.

Metrics Banner
Percentage of all tasks complete by phase

Additionally, if you wish to clear the data points and remove all tenants and dependent formulas, you can click the Clear Data button.

Data clearance notification

This will effectively restore the Excel workbook to its default state, ready for re-use.

Intuitive, simplified, and dynamic, the dashboard is designed to lower the barriers to effective incident response for less experienced users. It helps them establish and maintain clear communication and streamlined operations during a crisis.

Conclusion

Cultivating a collaborative mindset around cybersecurity is essential for our collective success. By sharing knowledge and experiences, organisations can move beyond individual struggles and build an effective defense against cybersecurity threats, such as systemic identity compromises. We hope you find this insight and guidance beneficial in ensuring your readiness.

The Gunryaku 'template', when accompanied with Threat Intelligence and complemented with contextual insights, offers a valuable foundation for preparedness and adaptation. Leveraging these resources empowers you to hit the ground running during a crisis, minimising confusion and expediting the crucial recovery of operations.

This collaborative approach yields numerous benefits: it fosters a sense of community within the cybersecurity landscape, shortens the learning curve for newcomers, and strengthens the overall resilience of organisations against ever-evolving cyber threats. By working together and sharing knowledge, we can create a more secure digital environment for everyone.

Remember, incident response is an ongoing process that does not benefit from complacency. Regularly test and update your plan, and don't hesitate to adapt the Gunryaku to your specific needs. With a proactive approach and a commitment to collaboration, you can ensure your organisation is well-equipped to weather any cybersecurity storm. We hope you find this insight and guidance helpful and welcome your support, feedback, or contribution to ensure quality and usefulness for future Gunryaku masters.

The views expressed in this article are based on publicly available information, subject matter expertise, and insights from industry leaders. They reflect the author's unique perspective and do not represent the views of their employers, affiliates, or any associated organisations. This article and its supporting materials are intended solely for educational purposes and are provided without any warranty or guarantee of accuracy. Users of this content should ensure their use complies with their organisational policies and standards, promoting responsible and compliant utilisation. Any reliance on the information provided is at your own risk.

Joaquín Gamiz Delgado

I teach about cybersecurity and cloud | Microsoft Security Expert | Cloud Security Engineer | SIEM Expert | Microsoft x13 | (ISC)2 CC

8 months

Very good post! Thx for sharing.

Andre Joseph

Senior Cloud Security SME | CISO Advisor | Cyber Threat Intelligence| FinTech | AI Security | Threat Hunter

8 months

Great work guys! I added this to my regular list of to know items.
