5 Critical Response Actions for an Identity Breach

Leveraging automation for rapid threat response

79 percent of data breaches are identity related, costing organizations an average of $4.5M [1]. When an identity breach occurs, time is of the essence. The median dwell time for ransomware has dropped to less than 24 hours. Cyberattacks are happening faster, and the longer a compromised identity remains active, the greater the potential for damage.

Cybercriminals can use a compromised identity to access sensitive information, steal data, move laterally and launch further attacks within the organization. Taking immediate action is essential to contain a breach and minimize its impact. Automation plays a key role in enabling organizations to respond swiftly and effectively to identity threats.

5 Critical Automated Response Actions to Protect Against an Identity Breach

1. Disable a User

One of the first actions an organization should take when an identity breach is detected is to disable the compromised user account. Disabling the user account prevents the attacker from continuing to use the compromised identity to access the organization's systems and data. This action effectively cuts off the attacker's access and helps to contain the breach.

Automation can significantly speed up this process. With automated response actions, organizations can quickly identify compromised accounts and disable them in real-time. This rapid response minimizes the window of opportunity for attackers and reduces the risk of further damage.

2. Force a Password Reset

Passwords are often the first line of defense against unauthorized access. When an identity breach occurs, it is crucial to force a password reset for the compromised account. This ensures that the attacker can no longer use the stolen credentials to gain access.

Automated playbooks can be configured to trigger a password reset when a breach is detected. This not only saves time but also ensures that the password reset process is initiated immediately, reducing the risk of further unauthorized access.

3. Force a Multi-Factor Authentication (MFA) Refresh

Multi-factor authentication (MFA) adds an extra layer of security by requiring users to provide additional verification beyond just a password. In the event of an identity breach, it is important to force an MFA refresh for the compromised account. This means that the user will need to re-authenticate using MFA, effectively invalidating any existing authentication tokens that the attacker may have obtained.

Automated playbooks can enforce MFA refresh policies, ensuring that compromised accounts are re-authenticated promptly. This action helps to prevent attackers from using stolen authentication tokens to gain access to the organization's systems.

4. Lock an Account

Locking a compromised account is another critical response action. This prevents the attacker from attempting to use the account until the issue is resolved. Locking the account also provides the organization with time to investigate the breach and take appropriate remediation steps.

Automation can streamline the account locking process, allowing organizations to quickly lock compromised accounts as soon as a breach is detected. This immediate response helps to contain the breach and prevent further unauthorized access.

5. Revoke a Session

In addition to disabling the user account and forcing a password reset, it is important to revoke any active sessions associated with the compromised identity. This ensures that the attacker is immediately logged out of any systems they may have accessed using the stolen credentials.

Automated actions can be configured to revoke active sessions in real-time, effectively cutting off the attacker's access. This is crucial for containing the breach and preventing further unauthorized activity.
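The five actions above are one containment procedure, and the order in which an automated playbook runs them matters: a password reset or an account disable does not, in every identity provider, invalidate tokens that were already issued, so sessions should be revoked first. The following is an added example, not Secureworks or Taegis code, that runs the five actions in that order against an abstract identity provider and returns an audit record. The `IdentityProvider` interface, the in-memory `SimulatedDirectory`, the `BREAK_GLASS` list and the user `jdoe` are all constructed for the example; in a real deployment only the provider class would be swapped for one that calls the directory's API.

```python
"""Constructed identity-containment playbook (example, not Taegis code).

Runs the five response actions from the post in a deliberate order against an
abstract identity provider. A simulated in-memory directory stands in for the
real directory so the playbook runs offline.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field
from typing import Protocol


class IdentityProvider(Protocol):
    """Minimal operations the playbook needs (assumed interface, not a real API)."""
    def revoke_sessions(self, user: str) -> int: ...
    def disable_user(self, user: str) -> None: ...
    def reset_password(self, user: str, new_password: str, force_change: bool) -> None: ...
    def reset_mfa(self, user: str) -> None: ...
    def lock_account(self, user: str) -> None: ...
    def active_sessions(self, user: str) -> int: ...
    def is_enabled(self, user: str) -> bool: ...


@dataclass
class _User:
    enabled: bool = True
    locked: bool = False
    password_hash: str = "old"
    must_change_password: bool = False
    mfa_registered: bool = True
    sessions: set[str] = field(default_factory=set)


class SimulatedDirectory:
    """Constructed stand-in for a directory service; keeps all state in memory."""
    def __init__(self) -> None:
        self.users: dict[str, _User] = {}

    def add_user(self, name: str, sessions: int = 0) -> None:
        self.users[name] = _User(sessions={f"sess-{i}" for i in range(sessions)})

    def revoke_sessions(self, user: str) -> int:
        n = len(self.users[user].sessions)
        self.users[user].sessions.clear()
        return n

    def disable_user(self, user: str) -> None:
        self.users[user].enabled = False

    def reset_password(self, user: str, new_password: str, force_change: bool) -> None:
        u = self.users[user]
        u.password_hash = f"hash({new_password})"  # a real IdP hashes server-side
        u.must_change_password = force_change

    def reset_mfa(self, user: str) -> None:
        self.users[user].mfa_registered = False  # user must re-enrol MFA

    def lock_account(self, user: str) -> None:
        self.users[user].locked = True

    def active_sessions(self, user: str) -> int:
        return len(self.users[user].sessions)

    def is_enabled(self, user: str) -> bool:
        return self.users[user].enabled


# Constructed list: accounts that must never be contained without human approval,
# because disabling them could lock the responders themselves out.
BREAK_GLASS = frozenset({"emergency-admin"})


def contain_identity(idp: IdentityProvider, user: str, reason: str) -> dict:
    """Run the five response actions and return an audit record.

    Sessions are revoked first: resetting a password or disabling the account
    does not, in every provider, invalidate tokens that were already issued.
    """
    if user in BREAK_GLASS:
        raise PermissionError(f"{user} is a break-glass account; containment needs approval")
    audit: dict = {"user": user, "reason": reason, "started": time.time(), "actions": []}
    revoked = idp.revoke_sessions(user)              # 5. revoke sessions (first)
    audit["actions"].append(("revoke_sessions", revoked))
    idp.disable_user(user)                           # 1. disable the user
    audit["actions"].append(("disable_user", True))
    # Random temporary password that is never logged; user must change it after
    # identity re-verification by the help desk.
    idp.reset_password(user, secrets.token_urlsafe(24), force_change=True)  # 2.
    audit["actions"].append(("reset_password", True))
    idp.reset_mfa(user)                              # 3. force MFA refresh
    audit["actions"].append(("reset_mfa", True))
    idp.lock_account(user)                           # 4. lock the account
    audit["actions"].append(("lock_account", True))
    # Verify the end state rather than trusting that each call succeeded.
    audit["verified"] = idp.active_sessions(user) == 0 and not idp.is_enabled(user)
    return audit


if __name__ == "__main__":
    directory = SimulatedDirectory()
    directory.add_user("jdoe", sessions=3)           # constructed compromised user
    print(contain_identity(directory, "jdoe", "credential stuffing detected"))
```

The playbook is idempotent, so a detection that fires twice can safely run it twice, and the `verified` flag gives the analyst a checked end state instead of a list of calls that were merely issued. The break-glass guard is the caveat any automated containment needs: an action that disables accounts at machine speed must not be able to disable the account used to recover from it.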

Quickly and Automatically Respond to Identity Threats with Secureworks® Taegis™

Automated threat response actions are built into Secureworks Taegis XDR, and analysts use these actions to rapidly respond to critical threats. Secureworks provides real-time monitoring and detection of identity threats, including advanced threats like kerberoasting, password spraying, and brute force attacks. When a breach is detected, automated workflows can be triggered to disable user accounts, force password resets, enforce MFA refreshes, lock accounts, revoke sessions, and more.

Secureworks recently introduced One-Click Response Actions, allowing organizations to swiftly execute response actions within their environment with a single click. These actions are easy to configure and are powered by the Taegis automation platform. They support integration with common IT and InfoSec tools, ensuring that the right response actions are readily available when needed. Additionally, Secureworks Taegis IDR can help organizations prevent identity threats by continuously monitoring the environment for identity risks and misconfigurations while providing dark web intelligence on compromised credentials.

Request a demo of Taegis to see how built-in automation can accelerate identity threat response.

[1] Identity Defined Security Alliance (IDSA), Identity Security: A Work in Progress; Ponemon Institute, Cost of a Data Breach 2023
