Preventing the ability of attackers to perform lateral movement within your network is not only a threat detection function—it’s also a cyber hygiene function. In this blog, we’ll review some of the most common—and invisible—ways that privileged user credentials proliferate in enterprise networks. It’s well understood that domain admin or other high-powered credentials are gold to a cyberattacker. With “keys to the kingdom,” they can move easily and silently from one system to another, change domain attributes, add permissions, change passwords, and connect to any machine in the domain. Most organizations dedicate significant resources to careful management of Active Directory and use various technologies and practices to control access privileges. But our experience shows that even in the most diligent organizations, privileged user credentials are more accessible to attackers than you’d think.
It goes without saying that digital transformation—the reengineering of core business processes leveraging digital technology—dramatically increases cyber risk for most organizations. It usually results in greater avenues of connectivity, collection of richer data from more sources, use of cloud services, extension of trust to more people and entities, and incorporation of smart devices in one form or another.
ATMs are literally boxes of cash—too good for criminals of any stripe to pass up. When ATMs first emerged, thieves used brute-force tools like crowbars, explosives, and propane torches to remove the ATM machine itself or get at the cash inside. As recently as April, three men were charged in Salt Lake City, UT, for trying to blow up ATMs and steal the cash.
With cyber risk an executive- and board-level concern, it's not enough to try to prevent attackers from gaining entry to your network. Advanced, persistent attackers can still get through even the most advanced defenses. Once they're in, they have the arduous task of moving from their initial point of entry to their ultimate target. This is the time when attackers are most vulnerable—and where we, as defenders, have an opportunity to tip the balance in our favor.
Practically, conducting digital forensics analysis is the procedure of investigating security alerts or suspicions of malicious activity in a computer network.
I like to think of DFIR as a procedure analogous to a military debriefing.
When fighter pilots return from an operative mission, they immediately conduct a debrief, which covers the objectives, what worked and what didn’t, and exactly how the next mission will be improved upon to complete each objective. Digital Forensics is really no different and here's why ...