Microsoft Detection and Response Team (DART) AMA
Tuesday, Mar 15, 2022, 09:00 AM PDT

Event details
We are very excited to announce our Microsoft Detection and Response Team (DART) AMA!
About DART: Our job is to respond to compromises and help our customers become cyber-resilient. This is al...
Trevor_Rusher
Updated Feb 16, 2022
DigtalNathan, Mar 15, 2022
Thanks for hosting the AMA, DART Team. I'd like to know, as you're wrapping up an engagement, what are the most frequent tips you find you give clients in the spirit of: "If you had done {x} before this incident, it would have been easier for us to help you recover...." I know sadly it probably isn't a true assumption, but so we get best value from your answers to this, let us assume everyone is already well on top of their game when it comes to a) making appropriate backups and keeping them out of attacker reach, and b) centralised log collection and management. If those were nailed, what else would be your top tips?
- DaveSchrock (Microsoft), Mar 15, 2022
Some of the frequent things we find missing in today's landscape are:

1. Lack of an Incident Response plan. Doesn't have to be a million steps, but it needs to have procedures in place that are clear and direct. SOC analyst calls lead to get the alert or suspicious behavior looked at with another set of eyes, then a flow chart based on decisions from there. Actors are getting faster; however, there are usually signs of compromise 30-60+ days before the investigation starts.
2. Recovery only needs to happen after an incident. Let's build more on proactive measures! MFA everything, password-less login, Windows Hello. As remote work has turned into the norm, many IT providers have put solutions in place fast to enable workers. This fast pace usually cuts security corners sometimes, as they may not have MFA on VPN.
3. Someone will always click the email. Credential tiering helps cut off the lateral movement possibilities and privilege escalation. Losing an end user's workstation should not lead to a full domain compromise.

- DigtalNathan, Mar 15, 2022

Glad to hear I'm not the only one banging the drum re: "Someone will always click the email." End-user security awareness training is a useful part of the strategy but I worry too many people think that it can form an 'entire' solution to a problem that will always need more than that. Other than LAPS, what are your "defend against lateral movement" recommendations?
- DaveSchrock (Microsoft), Mar 15, 2022
LAPS is huge for this, as I am sure you are aware. However, we see customers deploying LAPS, then having a helpdesk administrator group that has accounts that are administrators across every workstation. This pretty much defeats the purpose of having LAPS at all, since there are still accounts that have admin-level permissions across all or a large portion of the user endpoints. Other than LAPS, set business and technical policies that stop administrative accounts logging into endpoints outside of their scope. Using Group Policy, you can restrict users or groups from logging into devices. This is a good way to technically enforce that your tier 0 admins (Active Directory admins, ADFS, AD Connect, Configuration Manager, etc.) cannot log into their workstation (which is a tier 2 asset). You can also use this to set which groups of users can log in to which endpoints. Users located in America shouldn't need to log in to workstations over in Europe.
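One way to find the LAPS-defeating pattern described above (a helpdesk group that is a local administrator on every workstation) is to inventory local Administrators membership across the fleet and rank principals by how many machines they cover. The PowerShell below is an added example, not code from the DART team or this thread; it assumes WinRM is reachable, the RSAT ActiveDirectory module is installed, and the OU path is a placeholder to replace.

```powershell
# Added example (not from DART or this thread): report which domain principals
# sit in the local Administrators group across a fleet of workstations.
# Assumptions: WinRM reachable, RSAT ActiveDirectory module installed, and the
# caller may read local groups on the targets. The OU path is a placeholder.
Import-Module ActiveDirectory

$workstationOU = 'OU=Workstations,DC=example,DC=local'   # placeholder OU
$computers = (Get-ADComputer -Filter * -SearchBase $workstationOU).Name

# Collect local Administrators membership from every reachable workstation.
$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      Name, ObjectClass, PrincipalSource
}

# Domain Admins is present by default; the built-in local Administrator is the
# account LAPS rotates, so local principals are excluded as well.
$expected      = @('Domain Admins')
$totalMachines = @($members.Computer | Sort-Object -Unique).Count

$report = $members |
    Where-Object { $_.PrincipalSource -ne 'Local' -and
                   ($_.Name -split '\\')[-1] -notin $expected } |
    Group-Object Name |
    Select-Object @{ n = 'Principal'; e = { $_.Name } },
                  @{ n = 'Type';      e = { $_.Group[0].ObjectClass } },
                  @{ n = 'Machines';  e = { $_.Count } },
                  @{ n = 'Coverage';  e = { [math]::Round(100 * $_.Count / $totalMachines, 1) } } |
    Sort-Object Machines -Descending

# A principal that is an administrator on most of the fleet is a standing
# lateral-movement path that LAPS alone does not close; review those first.
# The 50% threshold is an arbitrary starting point for triage.
$report | Where-Object { $_.Coverage -ge 50 } | Format-Table -AutoSize
$report | Export-Csv -Path '.\local-admin-coverage.csv' -NoTypeInformation
```

Principals that show up on a large share of machines are candidates for replacement with per-tier, per-scope groups and logon restrictions enforced through Group Policy user rights assignments.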
- eolson (Microsoft), Mar 15, 2022
Know your business applications and their dependencies. When we ask you to take down a SQL Server because of an indicator of compromise, what's going to be the impact? What applications will be unavailable to your organization? Do you know all of your service accounts and their passwords? What would be the level of effort to reset those passwords?