Identity-Based Breaches: Navigating the Aftermath
According to Cisco Talos, 80% of breaches involved identity as a key component. As organizations continue to rely on digital identities for access control and authentication, the risk of identity compromise grows. These breaches can have severe consequences, affecting not only the organization but also its customers, partners and overall reputation. Therefore, it is crucial to have proper mitigation controls in place. However, even with the best defenses, breaches can still occur. When they do, it's essential to have a robust response plan to limit the damage and recover swiftly.
The serious consequences of a breach
There is really no need to reiterate the serious consequences of a breach. Breaches are bad! They pose significant risks to an organization's operations, reputation and stakeholders. They can expose sensitive data, instigate operational disruption and lead to serious financial liability in both direct and indirect ways. The key point here is that limiting the blast radius of a breach is of the utmost importance — and having a plan to quickly remediate and bounce back from a breach is integral.
Mitigation controls: A proactive approach
To be clear, Duo often sits as a primary mitigation mechanism against breaches. By providing strong and flexible multi-factor authentication (MFA), enforcing granular, risk-based access policies, and ensuring that only trusted devices get access to sensitive resources, Duo helps our customers defend against breaches in a variety of key ways.
With the introduction of our Identity Intelligence functionality, Duo has even more tools to proactively help organizations improve their identity posture and make sure their defenses are optimized.
Responding to an identity-based breach: Best practices
However, despite having strong defenses in place, sometimes breaches can still occur. When they do, it's important to remember that the game is not over. Here are some best practices to put in place after an identity breach occurs:
Short-term best practices
Identify and Remediate Affected Accounts: Conduct a thorough investigation to identify all compromised accounts. Understanding the scope of the breach is crucial for effective remediation and preventing further unauthorized access.
Re-establish Trust and Secure Accounts: Though it may be painful, it's important to re-establish trust with the affected accounts. This means running them through an identity verification process to know that the account is associated with the correct user. Then, consider strengthening MFA requirements. For example, if SMS was still allowed as an MFA factor, maybe move up to Verified Push. Re-establishing trust and adding stronger MFA can help prevent attackers from regaining access using stolen credentials.
Rotate Passwords for All Users: Require all users to change their passwords, even if their accounts were not directly affected. This precaution helps mitigate the risk of undetected compromised accounts and enhances overall security.
Enhance Monitoring and Detection Capabilities: Implement or upgrade security monitoring tools to detect suspicious activities and potential breaches in real-time. One way to do this is by leveraging Duo’s new Identity Intelligence functionality, which provides dedicated Identity Threat Detection & Response capabilities. Improved monitoring allows for quicker detection and response to security incidents, minimizing potential damage.
Long-term best practices
Conduct a Post-Breach Security Audit: Perform a comprehensive security audit to identify vulnerabilities and gaps in the current security infrastructure. An audit helps in understanding how the breach occurred and what measures can be taken to prevent similar incidents in the future. Again, Duo’s new Identity Intelligence is a great mechanism to use during such an audit. In particular, the new Identity Security Posture score can help highlight areas of weakness and gives recommended actions for improvement.
Implement Stronger Identity Security Controls: Review and improve identity security controls, such as implementing tighter access policies, enforcing device trust and improving the deployment and adoption of MFA. Stronger controls reduce the likelihood of future breaches and improve the organization's security posture.
Educate and Train Employees: Conduct security awareness training for employees to recognize phishing attempts and other common attack vectors. Educated employees are less likely to fall victim to social engineering attacks, reducing the risk of future breaches.
Communicate Transparently with Stakeholders: Inform affected individuals, regulatory bodies and other stakeholders about the breach and the steps being taken to address it. Transparent communication helps maintain trust and ensures compliance with legal and regulatory requirements.
Conclusion
While we hope to have strong enough defenses in place to prevent breaches, we must not ignore the possibility that a breach will happen to us. If it does, having a strong playbook ready can help limit the blast radius, remediate the situation quickly and improve our security posture moving forward. By following best practices and learning from each incident, we can build a more resilient organization capable of withstanding the evolving threat landscape. Remember, the key to effective breach response is preparation, swift action, and continuous improvement.
If you’d like to learn more about building a playbook for breach response, check out our eBook: Building an Identity Security Program.