Hello and welcome to part two of our Valid Accounts discussion. So let's go ahead and pick up where we left off.

So a lot of these things, if you've been in the industry and you work in a security-type field, will be nothing new to you. But it is worth reiterating the importance of the simple controls in overall mitigating risk based on this particular vector.
So enforce password policies that require complex and unique passwords across all systems. So if you've got network infrastructure, and let's say you've got three or four switches, a firewall, maybe you need a router and you've got a router in place, and some DVRs. Let's just say that you've got, you know, a sprawl of different things that are out there. It would be convenient to have one administrative account that's created across all of those systems with a very complex password. That's better than nothing, right? But it would be ideal to create a separate administrative account, even if its name, admin, is the same. Create a complex and unique password across each of those systems, because if a threat actor for some reason is able to gain access to a system, if they're able to figure out the password or they're able to intercept the password because something was sent in clear text or whatever the case may be, they would only have access to that one system. That can still cause trouble, but it's not the same as being able to get into every system.

When possible, implement multi-factor authentication. This is just a general statement here. It's been found that this greatly reduces the risk of account compromise. There's a number of
case studies as well as incidents that have been reported over the years where organizations don't implement dual-factor authentication, and it's something that they could do. It's pertinent that if you're banking with a certain organization, or even if you've got just a general, you know, bill pay account for, like, your phone or whatever the case may be, if you have the opportunity to implement multi-factor authentication, I would always, you know, say that it's worth doing, even though we've seen over the last year that threat actors are finding ways to bypass multi-factor authentication. Again, path of least resistance: if it takes that much longer to compromise an account because multi-factor is in place, if we can avoid, you know, a threat actor easily getting in, or maybe they decide to move on to an easier target, then that helps to reduce overall risk.
Ensure that default accounts are noted and changed on all network and end-user systems. I have done, again, a number of network assessments and things of that nature, and when you walk into a new organization, one of the first things that we do is a scan of the network. You find out what assets are out there, you find out what's talking back, and then if you can get default web pages or interfaces or things of that nature, the first thing you do is go to Google and say, hey, I've got this network switch, this Dell device, I've got this Cisco device, I've got this wireless device, I've got this controller, I've got this DVR. What's the default password? And we find almost in every instance that some system has been overlooked and default credentials have been left in place. And if that system were to be changed, if it were to be compromised, if it were to be just wiped out or rebooted, that can cause issues for an organization, and it could make it very difficult to maybe pinpoint where that device is at.
Properly review privileges and standard user accounts on a regular basis. Now, we get caught up in the day-to-day mundane activities, but in this case it makes sense. Again, we looked at organizations having upwards of 1000 stale accounts. It makes sense, once a quarter at a minimum, to review those accounts and disable those and, you know, put them in the proper OU, organizational unit, in Active Directory, if that's what you're using, and kind of document where things were at. That helps with just keeping track of systems. If you use some type of SIEM solution, it makes it easier to see what is legitimate activity and what is not.
And so with that, let's go ahead and look at detection activities, because that's what we're starting to touch on here. So implement a system that can alert on suspicious behaviors and provides you, of course, with feedback. And so that's important because let's say that we're looking at login activity in Europe and in the US, and that activity is from the same user at the same time. I mean, that is what I would consider not possible. I mean, as much as I'd like to be, you can't be in two places at once. And so in this case, implementing some form of account monitoring, being able to review account states on a regular basis, being able to track that activity back to legitimate administrative activity or general user activity, is going to be beneficial in detecting threat actors as soon as possible and ensuring that you could stop a compromise, potentially, or at least reduce its impact. So with that, let's go ahead and do a quick check on learning. So I've got a softball question for you today.
True or false: a default account is considered a valid account. Based on what we reviewed today, based on MITRE, a default account is considered in the category of valid account. So if you need any more time, please go ahead and pause the video. So a default account is one of the categories of account types that would be considered valid in the MITRE framework. So this is true. So if you missed that, just go back and check out our definition area and give that a look.
So let's go ahead and jump over to the summary for today's discussion. So we reviewed what is or are valid accounts, and we talked about types of accounts: we talked about local versus domain versus default. We reviewed statistics and the association of those statistics with the Valid Accounts area, so we talked about stale accounts and compromises and things of that nature that happen with these account types. We reviewed mitigation activities and some best practices that you can go through. Some of this is reiterating things that you already know, but it's always worth mentioning that sometimes it's best to go back to the basics and implement the simple things. And then we reviewed some detection activities at a high level, again being able to review account activity and tie it back to legitimate user activity, being able to have geolocation information, seeing what systems the users logged into at what times, is definitely a way that we can kind of stop attackers in their tracks and at least minimize the amount of damage that they could do. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.
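The "same user in Europe and the US at the same time" detection described in the discussion above, as an added worked example that is not part of the original course material. The authentication log lines are constructed for illustration, the event format (timestamp, user, city, latitude, longitude) and the 900 km/h feasibility threshold are assumptions, and in a real deployment the same fields would be pulled from a SIEM or identity-provider audit log with GeoIP enrichment. The check generalizes the speaker's example from "same instant" to "too far apart for the elapsed time", so a login from Chicago eight minutes after one from London is flagged while Berlin followed by Paris ten hours later is not.

```python
"""Impossible-travel detection over per-user login events (added example).

For each consecutive pair of logins by the same account, compute the
great-circle distance between the two source locations and compare it to
the distance a person could plausibly cover in the elapsed time.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: "<ISO timestamp> <user> <city> <lat> <lon>".
# In practice these come from IdP / SIEM audit logs (assumption).
SAMPLE_EVENTS = [
    "2024-03-04T08:02:11Z jdoe   London   51.5074   -0.1278",
    "2024-03-04T08:09:47Z jdoe   Chicago  41.8781  -87.6298",
    "2024-03-04T09:15:00Z asmith Berlin   52.5200   13.4050",
    "2024-03-04T19:30:00Z asmith Paris    48.8566    2.3522",
    "2024-03-04T10:00:00Z admin  Dallas   32.7767  -96.7970",
    "2024-03-04T10:00:00Z admin  Dallas   32.7767  -96.7970",
]

# Roughly airliner cruise speed; tune for your environment (assumed threshold).
MAX_SPEED_KMH = 900.0


def parse_event(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, user, city, lat, lon = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "city": city,
        "lat": float(lat),
        "lon": float(lon),
    }


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city, distance_km, hours) for each login pair
    whose implied travel speed exceeds max_speed_kmh.

    Events are sorted per user by time, so out-of-order log delivery does not
    produce spurious alerts. Two logins from the identical location are never
    flagged, even at the same instant (distance is zero).
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: (e["user"], e["time"]))
    alerts = []
    previous = {}
    for ev in events:
        last = previous.get(ev["user"])
        if last is not None:
            dist_km = haversine_km(last["lat"], last["lon"], ev["lat"], ev["lon"])
            hours = (ev["time"] - last["time"]).total_seconds() / 3600.0
            # With hours == 0 any non-zero distance is impossible, which is the
            # "Europe and the US at the same time" case from the discussion.
            if dist_km > 0 and dist_km > max_speed_kmh * hours:
                alerts.append((ev["user"], last["city"], ev["city"], round(dist_km), round(hours, 2)))
        previous[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for user, src, dst, km, hrs in find_impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {user}: {src} -> {dst}, {km} km in {hrs} h")
```

When wiring this into real monitoring, expect false positives from corporate VPN egress points and mobile carriers whose GeoIP location jumps between cities; the usual handling is to whitelist known egress ranges before the check and to treat the alert as a trigger for the account review the discussion recommends, not as proof of compromise on its own.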