M-TRENDS 2019: A FIREEYE MANDIANT SPECIAL REPORT


PROGRAMMATIC ENHANCEMENTS

Based on three common issues we observed during enterprise investigations in 2018, we recommend three programmatic changes to improve incident response and remediation.

LACK OF INVESTIGATION
Incident response playbooks lack steps that would help understand context or determine the need for in-depth analysis—resulting in larger undetected breaches and longer dwell times.
RECOMMENDATION: Develop guidelines to understand the context around identified threats and establish escalation procedures to more experienced analysts.

POORLY TIMED REMEDIATION
Organizations respond too quickly to a breach, which fails to eradicate the attacker, complicates the investigation and prolongs the breach.
RECOMMENDATION: Conduct regular reviews of incident response plans, use cases and playbooks and include guidelines on eradication timing.

DESTRUCTION OF EVIDENCE
The “re-image and replace” model of incident response may destroy valuable evidence, leaving key questions unanswered.
RECOMMENDATION: Ensure that incident response plans, use cases and playbooks include processes that preserve evidence.

PREMEDIATION

Premediation is proactively implementing common remediation-focused initiatives. Many of the incidents we investigated in 2018 could have been prevented or rapidly contained if the targeted organizations had proactively implemented common remediation-focused enhancements.

RECOMMENDATIONS

PRIVILEGED ACCOUNT MANAGEMENT
• Enforce a tiered architecture model for restricting privileged account access
• Implement designated and isolated jump boxes/privileged access workstations (PAWs) for admin functions
• Use the Protected Users Active Directory security group for privileged and sensitive accounts
• Use separate VPN profiles for admins

GENERAL POSTURING
• Tune visibility and detection mechanisms for your environment
• Document domain-based service accounts to speed enterprise password resets
• Design your network architecture to segment and restrict communications between systems

ACTIVE DIRECTORY HARDENING
• Review forest architecture and trusts, focusing on the direction of the trust and security controls
• Review operational processes, monitoring and hardening strategies

ENDPOINT HARDENING
• Use Group Policy settings to enforce Microsoft Office hardening controls
• Review and reduce the scope of standard users with local administrative permissions on endpoints
• Ensure that built-in local admin accounts have unique and random passwords across all endpoints
• Enforce segmentation at the endpoint to prevent lateral movement
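A check for the Protected Users recommendation above, added here as an example and not part of the report: it lists members of privileged groups that are not yet in Protected Users, using the RSAT ActiveDirectory module. The set of privileged groups is an assumption; adjust it to the roles that matter in your forest.

```powershell
# Added example (not from the M-Trends report): report privileged-group members
# that are missing from the Protected Users group, and mark the ones that look
# like service accounts so they are reviewed before being added.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumed list of privileged groups; extend it for your environment.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

# Current Protected Users membership (user objects only), as distinguished names.
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName

foreach ($group in $PrivilegedGroups) {
    # Enterprise/Schema Admins exist only in the forest root; skip groups not found here.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'

    foreach ($m in $members) {
        $user = Get-ADUser -Identity $m.distinguishedName -Properties servicePrincipalName, PasswordNeverExpires
        if ($protected -contains $user.DistinguishedName) { continue }

        # Protected Users blocks NTLM, DES/RC4 Kerberos, delegation and long ticket
        # lifetimes, which breaks many service accounts. Accounts with SPNs or
        # non-expiring passwords usually are service accounts: flag them for review.
        $looksLikeService = ($user.servicePrincipalName.Count -gt 0) -or $user.PasswordNeverExpires

        [pscustomobject]@{
            Group           = $group
            User            = $user.SamAccountName
            InProtectedUsers = $false
            ReviewBeforeAdd = $looksLikeService
        }
    }
}
```

Run it from an administrative workstation; each row is an account to either move into Protected Users or consciously exclude, with the reason documented.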

M&A RISKS

Mergers and acquisitions (M&A) include due diligence and integration activities that are executed under aggressive deadlines. In the rush, leaders integrate networks without resolving security issues, putting both the parent organization and the acquisition at risk.

FORWARDING AND REDIRECTION
Once attackers gain access, they create forwarders, exports or re-direct rules. This allows them to maintain access to email without needing to authenticate to the environment.

MALWARE INSTALLATION
Attackers exploited vulnerabilities in Outlook configurations so that when victims logged on, the system redirected to the attacker’s webpage and was compromised with malware.

PHISHING
In 2018, we observed an increase in attackers using compromised email accounts to send phishing emails to the users’ colleagues. This is particularly effective in M&A situations, since employees expect communication, sometimes unsolicited, between the organizations.

BYPASSING MULTI-FACTOR IDENTIFICATION
Attackers use access to compromised email accounts during M&A to bypass SMS-based, email-based and software-based security token (soft-token) multi-factor authentication.

RECOMMENDATIONS

Here are several mitigation and detection strategies to consider as you go through the M&A process:

1. Conduct a compromise assessment of the acquisition to identify any current or previous compromises.
2. Conduct a proactive review to search for evidence of potential attacker activity within both acquiring and acquired networks—before you integrate them.
3. Audit rights to identify accounts that have access to other users’ email.
4. Disallow the automatic forwarding of email outside the organization, or regularly audit the forwarding rules on mail servers to detect evidence of this technique.
5. Enable audit logging on Office 365.
6. Enable multi-factor authentication on Office 365.
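An audit for the forwarding and redirection technique described under M&A RISKS and for recommendation 4, added here as an example and not part of the report: it inventories mailbox-level forwarding and inbox rules that forward or redirect mail in Exchange Online, and flags destinations outside the tenant's accepted domains. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session with rights to read mailboxes and inbox rules.

```powershell
# Added example (not from the M-Trends report): list every forwarding or redirect
# destination configured in the tenant and mark the external ones for review.
Import-Module ExchangeOnlineManagement

$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalTarget {
    param([string]$Target)
    # Rule recipients render as "Name [SMTP:user@domain]", ForwardingSmtpAddress as
    # "smtp:user@domain". Extract the address and compare its domain to the tenant's.
    if ($Target -match '(?i)smtp:([^\]\s]+)') { $Target = $Matches[1] }
    if ($Target -notmatch '@') { return $false }       # not an SMTP address
    $domain = ($Target -split '@')[-1].TrimEnd(']')
    return -not ($internalDomains -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (admin-set). ForwardingAddress points at a recipient
    # object that may be a mail contact with an external address, so resolve it.
    $targets = @()
    if ($mbx.ForwardingSmtpAddress) { $targets += "$($mbx.ForwardingSmtpAddress)" }
    if ($mbx.ForwardingAddress) {
        $targets += "$((Get-Recipient -Identity $mbx.ForwardingAddress).PrimarySmtpAddress)"
    }
    foreach ($t in $targets) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'
                           Rule = ''; Target = $t; External = (Test-ExternalTarget $t) }
    }
    # User-level inbox rules: ForwardTo, ForwardAsAttachmentTo and RedirectTo are the
    # actions the report describes attackers adding after taking over an account.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $ruleTargets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $ruleTargets) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                               Rule = $rule.Name; Target = "$t"; External = (Test-ExternalTarget "$t") }
        }
    }
}

# External destinations first: these are the entries to validate with the mailbox owner.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
```

To enforce rather than only audit, `Set-RemoteDomain -Identity Default -AutoForwardEnabled $false` blocks client-created automatic forwarding to external domains tenant-wide; the audit above still matters because it also surfaces admin-set forwarding and rules that redirect internally.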

© 2019 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. F-EXT-IG-US-EN-000188-01

Download the full M-Trends 2019 report >
