
Credential Compromise Attempt Detection and Response

Abstract


The Cyware platform can detect credential compromise attempts and automatically respond, enhancing your organization's cybersecurity.

Category: Endpoint

Cyware Products Used:

  • Respond

  • Orchestrate

  • Collaborate

Third-Party Integrations Used:

  • TrendMicro Vision One: Collects and correlates deep activity data from the TrendMicro XDR Agent installed on endpoints and presents it as alerts.

Problem Statement

Credential dumping is one of the common methods used by attackers to gain access to account information such as login details and passwords. After gaining initial access, attackers use the stolen credentials to spread further in an organization’s network while remaining stealthy and undetected. Hence, it becomes difficult for security teams to detect these attacks as they hide between security silos and detached alerts.

Solution

To solve this problem and automatically detect credential dumping attempts, Cyware Fusion Center uses the Credential Compromise Attempt Detection and Automated Response playbook.

When attackers gain access to a system, they attempt to locate, copy, and dump the credentials that are stored for use in everyday tasks. The TrendMicro XDR Agent collects and correlates credential dumping activity data and triggers an alert in the Trend Micro Vision One application. The Credential Compromise Attempt Detection and Automated Response playbook uses the alert triggered by the Trend Micro XDR Agent as the starting point to automate the detection and response process.

[Figure: Credential Compromise Attempt Detection and Automated Response playbook flow]

How do we solve this problem?

The Credential Compromise Attempt Detection and Automated Response playbook continuously looks for credential dumping alerts on the Trend Micro Vision One application. When a credential dumping attempt is detected, the playbook retrieves the alert from Trend Micro Vision One and performs the following activities.

  1. Retrieve Alert Details: The playbook retrieves more details about the suspicious alert from Trend Micro Vision One using the alert ID.

  2. Incident Response: Using the alert details retrieved from Trend Micro Vision One, the playbook creates an incident in Respond and updates the incident details. The playbook also performs the following activities:

    1. Checks the asset on Respond to retrieve more details of the asset.

    2. Creates an action in Respond to deactivate the compromised user account in Active Directory, deactivates the account in Active Directory, and records a comment on the respective action.

    3. Investigates and closes the incident after all incident response phases are completed, the actions are closed, and the learnings from the incident are documented.

  3. Send Notifications: The playbook sends the following notifications to impacted users and security teams:

    1. Notifies affected users by sending a Collaborate alert.

    2. Notifies security teams about the incident by sending a Collaborate alert to make sure they build the necessary defense against the threat.

  4. Update Trend Micro Alert: The playbook performs the following remediation activities:

    1. Updates the TrendMicro Vision One alert with the incident details. The details include the name and the incident ID of the incident created in Respond.

    2. Updates the TrendMicro alert status, which is changed to Closed on the TrendMicro Vision One application.
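The four-step flow above, together with the analyst approval gate mentioned under Solution Benefits, as an added illustration that is not Cyware's or Trend Micro's code: the Vision One, Respond, Active Directory and Collaborate integrations are replaced by hypothetical in-memory stand-ins, the alert fields are a constructed sample rather than the real Vision One schema, and the playbook pauses before the account deactivation until an analyst resumes it.

```python
from dataclasses import dataclass, field

# Constructed sample alert; field names are assumptions, not Vision One's schema.
SAMPLE_ALERT = {"id": "WB-00042", "model": "Credential Dumping via LSASS Memory Access",
                "host": "WKSTN-17", "user": "CORP\\jdoe", "status": "New"}

@dataclass
class Stores:
    """Hypothetical in-memory stand-ins for the systems the playbook touches."""
    alerts: dict = field(default_factory=dict)         # Vision One alert state
    incidents: dict = field(default_factory=dict)      # Respond incidents by id
    actions: list = field(default_factory=list)        # Respond actions
    ad_disabled: set = field(default_factory=set)      # accounts disabled in AD
    notifications: list = field(default_factory=list)  # Collaborate alerts sent

def run_playbook(alert, stores):
    """Steps 1-3 plus the first half of step 4: open the incident, queue the
    deactivation action (gated on approval), notify, link alert to incident.
    Re-running on the same alert id is a no-op, so retries never duplicate."""
    inc_id = f"INC-{alert['id']}"
    if inc_id in stores.incidents:
        return stores.incidents[inc_id]
    stores.alerts[alert["id"]] = dict(alert)
    inc = {"id": inc_id, "name": alert["model"], "alert_id": alert["id"],
           "asset": alert["host"], "user": alert["user"], "state": "Open"}
    stores.incidents[inc_id] = inc
    # Step 2.2: the action is created now, but the account is not touched yet
    stores.actions.append({"incident": inc_id, "type": "deactivate_ad_user",
                           "target": alert["user"], "status": "Pending approval"})
    # Step 3: notify the affected user and the security team via Collaborate
    stores.notifications.append(("user", alert["user"], inc_id))
    stores.notifications.append(("security-team", "all", inc_id))
    # Step 4.1: write the Respond incident name and id back to the alert
    stores.alerts[alert["id"]]["incident"] = {"id": inc_id, "name": inc["name"]}
    return inc

def approve_deactivation(inc_id, stores, analyst):
    """Analyst approval resumes the playbook: disable the account in AD, close
    the action with a comment, then close the incident and the Vision One alert."""
    inc = stores.incidents[inc_id]
    action = next(a for a in stores.actions
                  if a["incident"] == inc_id and a["status"] == "Pending approval")
    stores.ad_disabled.add(action["target"])
    action["status"] = "Closed"
    action["comment"] = f"Account disabled in AD; approved by {analyst}"
    inc["state"] = "Closed"
    stores.alerts[inc["alert_id"]]["status"] = "Closed"   # step 4.2
    return inc
```

Until an analyst calls approve_deactivation, the incident, the pending action and the notifications exist but the account and the Vision One alert are untouched.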

Solution Benefits

Minimize Response Times

By automating the response against complex and diverse threats, playbooks prove to be effective at minimizing response time thereby reducing overall risk exposure.

Striking the Right Balance

The automated playbook sends approval requests to analysts before performing critical tasks such as blocking a user account. This enables analysts to manually intervene wherever required in the process and make it fully effective.

Collaboration Driven Response

Cyware’s SOAR solution provides a collaboration-driven response and allows security teams to deploy necessary response actions at the right phase of the incident.