Lumu Discover Compromised Employee Credentials and Data Leaks Playbook

Every organization has external assets that are necessarily exposed—not only to customers and users but also, unfortunately, to malicious actors. Lumu Discover provides insights into compromised employee credentials. However, finding the infostealers behind those leaks and removing them requires action. In this playbook, we explore the steps you can take to mitigate the impact of compromised accounts and credentials, and how to further protect your network.
This playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST Special Publication 800-61 Revision 2, the incident response life cycle has four main phases, as described in the following illustration. Each phase is covered in its own section below.

Preparation

This section outlines the essential steps to proactively prepare for responding to and addressing compromised credentials as they are detected. These measures ensure that the organization is well-equipped to efficiently identify, evaluate, and remediate incidents involving exposed login details.

How Lumu Helps

  • Lumu Discover monitors adversarial infrastructure to detect any data leaks containing exfiltrated login data belonging to people in your organization, and alerts you about any stolen employee credentials it detects.
  • Lumu traces back malicious activity to affected accounts inside your organization. You can use this information to start operating on affected accounts to close the breach.
  • Credential Management:
    • Ensure all passwords follow strong policy guidelines (e.g., length, complexity). Each additional character multiplies the number of possible combinations, so a longer password is significantly harder to guess even if the individual characters used are simpler. Adding special characters and capitalization on top further enlarges the search space.
    • Implement Multi-Factor Authentication (MFA) across all corporate applications and systems. Additional factors bound to something the user is or something the user possesses make it harder for adversaries to gain access to company accounts with a stolen password alone.
    • Use Lumu’s detection capabilities to monitor for credential leaks in real time. Whenever Lumu detects compromised credentials in a data leak, they will be filtered and shown in Lumu Discover.
  • Access Control:
    • Limit administrative privileges to a few select accounts, and enforce the principle of least privilege: grant employee accounts ONLY the privileges they need to conduct their job. Limiting access and clearance for accounts according to their needs limits the impact of any potential credential leak.
    • Audit critical systems and assets to find any inactive or unnecessary accounts. These accounts are weak links in your organization and must be addressed promptly.
  • Employee Awareness:
    • Cybersecurity unawareness is a fatal weakness for any organization, and the only way to address it is through training. Train all your employees and collaborators to easily recognize phishing emails, to avoid suspicious links and downloads, and to avoid social engineering campaigns.
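The credential-management guidance above can be turned into a simple policy check. The following script is an added example, not part of Lumu Discover or Lumu's documentation: the minimum length, the blocklist and the sample passwords are constructed values, and the keyspace estimate assumes a randomly chosen password over the character classes it actually uses, which is an upper bound on real-world guessing resistance.

```python
import math
import string

# Constructed policy values; tune them to your own standard.
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}  # constructed sample


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker would have to cover, based on the
    character classes the password actually uses (lower, upper, digit, symbol)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the number of strings of the same length over the same alphabet.
    Each extra character multiplies the count by the alphabet size, which is
    why length dominates complexity."""
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def meets_policy(password: str, min_length: int = MIN_LENGTH) -> tuple[bool, list[str]]:
    """Return (ok, reasons). Reasons list every rule the password fails."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password blocklist")
    if len(set(password)) == 1:
        reasons.append("single repeated character")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed comparison: 16 lowercase letters vs. 8 mixed-class characters.
    for pw in ("abcdefghijklmnop", "Ab1!Ab1!", "password", "Tr0ub4dor&3 horse"):
        ok, reasons = meets_policy(pw)
        print(f"{pw!r:22} bits={keyspace_bits(pw):5.1f} ok={ok} {reasons}")
```

The comparison in the `__main__` block makes the point from the text concrete: a 16-character lowercase password sits at about 75 bits of keyspace, while an 8-character password drawing on all four classes reaches only about 52 bits.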

Detection & Analysis

During this stage, you must make good use of the groundwork laid during the preparation stage, and focus on identifying, validating, and understanding any incidents involving compromised credentials and their potential impact.

How Lumu Helps:

  • You can use the intelligence provided by the Lumu Portal and Lumu Discover to correlate each detected leaked credential with its corresponding employee account and compromised company asset.
  • Validate Credential Compromise:
    • Use the IoC intelligence provided by the Lumu Portal to pinpoint compromised accounts and vulnerable collaborators.
    • Validate the presence of unusual login activity in any of your systems and/or services. If an account has been compromised, expect failed login attempts as well as logins from unusual locations.
  • Assess Exposure:
    • Determine the scope and impact of the affected systems and/or data. Validate the permissions and administrative privileges of the affected accounts and assets to gain a better understanding of the issue.
    • Investigate any potential lateral movement or privilege escalation attempts made by the affected accounts, and from the compromised company assets.
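The validation steps above (failed login attempts, logins from unusual locations, scoping the affected accounts) can be run as a first triage pass over your authentication logs. The script below is an added example and is not part of Lumu Discover or Lumu's documentation; the list of flagged accounts, the per-user location baseline and the log lines are constructed, and the CSV layout is an assumption standing in for whatever your identity provider or VPN exports.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed: accounts reported as compromised (in practice, the list from Lumu Discover).
FLAGGED_ACCOUNTS = {"jdoe@example.com", "asmith@example.com"}

# Constructed: countries each user normally authenticates from.
BASELINE_LOCATIONS = {
    "jdoe@example.com": {"CO"},
    "asmith@example.com": {"CO", "US"},
}

# Constructed authentication log in an assumed CSV layout.
AUTH_LOG = """timestamp,user,result,src_ip,country
2024-05-01T08:01:10Z,jdoe@example.com,success,203.0.113.10,CO
2024-05-01T23:14:02Z,jdoe@example.com,failure,198.51.100.7,RU
2024-05-01T23:14:09Z,jdoe@example.com,failure,198.51.100.7,RU
2024-05-01T23:14:15Z,jdoe@example.com,failure,198.51.100.7,RU
2024-05-01T23:14:40Z,jdoe@example.com,success,198.51.100.7,RU
2024-05-01T09:30:00Z,asmith@example.com,success,203.0.113.22,US
2024-05-01T09:31:00Z,bwong@example.com,failure,203.0.113.40,CO
"""


def parse_log(text: str) -> list[dict]:
    """Parse the CSV export into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def has_failure_burst(failures: list[dict], threshold: int, window: timedelta) -> bool:
    """True if at least `threshold` failures fall inside any sliding `window`."""
    for i in range(len(failures)):
        j = i
        while j < len(failures) and failures[j]["timestamp"] - failures[i]["timestamp"] <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False


def triage(rows, flagged, baseline, fail_threshold=3, window=timedelta(minutes=10)) -> dict:
    """Per flagged account: failed-login count, burst flag, successful logins from
    countries outside the user's baseline, and a priority for the analyst queue."""
    by_user = defaultdict(list)
    for r in rows:
        if r["user"] in flagged:
            by_user[r["user"]].append(r)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda r: r["timestamp"])
        failures = [e for e in events if e["result"] == "failure"]
        burst = has_failure_burst(failures, fail_threshold, window)
        unusual = sorted({
            e["country"] for e in events
            if e["result"] == "success" and e["country"] not in baseline.get(user, set())
        })
        # A successful login from outside the baseline means the stolen credential
        # has probably been used; a failure burst alone means someone is trying.
        priority = "high" if unusual else ("medium" if burst else "low")
        findings[user] = {
            "failed_logins": len(failures),
            "failure_burst": burst,
            "unusual_success_locations": unusual,
            "priority": priority,
        }
    return findings


if __name__ == "__main__":
    for user, f in triage(parse_log(AUTH_LOG), FLAGGED_ACCOUNTS, BASELINE_LOCATIONS).items():
        print(user, f)
```

Accounts that come back `high` (a successful login from a location outside the user's baseline) are the ones to scope first in the "Assess Exposure" step: check their privileges and look at what those sessions touched. Unflagged accounts are deliberately ignored here so the pass stays focused on what Lumu Discover reported.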

Containment, Eradication & Recovery

During this stage, you must focus on mitigating risks from any identified infostealer infections, stopping the spread of the threat, eliminating it, and restoring any affected operations securely.

How Lumu Helps:

  • Lumu delivers actionable intelligence on the misuse of credentials and company assets, enabling you to guide your team effectively during containment and eradication efforts.
  • Containment:
    • Temporarily limit or deactivate any compromised accounts.
    • Use firewall and/or IP rules to block any malicious contact attempts. This can also be achieved using Lumu’s integrations so your firewall solution can automatically block adversary contact attempts.
  • Eradication:
    • Reset the credentials of all affected accounts, and ensure that the new ones follow the updated password standards that your workforce should have learned by this point.
    • Conduct a security audit of all connected systems to ensure any remaining backdoors have been addressed and closed.
  • Recovery:
    • Reinstate all accounts once their credentials have been updated and the account holder has received updated cybersecurity awareness training.
    • Keep monitoring all affected accounts in case any unusual activity is detected.

Post-Incident Activity

Make the most of what was learned while handling a potential crisis. Focus on improving secure credential management practices and preventing future incidents.

How Lumu Helps:

  • Lumu continuously assesses your organization’s network activity to detect further credential misuse. You can use the Incidents view and Lumu Discover in tandem to detect the symptoms of a potential malware infection, and to find out whether any credentials have been compromised.

Recommended Actions:

  • User Behavior Analysis:
    • Identify unsafe trends in user behavior that can potentially lead to compromising account details.
  • Policy Adjustments:
    • Strengthen your organization’s authentication mechanisms and policies (e.g., passwordless login, stricter MFA enforcement), and make sure that your collaborators are following them.
  • Training Adjustments:
    • If enough negative behavioral trends are detected, consider adjusting your general training guidelines to correct those behaviors and to reinforce your cybersecurity policy.
