User Reported Account Compromise

Injection

Fred from HR calls the helpdesk to report that they entered their credentials on a website that they now think was fake.

Discussion Prompts

  1. How do you determine if this is a confirmed security incident or some kind of anomaly?
    • How do you identify what systems, data, people, and operational processes are potentially involved?
    • What real or potential risk(s) does your organization face?
  2. What short-term containment options do you have?
    • Can you contain it without destroying evidence?
    • What is the operational impact of the incident and your containment strategy?

Check Your Work

  • Thanking Fred for Calling
  • Compromised Account Containment
    • End sessions
    • Revoke tokens
    • Force password change
    • Force MFA
    • Check email for rules or delegation changes.
  • Ask the user to change the password if it was reused on other accounts (business or personal).
  • Review Activity
    • Access Logs
    • VPN Connections
    • Impossible travel
  • How much time did you spend on investigation before you changed passwords, etc.?
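As an added example (not part of the exercise materials), here is a small Python check for the "impossible travel" item under Review Activity. It assumes sign-in records already carry a geolocation for the source IP; the records below are constructed sample data, not real logins.

```python
"""Flag 'impossible travel': consecutive sign-ins by the same user whose
implied ground speed exceeds what an airliner could cover."""
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-ins (not real data): user, UTC time, source IP, lat, lon.
# Geolocation is assumed to have been attached by an upstream enrichment step.
SAMPLE_LOGINS = [
    ("fred", "2024-05-01T08:02:00", "203.0.113.10", 40.71, -74.01),  # New York
    ("fred", "2024-05-01T08:47:00", "198.51.100.7", 52.52, 13.40),   # Berlin, 45 min later
    ("fred", "2024-05-01T17:30:00", "203.0.113.10", 40.71, -74.01),  # New York, ~9 h later
    ("alice", "2024-05-01T09:00:00", "192.0.2.5", 51.51, -0.13),     # London
    ("alice", "2024-05-02T09:00:00", "192.0.2.9", 48.86, 2.35),      # Paris, one day later
]

MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner cruise speed; faster than this is suspect


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one tuple (user, ip_before, ip_after, km, hours, kmh) for every
    consecutive pair of sign-ins by the same user that would need speed > max_kmh."""
    by_user = {}
    for user, ts, ip, lat, lon in logins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ip, lat, lon))
    hits = []
    for user, events in by_user.items():
        events.sort()  # chronological order; tuples compare on the datetime first
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km == 0:
                continue  # same place, nothing to flag
            hours = (t2 - t1).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                hits.append((user, ip1, ip2, round(km), round(hours, 2), round(kmh)))
    return hits


if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", hit)
```

Only the New York to Berlin hop 45 minutes later is flagged; the return nine hours later and Alice's London to Paris trip a day apart both fall under the speed threshold.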