Highlighted ITDR Capabilities

In the face of evolving cyber threats, traditional security measures often fall short in protecting identity-driven environments. Rezonate’s ITDR capabilities are engineered to address this gap, providing a powerful, proactive defense across every stage of the MITRE ATT&CK kill chain. Below are some highlighted threat scenarios that our ITDR module is capable of detecting.

Initial Access

  • Suspicious Console and Interactive Logins: Unusual or unauthorized login attempts, especially from new devices or unfamiliar locations.

  • Brute Force and Distributed Brute Force Attacks: Repeated attempts to guess passwords or roles to gain unauthorized access, often using automated tools.

  • Password Spray Attacks: Attackers use a common password across multiple accounts, hoping to find accounts with weak or reused credentials.

  • MFA Fatigue: Overwhelming users with multiple MFA prompts to trick them into approving an unauthorized access attempt.

  • Access via Tor and Proxy Networks: Using anonymizing services to mask IPs and obscure the attack’s origin, bypassing location-based security restrictions.

  • Use of Legacy Protocols: Exploiting older, less secure protocols that lack modern protections like MFA.

  • Login with Scripting Tools: Initial access attempts via scripting languages or command-line tools, signaling potential automation or unauthorized access.
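
The Initial Access scenarios above name four credential-attack patterns without showing how they are told apart in raw authentication events. The following is an added example, not Rezonate's own code, that separates brute force, distributed brute force, password spray and MFA fatigue over constructed sample events; the event schema, the ten-minute window and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): type is "pw_fail", "success" or "mfa_deny".
def make_sample():
    base = datetime(2024, 1, 1, 10, 0, 0)
    t = lambda s: base + timedelta(seconds=s)
    ev = [(t(i * 20), "alice", "203.0.113.5", "pw_fail") for i in range(6)]          # brute force
    ev += [(t(i * 30), "hank", f"198.51.100.{i % 3}", "pw_fail") for i in range(6)]  # distributed
    ev += [(t(i * 15), u, "192.0.2.44", "pw_fail")
           for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"])]          # spray
    ev += [(t(i * 45), "grace", "192.0.2.9", "mfa_deny") for i in range(4)]          # MFA fatigue
    ev.append((t(5), "ivan", "10.0.0.3", "success"))                                  # benign
    return [{"ts": a, "user": b, "ip": c, "type": d} for a, b, c, d in ev]

def recent(evts, window):
    # Keep only events within `window` of the newest event in the group.
    end = max(e["ts"] for e in evts)
    return [e for e in evts if end - e["ts"] <= window]

def detect(events, window=timedelta(minutes=10), fails=5, spray_users=5, pushes=3):
    # Returns (pattern, subject, detail) findings; thresholds are assumed values.
    by_user, by_ip, by_pair, mfa = (defaultdict(list) for _ in range(4))
    for e in events:
        if e["type"] == "pw_fail":
            for d, k in ((by_user, e["user"]), (by_ip, e["ip"]), (by_pair, (e["user"], e["ip"]))):
                d[k].append(e)
        elif e["type"] == "mfa_deny":
            mfa[e["user"]].append(e)
    findings = []
    # Brute force: many failures against one account from one source in the window.
    for (user, ip), evts in by_pair.items():
        if len(recent(evts, window)) >= fails:
            findings.append(("brute_force", user, ip))
    # Distributed brute force: same account, failures spread over several sources.
    for user, evts in by_user.items():
        evts = recent(evts, window)
        ips = {e["ip"] for e in evts}
        if len(evts) >= fails and len(ips) >= 3:
            findings.append(("distributed_brute_force", user, len(ips)))
    # Password spray: one source, many accounts, only a try or two per account.
    for ip, evts in by_ip.items():
        evts = recent(evts, window)
        users = {e["user"] for e in evts}
        if len(users) >= spray_users and len(evts) <= 2 * len(users):
            findings.append(("password_spray", ip, len(users)))
    # MFA fatigue: repeated rejected push prompts for one account in the window.
    for user, evts in mfa.items():
        if len(recent(evts, window)) >= pushes:
            findings.append(("mfa_fatigue", user, len(evts)))
    return findings
```

Per-account thresholds and the window should be tuned against your own IdP's baseline; the spray rule deliberately keys on breadth of accounts rather than volume per account, which is what separates it from the brute-force rules.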

Reconnaissance

  • Enumeration of Resources: Attackers explore resources such as policies, roles, storage services, computing services, or code pipelines to gather information on the environment, looking for privileged resources or vulnerabilities.

  • Enumeration of Security Services: Assessing the configuration of security tools like monitoring and logging solutions, looking for gaps or exploitable configurations.

Persistence

  • Creation of Administrative Accounts and Credentials: Establishing persistence by creating high-privilege accounts or generating new access keys.

  • MFA Enrollment and Deletion: Modifying MFA settings to secure persistent access, such as enrolling a new MFA method or removing existing ones.

  • Conditional Access and Policy Manipulation: Updating conditional access policies to allow easier reentry or prevent detection of the compromised identity.

  • Session Hijacking and Token Creation: Attackers create or hijack session tokens, bypassing traditional authentication mechanisms and allowing long-term access without direct logins.

  • Service Principal and Application Credential Addition: Adding service principal accounts or applications with permissions, enabling attackers to bypass normal user logins and maintain access.

  • Resetting Security Information: Changing security settings, such as recovery emails or authentication factors, to maintain exclusive control over a compromised account.

  • Adding External Identity Providers: Configuring additional IDPs to allow unauthorized external accounts to authenticate as legitimate users.

Privilege Escalation

  • Role and Group Modifications: Elevating privileges by adding compromised accounts to privileged roles or groups, granting unauthorized access to sensitive resources.

  • Privileged Identity Management (PIM) Role Escalation: Exploiting PIM processes to temporarily or permanently add accounts to high-privilege roles.

  • Consent Grants to Malicious Applications: Granting admin consent to applications, which then have persistent, elevated access to the environment.

  • Adding or Updating Conditional Policies: Modifying policies to escalate privileges, such as granting new permissions, application access, or relaxing security policies for targeted users or groups.

  • Service Principal and App Role Assignment: Assigning roles to applications or service principals to expand the scope of privileges without using user accounts.

  • Owner and Administrator Privilege Changes: Assigning ownership or administrator privileges to accounts or applications, ensuring access to high-value resources.

Defense Evasion

  • Disabling Monitoring and Logging Services: Disabling security services like logging, threat detection, or monitoring tools to prevent the detection of malicious activity.

  • Modifying Security Policies to Avoid Detection: Updating access policies or security configurations to avoid triggering alerts, such as setting permissions that bypass standard protections.

Exfiltration

  • Making Storage Public: Configuring storage buckets to allow public access, enabling the attacker to extract data without authorization.

  • Cross-Tenant Sharing of Resources: Sharing resources, like snapshots or databases, across tenants or accounts, often to transfer data out of a secure environment.

  • Creating External Data Shares: Establishing data shares with external entities, allowing unauthorized parties to access data continuously.

  • High-Volume Queries for Data Exfiltration: Running large queries on databases to extract significant volumes of data in a short time, often unnoticed in high-traffic environments.

Impact

  • Resource Creation and Manipulation: Creating or altering resources (e.g., compute instances, containers, or functions) to carry out malicious operations in the victims' environments.

  • Mass Resource Deletion: Removing resources in large volumes to disrupt operations or hinder forensic investigations, typically seen in destructive attacks.

  • Backup Data Corruption: Tampering with backup data to prevent recovery in the event of a successful attack.

  • Malicious File or Script Execution: Executing unauthorized files or scripts on cloud instances or containers, potentially installing malware or manipulating data.

Lateral Movement

  • Federated Identity Access across Services: Using federated identities to access other services, such as cloud platforms or code repositories, expanding the attacker’s reach.

  • Cross-Account Role Assumption: Assuming roles in other accounts or tenants, allowing attackers to access resources in affiliated or partner environments.

Last updated 6 months ago