Highlighted ITDR Capabilities

In the face of evolving cyber threats, traditional security measures often fall short in protecting identity-driven environments. Rezonate’s ITDR capabilities are engineered to address this gap, providing a powerful, proactive defense across every stage of the MITRE ATT&CK kill chain. Below are some highlighted threat scenarios that our ITDR module is capable of detecting.

Initial Access

  • Suspicious Console and Interactive Logins: Unusual or unauthorized login attempts, especially from new devices or unfamiliar locations.

  • Brute Force and Distributed Brute Force Attacks: Repeated attempts to guess passwords or roles to gain unauthorized access, often using automated tools.

  • Password Spray Attacks: Attackers use a common password across multiple accounts, hoping to find accounts with weak or reused credentials.

  • MFA Fatigue: Overwhelming users with multiple MFA prompts to trick them into approving an unauthorized access attempt.

  • Access via Tor and Proxy Networks: Using anonymizing services to mask IPs and obscure the attack’s origin, bypassing location-based security restrictions.

  • Use of Legacy Protocols: Exploiting older, less secure protocols that lack modern protections like MFA.

  • Login with Scripting Tools: Initial access attempts via scripting languages or command-line tools, signaling potential automation or unauthorized access.
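As an added illustration (not Rezonate's code or detection logic), the snippet below shows how the brute force, distributed brute force and password spray scenarios listed above differ when viewed in authentication logs: the same failed-login events are grouped by source IP and by account, and the shape of each group decides the label. The event tuples and the thresholds are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample login events, not taken from any real tenant:
# (account, source IP, success flag)
SAMPLE_EVENTS = (
    [("alice", "203.0.113.10", False)] * 8                         # one IP hammering one account
    + [(f"user{i}", "198.51.100.7", False) for i in range(12)]     # one IP, one try per account
    + [("bob", f"192.0.2.{i}", False) for i in range(10)]          # many IPs, one account
    + [("carol", "203.0.113.55", True)]                            # normal successful login
)


def classify_auth_events(events, fail_threshold=5, spread_threshold=5):
    """Label failed-login clusters as brute force, distributed brute force or password spray.

    Thresholds are illustrative assumptions; a real deployment would tune them
    per tenant and add a time window.
    """
    failures_by_ip = defaultdict(lambda: defaultdict(int))  # ip -> account -> failures
    ips_by_account = defaultdict(set)                       # account -> set of failing IPs
    for account, ip, ok in events:
        if ok:
            continue  # only failed attempts feed these patterns
        failures_by_ip[ip][account] += 1
        ips_by_account[account].add(ip)

    findings = []
    for ip, accounts in failures_by_ip.items():
        # Spray: one source touches many accounts but tries each only once or twice.
        if len(accounts) >= spread_threshold and max(accounts.values()) <= 2:
            findings.append(("password_spray", ip, len(accounts)))
            continue
        # Brute force: one source repeatedly fails against the same account.
        for account, n in accounts.items():
            if n >= fail_threshold:
                findings.append(("brute_force", f"{ip}->{account}", n))
    # Distributed brute force: one account fails from many distinct sources.
    for account, ips in ips_by_account.items():
        if len(ips) >= spread_threshold:
            findings.append(("distributed_brute_force", account, len(ips)))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, count in classify_auth_events(SAMPLE_EVENTS):
        print(f"{kind:24s} {subject:24s} {count}")
```

The per-source view alone would miss the distributed case, which is why the account-keyed pass is needed as well.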

Reconnaissance

  • Enumeration of Resources: Attackers explore resources such as policies, roles, storage services, computing services, or code pipelines to gather information on the environment, looking for privileged resources or vulnerabilities.

  • Enumeration of Security Services: Assessing the configuration of security tools like monitoring and logging solutions, looking for gaps or exploitable configurations.

Persistence

  • Creation of Administrative Accounts and Credentials: Establishing persistence by creating high-privilege accounts or generating new access keys.

  • MFA Enrollment and Deletion: Modifying MFA settings to secure persistent access, such as enrolling a new MFA method or removing existing ones.

  • Conditional Access and Policy Manipulation: Updating conditional access policies to allow easier reentry or prevent detection of the compromised identity.

  • Session Hijacking and Token Creation: Attackers create or hijack session tokens, bypassing traditional authentication mechanisms and allowing long-term access without direct logins.

  • Service Principal and Application Credential Addition: Adding service principal accounts or applications with permissions, enabling attackers to bypass normal user logins and maintain access.

  • Resetting Security Information: Changing security settings, such as recovery emails or authentication factors, to maintain exclusive control over a compromised account.

  • Adding External Identity Providers: Configuring additional IDPs to allow unauthorized external accounts to authenticate as legitimate users.

Privilege Escalation

  • Role and Group Modifications: Elevating privileges by adding compromised accounts to privileged roles or groups, granting unauthorized access to sensitive resources.

  • Privileged Identity Management (PIM) Role Escalation: Exploiting PIM processes to temporarily or permanently add accounts to high-privilege roles.

  • Consent Grants to Malicious Applications: Granting admin consent to applications, which then have persistent, elevated access to the environment.

  • Adding or Updating Conditional Policies: Modifying policies to escalate privileges, such as granting new permissions or application access, or relaxing security policies for targeted users or groups.

  • Service Principal and App Role Assignment: Assigning roles to applications or service principals to expand the scope of privileges without using user accounts.

  • Owner and Administrator Privilege Changes: Assigning ownership or administrator privileges to accounts or applications, ensuring access to high-value resources.

Defense Evasion

  • Disabling Monitoring and Logging Services: Disabling security services like logging, threat detection, or monitoring tools to prevent the detection of malicious activity.

  • Modifying Security Policies to Avoid Detection: Updating access policies or security configurations to avoid triggering alerts, such as setting permissions that bypass standard protections.

Exfiltration

  • Making Storage Public: Configuring storage buckets to allow public access, enabling the attacker to extract data without authorization.

  • Cross-Tenant Sharing of Resources: Sharing resources, like snapshots or databases, across tenants or accounts, often to transfer data out of a secure environment.

  • Creating External Data Shares: Establishing data shares with external entities, allowing unauthorized parties to access data continuously.

  • High-Volume Queries for Data Exfiltration: Running large queries on databases to extract significant volumes of data in a short time, often unnoticed in high-traffic environments.

Impact

  • Resource Creation and Manipulation: Creating or altering resources (e.g., compute instances, containers, or functions) to carry out malicious operations in the victims' environments.

  • Mass Resource Deletion: Removing resources in large volumes to disrupt operations or hinder forensic investigations, typically seen in destructive attacks.

  • Backup Data Corruption: Tampering with backup data to prevent recovery in the event of a successful attack.

  • Malicious File or Script Execution: Executing unauthorized files or scripts on cloud instances or containers, potentially installing malware or manipulating data.

Lateral Movement

  • Federated Identity Access across Services: Using federated identities to access other services, such as cloud platforms or code repositories, expanding the attacker’s reach.

  • Cross-Account Role Assumption: Assuming roles in other accounts or tenants, allowing attackers to access resources in affiliated or partner environments.
