Identity Access Mismanagement Incident Playbook

December 16, 20233 min read

Let us consider an international financial services company called “GlobaFinance Inc.” that handles sensitive client data and has a complex IT infrastructure, including an on-premises data center, cloud-based services, and remote access for employees. Within GlobaFinance, IT security is overseen by a team led by Chief Information Security Officer (CISO) Alex Mercer and Incident Response (IR) team lead, Rachel Donovan.
GlobaFinance Inc. has recognized the significance of robust IAM controls after seeing an uptick in targeted attacks in the financial sector, where adversaries often exploit poor identity and access controls.
The exercise scenario involves a disgruntled former employee, Nick Sloan. Nick previously had privileged access to the high-value assets of GlobaFinance’s network but left the company under contentious circumstances. Due to an oversight in the deprovisioning process after his departure, his access was not fully revoked.
Six months later, the exercise posits that Nick has decided to exploit his insider knowledge and accesses the network using his dormant credentials. Once in, he escalates privileges and begins exfiltrating confidential data.
The goal of the cyber range exercise will be to detect Nick’s unauthorized re-entry into the system, respond appropriately to his actions, prevent data exfiltration, revoke his access, and plan steps to remediate any vulnerabilities exposed by the incident.

Reconnaissance: Nick Sloan assesses the IT landscape to ensure his access is still intact and begins mapping out a strategy to exploit his privileges.
Initial Compromise: Using his previously authorized credentials, Nick logs into the VPN to gain remote access under the guise of a current employee.
Privilege Escalation: After accessing the network, Nick elevates his privileges by exploiting an unpatched vulnerability within the IAM system.
Pivoting: Once he has higher-level access, Nick moves laterally across the network to target high-value data repositories.
Collection and Exfiltration: Nick begins compressing and encrypting confidential client data for exfiltration.
Detection and Analysis: The IR team is alerted by an anomaly in data flow and begins to investigate.
Containment: Once Nick is identified as the intruder, his access is immediately revoked and network controls are put in place to prevent further data movement.
Eradication: The IR team assesses the scope of the breach, removing any backdoors and preventing Nick’s re-entry.
Recovery: IAM policies are reviewed and tightened, and monitoring solutions are put in place to detect similar incidents.
Lessons Learned: A post-mortem analysis is conducted to improve procedures, technical controls, and training for staff to prevent similar oversights.