Active Response containment actions/workflow for a user account in breach are insufficient

Active Response enables Rapid7’s expert SOC analysts to respond directly to validated threats in an environment with two containment actions:
- Quarantining assets
- Disabling users

While quarantining an asset works fine, I believe disabling a user in the event of a validated threat is not sufficient in terms of limiting potential damage.
During our test, we noticed that it took 5 to 10 mins for the account to be disabled in AD, which leaves the attacker enough time to hack a system or cause further damage. Furthermore, this action doesn’t terminate current user sessions, so the attacker could carry on his activities until the session is terminated or refreshed by the web app.

Hence, my suggestion is to improve the default action for responding to an account in the event of a validated threat by implementing the below workflow:
1- The first action should be to revoke all sessions from that user via AzureAD API
2- Then to disable the account
3- And finally reset the password as an extra layer of security

All of the additional workflows are already available as an InsightConnect extension, so it is just a matter of integrating the workflows into the default actions in the Active Response product.

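The three-step order proposed in the post, written out as an added example that is not Rapid7's, InsightConnect's or the poster's own code: it expresses the steps as Microsoft Graph calls (the endpoints and body fields are Graph's documented ones), while the injectable `send` callable, `dry_run_send` and the placeholder user id are assumptions so the block runs offline.

```python
import secrets
import string

GRAPH = "https://graph.microsoft.com/v1.0"


def generate_temp_password(length: int = 24) -> str:
    """Random throwaway password; the user must change it at next sign-in."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def contain_user(user_id: str, send) -> list:
    """Issue the three containment calls in order; return the requests made.

    send(method, url, body) is an assumed hook that performs one HTTP call and
    returns its status code (a real run would wrap requests with the
    Authorization: Bearer header). Stops at the first failing step so the
    caller sees exactly how far containment got.
    """
    steps = [
        # 1. Kill live sessions first: this invalidates the user's refresh tokens now.
        ("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None),
        # 2. Disable the account so no new sign-in succeeds.
        ("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False}),
        # 3. Rotate the password as the extra layer the post proposes.
        ("PATCH", f"{GRAPH}/users/{user_id}", {"passwordProfile": {
            "forceChangePasswordNextSignIn": True,
            "password": generate_temp_password()}}),
    ]
    issued = []
    for method, url, body in steps:
        status = send(method, url, body)
        if status not in (200, 204):
            raise RuntimeError(f"step {len(issued) + 1}: {method} {url} -> HTTP {status}")
        issued.append((method, url, body))
    return issued


def dry_run_send(method, url, body):
    """Offline stand-in for the HTTP layer (assumed): logs the call, answers as Graph would."""
    print(f"{method} {url} {body}")
    return 200 if method == "POST" else 204


if __name__ == "__main__":
    # Placeholder object id, not a real account.
    contain_user("00000000-0000-0000-0000-000000000000", dry_run_send)
```

Revoking sessions invalidates refresh tokens and browser session cookies, but access tokens already issued stay usable until they expire, so step 1 shortens the exposure window rather than closing it instantly.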

Hey @ssahiri - we appreciate this feedback on our Active Response user containment automation. It does make sense to add in logic to ensure we are terminating all active user sessions in the process of disabling a user account. I have taken these suggestions back to our team.
