Active Response enables Rapid7’s expert SOC analysts to respond directly to validated threats in an environment with two containment actions:
- Quarantining assets
- Disabling users
While quarantining an asset works fine, I believe disabling a user in the event of a validated threat is not sufficient in terms of limiting potential damage.
During our test, we noticed that it took 5 to 10 mins for the account to be disabled in AD, which leaves the attacker enough time to hack a system or cause further damage. Furthermore, this action doesn't terminate current user sessions, so the attacker could carry on their activities until the session is terminated or refreshed by the web app.
Hence, my suggestion is to improve the default action for responding to an account in the event of a validated threat by implementing the below workflow:
1- The first action should be to revoke all sessions for that user via the Azure AD API
2- Then to disable the account
3- And finally reset the password as an extra layer of security
All of the additional workflows are already available as an InsightConnect extension, so it would just be a matter of integrating those workflows into the default actions in the Active Response product.
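The three-step sequence above, as an added example that is not Rapid7's or InsightConnect's code: it drives Microsoft Graph (the API behind Azure AD) in the order the post argues for, with the HTTP transport injectable so the sequence can be exercised offline. It assumes a bearer token with sufficient Graph privileges (User.ReadWrite.All at minimum; password reset also requires an admin role) and that the user is addressed by object id or UPN; the user names in the test are constructed.

```python
"""Containment sequence for a compromised Azure AD (Entra ID) user via Microsoft Graph.
Added example; assumes a suitably privileged bearer token (see lead-in)."""
import json
import secrets
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_transport(token):
    """Real transport: send one Graph request, return (HTTP status, parsed body)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return send


def containment_steps(user, new_password):
    """The three actions, in the order the post argues for: sessions first."""
    return [
        # Invalidates refresh tokens and browser session cookies. Caveat: access
        # tokens already issued stay valid until they expire (up to about an hour),
        # so this narrows the window but does not close it instantly.
        ("revoke_sessions", "POST", f"{GRAPH}/users/{user}/revokeSignInSessions", None),
        ("disable_account", "PATCH", f"{GRAPH}/users/{user}", {"accountEnabled": False}),
        ("reset_password", "PATCH", f"{GRAPH}/users/{user}",
         {"passwordProfile": {"forceChangePasswordNextSignIn": True,
                              "password": new_password}}),
    ]


def contain_user(transport, user, new_password=None):
    """Run all three steps in order; a failed step is recorded and the rest still run,
    since each action limits the attacker independently. Returns {step: succeeded}."""
    new_password = new_password or secrets.token_urlsafe(24)  # one-time throwaway value
    results = {}
    for name, method, url, body in containment_steps(user, new_password):
        try:
            status, _ = transport(method, url, body)
            results[name] = 200 <= status < 300
        except Exception:  # network or HTTP error: record it, continue containment
            results[name] = False
    return results
```

For live use, call `contain_user(graph_transport(token), "<user-id-or-upn>")`; the returned map tells the SOC which containment actions actually landed.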