Windows tips for reducing the ransomware threat


Last, but not least, plan for these identity attacks and have a playbook for recovery. Ransomware and breaches will occur. In the past, merely restoring from a backup and rebuilding AD was enough of a process. Now that identity is the key way attackers gain access, they will look for ways to keep persistent access to the identity they have taken over even after your rebuilding techniques have gotten under way.

Check that the account has no unexpected delegations, no trusted devices suddenly added to its devices list, no adjusted permissions, and none of the other techniques that attackers use to maintain access throughout the intrusion. You will need to clean up these changes and monitor after the fact for any unusual activity or traffic from the accounts used in the takeover.

Depending on the account, you may need to disable it and start fresh with another user account to set up a clean identity free from tokens or authentication techniques shared with the attacker. Rather than merely cleaning, rebuilding, and handing the computer back to the user, you may need to “clean up” their identity before you consider the incident under control.
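
The account review described above (delegations, trusted devices, permissions) can be run as a comparison between a pre-incident baseline and the account's current state. This is an added example, not code from the original article; the export layout, field names and all sample values are constructed assumptions.

```python
from datetime import datetime, timezone

NOT_IN_BASELINE = "not in pre-incident baseline"
CHANGED_AFTER = "known entry re-added after suspected compromise"
NO_TIMESTAMP = "no timestamp, verify manually"

# Constructed sample data. The layout and field names are an assumed export
# format, not the schema of any particular directory product.
BASELINE = {
    "delegates": {"assistant@example.com"},
    "devices": {"LAPTOP-0142", "PHONE-0077"},
    "roles": {"User"},
}
CURRENT = {
    "delegates": [
        {"id": "assistant@example.com", "added": "2023-01-10T09:00:00+00:00"},
        {"id": "ext-relay@example.net", "added": "2024-03-02T03:14:00+00:00"},
    ],
    "devices": [
        {"id": "LAPTOP-0142", "added": "2022-11-05T08:30:00+00:00"},
        {"id": "PHONE-0077", "added": "2024-03-02T03:20:00+00:00"},
        {"id": "TABLET-9001", "added": None},
    ],
    "roles": [
        {"id": "User", "added": "2022-11-05T08:00:00+00:00"},
        {"id": "HelpdeskAdmin", "added": "2024-03-03T11:45:00+00:00"},
    ],
}
COMPROMISED_AT = datetime(2024, 3, 1, tzinfo=timezone.utc)

def review_account(baseline, current, compromised_at):
    """Return (category, id, reason) for every entry that needs cleanup."""
    findings = []
    for category, entries in current.items():
        known = baseline.get(category, set())
        for entry in entries:
            if entry["id"] not in known:
                reason = NOT_IN_BASELINE
            elif not entry.get("added"):
                reason = NO_TIMESTAMP
            elif datetime.fromisoformat(entry["added"]) >= compromised_at:
                reason = CHANGED_AFTER
            else:
                continue  # present before the incident and unchanged since
            findings.append((category, entry["id"], reason))
    return findings

if __name__ == "__main__":
    for finding in review_account(BASELINE, CURRENT, COMPROMISED_AT):
        print(*finding, sep=" | ")
```

A known device that was re-registered after the suspected compromise time is flagged as well as entirely new entries, since an entry that merely appears in the baseline is not proof it was left untouched.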


