A New Capability for Incident Responders: Deny Privileged Access
Summary
This article discusses a new capability for incident responders to contain ransomware intrusions by revoking administrator access on Windows servers and workstations. It highlights a case in which revoking these privileges across approximately 6000 servers in under six hours contained the intrusion, downgrading it from a major breach to a minor incident.
IFF Assessment
This is good news for defenders: rapidly revoking administrative rights is an effective containment action that applies the principle of least privilege at the moment it matters most, when an intruder already holds a foothold and needs privileged accounts to spread.
Defender Context
Defenders should explore and implement dynamic or just-in-time privileged access management so that unnecessary administrative rights can be revoked quickly, and at scale, during an incident. Denying those rights removes the accounts an intruder relies on for lateral movement and for pushing a ransomware payload to many hosts, which significantly limits the impact of ransomware and other attacks. The revocation procedure should be scripted and rehearsed before an incident, and it must preserve a break-glass path for the responders themselves, or containment turns into a self-inflicted outage.
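As an added illustration of the approach (this is example code, not the capability or tooling the article describes), the following PowerShell script strips every member of the local Administrators group on a list of Windows hosts except an allowlisted set of break-glass principals, defaulting to an audit-only run. It assumes PowerShell remoting is enabled and that the caller is an administrator on each host, and the host-list path, allowlist entries and log path are hypothetical placeholders.

```powershell
# Added example: revoke local administrator rights on many Windows hosts during an incident.
# Not the article's tool. Assumes WinRM remoting and the Microsoft.PowerShell.LocalAccounts
# module (Windows PowerShell 5.1+). Host list, allowlist and log path are hypothetical.
[CmdletBinding()]
param(
    [string[]]$ComputerName = (Get-Content -Path '.\hosts.txt'),                   # hypothetical
    [string[]]$KeepMembers  = @('CORP\IR-BreakGlass', 'CORP\Domain Admins'),        # hypothetical
    [string]$LogPath        = '.\deny-privileged-access.csv',                       # hypothetical
    [switch]$Enforce,              # without -Enforce the script only reports what it would remove
    [int]$ThrottleLimit = 64       # parallel remote sessions; raise for thousands of hosts
)

$results = Invoke-Command -ComputerName $ComputerName -ThrottleLimit $ThrottleLimit `
    -ErrorAction Continue -HideComputerName -ArgumentList $KeepMembers, $Enforce.IsPresent `
    -ScriptBlock {
    param([string[]]$Keep, [bool]$Apply)

    $group = 'Administrators'
    foreach ($m in Get-LocalGroupMember -Group $group) {
        # Keep allowlisted principals (matched on the 'DOMAIN\name' form the cmdlet returns).
        $retain = $Keep -contains $m.Name
        # Always keep the built-in local Administrator (RID 500) so the host stays reachable.
        if ($m.SID.Value -like 'S-1-5-21-*-500') { $retain = $true }

        $action = if ($retain) { 'kept' } elseif ($Apply) { 'removed' } else { 'would-remove' }
        if (-not $retain -and $Apply) {
            try   { Remove-LocalGroupMember -Group $group -Member $m -ErrorAction Stop }
            catch { $action = "error: $($_.Exception.Message)" }
        }

        # One record per member so the run is auditable after the fact.
        [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Member = $m.Name
            Sid    = $m.SID.Value
            Class  = $m.ObjectClass     # User or Group
            Action = $action
            Time   = (Get-Date).ToString('o')
        }
    }
}

# Persist the evidence and print a per-action tally.
$results | Export-Csv -NoTypeInformation -Path $LogPath
$results | Group-Object Action | Select-Object Name, Count | Format-Table -AutoSize
```

Run it once without -Enforce, review the CSV for anything that must stay (service accounts, the responders' own group), then rerun with -Enforce. Two caveats matter in practice: removing a principal from the local Administrators group does not change its domain group memberships, so domain-level privileges such as Domain Admins need to be revoked separately in Active Directory, and an attacker who is already logged on keeps the token issued at logon until that session ends, so pair the revocation with forced logoffs or credential resets on hosts known to be compromised.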