A New Capability for Incident Responders: Deny Privileged Access
Summary
This article discusses a new incident response technique that involves revoking administrator privileges from Windows servers and workstations to stop the spread of ransomware. The approach, demonstrated in a webinar, has been used successfully to contain attacks, downgrading major breaches to minor incidents.
IFF Assessment
This is good news for defenders: it presents a proactive and effective strategy to contain and mitigate ransomware attacks by removing the administrator privileges that attackers rely on to spread.
Defender Context
Defenders should consider implementing robust privileged access management (PAM) solutions and regularly reviewing and revoking unnecessary administrator rights. This approach highlights the critical role of privilege escalation in cyberattacks and offers a tactical advantage in rapid containment.
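As an added illustration of the "review and revoke unnecessary administrator rights" step (this is not code from the webinar or the article), the PowerShell script below audits the local Administrators group on a set of Windows hosts and reports, or with -Enforce removes, any member that is not on an approved allowlist. The host names and allowlist entries are placeholders; it assumes WinRM is enabled, the caller already holds administrator rights on the targets, and the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) is available.

```powershell
# Added example, not from the webinar or article. Dry-run by default; pass -Enforce
# to actually remove members. Hosts and allowlist below are placeholders.
[CmdletBinding()]
param(
    [string[]]$ComputerName   = @('ws01.corp.example', 'srv01.corp.example'),      # placeholder hosts
    [string[]]$ApprovedAdmins = @('CORP\Domain Admins', 'CORP\IR-BreakGlass'),      # placeholder allowlist
    [switch]$Enforce
)

$results = Invoke-Command -ComputerName $ComputerName `
    -ArgumentList $ApprovedAdmins, $Enforce.IsPresent -ScriptBlock {
    param([string[]]$Approved, [bool]$Enforce)

    # Enumerate everyone currently in the local Administrators group.
    $members = Get-LocalGroupMember -Group 'Administrators'

    foreach ($m in $members) {
        # Leave the built-in local Administrator (RID 500) alone so the host stays recoverable,
        # and skip anything on the approved allowlist.
        $isBuiltin  = $m.SID.Value -like 'S-1-5-21-*-500'
        $isApproved = $Approved -contains $m.Name
        if ($isBuiltin -or $isApproved) { continue }

        if ($Enforce) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
            $action = 'Removed'
        } else {
            $action = 'WouldRemove'
        }

        # One record per unexpected member, for the incident log.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Type     = $m.ObjectClass      # User or Group
            Source   = $m.PrincipalSource  # Local or ActiveDirectory
            Action   = $action
        }
    }
}

$results | Sort-Object Computer, Member | Format-Table -AutoSize
```

Run it without -Enforce first and review the WouldRemove rows; the allowlist should contain only the groups and break-glass accounts your incident response plan requires, since the same revocation that stops a ransomware operator will also lock out any legitimate administrator who is not on it.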