{"id":24677,"date":"2024-06-12T21:01:19","date_gmt":"2024-06-13T05:01:19","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/06\/12\/news-18407\/"},"modified":"2024-06-12T21:01:19","modified_gmt":"2024-06-13T05:01:19","slug":"news-18407","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/06\/12\/news-18407\/","title":{"rendered":"Microsoft Incident Response tips for managing a mass password reset"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft Incident Response| Date: Wed, 12 Jun 2024 16:00:00 +0000<\/strong><\/p>\n<div class=\"wp-block-msxcm-kicker-container\">\n<div class=\" wp-block-msxcm-kicker-block wp-block-msxcm-kicker--align-right\" data-bi-an=\"Kicker Right\">\n<p class=\"wp-block-msxcm-kicker__title small text-neutral-400 text-uppercase\"> \t\t\tExplore how effective incident response helps organizations detect, address, and stop cyberattacks\t\t<\/p>\n<p> \t\t<a \t\t\tclass=\"wp-block-msxcm-kicker__cta btn btn-link p-0 text-decoration-none\" \t\t\thref=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/security-101\/what-is-incident-response\" \t\t\t\t\t> \t\t\t<span>Learn more<\/span> <span class=\"glyph-append glyph-append-xsmall wp-block-msxcm-kicker__glyph glyph-append-go\"><\/span> \t\t<\/a> \t<\/div>\n<\/p><\/div>\n<p>As part of any robust incident response plan, organizations often work through potential security weaknesses by responding to hypothetical cyberthreats. In this blog post, we\u2019ll imagine a scenario in which a threat actor uses malware to infect the network, moving laterally throughout the environment and attempting to escalate their admin rights along the way. In this hypothetical scenario, we\u2019ll assume containment of the incident requires a mass password reset.<\/p>\n<p>Despite technological advances, many organizations still depend heavily on passwords, making them vulnerable to cyberthreats. 
During a ransomware attack, the need for mass password resets becomes urgent. Unfortunately, admins can quickly become overwhelmed, burdened with the daunting task of resetting passwords for countless users across multiple connected devices. The surge in help desk calls and service tickets as users face authentication issues on multiple fronts can significantly disrupt business operations. But it\u2019s imperative to secure all digital access points to swiftly mitigate risks and restore system integrity. So how do we manage a mass password reset while minimizing disruption to users and the business?<\/p>\n<p>This blog post delves into the processes and technologies involved in managing a mass password reset, in alignment with expert advice from <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-incident-response\">Microsoft Incident Response<\/a>. We\u2019ll explore the necessity of mass password resets and the specific methods and security measures that Microsoft recommends to effectively safeguard identities. For a more technical explanation, read our <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-security-experts-blog\/effective-strategies-for-conducting-mass-password-resets-during\/ba-p\/4159408\" target=\"_blank\" rel=\"noreferrer noopener\">Tech Community post<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"surge-in-password-based-cyberattacks\">Surge in password-based cyberattacks<\/h2>\n<p>According to the most recent Microsoft Digital Defense Report, password-based attacks in 2023 increased tenfold over the previous year, with Microsoft blocking about 4,000 attacks per second through <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-entra\">Microsoft Entra<\/a>.<sup>1<\/sup> This alarming rise underscores the vulnerability of password-dependent security systems. 
Despite this, too many companies haven&#8217;t adopted <a href=\"https:\/\/www.microsoft.com\/security\/business\/identity-access\/microsoft-entra-mfa-multi-factor-authentication\">multifactor authentication<\/a>, leaving them vulnerable to a variety of cyberattacks, such as phishing, credential stuffing, and brute force attacks. This makes a mass password reset not just a precaution, but a necessity in certain situations.<\/p>\n<h2 class=\"wp-block-heading\" id=\"deciding-on-a-mass-password-reset\">Deciding on a mass password reset<\/h2>\n<p>When the Microsoft Incident Response team determines a threat actor has had extensive access to a customer\u2019s identity plane, a mass password reset may be the best option to restore environment security and prevent unauthorized access. Here are a few of the first questions we ask:<\/p>\n<ul>\n<li>When should you perform a mass password reset?<\/li>\n<li>What challenges might you face during the process?<\/li>\n<li>How should you prepare for it?<\/li>\n<\/ul>\n<div class=\"wp-block-msxcm-cta-block theme-dark\" data-moray data-bi-an=\"CTA Block\">\n<div class=\"card d-block mx-ng mx-md-0\">\n<div class=\"row no-gutters bg-gray-800 text-white\">\n<div class=\"d-flex col-md\">\n<div class=\"card-body align-self-center p-4 p-md-5\">\n<h2>Microsoft Incident Response<\/h2>\n<div class=\"mb-3\">\n<p>Dedicated experts work with you before, during, and after a cybersecurity incident.<\/p>\n<\/p><\/div>\n<div class=\"link-group\"> \t\t\t\t\t\t\t<a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-incident-response\" class=\"btn btn-primary bg-body text-body\" > \t\t\t\t\t\t\t\t<span>Explore services<\/span> \t\t\t\t\t\t\t\t<span class=\"glyph-append glyph-append-chevron-right glyph-append-xsmall\"><\/span> \t\t\t\t\t\t\t<\/a> \t\t\t\t\t\t<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"col-md-4\"> \t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"683\" 
src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/05\/Quick-Assist-social-engineering-ransomware-social-1024x683.webp\" class=\"card-img img-object-cover\" alt=\"Computer developer working at night in office.\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/05\/Quick-Assist-social-engineering-ransomware-social-1024x683.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/05\/Quick-Assist-social-engineering-ransomware-social-300x200.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/05\/Quick-Assist-social-engineering-ransomware-social-768x512.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/05\/Quick-Assist-social-engineering-ransomware-social.webp 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<h2 class=\"wp-block-heading\" id=\"how-to-manage-a-mass-password-reset-effectively\">How to manage a mass password reset effectively<\/h2>\n<p>In today\u2019s world, many of us are working from anywhere, blending home and office environments. This diversity makes executing a mass password reset particularly challenging, and the decision isn\u2019t always clear. Organizations need to weigh the risk to the business from ransomware and downtime against the disruption to users and the often overwhelming strain on IT staff. Here are the two main drivers of mass password resets, as well as advanced security measures a cybersecurity team can apply.<\/p>\n<h3 class=\"wp-block-heading\" id=\"user-driven-resets\">User-driven resets<\/h3>\n<p>In environments where identities sync through Microsoft Entra, there\u2019s no need for a direct office connection to reset passwords. 
Using <a href=\"https:\/\/www.microsoft.com\/security\/business\/identity-access\/microsoft-entra-id\">Microsoft Entra ID<\/a> capabilities allows users to change their credentials at their next login. Opting for Microsoft Entra ID can also add layers of security through features like Conditional Access, making the reset process both secure and user-friendly. Conditional Access policies work by evaluating the context of each sign-in attempt and allowing you to configure requirements based on that context\u2014like requiring users to complete multifactor authentication challenges if they\u2019re accessing files from outside the corporate network, for example. Conditional Access policies can significantly enhance security by preventing unauthorized access during the reset process. <\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1006\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/diagram-mass-password-reset-1024x1006.jpg\" alt=\"The image is an infographic comparing &quot;User-driven process vs. 
Admin-driven process&quot; for handling cybersecurity measures like password resets.\" class=\"wp-image-134625\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/diagram-mass-password-reset-1024x1006.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/diagram-mass-password-reset-300x295.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/diagram-mass-password-reset-768x754.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/diagram-mass-password-reset-1536x1509.jpg 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/diagram-mass-password-reset-2048x2012.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<h3 class=\"wp-block-heading\" id=\"administrator-driven-resets\">Administrator-driven resets<\/h3>\n<p>This method is crucial when immediate action is needed. Resetting all credentials quickly might disrupt user access, but it\u2019s sometimes necessary to secure the system. Providing options like <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/tutorial-enable-sspr\" target=\"_blank\" rel=\"noreferrer noopener\">self-service password reset<\/a> (SSPR) can help users regain access without delay. SSPR allows users to authenticate using alternative methods such as personal email addresses, phone numbers, or security questions\u2014options available when they have been previously configured. 
This method not only restores access quickly but also reduces the load on help desk and support hotline departments during critical recovery phases.<\/p>\n<h3 class=\"wp-block-heading\" id=\"advanced-security-measures-beyond-basic-resets\">Advanced security measures: Beyond basic resets<\/h3>\n<p>In addition to the primary reset methods, advanced security measures should be considered to enhance the security posture further. For highly privileged accounts, using <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/id-governance\/privileged-identity-management\/pim-configure\" target=\"_blank\" rel=\"noreferrer noopener\">privileged identity management<\/a> (PIM) can manage just-in-time access, reducing the risk of exposure. PIM enables granular control over privileged accounts, allowing administrators to activate them only when necessary, which minimizes the opportunity for attackers to exploit these high-level credentials. To explore more scenarios where mass password reset might be the best option, read through our <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-security-experts-blog\/effective-strategies-for-conducting-mass-password-resets-during\/ba-p\/4159408\" target=\"_blank\" rel=\"noreferrer noopener\">technical post<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"securing-emergency-access-don-t-forget-to-monitor\">Securing emergency access: Don\u2019t forget to monitor<\/h2>\n<p>For <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/security-planning\" target=\"_blank\" rel=\"noreferrer noopener\">critical accounts<\/a>, manually resetting credentials ensures tighter security. It\u2019s essential to equip emergency access accounts with phishing-resistant authentication, such as FIDO2 security keys and support from the Microsoft Authenticator app. Monitoring the activities from these accounts is crucial to ensure they are used correctly and only in emergencies. 
IT admins can leverage Microsoft Entra ID logs to keep a close watch on login patterns and activities, viewing real-time alerts and ensuring quick response to any suspicious actions.<\/p>\n<h2 class=\"wp-block-heading\" id=\"passwordless-authentication-and-enhancing-incident-response\">Passwordless authentication and enhancing incident response<\/h2>\n<div class=\"wp-block-msxcm-kicker-container\">\n<div class=\" wp-block-msxcm-kicker-block wp-block-msxcm-kicker--align-left\" data-bi-an=\"Kicker Left\">\n<p class=\"wp-block-msxcm-kicker__title small text-neutral-400 text-uppercase\"> \t\t\tPlan a passwordless authentication deployment in Microsoft Entra ID\t\t<\/p>\n<p> \t\t<a \t\t\tclass=\"wp-block-msxcm-kicker__cta btn btn-link p-0 text-decoration-none\" \t\t\thref=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/howto-authentication-passwordless-deployment\" \t\t\ttarget=\"_blank\"\t\t> \t\t\t<span>Learn more<\/span> <span class=\"glyph-append glyph-append-xsmall wp-block-msxcm-kicker__glyph glyph-append-go\"><\/span> \t\t<\/a> \t<\/div>\n<\/p><\/div>\n<p>As cybersecurity evolves, the move toward <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/solutions\/passwordless-authentication\">passwordless authentication<\/a> is becoming integral to enhancing incident response strategies. Traditional passwords\u2014often vulnerable to breaches\u2014are giving way to <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/concept-authentication-methods\" target=\"_blank\" rel=\"noreferrer noopener\">more secure methods<\/a> like Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys. These technologies leverage biometrics and secure tokens, reducing common attack vectors such as password theft and phishing, and thereby streamlining the incident response process. 
Policies like a <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/howto-authentication-temporary-access-pass\" target=\"_blank\" rel=\"noreferrer noopener\">Temporary Access Pass<\/a> can be configured to empower a move towards passwordless authentication, making it easier for users to <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-entra-blog\/secure-authentication-method-provisioning-with-temporary-access\/ba-p\/3290631\" target=\"_blank\" rel=\"noreferrer noopener\">register new strong authentication methods<\/a>.<\/p>\n<div class=\"wp-block-buttons alignwide is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-1 wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button has-custom-width wp-block-button__width-50 btn-primary\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-entra\">Explore unified identity and network access with Microsoft Entra<\/a><\/div>\n<\/p><\/div>\n<p>Implementing multifactor authentication further strengthens security frameworks. Multifactor authentication is an essential component of basic security hygiene that can prevent 99% of account compromise attacks.<sup>1<\/sup> When integrated with phishing-resistant authentication methods, together they form a formidable barrier against unauthorized access. This dual approach not only speeds up the response during security incidents but also reduces potential entry points for attackers. This transformative phase in cybersecurity shifts focus from reactive to proactive security measures, promising a future where digital safety is inherent and user interactions are inherently secure. 
An option to enable phishing-resistant authentication is the newly released ability to use <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/how-to-enable-authenticator-passkey\">passkeys with the Microsoft Authenticator.<\/a><\/p>\n<p>A mass password reset is just one of the many tools organizations need to understand and consider as part of their robust incident response plan. For a more in-depth look at scenarios that may require mass password reset, read our <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-security-experts-blog\/effective-strategies-for-conducting-mass-password-resets-during\/ba-p\/4159408\" target=\"_blank\" rel=\"noreferrer noopener\">technical post<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n<p>Learn more about <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-incident-response\">Microsoft Incident Response<\/a> and <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-entra\">Microsoft Entra<\/a>. <\/p>\n<p>To learn more about Microsoft Security solutions, visit our&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\" target=\"_blank\" rel=\"noreferrer noopener\">website.<\/a>&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. 
Also, follow us on LinkedIn (<a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-security\/\">Microsoft Security<\/a>) and X (<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@MSFTSecurity<\/a>)&nbsp;for the latest news and updates on cybersecurity.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<p><sup>1<\/sup><a href=\"https:\/\/www.microsoft.com\/security\/security-insider\/microsoft-digital-defense-report-2023\">Microsoft Digital Defense Report 2023<\/a>.<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/06\/12\/microsoft-incident-response-tips-for-managing-a-mass-password-reset\/\">Microsoft Incident Response tips for managing a mass password reset<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/06\/12\/microsoft-incident-response-tips-for-managing-a-mass-password-reset\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft Incident Response| Date: Wed, 12 Jun 2024 16:00:00 +0000<\/strong><\/p>\n<p>When an active incident leaves systems vulnerable, a mass password reset may be the right tool to restore security. This post explores the necessity and risk associated with mass password resets. 
<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/06\/12\/microsoft-incident-response-tips-for-managing-a-mass-password-reset\/\">Microsoft Incident Response tips for managing a mass password reset<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[],"class_list":["post-24677","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24677","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24677"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24677\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24677"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24677"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}