Exam SC-200
Question 257

You have an on-premises network.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity.

From the Microsoft Defender portal, you investigate an incident on a device named Device1 of a user named User1. The incident contains the following Defender for Identity alert.

Suspected identity theft (pass-the-ticket) (external ID 2018)

You need to contain the incident without affecting users and devices. The solution must minimize administrative effort.

What should you do?

    Correct Answer: D

    In a pass-the-ticket attack, an attacker steals a Kerberos ticket from one computer and may use it on another. Since the ticket is tied to both the device and the user, the best approach to contain the incident involves both disabling the compromised user account and quarantining the affected device. Disabling the user account ensures that the attacker cannot use the stolen ticket for unauthorized access, and quarantining the device prevents any further malicious activity from that device. This method effectively contains the threat and minimizes the risk without unnecessarily affecting other users or devices.
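As an added example (not from the exam page or from Microsoft), the two containment actions the answer key describes, scripted for an on-premises AD forest and a Defender for Endpoint tenant. It assumes the ActiveDirectory module is installed, an app registration holding the Machine.Isolate permission, and placeholder values for the tenant, client, secret and device FQDN.

```powershell
# Added example: contain the incident by disabling User1 in on-premises AD and
# isolating Device1 through the Defender for Endpoint machine isolation API.
# $TenantId, $ClientId, $ClientSecret and the device FQDN are placeholders.
param(
    [string]$UserSam      = 'User1',
    [string]$DeviceFqdn   = 'device1.contoso.local',   # constructed placeholder
    [string]$TenantId     = '<tenant-id>',
    [string]$ClientId     = '<app-client-id>',
    [string]$ClientSecret = '<app-client-secret>',
    [string]$AlertId      = '2018'                     # external ID from the alert
)

# Step 1: disable the on-premises AD account named in the alert.
Import-Module ActiveDirectory
Disable-ADAccount -Identity $UserSam -Confirm:$false
Write-Host "Disabled AD account $UserSam"

# Step 2: obtain an app-only token for the Defender for Endpoint API.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# Step 3: resolve the device name to its Defender machine ID.
$machine = (Invoke-RestMethod -Headers $headers `
    -Uri "https://api.securitycenter.microsoft.com/api/machines?`$filter=computerDnsName eq '$DeviceFqdn'"
    ).value | Select-Object -First 1
if (-not $machine) { throw "Device $DeviceFqdn not found in Defender for Endpoint" }

# Step 4: isolate the device (full isolation keeps only the Defender channel open).
$body = @{
    Comment       = "Containment for Defender for Identity alert $AlertId (pass-the-ticket)"
    IsolationType = 'Full'
} | ConvertTo-Json
$action = Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' `
    -Uri "https://api.securitycenter.microsoft.com/api/machines/$($machine.id)/isolate" -Body $body
Write-Host "Isolation action $($action.id) submitted, status: $($action.status)"
```

The two steps are independent, so either can be dropped to reproduce option B (device only) or extended with a password reset for option E.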

Discussion
DChilds (Option: E)

The security team where I work carries out the activities of option E every single time.

RedZtopics

Without affecting users and devices. The solution must minimize administrative effort. For me it's ---> B

wheeldj

If you only quarantine the device, how have you prevented the attacker from using the stolen credentials? And how do you know which user credentials have been stolen from this machine? For me the primary requirement here is to prevent the threat. Secondary is to minimise admin effort. Therefore Answer === E

Hawklx

The “Pass-the-Ticket” attack is a method where an attacker steals a Kerberos ticket and uses it from a different device. The attack is based on the theft of a ticket and not on the theft of an account’s credentials, so disabling User1 or resetting passwords would not necessarily contain the incident. Quarantining Device1 would prevent the stolen ticket from being used further without affecting other users or devices. This approach also minimizes administrative effort as it focuses on the device where the incident was identified.

Hawklx

This is why regular employees hate the security team taking unnecessary measures just because...

Studytime2023 (Option: B)

This question is terribly worded. There is no way to avoid some effect on at least one user. I would quarantine the device and reset passwords for all users who've been on the device. Or maybe, if I had time, reset the user whose Kerberos ticket was stolen, quarantine the device and "monitor" all users who have previously been signed into that device. There is no way to avoid disruption to one or more users. As a cybersecurity specialist, security should be paramount over a user's discomfort during a password reset etc. Imagine being the person responsible for the full compromise of an organisation. BTW, to my understanding, quarantining the device doesn't stop reuse of the Kerberos ticket (before it expires).

Sekpluz (Option: D)

I would choose Option D. This is because resetting the user’s password won’t have any effect in a Kerberos ticket attack. Changing the password won’t invalidate the stolen Kerberos ticket. It’s necessary to disable the user from Active Directory (AD). In this way, if a hacker tries to use the ticket to log in on any other device, it won’t work because the user is disabled. I would also definitely quarantine the device because there’s no telling what else the hacker might have done to that device. This is considered best practice. And yes, you could also argue for Option E. As a best practice, it wouldn’t hurt to change the user’s password as well.

scfitzp (Option: B)

Pass-the-ticket is lateral movement, and as far as I understand the ticket, though correlated to the user, lives on the device. So wouldn't we quarantine the device? The user can continue local activity.

Polomint (Option: E)

The question itself is really badly written and confusing... Option E could be correct here because, if the exposed device was where the Kerberos ticket was stolen, then probably the hacker has dumped LSASS and gained access to all previously logged-in users' Kerberos tickets. Option A could be correct here if User1's Kerberos ticket was compromised from an unknown source, in which case disabling the user's account will mitigate the risk. According to Microsoft: Pass-the-Ticket is a lateral movement technique in which attackers steal a Kerberos ticket from one computer and use it to gain access to another computer by reusing the stolen ticket https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts

Hawklx (Option: B)

This is because the alert is related to a “pass-the-ticket” attack, which is a type of Kerberos attack where an attacker steals a Kerberos ticket and uses it to gain unauthorized access to resources. The ticket is tied to the device (Device1 in this case), not the user (User1). Therefore, quarantining the device would effectively contain the incident. (GenAI generated)