Last, but not least, plan for these identity attacks and have a playbook for recovery. There will be ransomware and breaches. In the past, it was enough to have a process that simply restored a backup and rebuilt AD. Now that attackers gain access in important ways through identity, they will look for ways to keep persistent access despite your rebuild techniques, having also taken control of the identity they compromised.
Ensure that no delegations have been added to an account, that no trusted devices have suddenly been added to the device list, that permissions have not been adjusted, and that none of the other techniques attackers use to maintain access throughout an intrusion are in place. You will need to clean up and monitor for these actions after any unusual activity or traffic from the accounts used in the takeover.
Depending on the account, you may need to disable it and start fresh with another user account to establish a clean identity free from tokens or authentication techniques shared with the attacker. Instead of cleaning and rebuilding a computer and handing it back to the user, you may need to “clean” the identity before the incident is under control.
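
As an added example (not from the original article), the review described above can be scripted over exported audit events. The event schema, action names, account names and sample events are constructed assumptions; map your identity provider's real audit operations onto the three categories.

```python
from datetime import datetime

# Hypothetical, vendor-neutral categories for the changes named above.
PERSISTENCE_ACTIONS = {"delegation_added", "trusted_device_added", "permission_changed"}

# Constructed sample audit events: (time, actor, target, action, detail).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "alice", "alice", "trusted_device_added", "laptop-01"),
    ("2024-05-03T02:14:00", "alice", "alice", "trusted_device_added", "unknown-phone"),
    ("2024-05-03T02:20:00", "alice", "alice", "delegation_added", "mailbox -> ext-user"),
    ("2024-05-03T02:31:00", "alice", "svc-backup", "permission_changed", "added to admins"),
    ("2024-05-03T09:00:00", "bob", "bob", "permission_changed", "joined project group"),
    ("2024-05-03T09:05:00", "alice", "alice", "sign_in", "vpn"),
]


def review_persistence(events, takeovers):
    """Find persistence-style changes tied to compromised accounts.

    takeovers maps account -> ISO time of its first unusual activity.
    Returns (findings, also_review): the matching events in time order,
    and other accounts the compromised identity modified, which must be
    added to the clean-up scope.
    """
    compromised = set(takeovers)
    findings, also_review = [], set()
    for ev in sorted(events):  # ISO timestamps sort chronologically
        when, actor, target, action, _detail = ev
        if action not in PERSISTENCE_ACTIONS:
            continue
        involved = {actor, target} & compromised
        ts = datetime.fromisoformat(when)
        if not any(ts >= datetime.fromisoformat(takeovers[a]) for a in involved):
            continue  # unrelated account, or change predates the takeover
        findings.append(ev)
        if actor in compromised and target not in compromised:
            also_review.add(target)
    return findings, also_review


if __name__ == "__main__":
    hits, extra = review_persistence(SAMPLE_EVENTS, {"alice": "2024-05-03T02:00:00"})
    for when, actor, target, action, detail in hits:
        print(f"{when} {actor} -> {target}: {action} ({detail})")
    print("also review:", sorted(extra))
```

Every finding is a change to revert or re-approve, and each account in the second result should get the same review.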