Service accounts, by design, are created to perform specific tasks for services running on endpoints. Depending on the service and how the service account is configured, service accounts can have a range of different privilege levels. Malicious actors understand that service accounts typically have higher privileges than normal user accounts, and often target these accounts and their associated privileges in order to move laterally within an environment. However, many organizations overlook the risk associated with these accounts during configuration and implementation, leaving them vulnerable to attack.
With this in mind, does your organization have any controls or practices in place to mitigate the risk of service account misuse? If you are looking for additional controls, here are a few practices you can implement to help close off the attack vector that service accounts present.
When a service account is configured to allow interactive logons (Logon Types 2, 10, and 11), it gives a person a way to exercise privileges that administrators never intended to grant that person. Because service accounts are designed for services or applications to log on with in order to interact with the operating system, interactive logons by these accounts also break the audit trail: there is typically no way to tell from the logs who actually performed the interactive logon.
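One way to surface the audit-trail gap described above is to pull interactive logons (types 2, 10 and 11) for the accounts that should never log on interactively. This is an added example, not code from the original post; the account names are constructed, and the query runs against the local Security log (point it at a collector or use the group membership instead of a static list in production).

```powershell
# Added example: report interactive logons by known service accounts over the last 24 hours.
# Requires rights to read the Security event log.
$serviceAccounts = @('svc_sql', 'svc_backup')   # constructed sample names; in production,
                                                # enumerate the 'Service Account - DenyInter' group instead

# Windows event-log XPath: Event ID 4624, last 24h (timediff is in milliseconds),
# restricted to interactive (2), RemoteInteractive (10) and CachedInteractive (11) logons.
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 86400000]] " +
         "and EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10' " +
         "or Data[@Name='LogonType']='11']]"

$hits = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData name/value pairs so fields can be addressed by name.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = $d['TargetUserName']
            Domain     = $d['TargetDomainName']
            LogonType  = $d['LogonType']
            SourceHost = $d['WorkstationName']
            SourceIP   = $d['IpAddress']
        }
    } |
    Where-Object { $serviceAccounts -contains $_.Account }

# Any row here is a service account used by a person (or by an attacker holding its
# credentials) and should be investigated against the change record for that account.
$hits | Sort-Object Time | Format-Table -AutoSize
```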
Service accounts should only be used by applications or services – not users. Due to the accounts’ intended function, interactive logons should not be permitted by default. The Group Policy Object (GPO) policies ‘Deny log on locally’ and ‘Deny log on through Remote Desktop Services’ will help your organization in preventing a service account from logging in interactively.
Configure service accounts with the following GPO policies: ‘Deny Logon locally’ (above) and ‘Deny logon through Remote Desktop Services’ (below) to help prevent service accounts from logging on interactively.
We advise creating two groups, one that is set with ‘Deny log on locally’ and ‘Deny log on through Remote Desktop Services’ policies and the other with ‘Allow log on locally’ and ‘Allow log on through Remote Desktop Services’ policies. You can name the groups something like ‘Service Account – AllowInter’ and ‘Service Account – DenyInter’. This will help address a situation in which a member of your organization needs to leverage the service account locally. If this becomes true, all an administrator needs to do is remove the service account from the group ‘Service Account – DenyInter’ and add it to the group ‘Service Account – AllowInter’.
Give the groups descriptive names like ‘Service Account – AllowInter’ (pictured above) and ‘Service Account – DenyInter’ to help address a situation in which a member of your organization needs to leverage the service account locally.
To further harden the group ‘Service Account – AllowInter’, your organization can assign its members the GPO policies ‘Log On To’ and ‘Logon Hours’. ‘Log On To’ lets your team restrict the service account to logging on only from specified domain-joined machines, and ‘Logon Hours’ lets your team specify the time frame during which logons are permitted for the service account.
To strengthen the group ‘Service Account – AllowInter’, assign the group GPO policies ‘Log On To’ (above) and ‘Logon Hours’ (below) so your team can specify certain domain-joined machines and time frames permitted for the service account.
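The group arrangement and the ‘Log On To’ / ‘Logon Hours’ restrictions above, carried out with the ActiveDirectory module. This is an added example rather than the post's own procedure; the OU, account names and host names are constructed, the group names use a plain hyphen, and the Deny/Allow logon GPOs are assumed to already be linked to the two groups.

```powershell
# Added example: create the AllowInter/DenyInter groups, default an account to deny,
# and pin an approved account to specific hosts and a logon-hours window.
Import-Module ActiveDirectory

$ou = 'OU=Service Accounts,DC=example,DC=local'     # assumed OU
foreach ($g in 'Service Account - DenyInter', 'Service Account - AllowInter') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ou
    }
}

# Default posture: interactive logon denied (the Deny GPOs apply to this group).
Add-ADGroupMember -Identity 'Service Account - DenyInter' -Members 'svc_sql'

# logonHours is a 21-byte bitmask: 168 bits, one per hour of the week in UTC,
# starting Sunday 00:00, least-significant bit first within each byte.
function New-LogonHoursMask {
    param([int[]]$Days, [int]$StartHour, [int]$EndHour)   # Days: 0=Sun..6=Sat; hours in UTC
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $day * 24 + $h
            $idx = [math]::Floor($bit / 8)
            $mask[$idx] = $mask[$idx] -bor (1 -shl ($bit % 8))
        }
    }
    return ,$mask
}

# An account that legitimately needs interactive access: move it to the allow group,
# then limit it to two hosts ('Log On To') and weekdays 02:00-06:00 UTC ('Logon Hours').
Remove-ADGroupMember -Identity 'Service Account - DenyInter' -Members 'svc_backup' -Confirm:$false -ErrorAction SilentlyContinue
Add-ADGroupMember    -Identity 'Service Account - AllowInter' -Members 'svc_backup'
Set-ADUser -Identity 'svc_backup' -LogonWorkstations 'BACKUP01,BACKUP02'
Set-ADUser -Identity 'svc_backup' -Replace @{ logonHours = (New-LogonHoursMask -Days 1,2,3,4,5 -StartHour 2 -EndHour 6) }

# Read back the result for the change record.
Get-ADUser 'svc_backup' -Properties LogonWorkstations, logonHours, MemberOf |
    Select-Object Name, LogonWorkstations, @{n='MemberOf'; e={ $_.MemberOf -join '; ' }}
```

Note that Active Directory stores logonHours in UTC while the account properties dialog displays them in the local time of the admin workstation, so a mask built here may look shifted in the GUI.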
The principle of least privilege is a long-standing best practice that still carries its weight in a continually evolving information technology landscape. The root of the principle is to give users, programs, or services the minimal set of privileges necessary to perform their intended function. With the help of Active Directory, we can apply the principle of least privilege to our service accounts.
Vendor permission requirements often state that a product needs broad and sensitive permissions when in reality it does not. For example, why would a SQL service need Domain Admin rights? It doesn’t. Working closely with the vendor to pin down the exact rights the service needs to function will help your organization assign the service account permissions that are consistent with its function. If the service does not require permissions defined by any built-in privileged group, your organization should create a new privileged security group for the corresponding service account, granting only what the principle of least privilege allows. If the service does require permissions defined by a built-in privileged group, it is advisable to replicate those permissions in a new privileged security group dedicated to the corresponding service account rather than adding the account to the built-in group. This preserves nonrepudiation: otherwise every member of the built-in privileged group would have access to the credentials of the service account.
Understanding what a sensitive object is in your environment will help your organization apply DACLs (Discretionary Access Control Lists) that prevent the account from accessing the object. Like an implicit-deny firewall ACL rule, DACLs in Active Directory provide the ability to deny permissions on objects in your environment. Implementing deny entries on your sensitive files and folders will help limit misuse of the account in the event it is compromised. One of the first steps an attacker takes with a compromised account is to work out what they can do and access with it. Denying your service accounts access to sensitive objects will make it difficult for an attacker to complete their actions on objectives with the account.
At its core, a change management process is used to track, schedule, communicate, and define the scope of a change in your environment. After the initial creation and deployment of a service account, there should be minimal changes made to the account. In the event a change is needed, or a new service account needs to be created, your organization should have a formal change management process in place.
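An explicit deny entry on a sensitive folder for a service account, plus a read-back to confirm it landed. This is an added example, not code from the post; the folder path and account name are constructed.

```powershell
# Added example: deny a service account all access to a sensitive folder and its contents.
# Requires permission to modify the folder's DACL (e.g., owner or Full Control).
$path    = 'D:\Finance\Payroll'     # assumed sensitive folder
$account = 'EXAMPLE\svc_sql'        # assumed service account (DOMAIN\sAMAccountName)

$acl = Get-Acl -Path $path

# Deny FullControl, inherited by subfolders (ContainerInherit) and files (ObjectInherit).
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# Verify. Deny ACEs are evaluated before Allow ACEs, so the account stays blocked even
# if a group it belongs to holds an Allow entry on the same folder.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

The same approach works for directory objects through the AD: PSDrive, substituting an ActiveDirectoryAccessRule for the FileSystemAccessRule.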
Implementing a formal approval and change management process for your service accounts will help ensure the change does not go unnoticed. Traditionally, these changes may fall under your organization’s Standard Change process rather than a Normal Change process; but if applicable, we recommend following a Normal Change process.
Using a Normal Change process rather than a Standard Change process will ensure that the change is reviewed by a change advisory board. The process could look something like this: in order to change an attribute of the service account or create a new service account, you draft a formal proposal that defines the reason for the change or addition, the impact it will have, the personnel conducting the change, and the scope of the change. Then, you present this to the person or persons your organization has granted permission to approve or deny the change.
By using a defined Normal Change process for service accounts, your organization will have a stronger control in place to ensure the accounts are not configured or changed to a state that makes them more vulnerable than they already are. This implementation will also provide your organization the visibility needed to establish an accurate normal baseline for the accounts, which in turn will assist in auditing and in conducting periodic privilege reviews of the accounts in the environment. Any deviation in a service account’s baseline that does not match the proposal created for the change or creation could be a sign the account is being misused.
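A way to keep the approved baseline described above and flag drift from it. This is an added example rather than the post's own tooling; the group names, baseline path and the set of tracked attributes are assumptions. Take the snapshot when a change request is approved, and run the comparison on a schedule.

```powershell
# Added example: snapshot security-relevant attributes of every service account and
# report any difference from the approved baseline (JSON file).
Import-Module ActiveDirectory

$groups   = 'Service Account - DenyInter', 'Service Account - AllowInter'   # assumed names
$baseline = 'C:\Baselines\service-accounts.json'                          # assumed path
$props    = 'MemberOf','LogonWorkstations','logonHours','ServicePrincipalName',
            'PasswordNeverExpires','Enabled','AdminCount'

function Get-ServiceAccountState {
    $groups | ForEach-Object { Get-ADGroupMember -Identity $_ } |
      Sort-Object SamAccountName -Unique |
      ForEach-Object {
        $u = Get-ADUser -Identity $_.SamAccountName -Properties $props
        [pscustomobject]@{
            Account              = $u.SamAccountName
            Enabled              = $u.Enabled
            AdminCount           = $u.AdminCount
            PasswordNeverExpires = $u.PasswordNeverExpires
            LogonWorkstations    = $u.LogonWorkstations
            LogonHours           = ($u.logonHours | ForEach-Object { $_.ToString('x2') }) -join ''
            MemberOf             = ($u.MemberOf | Sort-Object) -join ';'
            SPNs                 = ($u.ServicePrincipalName | Sort-Object) -join ';'
        }
      }
}

$current = Get-ServiceAccountState
if (-not (Test-Path $baseline)) {
    # First run (or re-baseline after an approved change): record the current state.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $baseline
    Write-Host "Baseline written to $baseline"
    return
}

# Compare field by field; anything that differs is a change with no approved proposal.
$approved = Get-Content $baseline -Raw | ConvertFrom-Json
foreach ($now in $current) {
    $was = $approved | Where-Object Account -eq $now.Account
    if (-not $was) { Write-Warning "New account not in baseline: $($now.Account)"; continue }
    foreach ($p in $now.PSObject.Properties.Name) {
        if ("$($was.$p)" -ne "$($now.$p)") {
            Write-Warning "$($now.Account): $p changed from '$($was.$p)' to '$($now.$p)'"
        }
    }
}
```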
ReliaQuest GreyMatter, our SaaS security platform, offers unparalleled visibility by integrating and normalizing data from disparate technologies including SIEM, EDR, multi-cloud and point tools, on demand, so you always have a unified view to immediately and comprehensively detect and respond to threats from across your environment. With this visibility, organizations not only find themselves with clear and relevant data to quickly and thoroughly investigate incidents, it also provides the ability to transition from reactive to proactive security programs. Through GreyMatter’s threat hunting capabilities, our customers can create custom Hunts or leverage Hunt packages developed by our R&D team to identify Service Account misuse. GreyMatter Detect also gives our customers access to a content library of over 600 technology agnostic alerts, 30+ of which are specifically focused around detecting Service Account misuse.