
Account compromise (Part 2): Enrich alerts, avoid toil, and regain control during incidents

Blog post from Tines

Post Details
Author
Thomas Kinsella
Word Count
1,212
Summary

In the second part of a series on security automation for combating account compromise, the focus shifts from detection to enrichment and case management. The post cites the 2020 Verizon Data Breach Investigations Report on misconfigurations as a growing cause of breaches, and stresses that the exploitation window after a credential leak is only as short as the response is fast. The workflow uses the HaveIBeenPwned API to pull breach details for each compromised email address, checks with emailrep.io whether the address has been used elsewhere, and packages the results into incident cases. Cases are opened separately for the Helpdesk and Infosec teams, so that each team receives only the information it needs and sensitive breach data is not exposed more widely than necessary. One case is created per compromised account, which makes it straightforward to track operational actions such as locking the account and terminating its sessions. Integrating with case management systems such as TheHive and Jira Service Desk improves collaboration between the teams and reduces Mean Time to Respond (MTTR). Part 3 of the series will cover active response and user engagement.
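The enrichment and case-splitting workflow the summary describes, written out as an added example. This is illustrative code, not the Tines post's own story or a Tines API; the HIBP and emailrep.io responses are constructed sample data shaped like those APIs' JSON (field names such as `DataClasses`, `BreachDate`, `details.profiles` are assumptions to verify against each vendor's documentation), and the lookup functions are injected so the example runs offline. The live HIBP helper at the end is included to show the call shape only and is not exercised here.

```python
"""Enrich compromised accounts and open one case per team per account.

Added example, not code from the original post. The sample API responses
below are constructed and only approximate the real HIBP v3 and emailrep.io
JSON shapes (an assumption; check each vendor's docs before relying on it).
"""
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable

# Constructed sample data keyed by email, standing in for
# GET https://haveibeenpwned.com/api/v3/breachedaccount/{email}?truncateResponse=false
SAMPLE_HIBP = {
    "alice@example.com": [
        {"Name": "ExampleBreach", "BreachDate": "2019-03-01",
         "DataClasses": ["Email addresses", "Passwords"], "IsVerified": True},
        {"Name": "OtherSite", "BreachDate": "2021-07-15",
         "DataClasses": ["Email addresses", "Usernames"], "IsVerified": True},
    ],
    "bob@example.com": [],
}
# Constructed sample data standing in for GET https://emailrep.io/{email}
SAMPLE_EMAILREP = {
    "alice@example.com": {"reputation": "low", "suspicious": True,
                          "details": {"credentials_leaked": True,
                                      "profiles": ["github", "twitter"]}},
    "bob@example.com": {"reputation": "high", "suspicious": False,
                        "details": {"credentials_leaked": False, "profiles": []}},
}

# Data classes that mean the leaked record lets an attacker log in directly
HIGH_RISK_CLASSES = {"Passwords", "Password hints", "Security questions and answers"}


@dataclass
class Enrichment:
    email: str
    breaches: list          # (breach name, breach date) pairs
    password_exposed: bool  # any breach leaked a credential-class field
    used_elsewhere: bool    # emailrep.io saw the address on other services
    profiles: list          # services where the address has a profile


def enrich(email: str, hibp_lookup: Callable, emailrep_lookup: Callable) -> Enrichment:
    """Combine HIBP breach data and emailrep.io reputation for one address."""
    breaches = hibp_lookup(email) or []
    details = (emailrep_lookup(email) or {}).get("details", {})
    return Enrichment(
        email=email,
        breaches=sorted((b["Name"], b["BreachDate"]) for b in breaches),
        password_exposed=any(set(b.get("DataClasses", [])) & HIGH_RISK_CLASSES
                             for b in breaches),
        used_elsewhere=bool(details.get("profiles")) or bool(details.get("credentials_leaked")),
        profiles=list(details.get("profiles", [])),
    )


def build_cases(e: Enrichment) -> dict:
    """Separation of duties: Helpdesk gets only the actions it must perform,
    Infosec gets the full breach detail. Both cases reference the same account."""
    severity = "high" if e.password_exposed else ("medium" if e.breaches else "low")
    helpdesk = {
        "title": f"Password reset required: {e.email}",
        "severity": severity,
        "actions": ["Force password reset", "Terminate active sessions"],
    }
    infosec = {
        "title": f"Account compromise: {e.email}",
        "severity": severity,
        "breaches": e.breaches,
        "password_exposed": e.password_exposed,
        "used_elsewhere": e.used_elsewhere,
        "profiles": e.profiles,
        "linked_helpdesk_case": helpdesk["title"],
    }
    return {"helpdesk": helpdesk, "infosec": infosec}


def triage(emails, hibp_lookup: Callable, emailrep_lookup: Callable) -> dict:
    """One pair of cases per compromised account, keyed by email."""
    return {email: build_cases(enrich(email, hibp_lookup, emailrep_lookup))
            for email in emails}


def hibp_lookup_live(email: str, api_key: str) -> list:
    """Live HIBP v3 call (not run here). HIBP answers 404 when an address
    appears in no breach, which we map to an empty list."""
    url = f"https://haveibeenpwned.com/api/v3/breachedaccount/{email}?truncateResponse=false"
    req = urllib.request.Request(url, headers={"hibp-api-key": api_key,
                                               "user-agent": "account-compromise-enrichment"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_HIBP, SAMPLE_HIBP.get, SAMPLE_EMAILREP.get), indent=2))
```

The two case payloads are deliberately different: the Helpdesk ticket never carries breach names or data classes, only the reset and session-termination actions, while the Infosec case keeps everything and links back to the Helpdesk ticket so the two teams can track the same account without sharing each other's queues.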