Preserving Identity Relationships for Faster Breach Investigations


Brendon Rod

Chief Evangelist

Mapping MITRE ATT&CK Techniques to Advanced Identity Forensics

“We’ve identified suspicious activity in our environment, but we can’t determine when the breach began or what access paths the attackers exploited.”

This scenario has become increasingly common as identity systems become the primary target for sophisticated attacks. When identity is compromised, organizations face a critical forensic challenge: understanding not just which objects were affected, but how relationships between those objects created attack paths through the environment.

Traditional backup approaches fail at this crucial task because they focus on recovering individual objects without preserving their complex web of relationships. In this post, we’ll explore how relationship-aware recovery transforms breach investigation and why preserving the complete identity context is essential for effective security forensics.

Why Identity Relationships Matter More Than Individual Objects

Modern identity environments consist of much more than just user accounts.

They’re complex ecosystems of interrelated objects:

  • Users belong to groups
  • Groups have nested memberships
  • Applications have assigned users and groups
  • Roles have assigned scopes and permissions
  • Administrative privileges flow through these relationships

This web of connections creates what security professionals call the “attack surface”—the sum total of potential paths an attacker can use to move through your environment. When investigating a breach, understanding these relationships is often more important than focusing on individual objects.


Consider a scenario where an attacker compromises a seemingly low-privilege account and then exploits group memberships and application assignments to gain access to sensitive systems. If your recovery solution only focuses on individual objects (users, groups, applications) without their relationships, you’ll miss the critical context that explains how the attack progressed.

InfoSec Institute warns: "Many enterprises spend millions of dollars on solutions that promise to bolster their security. However, much less focus is placed on the ability to detect lateral movement in a data breach."

This gap in detection capability is precisely what relationship-aware recovery is designed to address.

Acsense’s Relationship-Aware Recovery Approach

Acsense approaches identity backup and recovery fundamentally differently from traditional solutions.

Rather than simply storing objects, our platform preserves what we call the complete “identity posture”—the full context of every object and all its relationships at any point in time.

This approach is made possible by our database architecture, which captures not just objects but the connections between them:

  • Who belongs to which groups
  • Which groups have access to which applications
  • How administrative privileges flow through the environment
  • How these relationships change over time

The MITRE ATT&CK framework, which catalogs attacker tactics and techniques, identifies lateral movement as a key phase in sophisticated attacks.

According to recent research published in ScienceDirect, "Lateral Movement (LM) is defined as any activity that allows adversaries to progressively move deeper into a system in seek of high-value assets."

When you recover or investigate any point in time with Acsense, you’re not just seeing individual objects—you’re seeing the complete web of relationships that existed at that moment. This provides the essential context for understanding how attackers move through your environment.

Forensic Investigation Capabilities

1. Tracing Attack Paths Through Identity Relationships

When suspicious activity is detected, security teams need to understand how attackers gained access and moved through the environment.

Acsense enables investigators to:

  • View the complete identity posture at any point in time
  • Trace relationship paths between compromised accounts and sensitive resources
  • Identify which permissions and access rights were exploited
  • Determine when critical relationship changes occurred

According to ExtraHop, "To detect this type of stealthy lateral movement inside the east-west corridor, cybersecurity teams need to be able to examine—at great detail and with tremendous skepticism—seemingly legitimate activity from their internal systems."

2. Identifying Unauthorized Relationship Changes

Sophisticated attackers often make subtle changes to identity relationships to establish persistence and backdoor access. These changes can be nearly impossible to detect without relationship-aware recovery.

As Exabeam notes, "lateral movement actions often eschew malware in favor of stealing or reusing a valid user's credentials...impersonating a valid user gives attackers a quieter and subtler way to spread through a network than directly exploiting multiple machines."

Acsense allows security teams to:


  • Compare identity posture before and after suspected breach points
  • Identify unexpected or unauthorized relationship changes
  • Detect subtle permission escalations that might otherwise go unnoticed
  • Pinpoint exactly when relationship changes occurred

Harlan Carvey, a digital forensics expert, explains in his Windows Incident Response blog:

“When there’s been lateral movement there are usually two systems involved; system A (the source) and system B (the destination).”

Acsense helps security teams identify both systems and the relationship paths between them.

3. Creating Comprehensive Forensic Timelines

Effective breach investigation requires establishing a precise timeline of events.

NIST recommends comprehensive recovery strategies that address both technical and organizational aspects of cybersecurity events.

Acsense’s relationship-aware approach allows security teams to:

  • Create detailed timelines of identity changes
  • Correlate relationship changes with observed attack activity
  • Determine the initial breach point with greater precision
  • Document the attack progression for reporting and remediation

This capability dramatically accelerates investigation time—turning what might be weeks of manual correlation into hours of structured analysis.
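The three capabilities above (tracing a relationship path from a compromised account to a sensitive resource, comparing identity posture before and after a suspected breach point, and building a timeline of relationship changes) can be illustrated with a small model in which each point-in-time snapshot is the full set of relationship edges that existed at that moment. The Python below is an added example written for this post; it is not Acsense code and does not describe its database. The tenant, object names, relations and timestamps are constructed sample data.

```python
"""Relationship-aware identity snapshots: path tracing, posture diff, timeline.

Added illustrative example (not Acsense code). Every user, group, application,
role and timestamp below is constructed sample data.
"""
from collections import deque

# One relationship edge: (source object, relation, target object).
Edge = tuple[str, str, str]

# Constructed baseline posture of a small tenant: users, nested groups,
# application assignments and an admin role.
BASELINE: frozenset[Edge] = frozenset({
    ("user:alice", "member_of", "group:helpdesk"),
    ("group:helpdesk", "assigned_to", "app:ticketing"),
    ("user:bob", "member_of", "group:finance"),
    ("group:finance", "member_of", "group:erp-users"),   # nested membership
    ("group:erp-users", "assigned_to", "app:erp"),
    ("user:bob", "has_role", "role:global-admin"),
})

# Constructed snapshots at three points in time. Between them an attacker
# quietly adds alice to finance, then grants her the admin role.
SNAPSHOTS: dict[str, frozenset[Edge]] = {
    "2024-03-01T00:00": BASELINE,
    "2024-03-05T00:00": BASELINE | {("user:alice", "member_of", "group:finance")},
    "2024-03-09T00:00": BASELINE
        | {("user:alice", "member_of", "group:finance"),
           ("user:alice", "has_role", "role:global-admin")},
}


def diff_snapshots(before: frozenset[Edge], after: frozenset[Edge]):
    """Relationship changes between two postures, as (added, removed) edge sets."""
    return after - before, before - after


def find_path(snapshot: frozenset[Edge], start: str, target: str):
    """Shortest chain of relationships leading from start to target (BFS), or None.

    The relations on the returned path are the permissions an attacker holding
    `start` could have exploited to reach `target`.
    """
    adjacency: dict[str, list[Edge]] = {}
    for edge in sorted(snapshot):            # sorted for deterministic traversal
        adjacency.setdefault(edge[0], []).append(edge)
    parent: dict[str, Edge] = {}             # node -> edge used to reach it
    queue, seen = deque([start]), {start}
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node != start:             # walk parents back to the start
                edge = parent[node]
                path.append(edge)
                node = edge[0]
            return path[::-1]
        for edge in adjacency.get(node, []):
            nxt = edge[2]
            if nxt not in seen:
                seen.add(nxt)
                parent[nxt] = edge
                queue.append(nxt)
    return None


def build_timeline(snapshots: dict[str, frozenset[Edge]]):
    """Chronological list of (timestamp, '+'/'-', edge) across consecutive snapshots."""
    events = []
    stamps = sorted(snapshots)
    for prev, cur in zip(stamps, stamps[1:]):
        added, removed = diff_snapshots(snapshots[prev], snapshots[cur])
        events += [(cur, "+", e) for e in sorted(added)]
        events += [(cur, "-", e) for e in sorted(removed)]
    return events


def first_change_involving(timeline, obj: str):
    """Earliest snapshot at which obj gained or lost a relationship: an initial-breach candidate."""
    for stamp, _, edge in timeline:
        if obj in (edge[0], edge[2]):
            return stamp
    return None


if __name__ == "__main__":
    timeline = build_timeline(SNAPSHOTS)
    for event in timeline:
        print(*event)
    print("first change touching alice:", first_change_involving(timeline, "user:alice"))
    print("alice -> app:erp on 03-01:", find_path(SNAPSHOTS["2024-03-01T00:00"], "user:alice", "app:erp"))
    print("alice -> app:erp on 03-05:", find_path(SNAPSHOTS["2024-03-05T00:00"], "user:alice", "app:erp"))
```

Running the script shows that alice had no route to the ERP application in the baseline, that a single added membership edge on 03-05 created the route through the nested finance group, and that the timeline places her first relationship change before the later admin-role grant. Because a snapshot stores every edge rather than only the objects, the diff and the path search need no external log correlation; representing edges as immutable sets also keeps the posture comparison a plain set difference.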

Tenant Cloning for Isolated Investigation

Beyond relationship awareness, effective forensics requires the ability to investigate without disrupting production environments or alerting attackers to your investigation. Acsense’s tenant cloning capability addresses this need directly.

With tenant cloning, security teams can:

  • Create an exact copy of their identity environment at any point in time
  • Perform detailed investigations in an isolated environment
  • Test remediation strategies before implementation
  • Preserve forensic evidence for regulatory reporting and potential legal proceedings

This capability is particularly valuable during active incident response, when security teams need to investigate quickly without tipping off attackers or causing additional disruption to business operations.

Collaboration with Security Teams

Effective breach response requires close collaboration between identity teams and security operations.

Acsense facilitates this collaboration through:

  • Detailed exports of identity relationships for security analysis
  • Visual representations of identity posture for easier understanding
  • Integration capabilities with security information and event management (SIEM) systems
  • Comprehensive reporting for incident response documentation

This collaboration is essential for connecting identity forensics with broader security investigations, creating a complete picture of breach activity across the environment.

Beyond Forensics: Proactive Identity Security

While the forensic capabilities discussed here are critical during breach response, they also enable proactive security initiatives:

  • Regular review of identity relationships to identify potential vulnerabilities
  • Verification that security policies are properly implemented
  • Validation that administrative access follows least-privilege principles
  • Detection of drift from security baselines

As InfoSec Institute recommends, "By carefully monitoring login activity, you may be able to detect compromises before critical actions, such as data access and third-party compromise, take place. That makes login monitoring a pre-attack indicator – logon after hours or at a strange time of day can indicate lateral movement."

By making identity relationships visible and trackable, Acsense turns identity management from a potential security blind spot into a powerful security tool.

Evaluating Your Identity Forensic Capabilities

As you assess your organization’s ability to respond to identity-based attacks, consider these questions:

  • Can you determine exactly what identity relationships existed at any point in time?
  • Would you be able to trace how an attacker moved through your identity environment?
  • Can you identify subtle relationship changes that might indicate compromise?
  • Do you have the ability to investigate without disrupting production or alerting attackers?

Organizations subject to regulations like GDPR must maintain detailed records of processing activities and conduct regular impact assessments.

If these questions reveal gaps in your identity forensic capabilities, it may be time to consider a relationship-aware approach to identity resilience.

The Complete Identity Resilience Picture

The forensic capabilities discussed in this post build on the foundation established in our previous articles:

  1. Secure backup foundations (3-2-1, air gaps, immutability)
  2. Point-in-time recovery for compliance and investigation
  3. Automated testing to ensure recovery confidence

Together, these capabilities create a comprehensive identity resilience platform that addresses the full spectrum of operational, compliance, and security needs.

Ready to transform your identity security capabilities?

Contact us for a demonstration of Acsense’s relationship-aware recovery and forensic capabilities.


P.S.

Looking to stay in the loop on the latest IAM trends and updates?

Subscribe to the FiveNines IAM newsletter today and gain access to exclusive insights from industry leaders, groundbreaking companies, and global news outlets. Don’t miss out on the must-read monthly newsletter that delivers the juiciest edition yet of IAM resilience.

Subscribe on LinkedIn now and stay ahead of the curve!
