Streamlining locked account investigations with Command Zero

Locked accounts represent one of the most common yet overlooked security patterns in modern environments. Far from being mere user-experience inconveniences, these incidents often serve as the "canary in the coal mine" for more significant security concerns.
When an account becomes locked, it signals that a fundamental security mechanism has engaged, typically because someone has attempted to authenticate repeatedly with improper credentials. The critical question every security team should ask is: why?
These incidents provide security teams with valuable artifacts that can serve as starting points for broader threat hunting activities. By investigating locked accounts systematically, analysts gain insight into potential targeting patterns and attack methodologies.
Despite their importance, locked account incidents often fly under the radar because they don't typically trigger dedicated security alerts. Instead, they manifest as operational patterns that require thoughtful investigation and correlation.
I like to think of locked accounts as canaries in the coal mine for security operations. They can signal various issues:
While a single locked account may not trigger a security alert, the pattern of lockouts across an organization can reveal critical insights. It's essential to look beyond individual incidents and analyze the broader context.
For instance, if you notice a spike in locked accounts from a particular IP range or at unusual hours, it could indicate a coordinated attack. Similarly, if specific high-value accounts are repeatedly targeted, it might suggest a focused attempt to compromise sensitive data. The volume of accounts being targeted is also telling. A single identity or a small handful might indicate something very targeted, perhaps an executive or someone in infrastructure with broad access permissions. A targeted attack like this indicates an actor has done their homework and this is not a casual "spray and pray" attack. These sorts of attacks are likely to continue, and observing locked-out accounts might be your first and only warning of a sophisticated attack.
Large numbers of accounts being targeted could indicate that someone has harvested account data from your enterprise into a single bulk allotment and is testing it against your environment. Bulk harvesting from different breach lists would explain why groups of identities are in the hands of attackers focusing on your environment.
The same approach can be carried out by harvesting data from spam. Either way, an attacker has intentionally focused on your org, and that focus is likely to endure for a period of time.
Lastly, and most worrisome, is the case where a bulk of identities is being tested against your org and they came not from the outside but from your org itself, indicating a previous breach that includes your credentials. In this case, your credentials are likely in circulation within the attacker community or on the dark web. This is often indicated by attacks where the bulk of the accounts were locked out due to conditional access policy controls, but the username/password pairs were actually correct. Obviously, this is a major red flag for the organization, concealed under everyday locked-out-user alerts.
The only way to uncover early warning signs like these is to thoroughly investigate all locked-out-account alerts.
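The patterns described above (one source failing against many distinct accounts, a single identity locked out repeatedly, lockouts at unusual hours, and the "password was right but policy blocked it" case) can be checked mechanically before an analyst opens a single ticket. The following Python script is an added illustration, not Command Zero code and not tied to any particular identity provider's log format; the event schema (`ts`, `user`, `src_ip`, `result`, `password_ok`) and the sample events are constructed for this example, and the thresholds are assumptions an organization would tune.

```python
"""Triage of account-lockout patterns over a constructed batch of sign-in events.

Added illustration, not Command Zero code. The event schema is an assumption:
  ts          ISO 8601 UTC timestamp
  user        account name
  src_ip      source address of the attempt
  result      'success' | 'bad_password' | 'locked_out' | 'ca_blocked'
              ('ca_blocked' = rejected by a conditional-access style policy)
  password_ok whether the submitted password was actually correct
"""
from collections import defaultdict
from datetime import datetime

FAILURES = ("bad_password", "locked_out", "ca_blocked")

# Constructed sample events (not real log data). Addresses are documentation ranges.
EVENTS = [
    {"ts": "2024-03-04T02:11:00Z", "user": "cfo",   "src_ip": "203.0.113.10", "result": "bad_password", "password_ok": False},
    {"ts": "2024-03-04T02:12:00Z", "user": "cfo",   "src_ip": "203.0.113.10", "result": "bad_password", "password_ok": False},
    {"ts": "2024-03-04T02:13:00Z", "user": "cfo",   "src_ip": "203.0.113.10", "result": "locked_out",   "password_ok": False},
    {"ts": "2024-03-05T03:02:00Z", "user": "cfo",   "src_ip": "203.0.113.10", "result": "locked_out",   "password_ok": False},
    {"ts": "2024-03-04T09:30:00Z", "user": "alice", "src_ip": "198.51.100.7", "result": "ca_blocked",   "password_ok": True},
    {"ts": "2024-03-04T09:30:05Z", "user": "bob",   "src_ip": "198.51.100.7", "result": "ca_blocked",   "password_ok": True},
    {"ts": "2024-03-04T09:30:10Z", "user": "carol", "src_ip": "198.51.100.7", "result": "ca_blocked",   "password_ok": False},
    {"ts": "2024-03-04T09:30:15Z", "user": "dave",  "src_ip": "198.51.100.7", "result": "bad_password", "password_ok": False},
    {"ts": "2024-03-04T14:05:00Z", "user": "erin",  "src_ip": "192.0.2.55",   "result": "locked_out",   "password_ok": False},
    {"ts": "2024-03-04T14:06:00Z", "user": "erin",  "src_ip": "192.0.2.55",   "result": "success",      "password_ok": True},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def accounts_per_source(events):
    """Map each source IP to the set of distinct accounts it failed against."""
    out = defaultdict(set)
    for e in events:
        if e["result"] in FAILURES:
            out[e["src_ip"]].add(e["user"])
    return dict(out)


def bulk_sources(events, min_accounts=3):
    """Sources failing against many distinct accounts: spraying or testing a harvested list."""
    return sorted(ip for ip, users in accounts_per_source(events).items()
                  if len(users) >= min_accounts)


def repeated_targets(events, min_lockouts=2):
    """Accounts locked out repeatedly: possible focused targeting of one identity."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "locked_out":
            counts[e["user"]] += 1
    return sorted(u for u, n in counts.items() if n >= min_lockouts)


def off_hours_lockouts(events, business_start=8, business_end=18):
    """Lockouts outside business hours (hours are UTC here; adjust for the org's timezone)."""
    return [e for e in events
            if e["result"] == "locked_out"
            and not (business_start <= parse_ts(e["ts"]).hour < business_end)]


def valid_creds_blocked(events):
    """Highest-priority finding: the password was correct but a policy blocked the sign-in.
    This is the 'credentials already in circulation' case hidden under ordinary lockout noise."""
    return sorted({e["user"] for e in events
                   if e["result"] == "ca_blocked" and e["password_ok"]})


def triage(events):
    """Run every check and return one summary dict for the analyst."""
    return {
        "bulk_sources": bulk_sources(events),
        "repeated_targets": repeated_targets(events),
        "off_hours_lockout_users": sorted({e["user"] for e in off_hours_lockouts(events)}),
        "valid_creds_blocked": valid_creds_blocked(events),
    }


if __name__ == "__main__":
    for finding, value in triage(EVENTS).items():
        print(f"{finding}: {value}")
```

Run against the constructed batch, the script surfaces 198.51.100.7 as a bulk source, `cfo` as a repeatedly targeted identity locked out at 02:13 and 03:02, and `alice` and `bob` as accounts whose correct passwords were stopped only by policy; `erin`'s single daytime lockout followed by a success produces no finding. The last category deserves the first look, since a lockout counter would never have distinguished it from the rest.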
Traditional investigation methods often require security analysts to juggle multiple tools and data sources. The two most common reasons why locked accounts go uninvestigated are:
At Command Zero, we've developed a platform that centralizes this process, making it more efficient and effective. This solution helps security operations teams take on locked account investigations by freeing up their time (through streamlining all investigations and threat hunts) and by accelerating these investigations, so analysts have both the time and an effective methodology to run these cases to ground.
Our approach offers several key advantages:
Looking ahead, we're developing capabilities to further automate threat hunting around locked account incidents. Our vision includes fully autonomous investigations powered by expert systems and large language models that accelerate detection and response.
By transforming how security teams approach these common incidents, we're enabling more proactive threat hunting and reducing the time between initial detection and comprehensive response.
Book a demo with our team to see how Command Zero can transform GitHub investigations and tier-2+ analysis for your organization.
Run Better Investigations.
At Every Tier.