Google Workspace - Account suspension support or agressive deauth
B
Byron Garcia
Based on conversations with Huntress support as well as our account manager it seems that ITDR for Google workspace currently revokes an active session once, but does not de-authenticate the account and does not perform more aggressive de authentication on subsequent logins.
The Cited concerns for this in documentation is that it may be too aggressive and can break some google workspace functionality.
I for one would find this acceptable so long as what breaks is documented and can be resolved by the admin.
I would much rather cleanup a broken config if it is feasible, as opposed to allow malicious actors to freely roam on re-entry.
Alternatively, if what breaks is not repairable or creates a massive support burden, we would like to at least see a far more aggressive session de-authentication for the user account, continuous, until the incident is resolved.
Perhaps a forced credential rotation as well to help keep those sessions de-authenticated.
If we can't block access completely via revoking access, I would hope it can be made far more difficult by other means.
I understand perhaps the huntress team and some other administrators may not share the wish for this level of protection, so perhaps this could be implemented in an opt-in and granular level
For example:
Default experience: Current
Opt-in settings/levels:
- Continue revoking sessions
- Force credential rotation
- Suspend and break integrations (The aggressive level Huntress suspects is too aggressive)
This way we can keep those actions separate if anyone was interested in a more aggressive de-auth but not rotating credentials and not breaking those application connections.
Some granular choice would ultimately be ideal in the matter.
And as with anything, we would prefer this to be on a per-organization level, because each org may have their own preference of how aggressive they want to have it as well.
Thanks for your consideration
S
Stephen Cranfill
Amen! +1 for this. I don't want to wake up to an email that account is still active when likely compromised. I'd rather suspend and be safe rather than potentially have someone lurking around in an account for hours.