Home
Blog
Identity-investigations
March 13, 2025
5
min read

Investigating Locked Accounts: Making sense of the canary in the coal mine

Locked accounts, often overlooked in security operations, can be crucial indicators of larger security threats. This blog post explores why these common occurrences matter and how they serve as early warning signs for potential issues like brute force attempts, credential stuffing, insider threats, and misconfigured systems. The post also covers how Command Zero streamlines investigations by offering visual analysis, unified data sources, and automated timeline generation. By centralizing the process and leveraging advanced tools, security teams can more efficiently identify and respond to potential threats. The future of threat hunting lies in automation and autonomous investigations, pushing the boundaries of what's possible in cybersecurity.

Microsoft EntraID
password spray
Okta
password spray attacks
Alfred Huger
Cofounder & CPO
In this article
H2 Title
H3 Title

Introduction

Locked accounts represent one of the most common yet overlooked security patterns in modern environments. Far from being mere user experience inconveniences; these incidents often serve as the "canary in the coal mine" for more significant security concerns.

Why locked accounts matter for security operations

When an account becomes locked, it signals a fundamental security mechanism has engaged - typically because someone has attempted to authenticate repeatedly with improper credentials. The critical question every security team should ask is: why?

These incidents provide security teams with valuable artifacts that can serve as starting points for broader threat hunting activities. By investigating locked accounts systematically, analysts gain insight into potential targeting patterns and attack methodologies.

Despite their importance, locked account incidents often fly under the radar because they don't typically trigger dedicated security alerts. Instead, they manifest as operational patterns that require thoughtful investigation and correlation.

Locked account alerts: The canary in the coal mine

I like to think of locked accounts as canaries in the coal mine for security operations. They can signal various issues:

  1. Brute Force Attempts: An attacker might be systematically trying to crack passwords.
  1. Credential Stuffing: Cybercriminals could be using stolen credentials from other breaches, or perhaps from a breach directly into your environment.  
  1. Insider Threats: An employee might be attempting to access accounts they shouldn't.
  1. Misconfigured Systems: Automated processes might be using outdated credentials.

Moving beyond identity alerts: Investigating activity patterns

While a single locked account may not trigger a security alert, the pattern of lockouts across an organization can reveal critical insights. It's essential to look beyond individual incidents and analyze the broader context.

For instance, if you notice a spike in locked accounts from a particular IP range or at unusual hours, it could indicate a coordinated attack. Similarly, if specific high-value accounts are repeatedly targeted, it might suggest a focused attempt to compromise sensitive data. The volume of accounts being targeted is also telling. A single identity or small handful might indicate something very targeted, perhaps an executive or someone in infrastructure with broad access permissions. A targeted attack like this indicates an actor has done their homework and this not a casual ‘spray and pray attack’. These sorts of attacks are likely to continue and observing locked out accounts might be your first and only warning for a sophisticated attack.  

Large numbers of accounts being targeted could indicate that someone has harvested account data from your enterprise into a single bulk allotment and is testing them against your environment. The bulk harvesting from different breach lists would explain why groups of identities are in the hands of attackers focusing on your environment.  

The same approach can be done via harvesting data from spam, either way an attacker has intentionally focused on your org and that focus is likely to endure for a period of time.  

Lastly, and most worrisome is where a bulk of identities is being testing against your org and they came not from the outside but from your org, indicating a previous breach that includes your credentials. In this case, your credentials likely are in circulation within the attacker community or the dark web. This is often indicated by attacks where the bulk of the accounts were locked out due to conditional access policy controls, but the username/password pairs were actually correct. Obviously, this is a major red flag for the organization, concealed under every day locked out user alerts.  

The only way to uncover early warning signs like these is to thoroughly investigate all locked out account alerts.  

Streamlining locked account investigations with Command Zero

Traditional investigation methods often require security analysts to juggle multiple tools and data sources. The most common two reasons why locked accounts go uninvestigated are:  

  1. The analyst team is oversubscribed with other higher priority tasks.  
  1. These investigations require too many cycles to conclude. Making them an elusive task that never gets handled.  

At Command Zero, we've developed a platform that centralizes this process, making it more efficient and effective. This solution helps security operations teams take on locked account investigations by freeing up their time (through streamlining all investigations and threat hunts) and by accelerating these investigations. So analysts can find the time and an effective methodology to run these cases to the ground.  

Our approach offers several key advantages:

  1. Visual Analysis: Command Zero provides highly visual data representations, helping analysts make cognitive leaps and identify patterns quickly.
  1. Unified Data Source: Instead of switching between AWS, Okta, Intune, and endpoint data, analysts can access all relevant information in one place.
  1. Knowledge Base Integration: Built-in expertise allows even junior analysts to interact effectively with complex data sources and amplify their skills while learning on the job.  
  1. Automated Timeline Generation: The platform automatically creates timelines, saving valuable analyst time and reducing the risk of overlooked evidence.

The future of locked account investigations

Looking ahead, we're developing capabilities to further automate threat hunting around locked account incidents. Our vision includes fully autonomous investigations powered by expert systems and large language models that accelerate detection and response.

By transforming how security teams approach these common incidents, we're enabling more proactive threat hunting and reducing the time between initial detection and comprehensive response.

Book a demo with our team to see how Command Zero can transform GitHub investigations and tier-2+ analysis for your organization.

Alfred Huger
Cofounder & CPO

Continue reading

Identity-investigations
Highlight

Accelerate Okta investigations – sample account takeover analysis

Okta is one of the most used identity providers with various identity and access management solutions. Like other IDAM providers, Okta is a valuable resource for starting identity investigations. Impactful identity and authorization patterns including user password changes, password policies, multi-factor authentication (MFA) alerts and application consent grants can be reviewed on Okta during investigations. In this post, we’ll follow a potential account takeover flow starting from Okta alerts ingested by Command Zero. While we can expand any investigation to other data sources, I'll keep the focus on Okta to simplify this example flow.
Eric Hulse
Aug 2, 2024
6
min read
Identity-investigations
Highlight

Investigate Microsoft EntraID identities in minutes

Identity-based investigations are one of the most common analyses for security operations. These leads get under the spotlight because of an HR event (various watchlists or user’s last day), a potential compromise (as a result of business email compromise, phishing, password spray or other vectors) or suspicious behavior. Swiftly understanding who or what (for non-human users) these identities belong to, the historical context and recent behavior are key to conducting effective investigations. In this blog post, I’ll walk you through a sample watchlist investigation on Microsoft EntraID.
Alfred Huger
Jul 25, 2024
4
min read
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept All