Incident Response Play by Play with Microsoft Defender and Sentinel
Does your organization have the ability to detect and respond, either during or after a cyber attack, and more crucially, prevent attacks even before they happen?
Even in today’s economic uncertainty, the drivers of digital transformation aren’t letting up. At the same time, organizations have to be defended against cyber threats. The cybersecurity challenge is growing because people and data are increasingly targeted by external cyber attacks and put at risk by low security awareness and organizational change.
A hardened perimeter helps, but it’s not enough. Siloed on-premises tools and datasets that hinder visibility and speed make it even worse. It turns out, adding more tools can actually make your organization less secure due to complexities, compatibility issues and false assumptions.
In this play-by-play, we’ll show how to use Microsoft’s unified security solution, Microsoft 365 and Azure Defender combined with Sentinel, to speed up attack response and build investigation muscle to prevent future threats. For incidents that have already compromised the environment, we’ll also show how to contain the blast radius and quickly reverse the damage.
Solutions Featured
Microsoft Sentinel
Microsoft Defender for Identity
Microsoft Defender for Endpoint
Microsoft Defender for Office 365
Microsoft Cloud App Security
We’ll use the cyber kill chain to sequence the attack.
Let’s get started!
This scenario was inspired by an episode of Microsoft Mechanics, "Automate threat detection and response with Azure Sentinel and Microsoft 365 Defender".
Data Exfiltration Attack
To demonstrate how to automate incident response, we’ll walk through a simulated data exfiltration attack based on real techniques that have been used by recent attacks in the wild. It's a hybrid attack and compromise that starts on premises and uses sophisticated methods to move to cloud-based resources.
For such an attack (and most attack types) you’d want end-to-end visibility into the entire scope of the attack across your network (on-prem and cloud) to contain and ultimately stop it.
Reconnaissance and Intrusion
The attack starts as an email-based campaign. The email contains a link that, when clicked, starts downloading weaponized documents.
Unfortunately, this is one of the most common attack vectors, and it takes just one user in the domain to be duped for the rest of the sequence to kick off from there.
In this case, the open source tool Mimikatz is used to find and extract domain admin credentials from the compromised endpoint.
Exploitation and Privilege Escalation
From this point, the attacker is able to move into the hybrid cloud domain. The domain admin credentials are used to obtain the ADFS admin credentials in order to gain access to Active Directory Federation Services (AD FS), which maintains the trust link between on-premises resources and cloud-based resources via Azure Active Directory.
Lateral Movement
With access to Azure AD, the attacker exports the ADFS token-signing certificate in order to forge a SAML token, which gives them their first entry into the cloud environment. With the forged ADFS token, they request and gain access to services in the cloud. Now they are able to add their own new credentials to a privileged OAuth app in the cloud.
Exfiltration
From here, they now have access to high-privileged user mailboxes in Office 365, and through the Graph API they can extract and exfiltrate data.
Detection and Response with Automated Investigation
Now that we’ve laid out the attack simulation, we’ll begin looking into how we can use best practices and industry leading tools to put our incident response plan into action. Our approach uses Microsoft's cloud-based SIEM, Azure Sentinel, along with the Microsoft 365 Defender XDR solution.
To get a full picture of the attack, we’re going to start in Azure Sentinel. This gives us the largest breadth of collated signals from third parties as well as Microsoft and non-Microsoft apps and services, via more than 100 pre-built connectors.
In the Incidents panel, we see all of the active alerts and the mapped MITRE ATT&CK tactics, across impacted devices, users and mailboxes. The highest priority issues are highlighted, along with alerts, assets and evidence to further our investigation. The first incident we’ll investigate is from Fortinet and shows a data transfer to an IP address.
This could have been the ADFS credentials or the token-signing certificate. To aid our investigation, we can also review alerts from Fortinet data incorporated into an automation playbook. Sentinel has enriched this information with RiskIQ data for the IP address found. RiskIQ is a cybersecurity threat intelligence service that provides the DNS and domain details to help with our investigation.
From here, we’ll click into suggested actions, which offers an investigation graph to get a closer look at the entities involved and how they connect to other incidents. We can use this to zoom into a machine in our environment, the ADFS server, and how it transferred data to this IP address, which was captured by Fortinet and triggered the alert.
Discovering the Entry Point
There are also several other alerts related to this machine from Microsoft 365 Defender, such as the ADFS private key extraction attempt. In reviewing the malicious IP, we can see that a suspicious user has recently signed in from it. Another alert from Microsoft 365 Defender flags an unusual addition of credentials to an OAuth app.
These corroborating alerts provide the evidence we need to determine that this is our compromised account, which was used to log in from the attacker’s infrastructure and to add the new credentials. So we can now determine with high confidence that this attack started at an endpoint with a specific user account.
The Microsoft 365 Defender Incident Summary provides:
- Collection of all attack collateral in one place, automatically
- MITRE mapping
- Scope and impacted entities
- Correlated alerts
- Auto-healing state
- All collected evidence
Together, these make for a faster and more efficient investigation.
Using Behavioral Analytics to Investigate Anomalous User Activities
Next, we continue our investigation using Sentinel’s User and Entity Behavior Analytics (UEBA) feature. The UEBA insights section summarizes anomalous user activities: across geographical locations, devices and environments; across time and frequency horizons (compared to the user’s own history); and compared to a normal baseline of peer and organizational behavior.
We can see that a number of actions were abnormal for this account, such as their login location, and it looks like they've also accessed resources that don’t fit this user’s pattern. So those are flagged as anomalies for this account.
Taking Action: Automatically Assign Incident Team
With the extent of this attack becoming more apparent, we decide to bring in other people to help us extend our investigative analysis and develop our remediation plan. Luckily, Defender and Sentinel make this easy. With a few clicks we can create an incident team for this incident and assign a SOC channel group to build an action plan and collaborate on each step.
Each team member will then be able to see contributions already flowing into the team's channel, and collaborate on hunting queries to look for processes calling out to our malicious IP address.
Threat Hunting to Pinpoint Entry and Next Steps
Microsoft Sentinel has powerful hunting search and query tools to help security analysts proactively seek out new anomalies that weren't previously detected by security apps or scheduled analytics rules.
With out of the box hunting queries across different data sources, Sentinel also makes threat hunting a lot easier. Queries run on data stored in log tables, such as for process creation, DNS events, or other event types.
As we run the queries, we can see that the ADFS server called out to this IP address using some suspicious-looking PowerShell, and the third result shows it was running in the context of our ADFS administrator account.
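As an added illustration (not from the original article or from Microsoft's built-in hunting queries), here is the hunt described above written as a Sentinel KQL query over the Microsoft 365 Defender tables: it finds PowerShell processes on the ADFS server that connected to the suspect IP and joins back to the process-creation record to surface the command line, parent process and account it ran under. The IP, host name and admin-account naming pattern are placeholders.

```kql
// Added example: hunt for PowerShell on the ADFS server calling out to the suspect IP.
// Assumes the Microsoft 365 Defender connector streams DeviceNetworkEvents and
// DeviceProcessEvents into the Sentinel workspace. All literal values are placeholders.
let suspectIp = "203.0.113.10";                         // placeholder: IP from the Fortinet alert
let adfsHosts = dynamic(["adfs01"]);                    // placeholder: host names of your ADFS servers
let psNames   = dynamic(["powershell.exe", "pwsh.exe"]);
let lookback  = 7d;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP == suspectIp
| where DeviceName has_any (adfsHosts)
| where InitiatingProcessFileName in~ (psNames)
| project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, RemoteUrl,
          InitiatingProcessId, InitiatingProcessCreationTime
// Join to the process-creation record of the same PowerShell instance
// (matched on device, process id and creation time) to get its full context.
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ (psNames)
    | project DeviceId, ProcessId, ProcessCreationTime, ProcessCommandLine,
              AccountDomain, AccountName, ParentProcess = InitiatingProcessFileName
  ) on DeviceId,
     $left.InitiatingProcessId == $right.ProcessId,
     $left.InitiatingProcessCreationTime == $right.ProcessCreationTime
// Flag the "suspicious looking PowerShell": encoded commands or web downloads executed in memory.
| extend EncodedOrDownload = ProcessCommandLine has_any ("-enc", "-EncodedCommand",
                                                         "FromBase64String", "DownloadString", "IEX")
// Was it running as the ADFS administrator? Placeholder pattern; adapt to your naming.
| extend RunsAsAdfsAdmin = AccountName has "adfs"
| project Timestamp, DeviceName, AccountDomain, AccountName, RunsAsAdfsAdmin,
          RemoteIP, RemotePort, RemoteUrl, ParentProcess, ProcessCommandLine, EncodedOrDownload
| order by Timestamp asc
```

Rows with RunsAsAdfsAdmin set and EncodedOrDownload true are the ones to pivot on first; the ParentProcess column shows what launched the PowerShell instance.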
Attack Containment
With the tight integration of Microsoft 365 Defender and Sentinel features, we can get a fuller picture of this attack across all of its stages with 27 correlated alerts linked directly to the same incident in Microsoft 365 Defender. This gives us more depth on the attack so we can actually stop it from spreading.
In Microsoft 365 Defender, we can see the incident overview which shows the most important data points about this incident. We can see the scope of the attack with impacted devices, users, and mailboxes.
We’ll also see a detailed attack timeline. First, we can zoom in on the one linked incident.?To get a broader perspective, we can also move up a level to see all active incidents.
Defender automatically correlates and prioritizes related incidents, which saves a lot of manual work. The incident priority provides an at-a-glance view with incident severity, alert category, impacted entities (including devices, users and mailboxes), and any tags assigned by the security team to give more context.
This combination of end-to-end visibility with deep-dive investigation details makes it a lot easier to sift through the noise of hundreds of alerts and find out what's important. All of this translates to reduced alert fatigue and much faster response times, which ultimately means reduced risk exposure and damage.
Incident Summary and Alerts
When it comes to incident remediation, minutes and hours can literally mean the difference between business as usual and a full blown crisis.
With Microsoft's security solutions, you don't have to deal with multiple tools and stitch together the attack storyline yourself. With this attack, we’re going to show the power of having a unified tool that collects signals to connect the dots across the attack chain so that you don't have to.
In the Microsoft Defender incident alerts area, we see an aggregate view of the attack, with all of the alerts correlated together. For instance, we see the malicious email that started it all with phish detections, followed by multiple alerts for endpoint activities on compromised devices. There's also the process injection and sensitive credential read for our domain admin account, and the domain controller sync (DCSync) attack.
Adding Threat Intelligence and Recommendations
In the alerts panel we see the ADFS compromise, the unusual addition of OAuth app credentials, and the anomalous email access. If we click into the threat tag, we see that Microsoft security experts have already identified this incident as critical, with a link to a known attack.
This report provides a timeline of observed events, as well as recommendations with details for how to respond to it, top indicators of compromise along with advanced hunting queries.
Overcoming Obfuscation
We can also see the initially compromised workstation and user account, along with the full execution sequence. A drill-down into the PowerShell alert shows it downloading and executing a script from the web. The PowerShell script itself is obfuscated and totally unreadable.
With Antimalware Scan Interface (AMSI) integration, we can view the de-obfuscated syntax of the script that got executed and see it loading and executing Mimikatz in memory. AMSI allows applications and services to integrate with any antimalware product that's present on a machine, providing enhanced malware protection.
With this, the attacker is able to access more credentials. From there, they extracted the ADFS private key from one of our servers, all of which is apparent from the alerts.
Drilling Down to Prepare Remediation
We start with a drill-down into impacted devices and infrastructure. As we drill into our ADFS server, the key infrastructure link between our on-prem and cloud environments, we see a unified view of device details along with user logon information from the last 30 days and a detailed timeline of recent activities, including a couple of suspicious events.
This level of detail will help our SOC analysts isolate this evidence until investigation and remediation steps are ready to execute.
Next, we’ll investigate user accounts that were targeted and/or compromised. In the Users area in Defender, we see everyone impacted by this attack. Right away, we can see that two high level users were targeted, a VP and the CIO. We also see the ADFS admin accounts were compromised.
Starting Remediation Actions
From our user impact analysis, we can do two things.
First, we can take immediate action, such as suspending the account or confirming the user was compromised, which is a flag for Azure AD Conditional Access to block authorization.
Second, we can hunt for similar activities, just in case this isn't an isolated incident, using a custom or sample KQL hunting query. We can also save this query and compare it against previous hunting queries to aid the investigation. The previously saved queries are easily accessible via their connection to this incident.
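As an added example (not from the article or from Microsoft's sample queries), here is a hunt of the kind described above: it scans the Azure AD AuditLogs table for other credential additions to app registrations, since the unusual OAuth-app credential addition was one of this incident's key alerts, and flags actors who rarely perform that operation or performed it from the attacker's IP. The IP is a placeholder; the connector assumption is stated in the comments.

```kql
// Added example: hunt for other credential additions to Azure AD app registrations,
// to check whether the OAuth-app compromise in this incident is isolated.
// Assumes the Azure AD diagnostic connector streams AuditLogs into the Sentinel workspace.
let lookback   = 30d;
let suspectIps = dynamic(["203.0.113.10"]);   // placeholder: attacker infrastructure from the incident
AuditLogs
| where TimeGenerated > ago(lookback)
| where Category == "ApplicationManagement"
| where OperationName has "Certificates and secrets management"   // app key/secret add or remove
| where Result =~ "success"
| extend Actor    = tostring(InitiatedBy.user.userPrincipalName),
         ActorIp  = tostring(InitiatedBy.user.ipAddress),
         ActorApp = tostring(InitiatedBy.app.displayName),        // set when a service principal did it
         AppName  = tostring(TargetResources[0].displayName),
         AppId    = tostring(TargetResources[0].id),
         // first modified property (normally KeyDescription): records the key type that changed
         KeyChange = tostring(TargetResources[0].modifiedProperties[0].newValue)
| summarize Changes     = count(),
            Apps        = make_set(AppName),
            AppIds      = make_set(AppId),
            SourceIps   = make_set(ActorIp),
            KeyChanges  = make_set(KeyChange),
            BadIpHits   = countif(ActorIp in (suspectIps)),       // changes made from known attacker IPs
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated)
    by Actor, ActorApp
// Actors who almost never touch app credentials are the ones to review first,
// alongside anyone who did so from the attacker's infrastructure.
| extend Rarity = iff(Changes <= 2, "rare actor", "frequent actor")
| order by BadIpHits desc, Changes asc
```

Any row with BadIpHits above zero ties a further app registration to the same infrastructure; rare actors touching privileged apps are the next set to validate against change records.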
Tracking Actions
As we complete our incident response runbook and execute the recommended actions, our SOC can easily track manual actions as well as automated remediations in the Action center, so we can see how we're doing on remediating this attack.
Threat Analytics
After we’re done investigating and remediating this incident, we can zoom out and review a dynamically updated organizational level threat analytics dashboard in Defender. New reports are published into the portal whenever a new threat or campaign emerges, so once we know which attack our incident is associated with, we can incorporate those learnings.
Here, Microsoft provides any active alerts relevant to your organization along with impacted assets. For more detail, the analyst report provides a visual map of the attack sequence with even more drill-down content as you read through the report. This level of insight will help you build the resilience and muscle to respond to future attacks.
Wrapping Up With Endpoint Discovery
As we established earlier in our investigation, this particular attack began at the endpoint. So what happens if users are on unmanaged devices that we can't see because those devices aren't sending information to Microsoft 365 Defender?
This is a common problem, especially when not all devices are known or already directly under your management and control. To address this, Microsoft Defender offers a feature to build a device inventory so you can determine the onboarding and health status of the devices in your environment. A wide range of devices is supported, including various versions of Windows as well as Linux, macOS, iOS and Android, along with printers, smart TVs and even IoT devices.
Microsoft’s advanced device discovery feature allows your managed devices to detect the network around them, so you can discover unmanaged devices. This helps root out onboarding gaps and other future device risks.
Optimize SecOps with Microsoft 365 Defender and Azure Sentinel
Microsoft 365 Defender and Azure Sentinel combine the breadth of a SIEM with the depth of XDR, to fight against attacks and protect the most complex enterprise environments, across on-prem and multiple clouds. Empower defenders to hunt and resolve critical threats faster, eliminate alert fatigue and boost confidence levels of remediation actions.
Are You Ready for This Kind of Attack?
The cyber threat landscape continues to evolve and reach new levels of urgency. Attack techniques are getting harder and harder to pre-empt and detect. From advanced persistent ransomware, and sophisticated command and control attacks, to supply chain attacks that embed malware in apps and IoT devices, the stakes have never been higher for incident response teams defending their organizations.
With the industry-leading incident response capabilities of Microsoft Defender and Sentinel, you’ll have the tools and depth of insight you need to stop these types of attacks, not just as they happen but also before they happen, through comprehensive coverage, time-saving automation, simplified management and enhanced intelligence.
Plus+ Consulting Can Help
Our cybersecurity experts have helped many organizations prepare for and recover from these attacks and several others.
We help mid-size to large organizations identify their security vulnerabilities and implement comprehensive, adaptive programs to detect, remediate, and continuously manage cyber risks across the entire attack surface.
Get the guidance and end-to-end cybersecurity capabilities you need for peace of mind, knowing your sensitive business assets are safeguarded before, during and after incidents.
To get started, speak with one of our cybersecurity advisors today.