{"id":16888,"date":"2019-11-14T10:00:33","date_gmt":"2019-11-14T18:00:33","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/14\/news-10626\/"},"modified":"2019-11-14T10:00:33","modified_gmt":"2019-11-14T18:00:33","slug":"news-10626","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/14\/news-10626\/","title":{"rendered":"Changing security incident response by utilizing the power of the cloud\u2014DART tools, techniques, and procedures: part 1"},"content":{"rendered":"<p><strong>Credit to Author: Todd VanderArk| Date: Thu, 14 Nov 2019 17:00:56 +0000<\/strong><\/p>\n<p>This is the first in a blog series discussing the tools, techniques, and procedures that the Microsoft Detection and Response Team (DART) use to investigate cybersecurity incidents at our customer organizations. Today, we introduce the team and give a brief overview of each of the tools that utilize the power of the cloud. In upcoming posts, we\u2019ll cover each tool in-depth and elaborate on techniques and procedures used by the team.<\/p>\n<h3>Key lessons learned from DART\u2019s investigation evolution<\/h3>\n<p>DART\u2019s investigation procedures and technology have evolved over 14 years of assisting our customers during some of the worst hack attacks on record. Tools have evolved from primarily bespoke (custom) tools into a blend of commercially available Microsoft detection solutions plus bespoke tools, most of which extend the core Microsoft detection capabilities. The team contributes knowledge and technology back to the product groups, who leverage that experience into our products, so our customers can benefit from our (hard-won) lessons learned during our investigations.<\/p>\n<p>This experience means that DART\u2019s tooling and communication requirements during incident investigations tend to be a bit more demanding than most in-house teams, given we\u2019re often working with complex global environments. 
It\u2019s not uncommon that an organization\u2019s ability to detect and respond to security incidents is inadequate to cope with skilled attackers who will spend days and weeks profiling the organization and its employees. Consequently, we help organizations across many different industry verticals and from those experiences we have collated some <strong>key lessons:<\/strong><\/p>\n<ul>\n<li><strong>Detection is critical (and weak)<\/strong>\u2014One of the first priorities when the team engages to assist with an incident investigation at a customer site is to increase the detection capability of that organization. Over the years, we\u2019ve seen that industry-wide detection has stayed the weakest of the Protect, Detect, Respond triad. While average dwell time is trending downward, it is still measured in days (usually double digits), and days of access to your systems is plenty of time to do massive damage.<\/li>\n<li><strong>Inadequate auditing<\/strong>\u2014More often than not, DART finds that organizations don\u2019t turn on auditing, have misconfigured auditing, or retain logs for so short a period that the record has already been overwritten by the time the incident is discovered. The result is that there is no full record of attacker activities; with dwell times measured in double-digit days, log retention needs to cover at least that window. See auditing best practices for <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/plan\/security-best-practices\/audit-policy-recommendations\" target=\"_blank\" rel=\"noopener\">Active Directory<\/a> and <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4026501\/office-auditing-in-office-365-for-admins\" target=\"_blank\" rel=\"noopener\">Office 365<\/a>. 
In addition, given the prolific use of weaponized PowerShell scripts by attackers, we strongly recommend implementing <a href=\"https:\/\/devblogs.microsoft.com\/powershell\/powershell-the-blue-team\/\" target=\"_blank\" rel=\"noopener\">PowerShell auditing<\/a>: script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell\/Operational log) records the code that actually ran, including script blocks that were encoded or generated at run time, and module logging and transcription round out the record.<\/li>\n<li><strong>Static plus active containment<\/strong>\u2014Static containment (protection) controls can never be 100 percent successful against skilled human attackers, so we need to add an active containment component that can detect and contain those attackers at the edge and as they move around the environment. This second part is crucial\u2014<strong><em>as they move around the environment<\/em><\/strong>\u2014we need to move away from the traditional mindset of \u201cTime to Detect\u201d and implement a \u201cTime to Remediate\u201d approach with active containment procedures to disrupt attackers\u2019 abilities to realize their objective once in the environment. Attackers that have been in the organization for a very long time require more involved investigation and planning before an eviction event: evicting them before all of their footholds and persistence mechanisms are known simply alerts them and lets them return, so that planning is what makes the eviction succeed and limits the impact on the organization.<\/li>\n<\/ul>\n<p>These lessons have significantly influenced the methodology and toolsets we use in DART as we engage with our customers. In this blog series, we\u2019ll share lessons learned and best practices of organizations and incident responders to help ensure readiness.<\/p>\n<h3>Observe-Orient-Decide-Act (OODA) framework<\/h3>\n<p>Before we can act in any meaningful way, we need to observe attacker activities, so we can orient ourselves and decide what to do. 
Orientation is the most critical step in the Observe-Orient-Decide-Act (OODA) framework developed by <a href=\"https:\/\/en.wikipedia.org\/wiki\/John_Boyd_(military_strategist)\" target=\"_blank\" rel=\"noopener\">John Boyd<\/a> and summarized in this <a href=\"https:\/\/en.wikipedia.org\/wiki\/OODA_loop\" target=\"_blank\" rel=\"noopener\">OODA article<\/a>. Wherever possible, the team will light up several tools in the organization, installing the Microsoft Monitoring Agent (MMA) and trial versions of the Microsoft Threat Protection suite, which includes Microsoft Defender ATP, Azure ATP, Office 365 ATP, and Microsoft Cloud App Security (our cloud access security broker (CASB) solution), as illustrated in Figure 1.\u00a0Why? Because these technologies were developed specifically to form an end-to-end picture across the attacker <a href=\"https:\/\/www.lockheedmartin.com\/en-us\/capabilities\/cyber\/cyber-kill-chain.html\" target=\"_blank\" rel=\"noopener\">cyber kill-chain<\/a> (Lockheed Martin\u2019s framework) and together work swiftly to gather the indicators of anomaly, attack, and compromise needed to block the attacker.<\/p>\n<p>The Microsoft ATP platform of tools is used extensively by the Microsoft corporate IT security operations center (SOC), our Cyber Defence Operations Center (CDOC), whose slogan is \u201c<strong>Minutes Matter<\/strong>.\u201d Using these technologies, the CDOC has dropped its time to remediate incidents from hours to minutes\u2014a game changer we\u2019ve replicated at many of our customers.<\/p>\n<h3>Microsoft Threat Protection<\/h3>\n<p>The Microsoft Threat Protection platform includes Microsoft Defender ATP, Azure ATP, Office 365 ATP, as well as additional services that strengthen security for specific attack vectors, while adding security for attack vectors that would not be covered by the ATP solutions alone.\u00a0Read <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Security-Privacy-and-Compliance\/Announcing-Microsoft-Threat-Protection\/ba-p\/262783\" target=\"_blank\" rel=\"noopener\">Announcing Microsoft Threat Protection<\/a> for more information. In this blog, we focus on the tools that give DART a high return on investment in terms of speed to implement versus visibility gained.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-1.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-90190 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-1.png\" alt=\"Infographic showing maximum detection during attack stages, with Office 365 ATP, Azure AD Identity Protection, and Cloud App Security.\" width=\"800\" height=\"450\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-1.png 800w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-1-300x169.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-1-768x432.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-1-687x385.png 687w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-1-767x431.png 767w, 
https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-1-539x303.png 539w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/a><\/p>\n<p><em>Figure 1. Microsoft Threat Protection and the cyber kill-chain.<\/em><\/p>\n<p>Although the blog series discusses Microsoft technologies preferentially, the intent here is not to replicate data or signals\u2014the team uses what the customer has\u2014but to close gaps where the organization might be missing signal.\u00a0With that in mind, let\u2019s move on to a brief discussion of the tools.<\/p>\n<p><strong>Horizontal tools: Visibility across the cyber kill-chain<\/strong><\/p>\n<p>Horizontal tools include Azure Sentinel and Azure Security Center:<\/p>\n<ul>\n<li><strong>Azure Sentinel<\/strong>\u2014New to DART\u2019s arsenal is <a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-sentinel-general-availability-a-modern-siem-reimagined-in-the-cloud\/\" target=\"_blank\" rel=\"noopener\">Azure Sentinel<\/a>\u2014the first cloud-native SIEM (security information and event management). Over the past few months, DART has deployed Azure Sentinel as a mechanism to combine the different signal sets in what we refer to as SIEM and SOAR as a service. SOAR, which stands for security orchestration, automation, and response, is indispensable in its capability to respond to attacker actions with speed and accuracy. Our intention is not to replicate a customer SIEM but to use the power of the cloud and machine learning to quickly combine alerts across the cyber kill-chain in a fusion model to lessen the time it takes an investigator to understand what the attacker is doing.<\/li>\n<\/ul>\n<p style=\"padding-left: 60px;\">Importantly, machine learning gives DART the ability to aggregate diverse signals, get an end-to-end picture of what is going on quickly, and act on that information. 
In this way, information important to the investigation can be forwarded to the existing SIEM, allowing for efficient and speedy analysis utilizing the power of the cloud.<\/p>\n<ul>\n<li><strong>Azure Security Center<\/strong>\u2014DART also onboards the organization into <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/security-center\/security-center-intro\" target=\"_blank\" rel=\"noopener\">Azure Security Center<\/a>, if not already enabled for the organization. This tool significantly adds to our ability to investigate and pivot across the infrastructure, especially since many organizations don\u2019t yet have Windows 10 deployed throughout, so the sensor built into Windows 10 for Microsoft Defender ATP cannot cover every host; Security Center, fed by the MMA, covers the older Windows and Linux machines. Security Center also does much more with machine learning for next-generation detection and simplifies security management across clouds and platforms (Windows\/Linux).<\/li>\n<\/ul>\n<p style=\"padding-left: 60px;\">DART\u2019s focus for the tool is primarily on the log analytics capabilities that allow us to pivot our investigation and, furthermore, utilize the recommended hardening suggestions during our rapid recovery work. 
We also recommend the implementation of Security Center proactively, as it gives clear security recommendations that an organization can implement to secure their on-premises and cloud infrastructures.\u00a0See <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/security-center\/security-center-faq\" target=\"_blank\" rel=\"noopener\">Azure Security Center FAQs<\/a> for more information.<\/p>\n<p><strong>Vertical tools: Depth visibility in designated areas of the cyber kill-chain<\/strong><\/p>\n<p>Vertical tools include Azure ATP, Office 365 ATP, Microsoft Defender ATP, Cloud App Security, and custom tooling:<\/p>\n<ul>\n<li><strong>Azure ATP<\/strong>\u2014The Verizon Data Breach Investigations Report of 2018 reported that 81 percent of breaches are caused by compromised credentials.\u00a0Every incident that DART has responded to over the last few years has had some component of credential theft; consequently <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure-advanced-threat-protection\/what-is-atp\" target=\"_blank\" rel=\"noopener\">Azure ATP<\/a> is one of the first tools we implement when we get to a site\u2014before, if possible\u2014to get insight into what users and entities are doing in the environment.\u00a0This allows us to utilize built-in detections to determine suspicious behaviour, such as suspicious changes of identity metadata and user privileges.<\/li>\n<li><strong>Office 365 ATP<\/strong>\u2014With approximately 90 percent of all attacks starting with a phishing email, having ways to detect when a phishing email makes it past email perimeter defences is critical. DART investigators always want to know the mechanism by which the attacker first compromised the environment, so that we can be sure to block that vector. 
We use <a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/servicedescriptions\/office-365-advanced-threat-protection-service-description\" target=\"_blank\" rel=\"noopener\">Office 365 ATP<\/a> capabilities\u2014such as security playbooks and investigation graphs\u2014to investigate and remediate attacks faster.<\/li>\n<li><strong>Microsoft Defender ATP<\/strong>\u2014If the organization has Windows 10 devices, we can implement <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/microsoft-defender-advanced-threat-protection\" target=\"_blank\" rel=\"noopener\">Microsoft Defender ATP<\/a> (previously Windows Defender ATP)\u2014a cloud-based solution that leverages a sensor built into Windows 10.\u00a0Otherwise, we\u2019ll utilize MMA to gather information from older versions of Windows and Linux machines and pull that information into our investigation.\u00a0This makes it possible to detect attacker activities, aggregate this information, and prioritize the investigation of detected activity.<\/li>\n<li><strong>Cloud App Security<\/strong>\u2014<a href=\"https:\/\/docs.microsoft.com\/en-us\/cloud-app-security\/what-is-cloud-app-security\" target=\"_blank\" rel=\"noopener\">Cloud App Security<\/a> is a multi-mode cloud access security broker that natively integrates with the other tools DART deploys, giving access to sophisticated analytics to identify and combat cyberthreats across the organization. 
This allows us to detect any malicious activity using cloud resources that the attacker might be undertaking.\u00a0Cloud App Security, combined with Azure ATP, allows us to see if the attacker is exfiltrating data from the organization, and also allows organizations to proactively discover and assess any shadow IT they may be unaware of.<\/li>\n<li><strong>Custom tooling<\/strong>\u2014Bespoke tooling is deployed depending on attacker activities and the software present in the organization.\u00a0Examples include infrastructure health-check tools, which allow us to check for any modification of Microsoft technologies\u2014such as Active Directory, Microsoft\u2019s public key infrastructure (PKI), and Exchange health (where Office 365 is not in use)\u2014as well as tools designed to detect the use of specific specialist attack vectors and persistence mechanisms. Where machines are in frame for a deeper investigation, we normally utilize a tool that runs against a live machine to acquire more information about that machine (volatile state such as running processes, network connections, and memory, which is lost if the machine is powered off first), or even run a full disk acquisition forensic tool, depending on legal requirements.<\/li>\n<\/ul>\n<p>Together, the vertical tools give us an unparalleled view into what is happening in the organization. 
These signals can be collated and aggregated into both Security Center and Azure Sentinel, where we can pull other data sources as available to the organization\u2019s SOC.<\/p>\n<p>Figure 2 represents how we correlate the signal and utilize machine learning to quickly identify compromised entities inside the organization.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-2.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-90191 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-2.png\" alt=\"Infographic showing combined signals: Identity, Cloud Apps, Data, and Devices.\" width=\"940\" height=\"417\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-2.png 940w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-2-300x133.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/11\/Changing-security-incident-response-by-utilizing-the-power-of-the-cloud-2-768x341.png 768w\" sizes=\"auto, (max-width: 940px) 100vw, 940px\" \/><\/a><\/p>\n<p><em>Figure 2. Combining signals to identify compromised users and devices.<\/em><\/p>\n<p>This gives us a very swift way to bubble up anomalous activity and allows us to rapidly orient ourselves against attacker activity. 
In many cases, we can then use automated playbooks to block attacker activity once we understand the attacker\u2019s tools, techniques, and procedures; but that will be the subject of another post.<\/p>\n<h3>Next up\u2014how Azure Sentinel helps DART<\/h3>\n<p>Today, in Part 1 of our blog series, we introduced the suite of tools used by DART and the Microsoft CDOC to rapidly detect attacker activity and actions\u2014because in the case of cyber incident investigations, <strong>minutes matter<\/strong>. In our next blog we&#8217;ll drill down into Azure Sentinel capabilities to highlight how it helps DART; stay posted!<\/p>\n<p>Bookmark the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noopener\">Security blog<\/a> to keep up with our expert coverage on security matters. 
Also, follow us at <a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener\">@MSFTSecurity<\/a> for the latest news and updates on cybersecurity.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/11\/14\/security-incident-response-utilizing-cloud-dart-tools-techniques-procedures-part-1\/\">Changing security incident response by utilizing the power of the cloud\u2014DART tools, techniques, and procedures: part 1<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft Security<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Todd VanderArk| Date: Thu, 14 Nov 2019 17:00:56 +0000<\/strong><\/p>\n<p>A series on DART\u2019s tools, techniques, and procedures for investigating cybersecurity incidents at their customer organizations. 
Part 1 introduces the team and gives a brief overview of the tools that DART utilizes.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[21500,21494,22452,21484,23445],"class_list":["post-16888","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-azure-security","tag-microsoft-cloud-app-security","tag-microsoft-defender-advanced-threat-protection","tag-microsoft-defender-atp","tag-microsoft-detection-and-response-team-dart"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16888"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16888\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16888"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}