Automate threat detection and response with Azure Sentinel and Microsoft 365 Defender.

Microsoft’s cloud-based SIM, Azure Sentinel, along with our XDR technologies, including Microsoft 365 Defender, provide an automated approach to threat detection and response.

Rob Lefferts, Microsoft Security CVP, joins Jeremy Chapman to show you the latest integrative defenses and tools to respond quickly in the context of a real attack.

Automated threat detection and response with Azure Sentinel and Microsoft 365 Defender

The threat landscape has reached a new level of urgency, whether it’s human operated ransomware, or sophisticated command and control attacks, and the techniques being used are getting harder to detect — like supply chain attacks that embed malware in the apps and IoT devices that you trust. Stop these types of attacks with the right measures and preparation.

Put the right defense layers in place with the Zero Trust security model. Increase your organization’s ability to detect and respond before an attack does any damage. If the damage has already started, contain the blast radius and quickly reverse any damage that has already been done.

Our integrated SIM with Azure Sentinel and Microsoft 365 Defender and Azure Defender for XDR apply Microsoft’s unique volume and diversity of threat intelligence for early warning and response to give you visibility and depth of insight across your organization.

QUICK LINKS:

00:00 — Introduction

01:07 — Preparation to stop attacks

03:02 — Demo of hybrid attack

04:56 — Where to start: Azure Sentinel

08:53 — Stop the spread: Microsoft 365 Defender

10:27 — Alerts

13:10 — Compromised user accounts

15:21 — Users on unmanaged devices

16:59 — Wrap up

Link References:

Learn more about our integrated SIM and XDR solution with Azure Sentinel and Microsoft’s Defender solutions at https://aka.ms/XDR

Watch our series on implementing the Zero Trust security model at https://aka.ms/ZeroTrustMechanics

Unfamiliar with Microsoft Mechanics?

We are Microsoft’s official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at #Microsoft.

Keep getting this insider knowledge, join us on social:

Video Transcript

- Up next, I’m joined once again by Microsoft Security CVP Rob Lefferts, to take a look at the latest integrated defenses and tools to respond in the context of a real attack. Now we’re going to show you how Microsoft’s cloud-based SIM, Azure Sentinel, along with our XDR technologies, including Microsoft 365 Defender, provide an automated approach to threat detection and response. So, Rob, it’s always a great pleasure to have you on the show, but I fear that means that things are just getting worse.

- I know, I feel like every time I show up, it’s always getting worse, but that’s just the way the threat landscape works. You can never rest on your laurels. In all seriousness, compared to my previous times on the show, things have reached a new level of urgency, whether that’s human-operated ransomware or sophisticated command and control attacks. And the techniques getting used are getting harder and harder to detect, like the recent supply chain attacks that embed malware in the apps that you trust as they are being compiled and packaged. We’ve also seen malware come through IoT devices that you would never expect, like using a smart thermometer in a fish tank to gain access to corporate resources.

- Right, but you and the team are always working on the latest technologies to be able to keep up and respond to these types of threats. So surely you’re going to tell me there’s hope.

- We are working hard, but you know, there’s more than just hope. That’s not a strategy. We can still stop these types of attacks with the right measures and preparation. First, to protect your users wherever they are, as well as the day-to-day operations of your organization as a whole, you want to have the right defense layers in place from your identities, endpoints and apps, network, infrastructure, and ultimately your data to be able to resist attacks in the first place, which is where the Zero Trust security model comes in. Second, it’s important to increase your organization’s ability to detect and respond before an attack does any damage. And third, if the damage has already started, then it’s all about containing the blast radius and reversing any damage that has already been done and reversing it quickly. On these last two points, this is where you need the visibility and depth of insight across your organization. Which is where our integrated SIM with Azure Sentinel and Microsoft 365 Defender and Azure Defender for XDR come into play to apply Microsoft’s unique volume and diversity of threat intelligence for early warning and response.

- And the nice thing about this unified detection response approach is that you’re using a minimum number of tools to stop a bad situation from getting worse.

- That’s right. You really don’t want anything slowing you down, every second counts. So we give you best-in-class and integrated tools and collect their signals to connect the dots across the attack chain so that you don’t have to. For example, Microsoft 365 Defender, as I’ll show you today, provides an aggregate view of an attack. And it’s fed by best-in-class solutions for identity, endpoints, Office 365 user data, and your apps to give you cross-domain visibility, as well as coordinated and automated protection.

- Okay, but I really want to make this real and show this all in the context of a proper attack.

- Yeah, my favorite part. So I’m going to show you a data exfiltration attack based on real techniques that we’ve seen deployed in the wild. It’s a hybrid attack and compromise that starts on-premises and uses sophisticated methods to move to cloud-based resources. And so we want comprehensive visibility into the entire scope of the attack across the entire estate to contain and ultimately stop it. The attack starts as an email-based campaign. The email contains a link that when clicked starts to download weaponized documents. It’s the oldest story in the world. And it just takes one person in the domain to get duped for the whole sequence to begin. From there, an open source app, Mimikatz, is used to find and extract domain admin credentials from the compromised endpoint. And that’s when things get seriously bad. Then the hybrid part begins. Those admin creds are used to obtain the ADFS admin credentials in order to gain access to Active Directory Federation Services, which by the way, maintains the trust link between on-premises resources and cloud-based resources via Azure Active Directory. And then it gets worse. They export the ADFS token sign-in certificate in order to create a forged SAML token, which gives them their first footing into the cloud. And once they have access with that token, they request and gain access to services in the cloud. They can add their own new credentials to a privileged OAuth app in the cloud. And now they have access to high-privileged user mailboxes hosted on Office 365. And through the graph API, they can extract and exfiltrate data. And really, for anyone who has been reading the news, this might sound familiar. You’ll recognize that this is exactly the attack pattern that was followed in the Nobelium exploit last winter.

- Okay, so where would you even begin to start to mitigate and kind of respond to this type of attack?

- So to get a full end-to-end picture of the attack, we’re going to start in Azure Sentinel. This gives us the largest breadth of signal across third-party and Microsoft signals. So here I’m logged into our tenant, and you can collect signals from Microsoft and non-Microsoft apps and services via more than 100 pre-built connectors. So now let me filter by the ones we’re connected to. You’ll see, there are a few dozen including Azure Defender, Azure Defender for IoT, and if we scroll down, we’re also connected to Fortinet for our firewall and Microsoft 365 Defender, which is important to our tagged scenario. Now on the Incidents page, I see 27 new incidents. These comprise alerts, assets, and evidence to investigate. I’m interested in the high priority red ones. The first is from Fortinet that shows a data transfer to an IP address. This could have been the ADFS creds or token sign-in cert, and I can even see that Microsoft 365 Defender raised the incident with the most alerts, also 27. So let’s investigate this a bit further, and you’ll see the info from our alert from Fortinet data. We can also see that through an automation playbook, Sentinel has already enriched this incident with RiskIQ data for the IP address found. RiskIQ is a cybersecurity threat intelligence service. And we can see that it’s provided the DNS and domain details to help with our investigation. This type of automated enrichment is a unique capability for Sentinel. So now I’ll click into Actions, Investigate. And that brings me to our investigation graph. From here, I can take a closer look at the entities involved and how they connect to other incidents. I’ll zoom into a machine in our environment, the ADFS server, and it transferred data to this IP address, which was captured by Fortinet and triggered the alert. There are also a bunch of other alerts related to this machine from Microsoft 365 Defender. So let’s click into this one for the ADFS private key extraction attempt. If I go to our malicious IP, we can also see that pgustavo has recently signed in from here. And another alert from the Microsoft 365 Defender called Unusual addition of credentials to an OAuth app. So this is our compromised account logging in from attacker infrastructure, adding new credentials that I talked about before. So now I can look at the Entity Insights page for the user pgustavo. Using normal behavioral patterns for this user, something we call user and entity behavioral analytics, or UEBA, you can see that Sentinel detected that a number of actions were really out of character, such as the location they logged in from, and it looks like they’ve also accessed resources that they shouldn’t have normally done. So those are flagged as anomalies for this account. Now let’s hop back to the Incidents page, and because this is a pretty nasty incident I’ll need to add a few more people to help investigate and address it. So again, from Actions, I can create a team, and for this incident, and assign it to the SOC channel group to it. So now Jeremy, you and I can start to collaborate on how we solve this problem.

- All right, so if we switch over to my machine, we can see that there’s some super useful information as a member of the team. In fact, we can see contributions already flowing in to the team’s channel, and I can see a hunting query that’s posted to look for processes calling out to our malicious IP address, all in Defender data.

- Great. Let’s go hunting. So I’ll open up a Hunting page. And in here you can see a ton of out-of-the-box hunting queries across different data sources. Now let’s use search to find the one our colleague created and run it and view the results. And here I can see my ADFS server called out to this IP address with some suspicious looking PowerShell. And this third one was running in the context of our ADFS administrator.

- So there’s really a breadth of information then about this attack that’s in Sentinel, but how do we get more depth on the attack and actually stop it from spreading?

- Yeah, there’s more you can do in Microsoft 365 Defender, especially given the nature of this attack. The good news is that Sentinel links you directly to it. So back in the Incidents page, I’ll select the multi-stage incident with 27 correlated alerts. Those will provide a link directly to the same incident in Microsoft 365 Defender. So now I’m in Microsoft 365 Defender. This is the unified portal that we’ve been building for all Microsoft 365 security experiences. And we can see Defender capabilities for Endpoints, as well as email and collaboration, and it’s been integrated with signal from identity and cloud app security. The Incident Overview page we’re looking at here shows us the most important data points about this incident. We can see the scope of the attack with impacted devices, users, and mailboxes. And if I scroll down, I can see a detailed attack timeline. So here we’re just showing the one linked incident, but to get a broader perspective, I can hop up a level to see all active incidents. We automatically correlate related incidents, and the system does a lot of the manual work for you. It helps you prioritize incidents at a glance with information like incident severity or category, impacted entities, including devices, users, and mailboxes, and any tags assigned by the security team to help give more context.

- Okay, so if you’re one of our SOC analysts that are watching, this makes it a lot easier than to sift through the noise and really find out what’s important.

- Yeah, it’s back to those seconds and minutes matter. It saves a bunch of time and manual effort. So now let’s go back to our incident and look at the alerts. Here’s everything we’ve observed for this attack, all nicely correlated together. There’s our malicious email that started it all with Phish detections, followed by multiple alerts for endpoint activities on compromised devices. There’s our process injection to run Mimikatz, and then the sensitive credential read for our domain admin account and domain controller sync attack. I can see the ADFS compromise and the unusual addition of OAuth app credentials, and finally anomalous email access. So let’s click into this alert with the threat experts tag, and you’ll see that our Microsoft security experts have already identified this incident as critical and provided the SOC more context about the attack. So we can see that it’s linked to the Nobelium attack. There’s a timeline of observed events, recommendations with details for how to respond to it, top indicators of compromise, along with advanced hunting queries to find out more. At the top, I can see the initially compromised device, workstation6, and our effected user, our Vice President Lucho Rodriguez, along with the full execution sequence. Now let’s drill into this one from PowerShell, and I can see it’s downloading and executing a script from the web. And let’s look at the PowerShell script itself. You’ll see it’s obfuscated and totally unreadable. So not even Jeffrey Snover would be able to tell what’s going on here. Luckily, through our AMSI integration, we can view the de-obfuscated syntax for this, and actually see the script that got executed and see it calling and executing Mimikatz in memory.

- So Rob, I don’t think you’re giving Jeffrey enough credit here in terms of that script, but now we’ve got Mimikatz running and the attacker is then able to access more credentials and all this is bad.

- They can. So now let’s see how far they got. Back in the incident, I can see the ADFS private key extraction alert from one of our servers. So it’s important to not only protect your user devices with Defender for Endpoint, but many times the servers are the crown jewels of your organization. In fact, let’s drill into our ADFS server. Remember, this is the key piece of infrastructure that links our on-prem environment to the cloud. So we’ll see a unified view of device details along with user log on information from the last 30 days, and a detailed timeline of recent activities, including a couple of suspicious events. The nice thing here is that the SOC analyst can take actions directly from here, like isolating the device until investigation and remediation completes.

- Right, and we had some compromised user accounts. So what about those?

- We can take care of that too. Let’s go back to our incident. I’ll go to the Users tab with everyone impacted by this attack. You can see they went straight to the top of the organization and targeted our executives, including our VP and CIO. You’ll also see the ADFS admin accounts, and I can click into its details and take action here too, like suspending the account or confirming the user was compromised, which is a flag for Azure AD conditional access to block authorization. And like we saw on Azure Sentinel, from here I can also go hunt for similar activities just in case this isn’t an isolated incident. It’s the same KQL query language like I showed before in Azure Sentinel. And there are a bunch of great samples to get started. So it’s the same backend and view in the cloud. And as you’ll see in this case, I can run the same exact hunting query we ran earlier in Sentinel. And I’ve saved it to my queries. I’ll go ahead and open it. And if I run it for the last 30 days, you’ll see identical results to what we saw in Azure Sentinel. It’s really two different views on the same brain in the cloud. Finally, as our SOC analysts execute recommended actions, their actions and anything automated by the system can be monitored in the Action Center, so you can track how we’re doing on remediating this attack.

- Alright, so now we’ve gone through the investigation and we’ve taken some remediation steps, but what’s next?

- So once we’re done investigating and remediating this incident, we can zoom out and look at the organizational level. Here in threat analytics, new reports are published into the portal whenever a new threat or campaign emerges. Let’s search for this particular Nobelium attack. And I get a nice overview of what’s going on, like whether I have any active alerts for it in my organization along with impacted assets. In the analyst report, there’s even more details, including the anatomy of the attack, motivations of the attack group, a great visualization showing the sequence of events with even more drilled down content as you read through the report. And this level of insight will help you to build the resilience and muscle to respond to future attacks. It’s really that connection from the Microsoft security research team into your security team.

- Got it, but before we close though, we saw that this particular attack actually started out at the endpoint. So what happens then if users are on unmanaged devices that we can’t see because they aren’t logging up information to Microsoft 365 Defender?

- You’re right, not all devices might be known or are already directly under your management and control. And so to address this, we’ve created a new mechanism to do device discovery across platforms. You start in Device Inventory in Microsoft Defender for Endpoint, which is where you can find out the onboarding and health status of the devices in your environment. We support a wide range of devices, including various versions of Windows, as well as Linux, macOS, and even iOS and Android operating systems. This has been part of our Microsoft journey to make sure that we protect all the things that you care about. Additionally, Device Discovery then lets your managed devices detect the network around them and discover unmanaged devices, so you have a full view of any onboarding gaps and can classify even a variety of enterprise IoT devices, like we see here with this unexpected Raspberry Pi device. And this can extend to printers, smart TVs, and even fish tank thermometers, as long as they are connected to the corporate network. Of course, great IoT protection works with Azure Defender for IoT. And we’ll talk about that more in upcoming months.

- Thanks so much, Rob. And, of course, all of this really shows the advantage of using the cloud to make sure that you have the latest defenses and threat analytics in place.

- Look, attackers are constantly upping their game and we need to as well. It takes all of us working together and all of us pushing much, much harder to protect our customers, employees, and data.

- Right, and as we’ve all seen, especially in the last 18 months, things have been particularly bad, but where can people go to learn more?

- Well to learn more about our integrated SIM and XDR solution with Azure Sentinel and Microsoft’s Defender solutions, check out aka.ms/XDR. Try out SimuLand, which is an open source initiative from Microsoft, where we deploy a lab environment that reproduces the techniques used in real attack scenarios, like the one you saw today, and shows you how our solutions help you detect and respond to them. And, of course, keep implementing a Zero Trust security model. This is going to give you the best starting point to reduce your attack surface, take a proactive approach to your organization and start you on the journey for making sure your whole environment is becoming more and more secure.

- And speaking of Zero Trust, you know, we just completed a whole series of implementing the Zero Trust security model that you can watch right now at aka.ms/ZeroTrustMechanics.

- I watched every second of them and they were great.

- Glad to hear it. So also keep following Microsoft Mechanics for the latest tech updates. Subscribe to our channel if you haven’t yet, and thanks so much for watching.