- Up next, I'm joined once again by Microsoft Security CVP Rob Lefferts, to take a look at the latest integrated defenses and tools to respond in the context of a real attack. Now we're going to show you how Microsoft's cloud-based SIEM, Azure Sentinel, along with our XDR technologies, including Microsoft 365 Defender, provide an automated approach to threat detection and response. So, Rob, it's always a great pleasure to have you on the show, but I fear that means that things are just getting worse.

- I know, I feel like every time I show up, it's always getting worse, but that's just the way the threat landscape works. You can never rest on your laurels. In all seriousness, compared to my previous times on the show, things have reached a new level of urgency, whether that's human-operated ransomware or sophisticated command and control attacks. And the techniques getting used are getting harder and harder to detect, like the recent supply chain attacks that embed malware in the apps that you trust as they are being compiled and packaged. We've also seen malware come through IoT devices that you would never expect, like using a smart thermometer in a fish tank to gain access to corporate resources.

- Right, but you and the team are always working on the latest technologies to be able to keep up and respond to these types of threats. So surely you're going to tell me there's hope.

- We are working hard, but you know, there's more than just hope. That's not a strategy. We can still stop these types of attacks with the right measures and preparation. First, to protect your users wherever they are, as well as the day-to-day operations of your organization as a whole, you want to have the right defense layers in place from your identities, endpoints and apps, network, infrastructure, and ultimately your data to be able to resist attacks in the first place, which is where the Zero Trust security model comes in. Second, it's important to increase your organization's ability to detect and respond before an attack does any damage. And third, if the damage has already started, then it's all about containing the blast radius and reversing any damage that has already been done and reversing it quickly. On these last two points, this is where you need the visibility and depth of insight across your organization. Which is where our integrated SIEM with Azure Sentinel and Microsoft 365 Defender and Azure Defender for XDR come into play to apply Microsoft's unique volume and diversity of threat intelligence for early warning and response.

- And the nice thing about this unified detection response approach is that you're using a minimum number of tools to stop a bad situation from getting worse.

- That's right. You really don't want anything slowing you down, every second counts. So we give you best-in-class and integrated tools and collect their signals to connect the dots across the attack chain so that you don't have to. For example, Microsoft 365 Defender, as I'll show you today, provides an aggregate view of an attack. And it's fed by best-in-class solutions for identity, endpoints, Office 365 user data, and your apps to give you cross-domain visibility, as well as coordinated and automated protection.

- Okay, but I really want to make this real and show this all in the context of a proper attack.

- Yeah, my favorite part. So I'm going to show you a data exfiltration attack based on real techniques that we've seen deployed in the wild. It's a hybrid attack and compromise that starts on-premises and uses sophisticated methods to move to cloud-based resources. And so we want comprehensive visibility into the entire scope of the attack across the entire estate to contain and ultimately stop it. The attack starts as an email-based campaign. The email contains a link that when clicked starts to download weaponized documents. It's the oldest story in the world. And it just takes one person in the domain to get duped for the whole sequence to begin. From there, an open source app, Mimikatz, is used to find and extract domain admin credentials from the compromised endpoint. And that's when things get seriously bad. Then the hybrid part begins. Those admin creds are used to obtain the ADFS admin credentials in order to gain access to Active Directory Federation Services, which by the way, maintains the trust link between on-premises resources and cloud-based resources via Azure Active Directory. And then it gets worse. They export the ADFS token-signing certificate in order to create a forged SAML token, which gives them their first footing into the cloud. And once they have access with that token, they request and gain access to services in the cloud. They can add their own new credentials to a privileged OAuth app in the cloud. And now they have access to high-privileged user mailboxes hosted on Office 365. And through the Graph API, they can extract and exfiltrate data. And really, for anyone who has been reading the news, this might sound familiar. You'll recognize that this is exactly the attack pattern that was followed in the Nobelium exploit last winter.

- Okay, so where would you even begin to start to mitigate and kind of respond to this type of attack?

- So to get a full end-to-end picture of the attack, we're going to start in Azure Sentinel. This gives us the largest breadth of signal across third-party and Microsoft signals. So here I'm logged into our tenant, and you can collect signals from Microsoft and non-Microsoft apps and services via more than 100 pre-built connectors. So now let me filter by the ones we're connected to. You'll see, there are a few dozen including Azure Defender, Azure Defender for IoT, and if we scroll down, we're also connected to Fortinet for our firewall and Microsoft 365 Defender, which is important to our tagged scenario. Now on the Incidents page, I see 27 new incidents. These comprise alerts, assets, and evidence to investigate. I'm interested in the high priority red ones. The first is from Fortinet that shows a data transfer to an IP address. This could have been the ADFS creds or token-signing cert, and I can even see that Microsoft 365 Defender raised the incident with the most alerts, also 27. So let's investigate this a bit further, and you'll see the info from our alert from Fortinet data. We can also see that through an automation playbook, Sentinel has already enriched this incident with RiskIQ data for the IP address found. RiskIQ is a cybersecurity threat intelligence service. And we can see that it's provided the DNS and domain details to help with our investigation. This type of automated enrichment is a unique capability for Sentinel. So now I'll click into Actions, Investigate. And that brings me to our investigation graph. From here, I can take a closer look at the entities involved and how they connect to other incidents. I'll zoom into a machine in our environment, the ADFS server, and it transferred data to this IP address, which was captured by Fortinet and triggered the alert. There are also a bunch of other alerts related to this machine from Microsoft 365 Defender. So let's click into this one for the ADFS private key extraction attempt. If I go to our malicious IP, we can also see that pgustavo has recently signed in from here. And another alert from the Microsoft 365 Defender called Unusual addition of credentials to an OAuth app. So this is our compromised account logging in from attacker infrastructure, adding new credentials that I talked about before. So now I can look at the Entity Insights page for the user pgustavo. Using normal behavioral patterns for this user, something we call user and entity behavioral analytics, or UEBA, you can see that Sentinel detected that a number of actions were really out of character, such as the location they logged in from, and it looks like they've also accessed resources that they shouldn't have normally done. So those are flagged as anomalies for this account. Now let's hop back to the Incidents page, and because this is a pretty nasty incident I'll need to add a few more people to help investigate and address it. So again, from Actions, I can create a team for this incident and assign the SOC channel group to it. So now Jeremy, you and I can start to collaborate on how we solve this problem.

- All right, so if we switch over to my machine, we can see that there's some super useful information as a member of the team. In fact, we can see contributions already flowing into the team's channel, and I can see a hunting query that's posted to look for processes calling out to our malicious IP address, all in Defender data.

- Great. Let's go hunting. So I'll open up a Hunting page. And in here you can see a ton of out-of-the-box hunting queries across different data sources. Now let's use search to find the one our colleague created and run it and view the results. And here I can see my ADFS server called out to this IP address with some suspicious-looking PowerShell. And this third one was running in the context of our ADFS administrator.

- So there's really a breadth of information then about this attack that's in Sentinel, but how do we get more depth on the attack and actually stop it from spreading?

- Yeah, there's more you can do in Microsoft 365 Defender, especially given the nature of this attack. The good news is that Sentinel links you directly to it. So back in the Incidents page, I'll select the multi-stage incident with 27 correlated alerts. Those will provide a link directly to the same incident in Microsoft 365 Defender. So now I'm in Microsoft 365 Defender. This is the unified portal that we've been building for all Microsoft 365 security experiences. And we can see Defender capabilities for Endpoints, as well as email and collaboration, and it's been integrated with signal from identity and cloud app security. The Incident Overview page we're looking at here shows us the most important data points about this incident. We can see the scope of the attack with impacted devices, users, and mailboxes. And if I scroll down, I can see a detailed attack timeline. So here we're just showing the one linked incident, but to get a broader perspective, I can hop up a level to see all active incidents. We automatically correlate related incidents, and the system does a lot of the manual work for you. It helps you prioritize incidents at a glance with information like incident severity or category, impacted entities, including devices, users, and mailboxes, and any tags assigned by the security team to help give more context.

- Okay, so if you're one of our SOC analysts that are watching, this makes it a lot easier to sift through the noise and really find out what's important.

- Yeah, it's back to those seconds and minutes matter. It saves a bunch of time and manual effort. So now let's go back to our incident and look at the alerts. Here's everything we've observed for this attack, all nicely correlated together. There's our malicious email that started it all with Phish detections, followed by multiple alerts for endpoint activities on compromised devices. There's our process injection to run Mimikatz, and then the sensitive credential read for our domain admin account and domain controller sync attack. I can see the ADFS compromise and the unusual addition of OAuth app credentials, and finally anomalous email access. So let's click into this alert with the threat experts tag, and you'll see that our Microsoft security experts have already identified this incident as critical and provided the SOC more context about the attack. So we can see that it's linked to the Nobelium attack. There's a timeline of observed events, recommendations with details for how to respond to it, top indicators of compromise, along with advanced hunting queries to find out more. At the top, I can see the initially compromised device, workstation6, and our affected user, our Vice President Lucho Rodriguez, along with the full execution sequence. Now let's drill into this one from PowerShell, and I can see it's downloading and executing a script from the web. And let's look at the PowerShell script itself. You'll see it's obfuscated and totally unreadable. So not even Jeffrey Snover would be able to tell what's going on here. Luckily, through our AMSI integration, we can view the de-obfuscated syntax for this, and actually see the script that got executed and see it calling and executing Mimikatz in memory.

- So Rob, I don't think you're giving Jeffrey enough credit here in terms of that script, but now we've got Mimikatz running and the attacker is then able to access more credentials and all this is bad.

- They can. So now let's see how far they got. Back in the incident, I can see the ADFS private key extraction alert from one of our servers. So it's important to not only protect your user devices with Defender for Endpoint, but many times the servers are the crown jewels of your organization. In fact, let's drill into our ADFS server. Remember, this is the key piece of infrastructure that links our on-prem environment to the cloud. So we'll see a unified view of device details along with user logon information from the last 30 days, and a detailed timeline of recent activities, including a couple of suspicious events. The nice thing here is that the SOC analyst can take actions directly from here, like isolating the device until investigation and remediation completes.

- Right, and we had some compromised user accounts. So what about those?

- We can take care of that too. Let's go back to our incident. I'll go to the Users tab with everyone impacted by this attack. You can see they went straight to the top of the organization and targeted our executives, including our VP and CIO. You'll also see the ADFS admin accounts, and I can click into its details and take action here too, like suspending the account or confirming the user was compromised, which is a flag for Azure AD conditional access to block authorization. And like we saw on Azure Sentinel, from here I can also go hunt for similar activities just in case this isn't an isolated incident. It's the same KQL query language like I showed before in Azure Sentinel. And there are a bunch of great samples to get started. So it's the same backend and view in the cloud. And as you'll see in this case, I can run the same exact hunting query we ran earlier in Sentinel. And I've saved it to my queries. I'll go ahead and open it. And if I run it for the last 30 days, you'll see identical results to what we saw in Azure Sentinel. It's really two different views on the same brain in the cloud. Finally, as our SOC analysts execute recommended actions, their actions and anything automated by the system can be monitored in the Action Center, so you can track how we're doing on remediating this attack.

- All right, so now we've gone through the investigation and we've taken some remediation steps, but what's next?

- So once we're done investigating and remediating this incident, we can zoom out and look at the organizational level. Here in threat analytics, new reports are published into the portal whenever a new threat or campaign emerges. Let's search for this particular Nobelium attack. And I get a nice overview of what's going on, like whether I have any active alerts for it in my organization along with impacted assets. In the analyst report, there are even more details, including the anatomy of the attack, motivations of the attack group, a great visualization showing the sequence of events with even more drilled-down content as you read through the report. And this level of insight will help you to build the resilience and muscle to respond to future attacks. It's really that connection from the Microsoft security research team into your security team.

- Got it, but before we close though, we saw that this particular attack actually started out at the endpoint. So what happens then if users are on unmanaged devices that we can't see because they aren't logging information up to Microsoft 365 Defender?

- You're right, not all devices might be known or are already directly under your management and control. And so to address this, we've created a new mechanism to do device discovery across platforms. You start in Device Inventory in Microsoft Defender for Endpoint, which is where you can find out the onboarding and health status of the devices in your environment. We support a wide range of devices, including various versions of Windows, as well as Linux, macOS, and even iOS and Android operating systems. This has been part of our Microsoft journey to make sure that we protect all the things that you care about. Additionally, Device Discovery then lets your managed devices detect the network around them and discover unmanaged devices, so you have a full view of any onboarding gaps and can classify even a variety of enterprise IoT devices, like we see here with this unexpected Raspberry Pi device. And this can extend to printers, smart TVs, and even fish tank thermometers, as long as they are connected to the corporate network. Of course, great IoT protection works with Azure Defender for IoT. And we'll talk about that more in upcoming months.

- Thanks so much, Rob. And, of course, all of this really shows the advantage of using the cloud to make sure that you have the latest defenses and threat analytics in place.

- Look, attackers are constantly upping their game and we need to as well. It takes all of us working together and all of us pushing much, much harder to protect our customers, employees, and data.

- Right, and as we've all seen, especially in the last 18 months, things have been particularly bad, but where can people go to learn more?

- Well, to learn more about our integrated SIEM and XDR solution with Azure Sentinel and Microsoft's Defender solutions, check out aka.ms/XDR. Try out SimuLand, which is an open source initiative from Microsoft, where we deploy a lab environment that reproduces the techniques used in real attack scenarios, like the one you saw today, and shows you how our solutions help you detect and respond to them. And, of course, keep implementing a Zero Trust security model. This is going to give you the best starting point to reduce your attack surface, take a proactive approach to your organization and start you on the journey for making sure your whole environment is becoming more and more secure.

- And speaking of Zero Trust, you know, we just completed a whole series on implementing the Zero Trust security model that you can watch right now at aka.ms/ZeroTrustMechanics.

- I watched every second of them and they were great.

- Glad to hear it. So also keep following Microsoft Mechanics for the latest tech updates. Subscribe to our channel if you haven't yet, and thanks so much for watching.