Multi-cloud Cyberattack Response | How Microsoft's SIEM & XDR work together
Published Mar 29 2023 09:29 AM

Investigate and contain sophisticated attacks in real time using updates to Microsoft’s integrated XDR solutions. Get an inside look at a multi-stage, multi-cloud incident inspired by real tactics, techniques, and procedures in Microsoft Sentinel, and visibility into the attack sequence and timeline of alerts with Microsoft 365 Defender. Use Threat Intelligence to investigate and stop threat actors in their tracks with real-time attack disruption, and automate mitigations to contain the damage.

 

(Image: Multi-cloud main.png)

Microsoft cybersecurity expert and CVP Rob Lefferts joins Jeremy Chapman to share how to navigate fast-moving cyberattacks that can span clouds and infrastructure.

 

Gain visibility and depth into an attack sequence.

(Image: 1- timeline.png)

See a timeline of alerts from Microsoft 365 Defender. Watch this demo and get started.

 

Find state-sponsored attacks in real time and contain them.

(Image: 2- multi-stage.png)

Watch how to deconstruct a multi-stage, multi-cloud incident with Microsoft Sentinel and Microsoft 3...

 

Investigate and stop threat actors with real-time threat disruption. 

(Image: 3- threat disruption.png)

See how Microsoft 365 Defender automatically disrupts attacks, like ransomware, in real time.

 

Watch our video.


QUICK LINKS: 

00:00 — Introduction 

00:59 — Streamline workflow across security teams 

02:25 — Demo: See a sophisticated attack in action 

04:24 — How to prioritize where to start 

07:14 — Investigate an attack 

10:35 — Microsoft Defender 

13:36 — Wrap up

 

Link References: 

Watch our show on Microsoft Defender Threat Intelligence at https://aka.ms/TiMechanics 

Watch our Secure Event on demand at https://aka.ms/mssecureevent

 

Unfamiliar with Microsoft Mechanics? 

Microsoft Mechanics is Microsoft’s official video series for IT. Watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

 



Video Transcript:

- Up next, with quick detection and response key to navigating today’s fast-moving cyberattacks, which can span across clouds and infrastructure, we’re going to look at updates to Microsoft’s integrated XDR solutions to discover and contain even the most sophisticated state-sponsored attacks in real time. From deconstructing a multi-stage and multi-cloud incident inspired by real tactics, techniques, and procedures in Microsoft Sentinel, to visibility and depth into the attack sequence and timeline of alerts with Microsoft 365 Defender, to using Threat Intelligence to investigate threat actors and stop them in their tracks with real-time attack disruption, and automating mitigations to contain and roll back the damage. And joining me once again is Microsoft Cybersecurity Expert and CVP, Rob Lefferts. Welcome back.

 

- It’s great to be back. Thank you for having me.

 

- And it’s always really good to have you on because you and your team get to examine firsthand what attacks are evolving, and in turn, you’re always strategizing against kind of the next level of detections and mitigation. So what’s the focus then on the current round of updates?

 

- In many ways, it’s where it’s always been: streamlining the workflow of security teams, working across security teams to address the velocity of the attacks that we see today, where attackers like to jump between your on-prem and cloud resources. The less visibility and control that you have over your app or your data across services and your data center or other clouds, the faster the attack can spread. It gives attackers more places to evade detection by finding blind spots in your protection, like over-permissioned workload identities, which provide more covert places to hide. And this is where we are constantly changing things up as we see new tactics in play. Our threat detection and response works across your multi-cloud, multi-SaaS, and hybrid architectures using our integrated SIEM plus XDR stack. This is combined with the strength Microsoft has in identity protection, which not only spans your users and devices, but your SaaS workloads and connected apps. We’ve expanded our signal beyond the trillions of signals we get from Microsoft services to detect active threats, to include signal from across the internet. And this is in addition to the work of the thousands of Microsoft security experts that we have globally who share threat intelligence through live raw data and in-depth published reports.

 

- All right, and just to be clear, this is a new level of intelligence really above and beyond what we had before and that’s also true compared to the rest of the industry. So why don’t you show us what all of this looks like in action?

 

- Yeah, let’s get going. Let’s take a look. I’m going to show you an example of a sophisticated attack inspired by the real tactics and procedures that we are seeing today, where there are multiple concurrent attack vectors and the attack is state-sponsored. Now, fun fact: in order for this attack to actually work, we had to disable quite a few protections across Microsoft 365 Defender, Microsoft Sentinel, and Microsoft Purview.

 

- And I can see how that could be a deterrent in and of itself in terms of being able to demo something like this.

 

- Yeah, well, that’s a great problem to have, that it’s such good protection it’s hard to demo. But let me start by explaining the attack, and then we’ll replay it in Microsoft Sentinel and Microsoft 365 Defender. It starts like so many attacks do, with an email phishing campaign. Using insider knowledge, they’ve stopped going after end-user credentials, but instead convince a user to consent to cloud app-level permissions. People see these forms and approve them all day long. And from there, the attacker can send internal emails with a valid sender address to gain trust and send a weaponized email with a macro-enabled document to establish a backdoor. And now, equipped with both workload identity permissions and stolen user credentials, the attacker can broaden the phishing campaign to third-party services. This lets their foothold extend from internal users to managed infrastructure, and then even to connected multi-cloud SaaS services. I’m not going to give all the details away yet, but we’ll see this during the investigation. And trust me, these attackers have run totally amok. And once it starts, it happens so fast. You need to respond quickly and get full visibility into the sequence of the attack and who these attackers are, and then do everything in your power to evict them, contain the data loss, clean up their mess, and absolutely prevent them from ever coming back.

 

- Right, I can see how something like this might be really tough to do because you’ve got a few attacks typically that you’re working on. So how would you even know what to prioritize and where to start?

 

- Oh, you’re absolutely right. That’s the most important thing: helping the security team figure out what’s important, what matters the most. In most organizations, it can be overwhelming. So we give you a place to start, and that starts in the SIEM. I have Microsoft Sentinel open to the incident page right here. And as you said, there will be other attacks competing for time, attention, and effort, so the first task is really going after the biggest threats that you need to worry about. We’ve got a couple of bad incidents here with multiple alerts grouped together, and a few of these are sophisticated multi-stage incidents like the one I described before. In this case, let’s focus on this incident as the top one, with more than 150 alerts from pretty much every component in our XDR stack. On the right, you can see the top-level details and entities affected. Let’s drill into it and talk about some of the tactics and techniques. Here’s our email, credential access, and also some more information about defense evasion that I’ll go into in a second. Discovery is where the attacker has done reconnaissance against our resources. And here’s how the attacker got in with initial access vectors and how they are able to maintain their foothold over time. And as you can see, they’re using login scripts, event-triggered executions, and scheduled tasks, and they’re all set up to establish persistence. And much of this needs elevated privilege to run. So the attacker pretty much owns this device at this point. Now, of course, Microsoft Defender for Endpoint would’ve blocked this, but we wanted to show a demo.

 

- Okay, so Sentinel’s kind of taking all of these things, like Microsoft 365 Defender, Defender for Endpoint and Cloud Apps, and Azure AD signal, and kind of bringing everything together in one view.

 

- That’s right. It correlates the data together, fuses it into one view, and automates the investigation for you. And it gets even better, because you can also see the sequence of the attack. And this importantly spans between on-prem and all of the cloud services that you use. In fact, here I can see the incident timeline with all of the individual alerts that built up to form this attack over time. There are more details about what was attacked, and we see three big spikes in anomalous activities over three days. And now, let’s look deeper into the entities. These are all the hosts, accounts, IP addresses, apps, files, and more. I can see which hosts they’ve moved into as well as which accounts are stolen, and that they’ve moved laterally even into an AWS-hosted resource.

 

- So this looks like a pretty formidable attack. They’ve kind of moved into every nook, cranny, and corner they can.

 

- Yeah, that’s right. Like I said, they have run completely amok. This is a complex attack, but it’s also very representative of the sophistication of attacks that we’re seeing out there today. So let’s dig into the attack investigation. You know it’s bad when there are so many events that these related pockets of events look like tiny dandelion seeds scattered all over the screen. Of course, I can zoom in for more fidelity in each area to get a better view and hover over a few things on the timeline. But what I like to do with really complex attacks like this one, with lots of activity in play, is play them back in Microsoft 365 Defender. And I can get right to that from the incident view. And now that we’re in the Defender console, I can play back the whole attack story and timeline. First, I see the OAuth consent coming from Adele. Next, here’s that backdoor email containing the weaponized document attachment. And from there, we can see it ran a PowerShell script on Jonathan Walcott’s machine to execute a few scheduled tasks and establish persistence. And we can see the attempts from the attackers to steal the primary refresh token so it can be reused to access other applications. And inevitably, as we’ve seen happen multiple times, it just gets worse from there. Mimikatz was then used to steal local credentials on this device, which, by the way, happens to belong to a help desk technician with higher-than-average privileges. So this could be as bad as domain admin, or at least elevated domain privileges. Compared to some other solutions, we get signal from across the stack. Beyond endpoints and basic identities, we have a full set of identity protections. So here, for example, you see that the help desk account was used to create email forwarding rules in Exchange and access documents in SharePoint. And that’s something that we are really good at detecting. But not only that, here you can see it’s also able to use these help desk credentials to access other clouds beyond Office 365 infrastructure, with Google services and AWS.

 

- So if the payload the attackers are after is in the Microsoft Cloud, why would they move to other clouds?

 

- Well, the first answer, of course, is why not? But above and beyond that, they create these little islands off to the side, where perhaps things aren’t as tightly monitored, that they can always use to come back in and attack again. So they’ve used an AWS S3 bucket as a place to try to move exfiltrated data out to, like this spreadsheet. Thankfully, that action was blocked thanks to DLP. I guess we forgot to disable that part of the protection in this demo. But you can see they’ve made the AWS S3 bucket location public. And as you can see here, with this custom policy using our Contoso DevOps entry, the help desk account even allowed them to make our private GitHub repo public. Now let’s pause for a moment to think about that, because I’m sure that the developers on your team are perfect and never store secret credentials in their code. But for some other companies and organizations, I’ve heard that might be a problem if their private repos become public. At this point, using these account lookups, the attackers are finding more accounts to stay under the radar. A ransomware payload is dropped, ready to encrypt some files.

 

- Okay, so now something like Microsoft 365 Defender would’ve stopped them from getting any further than this stage, right?

 

- It would’ve, but as I mentioned, we switched off a bunch of capabilities to get the demo scenario to work. In fact, real-time attack disruption in Microsoft 365 Defender would’ve disabled all of the identities and machines that the attacker had taken over and dramatically reduced the number of compromised assets in this ransomware attack. Now, of course, with it disabled, that didn’t happen. But back to the demo: the attacker now uses an identity to go after high-value infrastructure. And in Sentinel, I can see they use these credentials that they acquired in order to access SAP, download files, and send them to this IP address, which we can investigate further in Microsoft Defender Threat Intelligence from this comment right here on the left. And SAP is critical infrastructure where it isn’t a given that your security tools will monitor it and send you alerts. Sentinel has this, and not only that, but I can see the high-level details around the group involved, HAFNIUM, and the tools that have been used in this case. HAFNIUM is a name that we’ve assigned to a state-sponsored group from China. And here, we can see all of the details. This isn’t good. They’re using Cobalt Strike on this endpoint. If you’re new to Cobalt Strike, it was a set of tools initially built for good and used for penetration testing, but bad actors also use it to carry out command and control attacks. So we’ve expanded our Threat Intelligence experience so you can easily find more information about active threat actors, their unique tactics, techniques, and procedures, and associated malware, and put together a deeper picture about what’s actually happening to your estate. And now with these granular details, you can see indicators of compromise, know what to look for in your environment, and know what you should be worried about. The good news here is that we can use automated playbooks to help the SOC team initiate the response to this attack. The alert, as you can see here, goes straight into Microsoft Teams so you can select which playbooks to execute. And then if you need more context, it links you directly to the incident in Sentinel and the information in Threat Intelligence that we saw earlier. In my case, since I’m part of the team working on this attack since day one, I’m going to run all of these playbooks, and that will run all of our automated mitigations to contain this threat and make sure that it doesn’t spread further.

 

- So now you’re removing their access with their user and workload identities, and you can clean up the damage that they’ve done. But the big question is, how do you prevent something like this from happening in the future?

 

- Yeah, that is in many ways the most important question. It’s the question that every CISO gets asked when they go and talk to the board about what happened here. Once you’ve stopped the spread and evicted the bad actors, you can go back to work on getting everything back to normal and on preventing future attacks like this. We give a great set of recommendations per entity involved. Of course, these are really best practices that also apply to similar devices, accounts, or workloads.

 

- And this is really a great example of the integrated visibility that you get across the XDR stack and how you’re able to drive more proactive protections and also speed up your response. So for the people who are watching right now who want to get started and go down this road, what do you recommend?

 

- Well, in order to get started, I recommend getting your hands dirty. You can start with a few free trials for Sentinel and Microsoft 365 Defender. Microsoft Defender Threat Intelligence has a community edition where you can get a lot of the insights from the past 14 days, and the rest is in preview. We also have our Secure event on demand that you can watch now at aka.ms/mssecureevent to learn more about our investments in AI. This extends the built-in techniques that I showed today, which use things like advanced behavioral detection models to find anomalies and to detect attacks. We’re ramping that up even more with AI as a full assistant to make detection and protection against attacks even more efficient and supercharge your security team.

 

- Thank you so much for joining us today, Rob. And by the way, we’ve also got an entire show with Security Expert and CVP Lou Manousos to go deeper on Microsoft Defender Threat Intelligence updates, which you can watch right now at aka.ms/TiMechanics. Of course, keep checking back to Microsoft Mechanics for all the latest updates in tech, and we’ll see you soon.