Archive

Archive for the ‘Threat protection’ Category

CISO Spotlight: How diversity of data (and people) defeats today’s cyber threats

October 20th, 2020 No comments

This year, we have seen five significant security paradigm shifts in our industry. This includes the acknowledgment that the greater the diversity of our data sets, the better the AI and machine learning outcomes. This diversity gives us an advantage over our cyber adversaries and improves our threat intelligence. It allows us to respond swiftly and effectively, addressing one of the most difficult challenges for any security team. For Microsoft, our threat protection is built on an unparalleled cloud ecosystem that powers scalability, pattern recognition, and signal processing to detect threats at speed, while correlating these signals accurately to understand how the threat entered your environment, what it affected, and how it currently impacts your organization. The AI capabilities built into Microsoft Security solutions are trained on 8 trillion daily threat signals from a wide variety of products, services, and feeds from around the globe. Because the data is diverse, AI and machine learning algorithms can detect threats in milliseconds.

All security teams need insights based on diverse data sets to gain real-time protection for the breadth of their digital estates. Greater diversity fuels better AI and machine learning outcomes, improving threat intelligence and enabling faster, more accurate responses. In the same way, a diverse and inclusive cybersecurity team also drives innovation and diffuses group think.

Jason Zander, Executive Vice President, Microsoft Azure, knows firsthand the advantages organizations experience when embracing cloud-based protections that look for insights based on diverse data sets. Below, he shares how they offer real-time protection for the breadth of their digital estates:

How does diverse data make us safer?

The secret ingredient lies in the cloud itself. The sheer processing power of so many data points allows us to track more than 8 trillion daily signals from a diverse collection of products, services, and the billions of endpoints that touch the Microsoft cloud every month. Microsoft analyzes hundreds of billions of identity authentications and emails looking for fraud, phishing attacks, and other threats. Why am I mentioning all these numbers? It’s to demonstrate how our security operations take petabytes’ worth of data to assess the worldwide threat, then act quickly. We use that data in a loop—get the signals in, analyze them, and create even better defenses. At the same time, we do forensics to see where we can raise the bar.

Microsoft also monitors the dark web and scans 6 trillion IoT messages every day, and we leverage that data as part of our security posture. AI, machine learning, and automation all empower your team by reducing the noise of constant alerts, so your people can focus on meeting the truly challenging threats.

Staying ahead of the latest threats

As the pandemic swept the globe, we were able to identify new COVID-19 themed threats—often in a fraction of a second—before they breached customers’ networks. Microsoft cyber defenders determined that adversaries added new pandemic-themed lures to existing and familiar malware. Cybercriminals are always changing their tactics to take advantage of recent events. Insights based on diverse data sets empower robust real-time protection as our adversaries’ tactics shift.

Microsoft also has the Cyber Defense Operations Center (CDOC) running 24/7. We employ over 3,500 full-time security employees and spend about $1 billion in operational expenses (OPEX) every year. In this case, OPEX includes all the people, equipment, algorithms, development, and everything else needed to secure the digital estate. Monitoring those 8 trillion signals is a core part of that system protecting our end users.

Tried and proven technology

If you’re part of the Microsoft ecosystem—Windows, Teams, Microsoft 365, or even Xbox Live—then you’re already benefitting from this technology. Azure Sentinel is built on the same cybersecurity technology we use in-house. As a cloud-native security information and event management (SIEM) solution, Azure Sentinel uses scalable machine learning algorithms to provide a birds-eye view across your entire enterprise, alleviating the stress that comes from sophisticated attacks, frequent alerts, and long resolution time frames. Our research has shown that customers who use Azure Sentinel achieved a 90 percent reduction in alert fatigue.

Just as it does for us, Azure Sentinel can work continuously for your enterprise to:

  • Collect data across all users, devices, applications, and infrastructure—both on-premises and in multiple clouds.
  • Detect previously undetected threats (while minimizing false positives) using analytics and threat intelligence.
  • Investigate threats and hunt down suspicious activities at scale using powerful AI that draws upon years of cybersecurity work at Microsoft.
  • Respond to incidents rapidly with built-in orchestration and automation of common tasks.

Diversity equals better protection

As Jason explained, Microsoft is employing AI, machine learning, and quantum computing to shape our responses to cyber threats. We know we must incorporate a holistic approach that includes people at its core because technology alone will not be enough. If we don’t, cybercriminals will exploit group preconceptions and biases. According to research, gender-diverse teams make better business decisions 73 percent of the time. Additionally, teams that are diverse in age and geographic location make better decisions 87 percent of the time. Just as diverse data makes for better cybersecurity, the same holds true for the people in your organization, allowing fresh ideas to flourish. Investing in diverse teams isn’t just the right thing to do—it helps future proof against bias while protecting your organization and customers.

Watch for upcoming posts on how your organization can benefit from integrated, seamless security, and be sure to follow @Ann Johnson and @Jason Zander on Twitter for cybersecurity insights.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post CISO Spotlight: How diversity of data (and people) defeats today’s cyber threats appeared first on Microsoft Security.

Why we invite security researchers to hack Azure Sphere

October 6th, 2020 No comments

Fighting the security battle so our customers don’t have to

IoT devices are becoming more prevalent in almost every aspect of our lives—we will rely on them in our homes, our businesses, as well as our infrastructure. In February, Microsoft announced the general availability of Azure Sphere, an integrated security solution for IoT devices and equipment. General availability means that we are ready to provide OEMs and organizations with quick and cost-effective device security at scale. However, securing those devices does not stop once we put them into the hands of our customers. It is only the start of a continual battle between the attackers and the defenders.

Building a solution that customers can trust requires investments before and after deployment by complementing up-front technical measures with ongoing practices to find and mitigate risks. In April, we highlighted Azure Sphere’s approach to risk management and why securing IoT is not a one-and-done. Products improve over time, but so do hackers, as well as their skills and tools. New security threats continue to evolve, and hackers invent new ways to attack devices. So, what does it take to stay ahead?

As a Microsoft security product team, we believe in finding and fixing vulnerabilities before the bad guys do. While Azure Sphere continuously invests in code improvements, fuzzing, and other processes of quality control, it often requires the creative mindset of an attacker to expose a potential weakness that otherwise might be missed. Better than trying to think like a hacker is working with them. This is why we operate an ongoing program of red team exercises with security researchers and the hacker community: to benefit from their unique expertise and skill set. That includes being able to test our security promise not just against yesterday’s and today’s, but against even tomorrow’s attacks on IoT devices before they become known more broadly. Our recent Azure Sphere Security Research Challenge, which concluded on August 31, is a reflection of this commitment.

Partnering with MSRC to design a unique challenge

Our goal with the three-month Azure Sphere Security Research Challenge was twofold: to drive new high-impact security research, and to validate Azure Sphere’s security promise against the best challengers in their field. To do so, we partnered with the Microsoft Security Response Center (MSRC) and invited some of the world’s best researchers and security vendors to try to break our device by using the same kinds of attacks as any malicious actor might. To make sure participants had everything they needed to be successful, we provided each researcher with a dev kit, a direct line to our OS Security Engineering Team, access to weekly office hours, and email support in addition to our publicly available operating system kernel source code.

Our goal was to focus the research on the highest impact on customer security, which is why we provided six research scenarios with additional rewards of up to 20 percent on top of the Azure Bounty (up to $40,000), as well as $100,000 for two high-priority scenarios proving the ability to execute code in Microsoft Pluton or in Secure World. We received more than 3,500 applications, which is a testament to the strong interest of the research community in securing IoT. More information on the design of the challenge and our collaboration with MSRC can be found here on their blog post.

Researchers identify high impact vulnerabilities before hackers

The quality of submissions from participants in the challenge far exceeded our expectations. Several participants helped us find multiple potentially high impact vulnerabilities in Azure Sphere. The quality is a testament to the expertise, determination, and the diligence of the participants. Over the course of the challenge, we received a total of 40 submissions, of which 30 led to improvements in our product. Sixteen were bounty-eligible; adding up to a total of $374,300 in bounties awarded. The other 10 submissions identified known areas where potential risk is specifically mitigated in another part of the system—something often referred to in the field as “by design.” The high ratio of valid submissions to total submissions speaks to the extremely high quality of the research demonstrated by the participants.

Graph showing the submission breakdown and the total amount of money eligible to be received through the bounty system.

Jewell Seay, Azure Sphere Operating System Platform Security Lead, has shared detailed information of many of the cases in three recent blog posts describing the security improvements delivered in our 20.07, 20.08, and 20.09 releases. Cisco Talos and McAfee Advanced Threat Research (ATR), in particular, found several important vulnerabilities, and one particular attack chain is highlighted in Jewell’s 20.07 blog.

While the described attack required physical access to a device and could not be executed remotely, it exposed potential weaknesses spanning both cloud and device components of our product. The attack included a potential zero-day exploit in the Linux kernel to escape root privileges. The vulnerability was reported to the Linux kernel security team, leading to a fix for the larger open source community which was shared with the Linux community. If you would like to learn more and get an inside view of the challenge from one of our research partners, we highly recommend McAfee ATR’s blog post.

What it takes to provide renewable and improving security

With Azure Sphere, we provide our customers with a robust defense based on the Seven Properties of Highly Secured Devices. One of the properties, renewable security, ensures that a device can update to a more secure state—even if it has been compromised. While this is essential, it is not sufficient on its own. An organization must be equipped with the resources, people, and processes that allow for a quick resolution before vulnerabilities impact customers. Azure Sphere customers know that they have the strong commitment of our Azure Sphere Engineering team—that our team is searching for and addressing potential vulnerabilities, even from the most recently invented attack techniques.

We take this commitment to heart, as evidenced by all the fixes that went into our 20.07, 20.08, and 20.09 releases. In less than 30 days of McAfee reporting the attack chain to us, we shipped a fix to all of our customers, without the need for them to take any action due to how Azure Sphere manages updates. Although we received a high number of submissions throughout multiple release cycles, we prioritized analyzing every single report as soon as we received it. The success of our challenge should not just be measured by the number and quality of the reports, but also by how quickly reported vulnerabilities were fixed in the product. When it came to fixing the found vulnerabilities, there was no distinction made between the ones that were proven to be exploited or the ones that were only theoretical. Attackers get creative, and hope is not part of our risk assessment or our commitment to our customers.

Our engagement with the security research community

On behalf of the entire team and our customers, we would like to thank all participants for their help in making Azure Sphere more secure! We were genuinely impressed by the quality and number of high impact vulnerabilities that they found. In addition, we would also like to thank the MSRC team for partnering with us on this challenge.

Our goal is to continue to engage with this community on behalf of our customers going forward, and we will continue to review every potential vulnerability report for Azure Sphere for eligibility under the Azure Bounty Program awards.

Our team learned a lot throughout this challenge, and we will explore and announce additional opportunities to collaborate with the security research community in the future. Protecting our platform and the devices our customers build and deploy on it is a key priority for us. Working with the best security researchers in the field, we will continue to invest in finding potential vulnerabilities before the bad guys do—so you don’t have to!

If you are interested in learning more about how Azure Sphere can help you securely unlock your next IoT innovation:

The post Why we invite security researchers to hack Azure Sphere appeared first on Microsoft Security.

Microsoft Security—detecting empires in the cloud

September 24th, 2020 No comments

Microsoft consistently tracks the most advanced threat actors and evolving attack techniques. We use these findings to harden our products and platform and share them with the security community to help defenders everywhere better protect the planet.

Recently, the Microsoft Threat Intelligence Center (MSTIC) observed the evolution of attacker techniques by an actor we call GADOLINIUM using cloud services and open source tools to enhance weaponization of their malware payload, attempt to gain command and control all the way to the server, and to obfuscate detection. These attacks were delivered via spear-phishing emails with malicious attachments and detected and blocked by Microsoft 365 Defender, formerly Microsoft Threat Protection (MTP), and able to be detected using Azure Sentinel.

As these attacks were detected, Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure. This action helped transparently protect our customers without requiring additional work on their end.

GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods.

Recently, MSTIC has observed newly expanded targeting outside of those sectors to include the Asia Pacific region and other targets in higher education and regional government organizations. As GADOLINIUM has evolved, MSTIC has continued to monitor its activity and work alongside our product security teams to implement customer protections against these attacks.

Historically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.

The following GADOLINIUM technique profile is designed to give security practitioners who may be targeted by this specific actor’s activity insight and information that will help them better protect from these attacks.

2016: Experimenting in the cloud

GADOLINIUM has been experimenting with using cloud services to deliver their attacks to increase both operation speed and scale for years. The image in Figure 1 is from a GADOLINIUM controlled Microsoft TechNet profile established in 2016. This early use of a TechNet profiles’ contact widget involved embedding a very small text link that contained an encoded command for malware to read.

An image of a GADOLINIUM controlled Microsoft TechNet profile established in 2016.

Figure 1: GADOLINIUM controlled TechNet profile with embedded malware link.

2018: Developing attacks in the cloud

In 2018 GADOLINIUM returned to using Cloud services, but this time it chose to use GitHub to host commands. The image in Figure 2 shows GitHub Commit history on a forked repository GADOLINIUM controlled. In this repository, the actors updated markdown text to issue new commands to victim computers. MSTIC has worked with our colleagues at GitHub to take down the actor accounts and disrupt GADOLINIUM operations on the GitHub platform.

An image of a GitHub repository controlled by GADOLINIUM.

Figure 2: GitHub repository controlled by GADOLINIUM.

2019-2020: Hiding in plain sight using open source

GADOLINIUM’s evolving techniques
Two of the most recent attack chains in 2019 and 2020 were delivered from GADOLINIUM using similar tactics and techniques. Below is a summary view of how these attacks techniques have evolved followed by a detailed analysis of each step that security practitioners can use to better understand the threat and what defenses to implement to counter the attacks.

A summary view of how these attacks techniques have evolved.

Weaponization
In the last year, Microsoft has observed GADOLINIUM migrate portions of its toolchain techniques based on open source kits. GADOLINIUM is not alone in this move. MSTIC has noticed a slow trend of several nation-state activity groups migrating to open source tools in recent years. MSTIC assesses this move is an attempt to make discovery and attribution more difficult. The other added benefit to using open-source types of kits is that the development and new feature creation is done and created by someone else at no cost. However, using open source tools isn’t always a silver bullet for obfuscation and blending into the noise.

Delivery & Exploitation (2019)
In 2019, we discovered GADOLINIUM delivering malicious Access database files to targets. The initial malicious file was an Access 2013 database (.accde format). This dropped a fake Word document that was opened along with an Excel spreadsheet and a file called mm.accdb.core which was subsequently executed. The file mm.accdb.core is a VBA dropper, based on the CactusTorch VBA module, which loads a .NET DLL payload, sets configuration information, and then runs the payload. Office 365 ATP detects and blocks malicious Microsoft Access database attachments in email. A redacted example of the configuration is displayed below.

An image showing the VBA setting config and calling the 'Run' function of the payload.

Figure 3: VBA setting config and calling the “Run” function of the payload

Command and Control (2019)
Having gained access to a victim machine the payload then uses attachments to Outlook Tasks as a mechanism for command and control (C2). It uses a GADOLINIUM-controlled OAuth access token with login.microsoftonline.com and uses it to call the Outlook Task API to check for tasks. The attacker uses attachments to Outlook tasks as a means of sending commands or .NET payloads to execute; at the victim end, the malware adds the output from executing these commands as a further attachment to the Outlook task.

Interestingly, the malware had code compiled in a manner that doesn’t seem to be used in the attacks we saw. In addition to the Outlook Tasks API method described above, the extra code contains two other ways of using Office365 as C2, via either the Outlook Contacts API (get and add contacts) or the OneDrive API (list directory, get and add a file).

Actions on Objective (2019)
GADOLINIUM used several different payloads to achieve its exploitation or intrusion objectives including a range of PowerShell scripts to execute file commands (read/write/list etc.) to enable C2 or perform SMB commands (upload/download/delete etc.) to potentially exfiltrate data.

LazyCat, one of the tools used by GADOLINIUM, includes privilege escalation and credential dumping capability to enable lateral movement across a victim network. Microsoft 365 Defender for Endpoint detects the privilege escalation technique used:

An image ofMicrosoft Defender ATP alert of detected escalation of privilege attempt.

LazyCat performs credential dumping through usage of the MiniDumpWriteDump Windows API call, also detected by Microsoft 365 Defender for Endpoint:

An image of Microsoft Defender ATP alert of detected credential dumping activity.

Delivery (2020)
In mid-April 2020 GADOLINIUM actors were detected sending spear-phishing emails with malicious attachments. The filenames of these attachments were named to appeal to the target’s interest in the COVID-19 pandemic. The PowerPoint file (20200423-sitrep-92-covid-19.ppt), when run, would drop a file, doc1.dotm. Similarly, to the 2019 example, Microsoft 365 Defender for Office detects and blocks emails with these malicious PowerPoint and Word attachments.

Command and Control (2020)
The malicious doc1.dotm had two payloads which run in succession.

  • The first payload turns off a type check DisableActivitySurrogateSelectorTypeCheck  which the second stage needs as discussed in this blog.
  • The second payload loads an embedded .Net binary which downloads, decrypts + runs a .png file.

The .png is actually PowerShell which downloads and uploads fake png files using the Microsoft Graph API to https://graph.microsoft.com/v1.0/drive/root:/onlinework/contact/$($ID)_1.png:/content where $ID is the ID of the malware. The GADOLINIUM PowerShell is a modified version of the opensource PowershellEmpire toolkit.

Actions on Objectives (2020)
The GADOLINIUM PowerShell Empire toolkit allows the attacker to load additional modules to victim computers seamlessly via Microsoft Graph API calls. It provides a command and control module that uses the attacker’s Microsoft OneDrive account to execute commands and retrieve results between attacker and victim systems. The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage. From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario,, no OAuth permissions consent prompts occur. Later in this blog post, we will provide additional information about how Microsoft proactively prevents attackers from using our cloud infrastructure in these ways.

Command and Control—Server compromise
GADOLINIUM campaigns often involve installing web shells on legitimate web sites for command and control or traffic redirection. Microsoft 365 Defender for Endpoint detects web shells by analyzing web server telemetry such as process creation and file modifications. Microsoft blogged earlier in the year on the use of web shells by multiple groups and how we detect such activities.

Microsoft Defender ATP alerts of suspicious web shell attacks

 

Microsoft Defender ATP alerts of suspicious web shell attacks.

Figure 6: Microsoft Defender ATP alerts of suspicious web shell attacks.

Web shell alerts from Microsoft 365 Defender for Endpoint can be explored in Azure Sentinel and enriched with additional information that can give key insights into the attack. MSTIC’s Azure Sentinel team recently published a blog outlining how such insights can be derived by analyzing events from the W3CIISLog.

Microsoft’s proactive steps to defend customers
In addition to detecting many of the individual components of the attacks through Microsoft’s security products and services such as Microsoft 365 Defender for Endpoint and for Microsoft 365 Defender for Office as described above, we also take proactive steps to prevent attackers from using our cloud infrastructure to perpetrate attacks. As a cloud provider, Microsoft is uniquely positioned to disrupt this attacker technique. The PowerShell Empire scenario is a good example of this. During April 2020, the Microsoft Identity Security team suspended 18 Azure Active Directory applications that we determined to be part of GADOLINIUM’s PowerShell Empire infrastructure (Application IDs listed in IOC section below). Such action is particularly beneficial to customers as suspending these applications protects all customers transparently without any action being required at their end.)

As part of Microsoft’s broader work to foster a secure and trustworthy app ecosystem, we research and develop detection techniques for both known and novel malicious applications. Applications exhibiting malicious behavior are quickly suspended to ensure our customers are protected.

GADOLINIUM will no doubt evolve their tactics in pursuit of its objectives. As those threats target Microsoft customers, we will continue to build detections and implement protections to defend against them. For security practitioners looking to expand your own hunting on GADOLINIUM, we are sharing the below indicators of compromise (IOCs) associated with their activity.

List of related GADOLINIUM indicators

Hashes from malicious document attachments

faebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675
f61212ab1362dffd3fa6258116973fb924068217317d2bc562481b037c806a0a

Actor-owned email addresses

Chris.sukkar@hotmail.com
PhillipAdamsthird@hotmail.com
sdfwfde234sdws@outlook.com
jenny1235667@outlook.com
fghfert32423dsa@outlook.com
sroggeveen@outlook.com
RobertFetter.fdmed@hotmail.com
Heather.mayx@outlook.com

Azure Active Directory App IDs associated with malicious apps

ae213805-a6a2-476c-9c82-c37dfc0b6a6c
afd7a273-982b-4873-984a-063d0d3ca23d
58e2e113-b4c9-4f1a-927a-ae29e2e1cdeb
8ba5106c-692d-4a86-ad3f-fc76f01b890d
be561020-ba37-47b2-99ab-29dd1a4312c4
574b7f3b-36da-41ee-86b9-c076f999b1de
941ec5a5-d5bf-419e-aa93-c5afd0b01eff
d9404c7d-796d-4500-877e-d1b49f02c9df
67e2bb25-1f61-47b6-9ae3-c6104e587882
9085bb9e-9b56-4b84-b21e-bd5d5c7b0de0
289d71ad-54ee-44a4-8d9a-9294f19b0069
a5ea2576-4191-4e9a-bfed-760fff616fbf
802172dc-8014-42a9-b765-133c07039f9f
fb33785b-f3f7-4b2b-b5c1-f688d3de1bde
c196c17d-1e3c-4049-a989-c62f7afaf7f3
79128217-d61e-41f9-a165-e06e1d672069
f4a41d96-2045-4d75-a0ec-9970b0150b52
88d43534-4128-4969-b5c4-ceefd9b31d02

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Security—detecting empires in the cloud appeared first on Microsoft Security.

Microsoft Security—detecting empires in the cloud

September 24th, 2020 No comments

Microsoft consistently tracks the most advanced threat actors and evolving attack techniques. We use these findings to harden our products and platform and share them with the security community to help defenders everywhere better protect the planet.

Recently, the Microsoft Threat Intelligence Center (MSTIC) observed the evolution of attacker techniques by an actor we call GADOLINIUM using cloud services and open source tools to enhance weaponization of their malware payload, attempt to gain command and control all the way to the server, and to obfuscate detection. These attacks were delivered via spear-phishing emails with malicious attachments and detected and blocked by Microsoft 365 Defender, formerly Microsoft Threat Protection (MTP), and able to be detected using Azure Sentinel.

As these attacks were detected, Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure. This action helped transparently protect our customers without requiring additional work on their end.

GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods.

Recently, MSTIC has observed newly expanded targeting outside of those sectors to include the Asia Pacific region and other targets in higher education and regional government organizations. As GADOLINIUM has evolved, MSTIC has continued to monitor its activity and work alongside our product security teams to implement customer protections against these attacks.

Historically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.

The following GADOLINIUM technique profile is designed to give security practitioners who may be targeted by this specific actor’s activity insight and information that will help them better protect from these attacks.

2016: Experimenting in the cloud

GADOLINIUM has been experimenting with using cloud services to deliver their attacks to increase both operation speed and scale for years. The image in Figure 1 is from a GADOLINIUM controlled Microsoft TechNet profile established in 2016. This early use of a TechNet profiles’ contact widget involved embedding a very small text link that contained an encoded command for malware to read.

An image of a GADOLINIUM controlled Microsoft TechNet profile established in 2016.

Figure 1: GADOLINIUM controlled TechNet profile with embedded malware link.

2018: Developing attacks in the cloud

In 2018 GADOLINIUM returned to using Cloud services, but this time it chose to use GitHub to host commands. The image in Figure 2 shows GitHub Commit history on a forked repository GADOLINIUM controlled. In this repository, the actors updated markdown text to issue new commands to victim computers. MSTIC has worked with our colleagues at GitHub to take down the actor accounts and disrupt GADOLINIUM operations on the GitHub platform.

An image of a GitHub repository controlled by GADOLINIUM.

Figure 2: GitHub repository controlled by GADOLINIUM.

2019-2020: Hiding in plain sight using open source

GADOLINIUM’s evolving techniques
Two of the most recent attack chains in 2019 and 2020 were delivered from GADOLINIUM using similar tactics and techniques. Below is a summary view of how these attacks techniques have evolved followed by a detailed analysis of each step that security practitioners can use to better understand the threat and what defenses to implement to counter the attacks.

A summary view of how these attacks techniques have evolved.

Weaponization
In the last year, Microsoft has observed GADOLINIUM migrate portions of its toolchain techniques based on open source kits. GADOLINIUM is not alone in this move. MSTIC has noticed a slow trend of several nation-state activity groups migrating to open source tools in recent years. MSTIC assesses this move is an attempt to make discovery and attribution more difficult. The other added benefit to using open-source types of kits is that the development and new feature creation is done and created by someone else at no cost. However, using open source tools isn’t always a silver bullet for obfuscation and blending into the noise.

Delivery & Exploitation (2019)
In 2019, we discovered GADOLINIUM delivering malicious Access database files to targets. The initial malicious file was an Access 2013 database (.accde format). This dropped a fake Word document that was opened along with an Excel spreadsheet and a file called mm.accdb.core which was subsequently executed. The file mm.accdb.core is a VBA dropper, based on the CactusTorch VBA module, which loads a .NET DLL payload, sets configuration information, and then runs the payload. Office 365 ATP detects and blocks malicious Microsoft Access database attachments in email. A redacted example of the configuration is displayed below.

An image showing the VBA setting config and calling the 'Run' function of the payload.

Figure 3: VBA setting config and calling the “Run” function of the payload

Command and Control (2019)
Having gained access to a victim machine the payload then uses attachments to Outlook Tasks as a mechanism for command and control (C2). It uses a GADOLINIUM-controlled OAuth access token with login.microsoftonline.com and uses it to call the Outlook Task API to check for tasks. The attacker uses attachments to Outlook tasks as a means of sending commands or .NET payloads to execute; at the victim end, the malware adds the output from executing these commands as a further attachment to the Outlook task.

Interestingly, the malware had code compiled in a manner that doesn’t seem to be used in the attacks we saw. In addition to the Outlook Tasks API method described above, the extra code contains two other ways of using Office365 as C2, via either the Outlook Contacts API (get and add contacts) or the OneDrive API (list directory, get and add a file).

Actions on Objective (2019)
GADOLINIUM used several different payloads to achieve its exploitation or intrusion objectives including a range of PowerShell scripts to execute file commands (read/write/list etc.) to enable C2 or perform SMB commands (upload/download/delete etc.) to potentially exfiltrate data.

LazyCat, one of the tools used by GADOLINIUM, includes privilege escalation and credential dumping capability to enable lateral movement across a victim network. Microsoft 365 Defender for Endpoint detects the privilege escalation technique used:

An image ofMicrosoft Defender ATP alert of detected escalation of privilege attempt.

LazyCat performs credential dumping through usage of the MiniDumpWriteDump Windows API call, also detected by Microsoft 365 Defender for Endpoint:

An image of Microsoft Defender ATP alert of detected credential dumping activity.

Delivery (2020)
In mid-April 2020 GADOLINIUM actors were detected sending spear-phishing emails with malicious attachments. The filenames of these attachments were named to appeal to the target’s interest in the COVID-19 pandemic. The PowerPoint file (20200423-sitrep-92-covid-19.ppt), when run, would drop a file, doc1.dotm. Similarly, to the 2019 example, Microsoft 365 Defender for Office detects and blocks emails with these malicious PowerPoint and Word attachments.

Command and Control (2020)
The malicious doc1.dotm had two payloads which run in succession.

  • The first payload turns off a type check DisableActivitySurrogateSelectorTypeCheck  which the second stage needs as discussed in this blog.
  • The second payload loads an embedded .Net binary which downloads, decrypts + runs a .png file.

The .png is actually PowerShell which downloads and uploads fake png files using the Microsoft Graph API to https://graph.microsoft.com/v1.0/drive/root:/onlinework/contact/$($ID)_1.png:/content where $ID is the ID of the malware. The GADOLINIUM PowerShell is a modified version of the opensource PowershellEmpire toolkit.

Actions on Objectives (2020)
The GADOLINIUM PowerShell Empire toolkit allows the attacker to load additional modules to victim computers seamlessly via Microsoft Graph API calls. It provides a command and control module that uses the attacker’s Microsoft OneDrive account to execute commands and retrieve results between attacker and victim systems. The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage. From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario,, no OAuth permissions consent prompts occur. Later in this blog post, we will provide additional information about how Microsoft proactively prevents attackers from using our cloud infrastructure in these ways.

Command and Control—Server compromise
GADOLINIUM campaigns often involve installing web shells on legitimate web sites for command and control or traffic redirection. Microsoft 365 Defender for Endpoint detects web shells by analyzing web server telemetry such as process creation and file modifications. Microsoft blogged earlier in the year on the use of web shells by multiple groups and how we detect such activities.

Microsoft Defender ATP alerts of suspicious web shell attacks

 

Microsoft Defender ATP alerts of suspicious web shell attacks.

Figure 6: Microsoft Defender ATP alerts of suspicious web shell attacks.

Web shell alerts from Microsoft 365 Defender for Endpoint can be explored in Azure Sentinel and enriched with additional information that can give key insights into the attack. MSTIC’s Azure Sentinel team recently published a blog outlining how such insights can be derived by analyzing events from the W3CIISLog.

Microsoft’s proactive steps to defend customers
In addition to detecting many of the individual components of the attacks through Microsoft’s security products and services such as Microsoft 365 Defender for Endpoint and for Microsoft 365 Defender for Office as described above, we also take proactive steps to prevent attackers from using our cloud infrastructure to perpetrate attacks. As a cloud provider, Microsoft is uniquely positioned to disrupt this attacker technique. The PowerShell Empire scenario is a good example of this. During April 2020, the Microsoft Identity Security team suspended 18 Azure Active Directory applications that we determined to be part of GADOLINIUM’s PowerShell Empire infrastructure (Application IDs listed in IOC section below). Such action is particularly beneficial to customers as suspending these applications protects all customers transparently without any action being required at their end.)

As part of Microsoft’s broader work to foster a secure and trustworthy app ecosystem, we research and develop detection techniques for both known and novel malicious applications. Applications exhibiting malicious behavior are quickly suspended to ensure our customers are protected.

GADOLINIUM will no doubt evolve their tactics in pursuit of its objectives. As those threats target Microsoft customers, we will continue to build detections and implement protections to defend against them. For security practitioners looking to expand your own hunting on GADOLINIUM, we are sharing the below indicators of compromise (IOCs) associated with their activity.

List of related GADOLINIUM indicators

Hashes from malicious document attachments

faebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675
f61212ab1362dffd3fa6258116973fb924068217317d2bc562481b037c806a0a

Actor-owned email addresses

Chris.sukkar@hotmail.com
PhillipAdamsthird@hotmail.com
sdfwfde234sdws@outlook.com
jenny1235667@outlook.com
fghfert32423dsa@outlook.com
sroggeveen@outlook.com
RobertFetter.fdmed@hotmail.com
Heather.mayx@outlook.com

Azure Active Directory App IDs associated with malicious apps

ae213805-a6a2-476c-9c82-c37dfc0b6a6c
afd7a273-982b-4873-984a-063d0d3ca23d
58e2e113-b4c9-4f1a-927a-ae29e2e1cdeb
8ba5106c-692d-4a86-ad3f-fc76f01b890d
be561020-ba37-47b2-99ab-29dd1a4312c4
574b7f3b-36da-41ee-86b9-c076f999b1de
941ec5a5-d5bf-419e-aa93-c5afd0b01eff
d9404c7d-796d-4500-877e-d1b49f02c9df
67e2bb25-1f61-47b6-9ae3-c6104e587882
9085bb9e-9b56-4b84-b21e-bd5d5c7b0de0
289d71ad-54ee-44a4-8d9a-9294f19b0069
a5ea2576-4191-4e9a-bfed-760fff616fbf
802172dc-8014-42a9-b765-133c07039f9f
fb33785b-f3f7-4b2b-b5c1-f688d3de1bde
c196c17d-1e3c-4049-a989-c62f7afaf7f3
79128217-d61e-41f9-a165-e06e1d672069
f4a41d96-2045-4d75-a0ec-9970b0150b52
88d43534-4128-4969-b5c4-ceefd9b31d02

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Security—detecting empires in the cloud appeared first on Microsoft Security.

STRONTIUM: Detecting new patterns in credential harvesting

September 10th, 2020 No comments

Microsoft has tied STRONTIUM to a newly uncovered pattern of Office365 credential harvesting activity aimed at US and UK organizations directly involved in political elections. Analysts from Microsoft Threat Intelligence Center (MSTIC) and Microsoft Identity Security have been tracking this new activity since April 2020. Credential harvesting is a known tactic used by STRONTIUM to obtain valid credentials that enable future surveillance or intrusion operations. Subsequent analysis revealed that between September 2019 and June 2020, STRONTIUM launched credential harvesting attacks against tens of thousands of accounts at more than 200 organizations. In the two weeks between August 18 and September 3, the same attacks targeted 6,912 accounts belonging to 28 organizations. None of these accounts were successfully compromised.

Not all the targeted organizations were election-related. However, we felt it important to highlight a potential emerging threat to the 2020 US Presidential Election and future electoral contests in the UK.

Microsoft CVP Customer Security and Trust, Tom Burt provided some additional details on this campaign in his recent On The Issues blog post. The purpose of this post is to provide defenders in any organization, but especially those directly or indirectly affiliated with electoral systems, insight into the technical nature of this activity. By providing these details, we hope to enable better defense against future attacks and share best practices for securing cloud environments against this type of activity.

Tactical Details

STRONTIUM relied heavily upon spear phishing in its credential harvesting efforts leading up to the 2016 US presidential election. In 2016, spear-phishing was the most common tactic for stealing credentials from targeted accounts. This time around, STRONTIUM appears to be taking a different approach, namely, brute-force/password-spray tooling. This shift in tactics, also made by several other nation-state actors, allows them to execute large-scale credential harvesting operations in a more anonymized manner. The tooling STRONTIUM is using routes its authentication attempts through a pool of approximately 1,100 IPs, the majority associated with the Tor anonymizing service. This pool of infrastructure has evolved over time, with an average of approximately 20 IPs added and removed from it per day. STRONTIUM’s tooling alternates its authentication attempts amongst this pool of IPs approximately once per second. Considering the breadth and speed of this technique, it seems likely that STRONTIUM has adapted its tooling to use an anonymizer service to obfuscate its activity, evade tracking, and avoid attribution.

During the two-week period, August 19 – September 3, STRONTIUM’s credential harvesting tooling utilized a daily average of 1,294 IPs associated with 536 netblocks and 273 ASNs. Of these netblocks, some were much more heavily utilized by the tooling than others, both in terms of the total number of authentications attempted from them and the total number of IPs utilized within them. Figure 1 below represents the 5 netblocks from which the highest number of total auth attempts were observed. As highlighted in the table, several of these netblocks had much higher IP utilization rates than the rest. This observed behavior indicates that the underlying anonymization services providing the infrastructure backbone for STRONTIUM auth attempts are, in a sense, over-serving IPs in these specific netblocks.

Figure 1: Highest volume netblocks used in STRONTIUM auth attempts.

Figure 1: Highest volume netblocks used in STRONTIUM auth attempts.

The fact that the anonymization service is over-serving specific netblocks gives defenders an opportunity to hunt for activity associated both with this STRONTIUM activity or other malicious tooling that is utilizing the same anonymization service. The following Azure Sentinel query (GitHub link) is designed to identify failed authentication attempts from the three highest-signal, highest-utilization netblocks highlighted above, and group the results by UserAgent.

An image of code.

Microsoft Threat Protection (MTP) also provides a platform for users to identify failed authentication attempts. The following query will give MTP users the ability to hunt and address these threats as well:

An image of code. MSTIC has observed that the STRONTIUM tooling operates in two modes when targeting accounts: brute-force and password-spray.

In password-spray mode, the tooling attempts username: password combinations in a ‘low-‘n-slow’ manner. Organizations targeted by the tooling running in this mode typically see approximately four authentication attempts per hour per targeted account over the course of several days or weeks, with nearly every attempt originating from a different IP address.

In brute-force mode, the tooling attempts many username: password attempts very rapidly for a much shorter time period. Organizations targeted by the tooling running in this mode typically see over 300 authentication attempts per hour per targeted account over the course of several hours or days.

Tooling Operating Mode Avg ## of Attempts Per Account Per Hour Avg # Of IPs Utilized for Auth Attempts Per Account Per Hour Avg Length of Attack
Password-Spray 4 4 Days-Weeks
Brute-Force 335 200 Hours-Days

Organizations targeted by STRONTIUM using this tooling saw auth attempts against an average of 20% of their total accounts. In some instances, MSTIC assesses the tooling may have discovered these accounts simply by attempting authentications against a large number of possible account names until it found ones that were valid.

Guidance: Proactive defense 

There are some very simple steps businesses and targeted individuals can take to significantly improve the security of their accounts and make these types of attacks much more difficult.

1. Enable multi-factor authentication

We have seen clear proof that enabling multi-factor authentication (MFA) across both business and personal email accounts successfully thwarts the majority of credential harvesting attacks. Our colleagues in Azure Active Directory put it more precisely—

“… doing any form of MFA takes you out of reach of most attacks. MFA (using any mechanism) is just too costly to break – unless a highly motivated attacker is after that high-value account or asset.”

However, most enterprise accounts have not implemented this simple protection:

“When we evaluate all the tokens issued with MFA claims, we see that less than 10% of users use MFA per month in our enterprise accounts (and that includes on-premises and third-party MFA). Until MFA is more broadly adopted, there is little reason for attackers to evolve.”

2. Actively monitor failed authentications

When monitoring login activity in your accounts, look for any type of discernable patterns in these failed authentications and track them over time. Password spray is an increasingly common tactic of nation-state actors.

You can also maintain broader visibility into behavioral anomalies like failed login attempts by running detections and monitoring using Microsoft Cloud App Security (MCAS) which monitors user sessions for third-party cloud apps, including G-Suite, AWS, and Salesforce. The MCAS detection engine looks for anomalous user activity for indicators of compromise. One indicator, “multiple failed login attempts,” can be used to create a dynamic baseline per user, across the tenant, and alert on anomalous login behavior that may represent an active brute force or password spray attack.

Microsoft Threat Protection (MTP) can help to automatically track and rebuild the Incident view of all the compromised identities by password-spray leveraged later by the attacker to expand the breach to endpoint or cloud assets.

3. Test your organization’s resilience

Attack Simulator in Office 365 ATP lets you run realistic, but simulated phishing and password attack campaigns in your organization. Pick a password and then run the campaign against as many users as you want. The results will let you know how many people are using that password. Use the data to train users and build your custom list of banned passwords.

The post STRONTIUM: Detecting new patterns in credential harvesting appeared first on Microsoft Security.

Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning

August 27th, 2020 No comments

When attackers successfully breach a target network, their typical next step is to perform reconnaissance of the network, elevate their privileges, and move laterally to reach specific machines or spread as widely as possible. For these activities, attackers often probe the affected network’s Active Directory, which manages domain authentication and permissions for resources. Attackers take advantage of users’ ability to enumerate and interact with the Active Directory for reconnaissance, which allows lateral movement and privilege escalation. This is a common attack stage in human-operated ransomware campaigns like Ryuk.

These post-exploitation activities largely rely on scripting engines like PowerShell and WMI because scripts provide attackers flexibility and enable them to blend into the normal hum of enterprise endpoint activity. Scripts are lightweight, can be disguised and obfuscated relatively easily, and can be run fileless by loading them directly in memory through command-line or interacting with scripting engines in memory.

Antimalware Scan Interface (AMSI) helps security software to detect such malicious scripts by exposing script content and behavior. AMSI integrates with scripting engines on Windows 10 as well as Office 365 VBA to provide insights into the execution of PowerShell, WMI, VBScript, JavaScript, and Office VBA macros. Behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection (ATP) take full advantage of AMSI’s visibility into scripts and harness the power of machine learning and cloud-delivered protection to detect and stop malicious behavior. In the broader delivery of coordinated defense, the AMSI-driven detection of malicious scripts on endpoints helps Microsoft Threat Protection, which combines signals from Microsoft Defender ATP and other solutions in the Microsoft 365 security portfolio, to detect cross-domain attack chains.

On endpoints, performance-optimized machine learning models inspect script content and behavior through AMSI. When scripts run and malicious or suspicious behavior is detected, features are extracted from the content, including expert features, features selected by machine learning, and fuzzy hashes. The lightweight client machine learning models make inferences on the content. If the content is classified as suspicious, the feature description is sent to the cloud for full real-time classification. In the cloud, heavier counterpart machine learning models analyze the metadata and uses additional signals like file age, prevalence, and other such information to determine whether the script should be blocked or not.

These pairs of AMSI-powered machine learning classifiers, one pair for each scripting engine, allow Microsoft Defender ATP to detect malicious behavior and stop post-exploitation techniques and other script-based attacks, even after they have started running. In this blog, we’ll discuss examples of Active Directory attacks, including fileless threats, foiled by AMSI machine learning.

Diagram showing pairs of machine learning models on the endpoint and in the cloud using AMSI to detect malicious scripts

Figure 1. Pair of AMSI machine learning models on the client and in the cloud

Blocking BloodHound attacks

BloodHound is a popular open-source tool for enumerating and visualizing the domain Active Directory and is used by red teams and attackers as a post-exploitation tool. The enumeration allows a graph of domain devices, users actively signed into devices, and resources along with all their permissions. Attackers can discover and abuse weak permission configurations for privilege escalation by taking over other user accounts or adding themselves to groups with high privileges, or for planning their lateral movement path to their target privileges. Attackers, including those behind human-operated ransomware campaigns such as Ryuk, use BloodHound as part of their attacks.

To work, BloodHound uses a component called SharpHound to enumerate the domain and collect various categories of data: local admin collection, group membership collection, session collection, object property collection, ACL collection, and trust collection. This enumeration would typically then be exfiltrated to be visualized and analysed by the attacker as part of planning their next steps. SharpHound performs the domain enumeration and is officially published as a fileless PowerShell in-memory version, as well as a file-based executable tool version. It is critical to identify the PowerShell fileless variant enumeration if it is active on a network.

Code snippet of the SharpHound ingestor

Figure 2. SharpHound ingestor code snippets

When the SharpHound fileless PowerShell ingestor is run in memory, whether by a pen tester or an attacker, AMSI sees its execution buffer. The machine learning model on the client featurizes this buffer and sends it to the cloud for final classification.

Code snippet of SharpHound ingestor showing featurized details

Figure 3. Sample featurized SharpHound ingestor code

The counterpart machine learning model in the cloud analyzes the metadata, integrates other signals, and returns a verdict. Malicious scripts are detected and stopped on endpoints in real time:

Screenshot of Microsoft Defender Antivirus alert for detection of SharpHound

Figure 4. Microsoft Defender Antivirus detection of SharpHound

Detections are reported in Microsoft Defender Security Center, where SOC analysts can use Microsoft Defender ATP’s rich set of tools to investigate and respond to attacks:

Screenshot of Microsoft Defender Security Center showing detection of SharpHound

Figure 5. Microsoft Defender Security Center alert showing detection of SharpHound

This protection is provided by AI that has learned to identify and block these attacks automatically, and that will continue to adapt and learn new attack methods we observe.

Stopping Kerberoasting

Kerberoasting, like BloodHound attacks, is a technique for stealing credentials used by both red teams and attackers. Kerberoasting attacks abuse the Kerberos Ticket Granting Service (TGS) to gain access to accounts, typically targeting domain accounts for lateral movement.

Kerberoasting attacks involve scanning an Active Directory environment to generate a list of user accounts that have Kerberos Service Principal Name (SPN). Attackers then request these SPN to grant Kerberos Service Tickets to these accounts. The tickets are dumped from memory using various tools like Mimikatz and then exfiltrated for offline brute forcing on the encrypted segment of the tickets. If successful, attackers can identify the passwords associated with the accounts, which they then use to remotely sign into machines or access resources.

All the Kerberoasing attack steps leading to the hash extraction can be accomplished using a single PowerShell (Invoke-Kerberoast.ps1), and has been integrated into popular post-exploitation frameworks like PowerSploit and PowerShell Empire:

Figure 6. Single command line to download and execute Kerberoasting to extract user password hashes

Code snippet of Kerberoasting

Figure 7. Kerberoasting code

Because AMSI has visibility into PowerShell scripts, when the Invoke-Kerberoast.ps1 is run, AMSI allows for inspection of the PowerShell content during runtime. This buffer is featurized and analyzed by client-side machine learning models, and sent to the cloud for real-time ML classification.

Code snippet of Kerberoasting showing featurized details

Figure 8. Sample featurized Kerberoasting code

Microsoft Defender ATP raises an alert for the detection of Invoke-Kerberoast.ps1:

Figure 9. Microsoft Defender Security Center alert showing detection of Invoke-Kerberoast.ps1

Training the machine learning models

To ensure continued high-quality detection of threats, the AMSI machine learning models are trained per scripting engine using real-time protection data and threat investigations.

Featurization is key to machine learning models making intelligent decisions about whether content is malicious or benign. For behavior-based script logs, we extract the set of libraries, COM object, and function names used by the script. Learning the most important features within the script content is performed through a combination of character ngramming the script or behavior log, followed by semi-asynchronous stochastic dual coordinate ascent (SA-SDCA) algorithm with L1 regularization feature trimming to learn and deploy the most important character ngram features.

On top of the same features used to train the client models, other complex features used to train the cloud modes include fuzzy hashes, cluster hashes, partial hashes, and more. In addition, the cloud models have access to other information like age, prevalence, global file information, reputation and others, which allow cloud models to make more accurate decisions for blocking.

Conclusion: Broad visibility informs AI-driven protections

Across Microsoft, AI and machine learning protection technologies use Microsoft’s broad visibility into various surfaces to identify new and unknown threats. Microsoft Threat Protection uses these machine learning-driven protections to detect threats across endpoints, email and data, identities, and apps.

On endpoints, Microsoft Defender ATP uses multiple next-generation protection engines that detect a wide range of threats. One of these engines uses insights from AMSI and pairs of machine learning models on the client and in the cloud working together to detect and stop malicious scripts post-execution.

These pairs of AMSI models, one pair for each scripting engine, are part of the behavior-based blocking and containment capabilities in Microsoft Defender ATP, which are designed to detect and stop threats even after they have started running. When running, threats are exposed and can’t hide behind encryption or obfuscation. This adds another layer of protection for instances where sophisticated threats are able to slip through pre-execution defenses.

Diagram showing different next-generation protection engines on the client and in the cloud

Figure 10. Microsoft Defender ATP next-generation protection engines

In this blog post, we showed how these AMSI-driven behavior-based machine learning protections are critical in detecting and stopping post-exploitation activities like BloodHound-based and Kerberoasting attacks, which employ evasive malicious scripts, including fileless components. With AMSI, script content and behavior are exposed, allowing Microsoft Defender ATP to foil reconnaissance activities and prevent attacks from progressing.

To learn more about behavior-based blocking and containment, read the following blog posts:

 

Ankit Garg and Geoff McDonald

Microsoft Defender ATP Research Team

The post Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning appeared first on Microsoft Security.

How can Microsoft Threat Protection help reduce the risk from phishing?

August 26th, 2020 No comments

Microsoft Threat Protection can help you reduce the cost of phishing

The true cost of a successful phishing campaign may be higher than you think. Although phishing defenses and user education have become common in many organizations, employees still fall prey to these attacks. This is a problem because phishing is often leveraged as the first step in other cyberattack methods. As a result, its economic impact remains hidden. Understanding how these attacks work is key to mitigating your risk.

One reason phishing is so insidious is that attackers continuously evolve their methods. In this blog, I’ve described why you need to take phishing seriously and how different phishing methods work. You’ll also find links to Microsoft Threat Protection solutions that can help you reduce your risk.

Nearly 1 in 3 attacks involve phishing

According to Accenture’s Ninth Annual Cost of Cybercrime Study, phishing attacks cost the average organization USD1.4 million in 2018, an eight percent rise over 2017. This likely underestimates the cost because the report only considers four major consequences when determining the cost of an attack: business disruption, information loss, revenue loss, and equipment damage. However, phishing is used as the delivery method for several other attacks, including business email compromise, malware, ransomware, and botnet attacks. The 2019 Verizon Data Breach Report finds that almost one in three attacks involved phishing. And according to the 2019 Internet Crime Complaint Center, phishing/vishing/smishing/pharming are the most common methods for scamming individuals online.

Since the costs of other attacks can often be attributed to phishing, a comprehensive cyber risk mitigation strategy should place a high value on phishing defenses and user education.

Phishing campaigns can be well-targeted and sophisticated

As attackers have developed new methods to evade detection by defenders and victims, phishing has transformed. Phishing now uses mediums other than email, including voicemail, instant messaging, and collaboration platforms, as people have enhanced email-based defenses, but may have not considered these other attack vectors. The success of phishing as the delivery of other cyberattacks makes it critically important for defenders to be able to identify the many types of phishing and how to defend against them, including:

  • Mass market phishing: When you think of phishing this is likely what comes to mind. These emails go out to a large group of people and use a generic message to trick users into clicking a link or downloading a file. Attacks often use email spoofing, so that the message appears to come from a legitimate source.
  • Spear phishing: Spear phishing is a more targeted social engineering method. Attackers pick an individual, such as a global administrator or an HR professional, conduct research, and then craft an email that makes use of that research to dupe the victim.
  • Whaling: These emails target someone on the executive team. Like spear phishing, these attacks start with research, which the attacker uses to write an email that appears legitimate.
  • Business-email compromise: In these attacks, adversaries compromise an executive’s account, such as the CEO, and then use that account to ask a direct report to wire money.
  • Clone phishing: Attackers clone a legitimate email and then change the link or attachment.
  • Vishing: Vishing is a phishing attempt using the phone. Victims are asked to call back and enter a PIN number or account number.

Fahmida Y. Rashid provides more details about these type of phishing attacks on CSO.

An emerging phishing method exploits the increase in remote work

Recently, another phishing type was identified called consent phishing. In response to COVID-19, people have increased their usage of cloud apps and mobile devices to facilitate work from home. Bad actors have taken advantage of this shift by leveraging application-based attacks to gain unwarranted access to valuable data in cloud services. By using application prompts similar to that on mobile devices, they trick victims into allowing the malicious applications permission to access services and data (see Figure 2).

An image showing the Microsoft "Permissions requested" dialogue.

Figure 1: Familiar application prompts trick users into giving malicious apps access to services and data.

The following best practices can help you defend against this new threat:

  • Educate your organization on how to identify a consent phishing message. Poor spelling and grammar are two indicators that the request isn’t legitimate. Users may also notice that the URL doesn’t quite look right.
  • Promote and allow access to apps you trust. Use publisher verified to identify apps that have been validated by the Microsoft platform. Configure application consent policies, so employees are guided to applications you trust.
  • Educate your organization on how permissions and consent framework works in the Microsoft platform.

Office 365 Advanced Threat Protection helps prevent and remediate phishing attacks

Office 365 Advanced Threat Protection (Office 365 ATP), natively protects all of Office 365 against advanced attacks. The service leverages industry-leading intelligence fueled by trillions of signals to continuously evolve to prevent emerging threats, like phishing and impersonation attacks. As part of Microsoft Threat Protection, Office 365 ATP provides security teams with the tools to investigate and remediate these threats, and integrates with other Microsoft Threat Protection products like Microsoft Defender Advanced Threat Protection and Azure Advanced Threat Protection to help stop cross-domain attacks spanning email, collaboration tools, endpoints, identities, and cloud apps.

Microsoft Threat Protection increases analyst efficiency

Microsoft Threat Protection stops attacks across Microsoft 365 services and auto-heals affected assets. It leverages the Microsoft 365 security portfolio to automatically analyze threat data across identities, endpoints, cloud applications, and email and docs. By fusing related alerts into incidents, defenders can respond to threats and attacks immediately and in their entirety, saving precious time. (see Figure 3).

The following actions will help you gain greater visibility into attacks to protect your organization.

An image of : Microsoft Threat Protection and Office 365 ATP provide several capabilities to help you protect your organization from phishing attacks.

Figure 2: Microsoft Threat Protection and Office 365 ATP provide several capabilities to help you protect your organization from phishing attacks.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How can Microsoft Threat Protection help reduce the risk from phishing? appeared first on Microsoft Security.

Seeing the big picture: Deep learning-based fusion of behavior signals for threat detection

July 23rd, 2020 No comments

The application of deep learning and other machine learning methods to threat detection on endpoints, email and docs, apps, and identities drives a significant piece of the coordinated defense delivered by Microsoft Threat Protection. Within each domain as well as across domains, machine learning plays a critical role in analyzing and correlating massive amounts of data to detect increasingly evasive threats and build a complete picture of attacks.

On endpoints, Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) detects malware and malicious activities using various types of signals that span endpoint and network behaviors. Signals are aggregated and processed by heuristics and machine learning models in the cloud. In many cases, the detection of a particular type of behavior, such as registry modification or a PowerShell command, by a single heuristic or machine learning model is sufficient to create an alert.

Detecting more sophisticated threats and malicious behaviors considers a broader view and is significantly enhanced by fusion of signals occurring at different times. For example, an isolated event of file creation is generally not a very good indication of malicious activity, but when augmented with an observation that a scheduled task is created with the same dropped file, and combined with other signals, the file creation event becomes a significant indicator of malicious activity. To build a layer for these kinds of abstractions, Microsoft researchers instrumented new types of signals that aggregate individual signals and create behavior-based detections that can expose more advanced malicious behavior.

In this blog, we describe an application of deep learning, a category of machine learning algorithms, to the fusion of various behavior detections into a decision-making model. Since its deployment, this deep learning model has contributed to the detection of many sophisticated attacks and malware campaigns. As an example, the model uncovered a new variant of the Bondat worm that attempts to turn affected machines into zombies for a botnet. Bondat is known for using its network of zombie machines to hack websites or even perform cryptocurrency mining. This new version spreads using USB devices and then, once on a machine, achieves a fileless persistence. We share more technical details about this attack in latter sections, but first we describe the detection technology that caught it.

Powerful, high-precision classification model for wide-ranging data

Identifying and detecting malicious activities within massive amounts of data processed by Microsoft Defender ATP require smart automation methods and AI. Machine learning classifiers digest large volumes of historical data and apply automatically extracted insights to score each new data point as malicious or benign. Machine learning-based models may look at, for example, registry activity and produce a probability score, which indicates the probability of the registry write being associated with malicious activity. To tie everything together, behaviors are structured into virtual process trees, and all signals associated with each process tree are aggregated and used for detecting malicious activity.

With virtual process trees and signals of different types associated to these trees, there’s still large amounts of data and noisy signals to sift through. Since each signal occurs in the context of a process tree, it’s necessary to fuse these signals in the chronological order of execution within the process tree. Data ordered this way requires a powerful model to classify malicious vs. benign trees.

Our solution comprises several deep learning building blocks such as Convolutional Neural Networks (CNNs) and Long Short-Term Memory Recurrent Neural Networks (LSTM-RNN). The neural network can take behavior signals that occur chronologically in the process tree and treat each batch of signals as a sequence of events. These sequences can be collected and classified by the neural network with high precision and detection coverage.

Behavior-based and machine learning-based signals

Microsoft Defender ATP researchers instrument a wide range of behavior-based signals. For example, a signal can be for creating an entry in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

A folder and executable file name added to this location automatically runs after the machine starts. This generates persistence on the machine and hence can be considered an indicator of compromise (IoC). Nevertheless, this IoC is generally not enough to generate detection because legitimate programs also use this mechanism.

Another example of behavior-based signal is service start activity. A program that starts a service through the command line using legitimate tools like net.exe is not considered a suspicious activity. However, starting a service created earlier by the same process tree to obtain persistence is an IoC.

On the other hand, machine learning-based models look at and produce signals on different pivots of a possible attack vector. For example, a machine learning model trained on historical data to discern between benign and malicious command lines will produce a score for each processed command line.

Consider the following command line:

 cmd /c taskkill /f /im someprocess.exe

This line implies that taskill.exe is evoked by cmd.exe to terminate a process with a particular name. While the command itself is not necessarily malicious, the machine learning model may be able to recognize suspicious patterns in the name of the process being terminated, and provide a maliciousness probability, which is aggregated with other signals in the process tree. The result is a sequence of events during a certain period of time for each virtual process tree.

The next step is to use a machine learning model to classify this sequence of events.

Data modeling

The sequences of events described in the previous sections can be represented in several different ways to then be fed into machine learning models.

The first and simple way is to construct a “dictionary” of all possible events, and to assign a unique identifier (index) to each event in the dictionary. This way, a sequence of events is represented by a vector, where each slot constitutes the number of occurrences (or other related measure) for an event type in the sequence.

For example, if all possible events in the system are X,Y, and Z, a sequence of events “X,Z,X,X” is represented by the vector [3, 0, 1], implying that it contains three events of type X, no events of type Y, and a single event of type Z. This representation scheme, widely known as “bag-of-words”,  is suitable for traditional machine learning models and has been used for a long time by machine learning practitioners. A limitation of the bag-of-words representation is that any information about the order of events in the sequence is lost.

The second representation scheme is chronological. Figure 1 shows a typical process tree: Process A raises an event X at time t1, Process B raises an event Z at time t2, D raises X at time t3, and E raises X at time t4. Now the entire sequence “X,Z,X,X”  (or [1,3,1,1] replacing events by their dictionary indices) is given to the machine learning model.

Diagram showing process tree

Figure 1. Sample process tree

In threat detection, the order of occurrence of different events is important information for the accurate detection of malicious activity. Therefore, it’s desirable to employ a representation scheme that preserves the order of events, as well as machine learning models that are capable of consuming such ordered data. This capability can be found in the deep learning models described in the next section.

Deep CNN-BiLSTM

Deep learning has shown great promise in sequential tasks in natural language processing like sentiment analysis and speech recognition. Microsoft Defender ATP uses deep learning for detecting various attacker techniques, including malicious PowerShell.

For the classification of signal sequences, we use a Deep Neural Network that combines two types of building blocks (layers): Convolutional Neural Networks (CNN) and Bidirectional Long Short-Term Memory Recurrent Neural Networks (BiLSTM-RNN).

CNNs are used in many tasks relating to spatial inputs such as images, audio, and natural language. A key property of CNNs is the ability to compress a wide-field view of the input into high-level features.  When using CNNs in image classification, high-level features mean parts of or entire objects that the network can recognize. In our use case, we want to model long sequences of signals within the process tree to create high-level and localized features for the next layer of the network. These features could represent sequences of signals that appear together within the data, for example, create and run a file, or save a file and create a registry entry to run the file the next time the machine starts. Features created by the CNN layers are easier to digest for the ensuing LSTM layer because of this compression and featurization.

LSTM deep learning layers are famous for results in sentence classification, translation, speech recognition, sentiment analysis, and other sequence modeling tasks. Bidirectional LSTM combine two layers of LSTMs that process the sequence in opposite directions.

The combination of the two types of neural networks stacked one on top of the other has shown to be very effective and can classify long sequences of hundreds of items and more. The final model is a combination of several layers: one embedding layer, two CNNs, and a single BiLSTM. The input to this model is a sequence of hundreds of integers representing the signals associated with a single process tree during a unit of time. Figure 2 shows the architecture of our model.

Diagram showing layers of the CNN BiLSTM model

Figure 2. CNN-BiLSTM model

Since the number of possible signals in the system is very high, input sequences are passed through an embedding layer that compresses high-dimensional inputs into low-dimensional vectors that can be processed by the network. In addition, similar signals get a similar vector in lower dimensional space, which helps with the final classification.

Initial layers of the network create increasingly high-level features, and the final layer performs sequence classification. The output of the final layer is a score between 0 and 1 that indicates the probability of the sequence of signals being malicious. This score is used in combination with other models to predict if the process tree is malicious.

Catching real-world threats

Microsoft Defender ATP’s endpoint detection and response capabilities use this Deep CNN-BiLSTM model to catch and raise alerts on real-world threats. As mentioned, one notable attack that this model uncovered is a new variant of the Bondat worm, which was seen propagating in several organizations through USB devices.

Diagram showing the Bondat attack chain

Figure 3. Bondat malware attack chain

Even with an arguably inefficient propagation method, the malware could persist in an organization as users continue to use infected USB devices. For example, the malware was observed in hundreds of machines in one organization. Although we detected the attack during the infection period, it continued spreading until all malicious USB drives were collected. Figure 4 shows the infection timeline.

Column chart showing daily encounters of the Bondat malware in one organization

Figure 4. Timeline of encounters within a single organization within a period of 5 months showing reinfection through USB devices

The attack drops a JavaScript payload, which it runs directly in memory using wscript.exe. The JavaScript payload uses a randomly generated filename as a way to evade detections. However, Antimalware Scan Interface (AMSI) exposes malicious script behaviors.

To spread via USB devices, the malware leverages WMI to query the machine’s disks by calling “SELECT * FROM Win32_DiskDrive”. When it finds a match for “/usb” (see Figure 5), it copies the JavaScript payload to the USB device and creates a batch file on the USB device’s root folder. The said batch file contains the execution command for the payload. As part of its social engineering technique to trick users into running the malware in the removable device, it creates a LNK file on the USB pointing to the batch file.

Screenshot of malware code showing infection technique

Figure 5. Infection technique

The malware terminates processes related to antivirus software or debugging tools. For Microsoft Defender ATP customers, tamper protection prevents the malware from doing this. Notably, after terminating a process, the malware pops up a window that imitates a Windows error message to make it appear like the process crashed (See figure 6).

Screenshot of malware code showing infection technique

Figure 6. Evasion technique

The malware communicates with a remote command-and-control (C2) server by implementing a web client (MSXML). Each request is encrypted with RC4 using a randomly generated key, which is sent within the “PHPSESSID” cookie value to allow attackers to decrypt the payload within the POST body.

Every request sends information about the machine and its state following the output of the previously executed command. The response is saved to disk and then parsed to extract commands within an HTML comment tag. The first five characters from the payload are used as key to decrypt the data, and the commands are executed using the eval() method. Figures 7 and 8 show the C2 communication and HTML comment eval technique.

Once the command is parsed and evaluated by the JavaScript engine, any code can be executed on an affected machine, for example, download other payloads, steal sensitive info, and exfiltrate stolen data. For this Bondat campaign, the malware runs coin mining or coordinated distributed denial of service (DDoS) attacks.

Figure 7. C2 communication

Figure 8. Eval technique (parsing commands from html comment)

The malware’s activities triggered several signals throughout the attack chain. The deep learning model inspected these signals and the sequence with which they occurred, and determined that the process tree was malicious, raising an alert:

  1. Persistence – The malware copies itself into the Startup folder and drops a .lnk file pointing to the malware copy that opens when the computer starts
  2. Renaming a known operating system tool – The malware renames exe into a random filename
  3. Dropping a file with the same filename as legitimate tools – The malware impersonates legitimate system tools by dropping a file with a similar name to a known tool.
  4. Suspicious command line – The malware tries to delete itself from previous location using a command line executed by a process spawned by exe
  5. Suspicious script content – Obfuscated JavaScript payload used to hide the attacker’s intentions
  6. Suspicious network communication – The malware connects to the domain legitville[.]com

Conclusion

Modeling a process tree, given different signals that happen at different times, is a complex task. It requires powerful models that can remember long sequences and still be able to generalize well enough to churn out high-quality detections. The Deep CNN-BiLSTM model we discussed in this blog is a powerful technology that helps Microsoft Defender ATP achieve this task. Today, this deep learning-based solution contributes to Microsoft Defender ATP’s capability to detect evolving threats like Bondat.

Microsoft Defender ATP raises alerts for these deep learning-driven detections, enabling security operations teams to respond to attacks using Microsoft Defender ATP’s other capabilities, like threat and vulnerability management, attack surface reduction, next-generation protection, automated investigation and response, and Microsoft Threat Experts. Notably, these alerts inform behavioral blocking and containment capabilities, which add another layer of protection by blocking threats if they somehow manage to start running on machines.

The impact of deep learning-based protections on endpoints accrues to the broader Microsoft Threat Protection (MTP), which combines endpoint signals with threat data from email and docs, identities, and apps to provide cross-domain visibility. MTP harnesses the power of Microsoft 365 security products to deliver unparalleled coordinated defense that detects, blocks, remediates, and prevents attacks across an organization’s Microsoft 365 environment. Through machine learning and AI technologies like the deep-learning model we discussed in this blog, MTP automatically analyzes cross-domain data to build a complete picture of each attack, eliminating the need for security operations centers (SOC) to manually build and track the end-to-end attack chain and relevant details. MTP correlates and consolidates attack evidence into incidents, so SOCs can save time and focus on critical tasks like expanding investigations and proacting threat hunting.

 

Arie Agranonik, Shay Kels, Guy Arazi

Microsoft Defender ATP Research Team

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Threat Protection and Microsoft Defender ATP tech communities.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post Seeing the big picture: Deep learning-based fusion of behavior signals for threat detection appeared first on Microsoft Security.

Afternoon Cyber Tea: Cybersecurity & IoT: New risks and how to minimize them

July 2nd, 2020 No comments

Recently, Microsoft announced our acquisition of CyberX, a comprehensive network-based security platform with continuous threat monitoring and analytics. This solution builds upon our commitment to provide a unified IoT security solution that addresses connected devices spread across both industrial and IT environments and provides a trusted, easy-to-use platform for our customers and partners to build connected solutions – no matter where they are starting in their IoT journey.

Every year billions of new connected devices come online. These devices enable businesses to finetune operations, optimize processes, and develop analytics-based services. Organizations are clearly benefiting from IoT as shared in the IoT Signals research report produced by Microsoft. But while the benefit is great, we must not ignore the potential security risks. To talk about how companies can reduce their risk from connected devices, Dr. Andrea Little Limbago joined me on Cyber Tea with Ann Johnson.

Dr. Andrea Little Limbago is a cybersecurity researcher, quant analyst, and computational social scientist at Virtru. With a background in social science, Andera has a unique perspective that I think you’ll find interesting.

Andrea and I talked about the role of automation in attacks and defense and how privacy and security advocates can come together to accomplish their overlapping goals. We also talked about how to safeguard your organization when you can’t inventory all your IoT devices.

It isn’t just businesses that are investing in connected devices. If you have IoT devices in your home, Andrea offered some great advice for protecting your privacy and your data. Listen to Cybersecurity and IoT: New Risks and How to Minimize Them to hear our conversation.

Lack of visibility into the devices currently connected to the network is a widespread problem. Many organizations also struggle to manage security on existing devices. The acquisition of CyberX complements existing Azure IoT security capabilities. I’m excited because this helps our customers discover their existing IoT assets, and both manage and improve the security posture of those devices. Expect more innovative solutions as we continue to integrate CyberX into Microsoft’s IoT security portfolio.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, Internet of Things (IoT), and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

§  Apple Podcasts—You can also download the episode by clicking the Episode Website link.

§  Podcast One—Includes option to subscribe, so you’re notified as soon as new episodes are available.

§  CISO Spotlight page—Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

If you are interested in how businesses across the globe are benefiting from IoT, read IoT Signals, a research report produced by Microsoft.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Cybersecurity & IoT: New risks and how to minimize them appeared first on Microsoft Security.

Best security, compliance, and privacy practices for the rapid deployment of publicly facing Microsoft Power Apps intake forms

June 29th, 2020 No comments

With the dawn of the COVID-19 pandemic, state and federal agencies around the globe were looking at ways to modernize data intake for social services recipients. The government of a country of about 40 million citizens reached out to Microsoft and asked us to assist in this endeavor. Going paperless eliminates waiting in line at an agency office, and lowers the chance of COVID-19 transmission. The ability to make requests or apply for federal or local assistance online makes the process safer and more efficient, as once data is collected citizens should start receiving funds more accurately and quickly.

Security is a major concern of not only major governments but of other entities using Microsoft Power App intake forms. Organizations and agencies needed to be certain that Microsoft Power App intake forms could not be used to collect data from large, sensitive databases containing personal information like names, addresses, Social Security or national security identification numbers, telephone numbers, or bank account information for direct deposit. If internet-facing forms collect personal information, and are not securely implemented, bad actors can use those forms to cleverly gain access to millions—if not billions—of personal records.

We authored this white paper specifically for those agencies and organizations who are transforming data intake to partially or 100-percent paperless. Microsoft wants to ensure that customers are implementing our technologies with the most secure approach possible, and adhering to compliance with all data privacy laws. Microsoft is also making recommendations in the white paper regarding the best way to implement the NIST Cybersecurity Framework in order to identify, protect, detect, respond, and recover from cybersecurity attacks.

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Best security, compliance, and privacy practices for the rapid deployment of publicly facing Microsoft Power Apps intake forms appeared first on Microsoft Security.

Lessons learned from the Microsoft SOC—Part 3d: Zen and the art of threat hunting

June 25th, 2020 No comments

An image of a black male developer at work in an Enterprise office workspace.

Threat hunting is a powerful way for the SOC to reduce organizational risk, but it’s commonly portrayed and seen as a complex and mysterious art form for deep experts only, which can be counterproductive. In this and the next blog we will shed light on this important function and recommend simple ways to get immediate and meaningful value out of threat hunting.

This is the seventh blog in the Lessons learned from the Microsoft SOC series designed to share our approach and experience from the front lines of our security operations center (SOC) protecting Microsoft, and our Detection and Response Team (DART) helping our customers with their incidents. For a visual depiction of our SOC philosophy, download our Minutes Matter poster.

Before we dive in, let’s clarify the definition of “threat hunting.”  There are various disciplines and processes that contribute to the successful proactive discovery of threat actor operations. For example, our Hunting Team works with threat intelligence to help shape and guide their efforts, but our threat intelligence teams are not “threat hunters.”  When we use the term “threat hunting,” we are talking about the process of experienced analysts proactively and iteratively searching through the environment to find attacker operations that have evaded other detections.

Hunting is a complement to reactive processes, alerts, and detections, and enables you to proactively get ahead of attackers. What sets hunting apart from reactive activities is the proactive nature of it, where hunters spend extended focus time thinking through issues, identifying trends and patterns, and getting a bigger picture perspective.

A successful hunting program is not purely proactive however as it requires continuously balancing attention between reactive efforts and proactive efforts. Threat hunters will still need to maintain a connection to the reactive side to keep their skills sharp and fresh and keep attuned to trends in the alert queue. They will also need to jump in to help with major incidents at a moment’s notice to help put out the fire. The amount of time available for proactive activities will depend heavily on whether or not you have a full-time or part-time hunting mission.

Our SOC approaches threat hunting by applying our analysts to different types of threat hunting tasks:

1. Proactive adversary research and threat hunting

This is what most of our threat hunters spend the majority of their time doing. The team searches through a variety of sources including alerts, external indicators of compromise and other sources. The team primarily works to build and refine structured hypotheses of what the attackers may do based on threat intelligence (TI), unusual observations in the environment, and their own experience. In practice, this type of threat hunting includes:

  • Proactive search through the data (queries or manual review).
  • Proactive development of hypotheses based on TI and other sources.

2. Red and purple teaming

Some of our threat hunters work with red teams who simulate attacks and others who conduct authorized penetration testing against our environment. This is a rotating duty for our threat hunters and typically involves purple teaming, where both red and blue teams work to do their jobs and learn from each other. Each activity is followed up by fully transparent reviews that capture lessons learned which are shared throughout the SOC, with product engineering teams, and with other security teams in the company.

3. Incidents and escalations

Proactive hunters aren’t sequestered somewhere away from the watch floor. They are co-located with reactive analysts; they frequently check in with each other, share what they are working on, share interesting findings/observations, and generally maintain situational awareness of current operations. Threat hunters aren’t necessarily assigned to this task full time; they may simply remain flexible and jump in to help when needed.

These are not isolated functions— the members of these teams work in the same facility and frequently check in with each other, share what they are working on, and share interesting findings/observations.

What makes a good threat hunter?

While any high performing analyst has good technical skills, a threat hunter must be able to see past technical data and tools to attackers’ actions, motivations, and ideas. They need to have a “fingertip feel” (sometimes referred to as Fingerspitzengefühl), which is a natural sense of what is normal and abnormal in security data and the environment. Threat hunters can recognize when an alert (or cluster of alerts/logs) seem different or out of place.

One way to think about the qualities that make up a good threat hunter is to look at the Three F’s.

Functionality

This is technical knowledge and competency of investigating and remediating incidents. Security analysts (including threat hunters) should be proficient with the security tools, general flow of investigation and remediation, and the types technologies commonly deployed in enterprise environments.

Familiarity

This is “know thyself” and “know thy enemy” and includes familiarity with your organization’s specific environment and familiarity with attacker tactics, techniques, and procedures (TTPs). Attacker familiarity starts with understanding common adversary behaviors and then grows into a deeper sense of specific adversaries (including technologies, processes, playbooks, business priorities and mission, industry, and typical threat patterns). Familiarity also includes the relationships threat hunters develop with the people in your organization, and their roles/responsibilities. Familiarity with your organization is highly valued for analysts on investigation teams, and critical for effective threat hunting.

Flexibility

Flexibility is a highly valued attribute of any analyst role, but it is absolutely required for a threat hunter. Flexibility is a mindset of being adaptable in what you may do every day and how you do it. This manifests in how you understand problems, process information, and pursue solutions. This mindset comes from within each person and is reflected in almost everything they do.

Where any threat analyst (or threat hunter) can take a particular alert or event and run it into the ground, a good threat hunter will take a step back and look at a collection of data, alerts or events. Threat hunters must be inquisitive and unrelentingly curious about things—to the point that it bugs them if they don’t have a clear understanding of something. Instead of just answering a question, threat hunters are constantly trying to ask better questions of the data, coming up with creative new angles to answer them, and seeing what new questions they raise. Threat hunting also requires humility, to be able to quickly admit your mistakes so you can rapidly re-enter learning mode.

Threat hunting tooling

Threat hunting naturally pulls in a wide variety of tools, but our team has grown to prefer a few of the Microsoft tools whose design they have influenced.

  • Advanced hunting in Microsoft Threat Protection (MTP) tends to be the go-to tool for anything related to endpoints, identities, email, Azure resources, and SaaS applications.
  • Our teams also use Azure Sentinel, Jupyter notebooks, and custom analytics to hunt across broad datasets like application and network data, as well as diving deeper into identity, endpoint, Office 365, and other log data.

Our threat hunting teams across Microsoft contribute queries, playbooks, workbooks, and notebooks to the Azure Sentinel Community, including specific hunting queries that your teams can adapt and use.

Conclusion

We have discussed the art of threat hunting, different approaches to it, and what makes a good threat hunter. In the next entry, we dive deeper into how to build and refine a threat hunting program. If you are looking for more information on the SOC and other cybersecurity topics, check out previous entries in the series (Part 1 | Part 2a | Part 2b | Part 3a | Part 3b| Part 3c), Mark’s List, and our new security documentation site. Be sure to bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Lessons learned from the Microsoft SOC—Part 3d: Zen and the art of threat hunting appeared first on Microsoft Security.

Defending Exchange servers under attack

June 24th, 2020 No comments

Securing Exchange servers is one of the most important things defenders can do to limit organizational exposure to attacks. Any threat or vulnerability impacting Exchange servers should be treated with the highest priority because these servers contain critical business data, as well as highly privileged accounts that attackers attempt to compromise to gain admin rights to the server and, consequently, complete control of the network.

If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance. This is exacerbated by the fact that Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions. Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.

There are two primary ways in which Exchange servers are compromised. The first and more common scenario is attackers launching social engineering or drive-by download attacks targeting endpoints, where they steal credentials and move laterally to other endpoints in a progressive dump-escalate-move method until they gain access to an Exchange server.

The second scenario is where attackers exploit a remote code execution vulnerability affecting the underlying Internet Information Service (IIS) component of a target Exchange server. This is an attacker’s dream: directly landing on a server and, if the server has misconfigured access levels, gain system privileges.

The first scenario is more common, but we’re seeing a rise in attacks of the second variety; specifically, attacks that exploit Exchange vulnerabilities like CVE-2020-0688. The security update that fixes this vulnerability has been available for several months, but, notably, to this day, attackers find vulnerable servers to target.

In many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web accessible paths on the server. As we discussed in a previous blog, web shells allow attackers to steal data or perform malicious actions for further compromise.

Behavior-based detection and blocking of malicious activities on Exchange servers

Adversaries like using web shells, which are relatively small pieces of malicious code written in common programming languages, because these can be easily modified to evade traditional file-based protections. A more durable approach to detecting web shell activity involves profiling process activities originating from external-facing Exchange applications.

Behavior-based blocking and containment capabilities in Microsoft Defender ATP, which use engines that specialize in detecting threats by analyzing behavior, surface suspicious and malicious activities on Exchange servers. These detection engines are powered by cloud-based machine learning classifiers that are trained by expert-driven profiling of legitimate vs. suspicious activities in Exchange servers.

In April, multiple Exchange-specific behavior-based detections picked up unusual activity. The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells. Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain. Common services, for example Outlook on the web  (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC; formerly known as the  Exchange Control Panel or ECP), executing net.exe, cmd.exe, and other known living-off-the-land binaries (LOLBins) like mshta.exe is very suspicious and should be further investigated.

Figure 1. Behavior-based detections of attacker activity on Exchange servers

In this blog, we’ll share our investigation of the Exchange attacks in early April, covering multiple campaigns occurring at the same time. The data and techniques from this analysis make up an anatomy of Exchange server attacks. Notably, the attacks used multiple fileless techniques, adding another layer of complexity to detecting and resolving these threats, and demonstrating how behavior-based detections are key to protecting organizations.

Figure 2. Anatomy of an Exchange server attack

Initial access: Web shell deployment

Attackers started interacting with target Exchange servers through web shells they had deployed. Any path accessible over the internet is a potential target for web shell deployment, but in these attacks, the most common client access paths were:

  • %ProgramFiles%\Microsoft\Exchange Server\<version>\ClientAccess
  • %ProgramFiles%\Microsoft\Exchange Server\<version>\FrontEnd

The ClientAccess and FrontEnd directories provide various client access services such as Outlook on the web, EAC, and AutoDiscover, to name a few. These IIS virtual directories are automatically configured during server installation and provide authentication and proxy services for internal and external client connections.

These directories should be monitored for any new file creation. While file creation events alone cannot be treated as suspicious, correlating such events with the responsible process results in more reliable signals. Common services like OWA or ECP dropping .aspx or .ashx files in any of the said directories is highly suspicious.

In our investigation, most of these attacks used the China Chopper web shell. The attackers tried to blend the web shell script file with other .aspx files present on the system by using common file names. In many cases, hijacked servers used the ‘echo’ command to write the web shell. In other cases, certutil.exe or powershell.exe were used. Here are some examples of the China Chopper codes that were dropped in these attacks:

We also observed the attackers switching web shells or introducing two or more for various purposes. In one case, the attackers created an .ashx version of a popular, publicly available .aspx web shell, which exposes minimum functionality:

Figure 3. Microsoft Defender ATP alert for web shell

Reconnaissance

After web shell deployment, attackers typically ran an initial set of exploratory commands like whoami, ping, and net user. In most cases, the hijacked application pool services were running with system privileges, giving attackers the highest privilege.

Attackers enumerated all local groups and members on the domain to identify targets. Interestingly, in some campaigns, attackers used open-source user group enumerating tools like lg.exe instead of the built-in net.exe. Attackers also used the EternalBlue exploit and nbtstat scanner to identify vulnerable machines on the network.

Next, the attackers ran built-in Exchange Management Shell cmdlets to gain more information about the exchange environment. Attackers used these cmdlets to perform the following:

  • List all Exchange admin center virtual directories in client access services on all Mailbox servers in the network
  • Get a summary list of all the Exchange servers in the network
  • Get information on mailboxes, such as size and number of items, along with role assignments and permissions.

Figure 4. Microsoft Defender ATP alert showing process tree for anomalous account lookups

Persistence

On misconfigured servers where they have gained the highest privileges, attackers were able to add a new user account on the server. This gave the attackers the ability to access the server without the need to deploy any remote access tools.

The attackers then added the newly created account to high-privilege groups like Administrators, Remote Desktop Users, and Enterprise Admins, practically making the attackers a domain admin with unrestricted access to any users or group in the organization.

Figure 5. Microsoft Defender ATP alert showing process tree for addition of local admin using Net commands

Credential access

Exchange servers contain the most sensitive users and groups in an organization. Gaining credentials to these accounts could virtually give attackers domain admin privileges.

In our investigation, the attackers first dumped user hashes by saving the Security Account Manager (SAM) database from the registry.

Next, the attackers used the ProcDump tool to dump the Local Security Authority Subsystem Service (LSASS) memory. The dumps were later archived and uploaded to a remote location.

In some campaigns, attackers dropped Mimikatz and tried to dump hashes from the server.

Figure 6. Microsoft Defender ATP alert on detection of Mimikatz

In environments where Mimiktaz was blocked, attackers dropped a modified version with hardcoded implementation to avoid detection. Attackers also added a wrapper written in the Go programming language to make the binary more than 5 MB. The binary used the open-source MemoryModule library to load the binary using reflective DLL injection. Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence.

The attackers also enabled ‘wdigest’ registry settings, which forced the system to use WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user’s plaintext password in memory. This change allowed the attacker to steal the actual password, not just the hash.

Another example of stealthy execution that attackers implemented was creating a wrapper binary for ProcDump and Mimikatz. When run, the tool dropped and executed the ProcDump binary to dump the LSASS memory. The memory dump was loaded inside the same binary and parsed to extract passwords, another example of reflective DLL injection where the Mimikatz binary was present only in memory.

With attacker-controlled accounts now part of Domain Admins group, the attackers performed a technique called DCSYNC attack, which abuses the Active Directory replication capability to request account information, such as the NTLM hashes of all the users’ passwords in the organization. This technique is extremely stealthy because it can be performed without running a single command on the actual domain controller.

Lateral movement

In these attacks, the attackers used several known methods to move laterally:

  • The attackers heavily abused WMI for executing tools on remote systems.

  • The attackers also used other techniques such as creating service or schedule task on remote systems.

  • In some cases, the attackers simply run commands on remote systems using PsExec.

Exchange Management Shell abuse

The Exchange Management Shell is the PowerShell interface for administrators to manage the Exchange server. As such, it exposes many critical Exchange PowerShell cmdlets to allow admins to perform various maintenance tasks, such as assigning roles and permissions, and migration, including importing and exporting mailboxes. These cmdlets are available only on Exchange servers in the Exchange Management Shell or through remote PowerShell connections to the Exchange server.

To understand suspicious invocation of the Exchange Management Shell, we need to go one step back in the process chain and analyze the responsible process. As mentioned, common application pools MSExchangeOWAAppPool or MSExchangeECPAppPool accessing the shell should be considered suspicious.

In our investigation, attackers leveraged these admin cmdlets to perform critical tasks such as exporting mailboxes or running arbitrary scripts. Attackers used different ways to load and run PowerShell cmdlets through the Exchange Management Shell.

In certain cases, attackers created a PowerShell wrapper around the commands to effectively hide behind legitimate PowerShell activity.

These cmdlets allowed the attackers to perform the following:

  • Search received email

In our investigations, attackers were primarily interested in received emails. They searched for message delivery information filtered by the event ‘Received’. The search time frame showed the attackers were initially interested in the entire log history. Later, a similar command was run with a trimmed timeline of one year.

  • Export mailbox

Attackers exported mailboxes through these four steps:

    1. Granted ApplicationImpersnation role to the attacker-controlled account. This effectively allowed the supplied account to access all mailboxes in the organization.
    2. Granted ‘Mailbox Import Export’ role to the attacker-controlled account. This role is required to be added before attempting mailbox export.
    3. Exported the mailbox with filter “Received -gt ‘01/01/2020 0:00:00’”.
    4. Removed the mailbox export request to avoid raising suspicion.

Tampering with security tools

As part of lateral movement, the attackers attempted to disable Microsoft Defender Antivirus. Attackers also disabled archive scanning to bypass detection of tools and data compressed in .zip files, as well as created exclusion for .dat extension. The attackers tried to disable automatic updates to avoid any detection by new intelligence updates. For Microsoft Defender ATP customers, tamper protection prevents such malicious and unauthorized changes to security settings.

Remote access

The next step for attackers was to create a network architecture using port forwarding tools like plink.exe, a command line connection tool like ssh. Using these tools allowed attackers to bypass network restrictions and remotely access machines through Remote Desktop Protocol (RDP). This is a very stealthy technique: attackers reused dumped credentials to access the machines through encrypted tunneling software, eliminating the need to deploy backdoors, which may have a high chance of getting detected.

Exfiltration

Finally, dumped data was compressed using the utility tool rar.exe. The compressed data mostly comprised of the extracted .pst files, along with memory dumps.

Improving defenses against Exchange server compromise

As these attacks show, Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive, fileless techniques. For example, at every stage in the attack chain above, the attackers abused existing tools (LOLBins) and scripts to accomplish various tasks. Even in cases where non-system binaries were introduced, they were either legitimate and signed, like plink.exe, or just a proxy for the malicious binary, for example, the modified Mimikatz where the actual malicious payload never touched the disk.

Keeping these servers safe from these advanced attacks is of utmost importance. Here are steps that organizations can take to ensure they don’t fall victim to Exchange server compromise.

  1. Apply the latest security updates

Identify and remediate vulnerabilities or misconfigurations in Exchange servers. Deploy the latest security updates, especially for server components like Exchange, as soon as they become available. Specifically, check that the patches for CVE-2020-0688 is in place. Use threat and vulnerability management to audit these servers regularly for vulnerabilities, misconfigurations, and suspicious activity.

  1. Keep antivirus and other protections enabled

It’s critical to protect Exchange servers with antivirus software and other security solutions like firewall protection and MFA. Turn on cloud-delivered protection and automatic sample submission to use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. Use attack surface reduction rules to automatically block behaviors like credential theft and suspicious use of PsExec and WMI. Turn on tamper protection features to prevent attackers from stopping security services.

If you are worried that these security controls will affect performance or disrupt operations, engage with IT pros to help determine the true impact of these settings. Security teams and IT pros should collaborate on applying mitigations and appropriate settings.

  1. Review sensitive roles and groups

Review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Attackers add accounts to these groups to gain foothold on a server. Regularly review these groups for suspicious additions or removal. To identify Exchange-specific anomalies, review the list of users in sensitive roles such as mailbox import export and Organization Management using the Get-ManagementRoleAssignment cmdlet in Exchange PowerShell.

  1. Restrict access

Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords and Enable MFA. Use tools like LAPS.

Place access control list (ACL) restrictions on ECP and other virtual directories in IIS. Don’t expose the ECP directory to the web if it isn’t necessary and to anyone in the company who doesn’t need to access it. Apply similar restrictions to other application pools.

  1. Prioritize alerts

Pay attention to and immediately investigate alerts indicating suspicious activities on Exchange servers. Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Common application pools like ‘MSExchangeOWAAppPool’ or ‘MSExchangeECPAppPool’ are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as net.exe, cmd.exe, and mshta.exe originating from these pools or w3wp.exe in general.

Behavior-based blocking and containment capabilities in Microsoft Defender Advanced Threat Protection stop many of the malicious activities we described in this blog. Behavior-based blocking and containment stops advanced attacks in their tracks by detecting and halting malicious processes and behaviors.

 

 

Figure 7. Microsoft Defender ATP alerts on blocked behaviors

In addition, Microsoft Defender ATP’s endpoint detection and response (EDR) sensors provide visibility into other suspicious and malicious activities on Exchange servers, which are raised as alerts. The new alert page presents data in an investigation-driven approach meant to empower SecOps teams to easily investigate and take actions.

Figure 8. Microsoft Defender ATP alert and process tree

If these alerts are immediately prioritized, security operations teams can better mitigate attacks and prevent further damage. Beyond resolving these alerts in the shortest possible time, however, organizations should focus on investigating the end-to-end attack chain and trace the vulnerability, misconfiguration, or other weakness in the infrastructure that allowed the attack to occur.

Microsoft Defender ATP is a component of the broader Microsoft Threat Protection (MTP), which provides comprehensive visibility into advanced attacks by combining the capabilities of Office 365 ATP, Azure ATP, Microsoft Cloud App Security, and Microsoft Defender ATP. Through the incidents view, MTP provides a consolidated picture of related attack evidence that shows the complete attack story, empowering SecOps teams to thoroughly investigate attacks.

In addition, MTP’s visibility into malicious artifacts and behavior empowers security operations teams to proactively hunt for threats on Exchange servers. For example, MTP can be connected to Azure Sentinel to enable web shell threat hunting.

Through built-in intelligence and automation, Microsoft Threat Protection coordinates protection, detection, and response across endpoints, identity, data, and apps. Learn more.

 

Hardik Suri

Microsoft Defender ATP Research Team

 

MITRE ATT&CK techniques

Initial access

Execution

Persistence

Privilege escalation

Defense evasion

Credential access

Discovery

Lateral movement

Collection

Command and control

Exfiltration

 

The post Defending Exchange servers under attack appeared first on Microsoft Security.

Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint

June 18th, 2020 No comments

The increasing pervasiveness of cloud services in today’s work environments, accelerated by a crisis that forced companies around the globe to shift to remote work, is significantly changing how defenders must monitor and protect organizations. Corporate data is spread across multiple applications—on-premises and in the cloud—and accessed by users from anywhere using any device. With traditional surfaces expanding and network perimeters disappearing, novel attack scenarios and techniques are introduced.

Every day, we see attackers mount an offensive against target organizations through the cloud and various other attack vectors with the goal of finding the path of least resistance, quickly expanding foothold, and gaining control of valuable information and assets. To help organizations fend off these advanced attacks, Microsoft Threat Protection (MTP) leverages the Microsoft 365 security portfolio to automatically analyze cross-domain threat data, building a complete picture of each attack in a single dashboard. With this breadth and depth of clarity, defenders can focus on critical threats and hunting for sophisticated breaches across endpoints, email, identities and applications.

Among the wide range of actors that Microsoft tracks—from digital crime groups to nation-state activity groups—HOLMIUM is one of the most proficient in using cloud-based attack vectors. Attributed to a Middle East-based group and active since at least 2015, HOLMIUM has been performing espionage and destructive attacks targeting aerospace, defense, chemical, mining, and petrochemical-mining industries. HOLMIUM’s activities and techniques overlap with what other researchers and vendors refer to as APT33, StoneDrill, and Elfin.

HOLMIUM has been observed using various vectors for initial access, including spear-phishing email, sometimes carrying archive attachments that exploit the CVE-2018-20250 vulnerability in WinRAR, and password-spraying. Many of their recent attacks, however, have involved the penetration testing tool Ruler used in tandem with compromised Exchange credentials.

The group used Ruler to configure a specially crafted Outlook Home Page URL to exploit the security bypass vulnerability CVE-2017-11774, which was fixed shortly after it was discovered. Successful exploitation automatically triggered remote code execution of a script when an Outlook client synced with a mailbox and rendered the profile Home Page URL. These scripts, usually VBScript followed by PowerShell, in turn initiated the delivery of various payloads.

In this blog, the first in the Inside Microsoft Threat Protection series, we will show how MTP provides unparalleled end-to-end visibility into the activities of nation-state level attacks like HOLMIUM. In succeeding blog posts in this series, we will shine a spotlight on aspects of the coordinated defense delivered by Microsoft Threat Protection.

Tracing an end-to-end cloud-based HOLMIUM attack

HOLMIUM has likely been running cloud-based attacks with Ruler since 2018, but a notable wave of such attacks was observed in the first half of 2019. These attacks combined the outcome of continuous password spray activities against multiple organizations, followed by successful compromise of Office 365 accounts and the use of Ruler in short sequences to gain control of endpoints. This wave of attacks was the subject of a warning from US Cybercom in July 2019.

These HOLMIUM attacks typically started with intensive password spray against exposed Active Directory Federation Services (ADFS) infrastructure; organizations that were not using multi-factor authentication (MFA) for Office 365 accounts had a higher risk of having accounts compromised through password spray. After successfully identifying a few user and password combinations via password spray, HOLMIUM used virtual private network (VPN) services with IP addresses associated with multiple countries to validate that the compromised accounts also had access to Office 365.

Figure 1. Password spray and compromised account sign-ins by HOLMIUM as detected in Azure Advanced Threat Protection (ATP) and Microsoft Cloud App Security (MCAS)

Armed with a few compromised Office 365 accounts and not blocked by MFA defense, the group launched the next step with Ruler and configured a malicious Home Page URL which, once rendered during a normal email session, resulted in the remote code execution of a PowerShell backdoor through the exploitation of a vulnerability like CVE-2017-11774. The two domains abused by HOLMIUM and observed during this 2019 campaign were “topaudiobook.net” and “customermgmt.net”.

Figure 2. Exploitation of Outlook Home Page feature using Ruler-like tools

Figure 3. Weaponized home page and initial PowerShell payload

This initial foothold allowed HOLMIUM to run their custom PowerShell backdoor (known as POWERTON) directly from an Outlook process and to perform the installation of additional payloads on the endpoint with different persistence mechanisms, such as WMI subscription (T1084) or registry autorun keys (T1060). Once the group has taken control of the endpoint (in addition to the cloud identity), the next phase was hours of exploration of the victim’s network, enumerating user accounts and machines for additional compromise, and lateral movement within the perimeter. HOLMIUM attacks typically took less than a week from initial access via the cloud to obtaining unhampered access and full domain compromise, which then allowed the attackers to stay persistent for long periods of time, sometimes for months on end.

Figure 4. Snippets of HOLMIUM PowerShell backdoor (POWERTON) implementing two different persistence mechanisms: WMI event subscription (T1084) and Registry run keys or Startup folder (T1060)

HOLMIUM attacks as seen and acted upon by Microsoft Threat Protection

HOLMIUM attacks demonstrate how hybrid attacks that span from cloud to endpoints require a wide range of sensors for comprehensive visibility. Enabling organizations to detect attacks like these by correlating events in multiple domains – cloud, identity, endpoints – is the reason why we build products like Microsoft Threat Protection. As we described in our analysis of HOLMIUM attacks, the group compromised identities in the cloud and leveraged cloud APIs to gain code execution or persist. The attackers then used a cloud email configuration to run specially crafted PowerShell on endpoints every time the Outlook process is opened.

During these attacks, many target organizations reacted too late in the attack chain—when the malicious activities started manifesting on endpoints via the PowerShell commands and subsequent lateral movement behavior. The earlier attack stages like cloud events and password spray activities were oftentimes missed or sometimes not linked with activities observed on the endpoint. This resulted in gaps in visibility and, subsequently, incomplete remediation.

While it’s relatively easy to remediate and stop malicious processes and downloaded malware on endpoints using endpoint security solutions, such a conventional approach would mean that the attack is persistent in the cloud, so the endpoint could be immediately compromised again. Remediating identities in the cloud is a different story.

Figure 5. The typical timeline of a HOLMIUM attack kill-chain

In an organization utilizing MTP, multiple expert systems that monitor various aspects of the network would detect and raise alerts on HOLMIUM’s activities. MTP sees the full attack chain across domains beyond simply blocking on endpoints or zapping emails, thus putting organizations in a superior position to fight the threat.

Figure 6. MTP components able to prevent or detect HOLMIUM techniques across the kill chain.

These systems work in unison to prevent attacks or detect, block, and remediate malicious activities. Across affected domains, MTP detects signs of HOLMIUM’s attacks:

  • Azure ATP identifies account enumeration and brute force attacks
  • MCAS detects anomalous Office 365 sign-ins that use potentially compromised credentials or from suspicious locations or networks
  • Microsoft Defender ATP exposes malicious PowerShell executions on endpoints triggered from Outlook Home Page exploitation

Figure 7. Activities detected across affected domains by different MTP expert systems

Traditionally, these detections would each be surfaced in its own portal, alerting on pieces of the attack but requiring the security team to stitch together the full picture. With Microsoft Threat Protection, the pieces of the puzzle are fused automatically through deep threat investigation. MTP generates a combined incident view that shows the end-to-end attack, with all related evidence and affected assets in one view.

Figure 8. The MTP incident brings together in one view the entire end-to-end attack across domain boundaries

Understanding the full attack chain enables MTP to automatically intervene to block the attack and remediate assets holistically across domains. In HOLMIUM attacks, MTP not only stops the PowerShell activity on endpoints but also contains the impact of stolen user accounts by marking them as compromised in Azure AD. This invokes Conditional Access as configured in Azure AD and applies conditions like MFA or limitations on the user account’s permissions to access organizational resources until the account is remediated fully.

Figure 9. Coordinated automatic containment and remediation across email, identity, and endpoints

Security teams can dig deep and expand their investigation into the incident in Microsoft 365 Security Center, where all details and related activities are available in one place. Furthermore, security teams can hunt for more malicious activities and artifacts through advanced hunting, which brings together all the raw data collected across product domains into one unified schema with powerful query constructs.

Figure 10. Hunting for activities across email, identity, endpoint and cloud applications

Finally, when the attack is blocked and all affected assets are remediated, MTP helps organizations identify improvements to their security configuration that would prevent the attacker from returning. The Threat Analytics report provides an exposure view and recommends prevention measures relevant to the threat. For example, the Analytics Report for HOLMIUM recommended, among other things, applying the appropriate security updates to prevent tools like Ruler from operating, as well as completely eliminating this attack vector in the organization.

Figure 11. Threat Analytics provides organizational exposure and recommended mitigations for HOLMIUM 

Microsoft Threat Protection: Stop attacks with automated cross-domain security

HOLMIUM exemplifies the sophistication of today’s cyberattacks, which leverage techniques spanning organizational cloud services and on-prem devices. Organizations must equip themselves with security tools that enable them to see the attack sprawl and respond to these attacks holistically and automatically. Protecting organizations from sophisticated attacks like HOLMIUM is the backbone of MTP.

Microsoft Threat Protection harnesses the power of Microsoft 365 security products and brings them together into an unparalleled coordinated defense that detects, correlates, blocks, remediates, and prevents such attacks across an organization’s Microsoft 365 environment. Existing Microsoft 365 licenses provide access to Microsoft Threat Protection features in Microsoft 365 security center without additional cost. Learn how Microsoft Threat Protection can help your organization to stop attacks with coordinated defense.

 

The post Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint appeared first on Microsoft Security.

Exploiting a crisis: How cybercriminals behaved during the outbreak

June 16th, 2020 No comments

In the past several months, seemingly conflicting data has been published about cybercriminals taking advantage of the COVID-19 outbreak to attack consumers and enterprises alike. Big numbers can show shifts in attacker behavior and grab headlines. Cybercriminals did indeed adapt their tactics to match what was going on in the world, and what we saw in the threat environment was parallel to the uptick in COVID-19 headlines and the desire for more information.

If one backtracked to early February, COVID-19 news and themed attacks were relatively scarce. It wasn’t until February 11, when the World Health Organization named the global health emergency as “COVID-19”, that attackers started to actively deploy opportunistic campaigns. The week following that declaration saw these attacks increase eleven-fold. While this was below two percent of overall attacks Microsoft saw each month, it was clear that cybercriminals wanted to exploit the situation: eople around the world were becoming aware of the outbreak and were actively seeking information and solutions to combat it.

Worldwide, we observed COVID-19 themed attacks peak in the first two weeks of March. That coincided with many nations beginning to take action to reduce the spread of the virus and travel restrictions coming into effect. By the end of March, every country in the world had seen at least one COVID-19 themed attack.

Graph showing trend of COVID-19 themed attacks and mapping key events during the outbreak

Figure 1. Trend of COVID-19 themed attacks

The rise in COVID-19 themed attacks closely mirrored the unfolding of the worldwide event. The point of contention was whether these attacks were new or repurposed threats. Looking through Microsoft’s broad threat intelligence on endpoints, email and data, identities, and apps, we concluded that this surge of COVID-19 themed attacks was really a repurposing from known attackers using existing infrastructure and malware with new lures.

In fact, the overall trend of malware detections worldwide (orange line in Figure 2) did not vary significantly during this time. The spike of COVID-19 themed attacks you see above (yellow line in Figure 1) is barely a blip in the total volume of threats we typically see in a month. Malware campaigns, attack infrastructure, and phishing attacks all showed signs of this opportunistic behavior. As we documented previously, these cybercriminals even targeted key industries and individuals working to address the outbreak. These shifts were typical of the global threat landscape, but what was peculiar in this case was how the global nature and universal impact of the crisis made the cybercriminal’s work easier. They preyed on our concern, confusion, and desire for resolution.

Graph showing trend of all attacks versus COVID-19 themed attacks

Figure 2. Trend of overall global attacks vs. COVID-19 themed attacks

After peaking in early March, COVID-19 themed attacks settled into a “new normal”. While these themed attacks are still higher than they were in early February and are likely to continue as long as COVID-19 persists, this pattern of changing lures prove to be outliers, and the vast majority of the threat landscape falls into typical phishing and identity compromise patterns.

Cybercriminals are adaptable and always looking for the best and easiest ways to gain new victims. Commodity malware attacks, in particular, are looking for the biggest risk-versus-reward payouts. The industry sometimes focuses heavily on advanced attacks that exploit zero-day vulnerabilities, but every day the bigger risk for more people is being tricked into running unknown programs or Trojanized documents. Likewise, defenders adapt and drive up the cost of successful attacks. Starting in April, we observed defenders greatly increasing phishing awareness and training for their enterprises, raising the cost and complexity barrier for cybercriminals targeting their employees. These dynamics behave very much like economic models if you turn “sellers” to “cybercriminals” and “customers” to “victims”.

Graph showing trend of COVID-19 themed attacks

Figure 3. Trend of COVID-19 themed attacks

Lures, like news, are always local

Cybercriminals are looking for the easiest point of compromise or entry. One way they do this is by ripping lures from the headlines and tailoring these lures to geographies and locations of their intended victims. This is consistent with the plethora of phishing studies that show highly localized social engineering lures. In enterprise-focused phishing attacks this can look like expected documents arriving and asking the user to take action.

During the COVID-19 outbreak, cybercriminals closely mimicked the local developments of the crisis and the reactions to them. Here we can see the global trend of concern about the outbreak playing out with regional differences. Below we take a deeper look at three countries and how local events landed in relation to observed attacks.

FOCUS: United Kingdom

Attacks targeting the United Kingdom initially followed a trajectory similar to the global data, but spiked early, appearing to be influenced by the news and concerns in the nation. Data shows a first peak approximately at the first confirmed COVID-19 death in the UK, with growth beginning again with the FTSE 100 stock crash on March 9, and then ultimately peaking around the time the United States announced a travel ban to Europe.

Graph showing trend of COVID-19 themed attacks and mapping key events during the outbreak in the UK

Figure 4. Trend of COVID-19 themed attacks in the United Kingdom showing unique encounters (distinct malware files) and total encounters (number of times the files are detected)

In the latter half of March, the United Kingdom increased transparency and information to the public as outbreak protocols were implemented, including the closure of schools. The attacks dropped considerably all the way to April 5, when Queen Elizabeth II made a rare televised address to the nation. The very next day, Prime Minister Boris Johnson, who was hospitalized on April 6 due to COVID-19, was moved to intensive care. Data shows a corresponding increase in attacks until April 12, the day the Prime Minister was discharged from the hospital. The level of themed attacks then plateaued at about 3,500 daily attacks until roughly the end of April. The UK government proclaimed the country had passed the peak of infections and began to restore a new normalcy. Attacks took a notable drop to around 2,000 daily attacks.

Sample phishing email with COVID-19 themed lure

Sample phishing email using COVID-19 themed lure

Figure 5. Sample COVID-19 themed lures in attacks seen in the UK

FOCUS: Republic of Korea

The Republic of Korea was one of the earliest countries hit by COVID-19 and one of the most active in combating the virus. We observed attacks in Korea increase and, like the global trend, peak in early March. However, the spike in attacks for this country is steeper than the worldwide average, coinciding with the earlier arrival of the virus here.

Graph showing trend of COVID-19 themed attacks and key events during the outbreak in South Korea

Figure 6. Trend of COVID-19 themed attacks in the Republic of Korea showing unique encounters (distinct malware files) and total encounters (number of times the files are detected)

Interestingly, themed attacks were minimal at the beginning of February despite the impact of the virus. Cybercriminals did not truly ramp up attacks until the middle of February, closely mapping key events like identifying patients from the Shincheonji religious organization, military base lock downs, and international travel restrictions. While these national news events did not create the attacks, it’s clear cybercriminals saw an opening to compromise more victims.

Increased testing and transparency about the outbreak mapped to a downward trajectory of attacks in the first half of March. Looking forward through the end of May, the trend of themed attacks targeting Korean victims significantly departed from the global trajectory. We observed increasing attacks as the country restored some civic life. Attacks ultimately reached a peak around May 23. Analysis is still ongoing to understand the dynamics that drove this atypical increase.

FOCUS: United States

COVID-19 themed attacks in the United States largely followed the global attack trend. The initial ascent began mid-February after the World Health Organization officially named the virus. Attacks reached first peak at the end of February, coinciding with the first confirmed COVID-19 death in the country, and hit its highest point by mid-March, coinciding with the announced international travel ban. The last half of March saw a significant decrease in themed attacks. Telemetry from April and May shows themed attacks leveling off between 20,000 and 30,000 daily attacks. The same pattern of themed attacks mirroring the development of the outbreak and local concern likely played out at the state level, too.

Graph showing trend of COVID-19 themed attacks and mapping key events during the outbreak in the United States

Figure 7. Trend of COVID-19 themed attacks in the United States showing unique encounters (distinct malware files) and total encounters (number of times the files are detected)

Sample COVID-19 themed lure

Figure 8. Sample COVID-19 themed lures in attacks seen in the US

Conclusions

The COVID-19 outbreak has truly been a global event. Cybercriminals have taken advantage of the crisis to lure new victims using existing malware threats. In examining the telemetry, these attacks appear to be highly correlated to local interest and news.

Overall, COVID-19 themed attacks are just a small percentage of the overall threats the Microsoft has observed over the last four months. There was a global spike of themed attacks cumulating in the first two weeks of March. Based on the overall trend of attacks it appears that the themed attacks were at the cost of other attacks in the threat environment.

These last four months have seen a lot of focus on the outbreak – both virus and cyber. The lessons we draw from Microsoft’s observations are:

  • Cybercriminals adapt their tactics to take advantage of local events that are likely to lure the most victims to their schemes. Those lures change quickly and fluidly while the underlying malware threats remain.
  • Defender investment is best placed in cross-domain signal analysis, update deployment, and user education. These COVID-19 themed attacks show us that the threats our users face are constant on a global scale. Investments that raise the cost of attack or lower the likelihood of success are the optimal path forward.
  • Focus on behaviors of attackers will be more effective than just examining indicators of compromise, which tend to be more signals in time than durable.

To help organizations stay protected from the opportunistic, quickly evolving threats we saw during the outbreak, as well as the much larger total volume of threats, Microsoft Threat Protection (MTP) provides cross-domain visibility. It delivers coordinated defense by orchestrating protection, detection, and response across endpoints, identities, email, and apps.

Organizations should further improve security posture by educating end users about spotting phishing and social engineering attacks and practicing credential hygiene. Organizations can use Microsoft Secure Score to assesses and measure security posture and apply recommended improvement actions, guidance, and control. Using a centralized dashboard in Microsoft 365 security center, organizations can compare their security posture with benchmarks and establish key performance indicators (KPIs).

 

The post Exploiting a crisis: How cybercriminals behaved during the outbreak appeared first on Microsoft Security.

Misconfigured Kubeflow workloads are a security risk

June 10th, 2020 No comments

Azure Security Center (ASC) monitors and defends thousands of Kubernetes clusters running on top of AKS. Azure Security Center regularly searches for and research for new attack vectors against Kubernetes workloads. We recently published a blog post about a large scale campaign against Kubernetes clusters that abused exposed Kubernetes dashboards for deploying cryptocurrency miners.

In this blog, we’ll reveal a new campaign that was observed recently by ASC that targets Kubeflow, a machine learning toolkit for Kubernetes. We observed that this attack effected on tens of Kubernetes clusters.

Kubeflow is an open-source project, started as a project for running TensorFlow jobs on Kubernetes. Kubeflow has grown and become a popular framework for running machine learning tasks in Kubernetes. Nodes that are used for ML tasks are often relatively powerful, and in some cases include GPUs. This fact makes Kubernetes clusters that are used for ML tasks a perfect target for crypto mining campaigns, which was the aim of this attack.

During April, we observed deployment of a suspect image from a public repository on many different clusters. The image is ddsfdfsaadfs/dfsdf:99. By inspecting the image’s layers, we can see that this image runs an XMRIG miner:

We can see that this image runs an XMRIG miner:

This repository contains several more images, which differ in the mining configuration. We saw some deployments of those images too.

Looking at the various clusters that the above image ran on showed that most of them run Kubeflow. This fact implies that the access vector in this attacker is the machine-learning framework.

The question is how can Kubeflow be used as an access vector for such an attack?

Kubeflow framework consists of many different services. Some of those services include: frameworks for training models, Katib and Jupyter notebook server, and more.

Kubeflow is a containerized service: the various tasks run as containers in the cluster. Therefore, if attackers somehow get access to Kubeflow, they have multiple ways to run their malicious image in the cluster.

The framework is divided into different namespaces, which are a collection of Kubeflow services. Those namespaces are translated into Kubernetes namespaces in which the resources are deployed.

In first access to Kubeflow, the user is prompted to create a namespace:

In first access to Kubeflow, the user is prompted to create a namespace.

In the picture above, we created a new namespace with the default name anonymous. This namespace is broadly seen in the attack and was one of the indicators to the access vector in this campaign.

Kubeflow creates multiple CRDs in the cluster which expose some functionality over the API server:

Kubeflow creates multiple CRDs in the cluster.

In addition, Kubeflow exposes its UI functionality via a dashboard that is deployed in the cluster:

Kubeflow exposes its UI functionality via a dashboard.

The dashboard is exposed by Istio ingress gateway, which is by default accessible only internally. Therefore, users should use port-forward to access the dashboard (which tunnels the traffic via the Kubernetes API server).

In some cases, users modify the setting of the Istio Service to Load-Balancer which exposes the Service (istio-ingressgateway in the namespace istio-system) to the Internet. We believe that some users chose to do it for convenience: without this action, accessing to the dashboard requires tunneling through the Kubernetes API server and isn’t direct. By exposing the Service to the Internet, users can access to the dashboard directly. However, this operation enables insecure access to the Kubeflow dashboard, which allows anyone to perform operations in Kubeflow, including deploying new containers in the cluster.

If attackers have access to the dashboard, they have multiple methods to deploy a backdoor container in the cluster. We will demonstrate two options:

  1. Kubeflow enables users to create a Jupyter notebook server. Kubeflow allows users to choose the image for the notebook server, including an option to specify a custom image:

Image of a Jupyter notebook server custom image deployment option.

This image doesn’t necessarily have to be a legitimate notebook image, thus attackers can run their own image using this feature.

  1. Another method that attackers can use is to deploy a malicious container from a real Jupyter notebook: attackers can use a new or existing notebook for running their Python code. The code runs from the notebook server, which is a container by itself with a mounted service account. This service account (by default configuration) has permissions to deploy containers in its namespace. Therefore, attackers can use it to deploy their backdoor container in the cluster. Here’s an example of deploying a container from the notebook using its service account:

Here’s an example of deploying a container from the notebook using its service account.

The Kubernetes threat matrix that we recently published contains techniques that can be used by attackers to attack the Kubernetes cluster. A representation of this campaign in the matrix would look like:

A representation of this campaign in the matrix.

The attacker used an exposed dashboard (Kubeflow dashboard in this case) for gaining initial access to the cluster. The execution and persistence in the cluster were performed by a container that was deployed in the cluster. The attacker managed to move laterally and deploy the container using the mounted service account. Finally, the attacker impacted the cluster by running a cryptocurrency miner.

How to check if your cluster is impacted?

  1. Verify that the malicious container is not deployed in the cluster. The following command can help you to check it:

kubectl get pods –all-namespaces -o jsonpath=”{.items[*].spec.containers[*].image}”  | grep -i ddsfdfsaadfs 

  1. In case Kubeflow is deployed in the cluster, make sure that its dashboard isn’t exposed to the internet: check the type of the Istio ingress service by the following command and make sure that it is not a load balancer with a public IP:

kubectl get service istio-ingressgateway -n istio-system

Conclusion

Azure Security Center has detected multiple campaigns against Kubernetes clusters in the past that have a similar access vector: an exposed service to the internet. However, this is the first time that we have identified an attack that targets Kubeflow environments specifically.

When deploying a service like Kubeflow within a cluster it is crucial to be aware of security aspects such as:

  1. Authentication and access control to the application.
  2. Monitor the public-facing endpoints of the cluster. Make sure that sensitive interfaces are not exposed to the internet in an unsecure method. You can restrict public load balancers in the cluster by using Azure Policy, which now has integration with Gatekeeper.
  3. Regularly monitor the runtime environment. This includes monitoring the running containers, their images, and the processes that they run.
  4. Allow deployments of only trusted images and scan your images for vulnerabilities. The allowed images in the cluster can be restricted by using Azure Policy.

To learn more about AKS Support in Azure Security Center, please see this documentation.

Start a trial of Azure Security Center Standard to get advanced threat protection capabilities.

The post Misconfigured Kubeflow workloads are a security risk appeared first on Microsoft Security.

The science behind Microsoft Threat Protection: Attack modeling for finding and stopping evasive ransomware

June 10th, 2020 No comments

The linchpin of successful cyberattacks, exemplified by nation state-level attacks and human-operated ransomware, is their ability to find the path of least resistance and progressively move across a compromised network. Determining the full scope and impact of these attacks is one the most critical, but often most challenging, parts of security operations.

To provide security teams with the visibility and solutions to fight cyberattacks, Microsoft Threat Protection (MTP) correlates threat signals across multiple domains and point solutions, including endpoints, identities, data, and applications. This comprehensive visibility allows MTP to coordinate prevention, detection, and response across your Microsoft 365 data.

One of the many ways that MTP delivers on this promise is by providing high-quality consolidation of attack evidence through the concept of incidents. Incidents combine related alerts and attack behaviors within an enterprise. An example of an incident is the consolidation of all behaviors indicating ransomware is present on multiple machines, and connecting lateral movement behavior with initial access via brute force. Another example can be found in the latest MITRE ATT&CK evaluation, where Microsoft Threat Protection automatically correlated 80 distinct alerts into two incidents that mirrored the two attack simulations.

The incident view helps empower defenders to quickly understand and respond to the end-to-end scope of real-world attacks. In this blog we will share details about a data-driven approach for identifying and augmenting incidents with behavioral evidence of lateral movement detected through statistical modeling. This novel approach, an intersection of data science and security expertise, is validated and leveraged by our own Microsoft Threat Experts in identifying and understanding the scope of attacks.

Identifying lateral movement

Attackers move laterally to escalate privileges or to steal information from specific machines in a compromised network. Lateral movement typically involves adversaries attempting to co-opt legitimate management and business operation capabilities, including applications such as Server Message Block (SMB), Windows Management Instrumentation (WMI), Windows Remote Management (WinRM), and Remote Desktop Protocol (RDP). Attackers target these technologies that have legitimate uses in maintaining functionality of a network because they provide ample opportunities to blend in with large volumes of expected telemetry and provide paths to their objectives. More recently, we have observed attackers performing lateral movement, and then using the aforementioned WMI or SMB to deploy ransomware or data-wiping malware to multiple target machines in the network.

A recent attack from the PARINACOTA group, known for human-operated attacks that deploy the Wadhrama ransomware, is notable for its use of multiple methods for lateral movement. After gaining initial access to an internet-facing server via RDP brute force, the attackers searched for additional vulnerable machines in the network by scanning on ports 3389 (RDP), 445 (SMB), and 22 (SSH).

The adversaries downloaded and used Hydra to brute force targets via SMB and SSH. In addition, they used credentials that they stole through credential dumping using Mimikatz to sign into multiple other server machines via Remote Desktop. On all additional machines they were able to access, the attackers performed mainly the same activities, dumping credentials and searching for valuable information.

Notably, the attackers were particularly interested in a server that did not have Remote Desktop enabled. They used WMI in conjunction with PsExec to allow remote desktop connections on the server and then used netsh to disable blocking on port 3389 in the firewall. This allowed the attackers to connect to the server via RDP.

They eventually used this server to deploy ransomware to a huge portion of the organization’s server machine infrastructure. The attack, an example of a human-operated ransomware campaign, crippled much of the organization’s functionality, demonstrating that detecting and mitigating lateral movement is critical.

PARINACOTA ransomware attack chain

Figure 1. PARINACOTA attack with multiple lateral movement methods

A probabilistic approach for inferring lateral movement

Automatically correlating alerts and evidence of lateral movement into distinct incidents requires understanding the full scope of an attack and establishing the links of an attacker’s activities that show movement across a network. Distinguishing malicious attacker activities among the noise of legitimate logons in complex networks can be challenging and time-consuming. Failing to get an aggregated view of all related alerts, assets, investigations, and evidence may limit the action that defenders take to mitigate and fully resolve an attack.

Microsoft Threat Protection uses its unique cross-domain visibility and built-in automation powered to detect lateral movement The data-driven approach to detecting lateral movement involves understanding and statistically quantifying behaviors that are observed to a part of one attack chain, for example, credential theft followed by remote connections to other devices and further unexpected or malicious activity.

Dynamic probability models, which are capable of self-learning over time using new information, quantify the likelihood of observing lateral movement given relevant signals. These signals can include the frequency of network connections between endpoints over certain ports, suspicious dropped files, and types of processes that are executed on endpoints. Multiple behavioral models encode different facets of an attack chain by correlating specific behaviors associated with attacks. These models, in combination with anomaly detection, drive the discovery of both known and unknown attacks.

Evidence of lateral movement can be modeled using a graph-based approach, which involves constructing appropriate nodes and edges in the right timeline. Figure 2 depicts a graphical representation of how an attacker might laterally move through a network. The objective of graphing an attack is to discover related subgraphs with high enough confidence to surface for immediate further investigation. Building behavioral models that can accurately compute probabilities of attacks is key to ensuring that confidence is correctly measured and all related events are combined.

Visualization of network with an attacker moving laterally

Figure 2. Visualization of network with an attacker moving laterally (combining incidents 1, 2, 4, 5)

Figure 3 outlines the steps involved for modeling lateral movement and encoding behaviors that are later referenced for augmenting incidents. Through advanced hunting, examples of lateral movement are surfaced, and real attack behaviors are analyzed. Signals are then formed by aggregating telemetry, and behavioral models are defined and computed.

Diagram showing steps for specifying statistical models for detecting lateral movement

Figure 3. Specifying statistical models to detect lateral movement encoding behaviors

Behavioral models are carefully designed by statisticians and threat experts working together to combine best practices from probabilistic reasoning and security, and to precisely reflect the attacker landscape.

With behavioral models specified, the process for incident augmentation proceeds by applying fuzzy mapping to respective behaviors, followed by estimating the likelihood of an attack. For example, if there’s sufficient confidence that the relative likelihood of an attack is higher, including the lateral movement behaviors, then the events are linked. Figure 4 shows the flow of this logic. We have demonstrated that the combination of this modeling with a feedback loop based on expert knowledge and real-world examples accurately discovers attack chains.

Diagram showing steps of algorithm for augmenting incidents using graph inference

Figure 4. Flow of incident augmentation algorithm based on graph inference

Chaining together the flow of this logic in a graph exposes attacks as they traverse a network. Figure 5 shows, for instance, how alerts can be leveraged as nodes and DCOM traffic (TCP port 135) as edges to identify lateral movement across machines. The alerts on these machines can then be fused together into a single incident. Visualizing these edges and nodes in a graph shows how a single compromised machine could allow an attacker to move laterally to three machines, one of which was then used for even further lateral movement.

Diagram showing relevant alerts as an attack move laterally from one machine to other machines

Figure 5. Correlating attacks as they pivot through machines

Augmenting incidents with lateral movement intel

The PARINACOTA attack we described earlier is a human-operated ransomware campaign that involved compromising six newly onboarded servers. Microsoft Threat Protection automatically correlated the following events into an incident that showed the end-to-end attack chain:

  • A behavioral model identified RDP inbound brute force attempts that started a few days before the ransomware was deployed, as depicted in Figure 6.
  • When the initial compromise was detected, the brute force attempts were automatically identified as the cause of the breach.
  • Following the breach, attackers dropped multiple suspicious files on the compromised server and proceeded to move laterally to multiple other servers and deploy the ransomware payload. This attack chain raised 16 distinct alerts that Microsoft Threat Protection, applying the probabilistic reasoning method, correlated into the same incident indicating the spread of ransomware, as illustrated in Figure 7.

Graph showing increased daily inbound RDP traffic

Figure 6. Indicator of brute force attack based on time series count of daily inbound public IP

Diagram showing ransomware being deployed after an attacker has moved laterally

Figure 7. Representation of post breach and ransomware spreading from initial compromised server

Another area where constructing graphs is particularly useful is when attacks originate from unknown devices. These unknown devices can be misconfigured machines, rogue devices, or even IoT devices within a network. Even when there’s no robust telemetry from devices, they can still be used as linking points for correlating activity across multiple monitored devices.

In one example, as demonstrated in figure 8, we saw lateral movement from an unmonitored device via SMB to a monitored device. That device then established a connection back to a command-and-control (C2), set up persistence, and collected a variety of information from the device. Later, the same unmonitored device established an SMB connection to a second monitored device. This time, the only actions the attacker took was to collect information from the device.

The two devices shared a common set of events that were correlated into the same incident:

  • Sign-in from an unknown device via SMB
  • Collecting device information

Diagram showing suspicious traffic from unknown devices

Figure 8: Correlating attacks from unknown devices

Conclusion

Lateral movement is one of the most challenging areas of attack detection because it can be a very subtle signal amidst the normal hum of a large environment. In this blog we described a data-driven approach for identifying lateral movement in enterprise networks, with the goal of driving incident-level discovery of attacks, delivering on the Microsoft Threat Protection (MTP) promise to provide coordinated defense against attacks. This approach works by:

  • Consolidating signals from Microsoft Threat Protection’s unparalleled visibility into endpoints, identities, data, and applications.
  • Forming automated, compound questions of the data to identify evidence of an attack across the data ecosystem.
  • Building subgraphs of lateral movement across devices by modeling attack behavior probabilistically.

This approach combines industry-leading optics, expertise, and data science, resulting in automated discovery of some of the most critical threats in customer environments today. Through Microsoft Threat Protection, organizations can uncover lateral movement in their networks and gain understanding of end-to-end attack chains. Microsoft Threat Protection empowers defenders to automatically stop and resolve attacks, so security operations teams can focus their precious time and resources to more critical tasks, including performing mitigation actions that can remove the ability of attackers to move laterally in the first place, as outlined in some of our recent investigations here and here.

 

 

Justin Carroll, Cole Sodja, Mike Flowers, Joshua Neil, Jonathan Bar Or, Dustin Duran

Microsoft Threat Protection Team

 

The post The science behind Microsoft Threat Protection: Attack modeling for finding and stopping evasive ransomware appeared first on Microsoft Security.

Zero Trust—Part 1: Networking

June 8th, 2020 No comments

Enterprises used to be able to secure their corporate perimeters with traditional network controls and feel confident that they were keeping hackers out. However, in a mobile- and cloud-first world, in which the rate and the sophistication level of security attacks are increasing, they can no longer rely on this approach. Taking a Zero Trust approach can help to ensure optimal security without compromising end user application experiences.

Microsoft has a long history of working with customers on how to protect against a broad range of security attacks and we are one of the largest producers of threat intelligence built on the variety of data that flows through our network.

Today, I’d like to share how you can be successful implementing the Zero Trust model by rethinking your network strategy. Here’s a video that will give you a quick overview:

Over a series of three blogs (of which this is the first), we will take a deeper dive into the aspects of the Networking pillar in the Microsoft Zero Trust security model. We will go through each of the dimensions listed (network segmentation, threat protection, and encryption) and show design patterns and helpful guidance on using Microsoft Azure services to achieve optimality.

As mentioned in our Maturity Model paper, all data is ultimately accessed over network infrastructure. Networking controls can provide critical “in pipe” controls to enhance visibility and help prevent attackers from moving laterally across the network. Networks should be segmented (including deep in network micro-segmentation) and real-time threat protection, end-to-end encryption, monitoring, and analytics should be employed.

Maturity model

Maturity model.

We will go over the first one, network segmentation, in this blog. One thing to keep in mind is that while moving straight from the traditional stage to optimal is ideal, most organizations will need to take a phased approach that generally follows along the maturity model journey.

The need for network segmentation

If you refer to the three core principles (Verify Explicitly, Use Least Privilege Access, and Assume Breach), a Zero Trust approach encourages you to think that a security incident can happen anytime and you are always under attack. One of the things you want to be ready with is a setup that minimizes the blast radius of such an incident—this is where segmenting your network while you design its layout becomes important. In addition, by implementing these software-defined perimeters with increasingly granular controls, you will increase the “cost” to attackers to propagate through your network and thereby dramatically reduce the lateral movement of threats.

Network segmentation in Azure

When you operate on Azure, you have a wide and diverse set of segmentation controls available to help create isolated environments. Here are the five basic controls that you can use to perform network segmentation in Azure:

Network segmentation in Azure

Segmentation patterns

There are three common segmentation patterns when it comes to organizing your workload in Azure:

  1. Single Virtual Network
  2. Multiple Virtual Networks with peering
  3. Multiple Virtual Networks in hub-and-spoke model

Each of these provide a different type of isolation and connectivity. As to which one works best for your organization is a planning decision based on your organization’s needs. Here’s where you can read about Segmenting Virtual Networks in more detail and learn how each of these models can be done using Azure Networking services.

The internet boundary

Whether you are building a modern application in the cloud or you just migrated a set of applications to Azure, most applications require some ability to send and receive data to/from the public internet. Any time you expose a resource to a network you increase threat risk, and with internet exposure this is further compounded by a large set of possible threats.

The recommended approach in Azure is to use Azure DDoS Protection Service, Azure Firewall, and Azure Web Application Firewall to provide comprehensive threat protection. This setup of having an internet boundary using these services is important in a segmentation architecture since it essentially segments your application stack away from the internet while providing carefully inspected traffic to/from it.

The datacenter or on-premises network boundary

In addition to internet connectivity, your application stack on Azure might need connectivity back to your IT footprint in your on-premises datacenter(s) and/or other public clouds. You have multiple options to achieve that: you can choose to have direct connectivity using Express Route, use our VPN Gateway, or have a more unified distributed connectivity experience using Azure Virtual WAN. The same concept of segmenting away your application stack applies here, so that any threats that might affect your datacenter or on-premises network will have a harder time propagating to your cloud platform (and vice-versa). 

The PaaS services boundary

As with most modern applications, chances are that your application will be using one of the many platform-as-a-service (PaaS) offerings available on Azure. Some examples of PaaS services you may want your application to call into include Azure Storage, Azure SQL Database, and Azure KeyVault. These are segmented away from your workload in an Azure virtual network since they run as a separate service built and operated by Azure.

On top of this built-in segmentation of PaaS services, Azure also makes it possible for you to do all your interactions with these services in the private address space using Azure PrivateLink. This connectivity capability ensures that all your interactions with PrivateLink-enabled PaaS services are done securely and all data exchanged remains in the Microsoft Network.

The PaaS services boundary.

In closing

Networking represents a great opportunity to make meaningful headway in your Zero Trust journey. Your Zero Trust efforts will not only help your security posture, but most efforts will also help you modernize your environment and improve organizational productivity. In this blog, we discussed how you can use networking services from Azure to build three types of segmentation patterns. In future blogs, we will dive deeper into how you can do the same for threat protection and encryption, the other two dimensions in the networking pillar described in our Zero Trust vision paper. In the meantime, we also invite you to watch our Ignite session to get additional information about network security offerings from Azure.

Make sure to check out the other deployment guides in the series by following the Microsoft Security blog. For more information on Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust—Part 1: Networking appeared first on Microsoft Security.

Categories: Threat protection, Zero Trust Tags:

Managing cybersecurity like a business risks: Part 1—Modeling opportunities and threats

May 28th, 2020 No comments

In recent years, cybersecurity has been elevated to a C-suite and board-level concern. This is appropriate given the stakes. Data breaches can have significant impact on a company’s reputation and profits. But, although businesses now consider cyberattacks a business risk, management of cyber risks is still siloed in technology and often not assessed in terms of other business drivers. To properly manage cybersecurity as a business risk, we need to rethink how we define and report on them.

The blog series, “Managing cybersecurity like a business risk,” will dig into how to update the cybersecurity risk definition, reporting, and management to align with business drivers. In today’s post, I’ll talk about why we need to model both opportunities as well as threats when we evaluate cyber risks. In future blogs, I’ll dig into some reporting tools that businesses can use to keep business leaders informed.

Digital transformation brings both opportunities and threats

Technology innovations such as artificial intelligence (AI), the cloud, and the internet of things (IoT) have disrupted many industries. Much of this disruption has been positive for businesses and consumers alike. Organizations can better tailor products and services to targeted segments of the population, and businesses have seized on these opportunities to create new business categories or reinvent old ones.

These same technologies have also introduced new threats. Legacy companies risk losing loyal customers by exploiting new markets. Digital transformation can result in a financial loss if big bets don’t pay off. And of course, as those of us in cybersecurity know well, cybercriminals and other adversaries have exploited the expanded attack surface and the mountains of data we collect.

The threats and opportunities of technology decisions are intertwined, and increasingly they impact not just operations but the core business. Too often decisions about digital transformation are made without evaluating cyber risks. Security is brought in at the very end to protect assets that are exposed. Cyber risks are typically managed from a standpoint of loss aversion without accounting for the possible gains of new opportunities. This approach can result in companies being either too cautious or not cautious enough. To maximize digital transformation opportunities, companies need good information that helps them take calculated risks.

It starts with a SWOT analysis

Threats and opportunities are external forces that may be factors for a company and all its competitors. One way to determine how your company should respond is by also understanding your weaknesses and strengths, which are internal factors.

  • Strengths: Characteristics or aspects of the organization or product that give it a competitive edge.
  • Weaknesses: Characteristics or aspects of the organization or product that puts it at a disadvantage compared to the competition.
  • Opportunities: Market conditions that could be exploited for benefit.
  • Threats: Market conditions that could cause damage or harm.

To crystallize these concepts, let’s consider a hypothetical brick and mortar retailer in the U.K. that sells stylish maternity clothes at an affordable price. In Europe, online retail is big business. Companies like ASOS and Zalando are disrupting traditional fashion. If we apply a SWOT analysis to them, it might look something like this.

  • Strength: Stylish maternity clothes sold at an affordable price, loyal referral-based clientele.
  • Weakness: Only available through brick and mortar stores, lack technology infrastructure to quickly go online, and lack security controls.
  • Opportunity: There is a market for these clothes beyond the U.K.
  • Threats: Retailers are a target for cyberattacks, customers trends indicate they will shop less frequently at brick and mortar stores in the future.

For this company, there isn’t an obvious choice. The retailer needs to figure out a way to maintain the loyalty of its current customers while preparing for a world where in-person shopping decreases. Ideally the company can use its strengths to overcome its weaknesses and confront threats. For example, the company’s loyal clients that already refer a lot of business could be incented to refer business via online channels to grow business. The company may also recognize that building security controls into an online business from the ground up is critical and take advantage of its steady customer base to buy some time and do it right.

Threat modeling and opportunity modeling paired together can help better define the potential gains and losses of different approaches.

Opportunity and threat modeling

Many cybersecurity professionals are familiar with threat modeling, which essentially poses the following questions, as recommended by the Electronic Frontier Foundation.

  • What do you want to protect?
  • Who do you want to protect it from?
  • How likely is it that you will need to protect it?
  • How bad are the consequences if you fail?
  • How much trouble are you willing to go through in order to try to prevent those?

But once we’ve begun to consider not just the threats but the opportunities available in each business decision, it becomes clear that this approach misses half the equation. Missed opportunity is a risk that isn’t captured in threat modeling. This is where opportunity modeling becomes valuable. Some of my thinking around opportunity modeling was inspired by a talk by John Sherwood at SABSA, and he suggested the following questions to effectively model opportunity:

  • What is the value of the asset you want to protect?
  • What is the potential gain of the opportunity?
  • How likely is it that the opportunity will be realized?
  • How likely is it that a strength be exploited?

This gives us a framework to consider the risk from both a threat and opportunity standpoint. Our hypothetical retailer knows it wants to protect the revenue generated by the current customers and referral model, which is the first question on each model. The other questions help quantify the potential loss if threats materialize and the potential gains of opportunities are realized. The company can use this information to better understand the ratio of risk to reward.

It’s never easy to make big decisions in light of potential risks, but when decisions are informed by considering both the potential gains and potential losses, you can also better define a risk management strategy, including the types of controls you will need to mitigate your risk.

In my next post in the “Managing cybersecurity like a business risk” series, I’ll review some qualitative and quantitative tools you can use to manage risk.

Read more about risk management from SABSA.  To learn more about Microsoft security solutions visit our website. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Managing cybersecurity like a business risks: Part 1—Modeling opportunities and threats appeared first on Microsoft Security.

Open-sourcing new COVID-19 threat intelligence

May 14th, 2020 No comments

A global threat requires a global response. While the world faces the common threat of COVID-19, defenders are working overtime to protect users all over the globe from cybercriminals using COVID-19 as a lure to mount attacks. As a security intelligence community, we are stronger when we share information that offers a more complete view of attackers’ shifting techniques. This more complete view enables us all to be more proactive in protecting, detecting, and defending against attacks.

At Microsoft, our security products provide built-in protections against these and other threats, and we’ve published detailed guidance to help organizations combat current threats (Responding to COVID-19 together). Our threat experts are sharing examples of malicious lures and we have enabled guided hunting of COVID-themed threats using Azure Sentinel Notebooks. Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack. Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions. Microsoft Threat Protection (MTP) customers are already protected against the threats identified by these indicators across endpoints with Microsoft Defender Advanced Threat Protection (ATP) and email with Office 365 ATP.

In addition, we are publishing these indicators for those not protected by Microsoft Threat Protection to raise awareness of attackers’ shift in techniques, how to spot them, and how to enable your own custom hunting. These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.

This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.

This COVID-specific threat intelligence feed represents a start at sharing some of Microsoft’s COVID-related IOCs. We will continue to explore ways to improve the data over the duration of the crisis. While some threats and actors are still best defended more discreetly, we are committed to greater transparency and taking community feedback on what types of information is most useful to defenders in protecting against COVID-related threats. This is a time-limited feed. We are maintaining this feed through the peak of the outbreak to help organizations focus on recovery.

Protection in Azure Sentinel and Microsoft Threat Protection

Today’s release includes file hash indicators related to email-based attachments identified as malicious and attempting to trick users with COVID-19 or Coronavirus-themed lures. The guidance below provides instructions on how to access and integrate this feed in your own environment.

For Azure Sentinel customers, these indicators can be either be imported directly into Azure Sentinel using a Playbook or accessed directly from queries.

The Azure Sentinel Playbook that Microsoft has authored will continuously monitor and import these indicators directly into your Azure Sentinel ThreatIntelligenceIndicator table. This Playbook will match with your event data and generate security incidents when the built-in threat intelligence analytic templates detect activity associated to these indicators.

These indicators can also be accessed directly from Azure Sentinel queries as follows:

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"));
covidIndicators

Azure Sentinel logs.

A sample detection query is also provided in the Azure Sentinel GitHub. With the table definition above, it is as simple as:

  1. Join the indicators against the logs ingested into Azure Sentinel as follows:
covidIndicators
| join ( CommonSecurityLog | where TimeGenerated >= ago(7d)
| where isnotempty(FileHashValue)
) on $left.FileHashValue == $right.FileHash
  1. Then, select “New alert rule” to configure Azure Sentinel to raise incidents based on this query returning results.

CyberSecurityDemo in Azure Sentinel logs.

You should begin to see Alerts in Azure Sentinel for any detections related to these COVID threat indicators.

Microsoft Threat Protection provides protection for the threats associated with these indicators. Attacks with these Covid-19-themed indicators are blocked by Office 365 ATP and Microsoft Defender ATP.

While MTP customers are already protected, they can also make use of these indicators for additional hunting scenarios using the MTP Advanced Hunting capabilities.

Here is a hunting query to see if any process created a file matching a hash on the list.

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join (DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == 'FileCreated'
| take 100) on $left.FileHashValue  == $right.SHA256

Advanced hunting in Microsoft Defender Security Center.

This is an Advanced Hunting query in MTP that searches for any recipient of an attachment on the indicator list and sees if any recent anomalous log-ons happened on their machine. While COVID threats are blocked by MTP, users targeted by these threats may be at risk for non-COVID related attacks and MTP is able to join data across device and email to investigate them.

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )    [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"] with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join (  EmailAttachmentInfo  | where Timestamp > ago(1d)
| project NetworkMessageId , SHA256
) on $left.FileHashValue  == $right.SHA256
| join (
EmailEvents
| where Timestamp > ago (1d)
) on NetworkMessageId
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0])
| join (
DeviceLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - TimeEmail) between (0min.. 90min)
| take 10

Advanced hunting in Microsoft 365 security.

Connecting an MISP instance to Azure Sentinel

The indicators published on the Azure Sentinel GitHub page can be consumed directly via MISP’s feed functionality. We have published details on doing this at this URL: https://aka.ms/msft-covid19-misp. Please refer to the Azure Sentinel documentation on connecting data from threat intelligence providers.

Using the indicators if you are not an Azure Sentinel or MTP customer

Yes, the Azure Sentinel GitHub is public: https://aka.ms/msft-covid19-Indicators

Examples of phishing campaigns in this threat intelligence

The following is a small sample set of the types of COVID-themed phishing lures using email attachments that will be represented in this feed. Beneath each screenshot are the relevant hashes and metadata.

Figure 1: Spoofing WHO branding with “cure” and “vaccine” messaging with a malicious .gz file.

Name: CURE FOR CORONAVIRUS_pdf.gz

World Health Organization phishing email.

Figure 2: Spoofing Red Cross Safety Tips with malicious .docm file.

Name: COVID-19 SAFETY TIPS.docm

Red Cross phishing email.

Figure 3: South African banking lure promoting COVID-19 financial relief with malicious .html files.

Name: SBSA-COVID-19-Financial Relief.html

Financial relief phishing email.

Figure 4: French language spoofed correspondence from the WHO with malicious XLS Macro file.

Name:✉-Covid-19 Relief Plan5558-23636sd.htm

Coronavirus-themed phishing email.

If you have questions or feedback on this COVID-19 feed, please email msft-covid19-ti@microsoft.com.

The post Open-sourcing new COVID-19 threat intelligence appeared first on Microsoft Security.

Microsoft Threat Protection leads in real-world detection in MITRE ATT&CK evaluation

May 1st, 2020 No comments

The latest round of MITRE ATT&CK evaluations proved yet again that Microsoft customers can trust they are fully protected even in the face of such an advanced attack as APT29. When looking at protection results out of the box, without configuration changes, Microsoft Threat Protection (MTP):

  • Provided nearly 100 percent coverage across the attack chain stages.
  • Delivered leading out-of-box visibility into attacker activities, dramatically reducing manual work for SOCs vs. vendor solutions that relied on specific configuration changes.
  • Had the fewest gaps in visibility, diminishing attacker ability to operate undetected.

Beyond just detection and visibility, automation, prioritization, and prevention are key to stopping this level of advanced attack. During testing, Microsoft:

  • Delivered automated real-time alerts without the need for configuration changes or custom detections; Microsoft is one of only three vendors who did not make configuration changes or rely on delayed detections.
  • Flagged more than 80 distinct alerts, and used built-in automation to correlate these alerts into only two incidents that mirrored the two MITRE ATT&CK simulations, improving SOC analyst efficiency and reducing attacker dwell time and ability to persist.
  • Identified seven distinct steps during the attack in which our protection features, which were disabled during testing, would have automatically intervened to stop the attack.

Microsoft Threat Experts provided further in-depth context and recommendations for further investigation through our comprehensive in-portal forensics. The evaluation also proved how Microsoft Threat Protection goes beyond just simple visibility into attacks, but also records all stages of the attack in which MTP would have stepped in to block the attack and automatically remediate any affected assets.

While the test focused on endpoint detection and response, MITRE’s simulated APT29 attack spans multiple attack domains, creating opportunities to empower defenders beyond just endpoint protection. Microsoft expanded defenders’ visibility beyond the endpoint with Microsoft Threat Protection (MTP). MTP has been recognized by both Gartner and Forrester as having extended detection and response capabilities. MTP takes protection to the next level by combining endpoint protection from Microsoft Defender ATP (EDR) with protection for email and productivity tools (Office 365 ATP), identity (Azure ATP), and cloud applications (Microsoft Cloud App Security [MCAS]). Below, we will share a deep-dive analysis and explanation of how MTP successfully demonstrated novel optic and detection advantages throughout the MITRE evaluation that only our solution can provide.

Incident-based approach enables real-time threat prioritization and remediation

Analyzing the MITRE evaluation results from the lens of breadth and coverage, as the diagrams below show, MTP provided exceptional coverage for all but one of the 19 tested attack stages. This means that in real life, the SOC would have received alerts and given full visibility into each of the stages of the two simulated attack scenarios across initial access, deployment of tools, discovery, persistence, credential access, lateral movement, and exfiltration. In Microsoft Threat Protection, alerts carry with them rich context—including a detailed process tree showing the recorded activities (telemetry) that led to the detection, the assets involved, all supporting evidence, as well as a description of what the alert means and recommendations for SOC action. Note that true alerts are attributed in the MITRE evaluation with the “Alert” modifier, and not all items marked as “Tactic” or “Technique” are actual alerts.

MTP detection coverage across the attack kill-chain stages, with block opportunities.

Figure 1: MTP detection coverage across the attack kill-chain stages, with block opportunities.

Figure 1: MTP detection coverage across the attack kill-chain stages, with block opportunities.

Note: Step 10, persistence execution, is registered as a miss due to a software bug, discovered during the test, that restricted visibility on Step 10—“Persistence Execution.” These evaluations are a valuable opportunity to continually improve our product, and this bug was fixed shortly after testing completed.

The MITRE APT29 evaluation focused solely on detection of an advanced attack; it did not measure whether or not participants were able to also prevent an attack. However, we believe that real-world protection is more than just knowing that an attack occurred—prevention of the attack is a critical element. While protections were intentionally turned off to allow the complete simulation to run, using the audit-only prevention configuration, MTP also captured and documented where the attack would have been completely prevented, including—as shown in the diagram above – the very start of the breach, if protections had been left on.

Microsoft Threat Protection also demonstrated how it promotes SOC efficiency and reduces attacker dwell time and sprawl. SOC alert fatigue is a serious problem; raising a large volume of alerts to investigate does not help SOC analysts understand where to devote their limited time and resources. Detection and response products must prioritize the most important attacker actions with the right context in near real time.

In contrast to alert-only approaches, MTP’s incident-based approach automatically identifies complex links between attacker activities in different domains including endpoint, identity, and cloud applications at an altitude that only Microsoft can provide because we have optics into each of these areas. In this scenario, MTP connected seemingly unrelated alerts using supporting telemetry across domains into just two end-to-end incidents, dramatically simplifying prioritization, triage, and investigation. In real life, this also simplifies automated response and enables SOC teams to scale capacity and capabilities. MITRE addresses a similar problem with the “correlated” modifier on telemetry and alerts but does not reference incidents (just yet).

Figure 2: MTP portal showing 2nd day attack incident including correlated alerts and affected assets.

Figure 2: MTP portal showing 2nd day attack incident including correlated alerts and affected assets.

Figure 3: 2nd day incident with all correlated alerts for SOC efficiency, and the attack incident graph.

Figure 3: 2nd day incident with all correlated alerts for SOC efficiency, and the attack incident graph.

Microsoft is the leader in out-of-the-box performance

Simply looking at the number of simulation steps covered—or, alternatively, at the number of steps with no coverage, where less is more—the MITRE evaluation showed MTP provided the best protection with zero delays or configuration changes.

Microsoft believes protection must be durable without requiring a lot of SOC configuration changes (especially during an ongoing attack), and it should not create friction by delivering false positives.

The chart below shows Microsoft as the vendor with the least number of steps categorized as “None” (also referred to as “misses”) out of the box. The chart also shows the number of detections marked with “Configuration Change” modifier, which was done quite considerably, as well as delayed detections (“Delayed” modifier), which indicate in-flight modifications and latency in detections.

Microsoft is one of only three vendors that made no modifications or had any delays during the test.

Microsoft is one of only three vendors that made no modifications or had any delays during the test.

Similarly, when looking at visibility and coverage for the 57 MITRE ATT&CK techniques replicated during this APT29 simulation, Microsoft’s coverage shows top performance at 95 percent of the techniques covered, as shown in the chart below.

A product’s coverage of techniques is an important consideration for customers when evaluating security solutions, often with specific attacker(s) in mind, which in turn determines the attacker techniques they are most concerned with and, consequently, the coverage they most care about.
Figure 5: Coverage across all attack techniques in the evaluation.

Figure 5: Coverage across all attack techniques in the evaluation.

MTP provided unique detection and visibility across identity, cloud, and endpoints

The powerful capabilities of Microsoft Threat Protection originate from unique signals not just from endpoints but also from identity and cloud apps. This combination of capabilities provides coverage where other solutions may lack visibility. Below are three examples of sophisticated attacks simulated during the evaluation that span across domains (i.e., identity, cloud, endpoint) and showcase the unique visibility and unmatched detections provided by MTP:

  • Detecting the most dangerous lateral movement attack: Golden Ticket—Unlike other vendors, MTP’s unique approach for detecting Golden Ticket attacks does not solely rely on endpoint-based command-line sequences, PowerShell strings like “Invoke-Mimikatz”, or DLL-loading heuristics that can all be evaded by advanced attackers. MTP leverages direct optics into the Domain Controller via Azure ATP, the identity component of MTP. Azure ATP detects Golden Ticket attacks using a combination of machine learning and protocol heuristics by looking at anomalies such as encryption downgrade, forged authorization data, nonexistent account, ticket anomaly, and time anomaly. MTP is the only product that provided the SOC context of the encryption downgrade, together with the source and target machines, resources accessed, and the identities involved.
  • Exfiltration over alternative protocol: Catching and stopping attackers as they move from endpoint to cloud—MTP leverages exclusive signal from Microsoft Cloud App Security (MCAS), the cloud access security broker (CASB) component of MTP, which provides visibility and alerts for a large variety of cloud services, including OneDrive. Using the MCAS Conditional Access App Control mechanism, MTP was able to monitor cloud traffic for data exfiltration and raise an automatic alert when a ZIP archive with stolen files was exfiltrated to a remote OneDrive account controlled by the attacker. It is important to note the OneDrive account used by MITRE Redteam was unknown to the Microsoft team prior to being automatically detected during the evaluation.
  • Uncovering Remote System Discovery attacks that abuse LDAP—Preceding lateral movement, attackers commonly abuse the Lightweight Directory Access Protocol (LDAP) protocol to query user groups and user information. Microsoft introduced a powerful new sensor for unique visibility of LDAP queries, aiding security analyst investigation and allowing detection of suspicious patterns of LDAP activity. Through this sensor, Microsoft Defender ATP, the endpoint component of MTP, avoids reliance on PowerShell strings and snippets. Rather, Microsoft Defender ATP uses the structure and fields of each LDAP query originating from the endpoint to the Domain Controller (DC) to spot broad requests or suspicious queries for accounts and groups. Where possible, MTP also combines and correlates LDAP attacks detected on the endpoint by Microsoft Defender ATP with LDAP events seen on the DC by Azure ATP.

Figure 6: Golden Ticket alert based on optics on Domain Controller activity.

Figure 6: Golden Ticket alert based on optics on Domain Controller activity.

Figure 7: Suspicious LDAP activity detected using deep native OS sensor.

Figure 7: Suspicious LDAP activity detected using deep native OS sensor.

Microsoft Threat Experts: Threat context and hunting skills when and where needed

In this edition of MITRE ATT&CK evaluation, for the first time, Microsoft products were configured to take advantage of the managed threat hunting service Microsoft Threat Experts. Microsoft Threat Experts provides proactive hunting for the most important threats in the network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. During the evaluation, the service operated with the same strategy normally used in real customer incidents: the goal is to send targeted attack notifications that provide real value to analysts with contextual analysis of the activities. Microsoft Threat Experts enriches security signals and raises the risk level appropriately so that the SOC can focus on what’s important, and breaches don’t go unnoticed.

Microsoft Threat Experts notifications stand out among other participating vendors as these notifications are fully integrated into the experience, incorporated into relevant incidents and connected to relevant events, alerts, and other evidence. Microsoft Threat Experts is enabling SOC teams to effortlessly and seamlessly receive and merge additional data and recommendations in the context of the incident investigation.

Figure 8: Microsoft Threat Experts alert integrates into the portal and provides hyperlinked rich context.

Figure 8: Microsoft Threat Experts alert integrates into the portal and provides hyperlinked rich context.

Transparency in testing is key to threat detection, prevention

Microsoft Threat Protection delivers real-world detection, response, and, ultimately, protection from advanced attacks, as demonstrated in the latest MITRE evaluation. Core to MITRE’s testing approach is emulating real-world attacks to understand whether solutions are able to adequately detect and respond to them. We saw that Microsoft Threat Protection provided clear detection across all categories and delivered additional context that shows the full scope of impact across an entire environment. MTP empowers customers not only to detect attacks, offering human experts as needed, and easily return to a secured state with automated remediation. As is true in the real world, our human Threat Experts were available on demand to provide even more context and help with.

We thank MITRE for the opportunity to contribute to the test with unique threat intelligence that only three participants stepped forward to share. Our unique intelligence and breadth of signal and visibility across the entire environment is what enables us to continuously score top marks. We look forward to participating in the next evaluation, and we welcome your feedback and partnership throughout our journey.

Thanks,

Moti and the entire Microsoft Threat Protection team

Related Links:

 

The post Microsoft Threat Protection leads in real-world detection in MITRE ATT&CK evaluation appeared first on Microsoft Security.