Inside Microsoft Threat Protection: Correlating and consolidating attacks into incidents

July 9th, 2020

Cybersecurity incidents are never contained to just one of your organization’s assets. Most attacks involve multiple elements across domains, including email, endpoints, identities, and applications. To rapidly understand and address incidents, your Security Operations Center (SOC) analysts need to be able to see and track all the signals from each domain, correlate and group alerts that are related, prioritize them based on their severity level, and remediate all affected assets to return them and your workforce to a secure state.

Getting a unified view of an attack is a top SOC analyst priority in quickly building the end-to-end picture of attacks and tracking all relevant details necessary for effective remediation. Navigating multiple products and switching between tools introduce friction that slows down investigations, giving attackers more time to inflict damage.

Microsoft Threat Protection (MTP) addresses this critical SOC need through incidents, which empower SOC analysts by automatically fusing attack evidence and providing a consolidated view of an attack chain and affected assets, as well as a single-click remediation with easy-to-read analyst workflows. MTP harnesses the power of multiple solutions in the Microsoft 365 security portfolio – Office 365 Advanced Threat Protection (ATP), Azure ATP, Microsoft Defender ATP, and Microsoft Cloud App Security – to deliver cross-domain visibility and coordinated defense.

A complete look at the attack chain to prevent attack sprawl

A typical attack starts with a phishing email that installs malware on an endpoint. The malware then steals the user’s credentials, which the attackers utilize to access resources on other endpoints, on-premises applications, and cloud services. Individual security solutions that focus on only one domain may alert on and remediate a portion of the attack but will likely miss other parts of the attacker operations, putting an organization at risk while creating a false sense of security.

The incidents view in Microsoft Threat Protection solves this challenge by providing a single place to view and investigate an attack across stages, from initial access to impact. Based on individual detection leads, MTP uses artificial intelligence (AI) to automatically expand an investigation, like an experienced analyst would, and gather related telemetry and other alerts that belong to the same attack. MTP also uses AI to continually analyze the vast amount of available data and, if necessary, suggest more evidence for the analyst to add to the incident. This enables your SOC analysts to focus on what matters, while MTP saves them time and helps discover undetected evidence.

Even if you don’t have all the Microsoft 365 security solutions in your organization, MTP incidents correlate threat data for the services you have deployed, reducing the clutter and providing one view of the attack, including all relevant alerts, impacted assets and associated risk levels, remediation actions and status.

Screenshot of Microsoft 365 security center showing the overview tab of the Incidents view

Streamlining investigations across domains

Microsoft Threat Protection simplifies the complex task of investigating end-to-end attacks by allowing SOC analysts to pivot and see entities – devices, files, users, emails, and processes – in the right context within a single view.

MTP breaks down the silos and combines all alerts and insights automatically across Microsoft 365 services to reveal the full picture, helping ease digital forensics work for SOC analysts. This also enables analysts to gain comprehensive understanding of attacks that they wouldn’t otherwise get from isolated out-of-context alerts.

But MTP doesn’t stop there. To help support effective triage processes, MTP prioritizes incidents, illustrates the attack chain progression, shows the attack timeline, and generates a comprehensive name for the incident. With just one click, analysts can answer questions like: Does a file observed on one device exist on other devices? Which email messages did a file come from, and was this file also shared through a cloud app?
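As an added illustration (not MTP's own code), the following Python sketches the entity-based grouping the two sections above describe: alerts from different products that share a user, device, file or mailbox are unioned into one incident, the incident takes its severity from its worst alert, gets a descriptive name, and supports the "does this file exist on other devices?" pivot. The alert records, account names, device names, domain labels and the hash placeholder are all constructed for the example.

```python
"""Entity-based alert correlation: alerts from different products that share a user, device,
file or mailbox are grouped (transitively) into one incident, which is then ranked and named.
Added example with constructed alerts; not MTP's implementation."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}
Entity = Tuple[str, str]  # (kind, value), e.g. ("user", "alice@contoso.example")


@dataclass(frozen=True)
class Alert:
    alert_id: str
    domain: str      # product domain that raised it: email, identity, endpoint or cloudapp
    title: str
    severity: str
    entities: FrozenSet[Entity]


def _find(parent: Dict[str, str], x: str) -> str:
    # Union-find root lookup with path halving; every alert starts as its own root.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def correlate(alerts: List[Alert]) -> List[dict]:
    """Union alerts that share at least one entity, build one incident per group, and
    order incidents by severity then size so the SOC triages the worst first."""
    parent = {a.alert_id: a.alert_id for a in alerts}
    first_seen: Dict[Entity, str] = {}          # entity -> first alert that carried it
    for a in alerts:
        for ent in a.entities:
            if ent in first_seen:
                parent[_find(parent, first_seen[ent])] = _find(parent, a.alert_id)
            else:
                first_seen[ent] = a.alert_id
    groups: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        groups[_find(parent, a.alert_id)].append(a)
    incidents = [_build_incident(g) for g in groups.values()]
    incidents.sort(key=lambda i: (-SEVERITY_RANK[i["severity"]], -len(i["alert_ids"])))
    return incidents


def _build_incident(group: List[Alert]) -> dict:
    top = max(group, key=lambda a: SEVERITY_RANK[a.severity])   # worst alert sets the severity
    entities = set().union(*(a.entities for a in group))
    domains = sorted({a.domain for a in group})
    users = sorted(v for k, v in entities if k == "user")
    devices = sorted(v for k, v in entities if k == "device")
    name = (f"{top.title} involving {len(users)} user(s) and {len(devices)} device(s) "
            f"across {', '.join(domains)}")
    return {"name": name, "severity": top.severity, "domains": domains,
            "alert_ids": sorted(a.alert_id for a in group), "users": users, "devices": devices}


def pivot(incident: dict, alerts: List[Alert], entity: Entity, kind: str) -> List[str]:
    """'Where else was this seen?': entities of `kind` that co-occur with `entity` in any
    alert of the incident, e.g. every device on which a file hash appeared."""
    by_id = {a.alert_id: a for a in alerts}
    hits = set()
    for aid in incident["alert_ids"]:
        a = by_id[aid]
        if entity in a.entities:
            hits.update(v for k, v in a.entities if k == kind)
    return sorted(hits)


# Constructed sample alerts; the hash is a placeholder, not a real indicator.
FILE = ("file", "sha256:<constructed-placeholder>")
ALICE = ("user", "alice@contoso.example")
SAMPLE_ALERTS = [
    Alert("A1", "email", "Phishing email delivered", "medium",
          frozenset({ALICE, FILE, ("mailbox", "alice@contoso.example")})),
    Alert("A2", "endpoint", "Malware detected", "high",
          frozenset({ALICE, FILE, ("device", "WS01")})),
    Alert("A3", "identity", "Sign-in from anonymous IP", "medium",
          frozenset({ALICE, ("ip", "203.0.113.10")})),
    Alert("A4", "cloudapp", "Malicious file shared via cloud app", "low",
          frozenset({ALICE, FILE})),
    Alert("A5", "endpoint", "Suspicious PowerShell activity", "medium",   # unrelated activity
          frozenset({("user", "bob@contoso.example"), ("device", "WS09")})),
    Alert("A6", "endpoint", "Malware detected", "medium",                 # same file, new device
          frozenset({("user", "carol@contoso.example"), FILE, ("device", "WS02")})),
]

if __name__ == "__main__":
    incidents = correlate(SAMPLE_ALERTS)
    for inc in incidents:
        print(inc["severity"].upper(), inc["name"], inc["alert_ids"])
    print("devices with the phishing payload:", pivot(incidents[0], SAMPLE_ALERTS, FILE, "device"))
```

Running it yields two incidents: the phishing, malware, sign-in and cloud-app alerts collapse into one high-severity incident because they share the user and the file, while the unrelated PowerShell alert on another device stays separate. A real implementation would also weigh time proximity and entity quality (a shared public IP is a weaker link than a shared file hash), which this sketch leaves out.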

In addition, SOC analysts can easily search for additional related activities with Go hunt, which automatically creates and runs an advanced hunting query based on information from the incident. SOC analysts can also use attack-specific insights gained during hunting to capture fine-tuned logic and nuances in a custom detection. Custom detections continuously hunt for new activities and pull new findings to the relevant incident automatically, further enriching your view of the attack.

A clear view of the remediation status

When your organization is under attack, it’s essential to act swiftly but thoughtfully through a thorough understanding at any point in time of the remediation status of all affected assets and entities. MTP incidents play a critical part in remediation by:

  • Removing some of the burden from the analysts’ shoulders by launching automated investigation and response (AIR) self-healing playbooks that conduct in-depth asset-based investigation and work to find and remediate all malicious evidence (attack tools, malware), persistence methods (OAuth apps, auto-start extensibility points (ASEPs) on devices), and exfiltration activities (email forwarding rules, SharePoint Online shares)
  • Orchestrating cross-asset and cross-domain playbook invocations, tracking attacker activity across the environment
  • Providing a comprehensive view of the remediation status based on actions taken by AIR, in addition to manual actions by the analyst

When the investigation is complete, MTP incidents capture the investigation comments for record-keeping and knowledge-sharing with peers, with easy and in-context information for reference.

Microsoft Threat Protection provides the SOC with a complete picture of attacks in real-time

The incidents view in Microsoft Threat Protection correlates alerts and all affected entities into a cohesive view that enables your SOC to determine the full scope of threats across your Microsoft 365 services. Armed with a complete picture of attacks in real-time, your SOCs are better empowered to defend your organization against threats.

MTP delivers coordinated defense by leveraging the power of multiple Microsoft 365 security solutions. Through automation, built-in intelligence, and end-to-end visibility into malicious activities, MTP detects, correlates, blocks, remediates, and prevents attacks.

Existing Microsoft 365 licenses provide access to Microsoft Threat Protection features in Microsoft 365 security center without additional cost or deployment. Learn how Microsoft Threat Protection can help your organization to stop attacks with coordinated defense.

To learn more about coordinated defense, read these blog posts in the Inside Microsoft Threat Protection series:

Idan Pelleg

Microsoft Threat Protection Team

The post Inside Microsoft Threat Protection: Correlating and consolidating attacks into incidents appeared first on Microsoft Security.

Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint

June 18th, 2020

The increasing pervasiveness of cloud services in today’s work environments, accelerated by a crisis that forced companies around the globe to shift to remote work, is significantly changing how defenders must monitor and protect organizations. Corporate data is spread across multiple applications—on-premises and in the cloud—and accessed by users from anywhere using any device. With traditional surfaces expanding and network perimeters disappearing, novel attack scenarios and techniques are introduced.

Every day, we see attackers mount an offensive against target organizations through the cloud and various other attack vectors with the goal of finding the path of least resistance, quickly expanding foothold, and gaining control of valuable information and assets. To help organizations fend off these advanced attacks, Microsoft Threat Protection (MTP) leverages the Microsoft 365 security portfolio to automatically analyze cross-domain threat data, building a complete picture of each attack in a single dashboard. With this breadth and depth of clarity, defenders can focus on critical threats and hunting for sophisticated breaches across endpoints, email, identities and applications.

Among the wide range of actors that Microsoft tracks—from digital crime groups to nation-state activity groups—HOLMIUM is one of the most proficient in using cloud-based attack vectors. Attributed to a Middle East-based group and active since at least 2015, HOLMIUM has been performing espionage and destructive attacks targeting aerospace, defense, chemical, mining, and petrochemical-mining industries. HOLMIUM’s activities and techniques overlap with what other researchers and vendors refer to as APT33, StoneDrill, and Elfin.

HOLMIUM has been observed using various vectors for initial access, including spear-phishing email, sometimes carrying archive attachments that exploit the CVE-2018-20250 vulnerability in WinRAR, and password-spraying. Many of their recent attacks, however, have involved the penetration testing tool Ruler used in tandem with compromised Exchange credentials.

The group used Ruler to configure a specially crafted Outlook Home Page URL to exploit the security bypass vulnerability CVE-2017-11774, which was fixed shortly after it was discovered. Successful exploitation automatically triggered remote code execution of a script when an Outlook client synced with a mailbox and rendered the profile Home Page URL. These scripts, usually VBScript followed by PowerShell, in turn initiated the delivery of various payloads.

In this blog, the first in the Inside Microsoft Threat Protection series, we will show how MTP provides unparalleled end-to-end visibility into the activities of nation-state level attacks like HOLMIUM. In succeeding blog posts in this series, we will shine a spotlight on aspects of the coordinated defense delivered by Microsoft Threat Protection.

Tracing an end-to-end cloud-based HOLMIUM attack

HOLMIUM has likely been running cloud-based attacks with Ruler since 2018, but a notable wave of such attacks was observed in the first half of 2019. These attacks combined the outcome of continuous password spray activities against multiple organizations, followed by successful compromise of Office 365 accounts and the use of Ruler in short sequences to gain control of endpoints. This wave of attacks was the subject of a warning from US Cybercom in July 2019.

These HOLMIUM attacks typically started with intensive password spray against exposed Active Directory Federation Services (ADFS) infrastructure; organizations that were not using multi-factor authentication (MFA) for Office 365 accounts had a higher risk of having accounts compromised through password spray. After successfully identifying a few user and password combinations via password spray, HOLMIUM used virtual private network (VPN) services with IP addresses associated with multiple countries to validate that the compromised accounts also had access to Office 365.

Figure 1. Password spray and compromised account sign-ins by HOLMIUM as detected in Azure Advanced Threat Protection (ATP) and Microsoft Cloud App Security (MCAS)
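To make the identity-side signals concrete, here is an added Python example (not Azure ATP or MCAS logic) that separates the password-spray shape described above (many accounts, one or two attempts each, from one source) from brute force (many attempts against one account), and then flags spray targets that signed in successfully afterwards from a different address, the validation step the post describes. The sign-in records, IP addresses, account names, time window and thresholds are all assumptions constructed for the example.

```python
"""Classify sign-in failures into password spray versus brute force, then flag spray
targets that later signed in successfully. Added example over constructed events;
not Azure ATP / MCAS detection logic."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    source_ip: str
    account: str
    success: bool


def _windows(sorted_events: List[SignIn], window: timedelta):
    """Yield every trailing slice of events that lies within `window` of its newest event."""
    start = 0
    for end in range(len(sorted_events)):
        while sorted_events[end].ts - sorted_events[start].ts > window:
            start += 1
        yield sorted_events[start:end + 1]


def detect_password_spray(events, window=timedelta(hours=1), min_accounts=8, max_per_account=3):
    """Spray shape: within `window`, one source fails against >= min_accounts distinct accounts,
    trying each at most max_per_account times. Returns {ip: {"accounts": [...], "last_failure": ts}}."""
    fails_by_ip: Dict[str, List[SignIn]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            fails_by_ip[e.source_ip].append(e)
    findings = {}
    for ip, fails in fails_by_ip.items():
        for win in _windows(fails, window):
            per_account = Counter(e.account for e in win)
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                f = findings.setdefault(ip, {"accounts": set(), "last_failure": win[-1].ts})
                f["accounts"].update(per_account)          # keys of the Counter = account names
                f["last_failure"] = max(f["last_failure"], win[-1].ts)
    return {ip: {"accounts": sorted(f["accounts"]), "last_failure": f["last_failure"]}
            for ip, f in findings.items()}


def detect_brute_force(events, window=timedelta(hours=1), min_failures=10):
    """Brute-force shape: one source fails >= min_failures times against the same account
    within `window`. Returns {ip: {account: peak_failures_in_window}}."""
    fails: Dict[Tuple[str, str], List[SignIn]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            fails[(e.source_ip, e.account)].append(e)
    findings: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (ip, account), evs in fails.items():
        peak = max(len(w) for w in _windows(evs, window))
        if peak >= min_failures:
            findings[ip][account] = peak
    return dict(findings)


def compromised_after_spray(events, sprays, lookahead=timedelta(hours=24)):
    """Accounts targeted by a spray that then signed in successfully within `lookahead`,
    from any address (the post describes validation through VPN exit addresses)."""
    flagged = set()
    for f in sprays.values():
        targets = set(f["accounts"])
        for e in events:
            if (e.success and e.account in targets
                    and f["last_failure"] < e.ts <= f["last_failure"] + lookahead):
                flagged.add((e.account, e.source_ip))
    return sorted(flagged)


BASE = datetime(2019, 3, 4, 2, 0, 0)   # constructed timeline


def _mk(minutes: int, ip: str, account: str, ok: bool) -> SignIn:
    return SignIn(BASE + timedelta(minutes=minutes), ip, account, ok)


# Constructed sample: documentation-range addresses, invented account names.
SAMPLE_EVENTS: List[SignIn] = (
    [_mk(-600, "10.0.0.5", "user05", True)]                                      # benign, hours before the spray
    + [_mk(2 * i, "198.51.100.7", f"user{i:02d}", False) for i in range(1, 11)]  # spray: 10 accounts, 1 try each
    + [_mk(i, "192.0.2.9", "admin", False) for i in range(20)]                   # brute force on one account
    + [_mk(50, "203.0.113.45", "user03", True)]                                  # spray target succeeds later, new address
)

if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_EVENTS)
    print("spray sources:", {ip: f["accounts"] for ip, f in sprays.items()})
    print("brute force:", detect_brute_force(SAMPLE_EVENTS))
    print("validate next:", compromised_after_spray(SAMPLE_EVENTS, sprays))
```

The success-after-spray list is the actionable output: those are the accounts to force a password reset and MFA registration on, regardless of whether the later sign-in came from the spraying address. The thresholds are deliberately conservative and should be tuned to the tenant's normal failure rate.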

Armed with a few compromised Office 365 accounts and not blocked by MFA defense, the group launched the next step with Ruler and configured a malicious Home Page URL which, once rendered during a normal email session, resulted in the remote code execution of a PowerShell backdoor through the exploitation of a vulnerability like CVE-2017-11774. The two domains abused by HOLMIUM and observed during this 2019 campaign were “topaudiobook.net” and “customermgmt.net”.

Figure 2. Exploitation of Outlook Home Page feature using Ruler-like tools

Figure 3. Weaponized home page and initial PowerShell payload

This initial foothold allowed HOLMIUM to run their custom PowerShell backdoor (known as POWERTON) directly from an Outlook process and to install additional payloads on the endpoint with different persistence mechanisms, such as WMI subscription (T1084) or registry autorun keys (T1060). Once the group had taken control of the endpoint (in addition to the cloud identity), the next phase was hours of exploration of the victim’s network, enumerating user accounts and machines for additional compromise, and lateral movement within the perimeter. HOLMIUM attacks typically took less than a week from initial access via the cloud to unhampered access and full domain compromise, which then allowed the attackers to remain persistent for long periods of time, sometimes for months on end.

Figure 4. Snippets of HOLMIUM PowerShell backdoor (POWERTON) implementing two different persistence mechanisms: WMI event subscription (T1084) and Registry run keys or Startup folder (T1060)

HOLMIUM attacks as seen and acted upon by Microsoft Threat Protection

HOLMIUM attacks demonstrate how hybrid attacks that span from cloud to endpoints require a wide range of sensors for comprehensive visibility. Enabling organizations to detect attacks like these by correlating events in multiple domains – cloud, identity, endpoints – is the reason why we build products like Microsoft Threat Protection. As we described in our analysis of HOLMIUM attacks, the group compromised identities in the cloud and leveraged cloud APIs to gain code execution or persist. The attackers then used a cloud email configuration to run specially crafted PowerShell on endpoints every time the Outlook process is opened.

During these attacks, many target organizations reacted too late in the attack chain—when the malicious activities started manifesting on endpoints via the PowerShell commands and subsequent lateral movement behavior. The earlier attack stages like cloud events and password spray activities were oftentimes missed or sometimes not linked with activities observed on the endpoint. This resulted in gaps in visibility and, subsequently, incomplete remediation.

While it’s relatively easy to stop malicious processes and remove downloaded malware on endpoints using endpoint security solutions, that conventional approach leaves the attacker’s foothold in the cloud intact, so the endpoint can be compromised again immediately. Remediating identities in the cloud is a different story.

Figure 5. The typical timeline of a HOLMIUM attack kill-chain

In an organization utilizing MTP, multiple expert systems that monitor various aspects of the network would detect and raise alerts on HOLMIUM’s activities. MTP sees the full attack chain across domains beyond simply blocking on endpoints or zapping emails, thus putting organizations in a superior position to fight the threat.

Figure 6. MTP components able to prevent or detect HOLMIUM techniques across the kill chain.

These systems work in unison to prevent attacks or detect, block, and remediate malicious activities. Across affected domains, MTP detects signs of HOLMIUM’s attacks:

  • Azure ATP identifies account enumeration and brute force attacks
  • MCAS detects anomalous Office 365 sign-ins that use potentially compromised credentials or from suspicious locations or networks
  • Microsoft Defender ATP exposes malicious PowerShell executions on endpoints triggered from Outlook Home Page exploitation

Figure 7. Activities detected across affected domains by different MTP expert systems
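The endpoint-side signal from this list, a script host spawned by Outlook, as an added Python example over constructed process-creation records (not Microsoft Defender ATP's detection logic): it walks the parent chain so that a PowerShell process started through an intermediate VBScript host, the sequence described earlier in the post, is still tied back to outlook.exe, and it scores the command line with common defender-side indicators. The process names, paths, indicator weights and the encoded-command placeholder are assumptions.

```python
"""Flag script hosts that descend from Outlook and score their command lines.
Added example over constructed process-creation events; not Defender ATP logic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# (substring, weight) pairs matched case-insensitively against the command line.
CMDLINE_INDICATORS = [("-enc", 3), ("-encodedcommand", 3), ("-w hidden", 2),
                      ("-windowstyle hidden", 2), ("-nop", 1), ("downloadstring", 3),
                      ("net.webclient", 2), ("iex", 2), ("bypass", 1)]


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    name: str
    cmdline: str
    device: str
    account: str


def ancestry(events_by_pid: Dict[int, ProcessEvent], pid: int, max_depth: int = 8) -> List[str]:
    """Process names from the oldest known ancestor down to `pid`, following ppid links."""
    chain: List[str] = []
    cur = events_by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur.name.lower())
        cur = events_by_pid.get(cur.ppid)
    return list(reversed(chain))


def score_cmdline(cmdline: str) -> Tuple[int, List[str]]:
    lower = cmdline.lower()
    hits = [ind for ind, _ in CMDLINE_INDICATORS if ind in lower]
    return sum(w for ind, w in CMDLINE_INDICATORS if ind in lower), hits


def detect_outlook_script_hosts(events: List[ProcessEvent]) -> List[dict]:
    """Return one finding per script host that has outlook.exe anywhere above it,
    highest command-line score first."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.name.lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(by_pid, e.pid)
        if "outlook.exe" not in chain[:-1]:        # Outlook must be an ancestor, not the process itself
            continue
        score, hits = score_cmdline(e.cmdline)
        findings.append({"pid": e.pid, "device": e.device, "account": e.account,
                         "chain": " > ".join(chain[chain.index("outlook.exe"):]),
                         "score": score, "indicators": hits,
                         "severity": "high" if score >= 4 else "medium"})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample: hypothetical pids, paths and an encoded-command placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe", "WS01", "alice"),
    ProcessEvent(200, 100, "outlook.exe", "OUTLOOK.EXE", "WS01", "alice"),
    ProcessEvent(300, 200, "wscript.exe",
                 r"wscript.exe //B //E:vbscript C:\Users\alice\AppData\Local\Temp\home.vbs", "WS01", "alice"),
    ProcessEvent(400, 300, "powershell.exe", "powershell.exe -nop -w hidden -enc QUJDRA==", "WS01", "alice"),
    ProcessEvent(500, 100, "powershell.exe",
                 r"powershell.exe -File C:\Scripts\inventory.ps1", "WS01", "alice"),   # benign: parent is explorer
    ProcessEvent(600, 200, "winword.exe", "winword.exe /n", "WS01", "alice"),        # benign: attachment opened
]

if __name__ == "__main__":
    for f in detect_outlook_script_hosts(SAMPLE_EVENTS):
        print(f["severity"], f["device"], f["account"], f["chain"], f["indicators"])
```

The chain walk matters because the first child of Outlook is often a harmless-looking wscript.exe; the PowerShell stage two levels down is where the suspicious flags appear, and without the ancestry link it would look like any other user-launched PowerShell. In a custom detection this logic would be pointed at the incident's devices so new hits flow back into the same incident.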

Traditionally, each of these detections would be surfaced in its own product’s portal, alerting on one piece of the attack but leaving the security team to stitch together the full picture. With Microsoft Threat Protection, the pieces of the puzzle are fused automatically through deep threat investigation: MTP generates a combined incident that shows the end-to-end attack, with all related evidence and affected assets in one view.

Figure 8. The MTP incident brings together in one view the entire end-to-end attack across domain boundaries

Understanding the full attack chain enables MTP to automatically intervene to block the attack and remediate assets holistically across domains. In HOLMIUM attacks, MTP not only stops the PowerShell activity on endpoints but also contains the impact of stolen user accounts by marking them as compromised in Azure AD. This invokes Conditional Access as configured in Azure AD and applies conditions like MFA or limitations on the user account’s permissions to access organizational resources until the account is remediated fully.

Figure 9. Coordinated automatic containment and remediation across email, identity, and endpoints

Security teams can dig deep and expand their investigation into the incident in Microsoft 365 Security Center, where all details and related activities are available in one place. Furthermore, security teams can hunt for more malicious activities and artifacts through advanced hunting, which brings together all the raw data collected across product domains into one unified schema with powerful query constructs.

Figure 10. Hunting for activities across email, identity, endpoint and cloud applications

Finally, when the attack is blocked and all affected assets are remediated, MTP helps organizations identify improvements to their security configuration that would prevent the attacker from returning. The Threat Analytics report provides an exposure view and recommends prevention measures relevant to the threat. For example, the Analytics Report for HOLMIUM recommended, among other things, applying the appropriate security updates to prevent tools like Ruler from operating, as well as completely eliminating this attack vector in the organization.

Figure 11. Threat Analytics provides organizational exposure and recommended mitigations for HOLMIUM 

Microsoft Threat Protection: Stop attacks with automated cross-domain security

HOLMIUM exemplifies the sophistication of today’s cyberattacks, which leverage techniques spanning organizational cloud services and on-prem devices. Organizations must equip themselves with security tools that enable them to see the attack sprawl and respond to these attacks holistically and automatically. Protecting organizations from sophisticated attacks like HOLMIUM is the backbone of MTP.

Microsoft Threat Protection harnesses the power of Microsoft 365 security products and brings them together into an unparalleled coordinated defense that detects, correlates, blocks, remediates, and prevents such attacks across an organization’s Microsoft 365 environment. Existing Microsoft 365 licenses provide access to Microsoft Threat Protection features in Microsoft 365 security center without additional cost. Learn how Microsoft Threat Protection can help your organization to stop attacks with coordinated defense.

The post Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint appeared first on Microsoft Security.