Current threat landscape

On June 27, 2017, one of the world’s most sophisticated and disruptive cyberattacks began in Europe. Microsoft researchers first saw infections in Ukraine, followed by more observed infections in another 64 countries. The malware responsible for the ensuing damage became known as NotPetya and resembled an earlier piece of malware called Petya. The primary difference between the two pieces of malware was their intended purpose. Petya was a form of ransomware whose damage could be reversed if the victims paid a ransom in Bitcoin. NotPetya was meant for pure destruction, and although it masqueraded as ransomware, there was no chance for the victim to restore the infected machines because the data was made indecipherable with encryption.

There were two components to the NotPetya attack that made it so dangerous and destructive. First, the malware was distributed and installed through a supply-chain attack against Ukrainian company M.E.Doc, which develops the M.E.Doc tax accounting software. Reports indicate that the M.E.Doc update infrastructure was compromised by attackers who then leveraged the update mechanism to distribute and install the malware on government and corporate networks that leveraged the tax accounting software.

The other component of NotPetya that made it so virulent was that it contained multiple lateral movement techniques to spread quickly following the initial infection. These propagation techniques included stealing and reusing credentials and existing active sessions, using file-shares to transfer and execute the malware on machines within the same network, and exploiting Server Message Block (SMB) vulnerabilities on unpatched machines. In some environments, NotPetya propagated and destroyed all networked computers in less than an hour. According to a White House assessment, the total financial damage from the NotPetya attacks totaled $10 billion.

Cyber criminals are also opportunistic and quickly target vulnerabilities in common software. For example, on September 7, 2017, Equifax announced a data breach affecting 143 million consumers. The Committee on Oversight and Government Reform for the US House of Representatives conducted a thorough investigation of the incident and published a report discussing the tactics used by the attackers and the lapses in security that made the breach possible. Specifically, a critical vulnerability (CVE-2017-5638) in versions of Apache Struts was publicly released on March 7, 2017. The vulnerability made it possible for attackers to remotely execute arbitrary code on susceptible servers.

Although Equifax patched several vulnerable servers, the company failed to patch the Automated Consumer Interview System, which is a custom-built consumer dispute portal. On March 13, 2017, attackers began a cyberattack against the vulnerable server and dropped “web shells” like the one shown in Figure 1-2 to control the servers remotely. The attackers leveraged their access to identify a file containing unencrypted credentials, which they leveraged to access 48 databases within the Equifax network. The attackers then began exfiltrating the data outside the Equifax network. The attack went undetected because a security system used to detect such issues was offline.

As evidenced by the Equifax breach and NotPetya attacks, information security teams are facing determined, sophisticated, and well-organized adversaries. These adversaries include nation-state actors, cybercriminals, and hacktivists. Also, the sophistication of cyberattacks continues to increase each year, as does the resulting damage and economic impact. The Equifax incident also highlights the need for security teams to develop an “assume breach” mindset. This means that security teams must invest equally in the people, processes, and technologies to enable the rapid detection and containment of security incidents.

Microsoft Security Intelligence Report

Microsoft releases a semi-annual report that captures the latest cyber-attack trends. Volume 24 of the report provides insights from data analyzed over the previous 12 months and includes the 6.5 trillion threat signals that go through the Microsoft cloud every day. Data and insights are also captured from Microsoft’s internal security researchers and for the first time, the report includes hands-on lessons from the Microsoft Detection and Response Team (DART). DART responds globally to cyber incidents involving our customers to help them tactically recover from attacks and evict those responsible from the impacted systems and networks.

One of the most notable findings in the report is that attackers have increased operations to target software supply chains to gain access to the systems and data they are after. As with NotPetya (which was discussed in the previous section), malicious software inserted into legitimate applications will run with the same permissions and trust as the valid code. In May 2017, Microsoft security researchers identified Operation WilySupply, which allowed attackers to compromise a text editor’s software updater and install a backdoor on targeted organizations. Figure 1-2 shows the timeline and process-tree views from Microsoft Defender Advanced Threat Protection that was used to pinpoint the execution chain and lead researchers back to the compromised updater. (Note that some information in this figure has been intentionally hidden for security purposes.)

Note

You can read more about the investigation at https://aka.ms/wilysupplycyberattack/.

The first major software supply chain attack occurred in March 2018, and the attackers compromised the update process for a peer-to-peer application. The poisoned updater then installed coin-mining malware.

Note

Coin-mining malware is software that is illegally installed on a victim’s computer and mines for Bitcoins. This malware allows cybercriminals to utilize the system’s computer resources for their own financial gain.

The other major finding from Volume 24 of the Microsoft Security Intelligence Report is that phishing continues to be the preferred method for attackers looking to gain a foothold within a company’s network. Based on the 470 billion email messages scanned monthly by Office 365, Microsoft researchers identified a 250 percent increase in phishing attempts from January to December 2018. As defenses have gotten better, attackers have begun to evolve their phishing methods to evade detection. One common and highly effective method is the use of legitimate hosted- and public-cloud infrastructure as part of the attack, which allows attackers to hide within the noise of commonly leveraged document sharing and collaboration sites and services.

In one specific case investigated by Microsoft DART, a large manufacturing organization was compromised via a targeted phishing attack in which a phishing email was delivered to several company employees. The email body included a link that when clicked redirected employees to a spoofed webpage. Once on the webpage, the employees were asked to authenticate using their domain credentials to gain access to a sensitive document. Once the attacker got access to several legitimate Office 365 accounts, the attacker began sending additional emails to high-value individuals within the company. In this case, DART was able to resolve the situation in just three hours, and it used Azure Sentinel to do it! Using Azure Sentinel’s advanced analytics engine, DART was able to correlate the relevant system events and alerts that were generated by the customer’s systems and quickly identify the specific actions taken by the attackers.

Note

As part of the investigation process, DART deploys software that captures and sends system and network logs and telemetry to an Azure Sentinel Workspace. Because Azure Sentinel is a cloud-native SIEM, it can be stood-up, configured, and scaled easily—typically in less than 20 minutes.

Security challenges for SecOps

Security Operations (SecOps) is a subdiscipline within the information security industry focused on running the day-to-day tasks of a security operations center (SOC). Before diving into specific challenges facing SecOps, it is important to understand the basic functions and operations required to conduct effective security operations. For most organizations, the SOC is the central hub responsible for identifying and responding to cybersecurity threats. Mitre (www.mitre.org) defines a SOC as “a team primarily composed of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents.”

Although there are different ways to structure an SOC, analysts are typically divided into tiers based on their levels of experience and associated responsibilities. A commonly found pattern would include:

• Tier 1–High Speed Remediation Typically, Tier 1 analysts are new security professionals and the most junior staff members in the SOC. Their job is to perform the initial triage of an alert or reported incident and resolve the alert based on established operating procedures for common alert scenarios. Tier 1 is a high-volume, low-touch operation, and the analyst should spend no more than a few minutes on an alert before escalating to Tier 2 for deeper investigation. Tier 1 analysts handle the majority of the SOC’s workload.

• Tier 2–Advanced Analysis, Investigation, and Remediation Tier 2 analysts are more senior security analysts and take escalations from the Tier 1 analysts. Depending on the situation, resolution for this tier will take hours or days to complete. This could include the need to capture and analyze media images or potential malware samples for deeper review.

• Tier 3–Proactive Hunting and Advanced Forensics Tier 3 analysts have specialized skills in attacker techniques, tactics, and procedures; malware analysis; threat intelligence; and threat hunting. These analysts leverage all tools and data sources to proactively look for malicious actors who have evaded traditional detection techniques. Also, these specialists evaluate trends and use advanced analytics and correlation techniques to find malicious activities.

• Support Engineers Also, an SOC will have support engineers who are responsible for maintaining the infrastructure needed to run an effective cyberdefense program. This will include the installation, maintenance, and tuning of the SIEM and other specialized tools.

Microsoft has adopted a fusion center model for cyberdefense operations that connects SOC teams from across the company into a shared facility known as the Cyber Defense Operations Center (CDOC). This model allows Microsoft to maintain its deep specialization while sharing situational awareness and subject matter expertise across teams. As you can see in Figure 1-3, the Microsoft CDOC has also adopted a tiered response model that begins with automation known as Tier 0. Tier 0 requires no human intervention and is used to triage and respond to common and extremely high-fidelity alerts (+95 percent true positive). Automation is achieved using playbooks that include programmatic steps for dealing with common alerts, such as automatically adding a confirmed malicious URL to a firewall’s blacklist. Tier 1 analysts focus on high-speed, low-touch remediation efforts, and they escalate more advanced cases to Tier 2 analysts. Tier 3 analysts work on proactive threat hunting, advanced correlation and trend analysis, and first-party threat intelligence production and dissemination.

Threat intelligence

Knowledge of your adversaries is essential. Cyberthreat intelligence (CTI) is the collection, analysis and synthesis, and dissemination of information related to cyberattackers’ tactics, techniques, and procedures (TTPs). CTI also includes an evaluation of a threat actor’s intent, motivations, and overall capabilities. Studying threat actors makes it easier to detect attacks because our security teams know what to look for. CTI is broken into three types:

• Strategic CTI is primarily intended for senior decision makers and executives. Strategic CTI is focused on developing an overall picture of threat actors’ capabilities and maintaining overall situational awareness of emerging threats. Strategic CTI is often performed by national computer emergency response and information-sharing centers to provide timely warnings to their constituencies.

• Operational CTI assesses specific incidents to identify and report on attacker campaigns and commonly used malware and/or tools by identified and named threat actors, such as Advanced Persistent Threat or APT 34.

• Tactical CTI assesses real-time events and activities and provides actionable information to SOC operators. Key tactical CTI products include threat detection signatures, such as Yara rules for malware and indicators of compromise (IOC).

As seen in Figure 1-4, CTI informs each of the SOC functions by providing context and actionable alerts to leaders, analysts, and hunt teams.

Structured Threat Information Expression (STIX) makes it easier to share CTI across organizations. STIX format is open source and free for anyone to use. STIX information is stored as JSON, which makes it easy to integrate with existing security tools. Listing 1-1 shows an example of a STIX indicator object representing a malicious URL from the project’s documentation page.

LISTING 1-1 Example STIX object representing a malicious URL

Click here to view code image

{
 "type": "bundle",
 "id": "bundle--44af6c39-c09b-49c5-9de2-394224b04982",
 "spec_version": "2.0",
 "objects": [
  {
   "type": "indicator",
   "id": "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
   "created": "2014-06-29T13:49:37.079Z",
   "modified": "2014-06-29T13:49:37.079Z",
   "labels": [
    "malicious-activity"
   ],
   "name": "Malicious site hosting downloader",
   "pattern": "[url:value = 'http://x4z9arb.cn/4712/']",
   "valid_from": "2014-06-29T13:49:37.079000Z"
  },
  {
   "type": "malware",
   "id": "malware--162d917e-766f-4611-b5d6-652791454fca",
   "created": "2014-06-30T09:15:17.182Z",
   "modified": "2014-06-30T09:15:17.182Z",
   "name": "x4z9arb backdoor",
   "labels": [
    "backdoor",
    "remote-access-trojan"
   ],
   "description": "This malware attempts to download remote files after establishing a foothold as a backdoor.",
   "kill_chain_phases": [
    {
     "kill_chain_name": "mandiant-attack-lifecycle-model",
     "phase_name": "establish-foothold"
    }
   ]
  },
  {
   "type": "relationship",
   "id": "relationship--6ce78886-1027-4800-9301-40c274fd472f",
   "created": "2014-06-30T09:15:17.182Z",
   "modified": "2014-06-30T09:15:17.182Z",
   "relationship_type": "indicates",
   "source_ref": "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
   "target_ref": "malware--162d917e-766f-4611-b5d6-652791454fca"
  }
 ]
}

Those who are threat hunters are common consumers of threat intelligence. Given the example in Listing 1-1, a hunt team would use the STIX object and hunt within Azure Sentinel for indicators that a corporate computer attempted to access the malicious domain. This hunting query would search all associated logs to determine whether any user and/or computer communicated with the domain http://x4z9arb.cn/4712/. If communication with http://x4z9arb.cn/4712/ occurred, further queries would be written to determine the scope of the attack (compromised credentials, lateral movement, and so on).

Trusted Automated Exchange of Intelligence Information (TAXII) is a companion to STIX and acts as a transport-sharing mechanism for sharing CTI written in STIX format. TAXII is not an application itself; instead, it is a set of specifications for exchanging CTI.

Cloud-native SIEM

Azure Sentinel is Microsoft’s new cloud-native SIEM solution. It is the first SIEM solution built into a major public cloud platform. Azure Sentinel also contains a Security Orchestration and Automated Response (SOAR) capability. Azure Sentinel’s SOAR capability is fully customizable and allows security teams to write playbooks that can (if desired) automate the entire response to a security event. For example, once Sentinel identifies a malicious domain, a playbook can be triggered that would automatically add a block rule to the company’s firewalls for that domain.

Gartner defines a SIEM as technology that supports “threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources.” Most traditional SIEMs started as on-premises solutions comprised of hardware and software that supported log ingestion and storage. Also, these SIEMs provided a user interface and search engine to correlate system events and security alerts. As log ingestion and storage requirements increased, customers needed to buy larger hardware or distribute the workload across multiple servers.

Over the last several years, many vendors have re-tooled their SIEMs to make them available in a Software as a Service or SaaS model. However, these SIEMS are typically built on top of a public cloud provider’s infrastructure and don’t offer the same automatic scaling and storage benefits of Azure Sentinel. With Azure Sentinel, there are no requirements on the customer to open support tickets to scale out their services like other SaaS-based SIEMs. This is handled automatically by Microsoft, and the customer can focus on the main task at hand, which is identifying and responding to cyberthreats.

Azure Sentinel has been engineered to address the SecOps challenges identified earlier by:

• Automatically scaling to meet the data-collection and storage requirements for enterprises of any size

• Integrating directly with the Microsoft Intelligent Security Graph to help increase the likelihood of detecting advanced threats by leveraging Microsoft’s and its partners’ threat intelligence

• Including advanced anomaly detections using Microsoft’s machine learning algorithms, thus removing the need for companies to hire their own data scientists

• Reducing the need for human intervention by leveraging an open and flexible automation capability for investigating and responding to alerts

• Providing dashboards and user interfaces that are intuitive to analysts and built to streamline the typical operations within an SOC

Core capabilities

While the purpose of this chapter is not to go into depth in any particular area, it is important that you understand the core capabilities of Azure Sentinel. Azure Sentinel provides security teams with unprecedented visibility into their digital estates. As shown in Figure 1-5, the core capabilities of the solution include:

• Data collection and storage across all users, devices, applications, and infrastructure—whether on-premises or in the cloud

• Threat detection that leverages Microsoft’s analytics and threat intelligence

• Investigation of threats by hunting for suspicious activities at scale

• Rapid response to incidents by leveraging built-in orchestration and automation of common tasks

Now that you have an idea of Azure Sentinel’s core capabilities as a cloud-native SIEM, we’ll delve into the details of using Azure Sentinel in Chapter 2.