Chapter 1. Security challenges for SecOps

Azure Sentinel is a cloud-native Security Incident and Event Management (SIEM) solution built to provide security analysts with a powerful tool to detect and respond to cyberattacks. Before diving into the purpose and details of the solution, it is important to understand the key challenges facing Chief Information Security Officers (CISOs) and their teams. Today’s security teams face myriad challenges, including the speed and sophistication of current threats, exponential growth in the number of digital assets and associated logs, and the lack of available and skilled staff.

In this chapter, we will discuss the current challenges facing cyberdefenders starting with a review of the current threat landscape. One concerning trend is that attackers are now targeting key software-supply chains to circumvent traditional security controls. The speed of attacks is always increasing, which makes traditional and manual response procedures ineffective.

Also, we will review the importance and use of threat intelligence in a modern Security Operations Center (SOC). Threat intelligence provides defenders with the details of an attacker’s motivations; potential targets; and tactics, techniques, and procedures (TTPs). TTPs can be used by security analysts to build custom detections to alert you to attacker activities as they occur; also, TTPs can be leveraged to hunt through data for previous indicators of an attack. We will conclude the chapter by providing a high-level overview of Azure Sentinel.

Current threat landscape

On June 27, 2017, one of the world’s most sophisticated and disruptive cyberattacks began in Europe. Microsoft researchers first saw infections in Ukraine, followed by more observed infections in another 64 countries. The malware responsible for the ensuing damage became known as NotPetya and resembled an earlier piece of malware called Petya. The primary difference between the two pieces of malware was their intended purpose. Petya was a form of ransomware whose damage could be reversed if the victims paid a ransom in Bitcoin. NotPetya was meant for pure destruction, and although it masqueraded as ransomware, there was no chance for the victim to restore the infected machines because the data was made indecipherable with encryption.

There were two components to the NotPetya attack that made it so dangerous and destructive. First, the malware was distributed and installed through a supply-chain attack against Ukrainian company M.E.Doc, which develops the M.E.Doc tax accounting software. Reports indicate that the M.E.Doc update infrastructure was compromised by attackers who then leveraged the update mechanism to distribute and install the malware on government and corporate networks that leveraged the tax accounting software.

This is an illustration of the execution chain showing the installation of the NotPetya malware on a computer.
FIGURE 1-1 NotPetya execution chain

The other component of NotPetya that made it so virulent was that it contained multiple lateral movement techniques to spread quickly following the initial infection. These propagation techniques included stealing and reusing credentials and existing active sessions, using file-shares to transfer and execute the malware on machines within the same network, and exploiting Server Message Block (SMB) vulnerabilities on unpatched machines. In some environments, NotPetya propagated and destroyed all networked computers in less than an hour. According to a White House assessment, the total financial damage from the NotPetya attacks totaled $10 billion.

Note

SMB is a network communication protocol that provides shared computer access to files, printers, and serial ports.

Cyber criminals are also opportunistic and quickly target vulnerabilities in common software. For example, on September 7, 2017, Equifax announced a data breach affecting 143 million consumers. The Committee on Oversight and Government Reform for the US House of Representatives conducted a thorough investigation of the incident and published a report discussing the tactics used by the attackers and the lapses in security that made the breach possible. Specifically, a critical vulnerability (CVE-2017-5638) in versions of Apache Struts was publicly released on March 7, 2017. The vulnerability made it possible for attackers to remotely execute arbitrary code on susceptible servers.

Note

See https://nvd.nist.gov/vuln/detail/CVE-2017-5638 for more details about the CVE-2017-5638 critical vulnerability.

Although Equifax patched several vulnerable servers, the company failed to patch the Automated Consumer Interview System, which is a custom-built consumer dispute portal. On March 13, 2017, attackers began a cyberattack against the vulnerable server and dropped “web shells” like the one shown in Figure 1-2 to control the servers remotely. The attackers leveraged their access to identify a file containing unencrypted credentials, which they leveraged to access 48 databases within the Equifax network. The attackers then began exfiltrating the data outside the Equifax network. The attack went undetected because a security system used to detect such issues was offline.

As evidenced by the Equifax breach and NotPetya attacks, information security teams are facing determined, sophisticated, and well-organized adversaries. These adversaries include nation-state actors, cybercriminals, and hacktivists. Also, the sophistication of cyberattacks continues to increase each year, as does the resulting damage and economic impact. The Equifax incident also highlights the need for security teams to develop an “assume breach” mindset. This means that security teams must invest equally in the people, processes, and technologies to enable the rapid detection and containment of security incidents.

Microsoft Security Intelligence Report

Microsoft releases a semi-annual report that captures the latest cyberattack trends. Volume 24 of the report provides insights from data analyzed over the previous 12 months, including the 6.5 trillion threat signals that go through the Microsoft cloud every day. Data and insights are also captured from Microsoft’s internal security researchers, and, for the first time, the report includes hands-on lessons from the Microsoft Detection and Response Team (DART). DART responds globally to cyber incidents involving our customers to help them tactically recover from attacks and evict those responsible from the impacted systems and networks.

One of the most notable findings in the report is that attackers have increased operations to target software supply chains to gain access to the systems and data they are after. As with NotPetya (which was discussed in the previous section), malicious software inserted into legitimate applications will run with the same permissions and trust as the valid code. In May 2017, Microsoft security researchers identified Operation WilySupply, which allowed attackers to compromise a text editor’s software updater and install a backdoor on targeted organizations. Figure 1-2 shows the timeline and process-tree views from Microsoft Defender Advanced Threat Protection that was used to pinpoint the execution chain and lead researchers back to the compromised updater. (Note that some information in this figure has been intentionally hidden for security purposes.)

This is a screenshot showing the process and time-tree view from Microsoft Defender Advanced Threat Protection, which pinpointed the Operation WilySupply infection mechanism that compromised a text editor updater.
FIGURE 1-2 Microsoft Defender Advanced Threat Protection’s detection of Operation WilySupply

Note

You can read more about the investigation at https://aka.ms/wilysupplycyberattack/.

The first major software supply chain attack occurred in March 2018, and the attackers compromised the update process for a peer-to-peer application. The poisoned updater then installed coin-mining malware.

Note

Coin-mining malware is software that is illegally installed on a victim’s computer and mines for Bitcoins. This malware allows cybercriminals to utilize the system’s computer resources for their own financial gain.

The other major finding from Volume 24 of the Microsoft Security Intelligence Report is that phishing continues to be the preferred method for attackers looking to gain a foothold within a company’s network. Based on the 470 billion email messages scanned monthly by Office 365, Microsoft researchers identified a 250 percent increase in phishing attempts from January to December 2018. As defenses have gotten better, attackers have begun to evolve their phishing methods to evade detection. One common and highly effective method is the use of legitimate hosted- and public-cloud infrastructure as part of the attack, which allows attackers to hide within the noise of commonly leveraged document sharing and collaboration sites and services.

In one specific case investigated by Microsoft DART, a large manufacturing organization was compromised via a targeted phishing attack in which a phishing email was delivered to several company employees. The email body included a link that when clicked redirected employees to a spoofed webpage. Once on the webpage, the employees were asked to authenticate using their domain credentials to gain access to a sensitive document. Once the attacker got access to several legitimate Office 365 accounts, the attacker began sending additional emails to high-value individuals within the company. In this case, DART was able to resolve the situation in just three hours, and it used Azure Sentinel to do it! Using Azure Sentinel’s advanced analytics engine, DART was able to correlate the relevant system events and alerts that were generated by the customer’s systems and quickly identify the specific actions taken by the attackers.

Note

As part of the investigation process, DART deploys software that captures and sends system and network logs and telemetry to an Azure Sentinel workspace. Because Azure Sentinel is a cloud-native SIEM, it can be stood up, configured, and scaled easily—typically in less than 20 minutes.

Security challenges for SecOps

Security Operations (SecOps) is a subdiscipline within the information security industry focused on running the day-to-day tasks of a security operations center (SOC). Before diving into specific challenges facing SecOps, it is important to understand the basic functions and operations required to conduct effective security operations. For most organizations, the SOC is the central hub responsible for identifying and responding to cybersecurity threats. Mitre (www.mitre.org) defines a SOC as “a team primarily composed of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents.”

Note

Mitre is a not-for-profit company that operates multiple U.S. federally funded research and development centers and is known for its innovative research in cybersecurity.

Although there are different ways to structure an SOC, analysts are typically divided into tiers based on their levels of experience and associated responsibilities. A commonly found pattern would include:

  • Tier 1–High-Speed Remediation. Typically, Tier 1 analysts are new security professionals and the most junior staff members in the SOC. Their job is to perform the initial triage of an alert or reported incident and resolve the alert based on established operating procedures for common alert scenarios. Tier 1 is a high-volume, low-touch operation, and the analyst should spend no more than a few minutes on an alert before escalating to Tier 2 for deeper investigation. Tier 1 analysts handle the majority of the SOC’s workload.

  • Tier 2–Advanced Analysis, Investigation, and Remediation. Tier 2 analysts are more senior security analysts who take escalations from the Tier 1 analysts. Depending on the situation, resolution at this tier can take hours or days to complete and may require capturing and analyzing media images or potential malware samples for deeper review.

  • Tier 3–Proactive Hunting and Advanced Forensics. Tier 3 analysts have specialized skills in attacker tactics, techniques, and procedures; malware analysis; threat intelligence; and threat hunting. These analysts leverage all tools and data sources to proactively look for malicious actors who have evaded traditional detection techniques. They also evaluate trends and use advanced analytics and correlation techniques to find malicious activities.

  • Support Engineers. An SOC will also have support engineers who are responsible for maintaining the infrastructure needed to run an effective cyberdefense program, including the installation, maintenance, and tuning of the SIEM and other specialized tools.

Microsoft has adopted a fusion center model for cyberdefense operations that connects SOC teams from across the company into a shared facility known as the Cyber Defense Operations Center (CDOC). This model allows Microsoft to maintain its deep specialization while sharing situational awareness and subject matter expertise across teams. As you can see in Figure 1-3, the Microsoft CDOC has also adopted a tiered response model that begins with automation known as Tier 0. Tier 0 requires no human intervention and is used to triage and respond to common and extremely high-fidelity alerts (+95 percent true positive). Automation is achieved using playbooks that include programmatic steps for dealing with common alerts, such as automatically adding a confirmed malicious URL to a firewall’s blacklist. Tier 1 analysts focus on high-speed, low-touch remediation efforts, and they escalate more advanced cases to Tier 2 analysts. Tier 3 analysts work on proactive threat hunting, advanced correlation and trend analysis, and first-party threat intelligence production and dissemination.

This is a figure showing the tiered security operations response framework leveraged by the Microsoft Cyber Defense Operations Center that moves from automation to Tier 3, Proactive Hunting and Advanced Forensics.
FIGURE 1-3 Microsoft CDOC tiered SOC model

Note

You can learn more about the CDOC at http://aka.ms/minutesmatter.

Resource challenges

(ISC)2 is an international nonprofit organization for information security practitioners with more than 140,000 certified members. In its 2018 Cybersecurity Workforce Study, it found that there is a global shortage of nearly 3 million cybersecurity professionals. In that same study, 59 percent of organizations said that they are at extreme or moderate risk because of cybersecurity staff shortages.

Staffing shortages have hit SOCs especially hard for a few reasons:

  • First, SOCs run operations 24x7x365 and therefore require a heavy investment in personnel. Not only must all shifts be covered, but enough staffing must be added to account for analysts’ vacation and sick leave.

  • Second, Tier 1 analysts—who make up the bulk of an SOC’s personnel—are difficult to retain. Entry-level analysts are required to work less-desirable days and shifts, such as weekends, holidays, and nights. Also, entry-level analysts are prone to burnout because they sit in front of a computer monitor triaging an unending number of alerts. Tier 1 analysts are also under pressure to move quickly while knowing that misdiagnosing one alert could result in a major breach.

  • Finally, security analysts require a unique set of knowledge and skills that are difficult to find in today’s competitive employment environment. An analyst must:

    • Understand common attacker techniques

    • Have strong intuition

    • Have a desire to dig into the details and volumes of alerts and logs

    • Be driven to continuously learn

With these staffing challenges, CISOs (Chief Information Security Officers) and their SOC leaders are looking for solutions that make their analysts more efficient; reduce the volume of mundane, manual tasks; and provide robust automation and orchestration capabilities.

Security data challenges

Corporate security teams are drowning in the volumes of data being generated by the digital assets they are paid to protect. Data volumes are increasing every day as more operations are being digitized and with the deployment of smart sensors and Industrial Internet of Things (IIoT) devices within corporate networks. Security has truly become a big data problem. As an example, the Microsoft CDOC receives more than 15 billion individual events per month.

For the past decade, SOC leaders have tried to leverage SIEM technologies to establish a “single pane of glass” for their analysts. A “single pane of glass” means analysts require only a SIEM for identifying and investigating security issues, which means large volumes of data need to be ingested, processed, correlated, and stored. Unfortunately, challenges with early SIEM technologies made this single pane of glass view difficult because of the constant need to buy and install more hardware to handle increasing data volumes. SOC leaders faced a variety of challenges, including the following:

  • Often, security teams were required to forgo connecting data sources because of the costs associated with scaling out their SIEMs.

  • Early search and correlation engines could not handle the volume of data, and analysts’ queries would time out before they completed their tasks.

  • Static correlation rules often missed anomalies that (when combined with other contextual data) indicated that an attacker had successfully infiltrated a system.

  • Typically, early SIEMs were not built with machine-learning models to help identify such anomalies.

  • As mentioned in the “Resource challenges” section earlier in this chapter, most corporate security teams cannot afford to hire their own data scientists to build, test, and deploy their own models.

  • Finally, many SIEM deployments were done with a “deploy and forget” mentality. This resulted in analysts working through a high number of false positives, which strained personnel and made identifying the true, high-value events difficult. To be effective, SIEMs and their associated log providers require constant attention and fine tuning.

Threat intelligence

Knowledge of your adversaries is essential. Cyberthreat intelligence (CTI) is the collection, analysis and synthesis, and dissemination of information related to cyberattackers’ tactics, techniques, and procedures (TTPs). CTI also includes an evaluation of a threat actor’s intent, motivations, and overall capabilities. Studying threat actors makes it easier to detect attacks because our security teams know what to look for. CTI is broken into three types:

  • Strategic CTI is primarily intended for senior decision makers and executives. Strategic CTI is focused on developing an overall picture of threat actors’ capabilities and maintaining overall situational awareness of emerging threats. Strategic CTI is often performed by national computer emergency response and information-sharing centers to provide timely warnings to their constituencies.

  • Operational CTI assesses specific incidents to identify and report on attacker campaigns and the malware and/or tools commonly used by identified and named threat actors, such as Advanced Persistent Threat (APT) 34.

  • Tactical CTI assesses real-time events and activities and provides actionable information to SOC operators. Key tactical CTI products include threat detection signatures, such as YARA rules for malware, and indicators of compromise (IOCs).

As seen in Figure 1-4, CTI informs each of the SOC functions by providing context and actionable alerts to leaders, analysts, and hunt teams.

This is a figure that highlights how threat intelligence provides context to SOC Analysts, incident responders, and SOC leadership.
FIGURE 1-4 Cyberthreat intelligence’s place in the SOC reference operational model

Structured Threat Information Expression (STIX) makes it easier to share CTI across organizations. The STIX format is open source and free for anyone to use. STIX information is stored as JSON, which makes it easy to integrate with existing security tools. Listing 1-1 shows an example, taken from the project’s documentation page, of a STIX bundle whose indicator object represents a malicious URL, together with the malware object it indicates and the relationship object that links the two.

LISTING 1-1 Example STIX object representing a malicious URL


{
 "type": "bundle",
 "id": "bundle--44af6c39-c09b-49c5-9de2-394224b04982",
 "spec_version": "2.0",
 "objects": [
  {
   "type": "indicator",
   "id": "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
   "created": "2014-06-29T13:49:37.079Z",
   "modified": "2014-06-29T13:49:37.079Z",
   "labels": [
    "malicious-activity"
   ],
   "name": "Malicious site hosting downloader",
   "pattern": "[url:value = 'http://x4z9arb.cn/4712/']",
   "valid_from": "2014-06-29T13:49:37.079000Z"
  },
  {
   "type": "malware",
   "id": "malware--162d917e-766f-4611-b5d6-652791454fca",
   "created": "2014-06-30T09:15:17.182Z",
   "modified": "2014-06-30T09:15:17.182Z",
   "name": "x4z9arb backdoor",
   "labels": [
    "backdoor",
    "remote-access-trojan"
   ],
   "description": "This malware attempts to download remote files after establishing a foothold as a backdoor.",
   "kill_chain_phases": [
    {
     "kill_chain_name": "mandiant-attack-lifecycle-model",
     "phase_name": "establish-foothold"
    }
   ]
  },
  {
   "type": "relationship",
   "id": "relationship--6ce78886-1027-4800-9301-40c274fd472f",
   "created": "2014-06-30T09:15:17.182Z",
   "modified": "2014-06-30T09:15:17.182Z",
   "relationship_type": "indicates",
   "source_ref": "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
   "target_ref": "malware--162d917e-766f-4611-b5d6-652791454fca"
  }
 ]
}

Threat hunters are common consumers of threat intelligence. Given the example in Listing 1-1, a hunt team would take the STIX object and hunt within Azure Sentinel for indications that a corporate computer attempted to access the malicious URL. This hunting query would search all associated logs to determine whether any user and/or computer communicated with http://x4z9arb.cn/4712/. If such communication occurred, further queries would be written to determine the scope of the attack (compromised credentials, lateral movement, and so on).
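Here is an added example, not from the book or the STIX project, that takes the objects of Listing 1-1 and runs the hunt just described over a few constructed proxy log lines, grading each hit as an exact, sub-path, or same-host match and following the bundle’s relationship to name the malware. The log format, user names, and host names are assumptions, and the pattern parser handles only the simple equality comparisons the listing uses.

```python
import re
from urllib.parse import urlparse

# Constructed: the three objects of Listing 1-1 with the timestamps left out.
STIX_BUNDLE = {
    "type": "bundle", "spec_version": "2.0",
    "id": "bundle--44af6c39-c09b-49c5-9de2-394224b04982",
    "objects": [
        {"type": "indicator", "labels": ["malicious-activity"],
         "id": "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
         "name": "Malicious site hosting downloader",
         "pattern": "[url:value = 'http://x4z9arb.cn/4712/']"},
        {"type": "malware", "labels": ["backdoor", "remote-access-trojan"],
         "id": "malware--162d917e-766f-4611-b5d6-652791454fca",
         "name": "x4z9arb backdoor"},
        {"type": "relationship", "relationship_type": "indicates",
         "id": "relationship--6ce78886-1027-4800-9301-40c274fd472f",
         "source_ref": "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
         "target_ref": "malware--162d917e-766f-4611-b5d6-652791454fca"},
    ],
}

# Constructed proxy log, one record per line: timestamp, user, host, URL.
PROXY_LOG = """\
2019-03-04T09:12:01Z alice WS-0123 http://x4z9arb.cn/4712/
2019-03-04T09:12:07Z bob WS-0456 https://intranet.example/docs/report.docx
2019-03-04T09:13:22Z alice WS-0123 http://x4z9arb.cn/4712/update.bin
2019-03-04T09:14:00Z carol WS-0789 http://x4z9arb.cn/
"""

# One STIX 2.0 comparison, <object-type>:<property> = '<value>'; covers
# Listing 1-1 and OR-ed lists of such comparisons, not the full grammar.
_COMPARISON = re.compile(r"([a-z0-9-]+):([\w.'\-]+)\s*=\s*'([^']*)'")

def url_indicators(bundle):
    """Map every url:value indicator in the bundle to its indicator object."""
    return {value: obj
            for obj in bundle["objects"] if obj.get("type") == "indicator"
            for obj_type, prop, value in _COMPARISON.findall(obj["pattern"])
            if obj_type == "url" and prop == "value"}

def indicated_malware(bundle, indicator_id):
    """Follow 'indicates' relationships from an indicator to malware names."""
    names = {o["id"]: o.get("name", o["id"]) for o in bundle["objects"]}
    return [names[r["target_ref"]] for r in bundle["objects"]
            if r.get("relationship_type") == "indicates"
            and r.get("source_ref") == indicator_id]

def classify(url, ioc):
    """Grade how closely a requested URL matches the indicator URL."""
    if url == ioc:
        return "exact"
    if url.startswith(ioc):
        return "prefix"  # a sub-path under the indicator URL
    if urlparse(url).hostname == urlparse(ioc).hostname:
        return "host"    # same host, other path: lower confidence, still worth a look
    return None

def hunt(bundle, log_text):
    """Return every proxy log record that touches a STIX URL indicator."""
    iocs = url_indicators(bundle)
    hits = []
    for line in log_text.splitlines():
        ts, user, host, url = line.split()
        for ioc, ind in iocs.items():
            match = classify(url, ioc)
            if match:
                hits.append({"time": ts, "user": user, "host": host, "url": url,
                             "match": match, "indicator": ind["name"],
                             "malware": indicated_malware(bundle, ind["id"])})
    return hits

def scope(hits):
    """Users and hosts involved: the starting point for the follow-up queries."""
    return {"users": sorted({h["user"] for h in hits}),
            "hosts": sorted({h["host"] for h in hits})}

if __name__ == "__main__":
    for h in hunt(STIX_BUNDLE, PROXY_LOG):
        print(h["time"], h["user"], h["host"], h["match"], h["url"], h["malware"])
```

In a real hunt the same matching would run as a query over the workspace’s proxy and DNS tables rather than over a string, but the grading of matches and the pivot to affected users and hosts is the part the analyst carries over.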

Trusted Automated Exchange of Intelligence Information (TAXII) is a companion to STIX and acts as the transport mechanism for sharing CTI written in STIX format. TAXII is not an application itself; instead, it is a set of specifications for exchanging CTI.

Note

You can find more details about STIX and TAXII at https://oasis-open.github.io/cti-documentation/.

Cloud-native SIEM

Azure Sentinel is Microsoft’s new cloud-native SIEM solution. It is the first SIEM solution built into a major public cloud platform. Azure Sentinel also contains a Security Orchestration and Automated Response (SOAR) capability. Azure Sentinel’s SOAR capability is fully customizable and allows security teams to write playbooks that can (if desired) automate the entire response to a security event. For example, once Sentinel identifies a malicious domain, a playbook can be triggered that would automatically add a block rule to the company’s firewalls for that domain.

Note

You can find the official Microsoft documentation at https://azure.microsoft.com/en-us/services/azure-sentinel/.

Gartner defines a SIEM as technology that supports “threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources.” Most traditional SIEMs started as on-premises solutions composed of hardware and software that supported log ingestion and storage. These SIEMs also provided a user interface and search engine to correlate system events and security alerts. As log ingestion and storage requirements increased, customers needed to buy larger hardware or distribute the workload across multiple servers.

Over the last several years, many vendors have re-tooled their SIEMs to make them available in a Software as a Service (SaaS) model. However, these SIEMs are typically built on top of a public cloud provider’s infrastructure and don’t offer the same automatic scaling and storage benefits as Azure Sentinel. With Azure Sentinel, customers are not required to open support tickets to scale out their services, as they are with other SaaS-based SIEMs. Scaling is handled automatically by Microsoft, and the customer can focus on the main task at hand, which is identifying and responding to cyberthreats.

Azure Sentinel has been engineered to address the SecOps challenges identified earlier by:

  • Automatically scaling to meet the data-collection and storage requirements for enterprises of any size

  • Integrating directly with the Microsoft Intelligent Security Graph to help increase the likelihood of detecting advanced threats by leveraging Microsoft’s and its partners’ threat intelligence

  • Including advanced anomaly detections using Microsoft’s machine learning algorithms, thus removing the need for companies to hire their own data scientists

  • Reducing the need for human intervention by leveraging an open and flexible automation capability for investigating and responding to alerts

  • Providing dashboards and user interfaces that are intuitive to analysts and built to streamline the typical operations within an SOC

Core capabilities

While the purpose of this chapter is not to go into depth in any particular area, it is important that you understand the core capabilities of Azure Sentinel. Azure Sentinel provides security teams with unprecedented visibility into their digital estates. As shown in Figure 1-5, the core capabilities of the solution include:

  • Data collection and storage across all users, devices, applications, and infrastructure—whether on-premises or in the cloud

  • Threat detection that leverages Microsoft’s analytics and threat intelligence

  • Investigation of threats by hunting for suspicious activities at scale

  • Rapid response to incidents by leveraging built-in orchestration and automation of common tasks

This is an illustration depicting Azure Sentinel’s core capabilities, which include data collection, threat detection, AI-guided investigation, and automated response.
FIGURE 1-5 Azure Sentinel core capabilities

Now that you have an idea of Azure Sentinel’s core capabilities as a cloud-native SIEM, we’ll delve into the details of using Azure Sentinel in Chapter 2.
