What Is MITRE ATT&CK Used For?

Being a reference framework, ATT&CK is used to identify the root causes and data sources in an environment that, if prevented, would reduce the likelihood and capability of a successful hack. It's also a great starting point to get multiple teams on the same page, using the same terminology regarding a security-testing outlook. The framework includes information on threat actor groups, successful techniques they have previously executed in real-world breaches, information about software used in hacks, mapping of security vendors' software back to tactic detection and protection, and ultimately the data source where information on each tactic can be found in a network.

How Is MITRE ATT&CK Used and Who Uses It?

ATT&CK is a means of communication. It doesn't just give red and blue teams common terms, but it is also a conduit for other teams to interface with the security team. Using ATT&CK, security teams can easily explain strengths and weaknesses to leadership. In addition, they can learn to protect against something that they don't know about. If the security controls are reasonably mature, how does an organization determine how they would stand up to a real attack scenario?

How Is Testing Done According to MITRE?

ATT&CK is a tool to use when threat hunting for the unknown. It helps gauge a baseline to judge your current alerts to bridge the gap from what attackers are using and what the IDS/IPS is seeing. If you know certain techniques should be identified or blocked, you can verify that it is actually happening using that tool.

ATT&CK can be useful to cyberthreat intelligence as it describes adversarial behaviors in a standard fashion. Actors can be tracked with associations to techniques and tactics in ATT&CK that they have been known to utilize. This gives a roadmap to defenders to apply against their operational controls to see where they have weaknesses against certain actors and where they have strengths. Creating MITRE ATT&CK navigator entries for specific actors is a good way to visualize the environment's strengths and weaknesses against those actors or groups.

ATT&CK is valuable in a variety of everyday settings. Any defensive activities that reference attackers and their behaviors can benefit from applying ATT&CK's taxonomy. Beyond offering a common lexicon for cyber defenders, ATT&CK also provides a foundation for penetration testing and red teaming. This gives defenders and red teamers a common language when referring to adversarial behaviors.

What's most important to remember about implementing the MITRE ATT&CK Framework is that it is not a one-stop security shop. More squares filled in does not equal more protection, and technique visibility should always be verified with testing.

A list of tools that can help you accomplish this is available at MITRE ATT&CK® (https://attack.mitre.org). See Figure 3.1.

MITRE has techniques and sub-techniques. Techniques represent the broad action an adversary takes to achieve a tactical goal, whereas a sub-technique is a more specific adversary action.

Tactics

The highest level of organization in ATT&CK is tactics. The strategic goal of an attacker may be to extort ransom, steal information, or simply destroy an organization's IT environment. But attackers must reach a series of incremental, short-term objectives to achieve their ultimate, strategic goal.

MITRE ATT&CK® (https://attack.mitre.org) assigned a reference ID [TA*] , representing different tactics and sub-tactics, which you can find at https://attack.mitre.org/tactic. Most attacks begin with trying to gain Initial Access (TA0001). Then other fundamental tactics, including Execution (TA0002) and Persistence (TA0003), are usually necessary intermediate goals no matter the end goal of the attack. An attacker trying to steal information will need to accomplish Collection (TA0009) and finally Understanding MITRE ATT&CK™ Exfiltration (TA0010). Attackers may engage many other tactics in order to reach their goal, such as hopping from system to system or account to account through Lateral Movement (TA0008) or attempting to hide from your monitoring through Defense Evasion (TA005).

Attackers may engage many other tactics in order to reach their goal. It's important to understand, though, that tactics are a classification and description of short-term intent. Tactics describe what the attacker is trying to do at any given phase of the attack—not how they are specifically going about it.

Techniques

While tactics specify what the attacker is trying to do, techniques describe the various technical ways attackers have developed to employ a given tactic. Similar to the tactics, techniques also carry a reference ID as [T*], which represents different techniques, which you can find at https://attack.mitre.org/techniques/enterprise). For instance, attackers usually want to maintain their presence in your network over reboots or logon sessions. This is Tactic TA0003: Persistence. But you can achieve persistence many ways. For instance, on Windows systems, you can leverage certain keys in the registry whose values are executed as system commands in connection with predictable events, such as system start or logon (which is the T1060 - Registry Run Keys/Startup Folder technique). Or you can simply install your malicious program as a system service using technique T1050: New Service. Another technique is T1103: AppInit DLLs, which is a way of getting every process that loads user32.dll to also load your malicious DLL. There are many more techniques, and others will be developed in the future, but they all revolve around giving the attacker persistent access to the victim's system or network. Hence, they are all grouped under the same tactic.

Some techniques help facilitate more than one tactic, and this is reflected in ATT&CK. For instance, T1050: New Service is listed under two tactics—Persistence and Privilege Escalation. For each technique, ATT&CK lists the applicable platforms (e.g., Windows and Linux), the permissions perquisite to exploiting the technique, sources of data for detecting the technique (e.g., logs), and a cross-reference to any related attack patterns in CAPEC, which is a related catalog of common attack patterns focused on application security.

Let's take a look at an example of how some of these changes demonstrate themselves in the latest version of the MITRE ATT&CK framework.

Figure 3.2 shows “Initial Access,” which is a tactic found on the ATT&CK Framework. In the previous version of the framework, Spear Phishing Attachment, Spear Phishing Link, and Spear Phishing via Service were techniques, and in the new version, they are all sub-techniques and consolidated under Phishing, which now exists at the Technique level. You can also see that Supply Chain Compromise and Valid Accounts added new sub-techniques that were not there previously. New sub-techniques were required across the entire framework to properly scale and respond to threats as they evolve.

By combining existing similar sub-techniques into groups and developing new sub-techniques across the entire framework, MITRE has solved a problem with granularity and built a new framework that can continue to evolve and scale for years to come. ATT&CK's growth has resulted in techniques at different levels of granularity: some are very broad and cover a lot of activity, while others cover a narrow set of activity. They wanted to address the granularity challenge while also giving the community a more robust framework to build onto over time.

Applying ATT&CK tags to threat intelligence enables you to classify, correlate, and derive meaningful conclusions to help you prioritize responses and make better decisions. Incorporating ATT&CK into ThreatConnect Playbooks lets you automate how the framework is utilized in your workflow. You can find the public GitHub repository at https://github.com/ThreatConnect-Inc/threatconnect-playbooks. For example, notify your Security Operations team and add indicators to blocklists when incidents associated with tactics and techniques relevant to your organization occur.

The MITRE Enterprise matrix includes all tactics and techniques relevant to on-premise and cloud solutions. The MITRE framework also provides tactics and techniques that are relevant only to cloud solutions.

Figure 3.3 shows the tactics and techniques representing the MITRE ATT&CK Matrix for Enterprise covering cloud-based techniques. The matrix contains information for the following platforms: AWS, GCP, Azure, Azure AD, Office 365, and SaaS. Within the Cloud Matrix, you can go even further and pick up a specific cloud solution, such as O365.

Refer to Appendix G to learn more about the definitions of the MITRE Cloud Matrix tactics and its techniques.

Privilege Escalation

Privilege escalation is a common way for attackers to gain unauthorized access to systems within a security perimeter. Attackers start by finding weak points in an organization's defenses and gaining access to a system. In many cases, that first point of penetration will not grant attackers with the level of access or data they need. Especially nowadays, removing the local admin is one of the best practices to reduce the attack surface. Hence, attacks need to escalate the privilege from a normal user to a higher privilege or admin in order to gain more permissions or obtain access to additional, more sensitive systems.

In some cases, attackers attempting privilege escalation find the “doors are wide open”—inadequate security controls, or failure to follow the principle of least privilege, with users having more privileges than they actually need. In other cases, attackers exploit software vulnerabilities, or use specific techniques to overcome an operating system's permissions mechanism.

Privilege escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.

There are many privilege escalation methods in Windows operating systems. Here is a brief review of the top three common methods.

• Access Token Manipulation: Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
• Bypass User Account Control: Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
• DLL Search Order Hijacking: Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

Refer to Appendix B to learn more about the definitions of the Privilege Escalation tactic and its techniques.

Credential Access

Credential access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Here is a brief review of the top three common credential access methods.

• Credential Dumping: Adversaries attempt to dump credentials to obtain account login and credential information, normally in the form of a hash or a cleartext password, from the operating system and software. Credentials can then be used to perform lateral movement and access restricted information.
• Password Cracking: Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS credential dumping is used to obtain password hashes, which may only get an adversary so far when pass the hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a precomputed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. The plaintext password resulting from a successfully cracked hash may be used to log in to systems, resources, and services.
• Man in the Middle: Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as network sniffing or transmitted data manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g., ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary-controlled system so they can collect information or perform additional actions.

Refer to Appendix C to learn more about the definitions of the Credential Access tactic and its techniques.

Lateral Movement

Lateral movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain control. Adversaries might install their own remote access tools to accomplish lateral movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, to move laterally within an environment and bypass normal system access controls. Here is a brief review of the top three common methods:

• Pass the Hash: Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.
• Application Access Token: Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.
• Pass the Ticket: Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.

Refer to Appendix D to learn more about the definitions of the Lateral Movement tactic and its techniques.

Command and Control

Command and control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim's network structure and defenses:

• Connection Proxy: This technique is used by attackers to facilitate the Command-and-Control Tactic (TA0011), which represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication.
• Non-standard Ports: Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088[1] or port 587[2] as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
• One-way Communication: Adversaries may use an existing, legitimate external web service as a means for sending commands to a compromised system without receiving return output over the web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.

Refer to Appendix E to learn more about the definitions of the Command and Control tactic and its techniques.

Exfiltration

Exfiltration consists of techniques that adversaries use to steal data from your network. Once they've collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

• Automation Exfiltration: Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during collection.
• Exfiltration Over Alternative Protocol: Once an attacker obtains the desired information, the attacker must get that data out of the victim's network without being noticed. This is part of the Exfiltration Tactic (TA0010) and a common technique is the Exfiltration Over Alternative Protocol, where the exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet web services such as cloud storage.
• Transfer Data to Cloud Account: Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection. A defender who is monitoring for large transfers outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.

Refer to Appendix F to learn more about the definitions of the Data Exfiltration tactic and its techniques.

Zero Trust

Before the Internet, we created networks protected by firewalls, using a methodology called castle defenses. But then the Internet started to enable us to really transform how we did things. Now, in an organization, user population spans across employees, partners, and contractors, and they are all bringing their own devices. They store sensitive data in transformative cloud services. They connect devices deployed in our supply chains, dealers, factories, vehicles, and buildings. They even share users, devices, apps, and data with our partners and vendors. Furthermore, the bolt on security tools added over the years to combat new threats is now aging and not able to keep up with the new and emerging threats. We can see this simply by seeing the number of data breaches. So, Microsoft and many other industry players are leading a new approach to modernize cybersecurity using a comprehensive Zero Trust model adapt to the changing world and protect assets, data, and customers wherever they are.

We're living in a new reality. Those old assumptions will not keep us secure in the new world. We can no longer believe everything behind the corporate firewall is safe. We need new principles to protect us.

• Verify explicitly. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
• Use least privileged access. Limit user access with Just In Time and Just Enough Access (JIT/JEA) to protect both data and productivity.
• Assume breach. Minimize blast radius for breaches and employ security strategy to prevent lateral movement.

Zero Trust is a security methodology that requires all users, even those inside the organization's enterprise network, to be authenticated, authorized, and continuously validating security configuration and posture, before being granted or keeping access to applications and data (Figure 3.5). Zero Trust is not simply a tool or product. It packages a set of existing technologies and processes like multi-factor authentication, identity and access management, and data analytics to provide defense-in-depth to thwart adversaries even after they've breached networks.

To cut through the complexity, simply put, Zero Trust is next-generation defense-in-depth risk-based security—a journey toward intelligent security for an organization where we move away from a trust-by-default perspective to a trust-by-exception one.

An integrated capability to automatically manage those exceptions and alerts is important so you can more easily find and detect threats, respond to them, and prevent or block undesired events across your organization. This provides visibility across your environment and allows leveraging automation to make intelligent risk-based access decisions. It's not a point solution, but a holistic modular approach that adapts and grows with you and your business.

Zero Trust is one of the most effective ways for organizations to control access to their networks, applications, endpoints, identity, infrastructure, and data. It combines a wide range of preventative techniques including identity verification, micro segmentation, endpoint security, and least privilege controls to deter would-be attackers and limit their access in the event of a breach.

This added layer of security is critical as companies increase the number of endpoints within their network and expand their infrastructure to include cloud-based applications and servers. Both of these trends make it more difficult to establish, monitor, and maintain secure perimeters. Furthermore, a borderless security strategy is especially important for those organizations that have a global workforce and offer employees the ability to work remotely.

By segmenting the network and restricting user access, Zero Trust security helps the organization contain breaches and minimize potential damage. This is an important security measure as some of the most sophisticated attacks are orchestrated by internal users.

Zero Trust is targeted at both outside attackers that have already breached the network and malicious insiders, and is designed to prevent them from moving laterally through the network as they seek out sensitive data. For example, Edward Snowden had legitimate credentials to operate as a subcontractor within the National Security Agency's network. There was no way to know, however, that he was downloading top-secret material about NSA surveillance programs because there wasn't an additional micro-perimeter that prevented downloads without proper authentication. Zero Trust would have hypothetically uncovered or prevented his activities through the principle known as least privilege, which gives users the least network privileges they need to access the data, applications, and services necessary to do their job.

Cloud deployments are excellent candidates for implementing Zero Trust concepts. If the cloud infrastructure itself is ever compromised, a Zero Trust–compliant architecture provides protection from adversaries seeking to entrench themselves in our virtual network. Different organizational requirements, existing technology implementations, and security stages affect how the Zero Trust model implementation takes place. Integration between multiple technologies, like endpoint management and SIEM, helps make implementations simple, operationally efficient, and adaptive.

While commercial clouds offer an excellent opportunity to scale capability and control costs, they pose risks since we do not control the infrastructure and there may be delays in communicating compromises. The assumption Zero Trust makes—that you are compromised—is particularly suited to cloud infrastructures.

Build Cloud-Based Defense-in-Depth

The last section outlined three principles of Zero Trust—verify explicitly, least privilege access, and assume breach. The guiding principle is assume breach, which is an extension of the defense-in-depth strategy. By constantly challenging the security capabilities, organizations can stay ahead of emerging threats.

There is no perfect defense. Even cutting the network cables between systems isn't enough to stop attackers from getting in. Attackers are strongly motivated to invent new ways to sneak or smash their way into our networks and steal our stuff. The better strategy we need is to assume breach and realize that any control can be overcome. See Figure 3.6.

Say you've got a hundred attacks coming into your organization at a given moment. Control One filters out 80% of threats to give you only 20 attacks to worry about. Not bad. And then Control Two whacks nearly a third of those. Now the total has dropped to 13. Not a great control, but it still reduced things a bit. Finally, Control Three takes another 80% off that, dropping the number of attacks to just 3. By overlapping these three limited controls, you've created a single control that's 97% effective.

In today's cloud-enabled world, the perimeter of the network is an increasingly blurry line. Defense-in-depth involves defining a clear separation of “inside” and “outside” network operations and building multiple lines of defense separating the two. While some security controls are not applicable to implementing defense-in-depth in the cloud, it is possible to apply a variety of requirements. While a cloud consumer cannot implement physical controls (due to lack of physical access to cloud servers), they can implement both technical and administrative controls based upon the type of cloud architecture in use. Controls can be classified as external or internal to the cloud environment:

• External Cloud Security: The first step in implementing cloud-based defense-in-depth is identifying the use of each cloud resource and the associated level of appropriate security and trust. For example, an IaaS cloud environment such as AWS, and Azure being used to host a public website has very different requirements than environments hosting databases containing sensitive or confidential information. The security needs of each resource should be considered separately, and the controls applied to each environment must be commensurate with the level of risk associated with an exposure. Ideally, public-facing and internal resources should be kept in cloud environments completely isolated from one another unless absolutely necessary to do otherwise. If isolation is impossible, strictly defined interconnections should be utilized and can be implemented using both the tools available within the CSP's management interface as well as third-party tools, which can be integrated into the environment. An important part of external cloud security is locking down access to the cloud systems. One of the advantages of the cloud is that it can be accessed from anywhere; however, this also presents security concerns. Regardless of the technology implemented, all organizations should implement strong authentication controls, including multifactor authentication. Organizations with multiple cloud presences should implement a Cloud Access Security Broker (CASB) tool to ensure Identity and Access Management controls are applied consistently across all cloud resources.
• Internal Cloud Security: Cloud resources should also have strong internal security. “Compartmentalization” is often used to segregate data and services that do not need to be stored in the same location or accessed by the same groups of individuals. Within a virtual machine, access should be limited based upon the principles of need-to-know and least privilege to minimize the impact of a potential breach. For example, Amazon S3 buckets should always be set to private with access granted on an individual basis—a very common misconfiguration enables S3 buckets, often containing sensitive information, to be accessed by anyone. Sensitive information should be encrypted whether “at-rest” (being stored) or “in-transit” (being transmitted) with keys stored within the organizational network, not on cloud servers. All connections to cloud resources should use encrypted protocols like SSH and HTTPS or be tunneled using a VPN connection if possible.

Monitoring the cloud for potential threats will help you stay situationally aware of when your defense strategies fail so you can quickly mitigate a threat before it becomes a compromise.

There is no cut-and-copy checklist on what controls and defenses to leverage. It's going to vary based on an organization's business, technological infrastructure, culture, and relevant threats. The key is analyzing and understanding the threats you face and the assets you care about, and then applying divergent but overlapping controls to remediate as much risk as you can. The good news is that a coordinated collection of useful but imperfect defenses is not only more effective than a single bulletproof control, it's a lot more attainable.

Microsoft Tools

Microsoft Azure Sentinel (see Figure 3.7) is a scalable, cloud-native SIEM and Security Orchestration, Automation, and Response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel is your bird's-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames. You can:

• Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
• Detect previously undetected threats and minimize false positives using Microsoft's analytics and unparalleled threat intelligence.
• Investigate threats with artificial intelligence and hunt for suspicious activities at scale, tapping into years of cybersecurity work at Microsoft.
• Respond to incidents rapidly with built-in orchestration and automation of common tasks.

Building on the full range of existing Azure services, Azure Sentinel natively incorporates proven foundations, like log analytics and logic apps. Azure Sentinel enriches your investigation and detection with AI and provides Microsoft's threat intelligence stream and enables you to bring your own threat intelligence.

Connect To All Your Data

To on-board Azure Sentinel, you first need to connect to your security sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, available out-of-the-box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity (formerly Azure ATP), Microsoft Cloud App Security, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use common event format, Syslog, or REST-API to connect your data sources with Azure Sentinel. See Figure 3.8.

Analytics

To help you reduce noise and minimize the number of alerts you have to review and investigate, Azure Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that together create an actionable possible threat that you can investigate and resolve (see Figure 3.10). Use the built-in correlation rules as-is, or use them as a starting point to build your own. Azure Sentinel also provides machine learning rules to map your network behavior and then look for anomalies across your resources. These analytics connect the dots, by combining low-fidelity alerts about different entities into potential high-fidelity security incidents.

Security Automation and Orchestration

Automate your common tasks and simplify security orchestration with playbooks that integrate with Azure services as well as your existing tools. Built on the foundation of Azure Logic Apps, Azure Sentinel's automation and orchestration solution provides a highly extensible architecture that enables scalable automation as new technologies and threats emerge. To build playbooks with Azure Logic Apps, you can choose from a growing gallery of built-in playbooks. These include more than 200 connectors for services such as Azure functions. The connectors allow you to apply any custom logic in code, ServiceNow, Jira, Zendesk, HTTP requests, Microsoft Teams, Slack, Windows Defender ATP, and Cloud App Security.

For example, if you use the ServiceNow ticketing system, you can use the tools provided to use Azure Logic Apps to automate your workflows and open a ticket in ServiceNow each time a particular event is detected. See Figure 3.11.

Threat hunting is all about proactive analysis of data to detect the anomalous behavior that is undetectable by the security products. As the threat-hunting team's analytics become more sophisticated, it may begin developing a set of repeatable analytics, enrichments, or data gathering steps. If it's repeatable and articulate, it can be automated. SOAR leverages the data storage and enrichment of the SIEM, understands basic rules of infrastructure integration, and allows the easy buildout of playbooks to automate a course of action. Gathering potential logs to analyze and automating the enriching processes when necessary could save threat hunters tedious and repetitive work. It could also help provide quicker triage. The SIEM with a SOAR could significantly improve speed to analysis. Taking the playbook a step further, it's possible to use data pushed to the SIEM and SOAR, such as the SQL injection detection logs from the WAF, and initiate an action.

This automated response action allows the team to limit what passive data has to be managed, and makes it easier to correlate the process logs returned with the suspicious SQL injection attacks.

Investigation

Currently in preview, Azure Sentinel's deep investigation tools help you to understand the scope and find the root cause of a potential security threat. You can choose an entity on the interactive graph to ask interesting questions for a specific entity, and drill down into that entity and its connections to get to the root cause of the threat. See Figure 3.12.

Hunting

Azure Sentinel's powerful hunting search-and-query tools, based on the MITRE framework, enable you to proactively hunt for security threats across your organization's data sources, before an alert is triggered (see Figure 3.13). After you discover which hunting query provides high-value insights into possible attacks, you can also create custom detection rules based on your query, and surface those insights as alerts to your security incident responders. While hunting, you can create bookmarks for interesting events, enabling you to return to them later, share them with others, and group them with other correlating events to create a compelling incident for investigation.

Community

The Azure Sentinel community is a powerful resource for threat detection and automation. Microsoft security analysts constantly create and add new workbooks, playbooks, hunting queries, and more, posting them to the community for you to use in your environment. You can download sample content from the private community GitHub repository to create custom workbooks, hunting queries, notebooks, and playbooks for Azure Sentinel. See Figure 3.14.

AWS Tools

Amazon Web Services (AWS) provides several services that can be used and chained together for scripts and analytical use.

Analyzing Logs Directly

Amazon CloudWatch is the core service for monitoring an AWS environment, because it is easy to get up and running and provides basic metrics, alarming, and dashboards (Figure 3.15). Amazon CloudWatch and AWS CloudTrail can be used together to interact directly with collected data. AWS offers methods of exporting Amazon CloudWatch logs, collected from custom applications to Amazon S3, AWS Lambda, or the Amazon ElasticSearch Service.

AWS provides another service called Amazon Athena, which runs SQL queries against data in an Amazon S3 bucket (Figure 3.16). Customers build virtual tables that organize and format the underlying log data inside the bucket objects. It takes time to ensure that data is formatted and managed. Amazon GuardDuty is a managed service that is evaluating a growing number of findings that detect adversary behaviors and alerting the customer. Amazon GuardDuty evaluates potential behaviors by analyzing Amazon Virtual Private Cloud (VPC) Flow Logs. A similar real-time VPC flow logs analysis engine can be created using AWS Lambda, Amazon Kinesis, Amazon S3, Amazon Athena, and Amazon QuickSight.