SlideShare uma empresa Scribd logo

Using Microsoft 365 Defender to protect against Solorigate

Transferir como PPTX, PDF
M
Matt Soseman

Using Microsoft 365 Defender to protect against Solorigate

Tecnologia
1 de 46
Matt Soseman Senior Security Architect Microsoft – One Commercial Partner matsos@microsoft.com aka.ms/SosemanTV Using Microsoft 365 Defender to protect against Solorigate Content in deck sourced from https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender- to-coordinate-protection-against-solorigate/
IMPORTANT! There’s a lot more to this, I’m just giving you the high-level overview  (Sentinel, Microsoft 365, ASR, ADFS, AAD, AD, etc is out of scope for this presentation) Want to learn more? http://aka.ms/Solorigate
Understanding supply chain attacks
What is a supply chain attack? Targeting suppliers and software developers, the goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware.
How do supply chain attacks work? 1) Attacker gains access to IT systems at a supplier/software developer vendor 2) Attacker hunts for unprotected networks, server infrastructure and unsafe coding practices 3) Attacker gains access to source code for an application 6) Attacker changes source code and hides malware in build/update processes (without the vendor’s knowledge) 5) The app code is digitally signed/certified by the vendor 4)The app (with malicious code embedded) is released to the public 7) Malicious code runs with same trust/permissions as the app (because it’s signed) 8) The end customer becomes compromised as a result 9)Actions on objective are carried out (data exfil, etc)
Types of Supply Chain Attacks • Compromised software building tools or updated infrastructure • Stolen code-sign certificates or signed malicious apps using the identity of dev company • Compromised specialized code shipped into hardware or firmware components • Pre-installed malware on devices (cameras, USB, phones, etc.)
The Solorigate Attack
(FireEye calls the remote access malware SUNBURST, Microsoft calls it Solorigate)
Techniques used by Solorigate • An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network and gain elevated credentials. Microsoft Defender now has detections for these files. Also, see SolarWinds Security Advisory. • An intruder using administrative permissions acquired through an on-premises compromise to gain access to an organization’s trusted SAML token- signing certificate. This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts. • Anomalous logins using the SAML tokens created by a compromised token-signing certificate, can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed. • Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application.
Tracking the cross-domain Solorigate attack from endpoint to the cloud
Using Microsoft Defender for Endpoint, run a threat analytics report to identify devices that have the compromised SolarWinds Orion Platform binaries or are exposed to the attack due to misconfiguration.
From the Vulnerability patching status chart, you can view the mitigation details to see a list of devices with the vulnerability ID TVM-2020-0002, which was added specifically to help with Solorigate investigations:
Threat and vulnerability management provides more info about the vulnerability ID TVM-2020-0002, as well as all relevant applications, via the Software inventory view. There are also multiple security recommendations to address this specific threat, including instructions to update the software versions installed on exposed devices.
Query: Is Solorwinds Orion running in my org? SolarWinds Orion software in your org
• Some Solorigate activities may not be directly tied to this specific threat but will trigger alerts due to generally suspicious or malicious behaviors. • All alerts in Microsoft 365 Defender provided by different Microsoft 365 products are correlated into incidents. • Incidents help you see the relationship between detected activities, better understand the end-to-end picture of the attack, and investigate, contain, and remediate the threat in a consolidated manner. Review incidents in the Incidents queue and look for those with alerts relevant to this attacker’s TTPs, as described in the threat analytics analyst report previously.
Microsoft Threat Experts & Experts On-Demand • Some alerts are specially tagged with Microsoft Threat Experts to indicate malicious activities that Microsoft researchers found in customer environments during hunting. • As part of the Microsoft Threat Experts service, researchers investigated this attack as it unfolded, hunting for associated attacker behaviors, and sent targeted attack notifications. • If you see an alert tagged with Microsoft Threat Experts, it’s strongly recommended that you give it immediate attention • Additionally, Microsoft Threat Experts customers with Experts on demand subscriptions can reach out directly to Microsoft on- demand hunters for additional help in understanding the Solorigate threat and the scope of its impact in their environments.
Hunt for related attacker activity • The threat analytics report also provides advanced hunting queries that can help analysts locate additional related or similar activities across endpoint, identity, and cloud. • Advanced hunting uses a rich set of data sources, but in response to Solorigate, Microsoft has enabled streaming of Azure Active Directory (Azure AD) audit logs into advanced hunting, available for all customers in public preview. • These logs provide traceability for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles, and policies. • Note: Customers who do not have Microsoft Defender for Endpoint or are not early adopters for Microsoft 365 Defender can see recommended advanced hunting queries. • Currently, this data is available to customers who have Microsoft Cloud App Security with the Office365 connector. https://github.com/microsoft/Microsoft-365-Defender-Hunting- Queries/blob/master/Persistence/CredentialsAddAfterAdminConsentedToApp%5BSolorigate%5D.md
Detecting and blocking malware and malicious behavior on endpoints
Using Microsoft 365 Defender to protect against Solorigate - Microsoft Security
Discovering and blocking backdoor activity • When the compromised SolarWinds binary SolarWinds.Orion.Core.BusinessLayer.dll gets loaded on a device through normal update channels, the backdoor goes through an extensive list of checks to ensure it’s running in an actual enterprise network and not on an analyst’s machine. • It then contacts a command-and-control (C2) server using a subdomain that is generated partly with information gathered from the affected device, which means a unique subdomain is generated for each affected domain. • The backdoor allows the attackers to remotely run commands on the device and move to the next stages of the attack. For more information, read in-depth analysis of the Solorigate malware.
Block malicious binaries • Comprehensive protection against this threat • Microsoft Defender Antivirus (default antimalware in Windows 10) detects and blocks the malicious DLL and it’s behaviors. • Quarantines the malware, even if the process is running
Prevent malicious C2 callback • If the malicious code is successfully deployed, the backdoor lies dormant for up to two weeks. • It then attempts to contact numerous command and control (C2) domains, with the primary domain being *.avsvmcloud[.]com. • The backdoor uses a domain generation algorithm to evade detection. • Microsoft 365 Defender detects and blocks this behavior.
Discovering potentially tampered devices • To evade security software and analyst tools, the Solorigate malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them. • The Microsoft Defender for Endpoint sensor is one of the processes the malware attempts to disable. Microsoft Defender for Endpoint has built-in protections against many techniques attackers use to disable endpoint sensors ranging from hardened OS protection, anti-tampering policies, and detections for a variety of tampering attempts • Successfully disabling Microsoft Defender for Endpoint can prevent the system from reporting observed activities. However, the multitude of signals reported into Microsoft 365 Defender provides a unique opportunity to hunt for systems where the tampering technique used might have been successful. • The following advanced hunting query can be used to locate devices that should be reporting but aren’t • Full query available at Using Microsoft 365 Defender to protect against Solorigate - Microsoft Security
Detecting hands-on keyboard activity within an on-premises environment
Once backdoor connection is established… • Attacker’s next goal is to achieve off-premises access to the organization’s cloud services. To do this, they must find a way to gain permissions to those services. • One technique observed have seen the attackers use is to go after the organization’s Active Directory Federation Services (AD FS) server • ADFS stores the SAML token signing certificate used to create authorization tokens for users/services to access cloud resources. • To attack the AD FS infrastructure, the attackers must first obtain appropriate domain permissions through on-premises intelligence gathering, lateral movement, and credential theft.
Identifying attacker reconnaissance • Attackers collect data from Active Directory using a renamed version of the utility ADFind, running queries against Domain Controllers as part of the reconnaissance stage of the attack. • Microsoft Defender for Endpoint detects this behavior and allows the SOC analyst to track compromised devices at this stage to gain visibility into the information the attacker is looking for.
Stopping lateral movement and credential theft • To gain access to a highly privileged account needed for later steps in the kill chain, the attackers move laterally between devices and dump credentials until an account with the needed privileges is compromised, all while remaining as stealthy as possible. • A variety of credential theft methods, such as dumping LSASS memory, are detected and blocked by Microsoft Defender for Endpoint. • The example to the right shows the detection of lateral movement using Windows Management Instrumentation (WMI) to run the attacker’s payload using the Rundll32.exe process.
Stopping lateral movement and credential theft (cont’d) • Microsoft Defender for Identity also detects and raises alerts on a variety of credential theft techniques. • In addition to watching for alerts, security analysts can hunt across identity data in Microsoft 365 Defender for signs of identity compromise. • Here are a couple of example Microsoft Defender for Identity queries looking for such patterns: • Enumeration of high-value DC assets followed by logon attempts to validate stolen credentials in time proximity • High-volume of LDAP queries in short time filtering for non-DC devices • SOC teams can take containment measures within the Microsoft 365 security center, for example, using indicators to isolate the devices involved and block the remotely executed payload across the environment, as well as mark suspect users as compromised. • Full query available at Using Microsoft 365 Defender to protect against Solorigate - Microsoft Security
Detecting and remediating persistence • Microsoft Defender for Endpoint also detects the advanced defense evasion and masquerading techniques used by the attackers to make their actions as close to normal as possible, such as binding a WMI event filter with a logical consumer to remain persistent. • Follow the recommended actions in the alert to remove persistence and prevent the attacker’s payload from loading after reboot.
Catching AD FS compromise and the attacker’s ability to impersonate users in the cloud • The next step in the attack focuses on the AD FS infrastructure and can unfold in two separate paths that lead to the same outcome—the ability to create valid SAML tokens allowing impersonation of users in the cloud: • Path 1 – Stealing the SAML signing certificate: After gaining administrative privileges in the organization’s on- premises network, and with access to the AD FS server itself, the attackers access and extract the SAML signing certificate. With this signing certificate, the attackers create valid SAML tokens to access various desired cloud resources as the identity of their choosing. • Path 2 – Adding to or modifying existing federation trust: After gaining administrative Azure Active Directory (Azure AD) privileges using compromised credentials, the attackers add their own certificate as a trusted entity in the domain either by adding a new federation trust to an existing tenant or modifying the properties of an existing federation trust. As a result, any SAML token they create and sign will be valid for the identity of their choosing. • In the first path, obtaining the SAML signing certificate normally entails first querying the private encryption key that resides on the AD FS container and then using that key to decrypt the signing certificate. The certificate can then be used to create illicit but valid SAML tokens that allow the actor to impersonate users, enabling them to access enterprise cloud applications and services.
Detecting this behavior… • Microsoft Defender for Endpoint and Microsoft Defender for Identity detect the actions that attackers take to steal the encryption key needed to decrypt the SAML signing certificate. • Both solutions leverage unique LDAP telemetry to raise high-severity alerts highlighting the attacker’s progress towards creating illicit SAML tokens.
Detect domain federation changes • For the second path, the attackers create their own SAML signing certificate outside of the organization’s environment. With Azure AD administrative permissions, they then add the new certificate as a trusted object. • The following advanced hunting query over Azure AD audit logs shows when domain federation settings are changed, helping to discover where the attackers configured the domain to accept authorization tokens signed by their own signing certificate. • As these are rare actions, verify that any instances identified are the result of legitimate administrative activity. • If the SAML signing certificate is confirmed to be compromised or the attacker has added a new one, follow the best practices for invalidating through certificate rotation to prevent further use and creation of SAML tokens by the attacker. Additionally, affected AD FS servers may need to be isolated and remediated to ensure no remaining attacker control or persistence. • If the attackers accomplish either path, they gain the ability to create illicit SAML tokens for the identities of their choosing and bypass multifactor authentication (MFA), since the service or application accepting the token assumes MFA is a necessary previous step in creating a properly signed token. To prevent attackers from progressing to the next stage, which is to access cloud resources, the attack should be discovered and remediated at this stage. ADFSDomainTrustMods
Detecting the hands-on- keyboard activity in the cloud environment
About this stage of the attack… • With the ability to create illicit SAML tokens, the attackers can access sensitive data without having to originate from a compromised device or be confined to on-premises persistence. • By abusing API access via existing OAuth applications or service principals, they can attempt to blend into the normal pattern of activity, most notably apps or service principals with existing Mail.Read or Mail.ReadWrite permission s to read email content via Microsoft Graph from Exchange Online. • If the application does not already have read permissions for emails, then the app may be modified to grant those permissions.
Identifying unusual addition of credentials to an OAuth app • Microsoft Cloud App Security (MCAS) has added new automatic detection of unusual credential additions to an OAuth application to alert SOCs about apps that have been compromised to extract data from the organization. • This detection logic is built on an anomaly detection engine that learns from each user in the environment, filtering out normal usage patterns to ensure alerts highlight real attacks and not false positives. • If you see this alert in your environment and confirm malicious activity, you should take immediate action to suspend the user, mark the user as compromised, reset the user’s password, and remove the credential additions. • You may consider disabling the application during investigation and remediation.
Detecting this behavior… • SOCs can use the following Microsoft 365 Defender advanced hunting query over Azure AD audit logs to examine when new credentials have been added to a service principle or application. • In general, credential changes may be rare depending on the type and use of the service principal or application. • SOCs should verify unusual changes with their respective owners to ensure they are the result of legitimate administrative actions. NewAppOrServicePrincipalCredential
Discovering malicious access to mail items • OAuth applications or service principals with Mail.Read or Mail.ReadWrite permissio ns can read email content from Exchange Online via the Microsoft Graph. • To help increase visibility on these behaviors, the MailItemsAccessed action is now available via the new Exchange mailbox advanced audit functionality. • See if this feature is enabled by default for you. • Important note for customers: If you have customized the list of audit events you are collecting, you may need to manually enable this telemetry.
Detecting this behavior… • If more than 1,000 MailItemsAccessed audit records are generated in less than 24 hours, Exchange Online stops generating auditing records for MailItemsAccessed activity for 24 hours and then resumes logging after this period. • This throttling behavior is a good starting point for SOCs to discover potentially compromised mailboxes. MailItemsAccessedThrottling
Hunt for Oauth apps reading mail via Graph API • In addition to looking for throttled telemetry, you can also hunt for OAuth applications reading mail via the Microsoft Graph API whose behavior has changed prior to a baseline period. OAuthGraphAPIAnomalies
Resources
Additional Solorigate Guidance – MUST READ! • Microsoft Internal Solorigate Investigation Update • Customer guidance on recent nation-state cyber attacks • Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack • SolarWinds post-compromise hunting with Azure Sentinel • Advice for incident responders on recovery from systemic identity compromises • Solorigate Resource Center • Using Microsoft 365 Defender to protect against Solorigate - Microsoft Security (this deck)
Additional Advanced Hunting Queries Attack stage Query link in GitHub repo General Microsoft Defender for Endpoint Threat and Vulnerability Management: •SolarWinds Orion software in your org Initial access Microsoft Defender for Endpoint: •Malicious DLLs loaded in memory •Malicious DLLs created in the system or locally •Compromised SolarWinds certificate Execution Microsoft Defender for Endpoint: •SolarWinds processes launching PowerShell with Base64 •SolarWinds processes launching CMD with echo •ADFS adapter process spawning: DeviceProcessEvents | where InitiatingProcessFileName =~”Microsoft.IdentityServer.ServiceHost.exe” | where FileName in~(“werfault.exe”, “csc.exe”) | where ProcessCommandLine !contains (“nameId”) Command and Control Microsoft Defender for Endpoint •C2 communications •C2 lookup Credential access Azure Active Directory (Microsoft Cloud App Security): •Credentials added to AAD app after admin consent •New access credential added to application or service principal •Domain federation trust settings modified •Add uncommon credential type to application •Service Principal Added To Role Exfiltration Exchange Online (Microsoft Cloud App Security): •Mail Items Accessed Throttling Analytic •Mail Items Accessed Anomaly Analytic •OAuth Apps reading mail via GraphAPI anomaly •OAuth Apps reading mail both via GraphAPI and directly
Microsoft Security Best Practices Microsoft Security Best Practices | Microsoft Docs
Privileged Access Workstations Why are privileged access devices important | Microsoft Docs

Recomendados

Mcas log collector deck
Mcas log collector deckMcas log collector deck
Mcas log collector deckMatt Soseman
 
Azure Sentinel Jan 2021 overview deck
Azure Sentinel Jan 2021 overview deck Azure Sentinel Jan 2021 overview deck
Azure Sentinel Jan 2021 overview deck Matt Soseman
 
MCAS High Level Architecture May 2021
MCAS High Level Architecture May 2021MCAS High Level Architecture May 2021
MCAS High Level Architecture May 2021Matt Soseman
 
7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure Sentinel7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure SentinelMighty Guides, Inc.
 
Microsoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewMicrosoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewAllessandra Negri
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information ProtectionMicrosoft
 
Nicholas DiCola | Secure your IT resources with Azure Security Center
Nicholas DiCola | Secure your IT resources with Azure Security CenterNicholas DiCola | Secure your IT resources with Azure Security Center
Nicholas DiCola | Secure your IT resources with Azure Security CenterMicrosoft Österreich
 
Azure Security Center
Azure Security CenterAzure Security Center
Azure Security CenterMicrosoft
 

Recomendados

Mcas log collector deck
Mcas log collector deckMcas log collector deck
Mcas log collector deckMatt Soseman
 
Azure Sentinel Jan 2021 overview deck
Azure Sentinel Jan 2021 overview deck Azure Sentinel Jan 2021 overview deck
Azure Sentinel Jan 2021 overview deck Matt Soseman
 
MCAS High Level Architecture May 2021
MCAS High Level Architecture May 2021MCAS High Level Architecture May 2021
MCAS High Level Architecture May 2021Matt Soseman
 
7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure Sentinel7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure SentinelMighty Guides, Inc.
 
Microsoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewMicrosoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewAllessandra Negri
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information ProtectionMicrosoft
 
Nicholas DiCola | Secure your IT resources with Azure Security Center
Nicholas DiCola | Secure your IT resources with Azure Security CenterNicholas DiCola | Secure your IT resources with Azure Security Center
Nicholas DiCola | Secure your IT resources with Azure Security CenterMicrosoft Österreich
 
Azure Security Center
Azure Security CenterAzure Security Center
Azure Security CenterMicrosoft
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksMicrosoft
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alAlert Logic
 
Azure Sentinel Tips
Azure Sentinel Tips Azure Sentinel Tips
Azure Sentinel Tips Mario Worwell
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
Microsoft Cloud App Security
Microsoft Cloud App SecurityMicrosoft Cloud App Security
Microsoft Cloud App SecurityMicrosoft
 
Webcast Series #1: Continuous Security and Compliance Monitoring for Global I...
Webcast Series #1: Continuous Security and Compliance Monitoring for Global I...Webcast Series #1: Continuous Security and Compliance Monitoring for Global I...
Webcast Series #1: Continuous Security and Compliance Monitoring for Global I...Qualys
 
Getting Started with Azure Security Center
Getting Started with Azure Security CenterGetting Started with Azure Security Center
Getting Started with Azure Security CenterCheah Eng Soon
 
CCI2018 - Azure Security Center - Stato dell’arte e roadmap
CCI2018 - Azure Security Center - Stato dell’arte e roadmapCCI2018 - Azure Security Center - Stato dell’arte e roadmap
CCI2018 - Azure Security Center - Stato dell’arte e roadmapwalk2talk srl
 
Protect your business with identity and access management in the cloud
Protect your business with identity and access management in the cloudProtect your business with identity and access management in the cloud
Protect your business with identity and access management in the cloudMicrosoft
 
Document fingerprinting in Microsoft 365 Compliance
Document fingerprinting in Microsoft 365 ComplianceDocument fingerprinting in Microsoft 365 Compliance
Document fingerprinting in Microsoft 365 ComplianceMatt Soseman
 
Modernize your Security Operations with Azure Sentinel
Modernize your Security Operations with Azure SentinelModernize your Security Operations with Azure Sentinel
Modernize your Security Operations with Azure SentinelCheah Eng Soon
 
Global Azure Bootcamp 2018 - Azure Security Center
Global Azure Bootcamp 2018 - Azure Security CenterGlobal Azure Bootcamp 2018 - Azure Security Center
Global Azure Bootcamp 2018 - Azure Security CenterScott Hoag
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to HeroKasun Rajapakse
 
Securing Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureSecuring Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureQualys
 
Security Whack-a-Mole: SANS 2017 Threat Landscape Survey
Security Whack-a-Mole: SANS 2017 Threat Landscape SurveySecurity Whack-a-Mole: SANS 2017 Threat Landscape Survey
Security Whack-a-Mole: SANS 2017 Threat Landscape SurveyQualys
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course contentShivamSharma909
 
Azure sentinel
Azure sentinelAzure sentinel
Azure sentinelMarius Sandbu
 
Stefan van der Wiele | Protect users identities and control access to valuabl...
Stefan van der Wiele | Protect users identities and control access to valuabl...Stefan van der Wiele | Protect users identities and control access to valuabl...
Stefan van der Wiele | Protect users identities and control access to valuabl...Microsoft Österreich
 
Daniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity storyDaniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity storyMicrosoft Österreich
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelDavid J Rosenthal
 
ExpertsLiveNL - Post Breach Security with ATA or ATP
ExpertsLiveNL - Post Breach Security with ATA or ATPExpertsLiveNL - Post Breach Security with ATA or ATP
ExpertsLiveNL - Post Breach Security with ATA or ATPTim De Keukelaere
 
Microsoft Sentinel- a cloud native SIEM & SOAR.pdf
Microsoft Sentinel- a cloud native SIEM & SOAR.pdfMicrosoft Sentinel- a cloud native SIEM & SOAR.pdf
Microsoft Sentinel- a cloud native SIEM & SOAR.pdfKranthi Aragonda
 

Mais conteúdo relacionado

Mais procurados

How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksMicrosoft
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alAlert Logic
 
Azure Sentinel Tips
Azure Sentinel Tips Azure Sentinel Tips
Azure Sentinel Tips Mario Worwell
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
Microsoft Cloud App Security
Microsoft Cloud App SecurityMicrosoft Cloud App Security
Microsoft Cloud App SecurityMicrosoft
 
Webcast Series #1: Continuous Security and Compliance Monitoring for Global I...
Webcast Series #1: Continuous Security and Compliance Monitoring for Global I...Webcast Series #1: Continuous Security and Compliance Monitoring for Global I...
Webcast Series #1: Continuous Security and Compliance Monitoring for Global I...Qualys
 
Getting Started with Azure Security Center
Getting Started with Azure Security CenterGetting Started with Azure Security Center
Getting Started with Azure Security CenterCheah Eng Soon
 
CCI2018 - Azure Security Center - Stato dell’arte e roadmap
CCI2018 - Azure Security Center - Stato dell’arte e roadmapCCI2018 - Azure Security Center - Stato dell’arte e roadmap
CCI2018 - Azure Security Center - Stato dell’arte e roadmapwalk2talk srl
 
Protect your business with identity and access management in the cloud
Protect your business with identity and access management in the cloudProtect your business with identity and access management in the cloud
Protect your business with identity and access management in the cloudMicrosoft
 
Document fingerprinting in Microsoft 365 Compliance
Document fingerprinting in Microsoft 365 ComplianceDocument fingerprinting in Microsoft 365 Compliance
Document fingerprinting in Microsoft 365 ComplianceMatt Soseman
 
Modernize your Security Operations with Azure Sentinel
Modernize your Security Operations with Azure SentinelModernize your Security Operations with Azure Sentinel
Modernize your Security Operations with Azure SentinelCheah Eng Soon
 
Global Azure Bootcamp 2018 - Azure Security Center
Global Azure Bootcamp 2018 - Azure Security CenterGlobal Azure Bootcamp 2018 - Azure Security Center
Global Azure Bootcamp 2018 - Azure Security CenterScott Hoag
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to HeroKasun Rajapakse
 
Securing Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureSecuring Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureQualys
 
Security Whack-a-Mole: SANS 2017 Threat Landscape Survey
Security Whack-a-Mole: SANS 2017 Threat Landscape SurveySecurity Whack-a-Mole: SANS 2017 Threat Landscape Survey
Security Whack-a-Mole: SANS 2017 Threat Landscape SurveyQualys
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course contentShivamSharma909
 
Stefan van der Wiele | Protect users identities and control access to valuabl...
Stefan van der Wiele | Protect users identities and control access to valuabl...Stefan van der Wiele | Protect users identities and control access to valuabl...
Stefan van der Wiele | Protect users identities and control access to valuabl...Microsoft Österreich
 
Daniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity storyDaniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity storyMicrosoft Österreich
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelDavid J Rosenthal
 

Mais procurados (20)

How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
 
Azure Sentinel Tips
Azure Sentinel Tips Azure Sentinel Tips
Azure Sentinel Tips
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
 
Microsoft Cloud App Security
Microsoft Cloud App SecurityMicrosoft Cloud App Security
Microsoft Cloud App Security
 
Webcast Series #1: Continuous Security and Compliance Monitoring for Global I...
Webcast Series #1: Continuous Security and Compliance Monitoring for Global I...Webcast Series #1: Continuous Security and Compliance Monitoring for Global I...
Webcast Series #1: Continuous Security and Compliance Monitoring for Global I...
 
Getting Started with Azure Security Center
Getting Started with Azure Security CenterGetting Started with Azure Security Center
Getting Started with Azure Security Center
 
CCI2018 - Azure Security Center - Stato dell’arte e roadmap
CCI2018 - Azure Security Center - Stato dell’arte e roadmapCCI2018 - Azure Security Center - Stato dell’arte e roadmap
CCI2018 - Azure Security Center - Stato dell’arte e roadmap
 
Protect your business with identity and access management in the cloud
Protect your business with identity and access management in the cloudProtect your business with identity and access management in the cloud
Protect your business with identity and access management in the cloud
 
Document fingerprinting in Microsoft 365 Compliance
Document fingerprinting in Microsoft 365 ComplianceDocument fingerprinting in Microsoft 365 Compliance
Document fingerprinting in Microsoft 365 Compliance
 
Modernize your Security Operations with Azure Sentinel
Modernize your Security Operations with Azure SentinelModernize your Security Operations with Azure Sentinel
Modernize your Security Operations with Azure Sentinel
 
Global Azure Bootcamp 2018 - Azure Security Center
Global Azure Bootcamp 2018 - Azure Security CenterGlobal Azure Bootcamp 2018 - Azure Security Center
Global Azure Bootcamp 2018 - Azure Security Center
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
 
Securing Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureSecuring Your Public Cloud Infrastructure
Securing Your Public Cloud Infrastructure
 
Security Whack-a-Mole: SANS 2017 Threat Landscape Survey
Security Whack-a-Mole: SANS 2017 Threat Landscape SurveySecurity Whack-a-Mole: SANS 2017 Threat Landscape Survey
Security Whack-a-Mole: SANS 2017 Threat Landscape Survey
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course content
 
Azure sentinel
Azure sentinelAzure sentinel
Azure sentinel
 
Stefan van der Wiele | Protect users identities and control access to valuabl...
Stefan van der Wiele | Protect users identities and control access to valuabl...Stefan van der Wiele | Protect users identities and control access to valuabl...
Stefan van der Wiele | Protect users identities and control access to valuabl...
 
Daniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity storyDaniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity story
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure Sentinel
 

Semelhante a Using Microsoft 365 Defender to protect against Solorigate

ExpertsLiveNL - Post Breach Security with ATA or ATP
ExpertsLiveNL - Post Breach Security with ATA or ATPExpertsLiveNL - Post Breach Security with ATA or ATP
ExpertsLiveNL - Post Breach Security with ATA or ATPTim De Keukelaere
 
Microsoft Sentinel- a cloud native SIEM & SOAR.pdf
Microsoft Sentinel- a cloud native SIEM & SOAR.pdfMicrosoft Sentinel- a cloud native SIEM & SOAR.pdf
Microsoft Sentinel- a cloud native SIEM & SOAR.pdfKranthi Aragonda
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Microsoft 365 Security Overview
Microsoft 365 Security OverviewMicrosoft 365 Security Overview
Microsoft 365 Security OverviewRobert Crane
 
endpoint-detection-and-response-datasheet.pdf
endpoint-detection-and-response-datasheet.pdfendpoint-detection-and-response-datasheet.pdf
endpoint-detection-and-response-datasheet.pdfOlufemi37
 
The 15 best cloud security practices
The 15 best cloud security practices The 15 best cloud security practices
The 15 best cloud security practices Cloudride LTD
 
03_Azure Security Center_GAB2019
03_Azure Security Center_GAB201903_Azure Security Center_GAB2019
03_Azure Security Center_GAB2019Kumton Suttiraksiri
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesSymantec
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Microsoft Security adoptionguide for the enterprise
Microsoft Security adoptionguide for the enterpriseMicrosoft Security adoptionguide for the enterprise
Microsoft Security adoptionguide for the enterprisessuserd58af7
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners Checkmarx
 
Automating Event Driven Security in the AWS Cloud
Automating Event Driven Security in the AWS CloudAutomating Event Driven Security in the AWS Cloud
Automating Event Driven Security in the AWS CloudAmazon Web Services
 
SEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptxSEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptxAmrMousa51
 

Semelhante a Using Microsoft 365 Defender to protect against Solorigate (20)

ExpertsLiveNL - Post Breach Security with ATA or ATP
ExpertsLiveNL - Post Breach Security with ATA or ATPExpertsLiveNL - Post Breach Security with ATA or ATP
ExpertsLiveNL - Post Breach Security with ATA or ATP
 
Microsoft Sentinel- a cloud native SIEM & SOAR.pdf
Microsoft Sentinel- a cloud native SIEM & SOAR.pdfMicrosoft Sentinel- a cloud native SIEM & SOAR.pdf
Microsoft Sentinel- a cloud native SIEM & SOAR.pdf
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Microsoft 365 Security Overview
Microsoft 365 Security OverviewMicrosoft 365 Security Overview
Microsoft 365 Security Overview
 
endpoint-detection-and-response-datasheet.pdf
endpoint-detection-and-response-datasheet.pdfendpoint-detection-and-response-datasheet.pdf
endpoint-detection-and-response-datasheet.pdf
 
The 15 best cloud security practices
The 15 best cloud security practices The 15 best cloud security practices
The 15 best cloud security practices
 
03_Azure Security Center_GAB2019
03_Azure Security Center_GAB201903_Azure Security Center_GAB2019
03_Azure Security Center_GAB2019
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Microsoft Security adoptionguide for the enterprise
Microsoft Security adoptionguide for the enterpriseMicrosoft Security adoptionguide for the enterprise
Microsoft Security adoptionguide for the enterprise
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
 
CA_Module_2.pdf
CA_Module_2.pdfCA_Module_2.pdf
CA_Module_2.pdf
 
Automating Event Driven Security in the AWS Cloud
Automating Event Driven Security in the AWS CloudAutomating Event Driven Security in the AWS Cloud
Automating Event Driven Security in the AWS Cloud
 
C01461422
C01461422C01461422
C01461422
 
Secure remote work
Secure remote workSecure remote work
Secure remote work
 
SEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptxSEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptx
 
Veracode - Overview
Veracode - OverviewVeracode - Overview
Veracode - Overview
 

Último

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 

Using Microsoft 365 Defender to protect against Solorigate

  • 1. Matt Soseman Senior Security Architect Microsoft – One Commercial Partner matsos@microsoft.com aka.ms/SosemanTV Using Microsoft 365 Defender to protect against Solorigate Content in deck sourced from https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender- to-coordinate-protection-against-solorigate/
  • 2. IMPORTANT! There’s a lot more to this, I’m just giving you the high-level overview  (Sentinel, Microsoft 365, ASR, ADFS, AAD, AD, etc is out of scope for this presentation) Want to learn more? http://aka.ms/Solorigate
  • 4. What is a supply chain attack? Targeting suppliers and software developers, the goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware.
  • 5. How do supply chain attacks work? 1) Attacker gains access to IT systems at a supplier/software developer vendor 2) Attacker hunts for unprotected networks, server infrastructure and unsafe coding practices 3) Attacker gains access to source code for an application 6) Attacker changes source code and hides malware in build/update processes (without the vendor’s knowledge) 5) The app code is digitally signed/certified by the vendor 4)The app (with malicious code embedded) is released to the public 7) Malicious code runs with same trust/permissions as the app (because it’s signed) 8) The end customer becomes compromised as a result 9)Actions on objective are carried out (data exfil, etc)
  • 6. Types of Supply Chain Attacks • Compromised software building tools or updated infrastructure • Stolen code-sign certificates or signed malicious apps using the identity of dev company • Compromised specialized code shipped into hardware or firmware components • Pre-installed malware on devices (cameras, USB, phones, etc.)
  • 8. (FireEye calls the remote access malware SUNBURST, Microsoft calls it Solorigate)
  • 9. Techniques used by Solorigate • An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network and gain elevated credentials. Microsoft Defender now has detections for these files. Also, see SolarWinds Security Advisory. • An intruder using administrative permissions acquired through an on-premises compromise to gain access to an organization’s trusted SAML token- signing certificate. This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts. • Anomalous logins using the SAML tokens created by a compromised token-signing certificate, can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed. • Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application.
  • 10. Tracking the cross-domain Solorigate attack from endpoint to the cloud
  • 11. Using Microsoft Defender for Endpoint, run a threat analytics report to identify devices that have the compromised SolarWinds Orion Platform binaries or are exposed to the attack due to misconfiguration.
  • 12. From the Vulnerability patching status chart, you can view the mitigation details to see a list of devices with the vulnerability ID TVM-2020-0002, which was added specifically to help with Solorigate investigations:
  • 13. Threat and vulnerability management provides more info about the vulnerability ID TVM-2020-0002, as well as all relevant applications, via the Software inventory view. There are also multiple security recommendations to address this specific threat, including instructions to update the software versions installed on exposed devices.
  • 14. Query: Is Solorwinds Orion running in my org? SolarWinds Orion software in your org
  • 15. • Some Solorigate activities may not be directly tied to this specific threat but will trigger alerts due to generally suspicious or malicious behaviors. • All alerts in Microsoft 365 Defender provided by different Microsoft 365 products are correlated into incidents. • Incidents help you see the relationship between detected activities, better understand the end-to-end picture of the attack, and investigate, contain, and remediate the threat in a consolidated manner. Review incidents in the Incidents queue and look for those with alerts relevant to this attacker’s TTPs, as described in the threat analytics analyst report previously.
  • 16. Microsoft Threat Experts & Experts On-Demand • Some alerts are specially tagged with Microsoft Threat Experts to indicate malicious activities that Microsoft researchers found in customer environments during hunting. • As part of the Microsoft Threat Experts service, researchers investigated this attack as it unfolded, hunting for associated attacker behaviors, and sent targeted attack notifications. • If you see an alert tagged with Microsoft Threat Experts, it’s strongly recommended that you give it immediate attention • Additionally, Microsoft Threat Experts customers with Experts on demand subscriptions can reach out directly to Microsoft on- demand hunters for additional help in understanding the Solorigate threat and the scope of its impact in their environments.
  • 17. Hunt for related attacker activity • The threat analytics report also provides advanced hunting queries that can help analysts locate additional related or similar activities across endpoint, identity, and cloud. • Advanced hunting uses a rich set of data sources, but in response to Solorigate, Microsoft has enabled streaming of Azure Active Directory (Azure AD) audit logs into advanced hunting, available for all customers in public preview. • These logs provide traceability for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles, and policies. • Note: Customers who do not have Microsoft Defender for Endpoint or are not early adopters for Microsoft 365 Defender can see recommended advanced hunting queries. • Currently, this data is available to customers who have Microsoft Cloud App Security with the Office365 connector. https://github.com/microsoft/Microsoft-365-Defender-Hunting- Queries/blob/master/Persistence/CredentialsAddAfterAdminConsentedToApp%5BSolorigate%5D.md
  • 18. Detecting and blocking malware and malicious behavior on endpoints
  • 19. Using Microsoft 365 Defender to protect against Solorigate - Microsoft Security
  • 20. Discovering and blocking backdoor activity • When the compromised SolarWinds binary SolarWinds.Orion.Core.BusinessLayer.dll gets loaded on a device through normal update channels, the backdoor goes through an extensive list of checks to ensure it’s running in an actual enterprise network and not on an analyst’s machine. • It then contacts a command-and-control (C2) server using a subdomain that is generated partly with information gathered from the affected device, which means a unique subdomain is generated for each affected domain. • The backdoor allows the attackers to remotely run commands on the device and move to the next stages of the attack. For more information, read in-depth analysis of the Solorigate malware.
  • 21. Block malicious binaries • Comprehensive protection against this threat • Microsoft Defender Antivirus (default antimalware in Windows 10) detects and blocks the malicious DLL and it’s behaviors. • Quarantines the malware, even if the process is running
  • 22. Prevent malicious C2 callback • If the malicious code is successfully deployed, the backdoor lies dormant for up to two weeks. • It then attempts to contact numerous command and control (C2) domains, with the primary domain being *.avsvmcloud[.]com. • The backdoor uses a domain generation algorithm to evade detection. • Microsoft 365 Defender detects and blocks this behavior.
  • 23. Discovering potentially tampered devices • To evade security software and analyst tools, the Solorigate malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them. • The Microsoft Defender for Endpoint sensor is one of the processes the malware attempts to disable. Microsoft Defender for Endpoint has built-in protections against many techniques attackers use to disable endpoint sensors ranging from hardened OS protection, anti-tampering policies, and detections for a variety of tampering attempts • Successfully disabling Microsoft Defender for Endpoint can prevent the system from reporting observed activities. However, the multitude of signals reported into Microsoft 365 Defender provides a unique opportunity to hunt for systems where the tampering technique used might have been successful. • The following advanced hunting query can be used to locate devices that should be reporting but aren’t • Full query available at Using Microsoft 365 Defender to protect against Solorigate - Microsoft Security
  • 24. Detecting hands-on keyboard activity within an on-premises environment
  • 25.
  • 26. Once backdoor connection is established… • Attacker’s next goal is to achieve off-premises access to the organization’s cloud services. To do this, they must find a way to gain permissions to those services. • One technique observed have seen the attackers use is to go after the organization’s Active Directory Federation Services (AD FS) server • ADFS stores the SAML token signing certificate used to create authorization tokens for users/services to access cloud resources. • To attack the AD FS infrastructure, the attackers must first obtain appropriate domain permissions through on-premises intelligence gathering, lateral movement, and credential theft.
  • 27. Identifying attacker reconnaissance • Attackers collect data from Active Directory using a renamed version of the utility ADFind, running queries against Domain Controllers as part of the reconnaissance stage of the attack. • Microsoft Defender for Endpoint detects this behavior and allows the SOC analyst to track compromised devices at this stage to gain visibility into the information the attacker is looking for.
  • 28. Stopping lateral movement and credential theft • To gain access to a highly privileged account needed for later steps in the kill chain, the attackers move laterally between devices and dump credentials until an account with the needed privileges is compromised, all while remaining as stealthy as possible. • A variety of credential theft methods, such as dumping LSASS memory, are detected and blocked by Microsoft Defender for Endpoint. • The example to the right shows the detection of lateral movement using Windows Management Instrumentation (WMI) to run the attacker’s payload using the Rundll32.exe process.
  • 29. Stopping lateral movement and credential theft (cont’d) • Microsoft Defender for Identity also detects and raises alerts on a variety of credential theft techniques. • In addition to watching for alerts, security analysts can hunt across identity data in Microsoft 365 Defender for signs of identity compromise. • Here are a couple of example Microsoft Defender for Identity queries looking for such patterns: • Enumeration of high-value DC assets followed by logon attempts to validate stolen credentials in time proximity • High-volume of LDAP queries in short time filtering for non-DC devices • SOC teams can take containment measures within the Microsoft 365 security center, for example, using indicators to isolate the devices involved and block the remotely executed payload across the environment, as well as mark suspect users as compromised. • Full query available at Using Microsoft 365 Defender to protect against Solorigate - Microsoft Security
  • 30. Detecting and remediating persistence • Microsoft Defender for Endpoint also detects the advanced defense evasion and masquerading techniques used by the attackers to make their actions as close to normal as possible, such as binding a WMI event filter with a logical consumer to remain persistent. • Follow the recommended actions in the alert to remove persistence and prevent the attacker’s payload from loading after reboot.
  • 31. Catching AD FS compromise and the attacker’s ability to impersonate users in the cloud • The next step in the attack focuses on the AD FS infrastructure and can unfold in two separate paths that lead to the same outcome—the ability to create valid SAML tokens allowing impersonation of users in the cloud: • Path 1 – Stealing the SAML signing certificate: After gaining administrative privileges in the organization’s on- premises network, and with access to the AD FS server itself, the attackers access and extract the SAML signing certificate. With this signing certificate, the attackers create valid SAML tokens to access various desired cloud resources as the identity of their choosing. • Path 2 – Adding to or modifying existing federation trust: After gaining administrative Azure Active Directory (Azure AD) privileges using compromised credentials, the attackers add their own certificate as a trusted entity in the domain either by adding a new federation trust to an existing tenant or modifying the properties of an existing federation trust. As a result, any SAML token they create and sign will be valid for the identity of their choosing. • In the first path, obtaining the SAML signing certificate normally entails first querying the private encryption key that resides on the AD FS container and then using that key to decrypt the signing certificate. The certificate can then be used to create illicit but valid SAML tokens that allow the actor to impersonate users, enabling them to access enterprise cloud applications and services.
  • 32. Detecting this behavior… • Microsoft Defender for Endpoint and Microsoft Defender for Identity detect the actions that attackers take to steal the encryption key needed to decrypt the SAML signing certificate. • Both solutions leverage unique LDAP telemetry to raise high-severity alerts highlighting the attacker’s progress towards creating illicit SAML tokens.
  • 33. Detect domain federation changes • For the second path, the attackers create their own SAML signing certificate outside of the organization’s environment. With Azure AD administrative permissions, they then add the new certificate as a trusted object. • The following advanced hunting query over Azure AD audit logs shows when domain federation settings are changed, helping to discover where the attackers configured the domain to accept authorization tokens signed by their own signing certificate. • As these are rare actions, verify that any instances identified are the result of legitimate administrative activity. • If the SAML signing certificate is confirmed to be compromised or the attacker has added a new one, follow the best practices for invalidating through certificate rotation to prevent further use and creation of SAML tokens by the attacker. Additionally, affected AD FS servers may need to be isolated and remediated to ensure no remaining attacker control or persistence. • If the attackers accomplish either path, they gain the ability to create illicit SAML tokens for the identities of their choosing and bypass multifactor authentication (MFA), since the service or application accepting the token assumes MFA is a necessary previous step in creating a properly signed token. To prevent attackers from progressing to the next stage, which is to access cloud resources, the attack should be discovered and remediated at this stage. ADFSDomainTrustMods
  • 34. Detecting the hands-on- keyboard activity in the cloud environment
  • 35.
  • 36. About this stage of the attack… • With the ability to create illicit SAML tokens, the attackers can access sensitive data without having to originate from a compromised device or be confined to on-premises persistence. • By abusing API access via existing OAuth applications or service principals, they can attempt to blend into the normal pattern of activity, most notably apps or service principals with existing Mail.Read or Mail.ReadWrite permission s to read email content via Microsoft Graph from Exchange Online. • If the application does not already have read permissions for emails, then the app may be modified to grant those permissions.
  • 37. Identifying unusual addition of credentials to an OAuth app • Microsoft Cloud App Security (MCAS) has added new automatic detection of unusual credential additions to an OAuth application to alert SOCs about apps that have been compromised to extract data from the organization. • This detection logic is built on an anomaly detection engine that learns from each user in the environment, filtering out normal usage patterns to ensure alerts highlight real attacks and not false positives. • If you see this alert in your environment and confirm malicious activity, you should take immediate action to suspend the user, mark the user as compromised, reset the user’s password, and remove the credential additions. • You may consider disabling the application during investigation and remediation.
  • 38. Detecting this behavior… • SOCs can use the following Microsoft 365 Defender advanced hunting query over Azure AD audit logs to examine when new credentials have been added to a service principle or application. • In general, credential changes may be rare depending on the type and use of the service principal or application. • SOCs should verify unusual changes with their respective owners to ensure they are the result of legitimate administrative actions. NewAppOrServicePrincipalCredential
  • 39. Discovering malicious access to mail items • OAuth applications or service principals with Mail.Read or Mail.ReadWrite permissio ns can read email content from Exchange Online via the Microsoft Graph. • To help increase visibility on these behaviors, the MailItemsAccessed action is now available via the new Exchange mailbox advanced audit functionality. • See if this feature is enabled by default for you. • Important note for customers: If you have customized the list of audit events you are collecting, you may need to manually enable this telemetry.
  • 40. Detecting this behavior… • If more than 1,000 MailItemsAccessed audit records are generated in less than 24 hours, Exchange Online stops generating auditing records for MailItemsAccessed activity for 24 hours and then resumes logging after this period. • This throttling behavior is a good starting point for SOCs to discover potentially compromised mailboxes. MailItemsAccessedThrottling
  • 41. Hunt for Oauth apps reading mail via Graph API • In addition to looking for throttled telemetry, you can also hunt for OAuth applications reading mail via the Microsoft Graph API whose behavior has changed prior to a baseline period. OAuthGraphAPIAnomalies
  • 43. Additional Solorigate Guidance – MUST READ! • Microsoft Internal Solorigate Investigation Update • Customer guidance on recent nation-state cyber attacks • Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack • SolarWinds post-compromise hunting with Azure Sentinel • Advice for incident responders on recovery from systemic identity compromises • Solorigate Resource Center • Using Microsoft 365 Defender to protect against Solorigate - Microsoft Security (this deck)
  • 44. Additional Advanced Hunting Queries Attack stage Query link in GitHub repo General Microsoft Defender for Endpoint Threat and Vulnerability Management: •SolarWinds Orion software in your org Initial access Microsoft Defender for Endpoint: •Malicious DLLs loaded in memory •Malicious DLLs created in the system or locally •Compromised SolarWinds certificate Execution Microsoft Defender for Endpoint: •SolarWinds processes launching PowerShell with Base64 •SolarWinds processes launching CMD with echo •ADFS adapter process spawning: DeviceProcessEvents | where InitiatingProcessFileName =~”Microsoft.IdentityServer.ServiceHost.exe” | where FileName in~(“werfault.exe”, “csc.exe”) | where ProcessCommandLine !contains (“nameId”) Command and Control Microsoft Defender for Endpoint •C2 communications •C2 lookup Credential access Azure Active Directory (Microsoft Cloud App Security): •Credentials added to AAD app after admin consent •New access credential added to application or service principal •Domain federation trust settings modified •Add uncommon credential type to application •Service Principal Added To Role Exfiltration Exchange Online (Microsoft Cloud App Security): •Mail Items Accessed Throttling Analytic •Mail Items Accessed Anomaly Analytic •OAuth Apps reading mail via GraphAPI anomaly •OAuth Apps reading mail both via GraphAPI and directly
  • 45. Microsoft Security Best Practices Microsoft Security Best Practices | Microsoft Docs
  • 46. Privileged Access Workstations Why are privileged access devices important | Microsoft Docs