
Attack discovery and investigation with Azure Advanced Threat Protection



Presentation Transcript


  1. Attack discovery and investigation with Azure Advanced Threat Protection Astrid McClean THR3037

  2. THE DAILY NEWS Attack shuts down xxxxxx organization for 2 days Investigation determined that threat actor was present on network for over 5 months. Data sources indicate dozens of other institutions may be similarly impacted. Wrecking ball malware was used to distract victim and response teams from main attack.

  3. Attack timeline
  • 1 – Day 1: Attackers successfully target Patient Zero with backdoor malware
  • 2 – LATERAL MOVEMENT, Day 84 – 129: Moves laterally through network; obtains privileged credentials and accesses sensitive systems.
  • 3 – EXFILTRATE DATA, Day 134: Threat actor executes fraudulent transfers of funds.
  • 4 – DOMAIN DOMINANCE, Day 135: Uses remote code execution from a local machine to domain controller, gaining domain admin accounts
  • 5 – DENIAL OF ACCESS, Day 135: After customer detects fraudulent transactions, wrecking ball malware is delivered. Operations are brought to a halt!

  4. Maximize Detection During Attack Stages
  Products and the layer each one covers:
  • Office 365 ATP – Email
  • Windows ATP – End Point
  • Azure ATP (ATA) – User: Identity protection
  • Azure AD Identity Protection – Identity protection & conditional access
  • Cloud App Security – Extends protection & conditional access to other cloud apps
  Attack stages along the kill chain:
  • Phishing mail → Opens attachment / Clicks on a URL / User browses to a website
  • Exploitation & Installation → Command & Control
  • User account is compromised (Brute force account or use stolen account credentials)
  • Attacker attempts lateral movement → Privileged account compromised → Domain compromised
  • Attacker accesses sensitive data → Exfiltrate data

  5. Detect and investigate advanced attacks, compromised identities, and insider threats Azure ATP

  6. Detect advanced attacks throughout the kill chain
  • Reconnaissance: Account enumeration; Users group membership enumeration; Users & IP address enumeration; Hosts & server name enumeration (DNS)
  • Compromised Credential: Brute force attempts; Suspicious VPN connection; Suspicious groups membership modifications; Honey Token account suspicious activities
  • Lateral Movement: Pass-the-Ticket; Pass-the-Hash; Overpass-the-Hash
  • Domain Dominance: Golden ticket attack; DCShadow; Skeleton Key; Remote code execution on DC; Service creation on DC

  7. Demo Let’s Investigate an Advanced Threat!

  8. Demo Recap
  • Alerts timeline
  • Simple alert timeline
  • Using Honey-Tokens and Sensitive accounts
  • Real-life detections at compromised organizations
  • Investigation experience
  • Investigation through user activities & user behavior
  • Lateral movement path
  • Device suspicious activity – continue investigation in Windows Defender ATP

  9. Azure Advanced Threat Protection
  • Detect threats fast with Behavioral Analytics
  • Focus on what is important using attack timeline
  • Reduce the fatigue of false positives
  • Protect at scale with the power of the cloud
  • Best-in-class security powered by the Intelligent Security Graph

  10. Azure ATP Strategy What’s Next

  11. ROADMAP Preview Q4'2018
  Introducing: Unified identity investigation across on-prem & cloud activities
  • One SecOps experience to investigate identity activities across on-prem & cloud
  • Complete user-information & insights in Identity page
  • New detections & alerts for the hybrid organization
  • Identity Investigation priority – based on User and Entity Behavior Analytics
  Azure ATP · Microsoft CAS · Azure AD Identity Protection

  12. ROADMAP Preview Q4'2018

  13. Start using Azure ATP

  14. How do I get started using Azure ATP?
  • Crawl: Deploy Azure ATP to protect your primary user domains
    • Set sensitive groups and honeytoken
    • Look at the reports & lateral movement paths
  • Walk: Protect all domains & forests
    • Monitor all alerts – investigate lateral movement & domain dominance alerts.
    • Work with the security alert guide.
  • Run: Integrate the alerts into your SecOps flows.
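Slide 6 lists "Honey Token account suspicious activities" and "Suspicious groups membership modifications" among the detections, and slide 14 tells you to set sensitive groups and a honeytoken first. The script below is an added example that is not part of this deck and not Azure ATP's own code: it shows the underlying logic of those two detections over a handful of constructed Windows Security-log events. The account names, group names, hosts and IP addresses are made up; the event IDs (4624, 4768, 4769 for authentication, 4728/4732/4756 for group additions) are the standard Windows Security event IDs.

```python
"""Honeytoken and sensitive-group monitoring over constructed Windows
Security-log events (added example; not Azure ATP code)."""
from collections import Counter
from dataclasses import dataclass, field

# Assumed configuration (constructed names). A honeytoken account is a decoy
# that no person or service should ever use, so any authentication for it is
# worth an alert; sensitive groups are the ones whose membership an attacker
# needs to change on the way to domain dominance.
HONEYTOKEN_ACCOUNTS = {"svc-backup-legacy"}
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Standard Windows Security event IDs used by the two checks.
AUTH_EVENT_IDS = {4624, 4768, 4769}       # logon, Kerberos TGT request, Kerberos TGS request
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}  # member added to a global / local / universal group

# Constructed sample events, not real telemetry. "account" is the account that
# performed the action; "member" is the account added to a group.
SAMPLE_EVENTS = [
    {"event_id": 4624, "account": "alice", "host": "WS01", "src_ip": "10.0.0.5"},
    {"event_id": 4768, "account": "svc-backup-legacy", "host": "DC01", "src_ip": "10.0.0.77"},
    {"event_id": 4624, "account": "svc-backup-legacy", "host": "FS01", "src_ip": "10.0.0.77"},
    {"event_id": 4728, "account": "bob", "host": "DC01", "src_ip": "10.0.0.9",
     "group": "HelpDesk", "member": "carol"},
    {"event_id": 4728, "account": "bob", "host": "DC01", "src_ip": "10.0.0.9",
     "group": "Domain Admins", "member": "svc-tmp"},
]


@dataclass
class Alert:
    category: str
    account: str
    src_ip: str
    detail: str
    evidence: list = field(default_factory=list)  # event IDs that triggered the alert


def detect(events, honeytokens=HONEYTOKEN_ACCOUNTS, sensitive_groups=SENSITIVE_GROUPS):
    """Return alerts for honeytoken authentication and sensitive-group additions.

    Repeated honeytoken activity from the same source address rolls up into a
    single alert whose evidence list grows, so a burst of TGT/TGS/logon events
    produces one item in the timeline instead of one per event.
    """
    alerts = []
    honeytoken_alerts = {}  # (account, src_ip) -> Alert
    for ev in events:
        eid = ev["event_id"]
        account = ev.get("account", "")
        src_ip = ev.get("src_ip", "unknown")

        if eid in AUTH_EVENT_IDS and account in honeytokens:
            key = (account, src_ip)
            if key not in honeytoken_alerts:
                honeytoken_alerts[key] = Alert(
                    "honeytoken_activity", account, src_ip,
                    f"authentication activity for honeytoken account from {src_ip}",
                )
                alerts.append(honeytoken_alerts[key])
            honeytoken_alerts[key].evidence.append(eid)

        if eid in GROUP_ADD_EVENT_IDS and ev.get("group") in sensitive_groups:
            alerts.append(Alert(
                "sensitive_group_modification", account, src_ip,
                f"{ev.get('member')} added to {ev['group']} by {account} on {ev.get('host')}",
                [eid],
            ))
    return alerts


def summarize(alerts):
    """Count alerts per category, e.g. for a dashboard tile."""
    return dict(Counter(a.category for a in alerts))


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.category}] {alert.detail} (events: {alert.evidence})")
    print(summarize(detect(SAMPLE_EVENTS)))
```

Run as-is it prints one rolled-up honeytoken alert (two events from the same source address) and one sensitive-group alert; the HelpDesk addition and alice's ordinary logon produce nothing. In practice the events come from domain controller Security logs or a sensor such as Azure ATP rather than a hard-coded list, and the honeytoken alert is the high-signal one: the decoy has no legitimate use, so the question is only where the credentials leaked from.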

  15. Azure ATP Resources
  • Learn more about Azure ATP through our Technical Documentation
  • When you are ready, start a trial from our Azure Advanced Threat Protection Product Page
  • Join the conversation through our Technical Community or on Yammer.
  • Send us feedback through the Azure ATP console or email aatpfeedback@microsoft.com

  16. Take the Microsoft Security challenge and win! Find kiosks with these signs in the Expo Hall, West Building in the Security area. Take the short survey to collect a button. Collect all 4 buttons and win prizes! Identity & access management · Security management · Information protection · Threat protection

  17. Please evaluate this session. Your feedback is important to us! Please evaluate this session through MyEvaluations on the mobile app or website. Download the app: https://aka.ms/ignite.mobileApp Go to the website: https://myignite.techcommunity.microsoft.com/evaluations
