Thank you. Welcome to this session. Good afternoon, everyone. Hope you enjoyed lunch. I didn't have lunch, but I had a late breakfast, so everything's fine. We're going to talk about threat hunting with the Microsoft cloud. So who of you is familiar with Microsoft Azure? Just raise your hands. Okay, some of you, that's good.
Now a few words about me. My name is Tomek. I'm a Principal Cloud Security Architect working for Devoteam Alegri; we are part of the Devoteam group here in Germany, based in Frankfurt. In my role I am helping customers to leverage cloud services and to implement cloud services in a productive and secure way. So for example, customers start going to the cloud and say, well, let's start putting some virtual machines there, and they forget the whole security story. And this is when I come into play to help them. For today's agenda:
I initially should have had a session of about 30 minutes, but now that we have one hour, we can do lots of demos at the end. So hopefully the internet is working, because cloud without internet is not that funny. We're going to start with cloud security challenges: what are customers facing today in terms of cloud security? What actually is Azure Security Center?
What is the Microsoft Intelligent Security Graph, what is Azure Sentinel, and how do those three services belong together and maybe complement each other?
On Monday the federal criminal agency in Germany, the Bundeskriminalamt, published their cybercrime situation report for 2018. And what they say is that last year we had 87,000 cases of cybercrime, only in Germany. They estimated damage of about 60 million euros, but there's an immense dark figure.
And what Bitkom says is that actually there is an estimated amount of 100 billion euros per year as damage referring to cybercrime.
Now, why do I have a definition for governance?
I mean, we're in a threat hunting and cybersecurity session, right? Well, governance is essential for security. And if you look at this definition, then you see it comes down to policies, monitoring and implementation. We need to have policies in order to protect ourselves from ourselves. This is what I initially said: sure, I can put a virtual machine on Microsoft Azure or on AWS or on GCP, and surely I can give it management access to the open internet, but that's not the best idea, right? So monitoring: we need proper monitoring.
We need to see what actually happens in the environment. If we do not see it, we are blind, and if we are blind, we cannot react. And then there is implementation: how do we implement services in the cloud? It's not the same way we do it, or have done it, on premises.
I've got another definition for what cyber threat hunting actually means. Cyber threat hunting comes down to proactivity. It's not only getting information, but gathering information. It's searching to detect and isolate advanced threats in your environment. It's not only about networking.
It's also about logs and log analytics and all the stuff behind it. If you want to bring it down to a short definition:
well, it's like finding the ugly duckling, or in other words, it's like finding the needle in a haystack, because what we need to do is find this particular point which might smell fishy, which doesn't belong there, which doesn't seem to fit into the whole log process, right? So we need tools that help us achieve this goal.
Today's cloud security challenges are quite different compared to what they were back in the day. We have rapidly changing workloads, which means that cloud is very, very dynamic, which it's supposed to be, right? I mean, that's one of the value propositions of cloud computing: I can scale up, scale down, move left, move right, I can do whatever I want in a very short time. And this is what customers actually do. But there's also a security challenge, because I need to keep track of all the changes. We have more and more sophisticated attacks.
It's not only about phishing. It's also about really attacking one particular environment, one particular company, if you want. Attackers also use AI and ML mechanisms, and security skills are in short supply. We do not have enough people to keep track of all of this.
So what we need is some kind of machine learning or AI service which helps us to protect the environments. Back in the day, protecting your environment using the network perimeter was sufficient. Threats coming from outside were blocked at the outer boundary, the network boundary, at your firewall. But today that's not enough, because we have phishing and we have credential theft attacks. So we get emails.
I mean, we want to get emails. Sure, we can block port 25 to the internet and we won't receive any emails any longer. That could be good from a security point of view, but not from a working point of view, right?
And then our data is moving out of the network. We are sharing files.
I mean, you have files in the cloud. I've seen business contracts sent over WhatsApp. This actually happens. I mean, you shouldn't do that, but it happens. And so what we need to do is build the identity perimeter. Identity is the new perimeter. We need to protect our identities, because this is the only way, besides network security, to help us protect ourselves from attacks.
Now, I'm not saying get rid of your network perimeter. You still need your network firewall, whatever you had, but identity security is in addition to that. Okay.
Now what can we do in terms of identity protection? Okay, you can see it.
Well, the first thing you should do is use passphrases rather than complex passwords. Who of you is using Windows Server Active Directory? And do you have a group policy object that will block your user accounts after, let's say, five failed logins for a particular time?
Well, if you have, you have built-in denial of service. This is pretty cool, right? You do not want to have denial of service in your environment. Why do you have it? What actually happens is every authenticated user, so every user who's allowed to authenticate against your environment, can read this group policy object, and he can get a list of all the user objects you have in your Active Directory. Now bring both together and write your little PowerShell script that tries to log on with every user account,
let's say every 10 minutes,
and so your accounts will be blocked forever and no one is able to log on again. Or you go passwordless, and you will see a demo of this later on, going passwordless against the cloud environment, which in my opinion is pretty cool. The second thing is to implement multi-factor authentication: 99.9%. Let's say that in other words: only one attack out of 1,000 will possibly be successful if you implement MFA. In other words, one out of 1,000 attacks against environments are identity based.
Now, if you enable MFA and you start getting rid of passwords, then password attacks, like the one we're doing later on in the live demo, won't be successful any longer. Then there is a principle which is called the principle of least privilege. Sure, you can give every administrative user in your environment domain administrator and enterprise administrator rights, maybe schema admin or Exchange organization admin.
Why would you? Well, because you can, and because it might make administrators' lives easier, but not from a security point of view. The principle of least privilege means you only get the rights you need for your job. So if you do not need domain administrator rights, you won't get them. If you're a user administrator, you will get the right to manage user accounts, but not your servers.
Then there's a principle called privileged identity or privileged access management, PIM or PAM. This goes one step further.
So you won't get more rights than you need, but the rights you get aren't there forever; you only get them when you need them. Let's say that in other words: your administrative users are eligible to apply for rights, but they only get them when they need them to do their job. For example, you want to create a mailbox in Exchange Online. For that you do not need full access rights to your Exchange service. It's enough to have mailbox administrative rights.
I'm not sure what the role is called at the moment, but there is a role, or you can even build your own custom roles if you want. So you will only be eligible for this role, and you only get this role when you need it, and only for a particular time. And of course, I've mentioned monitoring before: this is all tracked, this is all monitored. So you will always know who had which access rights at what point in time, and then of course you can see what actually is done with these rights.
And then there are conditional access policies, which in fact bring it all together.
You do not want to challenge your users with an MFA challenge for every single logon, right?
Okay. So let's say if your users are working in their office, or if your users are working with a corporate-owned device, then you could say, okay, in these cases I do not want to challenge my users with an MFA challenge. But if they're working with their private devices, or if they're working from anywhere I do not want them to work from,
or if there is a user logon from, let's say, New York, and the user has never been in New York before, then you could say, well, there's something not the way it should be. So let's challenge the user with an MFA challenge. If the challenge is accepted, so if the user can prove that he is who he claims to be, then you can say everything's good.
But if he does not, you block this logon attempt. Now, I do not say you need to implement all these principles, but you should, because if you don't, then you could say, well, it's not a security breach if it wasn't secure before, right? And if you adhere to these principles, you might end up like this.
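The conditional access rules just described, as an added example that is not part of the talk: a small Python policy evaluator (the office network range, the country codes and the "baseline" of known sign-in locations are constructed assumptions) that skips the MFA prompt on the office network or a corporate device, challenges on an unmanaged device, a disallowed location or a country the user has never signed in from, and blocks when the challenge fails.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Policy inputs are constructed for this example (RFC 5737 test range, made-up country code).
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # office egress range
DISALLOWED_COUNTRIES = {"ZZ"}                                  # places nobody should work from
ALLOW, MFA_REQUIRED, BLOCK = "allow", "mfa_required", "block"


@dataclass
class SignIn:
    user: str
    source_ip: str
    country: str
    corporate_device: bool
    mfa_result: Optional[bool] = None  # None: not challenged yet; True/False: challenge outcome


class ConditionalAccess:
    """Toy decision engine for the rules described in the talk (not Azure AD's own logic)."""

    def __init__(self, baseline):
        # user -> countries seen during the learning period (the 14-30 day baseline)
        self.known_locations = {u: set(c) for u, c in baseline.items()}
        self.audit = []  # every decision is recorded: monitoring is part of the policy

    def _from_office(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in CORPORATE_NETWORKS)

    def _triggers(self, s):
        reasons = []
        if not (s.corporate_device or self._from_office(s.source_ip)):
            reasons.append("unmanaged device off the corporate network")
        if s.country in DISALLOWED_COUNTRIES:
            reasons.append("sign-in from a location that is not permitted")
        # Assumption: a country never seen for this user is challenged even on a corporate device.
        if s.country not in self.known_locations.get(s.user, set()):
            reasons.append("first sign-in from this country")
        return reasons

    def evaluate(self, s):
        reasons = self._triggers(s)
        if not reasons:
            decision = ALLOW            # office or corporate device, known location: no MFA prompt
        elif s.mfa_result is None:
            decision = MFA_REQUIRED     # challenge the user; decide once the answer comes back
        elif s.mfa_result:
            decision = ALLOW            # user proved to be who they claim to be
            self.known_locations.setdefault(s.user, set()).add(s.country)
        else:
            decision = BLOCK            # challenge failed: block this logon attempt
        self.audit.append((s.user, s.source_ip, s.country, decision, reasons))
        return decision
```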
And again, MFA, only MFA, will protect you from 99.9% of all attack attempts. Now let's talk about Azure Security Center for a bit. Who of you is familiar with Azure Security Center?
Okay. Whoa.
So Azure Security Center is a service running on Azure which helps you protect your environment, and it does it in different ways. The first thing is to strengthen your hybrid security posture. So what it does is it will give you insights into how secure your hybrid environment is, and hybrid in this case doesn't only mean cloud and on-prem, but also multi-cloud, because what you actually do is install an agent on your virtual machines or on your on-premises servers, on your physical machines.
This agent is reporting back to the backend service, and then you will see what configuration issues you might have, and then you can remediate them. This looks like this. I'm not sure if you can see it back in the last row, but we can zoom in later in the demo. So we have a section where you can identify shadow IT subscriptions.
I mean, in a company, and I've often been in companies where something like this happens, subscriptions are deployed from team to team to team, and the internal IT, or the owner of the Azure tenant, doesn't know about all the subscriptions.
There are times that you're sitting together with a customer and Microsoft, and Microsoft says, well, you have 25 subscriptions. The customer's like, no, I have two. No, you have 25, because I can prove it, it's in my system. So with Security Center you will know about the subscriptions. This is what I've mentioned before.
These are the recommendations. So what we see here, for example, is that MFA should be enabled on all accounts with owner permissions,
and MFA should be enabled for all the accounts in your environment. Or, for example, you should patch your virtual machines or your physical machines to the latest patch level. These are all recommendations which are reflected in Azure Security Center. And then there are continuous assessments with these. This is the network map you get from Security Center.
You see at a glance if you have a configuration issue in terms of security. Let me give you an example for this. This is a network hierarchy I've built at a customer site, but it's a little bit strange. So what we had at the end was an on-premises network; we had a network in between, which is, let's say, the jump network, the network where your virtual private network terminates, with a jump box next to it;
there was a third network, which only had an Azure Firewall as a network virtual appliance in it; and on the far right side you see lots of spoke networks. In these spoke networks there were OpenShift and Kubernetes clusters and Jenkins servers and stuff like this.
So when we deployed this, and it was a process of six to nine months, at one point in time a developer said, well, that's not the way I want to work, because I have to log on to the jump box, from the jump box to the next server, through the firewall, to the Jenkins server, to deploy my stuff. I don't want that, but I'm a developer and we are in an environment where we're developing. What I could do is take one of my virtual machines and give it management access to the open internet.
And he did. Well, if you do so,
and I tell you that at this point in time the Azure Firewall had only one rule, which said any-any, so it was only a router, it wasn't a firewall at this moment, at this point in time something could have happened which you never ever want to have. Because if this server is compromised, you will get in trouble back to your on-premises network. And this is where the network map helped.
Because on the same day I was looking at the network map and I saw one of the red exclamation marks. I clicked there and it said, well, you have an open management interface on one of your servers in one of your 900 virtual networks. So we could close it, we could talk to the developer again, and he will never ever do it again, and now he understands why he shouldn't do it. But you see, it's easy to implement security issues in your environments, so you need a tool that helps you keep track of it. Now, adaptive threat prevention.
What does it mean? Well, Security Center integrates into Microsoft Defender ATP for Windows machines and into advanced threat detection for Linux servers.
Do you know about Microsoft Defender ATP?
Well, this is a kernel-based solution, so it's integrated into the Windows operating system today, which will find security issues on your Windows server. In the live demo later we will do it on Windows and Linux servers. We will see some, let's say, real-time alerts that are reflected in Security Center, and they are coming from Microsoft Defender ATP. And then there's intelligent detection and response, because of the integration into the Intelligent Security Graph.
Now, let's talk a little bit about that. The Intelligent Security Graph is, let's say, the back end of all the security-based services Microsoft uses. What you see in the center is that there are 6.5 trillion threat signals that are analyzed every day. And they're fueled by lots of sources, for example outlook.com and the Xbox Live network and Bing and the old MSN networks and all the publicly available authentication-based networks Microsoft has out there; they are putting information into the security graph, but the security services are also giving their information back to the graph.
And they're fueled by the graph again. This works in this way: the graph starts with having some sample zoos and honeypots and all the servers that are there to be attacked. If there is an attack which is found, then this information will feed into the security graph, where data is collected, analyzed, and then published to Microsoft's internal APIs.
From there it fuels all the security-related services, for example on the left side Azure Sentinel and Azure Security Center, but also Microsoft Defender ATP, Office 365 ATP and Microsoft Cloud App Security.
So all services that are related to security in the Microsoft environment rely on the security graph. And then there are hunters. These are people, this is not a solution; there are people that identify attacks either in the Microsoft network, in the Microsoft environment, or at customer sites. The information they gather is again fed back to the security graph, where it's collected, analyzed, and then again published to internal APIs.
Now, the interesting thing here is: if I sent an email to any one of you with a bad attachment which might not be found by an antivirus solution, by one of those we had back in the day with the antivirus signatures, and Exchange Online Protection finds that this is malware, then the information about this particular item is fed back to the security graph. And if any one of you downloads a file in his tenant,
so in a completely different Azure environment, downloads a file which contains the same malware, Microsoft Defender ATP or Azure Security Center will inform and warn you. Why? Because all the information is anonymized and fed back to the security graph and then used by all customers that are using any of their solutions. Microsoft published the Intelligent Security Graph for third parties.
So if you're developing a third-party solution and you want to rely on this information, you're allowed to, so you can have integration into SIEMs, for example into Splunk or into QRadar or other third-party solutions, and then query all the backend services you have there and get a response from there. You can even trigger actions. For example, you could say, well,
if there is a user who is under attack,
so let's say we estimate that the user's credentials have been leaked, then you could block the user from logging on with a simple command, or you can block management ports on a virtual machine when you say, well, in my opinion this machine is compromised. So you can simply block management access to it, or block network access to it.
Now, Azure Sentinel is one of the solutions we've mentioned before, and in fact it's Microsoft's SIEM or SOAR solution. Who of you already had a chance to get a glance at it, to get hands-on with Azure Sentinel? Okay.
It's a pretty new solution, and it went GA, generally available, in September of this year. Let's build this slide together. What you have there is, on the one hand, the integration into the security graph. You can integrate it with other security solutions.
So you can get information from your AWS environments, from your GCP environments, from your Azure environment, but also from all the Microsoft tools they have in the backend, for example Office 365 or Azure Active Directory, or your on-prem AD, or whatever you have, you name it. It's enriched with intelligence.
So there is AI and ML in the back end which helps you to find this needle in the haystack if there is something wrong, and this is not only malware, but it's also when
someone tries to attack you. And you can integrate it with community tools, ServiceNow and other tools. Community at this point means you can use Jupyter notebooks, and on the GitHub community there's a whole site with lots of those notebooks to help you hunt down a particular threat.
May I just interrupt you for a second? I have a small technical announcement. There are these large windows in the roof which will be closed now to raise the temperature a little bit. It may be loud for a minute or two. So, okay.
I can speak up louder. So be prepared for that. Sorry for the inconvenience. Thank you. Okay. But you'll see Azure Sentinel later in the demo. So I think I have three key takeaways. First of all, assume breach. It is not a question if we are attacked, but when.
And then the second is: have your monitoring ready, because when we are attacked, we want to know about it. So we need to have massive telemetry. We need to have all the information. And in fact, this is a discussion with the German workers' council
I often had: it's not about monitoring your employees. It's about gathering information about your network and your environment's security. And only if we have this information can we make some educated guesses. And this in fact is what ML and AI do.
I mean, what we are doing in the back end, let's say we take Azure Active Directory Identity Protection. What they are doing there is they will first analyze your users' behavior for 14 to 30 days. Because if you do not have a baseline, how do you want to say, well, okay, this was suspicious or unexpected, right? So we need to have data, data, data and data. Yeah. And then we should leverage AI- and ML-based tools such as the Intelligent Security Graph or Azure Sentinel or Azure Security Center or whatever there is on the market. Any questions so far?
Yes. Sorry,
I didn't get that. But you've got a microphone.
If you collect data for your baseline, yeah, assume you're already hacked. How good is your baseline then?
Okay.
Well, first of all, yeah. I mean, you need to start at a point in time, and you need to collect the data for a baseline.
So if you say, well, let's start today, and we are already hacked, then the user baseline wouldn't help you any further, because then you say, well, this is usual behavior, we have it every day or every week or whatever. You're absolutely right. But then you need to think in a different way. I mean, it's not only about the users and only about the user activity. It's also about what actually happens on your backend services, on your servers, on your cloud services. And you will see it later.
This is where ML will help you, because then you can bring it all together. You can get a big picture of what actually happens. And this is what threat hunting at the end is. It's not only getting information, but it's also bringing it together
and then finding out what actually happens. But you're right.
If you simply start creating a baseline and the baseline is also compromised, it won't help you further.
Any other questions? Okay. Then I would say, let's start the demo. Let me see if that works. That looks good. Okay.
Well, first of all, I'm starting my Tor client, because I want to be anonymous, and then I'm connecting my smartphone. Here you go. Okay. Now what I'm doing is, first of all, I will start a password attack against my environment and another password attack against Azure. Let's run that for a while. Okay. And then I'm going to show you what it actually means to be logged on without having a password.
Nope, no.
That user should not have been logged on already.
Well, the network is actually working, which is pretty good. Now, where's my smartphone? Here we go. Okay. So we have two options. Option one, and this is what I have configured here, is to use the Microsoft Authenticator app on your smartphone to log on. So I did not enter a password here. I only entered the username, and it tells me, well, in your app, please tap 53. And I'm doing that now.
Then I have to authenticate, which in fact is multi-factor authentication, because now I'm asked for my identity, and I'm in. This is pretty cool, because no one likes passwords, while attackers do, because passwords can be guessed or can be phished. I don't think that I will lose access to my smartphone. Maybe I will. But even then you need my fingerprint or my face to be able to unlock it again. So it's all about raising the bar for an attacker. And the second option we have is to log on with a security key.
What I have here is a little FIDO2-based security key which I can use, here we go, which I can use to log on against Azure Active Directory. So
let's stick it in here. Oh, there was a sign-in request. Now I want to use a security key. What I need is a PIN, but it's only a local PIN for this security key, so it can be used on my machine. I used a very small PIN, and now I have to touch it. So I'm in again. Now I could say, well, okay, but if the PIN is 12345, I can guess it.
Or I can do kind of a brute force against this PIN. Well, you can, but after every attempt you have to touch this little tiny piece of hardware. So first of all, you need to have physical access to the security key, and then you have to touch it every single time you enter a PIN in order to have the PIN checked or approved. So that's not good for brute force, right? But you see, I'm in. I have two options to log on without having a password today.
There still is a password option in there, but you will soon be able to remove the password option from the user.
At least that's my opinion. I think that will come. Yes. So what happens if you lose both your smartphone and the security key? Well, then you're in trouble. Best practice here is not to rely on only one security key, because it's a piece of hardware and it can break, right? So you should have at least two security keys, and you shouldn't take both security keys with you.
So in this case you would lose access to your smartphone and your security key, but you will still have another security key to log on against your user account. Okay, now let's close this again. Here we go.
Now, what I've prepared yesterday is my Azure Security Center.
So this is what Azure Security Center actually looks like. Well, that's not the best screen resolution for it, because now we have to scroll, but if you have a large screen at home, you can have it on one screen. And it's really, really good from the view, I think. What I've mentioned before is what we have here: resource security hygiene. So what we see are the recommendations that Azure Security Center will offer us regarding our environment.
So what they say here is I should enable secure transfer on all my storage accounts, and I can quick-fix it, so I can click there and it will be remediated for me. Secure transfer in this case means that I will only allow TLS-based encryption in the communication channel to my storage accounts. Or we should enable just-in-time network access. So we have management interfaces which are open to the internet, and we should block them, which in fact is something like privileged identity management:
I will only open my management ports when I need them, and I will close them again when I'm done.
There are other best practices. Disk encryption should be applied on virtual machines. This is not encryption at rest, so it's not about protecting your virtual disks which are stored on a storage account, because there is encryption already, but it's about encrypting your virtual machines from within the operating system using BitLocker or dm-crypt. And then there is threat protection. And what we see here, this is from yesterday. Let's move that again.
We have lots of alerts which have come in here, a security incident and some single alerts that will tell us, well, there's something very, very strange going on here, you should do something now. And now really means in real time. So we will get the information, in this case it was Microsoft Defender ATP on the Windows server which told us what happened; we will get these in near real time. So let's move back to this demo here. That's working, which is absolutely fine, but I've prepared another script.
And what we do here now is a brute force attack against one of my servers. This is a virtual machine, a Windows, no, a Linux virtual machine running on Azure with an open SSH port.
And while this takes a minute, what an attacker actually will do is something like this. He or she will try to find out which ports are open. And what we see here is that there is an open port 22 on this IP address, which in fact is the Linux server we are currently attacking.
And oh, what we see here is we've been successful. We have user Tom and a password, which is "security rocks". So let's try to log on: 3 1 0 1 1 8 7. This is 187, not 182. Okay. It would have worked if I had entered "security rocks". Here we are. Now what we have done is a successful brute force against a Linux server running on Azure.
This is something Microsoft encourages you to do.
So they don't say this is not allowed, as long as you're only attacking your environment, and I mean your servers; that's absolutely fine for pentesting and for whatever you're doing. But please do not do that with servers that do not belong to your environment, or to a backend service, because then you're going to be in trouble, right? Okay. Now that we're in the server, the next thing to do is to scan the internal network to see, hey, I'm not alone.
So let's see who's around here. And we see there are other servers with other open ports, SSH and the Microsoft Remote Desktop Protocol. So let's move one step further. Now we're on the next server. And what we could do is start PowerShell, because we see that this is a Windows server. And in PowerShell you could do something like get your IP address. This in fact is Invoke-RestMethod; that's the command I've just run, Invoke-RestMethod to ipinfo.io/json, and then only expand the IP property. And then we will see the external IP address of the server.
This could be a firewall's IP address, but in this case it's a management IP address of the server. So we're going to move to this machine. And this is the red one here,
and where's the red one? There's a green one. Okay. Let's say the green one is the attack target, and the red one is the server we are using to attack the green one in the same network. On the green server I have a folder on the C volume which is called malicious, MTSS C. Now moving to the red
server.
And I've prepared some commands here.
The first thing is we are using WMI to copy svchost.exe from the green server to the malicious folder. So let's do it.
Well, do we have power here? I only have 7% of my battery left, so the server will go to sleep, guys. Okay.
So let's talk further. So what we've done is we've copied svchost.exe, and I'm now starting a process from this exe file. Let's switch to German. Okay? Okay. So let's go back to the green server. You see now the svchost.exe here, and we have only used WMI to do this. There's nothing bad in it actually, but maybe Security Center will already give us some information about this. Now let's see if we have a new alert. Not yet here. Let's see if I've got an email.
Not yet, but it will come, I'm pretty sure. Oh yeah. Great.
So
that's live. Yep. Great. Thank you. Okay. The next thing to do is to run PsExec, so a remote process call, if you will.
Here again. Now I'm starting a remote shell, a remote CMD, on the green server from the red server. We'll see it up here, because the label will change as soon as it was successful. Here we are. So let's say hostname. You see it's WindowsVictim2, which is the green server; Victim1 would be the red server. Who of you knows Mimikatz?
Ah, okay. Now you all know this is not a tool you want to have in your environment, right? You do not want to have it executed on one of your servers, which is what I've done just now. And what we can do with it is find out what our logon password hashes are. Okay. What, okay. Oh, I see. Come on. Here you go. What we have here now is the NTLM and SHA1 hashes of one of my users, Tom, which is a local user I logged on with. If you imagine this would be your local administrator, let's say your administrator went down to one of your employees and helped him or her on the machine. So he or she logged on, logged off again, and the hashes are cached. Now the attacker has access to the hashes. And what I'm doing now, as the last thing, is I'm using regsvr32 as a process to download malicious content.
Come on. Hey, come on again. We are still on the green server, right? So we now move to the malicious folder and I'm running this command, which doesn't look that bad actually. But what it did, what it should have done now is... here it is. It downloaded the test virus to this folder. So in fact it was a PowerShell download in the back end, and you didn't even see it when starting this command line. Now let's see what Security Center and Azure Sentinel will tell us about this. First of all, let's refresh that. Here we go. Date is 11/13, which is today. We now already have four new alerts.
Suspicious svchost process was executed. Malicious credential theft tool was executed. And there was a potential attempt to bypass AppLocker, which was the last thing we did when we downloaded the EICAR virus file. So we get this information in real time and not only after 200 days, which is the average time that an attacker will reside within a company when the company is attacked. Let me say that in other words: it takes an average time of 200 days to find out that you have an attacker in your environment.
Now with the help of MDATP, Security Center and Sentinel, you will find it out in, let's say, five seconds, if he's as loud and noisy as I was just now. But if not, then again we are back to threat hunting, so finding out what actually happens in the environment, and this is when Azure Sentinel comes into play. Azure Sentinel relies on two things. It relies on the one hand on the Intelligent Security Graph, and on the other hand on Log Analytics, which is a big data warehouse for log files.
So everything you're tracking, everything you're logging is logged in the Log Analytics workspace, and you can use Sentinel to hunt it down. And what we see here is not what I would expect to see at the moment, because I have lots of wire data here; there should be others, because what I'm doing currently, as we remember, is running a brute force attack against the environment, against one of the servers. And it's not the brute force that took only 30 seconds that we saw in the demo, but a real brute force.
So I'm running thousands of usernames and billions of passwords in two lists against the environment. And as you all know, brute force is very noisy, so it's pretty easy to find out that someone tries to guess your passwords, and this is something you can easily block. But what about password spray attacks? So only a few passwords against lots of user accounts.
Well, this is something we are currently running in PowerShell. Let's see if that was successful already. Oh, looks good. Well, I've created a PowerShell script to do a password spray against Azure AD. And I know these are passwords that I have created, and I have put them for the demo into the text file. But if you now imagine that, let's say, 2% of all the users worldwide are using one of 10 well-known passwords, "password", "123456", something like that, then you know that a password spray attack can be successful.
The downside is you didn't really have a good time finding out that there's a password spray attack running against your environment when you're on Azure AD, because what I'm doing with my script is a non-interactive logon. So I'm using the CLI to log on against Azure AD. And I'm doing it in a way which is not too noisy. Now, in the sign-in logs in Azure AD, you didn't see it, even at the beginning of October.
Now, shortly before Microsoft Ignite, the big conference last week in Orlando, I did the demo again. And then I saw: oh, we now have the sign-in log information from those, well, not-so-noisy password spray attacks in the sign-in logs, and Azure Sentinel helps us to track it all down. So one thing is, it's not like Azure Security Center, where you get it out of the box. You have to do some custom management on it. You have to create your own baselines, your own rules. You have to know what you're looking for. And this is when the Jupyter workbooks come into play.
So you can really create large workbooks of simple or not-so-simple steps that you want to have in a particular order when you're hunting for, let's say, identity theft. What I've done is I've created some of those rules. For example, I want to see all security alerts which are generated by Azure Security Center and which have the alert level high. And then I will get an alert in Azure Sentinel. But what we also have is that there are incidents created based on what Azure Security Center finds.
And when we look into this, we see that in the last 24 hours we had 29 new incidents, for example a potential attempt to bypass AppLocker, what we've seen before, or a PsExec execution, which in fact is just informational. It just says, hey, someone has created a PsExec process on your server. This might be good, this might be bad. It's not the system's decision, but it tells you. Now, if you go to Investigate, we will see the investigation graph. So what we see up here is the PsExec execution as one entity, and we see all the related entities to it: a cmd process, a cmd.exe file, a workgroup, WindowsVictim2, a user account; so the computer, the machine account and the computer account, in here.
Now, if we go to the computer account and we say related alerts, then we will see... what's that? So we only had one PsExec execution, but what Fusion and the Intelligent Security Graph do for us is bring all this together into context. So now we have the server as an entity in the middle of it. We have PsExec as one process which is related to the server. But then we see there are lots of other alerts which are related with the server, and now we can dig into it deeper and deeper. So we see here there was a suspicious process execution, there was a suspicious authentication activity. What is this? Well, what could be a suspicious authentication activity? A brute force or password spray attack. So also the brute force we've done is seen here.
So, now we don't have the time, but if we would now dig into all of these bubbles, we would find out that a user from Berlin has done a brute force attack against the server, which was successful, then started moving from server to server and created some suspicious processes and did some bad stuff. And we will find out who it was, given we have the IP address; we will see the IP address from which the alerts, or the attack, is coming. And so this is what Azure Sentinel helps us with, or gives us, to really hunt down threats.
And one thing I would like to show you at the end. I've mentioned that we had only seen... no, I haven't mentioned it. We have created this suspicious PowerShell process using regsvr32.exe, right? To download the EICAR test file. But we only saw this command line. Now let's see where it is. That should be the living-off-the-land alert. Okay, I didn't select it. Microsoft Defender ATP has recognized that thing. Now we didn't see it here, then let's go one step further, because there are hunting queries. And one of the hunting queries is PowerShell downloads.
And now we have two results within the last 24 hours. If we go to view results, then we are in the Log Analytics workspace. This is what Log Analytics looks like. So this here is the so-called Kusto Query Language. It's pretty similar to T-SQL. And with it we can find all the information from all the tables, all the alerts, all the logs we have in the Log Analytics workspace. And if we go to 11/13, that's today, then you see there was a process command line, which is powershell Invoke-WebRequest -OutFile eicar.com -Uri eicar.org/download/eicar. And this is what the command line in the DLL was that we started using regsvr32. So, as a few last words: we need to have massive telemetry. This is what we mentioned before. You need to log everything from everywhere in your environment, but then you need to know where to find it. And I think that's the hardest job to do.
And this is where the Security Graph in the back end does a very good job to bring it all together, to tell you, hey, there's something suspicious, there's something which is not usual in the environment. And if we bring this together, then we have a good solution to see what actually happens in the environment.
Okay. So we have three minutes left, let's say just in time. Are there questions? Yes.
So, thank you. My question would be: those are really great detection capabilities and monitoring capabilities. Are there also capabilities for preventing these attacks? I mean, some of them were pretty obvious.
Absolutely. So Sentinel and Azure Security Center will not prevent the attacks, they will only inform you. But what you have are the other solutions you saw in the picture from the Intelligent Security Graph, so the ATP solutions, Advanced Threat Protection. These are the solutions that help to really protect you from such an attack. So in fact, the attacks I've done on the Windows server would not be possible on a vanilla Windows server if you install it today. If you have MDATP enabled, it will immediately block everything we've done before, but, well, I've done two steps before starting it, and I've modified something so it was possible to do so. But also in Office 365 and all the other solutions, Azure Active Directory, you have Azure Active Directory Identity Protection, which, based on ML and AI, will calculate your user risk. So for example, if you are in Berlin, you log on against your environment and everything's cool, and five minutes later you log on from New York, then the system will say no, this is not possible. What should we do? Well, we will challenge you with an MFA challenge. If you can prove you are who you claim to be, everything's good. If you do not, your user is a risky user, and then you can decide what to do with a risky user.
Other questions? So thank you for coming here after lunch. I hope it was not too boring. And so, see you later in the afternoon.
Well, thank you very much, Tom. That was really impressive. Thanks a lot. Thank you.
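Editor's added example, not part of the talk above or of the speaker's demo scripts. The talk draws the line between a brute force (many passwords against few accounts, very noisy, easy to block) and a password spray (a few passwords against many accounts, quiet, and something you have to write your own Sentinel rule for). The Python below reproduces that hunting logic offline over a constructed set of Azure AD-style sign-in events: per source IP, a sliding time window over failed sign-ins, many distinct users in one window flags a spray, many attempts against one user flags a brute force, and any success from the same IP after the failures is surfaced as the part worth an incident. The event shape, addresses, user names and thresholds are assumptions made for the example, not the talk's data or Sentinel's own query.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_signins():
    """Constructed Azure AD-style sign-in events for the example (not real log data).

    Each event: (timestamp, user principal name, source IP, result).
    """
    base = datetime.fromisoformat("2019-11-13T12:00:00")
    events = []
    # Benign: one typo, then a successful sign-in from the user's own address.
    events.append((base, "alice@contoso.example", "192.0.2.5", "failure"))
    events.append((base + timedelta(seconds=20), "alice@contoso.example", "192.0.2.5", "success"))
    # Password spray: one attempt each against twelve different users from one IP,
    # paced 30 seconds apart so no single account ever locks out.
    for i in range(12):
        events.append((base + timedelta(minutes=5, seconds=30 * i),
                       f"user{i:02d}@contoso.example", "203.0.113.7", "failure"))
    # ...and one of the sprayed passwords worked for tom.
    events.append((base + timedelta(minutes=12), "tom@contoso.example", "203.0.113.7", "success"))
    # Brute force: a single account hammered fifteen times in thirty seconds.
    for i in range(15):
        events.append((base + timedelta(minutes=20, seconds=2 * i),
                       "admin@contoso.example", "198.51.100.9", "failure"))
    return events


def hunt_credential_attacks(events, window=timedelta(minutes=30),
                            min_failures=10, spray_min_users=8, brute_min_per_user=10):
    """Classify each source IP as a password spray, a brute force, or nothing.

    For every IP the failed sign-ins are scanned with a sliding time window;
    many distinct users in one window means spray, many attempts against one
    user means brute force. Thresholds are assumptions chosen for the sample.
    Returns {ip: {"verdict", "failures", "distinct_users", "success_after"}}.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(ts, user) for ts, user, result in evs if result == "failure"]
        if len(failures) < min_failures:
            continue
        max_users_in_window = 0
        max_per_user_in_window = 0
        in_window = Counter()
        start = 0
        for ts, user in failures:
            in_window[user] += 1
            # Drop failures that fell out of the window behind the current event.
            while ts - failures[start][0] > window:
                old_user = failures[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            max_users_in_window = max(max_users_in_window, len(in_window))
            max_per_user_in_window = max(max_per_user_in_window, max(in_window.values()))

        if max_users_in_window >= spray_min_users:
            verdict = "password_spray"
        elif max_per_user_in_window >= brute_min_per_user:
            verdict = "brute_force"
        else:
            continue
        # A success from the same IP after the first failure is what turns an alert into an incident.
        first_failure = failures[0][0]
        success_after = sorted({user for ts, user, result in evs
                                if result == "success" and ts >= first_failure})
        findings[ip] = {
            "verdict": verdict,
            "failures": len(failures),
            "distinct_users": len({user for _, user in failures}),
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in hunt_credential_attacks(build_sample_signins()).items():
        print(ip, finding)
```

On the sample data the spraying address is reported as `password_spray` with twelve distinct users and `tom@contoso.example` as the account that succeeded afterwards, the hammering address as `brute_force` with no success, and Alice's typo is never reported. In Sentinel the equivalent hunt is the same shape in KQL: summarize failed sign-ins by source address, count distinct user principal names per time bin, and join back to the successes from that address.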