Investigation and Forensics Controls with M365 Security
When discussing security investigation and forensics, take the word “prevent” out of your vocabulary: organizations have realized that stopping sophisticated cyber attacks is, in many situations, unrealistic.
Note: this post is an introduction to investigation with Microsoft 365.
Cyber attacks are driven and motivated by various factors, ranging from ideology and financial gain to commercial espionage and even nation-state-driven scenarios.
The threats are continually evolving, targeting all organizations while becoming more prevalent and high-profile. Today’s attackers are patient, persistent, and sophisticated; they attack technology and, increasingly, people and processes.
Criminals are targeting commercially sensitive information, intellectual property, and critical network infrastructure. These threats may come from attackers both within and outside your organization.
Some of these may seem harmless and others far more damaging and malicious in their intent. Any intrusion into an organization’s infrastructure can lead to operational expenses, reputational damage, and loss of competitive advantage, not to mention regulatory fines.
No organization wishes for its closely guarded secrets to be traded or leaked, or for its brand to suffer adverse media attention.
In response, many vendors are creating products and services to help counter the threat. Organizations deploy security controls and other security tools, such as intrusion detection systems, data leakage prevention, visibility systems, and many others.
Organizations are also implementing sophisticated vulnerability management programs to identify and remediate vulnerabilities on time. Despite this array of available technology solutions, attackers continue to find a way through, resulting in high-profile and damaging breaches that continue to be publicized in the media.
The effect is simple: in many cases, organizations find themselves in the middle of a cyber incident without the ability to respond to and investigate it. In other cases, the existing security tools and infrastructure do not support the necessary investigation, or the information they hold is never used.
Basic steps for Investigations
Tracking digital activity allows investigators to connect cyber communications and digitally stored information to physical evidence of criminal activity. There are critical steps in forensics for those working in the field, all of which contribute to a thorough and revealing investigation.
Whether related to cyber activity, criminal conspiracy, or the intent to commit a crime, digital evidence can be delicate and highly sensitive.
Cybersecurity professionals understand the value of this information and respect the fact that it can be easily compromised if not properly handled and protected.
For this reason, it is critical to establish and follow strict guidelines and procedures for activities related to computer forensic investigations.
Such procedures can include detailed instructions about when computer forensics investigators are authorized to recover potential digital evidence, properly prepare systems for evidence retrieval, store any retrieved evidence, and document these activities to help ensure the authenticity of the data.
A vital component of the investigative process involves the assessment of potential evidence in a cybercrime. Central to the effective processing of evidence is a clear understanding of the details of the case at hand and, thus, the classification of cybercrime in question.
For instance, if an agency seeks to prove that an individual has committed crimes related to identity theft, computer forensics investigators use sophisticated methods to sift through hard drives, email accounts, social networking sites, and other digital archives to retrieve and assess any information that can serve as viable evidence of the crime.
This is, of course, true for other crimes, such as engaging in online criminal behavior like posting fake products on eBay or Craigslist intended to lure victims into sharing credit card information.
Perhaps the most critical facet of successful computer forensic investigation is a rigorous, detailed plan for acquiring evidence. Extensive documentation is needed before, during, and after the acquisition process. Detailed information must be recorded and preserved, including all hardware and software specifications, systems used in the investigation process, and the systems being investigated.
This step is where policies related to preserving the integrity of potential evidence are most applicable.
General guidelines for preserving evidence include the physical removal of storage devices, using controlled boot discs to retrieve sensitive data, ensuring functionality, and taking appropriate steps to copy and transfer evidence to the investigator’s system.
To effectively investigate potential evidence, procedures must be in place to retrieve, copy, and store evidence within appropriate databases. Investigators typically examine data from designated archives, using a variety of methods and approaches to analyze information.
These could include utilizing analysis software to search massive archives of data for specific keywords or file types and procedures for retrieving files that have been recently deleted.
Data tagged with times and dates are particularly useful to investigators, as are suspicious files or programs that have been encrypted or intentionally hidden.
Documenting and Reporting
In addition to comprehensively documenting information related to hardware and software specs, computer forensic investigators must keep an accurate record of all activity related to the investigation, including all methods used for testing system functionality and retrieving, copying, and storing data, as well as all actions taken to acquire, examine and assess the evidence.
Not only does this demonstrate how the integrity of user data has been preserved, but it also ensures proper policies and procedures have been adhered to by all parties.
As the purpose of the entire process is to acquire data that can be presented as evidence in a court of law, an investigator’s failure to accurately document his or her process could compromise the validity of that evidence and, ultimately, the case itself.
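The integrity record described above is easiest to keep when every action on an artefact is logged together with a cryptographic hash of the artefact at that moment. The following is an added example, not code from the original post: a minimal chain-of-custody log that hashes evidence at acquisition and can later prove whether a working copy is still identical. The case id, investigator name, tool names and the evidence file are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk_size=1 << 20):
    """Return the SHA-256 hex digest of a file, read in 1 MiB chunks so that
    large evidence files (disk images, mailbox exports) never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only record of every action taken on a piece of evidence.

    Each entry captures who did what, when, with which tool, and the hash of the
    artefact at that moment, so any later change to the artefact is detectable.
    """

    def __init__(self, case_id, investigator):
        self.case_id = case_id
        self.investigator = investigator
        self.entries = []

    def record(self, action, path, tool, note=""):
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "case_id": self.case_id,
            "investigator": self.investigator,
            "action": action,  # e.g. "acquire", "copy", "examine"
            "path": os.path.abspath(path),
            "sha256": hash_file(path),
            "tool": tool,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def baseline_hash(self, path):
        """Hash recorded the first time this artefact was logged (normally at acquisition)."""
        path = os.path.abspath(path)
        for entry in self.entries:
            if entry["path"] == path:
                return entry["sha256"]
        raise KeyError(f"no custody entry for {path}")

    def verify(self, path):
        """True if the artefact still matches the hash recorded at acquisition."""
        return hash_file(path) == self.baseline_hash(path)

    def export(self):
        """JSON report suitable for attaching to the investigation record."""
        return json.dumps(self.entries, indent=2)


def demo():
    """Acquire a constructed evidence file, verify it, tamper with it, verify again.

    Returns (intact_before_tamper, intact_after_tamper, number_of_log_entries).
    """
    # Constructed case identifiers; not taken from any real investigation.
    log = CustodyLog(case_id="CASE-EXAMPLE-001", investigator="analyst@example.invalid")
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "mailbox-export.pst")  # constructed sample artefact
        with open(evidence, "wb") as fh:
            fh.write(b"constructed sample evidence bytes\n" * 1000)

        log.record("acquire", evidence, tool="example-imager", note="exported from mail server")
        log.record("examine", evidence, tool="example-parser")
        intact_before = log.verify(evidence)

        # Simulate an unauthorised modification of the working copy.
        with open(evidence, "ab") as fh:
            fh.write(b"tampered\n")
        intact_after = log.verify(evidence)

    return intact_before, intact_after, len(log.entries)


if __name__ == "__main__":
    print(demo())
```

In practice the exported JSON is itself evidence: store it on write-once media or sign it, because a custody log that the investigator can silently rewrite proves nothing in court.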
Identify the Initial Compromise
Identifying the initial compromise is required to protect other systems that could be vulnerable, and it allows us to search for patient zero.
Attackers use many techniques during a cyber attack, which means we need to know and search for how the attacker infiltrated the organization’s infrastructure. The list of tactics is:
Initial Access – the first access to the system, gained in many ways such as Drive-by Compromise, Exploit Public-Facing Application, Spear-phishing, and others
Execution – the execution tactic covers many ways of running code, such as PowerShell, the LSASS driver, WMI, and more
Persistence – persistence techniques can be beneficial in hunting, and include account manipulation, hooking, trap, and others.
Privilege Escalation – the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application, with techniques such as access token manipulation, DLL search order hijacking, memory injection, process injection, and others
Defense Evasion – techniques adversaries use to avoid detection throughout their compromise, such as execution guardrails, group policy modification, indirect command execution, valid accounts, and more
Credential Access – techniques for obtaining credentials in order to perform lateral movement and access restricted information, such as credential dumping, Kerberoasting, private keys, and two-factor authentication interception.
Discovery – adversaries may attempt to get a listing of local system and domain accounts or sensitive information, with techniques such as account discovery, domain discovery, network scanning, security control discovery, and more
Lateral Movement – the various techniques attackers use to progressively spread through a network as they search for critical assets, such as pass the hash, SSH hijacking, taint shared content, and more
Collection – adversaries may use automated techniques for collecting internal data, such as data from information repositories, email collection, man in the browser, and others.
Command and Control – plays an essential role after an initial compromise. The attackers need to establish a Command and Control (C&C) infrastructure to interact with the infected host, using techniques such as commonly used port, custom cryptographic protocol, domain generation algorithms, and more.
Exfiltration – techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it, with techniques such as data compressed, exfiltration over command and control channel, automated exfiltration, and others.
Impact – adversaries may manipulate data in order to manipulate the organization; by tampering with stored data, adversaries may attempt to affect business processes, organizational understanding, and decision making
How to Identify the Initial Compromise
To gain an initial foothold within the target infrastructure, an APT drops a malicious program at the point-of-entry step. While there are multiple ways of deploying malicious payloads, the most common cases are malicious email attachments or exploits against the user’s web browser, embedded into websites the victim usually browses or is forced to browse to.
The approach the APT chooses depends on the resources it possesses and the time available for carrying out the attack. One of the most common methods of delivering a malicious payload is attaching it to a spear-phishing email.
Depending on the APT actors’ sophistication, the attachment might be as simple as macros in Microsoft Office documents or as advanced as a zero-day in specific software. Another common approach to planting malware is attacking the user’s web browser through malicious websites.
In this scenario, a website that the user usually visits is compromised, and the exploit is embedded.
Alternatively, an arbitrary website can be hijacked or created just for this purpose; the user is then tricked into visiting this site, mostly via a spear-phishing email that contains a link.
In either case, the exploit targets a known or zero-day vulnerability, which results in malicious code being planted on the target’s computer.
Finally, while other approaches to delivering the malware exist, the result is the same – attackers gain control of the victim’s machine. It’s worth mentioning that the malware delivery process might be complicated so that multiple malicious code stages are executed.
This is mainly done due to specifics of the malicious payload delivery or to bypass security defenses, which might detect the initial compromise.
Some examples of identifying the initial compromise:
Drive-by Compromise – you can identify exploits in temporary internet files using YARA and anti-virus signatures. Review the browser’s internet history.
Public-Facing Application – depending upon the application, you may have web-server logs and application logs to review. Look for web shells and other signs of post-compromise activity.
Spear-phishing Attachment – you can parse Outlook archives using forensic tools such as EnCase or a PDF export, and review the attachments if you have access to the mail system itself.
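For the Public-Facing Application case, reviewing web-server logs for web shells is usually a triage pass over a large access log. The script below is an added example written for this post, not a tool from the original article: it parses Apache/nginx combined-format lines and flags script paths that (a) live in directories that should only hold static content, or (b) were never browsed to with a GET yet start receiving POST requests. The log lines, directory lists and allowlist are constructed for the example and must be tuned to the real application.

```python
import os
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format; IIS W3C logs would need a different pattern.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Directories that should only ever serve static content (assumption; tune per application).
STATIC_DIRS = ("/uploads/", "/images/", "/static/", "/media/")
# Extensions the web server would execute rather than serve as a plain file.
SCRIPT_EXTS = (".php", ".asp", ".aspx", ".jsp", ".jspx", ".cgi")
# Prefixes where POST-only endpoints are legitimate and must not be flagged (assumption).
API_PREFIXES = ("/api/",)

# Constructed sample log: one ordinary browsing session, one API client, one suspicious client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:08:12:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:08:12:05 +0000] "GET /login.php HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:08:12:30 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:08:13:02 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2020:08:20:11 +0000] "POST /api/v1/sync HTTP/1.1" 200 44 "-" "SyncClient/1.0"
198.51.100.23 - - [10/Mar/2020:09:01:44 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 23 "-" "python-requests/2.22.0"
198.51.100.23 - - [10/Mar/2020:09:01:50 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 18 "-" "python-requests/2.22.0"
""".splitlines()


def parse_line(line):
    """Split one combined-format line into its fields; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec.pop("target")).path  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def review_web_logs(lines):
    """Return {path: finding} for script paths that look like dropped web shells.

    Heuristics:
      script_in_static_dir - an executable file sits where only static content belongs
      first_seen_via_post  - a script was never browsed to (no earlier request) yet receives POSTs
    """
    seen_paths = set()
    findings = defaultdict(
        lambda: {"reasons": set(), "requests": 0, "sources": set(), "first_seen": None}
    )

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        ext = os.path.splitext(path)[1].lower()
        reasons = []

        if ext in SCRIPT_EXTS:
            if path.startswith(STATIC_DIRS):
                reasons.append("script_in_static_dir")
            if (rec["method"] == "POST" and path not in seen_paths
                    and not path.startswith(API_PREFIXES)):
                reasons.append("first_seen_via_post")

        seen_paths.add(path)
        if reasons:
            f = findings[path]
            f["reasons"].update(reasons)
            f["requests"] += 1
            f["sources"].add(rec["ip"])
            f["first_seen"] = f["first_seen"] or rec["ts"]

    return dict(findings)


if __name__ == "__main__":
    for path, finding in review_web_logs(SAMPLE_LOG).items():
        print(path, sorted(finding["reasons"]), finding["requests"], sorted(finding["sources"]))
```

The login form is not flagged because the user fetched it with a GET before posting to it, and the sync endpoint is excluded by the API allowlist; only the script in the uploads directory remains. Every hit still needs a human to pull the file from the server and confirm what it is, since the heuristic knows nothing about the file’s contents.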
The source of an attack – Patient Zero
When investigating an incident, the most challenging task is to find evidence that leads to the root cause of the attack – the source of the attack: patient zero.
While investigating the incident, the organization must quarantine the compromised entities to prevent the spread of the attack to other parts of the organization.
To solve the problem in these investigations, the organization has these objectives:
- Determine the type of attack
- Identify the initial entry point of the threat.
- Get information and many details about the incident.
- Understand how the incident was distributed beyond the point of entry
In incident response, you must use timelines to order events in their most logical fashion; this view paints a clearer picture of where patient zero is most likely to exist.
For example, if a user was detected running a malicious program, looking at their activity over the past week or month might indicate whether that account was compromised at an earlier time.
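The timeline approach above can be made concrete with a few lines of code. The following is an added example, not code from the original post: it merges constructed events from three sources (mail logs, Azure AD sign-ins, endpoint telemetry), orders them, annotates each with a suspicion reason, pulls a user’s activity for the lookback window before a detection, and then picks the user whose earliest suspicious event predates everyone else’s. The user names, hosts, countries and the suspicion rules are all assumptions made for the example; a real investigation would feed it the organisation’s own exported logs and baselines.

```python
from datetime import datetime, timedelta

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MACRO_EXTS = (".docm", ".xlsm", ".pptm")

# Per-user sign-in baseline the investigator already knows (constructed for this example).
BASELINE = {"alice": {"NL"}, "bob": {"NL"}}

# Constructed events merged from three sources; deliberately out of order, as exports usually are.
SAMPLE_EVENTS = [
    {"time": "2020-03-01T08:55:00+00:00", "source": "signin", "user": "alice", "type": "signin",
     "detail": {"country": "NL", "result": "success"}},
    {"time": "2020-03-05T10:00:00+00:00", "source": "endpoint", "user": "bob", "type": "malware_detected",
     "detail": {"host": "WS-BOB", "file": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"}},
    {"time": "2020-03-02T09:14:00+00:00", "source": "email", "user": "alice", "type": "mail_received",
     "detail": {"from": "billing@supplier.example", "attachment": "invoice.docm"}},
    {"time": "2020-03-04T14:35:00+00:00", "source": "endpoint", "user": "bob", "type": "process_start",
     "detail": {"host": "WS-BOB", "parent": "WINWORD.EXE", "child": "powershell.exe"}},
    {"time": "2020-03-02T09:20:00+00:00", "source": "endpoint", "user": "alice", "type": "process_start",
     "detail": {"host": "WS-ALICE", "parent": "WINWORD.EXE", "child": "powershell.exe"}},
    {"time": "2020-03-03T11:05:00+00:00", "source": "signin", "user": "alice", "type": "signin",
     "detail": {"country": "BR", "result": "success"}},
    {"time": "2020-03-04T14:30:00+00:00", "source": "email", "user": "bob", "type": "mail_received",
     "detail": {"from": "alice@corp.example", "attachment": "quarterly.docm"}},
    {"time": "2020-03-04T09:00:00+00:00", "source": "signin", "user": "bob", "type": "signin",
     "detail": {"country": "NL", "result": "success"}},
]


def ts(event):
    return datetime.fromisoformat(event["time"])


def is_suspicious(event, baseline=BASELINE):
    """Illustrative rules that mark an event as worth a second look; returns the reason or None."""
    d = event["detail"]
    t = event["type"]
    if t == "malware_detected":
        return "malware detected on host"
    if t == "process_start" and d["parent"] in OFFICE_APPS and d["child"].lower() in SHELLS:
        return f"{d['parent']} spawned {d['child']}"
    if t == "mail_received" and d.get("attachment", "").lower().endswith(MACRO_EXTS):
        return f"macro-enabled attachment {d['attachment']} from {d['from']}"
    if t == "signin" and d["country"] not in baseline.get(event["user"], set()):
        return f"sign-in from country outside baseline ({d['country']})"
    return None


def build_timeline(events):
    """Events in chronological order, each copied with a 'reason' annotation (or None)."""
    return [dict(e, reason=is_suspicious(e)) for e in sorted(events, key=ts)]


def activity_before(events, user, detection_time, lookback_days=7):
    """What the user did in the window leading up to a detection, oldest first."""
    end = datetime.fromisoformat(detection_time)
    start = end - timedelta(days=lookback_days)
    return [e for e in build_timeline(events) if e["user"] == user and start <= ts(e) <= end]


def find_patient_zero(events):
    """The user whose earliest suspicious event predates everyone else's, with that event."""
    earliest = {}
    for e in build_timeline(events):
        if e["reason"] and e["user"] not in earliest:
            earliest[e["user"]] = e
    if not earliest:
        return None
    user = min(earliest, key=lambda u: ts(earliest[u]))
    return user, earliest[user]


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_EVENTS):
        flag = "!" if e["reason"] else " "
        print(f"{flag} {e['time']} {e['source']:<8} {e['user']:<6} {e['type']:<17} {e['reason'] or ''}")
    print("patient zero:", find_patient_zero(SAMPLE_EVENTS))
```

Run against the constructed data, the detection on bob’s workstation leads back through the macro document he received from alice’s account to alice’s own macro attachment three days earlier, so alice is reported as patient zero. The value of the exercise is the lookback: the detection alone would have pointed at bob.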
Investigate with Microsoft 365 Security Controls
So we need to build a picture of the incident, to know who patient zero is and where the attack started: a phishing email, a system misconfiguration, or something else.
To perform an investigation and do forensics, you must work with security tools that provide visibility on each security layer, so that you receive all the information and evidence the system can provide.
Note: in a situation where the attack is still ongoing, you can add a security layer or enable logging to make sure you get the relevant information from the infrastructure.
Microsoft 365 security controls provide a rich, useful, and valuable platform for successful investigation and digital forensics, from the Microsoft ATP kill chain, through Microsoft Cloud App Security, to Threat Management and other tools.
The investigation and response capabilities in Microsoft 365 security controls help security analysts and investigators search for evidence, and even for patient zero, by:
- Making it easy to identify, monitor, and understand cyberattacks
- Helping to address threats in the Microsoft platform and ecosystem quickly.
- Providing insights and knowledge to investigate cyberattacks against their organization
Microsoft 365 Security Control
Before performing any investigation, we must know which systems we have and the value we can get from them in an inquiry.
Office 365 threat investigation and response
Layer: email, files, and websites, including connected third-party platforms and every component of Office 365 or other third-party services.
Threat investigation and response capabilities provide insights into threats and the related response actions available in the Office 365 Security & Compliance Center. These insights can help your organization’s security team protect Office 365 users from email- or file-based attacks.
The capabilities help monitor signals and gather data from multiple sources, such as user activity, authentication, email, compromised PCs, and security incidents.
Business decision-makers and Office 365 global administrators, security administrators, and security analysts can all use this information to understand and respond to threats against Office 365 users and protect intellectual property.
Threat dashboard – Use the Threat dashboard to quickly see what threats have been addressed and as a visual way to report to business decision-makers how Office 365 services are securing your business.
Threat Explorer (or Explorer) – analyze threats, see the volume of attacks over time, and analyze data by threat families, attacker infrastructure, and more. Threat Explorer is the starting place for any security analyst’s investigation workflow.
Incidents – Use the Incidents list to see in-flight security incidents. Incidents are used to track threats such as suspicious email messages and to conduct further investigation and remediation.
Automated investigation and response (AIR) – Use automated investigation and response (AIR) capabilities to save time and effort correlating content, devices, and people at risk from threats in your organization. AIR processes can begin whenever specific alerts are triggered or when started by your security operations team.
Microsoft Cloud App Security
To know which actions were taken in the cloud, or even on-premises (where a proxy is connected to MCAS), you must have visibility. Microsoft Cloud App Security (MCAS) provides excellent visibility connected to identity, apps, devices, and many other points, and correlates all of this information together.
For example, Microsoft Cloud App Security is a far more efficient and straightforward way to investigate Office 365 account breaches, including their relation to Active Directory accounts. The traditional approach, using the Office 365 audit log search in the Security & Compliance Center to investigate incidents, was time-consuming and lacked the detail you need when logging breaches for audits.
During a breach, time is essential to understand what the attacker did and what information they might have stolen.
In a scenario in which every platform is connected to Microsoft Cloud App Security, you have better visibility and correlation across all data and information – which means MCAS will record every action taken by the attacker.
Once MCAS identifies a suspicious or live action taken on a user, it provides information from all other platforms connected to MCAS and correlates each piece of information.
For example, when Microsoft 365 security controls and a proxy are configured, MCAS receives information from Azure AD, Microsoft Defender ATP, Azure ATP, Office 365, and any other platform connected to MCAS.
Azure Advanced Threat Protection
Azure Advanced Threat Protection (Azure ATP) monitors information generated from your organization’s Active Directory, network activities, and event activities to detect suspicious activity.
Monitored activity information enables Azure ATP to help you determine the validity of each potential threat and correctly triage and respond.
Azure ATP identifies these advanced threats at the source throughout the entire attack kill chain and classifies them into the following phases:
- Compromised credentials
- Lateral Movements
- Domain dominance
Azure AD Identity Protection
Discovering compromised identities is no easy task. Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised identities.
Using this data, Identity Protection generates reports and alerts that enable you to evaluate the detected issues and take appropriate mitigation or remediation actions.
Identity Protection capabilities can detect vulnerabilities and risky accounts and investigate risk detections.
When your defenses fail and your organization is compromised, every second counts. You must respond quickly and follow a systematic, structured approach to the recovery process.
That is, of course, easier said than done, particularly if you don’t have a cybersecurity expert on board. Fortunately, IT Governance is here to help.
The next article will demonstrate how to investigate a breach with Microsoft 365 security control.