Tracking Patient Zero with Azure Sentinel
Information security shares many concepts with medicine; after all, terms such as patient zero, virus, health risk, and infection are used in both fields.
Today, attacks against organizations are increasingly targeted: they are built to strike a single victim with the specific goal of gaining access, spreading widely across the network, and carrying out further actions such as stealing critical information and moving laterally.
There are many attack scenarios, but most of them share common steps:
- Internal reconnaissance
- Initial compromise
- Established foothold
- Privilege escalation
- Pivoting
- Gain persistence
- Exfiltration and objective
The Cyber Kill Chain is one of my favorite models for reasoning about both attack and defense, including the Microsoft Cyber Kill Chain (CKC) process used with Microsoft Threat Protection (MTP).
My other favorite framework for tactics and techniques is the MITRE ATT&CK Matrix for Enterprise, which describes each stage in detail, from Initial Access to Exfiltration.
Principles of Tracking
So, how are the Cyber Kill Chain, Patient Zero, and Azure Sentinel related to each other?
In many situations, the first step toward a patient zero is the initial compromise: the stage where spear-phishing is delivered over email with a malicious attachment or a targeted URL.
In the real world, there are many situations in which anti-virus, anti-phishing, sandboxing, and other defense tools fail to identify or block the threat, and the user, with no warning at all, clicks and carries on.
This is a weak moment: the user may open a malicious attachment or enter credentials on a website that drops some shellcode. To make a long story short, the user performs some malicious action that turns their PC into Patient Zero!
Note: There are many other scenarios, such as mailbox takeover, a laptop on the road, wireless MITM, mobile infections, and many more.
So we have an initial compromise, and the sixth stage of the Cyber Kill Chain (Command and Control, C2) is running on our system. Now what?
For this security issue, and for many other scenarios, we need a SIEM platform to collect events, security alerts, actions, and any other information that allows us to track Patient Zero.
In the main scenario, we divide the Patient Zero investigation into general stages:
- Identify the patient
- Understand how it was compromised
- Implement changes to prevent the same attack from spreading or recurring
With Azure Sentinel, we can Protect >>> Detect >>> Respond.
Azure Sentinel, the cloud-native SIEM, sits on top of many dedicated security and system tools and lets us ingest and manage any data from any system, including legacy and multi-platform environments and every endpoint.
With access to this volume of data, we can extract the information relevant to our scenario, and specifically to the situation in which we have a Patient Zero.
When a machine is compromised, the malicious code executes many actions, for example:
- URLs the user visited or tried to access
- Network flows are generated
- Registry values may be changed
- Files and processes are created
- Data may be sent to an external location
All of these artifacts are Indicators of Compromise (IoCs), and we need to act on them to find out whether any other machine is infected.
Because Azure Sentinel correlates all of this information with cloud, on-premises, network device logs, devices, sensors, and any kind of traffic, it will expose who else appears to be infected on our network.
>> The more data you have, the more opportunities you have to discover something valuable.
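One way to do that correlation in KQL, as an added example that is not part of the original post: pivot from an IoC observed on the Patient Zero host to every other host that reached the same target. It assumes the Windows events connector collects the Defender operational channel into the Event table, that Network Protection writes event ID 1126 for blocks and 1125 for audit-mode hits, and that the blocked target appears after "Target:" in the rendered event text (check the RenderedDescription in your own tenant and adjust the regex). The IoC domains are constructed for the example.

```kusto
// Added example: pivot from an IoC seen on Patient Zero to every other host that touched it.
// Assumptions: Defender operational channel collected into Event; IDs 1126 (block) and
// 1125 (audit) are Network Protection; target printed after "Target:" in RenderedDescription.
// The IoC domains below are constructed for this example.
let iocs = dynamic(["malicious-example.test", "phish-example.test"]);
let lookback = 30d;
Event
| where TimeGenerated > ago(lookback)
| where EventLog == "Microsoft-Windows-Windows Defender/Operational"
| where EventID in (1125, 1126)                       // 1126 = blocked, 1125 = audit-mode hit
| extend Target = extract(@"(?i)Target:\s*(\S+)", 1, RenderedDescription)
| extend TargetHost = tolower(extract(@"^(?:https?://)?([^/:\s]+)", 1, Target))
| where TargetHost in (iocs)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Users = make_set(UserName), Modes = make_set(EventID)
          by Computer, TargetHost
| order by FirstSeen asc
// The earliest FirstSeen row is the best candidate for Patient Zero; every other
// Computer in the result also reached the IoC and needs to be checked.
```

The query reduces each host to one row per IoC, so the result set is the list of machines to triage, ordered by when they first touched the indicator. Audit-mode hits (1125) are kept because they show exposure even where Network Protection was not yet enforcing.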
With the Azure Sentinel SIEM, you can respond in two main ways: Passive and Active.
The passive way means that you identify the security issue and send an alert... and maybe someone will handle it in time.
The active way means that you respond automatically: you perform auto-investigation, or apply conditions such as Automatic-Response, Active-Response, and Auto-remediation; the principle remains the same.
Azure Sentinel provides full automation with rules, workbooks, and playbooks. For example, a security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert.
A security playbook can help automate and orchestrate your response and can be run automatically when specific alerts are triggered.
The next step is to find out how the machine was compromised. If you found an interesting IoC, build a timeline of the activity on the compromised machine.
Questions to answer include: which URL was visited? Did the user click on it? Did the user receive an email with a malicious attachment? What were the latest network connections? Which IP addresses were used? These steps often rely on forensic techniques to access such data.
The main goal is to find out how Patient Zero was infected!
Tracking with Azure Sentinel
To track a Patient Zero with Azure Sentinel, you can work with many tools, such as Kusto Query Language (KQL), Analytics, Hunting, and Notebooks.
In our scenario, a user received a URL, clicked on it, and was then blocked by Exploit Guard.
The resources in this scenario:
- Azure Sentinel
- Office 365 with Exchange Online Mailbox
- Windows 10 with Exploit Guard enabled
Azure Sentinel is configured with the following connectors:
- Connector to Office 365
- Connector to Azure AD
- Connector to Security Event
- Connector to Windows 10 (Events)
Investigation with KQL
The scenario: the user received an email and tried to open the link from his Windows 10 machine; once the user accessed the URL, it was blocked by Exploit Guard (Network Protection).
Because we have analytics rules that identify the actions in this scenario, Azure Sentinel raises an alert; during the investigation we could see the actions on the user's Windows 10 machine and in the user's mailbox.
With a simple and very short KQL query, we retrieved all the information.
Some screenshots from the process:
The user clicked on the URL but was blocked by Exploit Guard
Azure Sentinel received an incident with a wealth of information
Then we did a quick investigation in Azure Sentinel with a KQL query covering Windows 10 and the Exchange Online mailbox
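A query of the kind used in that investigation, written here as an added example rather than the post's own query: it builds a single timeline around the first Exploit Guard block on the Patient Zero host, combining the four connectors listed above (Windows events into Event, Office 365 into OfficeActivity, Azure AD into SigninLogs, Security Events into SecurityEvent). The host name and user principal name are constructed values that would normally be taken from the Sentinel incident; the Network Protection event IDs (1126 block, 1125 audit) and the Defender channel name are assumptions to verify against your workspace.

```kusto
// Added example: cross-source timeline around the first Network Protection block on
// the Patient Zero host. Host name and UPN are constructed (take them from the incident).
let patientZero = "WIN10-PZ01";              // constructed host name
let upn = "user@contoso.example";            // constructed user principal name
let window = 2h;                             // look this far before and after the block
let blocks = Event
    | where Computer =~ patientZero
    | where EventLog == "Microsoft-Windows-Windows Defender/Operational" and EventID in (1125, 1126)
    | project TimeGenerated, Source = "ExploitGuard", Actor = UserName, Detail = RenderedDescription;
// Anchor the timeline on the earliest block seen on this host
let firstBlock = toscalar(blocks | summarize min(TimeGenerated));
let mailbox = OfficeActivity
    | where OfficeWorkload == "Exchange" and UserId =~ upn
    | project TimeGenerated, Source = "ExchangeOnline", Actor = UserId,
              Detail = strcat(Operation, " from ", ClientIP);
let signins = SigninLogs
    | where UserPrincipalName =~ upn
    | project TimeGenerated, Source = "AzureAD", Actor = UserPrincipalName,
              Detail = strcat("Result ", ResultType, " to ", AppDisplayName, " from ", IPAddress);
let hostEvents = SecurityEvent
    | where Computer =~ patientZero and EventID in (4624, 4688)   // logons and process creations
    | project TimeGenerated, Source = "SecurityEvent", Actor = Account,
              Detail = iff(EventID == 4688, NewProcessName, strcat("Logon type ", LogonType));
union blocks, mailbox, signins, hostEvents
| where TimeGenerated between ((firstBlock - window) .. (firstBlock + window))
| order by TimeGenerated asc
| project TimeGenerated, Source, Actor, Detail
```

Each source is projected onto the same four columns before the union so the rows interleave cleanly in time order; the mailbox and sign-in rows answer "did the mail arrive and who was logged in", the SecurityEvent rows show which process made the request, and the ExploitGuard row marks the moment the URL was blocked. If the query returns nothing, no Network Protection event was found for that host and firstBlock is empty, so widen the search or check the channel name first.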
In Conclusion
Finding Patient Zero is your main goal: it lets you prevent the attack from spreading across the network and make sure you can protect against a future attack.
Azure Sentinel provides the tools to work with every stage of the process to achieve that goal: tracking Patient Zero.
Note: the scenario in this blog post was basic; the next blog post will be about finding Patient Zero for a malicious attachment with Azure Sentinel.