Investigation in Defender TI
While investigating an incident, we aim to find the campaign, the attackers, and who is behind the attack – in this situation, Context is Everything.
Threat intelligence plays a critical role in many scenarios; an incident investigation is one of them because we want to know the APT group behind the attack and which artifacts are related to them.
Threat intelligence data is collected, processed, and analyzed to understand relations and context, allowing us to search for the threat actor’s motives, targets, and attack behaviors. Threat intelligence enables us to move faster, be better informed, make data-backed security decisions, and know the APT groups, shifting our behavior from reactive to proactive in the fight against threat actors.
In threat intelligence, you must focus on the threats that matter:
- Understand recent actor, malware, or vulnerability trends
- Proactively hunt threat actors and their targeting
- Accelerate your threat response by prioritizing the threats that matter most
- Leverage Threat Intelligence with External Attack Surface Management
- Make the most of correlating data with Microsoft Sentinel and Microsoft EASM
From a security standpoint, today’s enterprise computing environment has changed significantly over the past few years. A few years ago, a security analyst struggled with separate dashboards for classic security tools, such as antivirus, email gateway, and firewall, spread across several different screens.
Today’s security analyst works with many different security tools to handle a threat landscape where the cybersecurity rules have changed. The number of security-oriented infrastructure solutions has shot up, from identity and access management (IAM) solutions to cloud-native security tools. Today’s security ecosystems are far more diverse and far more populated. This has brought a couple of security facts into focus:
- Data Excess – Security tools and systems must now manage an overload of information from various data types, including logs, security events, threat intelligence, and much more.
- Complex Attackers – Attacks today don’t occur instantly but are spread over time. Multiple stages are involved in the modern threat chain, including surveillance, infiltration, lateral movement, and others.
IOCs must be tied together in a pattern to track and prioritize threats accurately; relying on a single indicator of compromise without context around its activity is a poor position from which to find threats. Still, this is the situation in many investigation scenarios.
Enter Threat Chains – To combat evolving threats that unfold over time, you need to be able to stitch together related alerts. These events or alerts may not be significant on their own. Still, a threat chain connected to a single entity can indicate a severe security event when tied together. This lets you prioritize and identify low and slow threats that progress over several steps.
Threat Chain – Connecting threats to entities enables threat chains. In a typical threat chain, a single event may not be an event of significant interest. However, as multiple related events get tagged to the same entity, the significance of each event grows. When tied together, the total risk from multiple related events is much more than the sum of the individual incidents.
Pivoting Across Entity-Linked Assets – Most alerts use different identifiers depending on the solution. For example, certificate-identified threats are differentiated using a hash.
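To make the threat-chain idea concrete, here is an added example (not code from the original post or from Defender TI) that groups individually low-severity alerts by the entity they are tied to and re-scores each group as a chain. The stage names, the severities, the escalation rule and the sample alerts are all constructed assumptions; the point is that a chain spanning several stages on one entity scores well above the sum of its parts, while the same alert volume on a single stage does not.

```python
"""Threat chain scoring over entity-linked alerts (added example).

Alerts are grouped by entity; a chain's score is escalated by how many distinct
kill-chain stages it spans, so progression on one asset is prioritized over noise.
Stage names, weights and the escalation rule are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Stages named in the text, in the order an intrusion usually progresses.
STAGES = ["surveillance", "infiltration", "lateral_movement", "exfiltration"]


@dataclass(frozen=True)
class Alert:
    entity: str    # the asset the alert is tied to (host name, user, IP)
    stage: str     # kill-chain stage the alert belongs to
    severity: int  # 1 (informational) .. 5 (critical), as emitted by the tool


def build_chains(alerts):
    """Group alerts by entity; each group is a candidate threat chain."""
    chains = defaultdict(list)
    for alert in alerts:
        chains[alert.entity].append(alert)
    return chains


def chain_score(chain):
    """Sum of severities, multiplied by 1.5 for every additional distinct stage.

    Assumed rule: surveillance -> infiltration -> lateral movement on one entity
    scores far more than the same severities piled into a single stage.
    """
    base = sum(alert.severity for alert in chain)
    distinct_stages = {alert.stage for alert in chain if alert.stage in STAGES}
    return round(base * (1.5 ** (len(distinct_stages) - 1)), 1)


def prioritize(alerts, threshold=10.0):
    """Return (score, entity, stages) for chains at or above the threshold, highest first."""
    scored = [(chain_score(chain), entity, sorted({a.stage for a in chain}))
              for entity, chain in build_chains(alerts).items()]
    return [item for item in sorted(scored, reverse=True) if item[0] >= threshold]


# Constructed sample alerts; none of this is from a real incident.
SAMPLE_ALERTS = [
    Alert("ws-finance-07", "surveillance", 2),      # port sweep seen from host
    Alert("ws-finance-07", "infiltration", 3),      # macro document executed
    Alert("ws-finance-07", "lateral_movement", 3),  # SMB logon to another host
    Alert("ws-hr-12", "surveillance", 2),           # single noisy scan
    Alert("srv-web-01", "infiltration", 3),         # repeated alert, no progression
    Alert("srv-web-01", "infiltration", 3),
]

if __name__ == "__main__":
    for score, entity, stages in prioritize(SAMPLE_ALERTS):
        print(f"{entity}: chain score {score} across {stages}")
```

With these inputs only ws-finance-07 crosses the threshold: its three alerts sum to 8 but score 18.0 as a chain, while srv-web-01's two infiltration alerts stay at 6.0.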
Infrastructure chaining leverages the relationships between highly connected datasets to build an investigation case. This process is the core of threat infrastructure analysis and allows organizations to surface new connections, group similar attack activity, and substantiate assumptions during incident response.
The concept of infrastructure chaining.
Data enrichment capability can potentially stop a point-in-time investigation in its tracks. Many attack campaigns employ obfuscation techniques, such as simple geo-filtering, and complex tactics, like passive OS fingerprinting. We could start with malware that attempts to connect to an IP address (possibly a C2). That IP address may have hosted an SSL cert with a common name, such as a domain name.
The main takeaway is that one data point taken out of context may not be very useful. That domain may be connected to a page containing a unique tracker in the code, such as a NewRelic ID or some other analytics ID we may have observed elsewhere. Or, perhaps, the domain may have historically been connected to other infrastructure that may shed light on our investigation. Either way, we can start stitching together a story when we observe the natural connections among all this technical data.
Outside-In Attacker Perspective
An adversary’s outside-in perspective enables them to take advantage of your continually expanding web, app, and mobile presence outside your firewall environment.
Approaching and interacting with web and mobile properties as a real user enables Microsoft’s Defender TI crawling, scanning, and machine-learning technology to disarm adversaries’ evasion techniques by collecting user session data and detecting phishing, malware, rogue apps, unwanted content, and domain infringement at scale. This helps deliver actionable, event-based threat alerts and workflows in the form of threat intelligence, system tags, analyst insights, and reputation scores associated with adversaries’ infrastructure.
As more threat data becomes available, more tools, education, and effort are required for analysts to understand the data sets and their corresponding threats. Microsoft Defender Threat Intelligence unifies these efforts by providing a single view into multiple data sources.
Threat Intelligence Lifecycle
Every TI analyst must use Defender TI to combine contextual knowledge about the overall threat landscape with analytical skills; cyber intelligence analysts gather information to monitor, assess, and report on risks that could affect an organization. From private data collection to OSINT evaluation, threat intel analysts synthesize various sources to build a complete picture of an organization’s risk posture that informs the company’s actions to mitigate these risks. They produce short-term and long-term evaluations so that security teams understand what to expect from a threat perspective and what they can do to avoid potential attacks or breaches.
The main action of an analyst is tied into the Threat Intelligence Cycle.
The Threat Intelligence Cycle is:
Direction – In this first phase, the value of each entity and the potential impact of asset loss or service interruption are assessed. Questions that need to be answered include: what needs protecting and why? What are the priorities? What types of TI information are required? Who will receive the TI, and how? The answers to these questions are the cornerstone of the whole intelligence program and inform the development of guidelines for data collection methods and resource assignments.
Collection – During TI collection, the intelligence team gathers information and context that fulfill the requirements laid out earlier. The intelligence is collected from social media, deep and dark web sources, network data, and other OSINT.
Processing – The resulting lake of raw data from Collection can’t be used as-is, because there is too much of it and it isn’t standardized. Remembering the requirements and data types outlined in the Direction phase is essential. During the Processing stage, the data is formatted so that it can be understood and is suited to the user.
Analysis and Production – Now that the data is usable, you should reconsider the organization’s goals to refine the threat information. Various analysis techniques determine if suspicious behaviors are correlated, and relevant Context and priority are added, turning the data into finished intelligence.
Dissemination – The threat intelligence is now ready to be shared with the user through a report, feed, or automated platform. The security team will use the TI to build and act on priority mitigation and proactive protection plans, focusing on the alerts of highest importance or impact to their organization. This is also the stage for automated remediation actions, such as takedown requests, publishing of attack indicators, and defense hardening.
Feedback – After any alert to a threat event, it is critical to re-analyze the organization’s security goals. Is the Direction still the same? Is there a different type of data we need? Is the TI actionable? Are there too many or too few alerts? Pausing to provide feedback can make threat mitigation faster and more accurate. Further, organizational efficiency is constantly refined by redirecting assets or pivoting in a new direction.
The Pivot Story
Every incident investigation, adversary campaign, and other hunting scenario demands searching for indicators and the assets they belong to.
Data is gold. Let’s start an attack or threat intelligence story. While exploring the Defender TI portal, we have massive data.
This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, WHOIS, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. The Trackers, Components, Host Pairs, and Cookies data sets are collected by observing the Document Object Model (DOM) of crawled web pages.
Components and Trackers are also observed from detection rules triggered based on the banner responses from port scans or SSL Certificate details. Many of these data sets have various methods to sort, filter, and download data, making it easier to access information that may be associated with a specific artifact type or time in history.
Microsoft centralizes numerous data sets into a single platform, Defender TI, making it easier for Microsoft’s community and customers to conduct infrastructure analysis. Microsoft’s primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases.
Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversaries’ infrastructure associated with actor groups targeting their organization. Microsoft collects internet data via its PDNS sensor network, global proxy network of virtual users, and port scans, and leverages third-party sources for malware and additional Domain Name System (DNS) data.
Know the field
Defender TI provides an elastic search engine to streamline the investigation process. The platform allows users to pivot across various indicators from different data sources, making it easier to discover relationships between disparate infrastructures.
We need a starting point, and an IP address or domain from an incident investigation gives us one. In this example, we have an artifact with specific info and the IP address 184.108.40.206. Let’s trail it.
In Defender TI, we can start with a general search for the IP address and receive the first piece of information in the Summary:
Reputation data is essential to understand the trustworthiness of your attack surface and is also useful when assessing unknown hosts, domains, or IP addresses that appear in investigations. These scores will uncover any prior malicious or suspicious activity that impacted the entity or other known indicators of compromise that should be considered.
The analyst insight section provides quick insights about the artifact that may help determine the next step in an investigation. We can quickly determine that the IP address is routable, hosts a web server, and recently had an open port detected. This section lists the insights that apply to the artifact as well as those that do not apply, for additional visibility.
Resolutions provide Passive DNS (PDNS), a system of record that stores DNS resolution data for a given location, record, and timeframe. This historical resolution data set allows users to view which domains resolved to an IP address and vice versa, and enables time-based correlation based on domain or IP overlap. PDNS may identify previously unknown or newly stood-up threat actor infrastructure, and proactively adding such indicators to blocklists can cut off communication paths before campaigns occur.
Services using state-of-the-art tools and methods are designed to gather data across the global landscape of potential cyber threats, including existing and emerging threats and cybercrime actors.
Projects allow the creation of private or team projects for organizing indicators of interest and indicators of compromise from an investigation. Projects contain a listing of all associated artifacts and a detailed history that retains the names, descriptions, collaborators, and monitoring profiles.
Articles relate the artifact to active or historical campaigns or to adversaries.
Some of them have direct and helpful information; with others, we need to pivot to find more data and search for hidden artifacts, indicators, and assets.
Next, we continue to the Data. Each one of them includes massive and valuable information. The part of the Data includes additional information for WHOIS, Services, and Intelligence.
Whois – Thousands of daily domains are bought and transferred between individuals and organizations. This would be considered a public domain registration. However, private domain registration services allow you to hide personal information from your domain’s Whois record. In these situations, the domain owner’s information is safe and replaced by their registrar’s information. More actor groups are performing private domain registrations to make it more difficult for analysts to find other domains they own. Defender TI provides a variety of data sets to find actors’ shared infrastructure when Whois records don’t provide leads.
Certificates are a fantastic way for users to connect disparate network infrastructure. We can easily associate a certificate with the IP address that regularly hosts it. Modern scanning techniques allow us to perform data requests against every node on the internet in hours.
Trackers are unique codes or values found within web pages and are often used to track user interaction. These codes can correlate a disparate group of websites to a central entity. Often, actors copy the source code of a victim’s website they are looking to impersonate for a phishing campaign.
Will actors take the time to remove these IDs? If not, the IDs allow users to identify these fraudulent sites using Microsoft’s Trackers data set. Actors may also deploy tracker IDs to see how successful their cyber-attack campaigns are. This is similar to marketers leveraging SEO IDs, such as a Google Analytics Tracker ID, to track the success of a marketing campaign.
Web components describe a web page or server infrastructure as observed by Microsoft performing a web crawl or scan. These components allow a user to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure. Users can also understand whether a website might be vulnerable to a specific attack or compromise based on its running technologies. Pivoting on unique components can find actors’ infrastructure or other compromised sites.
Host pairs are two pieces of infrastructure (a parent and a child) that share a connection observed from a virtual user’s web crawl. The connection could range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference.
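The Trackers, Components and Host Pairs data sets are all derived from observing a crawled page's DOM. The following added example (not code from the original post or from Defender TI) shows a stdlib-only observer that extracts all three from HTML: tracker IDs via regex, component hints from the generator meta tag and versioned script names, and host pairs from script, iframe, image, link and meta-refresh references. It then correlates pages that share a tracker ID, which is the phishing-clone case described above. The tracker patterns, the component heuristic and the two sample pages are constructed assumptions.

```python
"""Observe a crawled page's DOM for Trackers, Components and Host Pairs (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative tracker patterns: Google Analytics property IDs and the
# licenseKey embedded by the New Relic browser agent bootstrap (assumed shapes).
TRACKER_PATTERNS = {
    "GoogleAnalyticsId": re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b"),
    "NewRelicId": re.compile(r"licenseKey\s*:\s*['\"]([A-Za-z0-9]{10,40})['\"]"),
}
# Versioned script names such as /jquery-3.6.0.min.js become a component.
VERSIONED_SCRIPT = re.compile(r"/([A-Za-z]+)[-.]?(\d+\.\d+(?:\.\d+)?)\.(?:min\.)?js$")


class DomObserver(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.parent = urlparse(page_url).hostname
        self.host_pairs = set()   # (parent_host, child_host, tag that made the link)
        self.components = set()   # e.g. "generator:WordPress 6.1", "jquery:3.6.0"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        child_url = None
        if tag in ("script", "iframe", "img") and a.get("src"):
            child_url = a["src"]
        elif tag == "link" and a.get("href"):
            child_url = a["href"]
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content", ""), re.I)
            child_url = m.group(1) if m else None
        if child_url:
            child = urlparse(child_url).hostname
            if child and child != self.parent:
                self.host_pairs.add((self.parent, child, tag))
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.components.add("generator:" + a.get("content", ""))
        if tag == "script" and a.get("src"):
            m = VERSIONED_SCRIPT.search(urlparse(a["src"]).path)
            if m:
                self.components.add(f"{m.group(1)}:{m.group(2)}")


def observe(page_url, html):
    """Return the tracker, component and host-pair observations for one page."""
    observer = DomObserver(page_url)
    observer.feed(html)
    trackers = {(kind, value) for kind, pattern in TRACKER_PATTERNS.items()
                for value in pattern.findall(html)}
    return {"trackers": trackers, "components": observer.components,
            "host_pairs": observer.host_pairs}


def correlate_by_tracker(observations):
    """Map each tracker to the hosts it appears on; an ID seen on more than one
    host ties otherwise unrelated sites to a central entity."""
    seen = {}
    for host, obs in observations.items():
        for tracker in obs["trackers"]:
            seen.setdefault(tracker, set()).add(host)
    return {t: hosts for t, hosts in seen.items() if len(hosts) > 1}


# Constructed pages: a legitimate site and a look-alike that copied its source.
PAGE_LEGIT = """<html><head>
<meta name="generator" content="WordPress 6.1">
<script src="https://cdn.example-bank.test/js/jquery-3.6.0.min.js"></script>
<script>ga('create', 'UA-4242424-1', 'auto');</script>
</head><body>Welcome to Example Bank</body></html>"""
PAGE_CLONE = """<html><head>
<meta name="generator" content="WordPress 6.1">
<meta http-equiv="refresh" content="0; url=https://login.example-bank-secure.test/">
<script src="https://cdn.example-bank.test/js/jquery-3.6.0.min.js"></script>
<script>ga('create', 'UA-4242424-1', 'auto');
NREUM.info={licenseKey:"abcdef0123456789ab",applicationID:"1"};</script>
</head><body>Welcome to Example Bank</body></html>"""

if __name__ == "__main__":
    pages = {"example-bank.test": observe("https://example-bank.test/", PAGE_LEGIT),
             "example-bank-login.test": observe("https://example-bank-login.test/", PAGE_CLONE)}
    print(correlate_by_tracker(pages))
```

The clone keeps the original's Google Analytics ID, so the two hosts are tied together by the tracker, and its meta refresh to a third host surfaces as a host pair.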
Service names and port numbers distinguish between services that run over transport protocols such as TCP, UDP, DCCP, and SCTP. A port number can suggest what application is running on it, but applications or services can be moved to a different port to obfuscate or hide the service on an IP address.
Combined with the port, header/banner information can identify the application or service, as can the combination of ports in use. Defender TI surfaces 14 days of history within the Services tab, displaying the last banner response associated with each observed port.
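Here is an added example (not code from the original post or from Defender TI) of the port-plus-banner reasoning just described: a small signature table identifies the service from the banner, records the combination of open ports per IP, and flags any port whose banner belongs to a service that is not normally found there, which is exactly the "moved to a different port" case. The banners, the signatures and the expected-port sets are constructed assumptions.

```python
"""Identify services from port + banner and flag services hiding on odd ports (added example)."""
import re

# (banner regex, service label, ports where that service is normally found)
BANNER_SIGNATURES = [
    (re.compile(r"^SSH-2\.0-(\S+)"), "ssh", {22}),
    (re.compile(r"^HTTP/1\.[01] \d{3}.*?Server: ([^\r\n]+)", re.S), "http", {80, 443, 8080, 8443}),
    (re.compile(r"^220 .*?E?SMTP", re.S), "smtp", {25, 465, 587}),
    (re.compile(r"^220 .*?FTP", re.S | re.I), "ftp", {21}),
]


def identify(port, banner):
    """Return (service, detail, anomaly).

    anomaly is True when the banner belongs to a service that is not normally
    found on that port, i.e. the service was moved to hide it.
    """
    for pattern, service, expected_ports in BANNER_SIGNATURES:
        m = pattern.search(banner)
        if m:
            detail = m.group(1).strip() if m.groups() else ""
            return service, detail, port not in expected_ports
    return "unknown", "", False


def summarize(observations):
    """observations: iterable of (ip, port, banner).

    Returns, per IP, the sorted open-port combination (itself a pivotable
    fingerprint), the identified service per port, and the anomalous ports.
    """
    by_ip = {}
    for ip, port, banner in observations:
        service, detail, anomaly = identify(port, banner)
        entry = by_ip.setdefault(ip, {"ports": [], "services": {}, "anomalies": []})
        entry["ports"].append(port)
        entry["services"][port] = f"{service} {detail}".strip()
        if anomaly:
            entry["anomalies"].append(port)
    for entry in by_ip.values():
        entry["ports"].sort()
        entry["anomalies"].sort()
    return by_ip


# Constructed banners on documentation-range IPs; nothing here is real scan data.
SAMPLE_BANNERS = [
    ("192.0.2.10", 22, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
    ("192.0.2.10", 443, "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.10", 8443, "SSH-2.0-dropbear_2020.81\r\n"),  # SSH where HTTPS is expected
    ("192.0.2.11", 21, "220 (vsFTPd 3.0.3)\r\n"),
    ("192.0.2.11", 25, "220 mail.example.test ESMTP Postfix\r\n"),
    ("192.0.2.11", 2222, "HTTP/1.0 401 Unauthorized\r\nServer: Apache/2.4.54\r\n\r\n"),
    ("192.0.2.11", 4444, "\x00\x01\x02garbage"),  # no signature matches
]

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_BANNERS).items():
        print(ip, entry)
```

Two hosts come out with one anomaly each: an SSH daemon on 8443 and an HTTP server on 2222. In practice the signature table is the weak spot; the more banners it knows, the fewer "unknown" entries you have to chase by hand.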
Over the years, DNS records have provided users insight into MX, NS, TXT, SOA, CNAME, and PTR records. Reviewing DNS records can help identify shared infrastructure that actors use across their domains. For example, actor groups use the same nameservers to segment their infrastructure, or the same mail exchange servers to administer their command and control.
Now that we have searched for a specific IP address, we have found a lot of data to search and pivot on. First, we need to add the artifacts and indicators to a project: create a dedicated project and add future records and indicators to it.
This example is called “Abused-Tools-Nov-22”. From now on, every related indicator will be part of this project.
Data we have: We know the IP address is 220.127.116.11, with the following information:
- Reputation: Neutral (Score: 38)
- First Seen: 2018-01-06
- Last Seen: 2022-11-01
- Netblock: 18.104.22.168/16
- ASN: AS14618 - AMAZON-AES
- Organization: Amazon.com, Inc.
- Host: Amazon Web Services
Except for the score, it looks like a legitimate IP address.
We can see the Analyst insight “Open port last Detected” within the last few days, together with “Host web server.”
The next one is the Article section. As we can see, we have relations to specific campaigns:
- RiskIQ: Fingerprinting Brute Ratel C4
- When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors
In this scenario, both articles provide extensive data, with threat reports about the actors and many indicators that might be relevant to our scenario.
The first part was from the Summary. Now we need to continue to the Data itself and pivot with all our information. The highlights from this console will be:
- Services (Remote Access)
Whois provides a variety of data sets to find actors’ shared infrastructure when records don’t provide leads.
This scenario will provide information about the Record, attribute, and values.
Continuing to pivot shows the Resolutions, with the name that resolves to the IP, and the Certificate indicators. The artifacts below are:
- ec2-174-129-157-251.compute-1.amazonaws.com
- SHA1 for certificate – the first one is 55684a30a47476fce5b42cbd59add4b0fbc776a3
Certificate data include the following:
- Sha1: The SHA1 algorithm hash for an SSL Cert asset.
- First Seen: a timestamp that displays the date we first observed this certificate on an artifact.
- Last Seen: a timestamp that displays the date we last observed this certificate on an artifact.
- Infrastructure: any related infrastructure associated with the certificate.
In this scenario, the first Certificate SHA1 artifact provides Details. We can use any of this information, but the Related Infrastructure will provide the most helpful leads. In this scenario, many of these IP addresses are malicious.
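The pivot just performed (IP to certificate SHA1 to related infrastructure to domain) and the infrastructure chaining described earlier in the article are the same operation: a graph walk across data sets. The following added example (not code from the original post, and not the Defender TI API) implements that walk over constructed stand-ins for the Resolutions (PDNS), SSL Certificates, DNS nameserver and Trackers data sets. Every indicator, date, placeholder hash and the fan-out limit is an assumption. It also carries the two caveats a real pivot needs: a PDNS link only counts if the resolution overlaps the investigation window (time-based correlation), and a certificate, nameserver or tracker shared by too many artifacts is treated as a hub (CDN, shared hosting) and not expanded, because otherwise the chain swallows half the internet. Each surfaced artifact keeps the pivot path that justifies it, which is what you paste into the project notes.

```python
"""Infrastructure chaining as a graph pivot from a seed IP (added example)."""
from collections import defaultdict, deque
from datetime import date

# Constructed Resolutions: (domain, ip, first_seen, last_seen)
PDNS = [
    ("update-cdn.example.test", "192.0.2.45", date(2022, 10, 20), date(2022, 11, 1)),
    ("mail-relay.example.test", "192.0.2.45", date(2019, 3, 1), date(2019, 6, 30)),  # stale
    ("update-cdn.example.test", "198.51.100.9", date(2022, 10, 25), date(2022, 11, 2)),
    ("portal-login.example.test", "198.51.100.9", date(2022, 10, 28), date(2022, 11, 2)),
    ("unrelated-shop.example.test", "203.0.113.77", date(2022, 1, 1), date(2022, 11, 2)),
]
# Constructed SSL Certificates: placeholder SHA1 -> hosts it was observed on
CERTS = {
    "sha1-placeholder-actor-cert": ["192.0.2.45", "198.51.100.9", "203.0.113.50"],
    # a CDN certificate seen on dozens of hosts: a hub, not a lead
    "sha1-placeholder-cdn-cert": ["203.0.113.77"] + [f"203.0.113.{n}" for n in range(100, 140)],
}
# Constructed DNS (nameserver per domain) and Trackers (analytics ID per domain)
NAMESERVERS = {
    "update-cdn.example.test": "ns1.bulletproof-dns.test",
    "portal-login.example.test": "ns1.bulletproof-dns.test",
    "staging-old.example.test": "ns1.bulletproof-dns.test",
    "unrelated-shop.example.test": "ns.registrar-default.test",
}
TRACKERS = {
    "portal-login.example.test": "UA-9999999-2",
    "staging-old.example.test": "UA-9999999-2",
}
INVESTIGATION_WINDOW = (date(2022, 10, 1), date(2022, 11, 2))


def build_edges(window_start, window_end, max_fanout=25):
    """Return {artifact: [(neighbour, relation), ...]} across all data sets.

    PDNS links count only when the resolution overlaps the window; a key
    (certificate, nameserver, tracker) shared by more than max_fanout
    artifacts is a hub and is not linked at all.
    """
    edges = defaultdict(list)

    def link(a, b, relation):
        edges[a].append((b, relation))
        edges[b].append((a, relation))

    for domain, ip, first_seen, last_seen in PDNS:
        if last_seen >= window_start and first_seen <= window_end:
            link(domain, ip, "resolution")
    for sha1, hosts in CERTS.items():
        if len(hosts) <= max_fanout:
            for host in hosts:
                link(sha1, host, "certificate")
    for relation, table in (("nameserver", NAMESERVERS), ("tracker", TRACKERS)):
        members = defaultdict(list)
        for domain, key in table.items():
            members[key].append(domain)
        for key, domains in members.items():
            if len(domains) <= max_fanout:
                for domain in domains:
                    link(key, domain, relation)
    return edges


def chain(seed, edges, max_depth=4):
    """Breadth-first pivot from the seed. Returns {artifact: pivot path}, so every
    surfaced artifact carries the chain of relations that justifies it."""
    paths = {seed: [seed]}
    queue = deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue
        for neighbour, relation in edges.get(node, []):
            if neighbour not in paths:
                paths[neighbour] = paths[node] + [f"-{relation}->", neighbour]
                queue.append((neighbour, depth + 1))
    return paths


if __name__ == "__main__":
    for artifact, path in chain("192.0.2.45", build_edges(*INVESTIGATION_WINDOW)).items():
        print(artifact, " ".join(path))
```

Starting from 192.0.2.45 the walk reaches the second IP through a current resolution, a third IP only through the shared certificate, and a dormant domain only through the shared nameserver and tracker; the stale 2019 resolution and everything behind the CDN certificate stay out of the chain.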
SHA1 – SHA-1 was a popular hashing algorithm used for SSL certificates but is now considered insecure. In 2012, a report indicated that breaking SHA-1 with enough processing power had become possible. In November 2013, Microsoft announced it wouldn’t accept SHA1 certificates after 2016. Microsoft and Google also announced plans to deprecate certificates using SHA-1. For full security in modern browsers, upgrade any old certificates using SHA-1 to a newer hashing algorithm such as SHA-256.
Change to Domain
Go over the information
Change to a new organization
MARKMONITOR INC. Trackers:
- JarmHash: 2ad2ad0002ad2ad
- JarmExtensionHash: ce7a321e4956
- JarmFuzzyHash: 2ad2ad0002ad2ad2
- JarmExtensionHash: ebbc9b6ab09e0f6c23
- JarmFuzzyHash: 0ad0ad0000
- JarmHash: 0ad0ad0000ad0ad000