Tag Archive: Automation

SEC-LABS R&D > Automation

Automated attack disruption of Ransomware and BEC – public preview

2023-03-20 0 Comments

Automated attack disruption of Ransomware and BEC (Business email compromise uses high-confidence Extended Detection and Response (XDR) signals across all workloads; endpoints, identities, email, and SaaS apps, to contain the threat quickly and effectively, to stop further impact.

These 2 scenarios are common attacks and it’s really great that they are supported by the feature in Microsoft 365 Defender.

Business Email Compromise, BEC

Threat actors are impersonating executives to trick, for example, Economic department to transfer money by impersonating the CFO or the CEO.

Automatic attack disruption can help to detect these attacks and remove the access to the accounts by disabling the compromised account, limiting their ability to send fraudulent email

Human-operated ransomware, HumOR

This attack, commonly used today, is devastating for an organization. The threat actors has full control of the environment and have usually controlled the environment for some time.

The challenge from a SecOps perspective is to be fast enough to respond to the incidents and mitigate accounts and the devices fast enough.

When the threat actors has gained privileged access, things move very quick and automatic attack disruption will contain the spreader device and disable the compromised user account

Automatic attack disruption operates in 3 key stages

  • Detect malicious activity and establish high confidence
  • Classification of scenarios and identification of assets controlled by the attacker
  • Trigger automatic response actions using the Microsoft 365 Defender protection stack to contain the active attack

First the detection will happen, which is achieved by AI, research-information etc.., to establish a high level of confidence in accurately detecting ransomware spread and encryption activity. The XDR-level capability correlates insights across endpoints, identities, email and SaaS apps to establish high-fidelity alerts.

A second stage will aggregate automatic analyze the activities like tampering, backup deletion, credential theft, mass lateral movement and many more to flag the assets included in the chain and trace the activities back to the remote execution TTP

Distrupting the attack

Response actions against the entities which are identified as compromised and in the public preview these two are the main actions:

When this happens, it will be visible in the:

Incident queue

  • A tag titled “Attack Disruption” next to affected incidents

If you really must exclude some user from the automatic attack disruption, then you can do it in the MDI settings

Incident page

  • A tag titled “Attack Disruption”.
  • A yellow banner at the top of the page that highlights the automatic action taken.
  • The current asset status is shown in the incident graph if an action is done on an asset, e.g., account disabled or device contained.

Some thoughts

It’s important that prerequisites are fixed, like MDI Action Account (if not using built-in system account) and

For further reading, please visit
Automatic attack disruption in Microsoft 365 Defender | Microsoft Learn

Stay safe, Protect the world and Happy Hunting!

Detect, Protect, Respond

, , , ,

24/7 protection during Covid-19 – Defender ATP Auto IR

2020-05-14 0 Comments

One thing we usually discuss with customers is the workload. Everyone has too much to do and it can, sometimes be difficult to prioritize investigations.

Especially now, where you might be short on staff, and the Covid-19 virus can strike at the SOC organization or reduce the numbers of available people.

Of course, this does not only apply during the world crisis of Covid-19. Automation is also a help in the normal day to day work.

There are benefits of being able to automate responses and we have these discussions with many customers.

MDATP Automatic self-healing is built-in into Defender ATP and is mimicking these ideal steps a human would take to investigate and remediate organizational assets, impacted by a cyber threat.

This is done using 20 built-in investigation playbooks and 10 remediation actions

Increased Capacity

  • Respond at the speed of automation
  • Investigate and remediate all alerts automatically
  • Free up critical resources to work on strategic initiatives

Cost implications

  • It will drive down the cost per investigation and remediation
  • Takes away manual, repetitive tasks
  • Automated remediation eliminates downtime

Get full value of your protection suite and people, quick configuration and you are up and running

SecOps Investigation (Manual)

Sometimes it will take some time from the alert being triggered until someone has the time to start looking at it.  Manual work also requires more resources for review and approval for each action

From a SecOPs perspective, an initial response involves information gathering.

Collecting:

  1. Process list
  2. Services
  3. Drivers
  4. Network connections
  5. Files created
    1. Where did the file originate from?
    1. etc

Based on our results, we will decide the remediation steps (if we do not follow a playbook here, the catch will be different result depending on who makes the response).

Remediation:

The remediation will include connecting remotely or manually collect the device and then launch tools for the remediation process.

Automatic response with Auto IR

Fast time to respond which will avoid additional damage and compromise of additional devices, when attackers will start moving lateral in the environment.

It’s our 24/7 buddy who assists the SOC staff to remediate threats so the human staff can focus on other things

  1. MDATP is sending telemetry data to the cloud
  2. MDATP cloud continuously analyzes the data to detect threats
  3. Once a threat is identitfied an alert is being raised
  4. The alert kicks off a new automated investigation
  5. AIRS component asks Sense client to initiate SenseIR
  6. SenseIR is then orchestrated by AIRS on what action should be executed (Collection/Remediation)
  7. Based on the data collected from the machine (current and historical) AIRS decides what actions should be taken
  8. For every threat identified, AIRS will automatically analyze the best course of action and tailor a dedicated surgical remediation action to be executed using on device components (e.g. Windows Defender Antivirus)

Playbook is executed

“suspicious host” playbook is just an example of “catch all” playbook that is applied after detailed AutoIR investigation for evidences raised by alerts / incident  to ensure that nothing is missed.

Data Collection

  • Volatile data
    • All processes list – main image, loaded modules, handles, suspicious memory sections
    • All services list
    • All drivers list
    • All connections
  • None-Volatile data
    • Recently created files – x minutes febore / after alert
    • All persistence methods
    • Recently executed files
    • Download location

Incrimination

  • Microsoft Security Graph eco system – DaaS, AVaaS, TI, TA, Detection engine, ML infrastructure etc.
  • Custom TI indicators – for allow / block list

Remediation

  • How?
    • By leveraging OS components (e.g. Defender Antivirus) to perform the remediation (prebuilt into the system, low level actions (driver), tried and tested)
  • What?
    • File actions
    • Process actions
    • Service actions
    • Registry actions
    • Driver actions
    • Persistency methods (Reg, Link files, etc.) actions
    • Scheduled task actions
    • More…

Getting started

Advanced Features (edited list)
  • In machine groups select Add machine group

As you can see in the options, you can select different AutoIR levels

Summary

Go auto approval, save time and protect your business!

Happy Hunting

Detect, Protect, Respond, Security

, , ,

Automate response with Defender ATP and Microsoft Flow

2019-04-08 9 Comments

So now when we have cool products (more or less builtin) we need to start working with them and not be required to look in the portals 24/7.

This post will demonstrate an example on how to use approval in email to isolate machines with new alerts.

Microsoft Flow is very easy to use to create business flows for all kind of products. You can manage anything which has an API.

Microsoft has released connectors for many solutions and by drag n drop you can create flows to make your life a lot easier.

This flow used in this blog post is just to be able to show something useful.

  • Start by browsing to https://flow.microsoft.com and create a new flow
  • Search for WDATP and select the Trigger “Triggers when a Windows Defender ATP alert accurs (preview)”

We will then add an action to “Get single alert preview”, this will give us more information to use later.

In below picture we can see some of the dynamic content we can add to next step in the flow

We can also add a condition. In this example we use condition for alert severity (high or medium).

We also want to add an approver step.

For some reason the Approval type is in Swedish for me. You have 2 default options and one custom option
Options are “Everyone must approve” or “First one to approve”.

Based on the response from the approval step we continue the flow with a condition to go ahead if the responder choose to approve the action.


We add the action “Isolate machine (preview)” and configure that along with a send email action.

Running the Flow

If you need to change your flow you can re-run it using the same data as used previously

After the approval we get the status message send to all approvers

We can see that our test machine was successfully isolated

In the flow test overview

From the ATP console we now have the option to release the machine from isolation, collect investigation package etc

Dynamic content

Actions

Pro tips:

  • Use get alert to be able to add more dynamic content to use in subsequent steps
  • Use get machine to be able to get more information like IP, Computername etc
  • Start building your automated playbooks. This will save you time

Events, Recover

, , , , ,