Remediate Security Alerts Using Azure Defender (part 2)

By Ashwin Venugopal -

 


To read part 1 please click here


MITRE ATT&CK Tactics

Each alert type has a description, severity, and MITRE ATT&CK tactic. Security Center's kill chain intents are based on version 7 of the MITRE ATT&CK matrix and described in the table below:

Tactic

Description

PreAttack

It could be either an attempt to access a certain resource regardless of malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system, and identify an entry point.

InitialAccess

It is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates, etc.

Persistence

It is any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system. Threat actors will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool  restart or provide an alternate backdoor for them to regain access.

PrivilegeEscalation

It is the result of the actions that allows an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions may require a higher level of privilege to work and are likely necessary at many points throughout an operation.

DefenseEvasion

It consists of the techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as (or variations of) the techniques in other categories that have the added benefit of subverting a particular defense or mitigation.

CredentialAccess

It represents the techniques resulting in access to or control over system, domain, or service credentials used within an enterprise environments. Adversaries will likely attempt to obtain legitimate credentials from users or administrators account to use within the network.

Discovery

It consists of the techniques that allows the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must align themselves to what they now have control of and what benefits operating of that system gives to their current objective and overall goals during the intrusion.  

LateralMovement

It consists of the techniques that enables an adversary to access as well as control remote system on a network and could, but not necessarily, include execution of tools on remote systems. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to more systems, access to specific information or files, access to additional credentials, or to cause an effect.

Execution

This tactic represents the techniques that results in the execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.

Collection

It consists of the techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for the information to exfiltrate.

Exfiltration

It refers to the techniques and attributes that results or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate

CommandAndControl

This tactic represents how adversaries communicate with systems under their control within a target network.

Impact

Impact events primarily try to directly reduce the availability or integrity of a system, service, or network, including manipulation of data to impact a business or operational process. This would often refers to techniques such as ransomware, defacement, data manipulation, and others.

 

Suppress Alerts from Azure Defender

To detect threats in any area of your environment and generate security alerts you can use the various Azure Defender plans . If an alert isn't interesting or relevant, it can be manually dismissed; or the suppression rules feature can be used to automatically dismiss similar alerts in the future. You can use a suppression rule to:
  • Suppress alerts that you've identified as false positives.
  • Suppress alerts that are being triggered too often to be useful.

The alerts that have already been triggered on the selected subscriptions can only be dismissed by the Suppression rules.

Manage Security Incidents & Threat Intelligence Reports

The analytics are used by the Security Center to connect the information between distinct security alerts and by using these connections, a single view of an attack campaign as well as its related alerts to help you understand the attacker's actions and the affected resources can be provided.

Incidents appear on the security alerts page, you can select an incident to view the related alerts and get more information. 

Generate threat intelligence reports

When Security Center identifies a threat, a security alert is triggered which contains the detailed information of the event, including suggestions for remediation while providing the threat intelligence reports containing the information about detected threats to help incident response teams to investigate and remediate threats. The report includes the information such as:
  • Attacker's identity or associations
  • Attacker's objectives
  • Current and historical attack campaigns
  • Attackers' tactics, tools, and procedures
  • Associated Indicators of Compromise (IoC) such as URLs and file hashes
  • Victimology, which is the industry and geographical prevalence to assist you in determining if your Azure resources are at risk.
  • Mitigation and remediation information 
Security Center has three types of threat reports, which can vary according to the attack:
  • Activity Group Report- provides deep dives into attackers, their objectives, and tactics.
  • Campaign Report- focuses on details of specific attack campaigns.
  • Threat Summary Report- covers all of the items in the previous two reports.

This type of information is very useful during the incident response process, in which there is always an ongoing investigation to understand the source of the attack, the attacker's motivation, and what to do to mitigate this issue in the future.


To read part 1 please click here





Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning...
Read more