Remediate Security Alerts Using Azure Defender (part 2)

To read part 1 please click here


MITRE ATT&CK Tactics

Each alert type has a description, a severity, and a MITRE ATT&CK tactic. Security Center's kill chain intents are based on version 7 of the MITRE ATT&CK matrix and are described in the table below (tactic: description):

PreAttack: either an attempt to access a certain resource regardless of malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system and identify an entry point.

InitialAccess: the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and for resources such as user accounts, certificates, etc.

Persistence: any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system. Threat actors often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to be restarted, or provide an alternate backdoor for them to regain access.

PrivilegeEscalation: the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation.

DefenseEvasion: the techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as (or variations of) techniques in other categories that have the added benefit of subverting a particular defense or mitigation.

CredentialAccess: the techniques that result in access to or control over system, domain, or service credentials used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from user or administrator accounts to use within the network.

Discovery: the techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now control and what benefits operating that system gives to their current objective and overall goals during the intrusion.

LateralMovement: the techniques that enable an adversary to access and control remote systems on a network, which could, but need not, include execution of tools on those remote systems. An adversary can use lateral movement for many purposes, including remote execution of tools, pivoting to more systems, access to specific information or files, access to additional credentials, or to cause an effect.

Execution: the techniques that result in the execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.

Collection: the techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

Exfiltration: the techniques and attributes that result in, or aid, the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

CommandAndControl: how adversaries communicate with systems under their control within a target network.

Impact: events that primarily try to directly reduce the availability or integrity of a system, service, or network, including manipulation of data to affect a business or operational process. This often refers to techniques such as ransomware, defacement, data manipulation, and others.


Suppress Alerts from Azure Defender

To detect threats in any area of your environment and generate security alerts, you can use the various Azure Defender plans. If an alert isn't interesting or relevant, it can be dismissed manually, or the suppression rules feature can be used to automatically dismiss similar alerts in the future. You can use a suppression rule to:
  • Suppress alerts that you've identified as false positives.
  • Suppress alerts that are being triggered too often to be useful.

Suppression rules can only dismiss alerts that have already been triggered on the selected subscriptions.
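To make the matching behaviour concrete, here is an added example (my own code, not part of the original post or of Security Center) that models a suppression rule and applies it to a handful of constructed alerts. The rule's "allOf" / "field" / "in" scope shape is modelled on the Azure alert-suppression-rule schema, which is an assumption here; the alert type names, subscription ids and resource names are made up.

```python
from datetime import datetime, timezone

# Constructed sample alerts: made-up alert types, subscriptions and resources,
# loosely shaped like Security Center alert records (not real alert data).
SAMPLE_ALERTS = [
    {"id": "alert-1", "alertType": "Sample_AntimalwareDisabled", "subscriptionId": "sub-prod",
     "resourceName": "vm-build01", "severity": "Medium", "status": "Active"},
    {"id": "alert-2", "alertType": "Sample_AntimalwareDisabled", "subscriptionId": "sub-prod",
     "resourceName": "vm-web01", "severity": "Medium", "status": "Active"},
    {"id": "alert-3", "alertType": "Sample_AntimalwareDisabled", "subscriptionId": "sub-dev",
     "resourceName": "vm-build01", "severity": "Medium", "status": "Active"},
    {"id": "alert-4", "alertType": "Sample_SshBruteForce", "subscriptionId": "sub-prod",
     "resourceName": "vm-build01", "severity": "High", "status": "Active"},
]

# Constructed suppression rule. The scope shape (allOf / field / in) is an
# assumption modelled on the Azure alertsSuppressionRules schema.
SAMPLE_RULE = {
    "name": "fp-build-agent-antimalware",
    "alertType": "Sample_AntimalwareDisabled",
    "state": "Enabled",
    "reason": "FalsePositive",
    "expirationDateUtc": datetime(2030, 1, 1, tzinfo=timezone.utc),
    "subscriptions": {"sub-prod"},  # a rule only covers the subscriptions it was created on
    "suppressionAlertsScope": {"allOf": [{"field": "resourceName", "in": ["vm-build01"]}]},
}

def rule_matches(rule, alert, now):
    """True if the suppression rule applies to this alert at time `now`."""
    if rule["state"] != "Enabled" or now >= rule["expirationDateUtc"]:
        return False  # disabled or expired rules never dismiss anything
    if alert["alertType"] != rule["alertType"]:
        return False  # a rule is tied to exactly one alert type
    if alert["subscriptionId"] not in rule["subscriptions"]:
        return False  # out-of-scope subscription
    # Every scope condition must hold; an absent field never matches.
    return all(alert.get(cond["field"]) in cond["in"]
               for cond in rule["suppressionAlertsScope"].get("allOf", []))

def apply_suppression(alerts, rules, now=None):
    """Dismiss alerts matching any rule; returns (dismissed ids, alerts still active)."""
    now = now or datetime.now(timezone.utc)
    dismissed, remaining = [], []
    for alert in alerts:
        (dismissed if any(rule_matches(r, alert, now) for r in rules) else remaining).append(
            alert["id"] if any(rule_matches(r, alert, now) for r in rules) else alert)
    return dismissed, remaining

if __name__ == "__main__":
    gone, left = apply_suppression(SAMPLE_ALERTS, [SAMPLE_RULE])
    print("dismissed:", gone, "| still active:", [a["id"] for a in left])
```

Only alert-1 is dismissed: alert-2 is on a different resource, alert-3 is in a subscription the rule does not cover, and alert-4 is a different alert type.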

Manage Security Incidents & Threat Intelligence Reports

Security Center uses analytics to connect the information between distinct security alerts. Using these connections, it can provide a single view of an attack campaign and its related alerts, helping you understand the attacker's actions and the affected resources.

Incidents appear on the security alerts page; you can select an incident to view the related alerts and get more information.
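As an added illustration of how distinct alerts can be connected into one view of a campaign (my own simplified model, not Security Center's analytics), the following groups constructed alerts by affected resource and time window and orders the tactics each group covers by the kill chain stages from the table above. Alert ids, resource names and timestamps are made up.

```python
from datetime import datetime, timedelta

# Kill chain order of the tactics in the table above, earliest stage first.
TACTIC_ORDER = ["PreAttack", "InitialAccess", "Persistence", "PrivilegeEscalation",
                "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
                "Execution", "Collection", "Exfiltration", "CommandAndControl", "Impact"]
STAGE = {tactic: i for i, tactic in enumerate(TACTIC_ORDER)}

# Constructed sample alerts (made-up ids, resources and ISO-8601 times).
SAMPLE_ALERTS = [
    {"id": "a1", "resource": "vm-web01", "tactic": "PreAttack",     "time": "2024-05-01T08:00:00+00:00"},
    {"id": "a2", "resource": "vm-web01", "tactic": "InitialAccess", "time": "2024-05-01T08:40:00+00:00"},
    {"id": "a3", "resource": "vm-web01", "tactic": "Persistence",   "time": "2024-05-01T09:10:00+00:00"},
    {"id": "a4", "resource": "vm-db01",  "tactic": "Discovery",     "time": "2024-05-01T09:30:00+00:00"},
    {"id": "a5", "resource": "vm-web01", "tactic": "PreAttack",     "time": "2024-05-04T12:00:00+00:00"},
]

def _when(alert):
    return datetime.fromisoformat(alert["time"])

def summarise(resource, group):
    """Describe one incident: its alerts in time order and the stages it reached."""
    tactics = sorted({a["tactic"] for a in group}, key=STAGE.__getitem__)
    return {"resource": resource, "alerts": [a["id"] for a in group],
            "tactics": tactics, "furthest_stage": tactics[-1]}

def build_incidents(alerts, window=timedelta(hours=24)):
    """Group alerts on the same resource whose consecutive times fall within `window`.
    A gap larger than the window starts a new incident for that resource."""
    by_resource = {}
    for alert in sorted(alerts, key=_when):
        by_resource.setdefault(alert["resource"], []).append(alert)
    incidents = []
    for resource, seq in by_resource.items():
        current = [seq[0]]
        for prev, cur in zip(seq, seq[1:]):
            if _when(cur) - _when(prev) > window:
                incidents.append(summarise(resource, current))
                current = []
            current.append(cur)
        incidents.append(summarise(resource, current))
    return incidents

if __name__ == "__main__":
    for incident in build_incidents(SAMPLE_ALERTS):
        print(incident)
```

With the sample data, vm-web01 yields two incidents (a1 to a3 on 1 May, reaching Persistence, and a lone PreAttack alert three days later), while vm-db01 yields one.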

Generate threat intelligence reports

When Security Center identifies a threat, it triggers a security alert that contains detailed information about the event, including suggestions for remediation. It also provides threat intelligence reports containing information about the detected threats, to help incident response teams investigate and remediate them. A report includes information such as:
  • Attacker's identity or associations
  • Attacker's objectives
  • Current and historical attack campaigns
  • Attackers' tactics, tools, and procedures
  • Associated Indicators of Compromise (IoC) such as URLs and file hashes
  • Victimology, which is the industry and geographical prevalence to assist you in determining if your Azure resources are at risk.
  • Mitigation and remediation information 
Security Center has three types of threat reports, which can vary according to the attack:
  • Activity Group Report: provides deep dives into attackers, their objectives, and tactics.
  • Campaign Report: focuses on details of specific attack campaigns.
  • Threat Summary Report: covers all of the items in the previous two reports.

This type of information is very useful during the incident response process, in which there is always an ongoing investigation to understand the source of the attack, the attacker's motivation, and what to do to mitigate this issue in the future.

