Category Archives: Incident Response

Facing the cold chills

Have you ever felt the cold chill in your spine when the “fix engine” light comes on in your car? How about when one of your children turns pale and gets their first fever? It’s a feeling of helplessness and concern regarding what could be wrong. Then there’s the feeling of relief that comes with understanding, even if it’s only partial understanding. We give the child medicine and the fever fades. We add oil to the engine and the light goes off. The human mind often wants to take the easiest path away from fear and stress. But these solutions only fix the symptoms, leaving the cause of the issue unaddressed. The same thing is true in security related situations.

The Microsoft Detection and Response Team (DART) recently worked with a customer who had been subject to a targeted compromise, one where the entity was intently and purposefully attempting to get into their systems. The attack came through one of the customer’s child organizations, who was initially compromised. The parent organization shares a trust with the child organization. During an investigation of the child organization, the parent organization was notified that attackers had migrated their access foothold into the parent network. The parent organization was able to take immediate steps to stop the malicious activities, just before things could have gotten very serious.

From a security perspective, the customer has addressed the symptom (a known compromise) but missed the opportunity to address the core issues that allowed the compromise. It’s not unusual for an organization to shift to the perspective that everything is now better. But it’s never quite so simple.

For DART, one of our key responsibilities is helping our customers understand what happened, how it happened, how long it’s been happening, the potential impact to the organization, and how the customer can improve their protection, detection, and response mechanisms to be better prepared in the future.

Understanding a compromise

Let’s dissect this story a bit more to better understand what happened. The example customer is a global company, with dozens of child organizations around the globe, all connected to the same Active Directory architecture. From a customer perspective, the IT and security functions are decentralized at each child, with each region retaining autonomous control over the operation of their data resources. This takes the pressure off the parent organization by delegating administrative processes like patching, account management, and configuration management to administrators at the child organization; and allowing the parent to focus primarily on critical business operations and their own IT and security.

Infographic of parent org and child org relationship. The child orgs surround the parent org, which is in the cloud, and is made vulnerable as the child orgs are made vulnerable.

Each of the child organizations operates their own Active Directory forest for their users and systems, and a majority of these organizations have a two-way trust with the Active Directory in the parent organization. Roughly half of these trusts have no security identifier (SID) filtering in place to restrict account movement between the various forests. The parent organization’s incident was possible because a compromised account was allowed to move into their network, unhindered. In fact, a compromise in any of the other child organizations would have the same result, creating legitimate risk for the parent and all the other connected child organizations.

How DART helps customers address underlying risks

DART spent days trying to weave a story for the customer explaining the real risk to the organization, even though this specific attack had been blocked. There are a number of systemic issues that worked together to create the risk to the customer networks. Patching was sporadic, and due to the decentralized nature of both the information technology (IT) and security processes across the various organizations, there were large numbers of systems with known vulnerabilities. The decentralized nature of the network also created blind spots in security monitoring across the various forest and network boundaries. The customer could not have detected the lateral movement of bad actors on the network because they weren’t watching those boundaries.

Finally, the lack of configuration management across the company allowed users to have excessive account privileges and to install unsafe software packages. This resulted in large numbers of dangerous software packages to be installed on user systems with privileged access—simply because users opened email attachments, clicked a link, or installed questionable software downloaded from the internet, such as key generators for commercial software products.

The large number of potentially unwanted applications (PUAs) and malware present on the network was clear evidence of the issues facing the customer. A compromised user in one segment of the customer organization creates risk for the entire company. Faced with the reality of the situation, the customer shifted perspectives to improving the security of their environment.

To start, the customer needed to get a handle on the configuration and security of the various arms of the organization. Centralizing IT and security functions would allow for consistent patching, secure account management, and security monitoring. Two-way trusts putting the organization at risk should be managed with appropriate SID filtering, reduced to one-way trusts as needed, or removed from a trust relationship altogether, depending on business need. Standardized security software, such as anti-malware solutions with automatic updates, would provide detection of malware much more quickly on endpoints. Security monitoring at all key network boundaries would create immediate alerts when malicious software or bad actors attempt to move across the environment or create persistence points. A sensible and centralized management plan would enable the customer to protect, detect, and respond to incidents.

It’s easy to get forget security incidents are sometimes symptoms of a bigger problem facing the organization. Leadership would benefit from taking a step back from current events to work with their team and determine where the real security issues exist, and what’s needed to make the organization more secure. In essence, a security aspirin will help lower our fever, but it’s a temporary fix. The fever will return, and it could be worse. It’s more effective in the long run to obtain the needed X-rays or take appropriate blood tests to determine how sick the network is, and what treatment options will remove the key risks to network health.

Learn more

To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Facing the cold chills appeared first on Microsoft Security.

Cisco Threat Response Plugin: Defeat Threats With Just a Few Clicks

One of the best tools in your SOC’s arsenal is something you might already have access to and didn’t even have to pay for. If you already deploy Cisco Umbrella, AMP for Endpoints, Firepower devices, next-generation intrusion prevention system (NGIPS), Email Security, or Threat Grid, then you can immediately access Cisco Threat Response for FREE. As in no charge. Zero extra dollars. No strings attached.

With Cisco Threat Response, customers receive a powerful solution that can streamline and simplify detection, investigation, and remediation of threats. In addition, Threat Response offers a very easy, powerful tool in the new browser plugin (for Chrome and Firefox). By adding the plugin, security professionals now have instant access to threat intelligence and response capabilities directly from their browser. To prove the simplicity of this, let’s use a straightforward example.

For information on configuring the plugin, watch the tutorial here.

For the threat, we will use the Karkoff malware, used in the DNSpionage campaign. For background on the malware, let’s see what Talos has to say about it.

Karkoff Malware

Ah, it seems that Talos has a full spotlight of Karkoff. Towards the bottom of the blog, Talos gives a full report on Indicators of Compromise for Karkoff.

Karkoff Indicators of Compromise

Traditionally, you’d have to manually copy and paste  each file, IP address, etc. from the blog, editing them to remove the defanging “safety brackets”, searching for each one in turn, in each of your telemetry sources – a laborious, manual activity. Cisco Threat Response simplifies this entire process by bringing all of these capabilities to one central source. So, let’s open the Cisco Threat Response browser plugin.


Cisco Threat Response Casebook

Immediately, Cisco Threat Response identifies 16 observables from this threat intelligence blog. 1 clean. 9 malicious. 6 unknown.

Identify Malicious Domains

By clicking the malicious and unknown observables, we can tailor our investigation. We will not worry at all about, because we know Snorty is never up to anything bad!

Select a specific Domain

As an example of how quickly we can take response actions, even before pivoting into Threat Response to do a more complete investigation, let’s look at It is listed as “unknown.” By clicking the dropdown menu next to it, and pivoting out to other trusted intelligence sources like the Talos database or Threat Grid, we could quickly gather more information to determine a course of action.

Block The Domain With Umbrella

For the purposes of simply showing the ease of the plugin, let’s assume we investigated this domain and there is no legitimate business need for our organization to be contacting it. In order to prevent potential malware activity, we will proactively block it now as a first level stopgap while we continue our investigation. Threat Response directly integrates with Umbrella, so we can immediately block the domain across our entire network with one click within the plugin.

Umbrella Blocked Domain Notification in Cisco Threat Response

Within a few seconds, Threat Response will flash a green banner confirming the blocking of the domain with Umbrella.

Investigate With Cisco Threat Response Browser Plugin

Now, after blocking a few domains quickly, our network is certainly better protected from Karkoff, but there is more investigation to be done. A quick click of the “Investigate” button will launch Cisco Threat Response’s cloud-based dashboard.

Cisco Threat Response - Karkoff Malware

Cisco Threat Response will automatically load the list of the observables and provide insights with relation graphs, file hashes, and others.

Previously, Security Operations Centers (SOCs) would hear about trending threats and wonder, “Is my network affected by this threat?” To answer that question, it would require a series of manual processes that required investigating observables hundreds of times across the network, and then, writing sufficient policy to defend against these threats. To make life even more difficult, these solutions were often from different vendors and require manual processes to implement across different parts of the next work.

With Cisco Threat Response, within minutes, your SOC can:

  1. Identify a trending threat from your SIEM, Talos, other threat intel sources, or virtually any third party product that has a web based interface
  2. Identify a list of observables with one click
  3. Quickly block domains across the network
  4. Launch Cisco Threat Response for further investigation

It is important to note that Cisco Threat Response is a FREE add-on to existing Cisco Security solutions. In the example above, the user has Threat Response integrated with their AMP For Endpoints, Cisco Threat Grid, and Umbrella solutions. In addition, every user of Threat Response automatically gets access to the Talos Intelligence and AMP File Reputation databases for use in Threat Response. While Cisco Threat Response provides significant value when integrated with only one product, it becomes even more useful with each additional Cisco Security solution integration. It offers unparalleled central-management for detection, investigation, and remediation – and the browser plugins bring all those capabilities into any type of web content. Whether it is a blog entry like in this example, any other intelligence source, or the browser-based management console of any Cisco or third-party security or networking product.

For more information on Cisco Threat Response, visit our webpage or create an account in the U.S.or EMEAR to get started right away. You can also download plugins for Chrome and Firefox to make investigations easier today.


BONUS: Make sure to catch our upcoming #CiscoChat LIVE, featuring Cisco Threat Response, on Tuesday, July 16 at 10am PT/1pm ET.

To participate in this #CiscoChat LIVE:

  • Join our #CiscoChat Live on Tuesday, July 16th, at 10am PT for a live demo from Cisco Technical Engineer, and Threat Response expert, Ben Greenbaum. Ben will answer questions about Threat Response and do a quick demo of our browser plugin and our latest integration with Firepower devices. He’ll also take your question live on air.
  • Join on YouTube, Facebook, Twitter, or and use the comments or the #CiscoChat hashtag on Twitter to submit your questions!