Matt Swann, Microsoft
As defenders, we watch our intrusion detection systems like a hawk so that we know when to jump into action. However, successfully evicting an adversary in a large-scale environment requires capabilities beyond detection.
In this talk I describe 5 capabilities that network defenders must have in order to effectively respond to an intrusion in a large-scale service. I describe how we overcame these challenges in Office 365 with pointers to source code and reusable tooling.
Slide 24, the IOC-to-job cycle as a sequence of steps: add IP IOC -> alerts from processes accessing this IP -> dump process memory -> extract malware indicators -> scan process memory for malware indicators -> processes matching these indicators -> dump process memory -> extract network indicators -> add IOCs for new network indicators
Matt is a Principal Engineering Manager in the OneDrive and SharePoint team at Microsoft. He drove the security development process for SharePoint 2010 and 2013, then built a team focused on cloud security for SharePoint Online. Matt is passionate about intrusion detection, incident response and catching adversaries. When he’s not catching bad guys, you can find him at home with his kids or hiking in Washington's beautiful Cascades.
-----------------------------------
latency, coverage and data overload mean we are not effective, which means we lose, even if we successfully detected the intrusion!
5 superpowers that have enabled us to meet this challenge in Office 365
log it before you need it so you can determine when something changed and what the state was at the time of compromise
e.g. daily dump of all ASEP registry keys (there are many!)
once you’ve captured the data, you’ll find that it lets you build better detections as well
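An added example of what "log it before you need it" buys you, not the talk's tooling: given a series of daily autostart (ASEP) dumps, diff consecutive days to see what changed and when, and pull the full history of one entry so the state on the estimated day of compromise is known. The snapshot format (a flat mapping of "key\value name" to data) and the entries, paths and dates are constructed sample data.

```python
"""Diff daily autostart (ASEP) snapshots to find when an entry changed.

Added example, not the talk's tooling. Assumes each daily dump is a flat
mapping of "key\\value name" -> data; the snapshots below are constructed.
"""
from datetime import date

RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
ONEDRIVE = rf"{RUN}\OneDrive"
UPDATER = rf"{RUN}\Updater"   # constructed entry that appears mid-series
ONEDRIVE_CMD = r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"

SNAPSHOTS = {   # constructed sample series: one dump per day
    date(2024, 3, 1): {ONEDRIVE: ONEDRIVE_CMD},
    date(2024, 3, 2): {ONEDRIVE: ONEDRIVE_CMD},
    date(2024, 3, 3): {ONEDRIVE: ONEDRIVE_CMD,
                       UPDATER: r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    date(2024, 3, 4): {ONEDRIVE: ONEDRIVE_CMD,
                       UPDATER: r"C:\ProgramData\svc\upd.exe -s"},
}


def diff_snapshots(old, new):
    """Return (added, removed, changed) between two daily dumps."""
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return added, removed, changed


def timeline(snapshots):
    """Walk the series in date order and report only the days on which something changed."""
    days = sorted(snapshots)
    events = []
    for prev, cur in zip(days, days[1:]):
        added, removed, changed = diff_snapshots(snapshots[prev], snapshots[cur])
        if added or removed or changed:
            events.append((cur, added, removed, changed))
    return events


def history(snapshots, entry):
    """Every transition of one entry as (date, before, after); None means 'absent'.
    The first element answers 'when did this appear', the last 'what is it now'."""
    days = sorted(snapshots)
    transitions, previous = [], snapshots[days[0]].get(entry)
    for day in days[1:]:
        current = snapshots[day].get(entry)
        if current != previous:
            transitions.append((day, previous, current))
        previous = current
    return transitions


def state_on(snapshots, day, entry):
    """What the entry looked like on a given day (e.g. the estimated day of compromise)."""
    return snapshots[day].get(entry)


if __name__ == "__main__":
    for day, added, removed, changed in timeline(SNAPSHOTS):
        print(day, "added:", list(added), "removed:", list(removed), "changed:", list(changed))
    print(history(SNAPSHOTS, UPDATER))
```

The same diff over a day's worth of dumps is also the raw material for a detection: an autostart entry pointing into a user's temp directory is worth an alert on the day it appears, not weeks later during an investigation.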
Another pattern is just-in-time forensic capture
e.g. when a high-severity alert is detected, dump the entire state of the machine into the data store
if I’m investigating an adversary, I might know DNS hostnames or IP addresses he uses
I can distribute those IOCs to every agent in real-time via a pull model from an Azure cloud service
when an adversary runs malware on these machines, I will get a real-time alert from the IOC match
another technique I can use is to distribute a job across each machine
a job is a set of parameters for a hard-coded task in each agent; this is not remote code execution
the job repository will gradually distribute the job across the fleet to reduce impact
for example, this might be a yara job
yara allows me to locate malware signatures in memory or on disk
if one of the machines finds a match, it sends an alert back to our detection repository
together, IOCs and jobs build a virtuous cycle that allows me to track my adversary across my fleet in real-time
let’s use our job system to apply a disruptive action across the fleet – blocking an IP address by adding a static route, or a DNS hostname by updating the hosts file
similarly, we can use our IOC service to take disruptive action autonomously: instead of just alerting when an IOC is matched, we can suspend the thread or suspend the process.
e.g. thread injection
Raw event logs, detection results, forensic data, IOC hits, job results