Attack Detection
When information systems are properly configured, all attacks, even those that are unsuccessful, leave some trace that they occurred. Clever attackers will attempt to remove those traces once they have gained access to a system. If telemetry monitoring is configured properly within an organization, monitoring systems will alert the blue team to potential intrusion activity before the attackers have a chance to remove that telemetry from the compromised systems.

Logging and monitoring

Unless there is a system to record events as they happen on a computer, finding evidence about how and when something happened will be difficult. Therefore, the collection of system event telemetry is important to detecting and understanding how an attacker is infiltrating and compromising a system.

One way of securing event telemetry from deletion by an attacker who has compromised a system is to move event telemetry off systems to a centralized location as quickly as possible. Centralizing event logs provides the benefit of placing many data sources in a single location where events can be correlated. Attackers who compromise a system will also be unable to remove event log evidence of their activities if those events are recorded on a separate system.

SIEM systems

Security Information and Event Management (SIEM) systems analyze event log data as it is generated. A SIEM can aggregate data from a variety of sources, correlate that data, and generate alerts based on determinations made about the correlated data. SIEM systems are available as software that runs on Windows or Linux server operating systems and as hardware or virtual appliances. Some SIEM systems also provide compliance, retention, and forensic analysis functionality. They can be used in conjunction with, or as a replacement for, other event log management systems in an organization.

Intrusion detection systems

An intrusion detection system (IDS) is a software application, hardware appliance, or virtual appliance that monitors an organization’s information systems for problematic activity or violations of policy. There are multiple types of IDS, including network intrusion detection systems (NIDS), which monitor network traffic for suspicious activity, and host-based intrusion detection systems (HIDS), which monitor a specific system. Multiple IDS can report to a central SIEM system, which then provides centralized telemetry storage, correlation, analysis, alerts, and security recommendations based on that telemetry. An intrusion prevention system (IPS) is a special type of IDS that adds an automated response when an intrusion is detected.
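The two points above, that forwarding logs off the host protects them and that centralizing them lets events from many sources be correlated, can be shown with a small correlation rule of the kind a SIEM runs. The example below is added here and is not code from the course or from any SIEM product; the pipe-delimited export format, the host names, addresses and accounts are all constructed, and only the Windows Security log event IDs 4624 and 4625 are real. The rule raises an alert when one source address accumulates a burst of failed logons across any hosts and then logs on successfully. Run host by host, as each system could see on its own, the same records raise nothing, because no single host sees enough failures.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Normalized event record, the shape a SIEM would hold after ingesting
# forwarded Windows Security logs from several hosts. (Constructed for this
# example; the field layout is an assumption, not any product's schema.)
@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str       # system that generated the record
    event_id: int   # Windows Security log event ID
    user: str       # account name in the record
    src_ip: str     # network source of the logon attempt

FAILED_LOGON = 4625   # "An account failed to log on"
SUCCESS_LOGON = 4624  # "An account was successfully logged on"

def parse_line(line: str) -> Event:
    """Parse one line of the constructed pipe-delimited export format."""
    ts, host, eid, user, ip = (f.strip() for f in line.split("|"))
    return Event(datetime.fromisoformat(ts), host, int(eid), user, ip)

def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP accumulates >= threshold failed logons within
    `window` and then logs on successfully, regardless of which host each
    record came from. Returns a list of alert dicts."""
    recent = defaultdict(list)  # src_ip -> [(ts, host, user)] failures still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        recent[ev.src_ip] = [f for f in recent[ev.src_ip] if ev.ts - f[0] <= window]
        if ev.event_id == FAILED_LOGON:
            recent[ev.src_ip].append((ev.ts, ev.host, ev.user))
        elif ev.event_id == SUCCESS_LOGON and len(recent[ev.src_ip]) >= threshold:
            failures = recent[ev.src_ip]
            alerts.append({
                "rule": "logon success after burst of failures",
                "src_ip": ev.src_ip,
                "user": ev.user,
                "host": ev.host,
                "failed_attempts": len(failures),
                "hosts_targeted": sorted({f[1] for f in failures}),
                "accounts_tried": sorted({f[2] for f in failures}),
                "ts": ev.ts.isoformat(),
            })
            recent[ev.src_ip] = []  # one alert per burst
    return alerts

def detect(log_text: str, centralized: bool = True):
    """Run the rule over a log export. With centralized=False the events are
    correlated host by host, which is all each system could see on its own."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    if centralized:
        return correlate(events)
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    return [a for evs in by_host.values() for a in correlate(evs)]

# Constructed sample: a burst of failed logons from 10.0.0.77 spread across
# two hosts, ending in a successful logon, plus one ordinary mistyped
# password from 10.0.0.5 that should not alert.
SAMPLE_LOG = """\
2024-03-01T09:00:01 | HOST-A | 4625 | alice      | 10.0.0.77
2024-03-01T09:00:03 | HOST-A | 4625 | bob        | 10.0.0.77
2024-03-01T09:00:05 | HOST-A | 4625 | carol      | 10.0.0.77
2024-03-01T09:00:08 | HOST-B | 4625 | dave       | 10.0.0.77
2024-03-01T09:00:10 | HOST-B | 4625 | erin       | 10.0.0.77
2024-03-01T09:00:12 | HOST-B | 4625 | svc_backup | 10.0.0.77
2024-03-01T09:00:15 | HOST-B | 4624 | svc_backup | 10.0.0.77
2024-03-01T09:01:00 | HOST-A | 4625 | frank      | 10.0.0.5
2024-03-01T09:01:07 | HOST-A | 4624 | frank      | 10.0.0.5
"""

if __name__ == "__main__":
    print("centralized:", detect(SAMPLE_LOG))
    print("per host:   ", detect(SAMPLE_LOG, centralized=False))
```

The threshold and window are deliberately simple; a production rule would also suppress known scanners and service accounts, and would key on the target account as well as the source address, but the structural lesson is the same: the alert only exists because records from HOST-A and HOST-B were sitting in one place when the successful logon arrived.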

Attack detection and machine learning

Recognizing the characteristic evidence of an attack in hundreds of thousands, if not millions, of event log entries spread across a multitude of different event sources is like finding the proverbial needle in a haystack. An advantage of big data and machine learning is that they are very good at finding patterns and anomalies that may not have been apparent using older analysis techniques.

Big data and machine learning techniques allow the characteristic traces of attacks present in an organization’s event logs to be recognized and surfaced. While the characteristics of a single attack may be subtle, when the characteristics of thousands of attacks are analyzed across tens of thousands of organizations, commonalities are more easily identified. Cloud services ingest data constantly, which means that the identifying characteristics of a newly recognized attack become known to all customers almost immediately.

Microsoft attack detection products

Microsoft has several products that can be used to detect suspicious activity on an organization’s information systems based on the collection and analysis of telemetry. These products can be used individually or together depending on the organization’s need. Some of these products can run locally on an organization’s network and other products use Microsoft’s cloud infrastructure for management and analytic functionality.

Advanced Threat Analytics

Advanced Threat Analytics (ATA) is a solution that you can deploy in on-premises environments to detect threats. ATA uses behavioral analytics to determine what constitutes abnormal behavior on your organization’s network based on its understanding of the prior behavior of security entities. Examples include noticing when an account’s sign-on activity differs from its normal sign-on activity, when an account enumerates the membership of sensitive groups, or when a computer appears to be participating in an attack, such as a golden ticket attack.
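To make the idea of a behavioral baseline concrete, here is an added example of the simplest form of the sign-on check described above: learn each account's usual hosts and hours from a training window, then score new sign-ons against that profile. This is illustration code written for this page, not ATA's own model or anything Microsoft publishes; the account names, hosts and the twenty-day history are constructed, and `min_samples` is an assumed guard so that an account with almost no history is reported as unscoreable rather than silently treated as normal.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Profile:
    """What an account's sign-ons looked like during the training window."""
    hosts: set = field(default_factory=set)   # workstations it signed on to
    hours: set = field(default_factory=set)   # hours of day it signed on at
    samples: int = 0                          # how many sign-ons built this profile

def build_profiles(signons):
    """signons: iterable of (datetime, account, host). Returns {account: Profile}."""
    profiles = defaultdict(Profile)
    for ts, account, host in signons:
        p = profiles[account]
        p.hosts.add(host)
        p.hours.add(ts.hour)
        p.samples += 1
    return profiles

def score_signon(profiles, ts, account, host, min_samples=10):
    """Return the reasons a sign-on deviates from the account's baseline.
    An empty list means it fits. Accounts with too little history are not
    scored, because a thin baseline makes everything look normal."""
    p = profiles.get(account)
    if p is None or p.samples < min_samples:
        return ["insufficient baseline for account"]
    reasons = []
    if host not in p.hosts:
        reasons.append(f"first sign-on from {host}")
    # Tolerate one hour either side of every hour seen in training.
    usual_hours = {(h + d) % 24 for h in p.hours for d in (-1, 0, 1)}
    if ts.hour not in usual_hours:
        reasons.append(f"sign-on at {ts:%H:%M} outside usual hours")
    return reasons

def constructed_history():
    """Twenty weekdays of constructed sign-ons: alice twice a day on her own
    workstation, bob once a day on his, and a single record for newhire."""
    start = datetime(2024, 2, 1)
    history = []
    for day in range(20):
        d = start + timedelta(days=day)
        history.append((d.replace(hour=8, minute=30), "alice", "WS-ALICE"))
        history.append((d.replace(hour=13, minute=0), "alice", "WS-ALICE"))
        history.append((d.replace(hour=9, minute=0), "bob", "WS-BOB"))
    history.append((start.replace(hour=10), "newhire", "WS-NEW"))
    return history

# Constructed sign-ons to score against the baseline.
CANDIDATES = [
    (datetime(2024, 3, 1, 9, 10), "alice", "WS-ALICE"),       # routine
    (datetime(2024, 3, 1, 3, 15), "alice", "FILESERVER-01"),  # new host, 03:15
    (datetime(2024, 3, 1, 9, 5), "bob", "WS-BOB"),            # routine
    (datetime(2024, 3, 1, 10, 0), "newhire", "WS-NEW"),       # too little history
]

def evaluate(candidates=CANDIDATES):
    """Score each candidate; returns {(account, host): [reasons]}."""
    profiles = build_profiles(constructed_history())
    return {(acct, host): score_signon(profiles, ts, acct, host)
            for ts, acct, host in candidates}

if __name__ == "__main__":
    for key, reasons in evaluate().items():
        print(key, "OK" if not reasons else reasons)
```

Real behavioral analytics replaces the hour set with a distribution, tracks peers as well as the individual, and weighs the severity of the asset signed on to, but the shape is the same: a profile learned from history, a score for each new event, and an explicit answer for the account that has no history yet.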

For more information on Advanced Threat Analytics, consult the following documentation:

Azure Advanced Threat Protection

Azure Advanced Threat Protection (ATP) has very similar functionality to ATA, except that all of the telemetry is funneled into the cloud for analysis rather than that analysis being performed on-premises. Like ATA, Azure ATP uses behavioral analytics to determine what constitutes abnormal behavior on your organization’s network based on learning the prior behavior of security entities. Azure ATP can ingest telemetry from SIEM systems, from Windows Event Forwarding, directly from a Windows Event Collector, and as RADIUS accounting from VPN endpoints.

For more information on Azure ATP, consult the following documentation:

Azure Security Center

Originally deployed as a tool to analyze and report on the security of resources in Azure, Azure Security Center can also have its agents deployed to on-premises servers. Azure Security Center can analyze event telemetry from on-premises servers, whether bare metal or virtualized, as well as from servers running as IaaS virtual machines, correlating events so that administrators can view the timeline of a specific attack together with the steps that can be taken to mitigate it.

For more information on Azure Security Center, consult the following documentation:

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection is a product for Windows 10 endpoints that provides the following functionality:

  • Endpoint behavioral sensors. These monitor a Windows 10 computer’s telemetry, gathering data from event logs, running processes, the registry, the file system, and network communications. This data is forwarded to the organization’s Windows Defender ATP cloud instance.
  • Cloud security analytics. Cloud security analytics takes the telemetry gathered at the endpoint level and analyzes that data, providing threat detections and recommended responses back to the organization. This analysis occurs against information available to Microsoft across the Windows ecosystem as well as cloud products such as Office 365 and Azure. For example, Microsoft may learn about and resolve a specific threat from the telemetry of one set of Windows Defender ATP customers. This insight allows Windows Defender ATP to make recommendations when the same threat is detected in the endpoint telemetry of another Windows Defender ATP customer.
  • Threat intelligence. Windows Defender ATP doesn’t just rely on telemetry collected with customers’ consent across the Microsoft ecosystem. Microsoft also has security researchers and engages with partner organizations to identify attacker tools and techniques and to raise alerts when evidence of these tools and techniques surfaces in customer telemetry.

For more information on Windows Defender Advanced Threat Protection, consult the following web page:

This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security, created by FutureLearn.