CSF18 - Incident Response in the Cloud with Azure Security Center
Yuri Diogenes, MSc Cybersecurity
@yuridiogenes
[Diagram: Developer, Administrator and User accessing Resources and Services within a Subscription]
Top cloud threats
Kill chain: Reconnaissance -> Weaponisation -> Delivery -> Exploitation -> Installation -> Command and Control -> Actions on the Objective
Simplified kill chain: Reconnaissance -> Delivery -> Exploitation -> Command & Control -> Actions on Objective
Attack techniques laid over the kill chain: pretexting, social engineering, error/neglect, partner/vendor, identity spoofing, phishing, malicious software download, malicious code, elevation of privilege, man-in-the-middle, memory hijacking or corruption, external media, cross-site scripting attack, watering hole, spamming, content spoofing, brute force, authentication bypass, code injection, code signing and signature attacks, network tampering, physical device attack, public vulnerability, routing attacks, SQL injection, use of compromised credential, web application attack, zero-day vulnerability, denial of service, leak/exfiltrate data, defacement, move laterally, C2 (backdoor or control channel), controls evasion, authentication store attack, cryptanalysis, denial of access, scanning, remote access/control, monitoring and interception, code inclusion.
Cloud attacks kill chain
• Inbound brute-force RDP, SSH, SQL attacks and more
• Suspicious process execution
• Using compromised resources to mount additional attacks (outbound port scanning, brute-force RDP/SSH attacks, DDoS, and spam)
Actors harness cloud compute power to execute additional attacks.
Your security posture
• Using targeted signals, behavioral monitoring, and machine learning
• Closing the gap between discovery and action
• Across all endpoints, from sensors to the datacenter
www.hackerhalted.com
Defense layers: Advanced Cyber Defense, Operational Security, Platform Security
• Prevent & Assume Breach Strategy
• Security Monitoring and Analytics
• Cyber Defense Operations Center
• Access Policy & Controls
• Security Development Lifecycle (SDL)
• Operations Security Assurance (OSA)
• Patching
• Antimalware
• Vulnerability Scanning
• Datacenter Security
• Secure Multi-tenancy
• Network Protection
• Data Encryption and Key Management
How can ASC help the SOC?
Initial triage:
• Verify security alerts / security incidents
• Perform initial investigation
• Investigation dashboard and hunting
• 3rd-tier escalation for cases that are not solved with ASC
• More artifacts to hunt, since data come from multiple sources within the organization
• Incident reported
• Document the scope
• Perform initial troubleshooting to isolate (support or security)
Data sources: on-premises servers, network devices
• Primary investigation across all data sources
• Security posture
• On-demand investigations for IaaS
Alert processing flow: Alert -> Normalize the data -> Evaluate the type of activity -> Apply false-positive and suppression techniques -> Evaluation result -> Alert
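The flow above in working form, as an added example that is not from the deck and not ASC's implementation: two differently shaped raw alerts are normalized into one schema, the activity type is evaluated, and suppression rules drop the expected false positives before an alert is raised. The raw records, field names, the internal scanner range and the allow-listed process are all constructed for illustration.

```python
"""Added example: alert -> normalize -> evaluate activity -> suppress -> result.
Record shapes, field names and suppression rules are constructed, not ASC's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed raw alerts from two producers: a dict-shaped record and a
# flat key=value line, standing in for different data sources in the SOC.
RAW_ALERTS = [
    {"AlertName": "RDP Brute Force", "Compromised Host": "web01",
     "Attacker IP": "203.0.113.7", "Severity": "High"},
    {"AlertName": "Suspicious process executed", "Compromised Host": "web01",
     "Process Name": "powershell.exe", "Severity": "Medium"},
    "host=db02 src=10.0.0.5 type=ssh_bruteforce sev=high",
    "host=db02 src=198.51.100.9 type=ssh_bruteforce sev=high",
]

# Producer-specific names mapped onto one activity vocabulary (constructed).
ACTIVITY_MAP = {
    "rdp brute force": "bruteforce_inbound",
    "ssh_bruteforce": "bruteforce_inbound",
    "suspicious process executed": "suspicious_process",
}

@dataclass
class Alert:
    host: str
    activity: str            # normalized activity class
    severity: str            # low / medium / high
    source_ip: Optional[str] = None
    process: Optional[str] = None

def normalize(raw) -> Alert:
    """Turn either raw shape into the common Alert schema."""
    if isinstance(raw, dict):
        return Alert(host=raw["Compromised Host"],
                     activity=ACTIVITY_MAP.get(raw["AlertName"].lower(), "unknown"),
                     severity=raw["Severity"].lower(),
                     source_ip=raw.get("Attacker IP"),
                     process=raw.get("Process Name"))
    kv = dict(token.split("=", 1) for token in raw.split())
    return Alert(host=kv["host"], activity=ACTIVITY_MAP.get(kv["type"], "unknown"),
                 severity=kv["sev"].lower(), source_ip=kv.get("src"))

# Constructed suppression knowledge: an authorized internal scanner range
# that is expected to trip brute-force detections, and one process that is
# legitimate on one specific host.
SCANNER_RANGES = [ip_network("10.0.0.0/8")]
ALLOWED_PROCESSES = {("web01", "powershell.exe")}

def suppress(alert: Alert) -> Optional[str]:
    """Return the suppression reason, or None if the alert should stand."""
    if alert.activity == "bruteforce_inbound" and alert.source_ip:
        if any(ip_address(alert.source_ip) in net for net in SCANNER_RANGES):
            return "source is an authorized internal scanner"
    if alert.activity == "suspicious_process" and \
            (alert.host, alert.process) in ALLOWED_PROCESSES:
        return "process allow-listed for this host"
    return None

def evaluate(raw_alerts) -> Tuple[List[Alert], List[Tuple[Alert, str]]]:
    """Run the pipeline; return (alerts to raise, suppressed (alert, reason) pairs)."""
    kept, dropped = [], []
    for raw in raw_alerts:
        alert = normalize(raw)
        reason = suppress(alert)
        if reason:
            dropped.append((alert, reason))
        else:
            kept.append(alert)
    return kept, dropped

if __name__ == "__main__":
    raised, suppressed = evaluate(RAW_ALERTS)
    for a in raised:
        print("ALERT   ", a)
    for a, why in suppressed:
        print("SUPPRESS", a.host, a.activity, "-", why)
```

Suppression is keyed on the normalized activity, not on the producer's alert name, so a rule written once covers every source that reports the same behaviour; the cost is that the mapping table has to be maintained as new alert names appear, and anything unmapped surfaces as `unknown` rather than being silently dropped.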
▪ Known malware: Worm_Kasidet.sc, Dynamer!Ac, RemoteIe, Carberp.L, TinBa, Gether.B!cl, Prepscram, Ardamax, Fethar.B!cl, sv.dll, Generic.grp, Farfli.O, Win32/Farfli.K!bit, Hupigon, Ainslot.A, masss_launcher.exe, Win32/Zegost.DA, bkro_luminosity.b, flyboy.dll, IK.exe
▪ Penetration testing tools: Meterpreter / Metasploit, Cobalt Strike, PowerShell Empire
▪ Unknown malware: Stressor, bundlers/packed malware, malicious svchost.exe, malicious debuggers, crypto coin miners, browser spyware, suspicious PowerShell activity, malicious pdf.exe, unidentified shellcode, new Trojan family (Ingok.A)
▪ A/V software vulnerability: injected code introduces the possibility of ROP / DEP bypass
Detect malicious code in memory with automated memory-forensic techniques: ASC scans process memory to identify evidence of exploitation and malicious code. ASC sends an alert with rich context for alert triage, correlation, and investigation. Includes (as applicable):
• Machine, user and process details
• In-memory payload capabilities and function calls
• Shellcode location and contents
• Related suspicious threads
• Active network connections
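An added example of the kind of memory-forensic heuristic described above, not ASC's implementation: walk a snapshot of a process's memory regions, single out executable memory that is not backed by a loaded image (injected code has to live somewhere like that), and search it for byte sequences that position-independent shellcode uses and ordinary compiled code almost never does. The snapshot is constructed here; the protection and type constants reuse Win32's values and the indicator bytes are standard x86/x64 encodings.

```python
"""Added example: RWX/non-image region triage plus shellcode indicator search.
The memory snapshot is fabricated; this is not how ASC is implemented."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Win32 protection and allocation-type values (same numbers as the SDK).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# Byte patterns typical of position-independent shellcode:
# PEB lookups (the start of manual API resolution) and GetPC stubs.
INDICATORS = {
    b"\x64\xa1\x30\x00\x00\x00": "x86 PEB read (mov eax, fs:[0x30])",
    b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00": "x64 PEB read (mov rax, gs:[0x60])",
    b"\xe8\x00\x00\x00\x00": "GetPC stub (call $+5)",
    b"\xd9\xee\xd9\x74\x24\xf4": "GetPC stub (fnstenv)",
}

@dataclass
class Region:
    base: int
    protect: int
    kind: int
    data: bytes

@dataclass
class Finding:
    base: int
    reason: str
    offsets: Dict[str, int] = field(default_factory=dict)  # indicator -> first offset

def is_suspicious_region(r: Region) -> bool:
    """Executable memory not backed by an EXE/DLL image is where injected code
    lives; writable+executable private memory is the classic case."""
    executable = r.protect in (PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE)
    return executable and r.kind != MEM_IMAGE

def scan_region(r: Region) -> Optional[Finding]:
    """Report a region only if it is both suspicious by layout and carries at
    least one shellcode indicator; either alone is too noisy on its own."""
    if not is_suspicious_region(r):
        return None
    hits = {}
    for pattern, name in INDICATORS.items():
        off = r.data.find(pattern)
        if off != -1:
            hits[name] = off
    if not hits:
        return None
    reason = "RWX private memory" if r.protect == PAGE_EXECUTE_READWRITE \
        else "RX non-image memory"
    return Finding(base=r.base, reason=reason, offsets=hits)

def scan_process(regions: List[Region]) -> List[Finding]:
    return [f for f in (scan_region(r) for r in regions) if f is not None]

# Constructed snapshot: a legitimate image code section, a plain heap page,
# and an RWX private allocation holding a NOP sled, a call $+5 / pop ebx
# GetPC stub and a fs:[0x30] PEB read, then int3 padding.
SNAPSHOT = [
    Region(0x00400000, PAGE_EXECUTE_READ, MEM_IMAGE, b"\x55\x8b\xec" * 16),
    Region(0x00600000, PAGE_READWRITE, MEM_PRIVATE, b"A" * 64),
    Region(0x02a10000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE,
           b"\x90" * 8 + b"\xe8\x00\x00\x00\x00" + b"\x5b"
           + b"\x64\xa1\x30\x00\x00\x00" + b"\xcc" * 8),
]

if __name__ == "__main__":
    for f in scan_process(SNAPSHOT):
        print(f"{f.base:#010x} {f.reason}")
        for name, off in f.offsets.items():
            print(f"    +{off:#06x} {name}")
```

The two-stage filter is the point: plenty of legitimate software (JIT runtimes, packers, some A/V hooks) allocates RWX memory, and the indicator bytes can occur by chance inside data, so a region is reported only when layout and content both look wrong. Real scanners go further and follow the shellcode's resolved imports and thread start addresses, which is where the "payload capabilities" and "related suspicious threads" context in the alert comes from.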
• Get prioritized security alerts: details about detected threats and recommendations
• Incident contextual awareness: alerts that conform to kill-chain patterns are fused into a single incident
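Fusion of kill-chain-ordered alerts into one incident, as an added example that is not ASC's implementation: alerts are grouped per host, alerts that fall within a time window of the group's first alert stay together, and a group that covers at least two distinct kill-chain stages becomes an incident while the rest remain standalone alerts. The alert records, the mapping of detection names to stages and the two-hour window are constructed assumptions.

```python
"""Added example: fuse per-host alerts that span several kill-chain stages
into a single incident. Stage mapping, window and alerts are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed mapping of detection names onto simplified kill-chain stages.
STAGE = {
    "RDP Brute Force": 1,        # delivery / initial access
    "Suspicious process": 2,     # exploitation
    "Suspicious CMD": 2,
    "Account enumeration": 3,    # discovery
    "Lateral move": 4,           # actions on objective
    "Outgoing scans": 4,
}
WINDOW = timedelta(hours=2)

def fuse(alerts: List[Dict], window: timedelta = WINDOW) -> Tuple[List[Dict], List[Dict]]:
    """Return (incidents, standalone_alerts).

    Alerts are bucketed per host; a new bucket starts when an alert falls
    more than `window` after the bucket's first alert. A bucket covering two
    or more distinct stages is an incident; otherwise its alerts stand alone.
    Unmapped detection names ride along in the bucket but count as no stage."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):
        by_host[a["host"]].append(a)

    incidents, standalone = [], []
    for host, seq in by_host.items():
        buckets, current = [], []
        for a in seq:
            if current and a["time"] - current[0]["time"] > window:
                buckets.append(current)
                current = []
            current.append(a)
        buckets.append(current)

        for bucket in buckets:
            stages = sorted({STAGE.get(a["name"], 0) for a in bucket} - {0})
            if len(stages) >= 2:
                incidents.append({
                    "host": host,
                    "alerts": [a["name"] for a in bucket],
                    "stages": stages,
                    "start": bucket[0]["time"],
                    "end": bucket[-1]["time"],
                })
            else:
                standalone.extend(bucket)
    return incidents, standalone

# Constructed alerts: a full chain on web01, an isolated brute force on db02,
# and a late, unrelated suspicious process on web01 hours afterwards.
T0 = datetime(2018, 10, 1, 9, 0)
ALERTS = [
    {"time": T0, "host": "web01", "name": "RDP Brute Force"},
    {"time": T0 + timedelta(minutes=25), "host": "web01", "name": "Suspicious CMD"},
    {"time": T0 + timedelta(minutes=40), "host": "web01", "name": "Account enumeration"},
    {"time": T0 + timedelta(minutes=55), "host": "web01", "name": "Lateral move"},
    {"time": T0 + timedelta(minutes=10), "host": "db02", "name": "RDP Brute Force"},
    {"time": T0 + timedelta(hours=6), "host": "web01", "name": "Suspicious process"},
]

if __name__ == "__main__":
    incidents, standalone = fuse(ALERTS)
    for inc in incidents:
        print(f"INCIDENT {inc['host']} stages={inc['stages']} {inc['alerts']}")
    for a in standalone:
        print(f"alert    {a['host']} {a['name']} at {a['time']:%H:%M}")
```

Requiring two distinct stages rather than two alerts is what keeps a burst of the same detection (ten brute-force alerts from one scanner) from being promoted to an incident, while one brute force followed by one suspicious command on the same host is.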
Demo
Detections shown: RDP brute force, SSH brute force, suspicious process, suspicious CMD, suspicious user activity, malicious communication, compromised machine (TI), outgoing spam, outgoing brute force, outgoing scans, outgoing DDoS, PowerShell analytics, privilege escalation, log clear activity, built-in user activity, account enumeration, lateral move
Demo
• Quickly assess the scope and impact of an attack
• Interactive experience to explore links across alerts, computers and users
• Use predefined or ad hoc queries for deeper examination
Demo
Windows Defender ATP integration
• Windows Defender Advanced Threat Protection (WDATP) is now integrated into Security Center for a centralized view of detected threats on devices and virtual machines. Microsoft's vast threat intelligence enables WDATP to identify and notify you of attackers' tools and techniques, so you can understand threats and respond.
• WDATP is automatically enabled for Azure and on-premises Windows Servers that have onboarded to Security Center.
Search and analyze security data using a flexible query language: use built-in or custom queries with Log Analytics search.
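The RDP brute-force detection from the demo list, written out as an added example in Python rather than as a Log Analytics query, so the logic is visible on constructed data; this is not one of ASC's built-in analytics. The records imitate the SecurityEvent table's TimeGenerated, EventID, IpAddress, Account and LogonType columns. The same idea in Log Analytics is a `SecurityEvent | where EventID == 4625 and LogonType == 10 | summarize FailedLogons = count() by IpAddress, bin(TimeGenerated, 5m) | where FailedLogons >= 10` query; the Python version adds the step a triager cares about, checking whether the spraying address then logged on successfully.

```python
"""Added example: RDP brute-force detection over SecurityEvent-like records,
with the follow-on check for a successful logon from the same source.
Events, threshold and window are constructed; not an ASC analytic."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

BIN = timedelta(minutes=5)
THRESHOLD = 10          # failed logons per source IP per bin
RDP_LOGON_TYPE = 10     # Windows LogonType 10 = RemoteInteractive (RDP)

T0 = datetime(2018, 10, 1, 3, 0)
# Constructed events: 24 failures from one address, 9 seconds apart, cycling
# through four accounts and ending in a success; plus one user mistyping a
# password twice from an internal address.
EVENTS = (
    [{"TimeGenerated": T0 + timedelta(seconds=9 * i), "EventID": 4625,
      "IpAddress": "203.0.113.7", "Account": f"WEB01\\user{i % 4}", "LogonType": 10}
     for i in range(24)]
    + [{"TimeGenerated": T0 + timedelta(minutes=4), "EventID": 4624,
        "IpAddress": "203.0.113.7", "Account": "WEB01\\user2", "LogonType": 10}]
    + [{"TimeGenerated": T0 + timedelta(minutes=1, seconds=s), "EventID": 4625,
        "IpAddress": "10.0.0.44", "Account": "WEB01\\alice", "LogonType": 10}
       for s in (0, 30)]
)

def bin_start(ts: datetime) -> datetime:
    """Floor a timestamp to its 5-minute bin, like bin(TimeGenerated, 5m)."""
    return ts - timedelta(minutes=ts.minute % 5, seconds=ts.second,
                          microseconds=ts.microsecond)

def detect_rdp_bruteforce(events: List[Dict], threshold: int = THRESHOLD) -> List[Dict]:
    """One finding per (IpAddress, bin) whose RDP failure count meets the
    threshold. If the same source logs on successfully (4624) in that bin or
    the next one, the finding is flagged as a likely credential compromise."""
    failures = defaultdict(list)     # (ip, bin) -> accounts attempted
    successes = defaultdict(set)     # ip -> bins with a successful logon
    for e in events:
        if e["LogonType"] != RDP_LOGON_TYPE:
            continue
        b = bin_start(e["TimeGenerated"])
        if e["EventID"] == 4625:
            failures[(e["IpAddress"], b)].append(e["Account"])
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].add(b)

    findings = []
    for (ip, b), accounts in sorted(failures.items(), key=lambda kv: kv[0][1]):
        if len(accounts) < threshold:
            continue
        followed = any(s in (b, b + BIN) for s in successes.get(ip, ()))
        findings.append({
            "ip": ip,
            "bin": b,
            "failures": len(accounts),
            "distinct_accounts": len(set(accounts)),
            "followed_by_success": followed,
        })
    return findings

if __name__ == "__main__":
    for f in detect_rdp_bruteforce(EVENTS):
        flag = "COMPROMISE LIKELY" if f["followed_by_success"] else "brute force"
        print(f"{f['bin']:%Y-%m-%d %H:%M} {f['ip']} {f['failures']} failures "
              f"across {f['distinct_accounts']} accounts -> {flag}")
```

Filtering on LogonType 10 is what makes this an RDP detection rather than a count of every 4625 on the box; the distinct-account count separates password spraying (many accounts, few tries each) from a dictionary attack on one account, and the success check is what turns a noisy "brute force" alert into one worth paging on.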
Threat intelligence: to build this threat intelligence, Security Center uses data that comes from multiple sources within Microsoft, and uses that data to identify potential threats against your environment.
Demo
Save 45% on the book or eBook at microsoftpressstore.com: use code CYBERCRIME during checkout to apply the discount. Offer expires November 3, 2018.