6. Simplified Kill Chain
Full kill chain: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command and Control, Actions on the Objective
Simplified kill chain: Reconnaissance, Delivery, Exploitation, Command & Control, Actions on Objective
[Diagram: attack techniques mapped onto the simplified kill chain phases. Techniques shown: Pretexting; Social engineering; Error, neglect; Partner/vendor; Identity spoofing; Phishing; Malicious software download; Malicious code; Elevation of privilege; Man-in-the-middle; Memory hijacking or corruption; External media; Cross-site scripting attack; Waterhole; Spamming; Content spoofing; Brute force; Authentication bypass; Code injection; Code signing and signature attacks; Network tampering; Physical device attack; Public vulnerability; Routing attacks; SQL injection; Use compromised credential; Web application attack; Zero-day vulnerability; Denial of service; Leak/exfiltrate data; Defacement; Move laterally; C2 - backdoor or control channel; Controls evasion; Authentication store attack; Cryptanalysis; Denial of access; Scanning; Remote access/control; Monitoring and interception; Code inclusion]
7. Cloud attacks kill chain
• Inbound brute-force RDP, SSH, SQL attacks and more
• Suspicious process execution
• Using compromised resources to mount additional attacks (outbound port scanning, brute-force RDP/SSH attacks, DDoS, and spam)
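The chain on this slide, as an added example that is not part of the original deck and not Azure Security Center code: detection logic for stage one (inbound brute force: many failed logons from one source, then a success) and stage three (the compromised host used to port-scan a peer), plus the correlation that ties the pivot back to the entry point. Thresholds (5 failures in 5 minutes, 20 distinct ports in 5 minutes), host names, IPs and the log records are all constructed for the example.

```python
"""Added example (not from the slides or Azure Security Center): detection
logic for the cloud attack chain, run over constructed log records.
Stage 1, inbound brute force: many failed logons from one source IP
against one host, then a success.  Stage 3, compromised resource used to
attack others: one host touching many distinct ports on a peer.
Thresholds and sample data are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    target: str      # host that received the logon attempt
    user: str
    success: bool


@dataclass(frozen=True)
class FlowEvent:
    ts: datetime
    src_host: str
    dst_ip: str
    dst_port: int


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return (ts, src_ip, target, user, failures) for each successful logon
    preceded by >= threshold failures from the same src_ip against the
    same target inside a sliding `window`."""
    failures = defaultdict(list)          # (src_ip, target) -> failure times
    hits = []
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.src_ip, e.target)
        failures[key] = [t for t in failures[key] if e.ts - t <= window]
        if not e.success:
            failures[key].append(e.ts)
        elif len(failures[key]) >= threshold:
            hits.append((e.ts, e.src_ip, e.target, e.user, len(failures[key])))
            failures[key].clear()
    return hits


def detect_outbound_scan(flows, port_threshold=20, window=timedelta(minutes=5)):
    """Return (first_ts, src_host, dst_ip, distinct_ports) for each pair where
    >= port_threshold distinct destination ports were touched within `window`."""
    recent = defaultdict(list)            # (src_host, dst_ip) -> [(ts, port)]
    best = {}
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.src_host, f.dst_ip)
        recent[key] = [(t, p) for t, p in recent[key] if f.ts - t <= window]
        recent[key].append((f.ts, f.dst_port))
        n = len({p for _, p in recent[key]})
        if n >= port_threshold and n > best.get(key, (None, 0))[1]:
            best[key] = (recent[key][0][0], n)
    return [(ts, h, d, n) for (h, d), (ts, n) in best.items()]


def correlate(auth_events, flows):
    """Link a brute-force success on host H to later scanning *from* H: the
    signature of a compromised resource being used to mount further attacks."""
    compromised = {target: (ts, src_ip)
                   for ts, src_ip, target, _, _ in detect_brute_force(auth_events)}
    chain = []
    for scan_ts, src_host, dst_ip, n in detect_outbound_scan(flows):
        if src_host in compromised and scan_ts >= compromised[src_host][0]:
            chain.append({"entry_ip": compromised[src_host][1], "pivot_host": src_host,
                          "scanned": dst_ip, "ports": n})
    return chain


def build_sample_events():
    """Constructed records: 203.0.113.5 fails RDP logon as 'administrator'
    against vm-web-01 six times and then succeeds; vm-web-01 then probes 25
    ports on 10.0.0.7.  Benign noise: one mistyped password by 'alice' and
    vm-db-02 repeatedly talking to a single port on 10.0.0.5."""
    t0 = datetime(2018, 10, 11, 9, 50)
    auth = [AuthEvent(t0 + timedelta(seconds=20 * i), "203.0.113.5",
                      "vm-web-01", "administrator", False) for i in range(6)]
    auth.append(AuthEvent(t0 + timedelta(minutes=3), "203.0.113.5",
                          "vm-web-01", "administrator", True))
    auth.append(AuthEvent(t0, "10.0.0.22", "vm-db-02", "alice", False))
    auth.append(AuthEvent(t0 + timedelta(seconds=30), "10.0.0.22", "vm-db-02", "alice", True))
    flows = [FlowEvent(t0 + timedelta(minutes=10, seconds=i), "vm-web-01", "10.0.0.7", 1 + i)
             for i in range(25)]
    flows += [FlowEvent(t0 + timedelta(minutes=10, seconds=i), "vm-db-02", "10.0.0.5", 443)
              for i in range(30)]
    return auth, flows


if __name__ == "__main__":
    auth, flows = build_sample_events()
    for hit in correlate(auth, flows):
        print(hit)
```

The brute-force detector only fires on a *success* after the failures, which is the event worth an analyst's time; a pure failure count belongs in a lower-priority signal. The scan detector reports the largest distinct-port count seen in any window for a pair, so a slow scan that never reaches the threshold in one window is missed, which is the usual trade-off against alerting on every chatty client.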
10. YOUR SECURITY POSTURE
• using targeted signals, behavioral monitoring, and machine learning
• closing the gap between discovery and action
• across all endpoints, from sensors to the datacenter
11. www.hackerhalted.com
Advanced Cyber Defense / Operational Security / Platform Security
• Prevent & Assume Breach Strategy
• Security Monitoring and Analytics
• Cyber Defense Operations Center
• Access Policy & Controls
• Security Development Lifecycle (SDL)
• Operations Security Assurance (OSA)
• Patching
• Antimalware
• Vulnerability Scanning
• Datacenter Security
• Secure Multi-tenancy
• Network Protection
• Data Encryption and Key Management
15. How can ASC help the SOC?
Initial triage
• Verify security alerts / security incidents
• Perform initial investigation
• Investigation dashboard and hunting
• Third-tier escalation for cases that are not solved with ASC
• More artifacts to hunt, since the data comes from multiple sources within the organization
• Incident reported
• Document the scope
• Perform initial troubleshooting to isolate the cause (support or security)
16. How can ASC help the SOC?
• On-premises servers
• Network devices
• Primary investigation across all data sources
• Security posture
• On-demand investigations for IaaS
18. Alert processing flow: Normalize the data → Evaluate the type of activity → Apply false-positive and suppression techniques → Evaluation result → Alert
22. ASC scans process memory to identify evidence of exploitation and malicious code
Detect malicious code in memory with automated memory forensic techniques.
ASC sends an alert with rich context for alert triage, correlation, and investigation. Includes (as applicable):
• Machine, user and process details
• In-memory payload capabilities and function calls
• Shellcode location and contents
• Related suspicious threads
• Active network connections
23. Get prioritized security alerts
Details about detected threats and recommendations
Incident contextual awareness: alerts that conform to kill chain patterns are fused into a single incident
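The processing flow of slide 18 and the kill-chain fusion of slide 23, as one added example that is not part of the original deck and not Azure Security Center code: raw alerts from two sources are normalised into one schema, known false positives are suppressed, and the surviving alerts on one host whose kill-chain stages line up in order are fused into a single incident. The two source schemas, the alert names, their mapping to kill-chain stages, the suppression rules and the sample records are all constructed for the example.

```python
"""Added example (not Azure Security Center code): a miniature alert
pipeline: normalise -> suppress -> fuse into kill-chain incidents.
Source schemas, alert names, stage mapping and records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

STAGES = ["reconnaissance", "delivery", "exploitation", "installation",
          "command_and_control", "actions_on_objective"]

# Constructed mapping from normalised alert name to kill-chain stage.
STAGE_OF = {
    "inbound rdp brute force": "delivery",
    "shellcode in process memory": "exploitation",
    "suspicious process execution": "installation",
    "beaconing to known c2 domain": "command_and_control",
    "outbound port scan": "actions_on_objective",
}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str          # short, lower-case host name
    name: str          # lower-case alert name
    severity: str      # "low" | "medium" | "high"
    source: str
    user: str = ""
    src_ip: str = ""

    @property
    def stage(self):
        return STAGE_OF.get(self.name, "unknown")


def normalize(raw, source):
    """Map one raw record onto the Alert schema.  Each (constructed) source
    has its own field names, host-name form and severity encoding."""
    if source == "memory_scan":
        return Alert(ts=datetime.fromisoformat(raw["time"]),
                     host=raw["host"].split(".")[0].lower(),
                     name=raw["AlertName"].lower(), severity=raw["Severity"].lower(),
                     source=source, user=raw["Account"].lower())
    if source == "network":
        return Alert(ts=datetime.strptime(raw["ts"], "%d/%m/%Y %H:%M:%S"),
                     host=raw["ComputerName"].split(".")[0].lower(),
                     name=raw["name"].lower(),
                     severity={1: "low", 2: "medium", 3: "high"}[raw["severity"]],
                     source=source, src_ip=raw.get("srcip", ""))
    raise ValueError(f"unknown source {source!r}")


def apply_suppression(alerts, rules):
    """rules: list of (reason, predicate).  Returns (kept, [(alert, reason)])."""
    kept, suppressed = [], []
    for a in alerts:
        reason = next((r for r, pred in rules if pred(a)), None)
        (suppressed.append((a, reason)) if reason else kept.append(a))
    return kept, suppressed


@dataclass
class Incident:
    host: str
    alerts: list

    @property
    def stages(self):
        return sorted({a.stage for a in self.alerts}, key=STAGES.index)


def fuse_into_incidents(alerts, window=timedelta(hours=1)):
    """Per host, walk alerts in time order and extend a run while each alert
    is within `window` of the previous one and its stage does not go
    backwards.  A run covering >= 2 distinct stages becomes one incident;
    everything else stays a stand-alone alert."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[a.host].append(a)
    incidents, standalone = [], []

    def flush(run):
        if len({a.stage for a in run}) >= 2:
            incidents.append(Incident(run[0].host, list(run)))
        else:
            standalone.extend(run)

    for group in by_host.values():
        run = []
        for a in group:
            if a.stage not in STAGES:            # unmapped alert: never fused
                if run:
                    flush(run)
                    run = []
                standalone.append(a)
                continue
            if run and (a.ts - run[-1].ts > window
                        or STAGES.index(a.stage) < STAGES.index(run[-1].stage)):
                flush(run)
                run = []
            run.append(a)
        if run:
            flush(run)
    return incidents, standalone


def run_pipeline(authorized_scanner_ips=frozenset({"10.0.5.9"})):
    """Constructed raw alerts from two sources pushed through the pipeline."""
    raw = {
        "memory_scan": [
            {"time": "2018-10-11T10:02:00", "host": "VM-WEB-01.corp.local",
             "Account": "CORP\\svc-web", "AlertName": "Shellcode in process memory",
             "Severity": "High"},
            {"time": "2018-10-11T10:30:00", "host": "VM-DB-02", "Account": "CORP\\dba",
             "AlertName": "Shellcode in process memory", "Severity": "Low"},
        ],
        "network": [
            {"ComputerName": "vm-web-01", "ts": "11/10/2018 09:55:00",
             "name": "Inbound RDP brute force", "severity": 2, "srcip": "203.0.113.5"},
            {"ComputerName": "vm-web-01", "ts": "11/10/2018 10:20:00",
             "name": "Beaconing to known C2 domain", "severity": 3},
            {"ComputerName": "vm-db-02", "ts": "11/10/2018 08:00:00",
             "name": "Inbound RDP brute force", "severity": 2, "srcip": "10.0.5.9"},
            {"ComputerName": "vm-app-03", "ts": "11/10/2018 11:00:00",
             "name": "Outbound port scan", "severity": 2},
        ],
    }
    alerts = [normalize(r, src) for src, recs in raw.items() for r in recs]
    rules = [("authorised scanner", lambda a: a.src_ip in authorized_scanner_ips),
             ("low severity", lambda a: a.severity == "low")]
    kept, suppressed = apply_suppression(alerts, rules)
    incidents, standalone = fuse_into_incidents(kept)
    return incidents, standalone, suppressed
```

On the constructed data, the brute force, in-memory shellcode and C2 beaconing on vm-web-01 fuse into one incident spanning delivery, exploitation and command-and-control, while the lone port scan on vm-app-03 stays a single alert and the two suppressed records never reach the analyst. Suppression runs before fusion on purpose: a suppressed alert must not be allowed to complete a kill-chain pattern.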
27. Quickly assess the scope and impact of an attack
Interactive experience to explore links across alerts, computers and users
Use predefined or ad hoc queries for deeper examination
29. Windows Defender ATP Integration
• Windows Defender Advanced Threat Protection (WDATP) is now integrated into Security Center for a centralized view of detected threats on devices and virtual machines. Microsoft's vast threat intelligence enables WDATP to identify and notify you of attackers' tools and techniques, so you can understand threats and respond.
• WDATP is automatically enabled for Azure and on-premises Windows Servers that have onboarded to Security Center.
30. Search and analyze security data using a flexible query language
Use built-in or custom queries with Log Analytics search
31. Threat Intelligence
To build this threat intelligence, Security Center uses data that comes from multiple sources within Microsoft. Security Center uses this data to identify potential threats against your environment.