John-Luke Peck This presentation will review in hindsight and retrospect several recent incident response engagements performed over the last 12 months by a 3rd-party (non-Microsoft affiliated) security and incident response services provider. During the talk the presenter will review what went well and what did not go well during the various engagements, with a particular focus on the data, services , and support available from Microsoft & Office365/AzureAD, and how they were and were not able to be leveraged during the various engagements. This will include a focus on areas where: * Necessary data was not available because the client had not taken, or were unaware of the need to take, steps to enable collection of the data * The data & services available were successfully used during response efforts The presentation will highlight: * Lessons learned about Office365/AzureAD and Incident Response * How Office365, AzureAD, and ATP services and data were used in the response efforts * Recommendations for Office365/AzureAD tenants to improve their security & IR capabilities /before/ an incident occurs All presented examples and incidents will be de-identified to maintain and protect privacy and operational security. What this is NOT: * A service provider's sales presentation

2. JOHN-LUKE PECK, CISM MCTS MCSA
DEPUTY CISO, LEAD CONSULTANT
CI SECURITY
HTTPS://CI.SECURITY
EMAIL: JLP@CI.SECURITY
Autopsies of Recent
DFIR Investigations
(By a 3rd party IR service provider)

3. $whoami
Today:
> Deputy CISO and Lead Consultant for CI Security
> International Professional Services / Managed Detection Services Provider
> Enterprise Risk Management & IR Consultant
> Support CISO and manage/audit internal controls
Previously:
> Infrastructure Engineer & Consultant (AD, Exchange, VMWare, Layer 2)
> High Performance Computing (SuperComputers)
> IT Management
> Information Security Program Management

4. Where We’re Going Today
> Reviewing 3 Incidents
> What went well, What went less well
> How IR & Forensics are changing
> Names have been changed to protect the innocent
> Incident details have been ‘blended’ into anonymized amalgams
> All actually occurred.

5. Who here….
• Is part of or support/work with Incident Response team(s)
• Use Office365 or Azure as “prod”
• Works on Office365, Azure, or ATP

6. Incident 1
Stargazer Foods
Austin, TX
Nationwide snack food mfgr
Office365 & On-prem AD
Business dependent on IoT
Heavy Field Sales Users

7. > Antivirus alert for cryptominer apps on a Sales Exec’s laptop
> Client wants a forensic analysis to know the extent of impact
Incident 1: Stargazer Foods
> CI Forensics team on-site for imaging.
> But before that…Client took Containment steps!
✓ Disconnected from the network
✓ Left powered up
✓ Unjoined the laptop from the domain
✓ Didn’t touch it otherwise
Risks!
• Data access/compromise
• Ransomware
• Remote access tools
• Malware which reaches IoT
Environment
• Policy/legal violations

8. > Client took containment steps!
◦ Disconnected from the network
◦ Left powered up
◦ Unjoined the laptop from the domain
◦ Didn’t touch it otherwise.
> Client believed they were taking prudent containment measures
> Reasonable conclusion
> This wasn’t a client failure
….this was my process failure.

10. Incident 1: Stargazer Foods
> Image the laptop
> Start the forensic analysis
> Analysis tool ingests/indexes files, size info
> Little to no readable data for review
…drive is partially encrypted!

11. > Second verse, same as the first…
> Back on-site, re-image laptop
> Image can be read an analyzed!
(Success! Phase 2…)
Incident 1: Stargazer Foods
> Traditional disk image analysis process
> Clearly discovered cryptominers and other badness
> Sent report, held Retrospective review, applied process changes

12. Incident 1 Review
Affected System Investigation/Analysis Methods Result
Laptop (Windows)
Disk Imaging Challenges with FDE
Automated ingestion/indexing Challenges with FDE
Manual data analysis & conclusions Found the flag!
> Successful project
> Overcame technical & process issues
>> Same forensic process for >= ~20 years?

13. Incident 2:
Farragut Realtors
Durham, North Carolina
• Private Real Estate & Property Mgmt corp
• All Office365 & Windows/Mac endpoints
• Small number of admin staff
• Lots of field reps/agents
• Lots of Finance data (escrow payments, bank info)

14. Incident 2: Farragut Realtors, Durham NC
Amanda got Phished.
Amanda didn’t know she got phished.
Amanda figured out she got phished when sending
• A wire transfer for the 3rd time
• To the 2nd new bank account
• for a single customer
“something seemed not right.”

15. Client’s Own Investigation:
• Found spoofed BEC emails using Amanda@Farragut.com
• Verified the named senders had NOT sent the messages
• Found a “tell”, a signature trait in the emails
“Kindly,
Amanda“
(Amanda doesn’t sign her emails that way)
Incident 2: Farragut Realtors, Durham NC

16. By the time we arrived:
• Had a paper trail of evidence
• Spoofed/BEC Emails
• Faked Documents
• Wire Xfer Forms
• Had stopped transfers-in-progress
Incident 2: Farragut Realtors, Durham NC

17. By the time we arrived:
• Had reset bank passwords
• Turned on Bank MFA
• Had started resetting O365 passwords
The emails were still coming from inside the house…
Incident 2: Farragut Realtors, Durham NC

18. Incident 2: Farragut Realtors, Durham NC

21. The Story So Far:
• One account compromised
• Multiple remote sessions & locations
• Persistence beyond password resets
Incident 2: Farragut Realtors, Durham NC

22. Risks:
• Targeted malware sent through email
• Remote Access Tools on endpoints?
• Potential loss of financial & customer records
• Possible attacker persistence?
Incident 2: Farragut Realtors, Durham NC

23. Incident 2: Farragut Realtors, Durham NC

24. Incident 2: Farragut Realtors, Durham NC

25. Incident 2: Farragut Realtors, Durham NC
By submitting your file to VirusTotal you are asking VirusTotal
to share your submission with the security community

27. • Defender ATP Team confirmed no malware
• Just Business Email Compromise & Fraud

28. Incident 2: Farragut Realtors, Durham NC
Remediation!
#1: Dump all active sessions
#2: Reset passwords
#3: MFA - Not just a good idea. It’s a GREAT idea.

29. Incident 2: Farragut Realtors, Durham NC
Additional Remediation
• Conditional access policies – limit O365 logins to US
• Scanned all endpoints
• Monitor AzureAD for further atypical logins
After a few months of followup monitoring,
all clear.

30. Incident 2 Review
Affected System Investigation/Analysis Methods Result
Office 365
(Phishing / BEC)
Message Tracing / Mail Flow Logs Some data available, some not
AzureAD/Office365 Audit Logs Found multiple flags! On multiple continents!
Email sample analysis Confirmed no malware
Remediation
• Confirm no malware (email or on endpoints)
• Boot the bad actors
• Implement technical controls (MFA, Conditional Access)

31. Incident 3
SKYHEART UNIVERSITY

32. Incident 3: SkyHeart University, Albany NY
• Private university phishing “event” in O365
• Needed followup investigation
• Wanted 3rd Party validation that no malware/ransomware remained in Prod
• SkyHeart also self-host Prod datacenter
• 800 Windows servers

33. Incident 3: SkyHeart University, Albany NY
• How to reliably scan 800 servers
• In active production (No downtime possible)
• Without reinventing the wheel

34. Incident 3: SkyHeart University, Albany NY
We could…
• Script a no-install AV agent, output to .txt, run the
package by GPO or remote-push, collect output
• Work with Pen-Testing Team, “How would YOU
pwn this network” threat model/TTE

35. Incident 2: SkyHeart University, Albany NY

39. Incident 3 Review
Affected System Investigation/Analysis Methods Result
800 On-Prem
Windows Servers
Pushed AV client & output analysis Not viable – heavy lift, would require reboots
Threat-model logic-bomb scenarios Not comprehensive, could easily miss a targeted attack
DefenderATP Threat Hunting Confirmed no malware
Travel to physical site Not required
• This is the direction IR is turning towards
• Azure, AWS, Google Cloud, SalesForce, Cloud SIEM…
• Data-centric event analysis
• vs. forensic imaging & offline manual analysis

40. • Easy to deploy
• High-integrity log collection/archival systems
• Vs SysLog txt files on a file server
• Log evidence is preserved
• Clients don’t need to manage a multi-DB SIEM
• Can bolt onto existing systems
• Doesn’t need Yet Another Endpoint Agent
IR Data Shift – PROS!

41. • Differences in systems, platforms, log types & available data
• Data can be hard to extract
IR Data Shift – CONS!

42. • Requires setup of complex technical controls
• SMB’s don’t know
what they don’t know
IR Data Shift – CONS!

44. > Client had learned about ATP
> Had set up domain-level protections
> Email filtering, Safe Links, etc.
➢Did NOT know about Defender ATP Endpoint Security!
Followup: Stargazer Foods

45. > CI demo’d the ATP platform
Followup: Stargazer Foods

46. Followup: Stargazer Foods

47. THANK YOU
BLUEHAT!
John-Luke Peck, CISM MCTS MCSA
Deputy CISO, Lead Consultant
CI Security
https://ci.security
Email: jlp@ci.security