SecOps and Incident Response with Azure Advanced Threat Protection
Дмитрий Узлов, «ТЕХНОПОЛИС» company
THE DAILY NEWS
Attack shuts down xxxxxx organization for 2 days. Investigation determined that the threat actor was present on the network for over 5 months. Wrecking ball malware was used to distract the victim and response teams from the main attack. Data sources indicate dozens of other institutions may be similarly impacted.
Timeline
1. Day 1: Attackers successfully target Patient Zero with backdoor malware.
2. Day 84 – 129 (LATERAL MOVEMENT): Moves laterally through the network; obtains privileged credentials and accesses sensitive systems.
3. Day 134 (EXFILTRATE DATA): Threat actor executes fraudulent transfers of funds.
4. Day 135 (DOMAIN DOMINANCE): Uses remote code execution from a local machine to a domain controller, gaining domain admin accounts.
5. Day 135 (DENIAL OF ACCESS): After the customer detects the fraudulent transactions, wrecking ball malware is delivered. Operations are brought to a halt!
Identities: Users and Admins
Endpoints: Devices and Sensors
User Data: Email messages and documents
Cloud Apps: SaaS Applications and Data Stores
Infrastructure: Servers, Virtual Machines, Databases, Networks
Maximize Detection
Azure AD Identity Protection: Identity protection & conditional access
Cloud App Security: Extends protection & conditional access to other cloud apps
Azure ATP: Identity protection on-premises (see following slides)
Attack chain covered: Brute force account or use stolen account credentials; Phishing mail attachment; User opens attachment or clicks on a URL; User browses to a website; Exploitation & Installation; Command & Control; User account is compromised; Attacker attempts lateral movement; Privileged account compromised; Domain compromised; Attacker accesses sensitive data; Exfiltrate data
Azure ATP: Detect and investigate advanced attacks, compromised identities, and insider threats
Azure Advanced Threat Protection
Detect threats fast with Behavioral Analytics
Focus on what is important using the attack timeline
Reduce the fatigue of false positives
Protect at scale with the power of the cloud
Best-in-class security powered by the Intelligent Security Graph
Detections by attack phase
Reconnaissance: Account enumeration; Users group membership enumeration; Users & IP address enumeration; Hosts & server name enumeration (DNS)
Compromised Credential: Brute force attempts; Suspicious VPN connection; Suspicious groups membership modifications; Honey Token account suspicious activities
Lateral Movement: Pass-the-Ticket; Pass-the-Hash; Overpass-the-Hash
Domain Dominance: Golden ticket attack; DCShadow; Skeleton Key; Remote code execution on DC; Service creation on DC
How Azure ATP works
MONITOR: users, devices, user data and behavior, collected from organizational domain controllers
DETECT, ANALYZE & ALERT: Azure ATP, backed by the Intelligent Security Graph
INVESTIGATE ACTIVITIES AND RESPOND