Ad
More Related Content
What's hot (20)
Similar to ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Sentinel using Sysmon and MITRE ATT&CK (20)
Ad
More from CloudVillage (11)
Ad
Recently uploaded (20)
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Sentinel using Sysmon and MITRE ATT&CK
- 1. ATT&CKing the Sentinel Deploying a threat hunting capability on Azure Sentinel using Sysmon and MITRE ATT&CK
- 2. Hi there! e Edoardo Gerosa Vigilant Service Lead @ Deloitte AG Consulted at banks, pharmaceuticals and tech companies @netevert github.com/netevert [email protected] Olaf Hartong Blue Team Specialist Leader @ Deloitte NL Consulted at banks, educational institutions and governmental organisations @olafhartong github.com/olafhartong [email protected]
- 3. Before we start e • DISCLAIMER: The tool presented is not a magic bullet. It will require tuning and real investigative work to be truly effective in your environment • Sentinel is still in public preview … much will change in the coming year • Although we will talk about limitations of Sentinel in a threat hunting context, Microsoft has been proactive in reaching out to us to collect feedback … credit where due • We are not Azure Sentinel experts, we likely cannot answer all questions about the platform itself
- 4. What are we talking about We’d like to share a tale of discovery and experimentation… (which began with a misunderstanding)
- 5. What are we talking about …that ended in yet another GitHub project Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel Why? • The Endpoint is often used as an entry point into a network, whether it lives in the cloud or on-prem • Endpoint Detection & Remediation (EDR) solutions are great, however often quite costly • There is an alternative approach to the detection aspect, using an adversarial framework • It allows you to leverage a data platform that is easy to deploy and, out of the box, quite powerful
- 6. Project background Sentinel-ATT&CK borrows ideas from successful threat hunting projects • A Sysmon configuration repository, set up in a modular fashion for easy maintenance • Helps generate tailored configurations • Mapped to the MITRE ATT&CK framework • Frequently updated based on threat reports or new attacker techniques • Splunk App providing an investigative workflow approach for Threat Hunters • Based on ML (Mandatory Learning) to help hunters to get to know their environment • No false positives are assumed, just triggers • Supplies the user with tools to contextualise and investigate these events
- 7. MITRE ATT&CK A lightning overview “ A framework for describing the behaviour of cyber adversaries operating within enterprise networks ” • Comprehensive library of "what to look for" • Threat model & framework • Library of attacker activity (TTPs) covering 245 techniques ➢ Windows: 211 ➢ Linux: 126 ➢ Mac: 145 Found @ https://attack.mitre.org
- 8. Sysmon Another lightning overview • Sysmon is a free, powerful host-level tracing tool, developed by a small team of Microsoft employees • Initially developed for internal use at Microsoft • Sysmon uses a device driver and a service that runs in the background and loads early in the boot process • Monitors 22 events ranging from process creation, file timestamp changes, network connections, registry events and DNS events
- 9. Why combine ATT&CK and Sysmon 12 ATT&CK data sources can be collected with Sysmon
- 10. Project background Armed with these ideas we began experimenting (with not a lot of success) BEEP! BEEP! BEEP!
- 11. The platform First impressions Super fast deployment … goodbye 4-month SIEM implementation projects
- 12. The platform Azure Sentinel contains a number of excellent features 1. An easy-to-use query language • Kusto Query Language (KQL) • Read only • Used to access and query log analytics workspaces via API or Web App 2. Incident grouping • Grouping over time periods (default 24h) • Incident grouping by case with Sentinel Fusion to reduce alert fatigue • Ability to bake your own organisation’s machine learning models 3. Threat response automation with Logic Apps • Large amount of connectors (SNOW, Jira, Outlook, AD etc.) • Ability to develop custom connectors • Easy to use playbook designer
- 13. The problem Setting up an ATT&CK-based hunting capability in not straightforward Two aspects currently stand in the way: 1. Limited log onboarding documentation, with Sysmon/Operational logs currently being hidden
- 14. The problem Setting up an ATT&CK-based hunting capability in not straightforward 2. By default Sysmon log data is unparsed and presented as XML … a parser is provided by Microsoft, but does not map to a datamodel s
- 15. Other observations Overview of additional observations made while experimenting Additionally we identified the following two ATT&CK-specific gaps: • No available dashboards leveraging ATT&CK • No ATT&CK-based threat hunting notebooks Other observations: • Limited documentation • Some features are (for the moment) hidden, like automated playbook execution and case grouping • Advanced hunting features require some advanced skills (Python, Jupyter and data science modules) • Inability to bulk import detection rules, it’s a highly manual process • IAM controls not available (yet), anybody added to the workspace can access everything • Cannot drill down from dashboards
- 16. The solution Do it yourself! An overview of the repository – found @ https://github.com/BlueTeamToolkit/sentinel-attack - PRs welcome!
- 17. Sysmon configuration Sysmon can be configured to monitor for specific ATT&CK techniques An XML configuration file is provided to configure Sysmon to collect specific ATT&CK technique data The configuration file is easily installed with the command: “sysmon –c sysmonconfig.xml”
- 18. Sysmon parsing in Sentinel How to parse Sysmon logs in Sentinel Sentinel-ATT&CK provides a dedicated parser that maps log fields against the OSSEM log standard, found @ https://github.com/Cyb3rWard0g/OSSEM
- 19. Kusto karate Using Kusto to execute precise hunts • The repository provides 120 Kusto detection/hunting queries covering 156 ATT&CK techniques • The combination of ATT&CK, Sysmon and the parser makes it possible to execute very clear and legible hunting queries … taking you from this:
- 20. Kusto karate Using Kusto to execute precise hunts … to this:
- 21. Threat hunting dashboard Providing ATT&CK telemetry across the network The repository also provides an ATT&CK-based, threat hunting dashboard, that has the following features: • Easily importable through a JSON file • Provides ATT&CK data overviews over different timespans • Shows the number of techniques executed mapped to the killchain • Provides an overview of machines affected • Shows the top ATT&CK techniques and commands executed • Provides a time chart of ATT&CK techniques executed over time
- 22. Guidance You’re not left alone More importantly sentinel-ATT&CK provides comprehensive guidance on how to install and leverage all features discussed … and we plan to add more! … we also write on Medium!
- 23. Let’s see it! A lightning look at the platform We'll showcase a live instance of Sentinel ATT&CK deployed on our Azure lab to • Walk through the repository and dashboard • Walk through the threat hunting Jupyter notebook
- 24. Q&A Some questions to get started: • Who has used Sentinel and what is their opinion of the platform? • Who uses Sysmon as a process monitoring solution in their network and what is their opinion of the tool? • What are some of the response activities that could be performed with Sentinel on compromised virtual machines, especially considering the in-built SOAR capabilities of the platform?
- 25. IT’S OVER! Thank you all for your attention, come talk to us! Thank you for this amazing opportunity!