1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,360
where we discuss topics relating to security, privacy,

3
00:00:09,360 --> 00:00:13,760
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,760 --> 00:00:17,320
Hey everybody, welcome to episode 56.

5
00:00:17,320 --> 00:00:18,600
This week is another light week,

6
00:00:18,600 --> 00:00:20,920
it's only myself, Gladys,

7
00:00:20,920 --> 00:00:24,200
and Mark and Sarah are all on vacation.

8
00:00:24,200 --> 00:00:25,520
But this week, we also have a guest,

9
00:00:25,520 --> 00:00:27,900
Michael Melone, who's here to talk to us about

10
00:00:27,900 --> 00:00:30,360
Microsoft Defender Advanced Hunting.

11
00:00:30,360 --> 00:00:31,800
Before we get to Michael though,

12
00:00:31,800 --> 00:00:33,840
I do have a few little news items.

13
00:00:33,840 --> 00:00:38,760
Azure Advisor for MySQL has now just gone in preview,

14
00:00:38,760 --> 00:00:43,160
and it allows for basically Azure Analysis,

15
00:00:43,160 --> 00:00:45,240
giving you things like performance tips,

16
00:00:45,240 --> 00:00:46,960
and giving you security ideas,

17
00:00:46,960 --> 00:00:49,640
and just some advisory notes about

18
00:00:49,640 --> 00:00:52,120
securing and improving the cost efficiency,

19
00:00:52,120 --> 00:00:53,680
and the efficiency in general of

20
00:00:53,680 --> 00:00:56,120
your products in this case, MySQL.

21
00:00:56,120 --> 00:00:58,760
We've now also added the ability to

22
00:00:58,760 --> 00:01:01,120
support custom certificate authorities

23
00:01:01,120 --> 00:01:03,320
in Azure Kubernetes Service, AKS.

24
00:01:03,320 --> 00:01:04,680
This is really cool because that way,

25
00:01:04,680 --> 00:01:07,800
if you decide to create your own certificate authority,

26
00:01:07,800 --> 00:01:10,320
you can now install your own root certificates in there,

27
00:01:10,320 --> 00:01:12,640
and then use them just as you would do.

28
00:01:12,640 --> 00:01:14,560
Say, I don't know, GoDaddy or

29
00:01:14,560 --> 00:01:15,800
a VeriSign root certificate.

30
00:01:15,800 --> 00:01:17,320
So that's another nice thing to see,

31
00:01:17,320 --> 00:01:19,400
and I know a lot of customers have been asking for that.

32
00:01:19,400 --> 00:01:21,920
Azure Application Gateway now supports

33
00:01:21,920 --> 00:01:23,600
private link that's in preview.

34
00:01:23,600 --> 00:01:25,400
I've talked about private link,

35
00:01:25,400 --> 00:01:27,320
I think just about every single podcast.

36
00:01:27,320 --> 00:01:29,160
More and more PaaS services are

37
00:01:29,160 --> 00:01:31,280
supporting private links so that way you can have

38
00:01:31,280 --> 00:01:33,480
private IP addresses, private DNS names,

39
00:01:33,480 --> 00:01:35,800
and essentially having traffic flow between

40
00:01:35,800 --> 00:01:39,800
two PaaS services without going over the public internet.

41
00:01:39,800 --> 00:01:42,360
So that is Azure Application Gateway.

42
00:01:42,360 --> 00:01:44,280
We now also have in public preview,

43
00:01:44,280 --> 00:01:47,080
continuous backup enhancements in Azure Cosmos DB.

44
00:01:47,080 --> 00:01:50,360
I don't pretend to be an expert in backing up Azure Cosmos DB,

45
00:01:50,360 --> 00:01:54,400
but having some enhancement there is probably a good thing.

46
00:01:54,400 --> 00:01:58,360
We've also now added to API management,

47
00:01:58,360 --> 00:01:59,760
content security policy,

48
00:01:59,760 --> 00:02:01,840
and CORS configuration support.

49
00:02:01,840 --> 00:02:04,840
So CORS is cross-origin resource sharing.

50
00:02:04,840 --> 00:02:08,560
It is a critically important defense in browsers.

51
00:02:08,560 --> 00:02:13,200
It allows you to share resources across

52
00:02:13,200 --> 00:02:17,080
domains without violating the browser security policy.

53
00:02:17,080 --> 00:02:18,920
You got to be very careful there though.

54
00:02:18,920 --> 00:02:21,920
Don't go putting a star as that wild card to say,

55
00:02:21,920 --> 00:02:24,120
I support absolutely everything from absolutely everywhere.

56
00:02:24,120 --> 00:02:26,360
That defeats the whole purpose of course,

57
00:02:26,360 --> 00:02:28,440
but it's great to see that because now you can actually

58
00:02:28,440 --> 00:02:30,960
set it both in the actual portal

59
00:02:30,960 --> 00:02:33,400
and you can also do it declaratively.

60
00:02:33,400 --> 00:02:35,800
So that's the news that I've got this week.

61
00:02:35,800 --> 00:02:37,880
Let's turn our attention to our guest.

62
00:02:37,880 --> 00:02:40,160
This week, as I mentioned, we have Michael Melone,

63
00:02:40,160 --> 00:02:42,520
who's here to talk to us about Microsoft Defender,

64
00:02:42,520 --> 00:02:44,480
Advanced Hunting, and KQL.

65
00:02:44,480 --> 00:02:46,320
Michael, welcome to the podcast.

66
00:02:46,320 --> 00:02:48,920
Would you care to take a moment and give our listeners

67
00:02:48,920 --> 00:02:51,440
a little bit of background on who you are and what you do?

68
00:02:51,440 --> 00:02:53,080
Thanks for having me, Michael.

69
00:02:53,080 --> 00:02:56,000
So yeah, I'm currently on the Defender 365

70
00:02:56,000 --> 00:02:57,080
customer experience team.

71
00:02:57,080 --> 00:02:59,400
So I work helping large customers on board

72
00:02:59,400 --> 00:03:03,240
and operationalize the Microsoft 365 Defender XDR Suite.

73
00:03:03,240 --> 00:03:06,320
So XDR is an expanded detection and response capability

74
00:03:06,320 --> 00:03:09,280
that helps customers find suspicious

75
00:03:09,280 --> 00:03:11,000
and malicious activities at their enterprise.

76
00:03:11,000 --> 00:03:12,440
It's kind of like an upgrade, if you will,

77
00:03:12,440 --> 00:03:15,000
from a traditional antivirus.

78
00:03:15,000 --> 00:03:16,600
Prior to being on this team though,

79
00:03:16,600 --> 00:03:19,320
I spent about seven and a half years with Microsoft DART.

80
00:03:19,320 --> 00:03:22,480
So essentially what we would do is we would go investigate,

81
00:03:22,480 --> 00:03:26,040
determine human adversary or human operated type attacks.

82
00:03:26,040 --> 00:03:27,880
So when you had a human at the other side of the keyboard,

83
00:03:27,880 --> 00:03:30,800
it's not just purely a malware problem, if you will.

84
00:03:30,800 --> 00:03:32,800
And actually, I heard you had a new book coming out

85
00:03:32,800 --> 00:03:34,320
on Azure Security, Michael.

86
00:03:34,320 --> 00:03:36,760
Yeah, I've been talking a little bit about that.

87
00:03:36,760 --> 00:03:39,680
I'm not kidding, we're actually literally four or five pages

88
00:03:39,680 --> 00:03:41,440
away from actually having the drafts completed.

89
00:03:41,440 --> 00:03:43,600
So we're really excited for that.

90
00:03:43,600 --> 00:03:45,160
It should be out in November.

91
00:03:45,160 --> 00:03:48,240
And it's designing and developing secure Azure solutions.

92
00:03:48,240 --> 00:03:50,640
Yeah, I actually just put out a book last year.

93
00:03:50,640 --> 00:03:53,000
It's called Designing Secure Systems, which is kind of a

94
00:03:53,000 --> 00:03:56,640
theoretical based approach on system security overall.

95
00:03:56,640 --> 00:03:59,560
So it's like, essentially, if you can imagine

96
00:03:59,560 --> 00:04:03,720
a unified model that lets you look at physical human process

97
00:04:03,720 --> 00:04:06,840
as well as cyber systems and how a vulnerability in one area

98
00:04:06,840 --> 00:04:10,000
can lead to an issue in another.

99
00:04:10,000 --> 00:04:12,920
So the topic of this podcast is advanced hunting.

100
00:04:12,920 --> 00:04:15,840
So the question is gonna be,

101
00:04:15,840 --> 00:04:19,920
so what is advanced hunting and what does it sort of entail?

102
00:04:19,920 --> 00:04:23,560
Absolutely, so advanced hunting is kind of like a roll your own

103
00:04:23,560 --> 00:04:25,360
detection capability inside of Defender.

104
00:04:25,360 --> 00:04:28,680
So Defender, as I mentioned, is an XDR.

105
00:04:28,680 --> 00:04:33,000
It's essentially a capability to identify not just malicious

106
00:04:33,000 --> 00:04:34,360
but suspicious activity.

107
00:04:34,360 --> 00:04:37,000
And the reason why I make this clarification,

108
00:04:37,000 --> 00:04:38,840
traditionally, when you looked at security products,

109
00:04:38,840 --> 00:04:40,120
you had antivirus.

110
00:04:40,120 --> 00:04:44,160
And antivirus is tuned to specifically find known bad things.

111
00:04:44,160 --> 00:04:45,520
It's very difficult.

112
00:04:45,520 --> 00:04:48,400
The way I like to describe it is,

113
00:04:48,400 --> 00:04:49,600
from an antivirus perspective,

114
00:04:49,600 --> 00:04:51,520
if you clean up a legitimate file,

115
00:04:51,520 --> 00:04:52,520
you're likely to make news.

116
00:04:52,520 --> 00:04:55,120
Whereas if you miss a bad file,

117
00:04:55,120 --> 00:04:57,160
you're just a bad antivirus solution.

118
00:04:57,160 --> 00:04:59,960
EDR and XDR kind of helps you cover that gap

119
00:04:59,960 --> 00:05:03,200
because we are essentially tuning to avoid false positives.

120
00:05:03,200 --> 00:05:04,400
If you have a false positive,

121
00:05:04,400 --> 00:05:06,360
you can take down a customer's enterprise.

122
00:05:06,360 --> 00:05:09,720
So EDR enables us to identify suspicious activities

123
00:05:09,720 --> 00:05:13,160
that may not necessarily have inherently malicious files

124
00:05:13,160 --> 00:05:14,000
involved.

125
00:05:14,000 --> 00:05:17,960
So for example, if an attacker was to perform lateral traversal,

126
00:05:17,960 --> 00:05:19,160
depending on the tooling they use,

127
00:05:19,160 --> 00:05:20,680
they may or may not use malware.

128
00:05:20,680 --> 00:05:21,720
They also may be performing

129
00:05:21,720 --> 00:05:23,640
some other suspicious administrative activities

130
00:05:23,640 --> 00:05:24,480
during the attack.

131
00:05:24,480 --> 00:05:27,200
So EDR covers that gap.

132
00:05:27,200 --> 00:05:29,760
EDR being endpoint detection response.

133
00:05:29,760 --> 00:05:30,960
And then more broadly,

134
00:05:30,960 --> 00:05:32,560
so about two years ago now,

135
00:05:32,560 --> 00:05:34,920
we launched Microsoft Threat Protection, or MTP,

136
00:05:34,920 --> 00:05:37,720
which eventually became Microsoft 365 Defender,

137
00:05:37,720 --> 00:05:39,200
which is our XDR, as I mentioned,

138
00:05:39,200 --> 00:05:40,840
it's the expanded detection response.

139
00:05:40,840 --> 00:05:44,680
And the big difference between EDR and XDR is the breadth.

140
00:05:44,680 --> 00:05:46,880
So in an XDR solution,

141
00:05:46,880 --> 00:05:48,360
you're not just looking at endpoints,

142
00:05:48,360 --> 00:05:50,560
you're typically looking also at things like identities.

143
00:05:50,560 --> 00:05:53,080
So Microsoft Defender for Identity is our UEBA

144
00:05:53,080 --> 00:05:56,120
and also Identity Detection Solution.

145
00:05:56,120 --> 00:05:57,280
There's Defender for Office,

146
00:05:57,280 --> 00:05:58,560
which is looking at suspicious

147
00:05:58,560 --> 00:06:00,880
and malicious email activities going on.

148
00:06:00,880 --> 00:06:02,160
And Defender for Cloud Apps,

149
00:06:02,160 --> 00:06:03,880
which is looking for shadow IT

150
00:06:03,880 --> 00:06:06,800
and suspicious use of cloud applications.

151
00:06:06,800 --> 00:06:09,280
So Defender Advanced Hunting gives you the ability

152
00:06:09,280 --> 00:06:12,800
to do raw access hunting to the data we use inside of Defender

153
00:06:12,800 --> 00:06:13,760
to create detections.

154
00:06:13,760 --> 00:06:16,320
So we create a whole bunch of detections out of the box

155
00:06:16,320 --> 00:06:18,680
for things that we know are suspicious or malicious,

156
00:06:18,680 --> 00:06:20,280
but sometimes you may have something

157
00:06:20,280 --> 00:06:23,440
that's contextually unique to your organization.

158
00:06:23,440 --> 00:06:25,440
For example, remote administration tools

159
00:06:25,440 --> 00:06:26,600
are not inherently malicious,

160
00:06:26,600 --> 00:06:28,840
but you may know inside your organization,

161
00:06:28,840 --> 00:06:30,640
you only use one product or another,

162
00:06:30,640 --> 00:06:33,920
you might only use remote desktop to manage these systems.

163
00:06:33,920 --> 00:06:36,040
And as a result, you wanna identify things

164
00:06:36,040 --> 00:06:37,240
that are not remote desktop

165
00:06:37,240 --> 00:06:39,760
that enable you to control those systems.

166
00:06:39,760 --> 00:06:42,600
With Advanced Hunting, you can create these queries

167
00:06:42,600 --> 00:06:45,600
that'll identify when these processes have been created

168
00:06:45,600 --> 00:06:47,800
or when files were written or activities occurred

169
00:06:47,800 --> 00:06:49,000
on these devices

170
00:06:49,000 --> 00:06:51,200
and also enable you to create custom detections.

171
00:06:51,200 --> 00:06:53,120
So if your query is really good

172
00:06:53,120 --> 00:06:55,160
at identifying suspicious activity,

173
00:06:55,160 --> 00:06:57,880
you can have Defender automatically respond

174
00:06:57,880 --> 00:07:00,760
by isolating the device, quarantining the file.

175
00:07:00,760 --> 00:07:02,640
It basically gives you raw data access

176
00:07:02,640 --> 00:07:07,120
to create your own customized detections for your enterprise.

177
00:07:07,120 --> 00:07:08,720
So detections is one of the things

178
00:07:08,720 --> 00:07:09,760
you can do with Advanced Hunting.

179
00:07:09,760 --> 00:07:12,360
There's also a whole bunch of other capabilities

180
00:07:12,360 --> 00:07:13,320
that we use as well.

181
00:07:13,320 --> 00:07:16,120
So customers sometimes wanna have kind of a picture

182
00:07:16,120 --> 00:07:17,280
of their entire enterprise,

183
00:07:17,280 --> 00:07:20,320
i.e. find out where this particular software package

184
00:07:20,320 --> 00:07:23,800
is installed, see where this individual user logs on.

185
00:07:23,800 --> 00:07:25,960
So it gives you this kind of cool reporting capability

186
00:07:25,960 --> 00:07:26,800
as well.

187
00:07:26,800 --> 00:07:29,800
Since we have all these process creations and logon events

188
00:07:29,800 --> 00:07:31,360
and network communication activities

189
00:07:31,360 --> 00:07:34,640
and file creations, et cetera, emails and such,

190
00:07:34,640 --> 00:07:37,560
you have the ability to kind of create your own report

191
00:07:37,560 --> 00:07:39,040
of what goes on in your environment.

192
00:07:39,040 --> 00:07:41,280
So you may be able to do your own baselining.

193
00:07:41,280 --> 00:07:44,520
You can also identify anomaly-based activity as well.

194
00:07:44,520 --> 00:07:47,440
Another thing is from on the baselining front,

195
00:07:48,800 --> 00:07:51,080
if you get out of the box and what Defender really is,

196
00:07:51,080 --> 00:07:53,760
you can do some neat things around, for example,

197
00:07:53,760 --> 00:07:55,440
we have queries that'll help you design

198
00:07:55,440 --> 00:07:56,880
your AppLocker policy.

199
00:07:56,880 --> 00:07:59,400
If you're not sure where, like what the impact

200
00:07:59,400 --> 00:08:03,800
of a particular AppLocker or WDAC policy is gonna be,

201
00:08:03,800 --> 00:08:06,240
you can very quickly report on where,

202
00:08:06,240 --> 00:08:08,320
what processes would launch from that particular path

203
00:08:08,320 --> 00:08:10,000
that you're allowing or declining,

204
00:08:10,000 --> 00:08:12,400
or you can also use it as a mechanism to figure out

205
00:08:12,400 --> 00:08:14,400
how many different executables

206
00:08:14,400 --> 00:08:16,200
and how many different devices have things launching

207
00:08:16,200 --> 00:08:17,040
from that.

208
00:08:17,040 --> 00:08:20,080
So it helps you kind of tune AppLocker, WDAC,

209
00:08:20,080 --> 00:08:23,160
or like firewall policies is another great example.

210
00:08:23,160 --> 00:08:25,800
You can see where inbound and outbound communication

211
00:08:25,800 --> 00:08:27,560
happens inside the enterprise.

212
00:08:27,560 --> 00:08:29,920
And when you wanna determine the impact of allowing

213
00:08:29,920 --> 00:08:33,360
or blocking a specific IP address or application,

214
00:08:33,360 --> 00:08:36,480
it'll help you get that picture of what's going on

215
00:08:36,480 --> 00:08:37,360
inside your enterprise.

216
00:08:37,360 --> 00:08:39,840
So you know it before you actually implement it.

217
00:08:39,840 --> 00:08:41,240
Hey, what's WDAC?

218
00:08:41,240 --> 00:08:44,640
WDAC, or Windows Defender Application Control, enables you

219
00:08:44,640 --> 00:08:48,800
to build a policy that can define what applications are

220
00:08:48,800 --> 00:08:51,960
or are not allowed to run on a given endpoint,

221
00:08:51,960 --> 00:08:53,640
a given Windows endpoint.

222
00:08:53,640 --> 00:08:55,720
For example, you can say files that are signed

223
00:08:55,720 --> 00:08:58,600
by a specific certificate are allowed to run,

224
00:08:58,600 --> 00:09:02,080
or things from a specific path are not allowed to run.

225
00:09:02,080 --> 00:09:04,800
You can also use it for an auditing capability as well.

226
00:09:04,800 --> 00:09:07,000
For example, you can say if a process launches

227
00:09:07,000 --> 00:09:09,520
in this particular context,

228
00:09:09,520 --> 00:09:11,200
I wanna log this and see it

229
00:09:11,200 --> 00:09:14,120
from your Defender Advanced Hunting Console.

230
00:09:14,120 --> 00:09:15,200
So this is kind of interesting, right?

231
00:09:15,200 --> 00:09:19,120
So you could potentially use it for sort of alluding

232
00:09:19,120 --> 00:09:21,920
to this for more than just detection, right?

233
00:09:21,920 --> 00:09:24,560
Because you could actually just run a normal clean system,

234
00:09:24,560 --> 00:09:26,800
a known clean system,

235
00:09:26,800 --> 00:09:29,760
and get an idea for which applications are running,

236
00:09:29,760 --> 00:09:30,880
where they're running from,

237
00:09:30,880 --> 00:09:34,400
if they're digitally signed, which hopefully they are,

238
00:09:34,400 --> 00:09:37,240
what network ports and protocols are being used.

239
00:09:37,240 --> 00:09:38,840
And you could actually build that up

240
00:09:38,840 --> 00:09:41,200
to be like a list of what good looks like.

241
00:09:41,200 --> 00:09:43,440
Is that a reasonable way of putting it,

242
00:09:43,440 --> 00:09:45,640
or is that just way too simplistic?

243
00:09:45,640 --> 00:09:47,360
So that's one approach you can use.

244
00:09:47,360 --> 00:09:48,720
You can definitely, you can also,

245
00:09:48,720 --> 00:09:49,800
it's worth noting there's,

246
00:09:49,800 --> 00:09:52,560
because we're using KQL or Kusto query language

247
00:09:52,560 --> 00:09:53,520
under the hood,

248
00:09:53,520 --> 00:09:55,240
there's also the ability to bring in external data.

249
00:09:55,240 --> 00:09:59,040
So if you have a data set that has like, for example,

250
00:09:59,040 --> 00:10:01,720
systems like maybe IP address ranges,

251
00:10:01,720 --> 00:10:04,360
or a list of file hashes or signers or whatnot,

252
00:10:04,360 --> 00:10:07,080
you can actually dynamically import it into your queries.

253
00:10:07,080 --> 00:10:08,880
So there's definitely one way of doing it,

254
00:10:08,880 --> 00:10:09,880
of basically saying,

255
00:10:09,880 --> 00:10:11,680
this is a known clean box,

256
00:10:11,680 --> 00:10:13,720
and this is what its profile looks like.

257
00:10:13,720 --> 00:10:16,000
But you can also, a lot of times,

258
00:10:16,000 --> 00:10:17,400
enterprises are very complex.

259
00:10:17,400 --> 00:10:19,280
There's gonna be some sort of drift

260
00:10:19,280 --> 00:10:21,080
that's gonna happen across the board.

261
00:10:21,080 --> 00:10:23,160
So what we can do with advanced hunting

262
00:10:23,160 --> 00:10:25,760
is build a picture using summarizations and pivots

263
00:10:25,760 --> 00:10:27,120
and joins and such,

264
00:10:27,120 --> 00:10:28,720
that tells us dynamically

265
00:10:28,720 --> 00:10:31,040
what your enterprise looks like today.

266
00:10:31,040 --> 00:10:32,520
The interesting thing there is,

267
00:10:32,520 --> 00:10:34,480
you can also dig into those outliers.

268
00:10:34,480 --> 00:10:36,320
So that long tail that everybody talks about

269
00:10:36,320 --> 00:10:39,120
in statistics is a very real thing in an enterprise.

270
00:10:39,120 --> 00:10:41,640
But it's also where a lot of the really interesting

271
00:10:41,640 --> 00:10:43,400
aspects of your enterprise are.

272
00:10:43,400 --> 00:10:47,000
These are where your attacker tools might be, for example.

273
00:10:47,000 --> 00:10:49,760
Or this might be somebody who's just violating policy

274
00:10:49,760 --> 00:10:50,920
for one reason or another.

275
00:10:50,920 --> 00:10:53,600
It gives you this really cool ability to dive into those

276
00:10:53,600 --> 00:10:55,880
and rationalize and figure out what kind of policies

277
00:10:55,880 --> 00:10:58,200
you'd like to create with tools like WDAC,

278
00:10:58,200 --> 00:11:00,520
or ultimately, if you wanna create a custom detection

279
00:11:00,520 --> 00:11:01,960
to respond to such a thing.

280
00:11:01,960 --> 00:11:06,360
Can I get pre-built hunting queries,

281
00:11:06,360 --> 00:11:08,200
or do I have to start from scratch?

282
00:11:08,200 --> 00:11:09,840
I mean, let me put it another way.

283
00:11:09,840 --> 00:11:11,320
So I'm not really an expert

284
00:11:11,320 --> 00:11:13,840
in threat hunting by any stretch.

285
00:11:13,840 --> 00:11:17,160
I can't imagine there's a little API I can run that says,

286
00:11:17,160 --> 00:11:18,760
show me how I got whacked.

287
00:11:20,840 --> 00:11:23,160
Show me bad things that are happening.

288
00:11:23,160 --> 00:11:24,880
I mean, because I don't know what I'm looking for.

289
00:11:24,880 --> 00:11:25,720
I'm gonna be honest with you,

290
00:11:25,720 --> 00:11:27,720
I don't know what I'm looking for.

291
00:11:27,720 --> 00:11:31,240
So do we have built-in or sample queries

292
00:11:31,240 --> 00:11:33,040
that people can use that might show

293
00:11:33,040 --> 00:11:36,280
sort of indicators of either malicious behavior

294
00:11:36,280 --> 00:11:38,840
or even indicators of compromise?

295
00:11:38,840 --> 00:11:40,000
So there are, there's a couple

296
00:11:40,000 --> 00:11:41,720
of really great resources out there.

297
00:11:41,720 --> 00:11:43,960
So the first piece of advanced hunting

298
00:11:43,960 --> 00:11:47,720
is understanding KQL itself for Kusto query language.

299
00:11:47,720 --> 00:11:49,880
We've got the Kusto query language reference.

300
00:11:49,880 --> 00:11:51,640
So this is gonna be the same query language

301
00:11:51,640 --> 00:11:53,680
used in Sentinel, if you've used it.

302
00:11:53,680 --> 00:11:54,920
It's also what you're gonna use

303
00:11:54,920 --> 00:11:57,000
on what's called an Azure Data Explorer cluster.

304
00:11:57,000 --> 00:12:00,120
So if you've got experience with those, you're using KQL.

305
00:12:00,120 --> 00:12:02,400
But there's also really great web-based doc

306
00:12:02,400 --> 00:12:04,000
that references the entire language.

307
00:12:04,000 --> 00:12:05,800
It's pretty easy to get used to.

308
00:12:05,800 --> 00:12:07,600
I saw a shirt the other day that actually says,

309
00:12:07,600 --> 00:12:10,720
KQL is the new PowerShell, and it made me stop and think.

310
00:12:10,720 --> 00:12:13,000
It really is across our security stack.

311
00:12:13,000 --> 00:12:15,880
It's really the key language you need to understand.

312
00:12:15,880 --> 00:12:17,200
And as well as, as I mentioned,

313
00:12:17,200 --> 00:12:18,480
it's really great for if you have

314
00:12:18,480 --> 00:12:20,200
an Azure Data Explorer cluster.

315
00:12:20,200 --> 00:12:23,600
So the second thing is understanding the data landscape

316
00:12:23,600 --> 00:12:24,960
that we've got in advanced hunting.

317
00:12:24,960 --> 00:12:27,440
Depending on which products you've got from Defender,

318
00:12:27,440 --> 00:12:30,600
you may see information from devices, emails,

319
00:12:30,600 --> 00:12:32,320
apps and identities, et cetera.

320
00:12:32,320 --> 00:12:34,760
So understanding those is really important.

321
00:12:34,760 --> 00:12:36,960
And for that, we've got our schema reference.

322
00:12:36,960 --> 00:12:38,120
There's some public-facing docs,

323
00:12:38,120 --> 00:12:40,080
that are out there on it.

324
00:12:40,080 --> 00:12:42,200
But ultimately my favorite spot to go,

325
00:12:42,200 --> 00:12:44,280
if you open up the advanced hunting page in Defender

326
00:12:44,280 --> 00:12:45,400
in the upper right-hand corner,

327
00:12:45,400 --> 00:12:46,920
there's a button for schema reference

328
00:12:46,920 --> 00:12:48,840
that breaks down every single table

329
00:12:48,840 --> 00:12:50,240
and every single column

330
00:12:50,240 --> 00:12:52,080
and provides some really great detail.

331
00:12:52,080 --> 00:12:53,520
One that I would like to highlight,

332
00:12:53,520 --> 00:12:56,440
especially if you're a Defender for Endpoint customer,

333
00:12:56,440 --> 00:12:57,720
is the device events table.

334
00:12:57,720 --> 00:13:00,480
We have a lot of really good information in there.

335
00:13:00,480 --> 00:13:02,920
For example, scheduled task creations,

336
00:13:02,920 --> 00:13:04,600
plug and play device activity.

337
00:13:04,600 --> 00:13:07,080
So if you wanna know if somebody's plugging in a USB drive,

338
00:13:07,080 --> 00:13:09,240
you can see that, you can see volume mounts,

339
00:13:09,240 --> 00:13:10,560
a whole bunch of really good information

340
00:13:10,560 --> 00:13:12,080
for creating your own custom detections

341
00:13:12,080 --> 00:13:14,480
or researching activity inside your environment.

342
00:13:14,480 --> 00:13:17,360
And if you wanna get started with advanced hunting,

343
00:13:17,360 --> 00:13:19,880
there's a really great series I put out about two years ago

344
00:13:19,880 --> 00:13:22,560
with Tali Ash called Tracking the Adversary

345
00:13:22,560 --> 00:13:24,320
with MTP advanced hunting.

346
00:13:24,320 --> 00:13:26,880
We basically start off with a very 101 approach.

347
00:13:26,880 --> 00:13:28,640
So we cover the basic operators,

348
00:13:28,640 --> 00:13:33,120
like take, for example, the where clause, et cetera.

349
00:13:33,120 --> 00:13:35,680
And we cover each of the individual datasets

350
00:13:35,680 --> 00:13:37,720
that we had in advanced hunting at that time.

351
00:13:37,720 --> 00:13:40,120
And ultimately build your way up to things like joins.

352
00:13:40,120 --> 00:13:41,480
So there's all different kinds of joins

353
00:13:41,480 --> 00:13:43,720
inside of KQL that are important to understand.

354
00:13:43,720 --> 00:13:45,680
And last, we start moving into summarizing,

355
00:13:45,680 --> 00:13:46,800
pivoting and joining.

356
00:13:46,800 --> 00:13:48,640
So essentially, if you wanna build these reports

357
00:13:48,640 --> 00:13:51,560
or summarizations of what's going on inside your data.

358
00:13:51,560 --> 00:13:54,880
And the very last episode we dig into a contrived hunt.

359
00:13:54,880 --> 00:13:57,480
So we've got a targeted adversary situation

360
00:13:57,480 --> 00:13:59,600
we replicated inside of a defender tenant.

361
00:13:59,600 --> 00:14:01,560
And we go through and use the things that you learned

362
00:14:01,560 --> 00:14:05,320
in those different episodes to hunt down the adversary

363
00:14:05,320 --> 00:14:07,240
and figure out all of its attributes.

364
00:14:07,240 --> 00:14:08,440
So one thing I mentioned at the beginning

365
00:14:08,440 --> 00:14:09,880
that really sort of piqued my interest

366
00:14:09,880 --> 00:14:13,480
is he talks about tracking down human adversaries.

367
00:14:13,480 --> 00:14:14,920
Is there any sort of tips, tricks?

368
00:14:14,920 --> 00:14:17,320
Is there a format or structure that you go through

369
00:14:17,320 --> 00:14:18,840
to help with that?

370
00:14:18,840 --> 00:14:20,720
So one of the tools I like to use

371
00:14:20,720 --> 00:14:23,440
is what I like to call the ABCs of incident response

372
00:14:23,440 --> 00:14:25,160
or the ABCs of security.

373
00:14:25,160 --> 00:14:27,400
Essentially the ABCs represent the things

374
00:14:27,400 --> 00:14:29,920
that you wanna look for in any targeted attack

375
00:14:29,920 --> 00:14:32,640
or really any cyber situation you run into.

376
00:14:32,640 --> 00:14:35,640
So to get started, so the ABCs are authentication,

377
00:14:35,640 --> 00:14:38,760
backdoors, communication channels and data.

378
00:14:38,760 --> 00:14:42,160
So authentication represents the identity aspect.

379
00:14:42,160 --> 00:14:44,440
So what identity did the attacker use

380
00:14:44,440 --> 00:14:46,160
when they connected to the service?

381
00:14:46,160 --> 00:14:48,840
After they contacted this particular service,

382
00:14:48,840 --> 00:14:51,160
what identity were you using on the device itself?

383
00:14:51,160 --> 00:14:53,120
So for example, if it's a web server,

384
00:14:53,120 --> 00:14:54,960
you might be anonymous coming in,

385
00:14:54,960 --> 00:14:57,640
but if there's a vulnerability in that web page,

386
00:14:57,640 --> 00:15:00,160
you might be able to run code as the web server.

387
00:15:00,160 --> 00:15:02,480
In that case, the identity you'd be looking for

388
00:15:02,480 --> 00:15:04,080
is the identity of the IIS app pool

389
00:15:04,080 --> 00:15:06,520
or perhaps the Apache service.

390
00:15:06,520 --> 00:15:09,880
The third piece of identity is what identities were compromised

391
00:15:09,880 --> 00:15:11,640
as a result of that event.

392
00:15:11,640 --> 00:15:13,040
Now you've got on the box,

393
00:15:13,040 --> 00:15:15,000
do we have credentials that are exposed to memory

394
00:15:15,000 --> 00:15:16,560
and are you running as admin?

395
00:15:16,560 --> 00:15:19,400
Is there perhaps a password file or something on those lines?

396
00:15:19,400 --> 00:15:23,400
What types of authentication does the attacker now have access to

397
00:15:23,400 --> 00:15:25,240
as a result of that attack?

398
00:15:25,240 --> 00:15:27,040
The second one is backdoors.

399
00:15:27,040 --> 00:15:31,400
Now, backdoor is a malware term,

400
00:15:31,400 --> 00:15:34,680
but ultimately it's the mechanism that the attacker uses

401
00:15:34,680 --> 00:15:36,800
to control the endpoint itself.

402
00:15:36,800 --> 00:15:39,680
So a backdoor can be a perfectly legitimate tool

403
00:15:39,680 --> 00:15:41,360
and an intended capability.

404
00:15:41,360 --> 00:15:43,520
And our web server, the backdoor,

405
00:15:43,520 --> 00:15:45,080
the initial backdoor they connected to

406
00:15:45,080 --> 00:15:47,280
is essentially the web server itself.

407
00:15:47,280 --> 00:15:49,680
It could also be an exposed RDP port

408
00:15:49,680 --> 00:15:51,240
or it could be a piece of malware.

409
00:15:51,240 --> 00:15:52,880
If they've already infected the device,

410
00:15:52,880 --> 00:15:54,400
you might have a remote access Trojan

411
00:15:54,400 --> 00:15:56,480
or something along those lines on the device

412
00:15:56,480 --> 00:15:58,760
that enables them to control the system.

413
00:15:58,760 --> 00:16:02,120
So just like authentication, there's three time frames.

414
00:16:02,120 --> 00:16:03,440
You've got the initial access,

415
00:16:03,440 --> 00:16:06,680
so what backdoor did they use to control the endpoint itself?

416
00:16:06,680 --> 00:16:09,560
Was there any backdoors installed as a result of the event?

417
00:16:09,560 --> 00:16:13,440
So for example, did we see a downloader or a dropper

418
00:16:13,440 --> 00:16:15,520
install a backdoor into the system?

419
00:16:15,520 --> 00:16:18,720
And as a result, what backdoors do they have access to

420
00:16:18,720 --> 00:16:20,200
as a result of the attack?

421
00:16:20,200 --> 00:16:22,880
So now you've compromised this device.

422
00:16:22,880 --> 00:16:25,760
Presumably you can use a device to pivot to other devices

423
00:16:25,760 --> 00:16:27,240
that were protected by a firewall

424
00:16:27,240 --> 00:16:28,760
or a security mechanism.

425
00:16:28,760 --> 00:16:32,480
So it's essentially the mechanism for control.

426
00:16:32,480 --> 00:16:34,640
The third one is communication channels.

427
00:16:34,640 --> 00:16:36,640
And that essentially describes the way

428
00:16:36,640 --> 00:16:38,840
that the attacker communicates with a device.

429
00:16:38,840 --> 00:16:41,680
It's the path between the attacker and the backdoor.

430
00:16:41,680 --> 00:16:43,680
So in our initial access scenario,

431
00:16:43,680 --> 00:16:46,200
when the attacker contacted the web server,

432
00:16:46,200 --> 00:16:49,200
it might be a user agent string or a source IP address.

433
00:16:49,200 --> 00:16:52,280
It could also be more generic things such as countries

434
00:16:52,280 --> 00:16:55,520
or ISPs or things along those lines.

435
00:16:55,520 --> 00:16:57,760
These are all things you can use to profile

436
00:16:57,760 --> 00:17:00,560
that attacker activity inside the enterprise.

437
00:17:00,560 --> 00:17:03,520
You also have, of course, the post breach scenario

438
00:17:03,520 --> 00:17:06,640
where what communication paths are open as a result.

439
00:17:06,640 --> 00:17:08,720
And last, you've got data.

440
00:17:08,720 --> 00:17:11,480
So data, it really represents the impact.

441
00:17:11,480 --> 00:17:14,640
It's the confidentiality, integrity, and or availability

442
00:17:14,640 --> 00:17:17,160
that you've lost of information as a result of the breach.

443
00:17:17,160 --> 00:17:19,400
So if this is a ransomware or a wiper attack,

444
00:17:19,400 --> 00:17:21,880
some of your data may have been encrypted or destroyed.

445
00:17:21,880 --> 00:17:25,040
Or if it's a tamper attack,

446
00:17:25,040 --> 00:17:26,720
you might have some additional rows in your database

447
00:17:26,720 --> 00:17:27,800
you didn't intend.

448
00:17:27,800 --> 00:17:29,680
Or last, if it's a data theft

449
00:17:29,680 --> 00:17:31,360
or intellectual property theft type case,

450
00:17:31,360 --> 00:17:33,680
it's what data essentially went out the front door

451
00:17:33,680 --> 00:17:34,520
as a result.

452
00:17:34,520 --> 00:17:37,240
Did we lose some intellectual property?

453
00:17:37,240 --> 00:17:40,880
Some secrets or sensitive organizational information?

454
00:17:40,880 --> 00:17:44,640
So at the start of this, you mentioned using KQL

455
00:17:44,640 --> 00:17:45,560
to perform the hunting.

456
00:17:45,560 --> 00:17:47,160
Is that the only way you can do hunting?

457
00:17:47,160 --> 00:17:50,400
I mean, there are other APIs or anything that you can call

458
00:17:50,400 --> 00:17:54,600
or are you really restricted to just using KQL?

459
00:17:54,600 --> 00:17:56,440
So there's two main ways you can really use

460
00:17:56,440 --> 00:17:58,840
advanced hunting inside of Defender itself.

461
00:17:58,840 --> 00:18:01,760
So the first way is to use the web interface itself.

462
00:18:01,760 --> 00:18:02,800
That's probably the easiest way,

463
00:18:02,800 --> 00:18:04,360
but there are some limitations.

464
00:18:04,360 --> 00:18:06,560
You have a cap of about 10,000 rows.

465
00:18:06,560 --> 00:18:08,800
So if you need to bring back a whole bunch of data,

466
00:18:08,800 --> 00:18:11,240
you may want to use the API.

467
00:18:11,240 --> 00:18:14,040
So the API will give you up to 100,000 rows

468
00:18:14,040 --> 00:18:16,600
worth of results and enables you to essentially

469
00:18:16,600 --> 00:18:18,480
programmatically call advanced hunting.

470
00:18:18,480 --> 00:18:20,880
It's really great for hooking to things like, for example,

471
00:18:20,880 --> 00:18:23,400
if you have some Azure automation out there,

472
00:18:23,400 --> 00:18:26,680
you can pull your data directly into reports or whatnot.

473
00:18:26,680 --> 00:18:28,320
The third way you can kind of use,

474
00:18:28,320 --> 00:18:30,520
and this is sort of advanced hunting,

475
00:18:30,520 --> 00:18:32,640
is really referring to the data itself.

476
00:18:32,640 --> 00:18:34,880
So we've got a couple of different APIs out there

477
00:18:34,880 --> 00:18:37,480
that enable you to pull the data into other systems.

478
00:18:37,480 --> 00:18:39,560
So the first one is going to be your Sentinel connector,

479
00:18:39,560 --> 00:18:41,560
which is a native connector between Defender

480
00:18:41,560 --> 00:18:42,920
and Microsoft Sentinel.

481
00:18:42,920 --> 00:18:45,040
So you can actually pull your data into Sentinel

482
00:18:45,040 --> 00:18:46,480
and then join it with all the log data

483
00:18:46,480 --> 00:18:48,520
that's in, for instance, your SIEM.

484
00:18:48,520 --> 00:18:51,080
Or you can also use the streaming API,

485
00:18:51,080 --> 00:18:53,320
which lets you pull it into either directly

486
00:18:53,320 --> 00:18:56,720
into blob storage, or you can pull it into an event hub

487
00:18:56,720 --> 00:18:58,200
and then do it with what you like.

488
00:18:58,200 --> 00:19:00,560
I'm not gonna be right, I mean, I love KQL,

489
00:19:00,560 --> 00:19:03,880
but I always like the ability to call an API,

490
00:19:03,880 --> 00:19:05,280
just in case.

491
00:19:05,280 --> 00:19:07,160
I mean, I want to build like some kind of custom tooling

492
00:19:07,160 --> 00:19:08,280
or something, and it just gives me

493
00:19:08,280 --> 00:19:09,640
that extra level of flexibility.

494
00:19:09,640 --> 00:19:12,680
So that's really great to see.

495
00:19:12,680 --> 00:19:14,760
I mean, is there a community of folks out there?

496
00:19:14,760 --> 00:19:17,000
Cause I imagine this stuff's relatively complex,

497
00:19:17,000 --> 00:19:19,280
especially if you're sort of learning this stuff

498
00:19:19,280 --> 00:19:20,160
from the get go.

499
00:19:20,160 --> 00:19:23,240
Is there other people I can talk to about this?

500
00:19:23,240 --> 00:19:24,880
We also have a GitHub.

501
00:19:24,880 --> 00:19:27,560
So we're actually inside the Azure Sentinel repo.

502
00:19:27,560 --> 00:19:29,760
If you look under the hunting queries,

503
00:19:29,760 --> 00:19:32,200
you're gonna see Microsoft 365 Defender.

504
00:19:32,200 --> 00:19:35,000
And inside there is a whole bunch of YAML formatted queries,

505
00:19:35,000 --> 00:19:36,280
which is gonna be the same ones you see

506
00:19:36,280 --> 00:19:38,600
in the advanced hunting portal under community.

507
00:19:38,600 --> 00:19:40,600
So it'll help you get started if you want to see

508
00:19:40,600 --> 00:19:43,200
how other people are using advanced hunting today.

509
00:19:43,200 --> 00:19:46,320
All right, so one thing we ask all our guests

510
00:19:46,320 --> 00:19:48,520
is if you had one sort of final thought

511
00:19:48,520 --> 00:19:51,040
to leave our listeners with, what would it be?

512
00:19:51,040 --> 00:19:53,120
So probably the biggest thing is

513
00:19:53,120 --> 00:19:56,240
when you're looking through your EDR or XDR solution,

514
00:19:56,240 --> 00:19:58,840
you see activity, make sure you stop

515
00:19:58,840 --> 00:20:01,360
and determine if it's gonna be commodity stuff.

516
00:20:01,360 --> 00:20:04,080
So the stuff you get just surfing around the web,

517
00:20:04,080 --> 00:20:06,480
or if there might be some targeted intent behind it,

518
00:20:06,480 --> 00:20:07,840
i.e. if you're looking through seeing

519
00:20:07,840 --> 00:20:09,400
some suspicious activity.

520
00:20:09,400 --> 00:20:12,480
If you do see targeted activity, remember your ABCs,

521
00:20:12,480 --> 00:20:13,840
authentication methods, backdoors,

522
00:20:13,840 --> 00:20:15,560
communication channels and data.

523
00:20:15,560 --> 00:20:18,160
And be ready to bring in help if you need it,

524
00:20:18,160 --> 00:20:19,600
like from Microsoft DART

525
00:20:19,600 --> 00:20:21,920
or Microsoft Defender Experts for hunting.

526
00:20:21,920 --> 00:20:24,080
And if you're looking for resources for hunting,

527
00:20:24,080 --> 00:20:25,920
check out my book, Designing Secure Systems.

528
00:20:25,920 --> 00:20:27,800
It's got a lot of good content in there

529
00:20:27,800 --> 00:20:29,480
that'll help you think like a hunter

530
00:20:29,480 --> 00:20:32,240
and help you track this adversary using the ABCs

531
00:20:32,240 --> 00:20:34,800
and what I like to call authorization theory.

532
00:20:34,800 --> 00:20:36,600
Well, thanks again for joining us this week, Michael.

533
00:20:36,600 --> 00:20:38,480
I know it's an interesting topic.

534
00:20:38,480 --> 00:20:42,680
I admit it's not an area that I'm particularly familiar with,

535
00:20:42,680 --> 00:20:45,200
so it was always good to learn something new.

536
00:20:45,200 --> 00:20:46,760
And to our listeners out there,

537
00:20:46,760 --> 00:20:49,120
thank you to you also for listening in.

538
00:20:49,120 --> 00:20:51,320
Stay safe and we'll see you next time.

539
00:20:51,320 --> 00:20:54,200
Thanks for listening to the Azure Security Podcast.

540
00:20:54,200 --> 00:20:57,960
You can find show notes and other resources at our website,

541
00:20:57,960 --> 00:21:00,080
azsecuritypodcast.net.

542
00:21:00,080 --> 00:21:01,800
If you have any questions,

543
00:21:01,800 --> 00:21:04,920
please find us on Twitter at azuresecpod.

544
00:21:04,920 --> 00:21:07,880
Background music is from ccmixter.com

545
00:21:07,880 --> 00:21:31,960
and licensed under the Creative Commons license.

