Azure ATP can identify a variety of cyberattacks. After watching this video, you will have a sense of how to investigate alerts to determine whether the attacks they indicate are false alarms or the result of actual attacks.
- [Instructor] I'm logged in to the Azure Advanced Threat Protection portal at portal.atp.azure.com, and I'm going to look into suspicious activities, more advanced attacks this time, that have been detected by Azure ATP. So I'll start in my high-severity alerts here. I'm going to scroll down, and here I see I have suspected identity theft, a pass-the-ticket attack against Ron Harper, so I'll click on that alert. Pass-the-ticket is a lateral movement technique in which an attacker steals a Kerberos ticket from one computer and then uses it to gain access to another computer by reusing the stolen ticket, so in this detection, a Kerberos ticket has been found on two or more different computers. In this case, we can see that Ron Harper's Kerberos ticket was taken from finance server three and used on RDP server to access two resources.

So the first phase of an investigation like this is triage. We want to determine if this is a false positive, and I can actually do it right here by looking under Evidence. For Ron to have a legitimate Kerberos ticket on finance server three and RDP server, we know he needs to have logged in to each of those machines. Under Evidence, I can see that Ron was observed logging in to one of these computers, so he has logged in to finance server three, but we see another note here that mentions Ron was not observed logging in to RDP server during the 30 days before this suspicious activity occurred. I'm going to keep going here. I'll go to level. I'm going to click on Ron Harper and look at his activity a little more closely. I see immediately Ron is a helpdesk engineer, somebody who likely has privileged access in more than a few places, and I see Ron's logged on to finance server three, a server with sensitive financial data, as well as one of my SharePoint servers where, no doubt, we have a lot of corporate data, much of which might be sensitive.
If I scroll down here, I see a timeline of Ron's activity, and over to the left, I see Lateral Movement Path. At first glance, lateral movement is empty, but I'm going to scroll up here, and I notice that that's the most recent picture, so I can actually view a different date. I'm going to go back and pick November 21st. On November 21st, I see a lateral movement path here that indicates how an attacker might have accessed Nick Cowley's account from Ron Harper's account, and I see a little green circle with an S on it, which means sensitive, so I'm going to click on Nick Cowley and take a closer look. (mouse clicking) I see Nick is my chief information security officer, so definitely a sensitive account. If I'd like to know why that's a sensitive account, I can actually click on the sensitive icon, and it's going to show me here that Nick is a member of two sensitive groups, Administrators and Domain Admins. So if Nick is compromised, this is serious. (mouse clicking)

I think I'm going to dig into Nick's timeline a bit here. In fact, I'm going to go ahead and click on NICKC-LAP, which is likely Nick's laptop, and look at the machine details. And I'll go ahead and click on that SharePoint server and see if anything stands out. (mouse clicking) Let's look at the active alerts we show under Nick's user. I see a number of very suspicious activities under Nick's account: I see suspected identity theft here, and I see a suspected DCSync attack, that's a phony domain controller replication request, an attempt by an attacker to get a domain controller to replicate its Active Directory database. So just looking at these alert titles, any SecOps analyst would conclude that it's probable that Nick's been compromised, and we did all of that in less than five minutes, following the trail of alerts and activities from one user to the next across machines, from the source of the alert to the target, and with visibility into the probable result.
The only thing worse than a security breach is having no visibility into the type or scope of the breach, something you'll never have to worry about with Azure ATP.
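The triage logic the instructor walks through above (a ticket observed on more than one computer is only explained if the user was seen logging on to each of those computers within the preceding 30 days) can be reproduced over your own telemetry. The following is an added example, not Azure ATP's code and not from the course: it runs over constructed ticket observations and logon records with hypothetical host names (finsrv3, rdpsrv, sp01, ws-alice, ws-bob), treats the host where a ticket was first observed as its source, and flags any other host on which that ticket appears without a prior logon in the window.

```python
"""Pass-the-ticket triage over constructed data (added example, not Azure ATP code).

A Kerberos ticket seen on more than one host is reported; each host is then
checked for an interactive logon by the same user within the look-back window.
Hosts with no such logon are 'unexplained' and make the finding suspicious.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. ticket_id stands in for whatever identifies a TGT
# in your telemetry (e.g. a hash of the encrypted ticket blob). Host names are
# hypothetical.
TICKET_OBSERVATIONS = [
    {"user": "ronh", "ticket_id": "t-1a2b", "host": "finsrv3", "time": datetime(2019, 11, 21, 9, 5)},
    {"user": "ronh", "ticket_id": "t-1a2b", "host": "rdpsrv", "time": datetime(2019, 11, 21, 9, 40)},
    {"user": "ronh", "ticket_id": "t-1a2b", "host": "rdpsrv", "time": datetime(2019, 11, 21, 9, 42)},
    # Benign reuse: same ticket on two hosts, but the user logged on to both recently.
    {"user": "alice", "ticket_id": "t-9c9c", "host": "sp01", "time": datetime(2019, 11, 21, 10, 0)},
    {"user": "alice", "ticket_id": "t-9c9c", "host": "ws-alice", "time": datetime(2019, 11, 21, 8, 0)},
    # Single host only: nothing to report.
    {"user": "bob", "ticket_id": "t-5555", "host": "ws-bob", "time": datetime(2019, 11, 21, 8, 30)},
]

LOGONS = [  # constructed interactive logon records (user, host, time)
    {"user": "ronh", "host": "finsrv3", "time": datetime(2019, 11, 21, 9, 0)},
    {"user": "ronh", "host": "rdpsrv", "time": datetime(2019, 9, 1, 12, 0)},  # more than 30 days earlier
    {"user": "alice", "host": "ws-alice", "time": datetime(2019, 11, 21, 7, 55)},
    {"user": "alice", "host": "sp01", "time": datetime(2019, 11, 15, 9, 0)},
]

WINDOW = timedelta(days=30)


def find_ticket_reuse(observations):
    """Group observations by (user, ticket_id); keep groups seen on more than one host.

    Returns {(user, ticket_id): [observations sorted by time]}.
    """
    grouped = defaultdict(list)
    for obs in observations:
        grouped[(obs["user"], obs["ticket_id"])].append(obs)
    return {
        key: sorted(group, key=lambda o: o["time"])
        for key, group in grouped.items()
        if len({o["host"] for o in group}) > 1
    }


def logged_on_within(user, host, logons, before, window=WINDOW):
    """True if `user` had a logon to `host` in the `window` ending at `before`."""
    return any(
        rec["user"] == user and rec["host"] == host and before - window <= rec["time"] <= before
        for rec in logons
    )


def triage(observations, logons, window=WINDOW):
    """Return one finding per reused ticket with the hosts no logon can explain."""
    findings = []
    for (user, ticket_id), group in find_ticket_reuse(observations).items():
        source_host = group[0]["host"]  # assumption: first sighting is where the ticket was issued
        first_seen = {}
        for obs in group:  # earliest sighting per host
            first_seen.setdefault(obs["host"], obs["time"])
        unexplained = sorted(
            host for host, seen_at in first_seen.items()
            if not logged_on_within(user, host, logons, seen_at, window)
        )
        findings.append({
            "user": user,
            "ticket_id": ticket_id,
            "source_host": source_host,
            "hosts": sorted(first_seen),
            "unexplained_hosts": unexplained,
            "verdict": "suspected pass-the-ticket" if unexplained
                       else "likely benign (logons explain every host)",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(TICKET_OBSERVATIONS, LOGONS):
        print(finding)
```

In the sample data, ronh's ticket first appears on finsrv3 (where he logged on minutes earlier) and then on rdpsrv, where his last logon was in September, so rdpsrv is unexplained and the finding is flagged; alice's ticket is on two hosts but both have logons inside the window, so it is marked benign. The 30-day window is the value the instructor reads from the Evidence pane; tune it to your own logon-retention and ticket-lifetime settings.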