Security Threat Analysis – Using Operations Management Suite

This blog post is aimed at positioning Operations Management Suite (hereafter called OMS) in the world of security forensic investigations and to provide a security investigation example.

https://www.microsoft.com/oms

Before diving into OMS, it is good to have a basic understanding of what kinds of threats exist, what high-level counter measures the security market has to offer, and where OMS fits into that space.

It is fair to say that OMS has just started its journey, where we have already established a great analytics solution and there is more to come, based on your feedback. OMS is primarily based on realizing and introducing new features through User Voice. Personally I think it’s great to have direct customer feedback incorporated in our engineering processes through the Azure Operational Insights feedback page. You can suggest your feature or desired functionality and let others vote on your suggestion. We prioritize requests based on the number of votes they receive. This gives us a real life and dynamic view of what you actually need and want.

Let’s talk a bit about security threats. Besides the viruses, malware, and other nasty stuff, there’s one special threat to call out here, known as Advanced Persistent Threat (APT). This is not your typical script kiddy trying to get you to click on a “who wants to see flying pigs” email which can cause annoying things; this is a sophisticated and very persistent attack targeted at your corporate resources. An APT goes beyond the typical malware or adware attacks.

An APT typically starts at the outer boundary of your network and might be started with an attacker gaining access to a non-privileged account. From there the attacker takes their time to work their way in. This process can take months or longer; there’s no hurry when executing an APT attack. Research has found that often an APT attack is executed by a “company structured” entity which actually has “employees” working on shifts.

After an attacker has compromised a non-privileged account they start their reconnaissance work to explore and map your resources. Since they are using a legitimate account, there are no alarm bells going off at this point, assuming that the attacker stays within certain patterns which will not trigger an intrusion detection system. A sophisticated APT attack will not perform notable attacks like enumeration of users or shares at a large scale – which would obviously trigger some alarm bells — instead, they proceed in a kind of stealth way to appear as normal traffic. Attackers are aware of what will and will not trigger your intrusion detection system (IDS) and/or intrusion prevention system (IPS).

This brings me to the topic of IDS and IPS systems. Let me start by saying that OMS is not an IDS nor is it an IPS system. You could summarize OMS functionality – and specifically Operational Insights — in one word: Analytics.

Note that OMS today is a suite which consists of not only Operational Insights, but also includes Azure Automation, Azure Backup, and Azure Site Recovery.

There is plenty information to be found on the Internet about IDS and IPS, so I will not repeat the Internet here except to briefly summarize their properties.

IDS have the following properties:

  • Network-based — analyses network traffic and checks if that matches known attacks.
  • Host-based — monitors inbound and outbound packets from and to a device and looks for suspicious activity. It can take a snapshot of existing system files and can detect changes.
  • Statistical anomaly based — utilizes a baseline which identifies normal network traffic versus deviations from that baseline.
  • Signature based — compares network packets against a database which contains signatures of known malicious threats. Here lies the same challenge which can be found when using an anti-virus solution: there must be a signature available to detect an attack and the system must be kept up to date.

An IPS is an extension of IDS, but unlike an IDS, an IPS is reactive and can take counter measures to actively prevent an attack or block an attack in progress.

As noted earlier, some of the challenges that can make detecting an attack difficult include the following:

  • There is no signature available for that specific attack; for example, the attackers may be using different ports or protocols to mask the attack.
  • There may be a high number of false positives which can cause “cry wolf” scenarios which affects the reliability of those alerts and the trustworthiness
  • The attack may be below a defined threshold or within an established baseline – which is often the case in APT attacks.

Let me emphasize here though that IDS and IPS systems are very powerful security solutions despite their drawbacks.


So where does OMS fit in?

OMS is neither an IDS nor an IPS solution, so what is it?

OMS helps you in forensic security investigations. In other words when you suspect suspicious activities or a security breach, OMS will help to guide you through an analysis of potentially millions of events, and enable you to correlate related events.

OMS is dependent on providers which bring in security data that can be analyzed. In the current release the data provider is based on Windows event logs – which includes security logs, IIS logs, and also Syslogs. In addition, OMS is able to leverage Azure diagnostics data, and OMS can connect with an Azure storage container. A Linux provider and an AWS provider are coming soon. Integrating Azure VM’s is even more easier by clicking on the Operational Insights icon the Azure portal, then click on the Servers view and selecting the VM you want OMS enabled:

 

image

OMS as noted earlier – can integrate with Azure Diagnostics:

image

 

OMS will have integration with AWS Storage soon:

image


Let’s walk through an example how you can leverage OMS to start your security investigation.

This example uses fictitious names, actions, and descriptions for demonstration purposes only.

Tip: I often use this “cheat sheet” to quickly find security related event IDs: https://support.microsoft.com/en-us/kb/977519

OMS will assist you in drawing your attention to the solution pack tiles, for example to the Notable Issues section of the Security & Audit solution pack.

A solution pack in OMS is a collection of pre-defined queries, visualized in a tile which is drilldown-capable. We have provided pre-defined queries for the most common queries which we believe are helpful assisting you in your investigation.

Flexibility in the OMS search engine is key. For example, you can start your investigation when you are alerted by the Notable Issues view of the Security and Audit solution pack. You can start searching by drilling down on the information, or start your search per keyword or with a pre-defined query. The objective of OMS is to provide you with a user-friendly experience of the portal UI and search capabilities, while enabling you to create very flexible and powerful custom queries.

When you navigate from the OMS Overview pane to the Security and Audit view you will see the Failed logons count:

image

When you drill down by clicking on Failed logons, you notice that there is a failed logon for the Backup Service account:

image

Let’s drill down and zoom into that information to find out that there were interactive logon attempts:

image

We can look at who attempted to logon with that account:

image

So this draws immediate attention to our BadGuy user. Let’s see what kind of security events are related to this user when we use a query with a string search containing his name. This will search in all Security Events to see if  a match of “BadGuy” can be found:

image

We get 1,110 results back and at a glance I can see that our BadGuy user has been active on two computers, WHDVM1 and WHDVM4.

Now let’s correlate the two BadGuy user instances found on the two servers by checking the check boxes and click on Apply. We just want to make sure that we are correlating the account names instead of potential matches found in other fields:

image

Please note that when you click on Apply the query automatically gets modified to include an OR filter. Combined with intellisense you quickly and easily learn how the OMS search syntax works.

 

When we execute this search query I can see Activities and Processes listed on the left hand side. Click on the 3 dots (…) to expand the list of processes :

image

A quick glance over the Process list reveals some disturbing instances:

image

As you may know, Mimikatz is used to dump LSA secrets and SysInternal’s PsExec is used to execute remote commands; it is not a good sign to have found these processes on my server.

Let’s see where else Mimikatz has been used, but to avoid reinventing the search query wheel and to utilize the common queries that OMS provides for me, I’m picking a query from the Common Security Queries:

image

After modifying this query by replacing hash.exe with mimikatz.exe, I can see the following which tells me that mimikatz.exe has been executed on two servers by our BadGuy:

image

Maybe I should be looking at what else has been changed on these systems. I can utilize the Security and Audit view to look at Software changes and even at Windows Service changes:

image

Please note that the data for Software changes are not triggered by the change itself, but we leverage a periodic snapshot to capture changes. Therefore it is fair to say that Change Tracking cannot be positioned as an exclusive security detection mechanism for malicious software installations and needs to be used with correlation. In addition it is very unlikely that a malicious user “installs” their tools using regular installation methods.

 

When looking at Configuration Changes on my server WHDVM4 (by selecting the server in the left pane), I can see at a glance that FTP related software has been installed (and probably used):

image

Let’s find out if this actually has been used by listing all executed processes on server WHDVM4 (you can also use the time slider to scope your specific moment in time):

image

I don’t have to modify my search query, since I can see in the list of processes that filezilla.exe has been used. I can even see that this has been installed with FileZilla_3.11.02_win64-setup.exe, but note that you can detect these process even if they have not been installed, but just copied over. No surprise about who has used it when we add the process name to the query and use a Select statement to control our view to just show the Process, Account and Computer:

image

The Wired Data solution pack (coming soon) will enable me to correlate traffic, like which protocol, port and remote IP address was used, to our BadGuy’s actions:

image

From here I can continue my investigation and start correlating more data.


Recovering from an APT attack

This is a common and and an interesting question. I’m sure that there multiple opinions on this topic, here is mine:

IDS, IPS systems and even OMS, cannot help you to recover from an APT attack. I know this is a bold statement. There are currently no solutions which can 100% guarantee you that you have recovered from an APT attack, period. Rebuilding your environment is the only waterproof solution to recover from an APT attack. Another point is that you need to be careful with restoring backups. You might already have been compromised at the time of the backup creation. Unfortunate it’s very hard to determine which backup is safe to restore.

 

So what can you do?

Let me first say that this blog post is intended to give you a better understanding of the potential extent of a breach and gives you a chance to learn about those attacks. Secondly, I hope that this blog post will help you to be better prepared for prevention going forward. Let me entice you to explore a number of Ignite sessions where we discuss measures which can prevent an APT attack:

 

  • Nano Server – low footprint server
  • Just Enough Administration (JEA) and Just In Time (JIT) administration – provide temporary higher privileged access and use locked down PowerShell end points:


Summary

Operations Management Suite (OMS) is a great solution to help you with forensic security investigations. OMS can search through millions of events fast, apply correlation and provide you with ready to go solution packs. OMS is a great addition to your existing Intrusion Detection and Prevention security solutions and integrates well with System Center and a lot of innovations are coming!

 

How to get started with OMS?

Navigate to https://www.microsoft.com/oms and start exploring!