Streamlining Incident Response with Microsoft Defender ATP
Streamlining Incident Response with Microsoft Defender ATP
Incident Management with world-class technology and skills
As a complete security solutions integrator, Optiv’s Enterprise Incident Management team (EIM) has been at the forefront of preventing and responding to attacks and intrusions of all types using many cybersecurity solutions and technologies. Our experienced incident responders, investigators and malware reverse-engineers are equipped with unique skills using a gamut of technologies. Optiv helps clients detect, respond, contain and remediate threats utilizing best of breed solutions, including Microsoft Defender Advanced Threat Protection (MDATP). In this blog post, we will cover how MDATP is integrated into Optiv’s investigative methodology and its ease of deployment if your organization is looking for an all-inclusive Windows-native endpoint security solution.
Data Acquisition - Speed is Key
Incident Response often requires answering questions as quickly as possible, allowing for more informed and efficient decision making when managing response efforts. In traditional IR procedures, this means collecting logs, memory and disk images from endpoints for analysis in Optiv’s forensic lab and conducting the investigation on servers using our suite of state-of-the-art forensic tools. When managing a large-scale incident, this approach can be very time consuming and expensive, ultimately resulting in wasted time while waiting for forensic analysis to be completed.
MDATP offers capabilities for large-scale evidence collection, complemented by analytic tools that significantly speed up triage, detection and impact assessment. These tools and capabilities are leveraged to efficiently identify critical hosts and threat indicators associated with the incident, hunt for additional hosts with those same threat indicators, inform incident commanders as they designate hosts requiring traditional forensic investigations for more thorough analysis and facilitate further threat hunting as the response continues and new threat indicators are identified.
Collecting Investigation Packages
Microsoft Defender ATP packs several features to assist in security investigations. The MDATP timeline provides valuable information before, during and after an incident that includes events such as process executions, network connections, file and registry changes, etc. Additionally, there is an “Investigation Package,” as Microsoft calls it, to gather network artifacts, event logs, prefetch, process executions, etc., from endpoints. This package collects over 70 artifacts that Optiv’s incident responders can quickly obtain and analyze to assess the situation level of impact (if any) to the organization. The packages can be collected from MDATP enrolled Windows devices via the MDATP console or using the API. Some of the items collected in this package include the following:
|SMB Sessions||Temp Directories||Installed Programs|
|Scheduled Tasks||Users and Groups||Network Connections|
|Security Event Logs||Prefetch Files||Services|
In some cases, the Investigation Package is not enough and more information is needed. Optiv can leverage the Live Response capability for remotely accessing systems to collect incident-specific artifacts as well as to deploy and execute custom scripts that collect and parse Windows artifacts that are not automatically collected by MDATP. This process essentially puts us at the keyboard of the compromised system to perform live host triage analysis. Live response enables Optiv consultants to analyze volatile evidence from compromised hosts that would otherwise be lost.
Data Analysis Using Advanced Threat Hunting
Optiv leverages the MDATP Advanced Hunting tool for searching across the environment for known indicators of compromise (IOC) or suspicious behaviors to detect intrusions, assess impact and uncover key evidence to contribute to the investigation. Advanced hunting is based on the Kusto query language, which supports one or more statements and at least one tabular expression statement. This enables Optiv to use analytical data analysis techniques such as stacking, sorting, grouping, etc., to find anomalies or key evidence contributing to the investigation. An expression-based query language also allows us to perform frequency analysis and conditional statements to narrow in on relevant events while excluding normal events.
Optiv’s experienced incident responders utilize Advanced Hunting to review Windows artifacts at a scale that is commonly observed with persistence, lateral movement, credential theft, remote access and data exfiltration techniques. Optiv’s Incident Discovery service leverages the MITRE ATT&CK framework as a foundational component of our process to hunt in our clients’ network for artifacts indicative of adversarial tactics and techniques. Combining our Enterprise Incident Management team’s extensive experience responding to incidents with the power of Microsoft’s Advanced Hunting as well as the wealth of intelligence captured by the ATT&CK framework, Optiv consultants can thoroughly analyze an environment for threats that have yet to be identified through traditional means. The MDATP Advanced Hunting data schema includes tables for alerts, device information, process executions, network connections, registry changes, logon events, file metadata and more to thoroughly examine a device of interest or analyze telemetry across the organization.
Containment and Remediation
There are multiple features within MDATP that can assist in later phases of incident response, such as containment, eradication and remediation. These capabilities include host isolation, file quarantine and blocking process executions. Having access to a tool that can facilitate these actions dramatically enhances the efficiency of incident response. Further, these are functionalities that can be automated through security orchestration, complementing traditional SOC operations in addition to digital forensics and incident response.
Host isolation is a preferred and recommended technique to prevent potential lateral movement of a threat if there are indications of an active network intrusion by denying attackers a secure means of navigating from system to system as they act on their objectives. During the response process, the Optiv team works with our clients to isolate potentially compromised hosts directly from MDATP without compromising the integrity of volatile data or necessitating human interaction to pull cables manually. This isolation and network containment can be tactically timed early in the response if there is a higher immediate risk to the entire organization or performed later in the response process in line with strategic plans to minimize risk to ongoing operations.
Denying malware or adversary tools the ability to execute, automatically quarantining any associated binaries and isolating a host upon detection are important steps that incident responders need to take quickly in order to contain a threat once it has been identified. If a new variant of malware spreads across the organization, MDATP can be configured to block malicious process executions, quarantine the malicious files, isolate impacted endpoints and generate alerts for any future instances via custom detection rules. MDATP custom detection and isolation rules utilize the same Kusto query language and data schema as Advanced Hunting, greatly expanding the potential use cases for automated response.
As an example, assume that Optiv is responding to an active compromise with behavioral indications of an Advanced Persistent Threat using specific living off the land attack techniques. MDATP allows responders to create a custom detection rule that is based on attackers’ tools and techniques, rather than on ephemeral threat indicators such as hashes. A visual example is presented below. When this example rule is triggered by matching behaviors, MDATP will automatically take pre-defined containment actions. Optiv recommends thoroughly testing custom rules, especially those that may impact critical endpoints, before implementing.
In this example, upon detection, we would block the process execution, isolate the endpoint, collect an investigation package and run a full anti-virus scan.
A Strong Competitor for Windows Endpoint Security
There are far more capabilities with MDATP that we have not mentioned in this article that also provide value such as Vulnerability Management, Next-gen Anti-virus, automated investigations, web content filtering and integrations with other apps like O365 and Skype. Where MDATP falls short is not having the full spectrum of features with MacOS and Linux operating systems. Today, MDATP supports MacOS and Linux with effective endpoint monitoring but does not include features like investigation package, host isolation and live response. Microsoft frequently releases updates to the MacOS and Linux offerings, including new features. We expect to see more advanced capabilities within the next year.
For any organization using Azure/Active Directory, deployment and configuration can be accomplished much faster than competitors due to Microsoft’s baked-in implementation of MDATP within the Windows Operating System. Group Policy, SCCM, MDM/Intune and Microsoft Endpoint Configuration Manager are examples of common deployment methods used to onboard devices to MDATP. Optiv’s experienced security architects and engineers can support the planning, deployment and configuration of your MDATP instance. Microsoft also provides online guidance to prepare, setup and onboard your organization.
Integrations and Possibilities With API
With MDATP API Explorer and API for SIEM integration, detections from MDATP can easily be configured to today’s SIEMs and used in logic apps for hunting, reporting, or prioritizing responses. The API is capable of executing hunt queries, getting alerts, isolating machines, collecting investigation packages, restricting app execution, blocking and quarantining files and more. These capabilities of the API can also allow for orchestration of incident response procedures. Using the API to collect alert and network telemetry can enable advanced analytics and custom dashboards, such as what we have illustrated in the Aligning Defender ATP Alerts to MITRE ATT&CK blog series.
We’re Here For You
As a complete security solutions integrator, Optiv will continue to be cybersecurity solution and technology agnostic. When it comes to Incident Management, our consultants have experience using a plethora of endpoint security tools, including Microsoft Defender ATP, Carbon Black, CrowdStrike and NetWitness. We do not pick sides nor solicit one tool over another. Still, as illustrated in this article, with Microsoft Defender ATP, Optiv is well equipped to discover, respond, contain and remediate intrusions and malware.
Incident Response and Management
Our Enterprise Incident Management solutions help prepare, validate, support and lead your Incident Response and Management Program. Our team has years of experience and expertise in dealing with digital forensic investigations and advanced threat actors. We have helped large and small organizations alike prepare their plan and tactical response to threats.
Our seasoned malware reverse-engineers, investigators and incident responders are here to help your organization prevent attacks, uncover hidden indicators of compromise, reduce your attack surface and respond to incidents should they occur.
Copyright © 2020 Optiv Security Inc. All rights reserved.
No license, express or implied, to any intellectual property or other content is granted or intended hereby.
This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information.
Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards.
Complaints / questions should be directed to Legal@optiv.com