Leveraging threat intelligence to investigate suspicious activity

At this point, there should be no doubt that feeding threat intelligence into your detection system is essential. The next question is how to take advantage of this information when responding to a security incident. While the Blue Team works primarily on the defense system, it also collaborates with the incident response team by providing the data that leads them to the root cause of the issue. If we use the previous example from Security Center, we could simply hand them that search result, which would be sufficient to identify the affected system. But identifying the system that was compromised is not the only goal of an incident response.

At the end of the investigation, you must answer at least the following questions:

    • Which systems were compromised?
    • Where did the attack start?
    • Which user account was used to start the attack?
    • Did it move laterally?
      • If it did, which systems were involved in this movement?
    • Did it escalate privilege?
      • If it did, which privileged account was compromised?
    • Did it try to communicate with command and control?
      • If it did, was it successful?
        • If it was, did it download anything from there?
        • If it was, did it send anything there?
    • Did it try to clear evidence?
      • If it did, was it successful?

These are some of the key questions that you must answer at the end of the investigation. Answering them helps you truly bring the case to a close and be confident that the threat was completely contained and removed from the environment.
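To show how these questions can be answered from telemetry rather than by hand, here is an added Python example (not code from the book or from Security Center). It walks a small set of constructed, normalized events in time order and fills in each question from the checklist: the compromised systems, where and under which account the attack started, lateral movement hops, privilege escalation, command-and-control attempts and whether data went in or out, and evidence clearing. The `Event` fields, the event `kind` names and the sample hosts, users and the 203.0.113.10 address are all assumptions made for the example; they are not Security Center's schema.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Any


@dataclass
class Event:
    """One normalized security event. Field names are an assumption for this
    example, not the schema used by Security Center."""
    time: datetime
    host: str
    user: str
    kind: str                # logon | remote_logon | priv_escalation | c2 | log_clear
    detail: dict[str, Any] = field(default_factory=dict)


# Constructed sample telemetry for a small, fictitious intrusion (not real data).
SAMPLE_EVENTS = [
    Event(datetime(2017, 9, 30, 9, 0), "WS01", "alice", "logon", {"source": "local"}),
    Event(datetime(2017, 9, 30, 9, 5), "WS01", "alice", "c2",
          {"dest": "203.0.113.10", "success": True, "bytes_in": 0, "bytes_out": 4096}),
    Event(datetime(2017, 9, 30, 9, 10), "SRV02", "alice", "remote_logon", {"source": "WS01"}),
    Event(datetime(2017, 9, 30, 9, 12), "SRV02", "alice", "priv_escalation",
          {"target_account": "DOMAIN\\svc-backup"}),
    Event(datetime(2017, 9, 30, 9, 15), "SRV02", "svc-backup", "log_clear", {"success": False}),
]


def investigate(events: list[Event]) -> dict[str, Any]:
    """Walk the events in time order and answer each investigation question."""
    if not events:
        return {"compromised_systems": [], "attack_start": None}
    ordered = sorted(events, key=lambda e: e.time)
    first = ordered[0]
    report: dict[str, Any] = {
        # Every host that appears in the correlated events is treated as touched.
        "compromised_systems": sorted({e.host for e in ordered}),
        # The earliest event answers "where did it start" and "which account".
        "attack_start": {"host": first.host, "user": first.user, "time": first.time.isoformat()},
        "lateral_movement": [],        # list of (source_host, destination_host)
        "privilege_escalation": [],    # accounts the attacker gained
        "command_and_control": [],     # one entry per C2 attempt
        "evidence_clearing": {"attempted": False, "succeeded": False},
    }
    for e in ordered:
        if e.kind == "remote_logon":
            report["lateral_movement"].append((e.detail["source"], e.host))
        elif e.kind == "priv_escalation":
            report["privilege_escalation"].append(e.detail["target_account"])
        elif e.kind == "c2":
            ok = bool(e.detail.get("success", False))
            report["command_and_control"].append({
                "host": e.host,
                "dest": e.detail["dest"],
                "success": ok,
                # Only a successful channel can have moved data in either direction.
                "downloaded_data": ok and e.detail.get("bytes_in", 0) > 0,
                "sent_data": ok and e.detail.get("bytes_out", 0) > 0,
            })
        elif e.kind == "log_clear":
            ev = report["evidence_clearing"]
            ev["attempted"] = True
            ev["succeeded"] = ev["succeeded"] or bool(e.detail.get("success", False))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(investigate(SAMPLE_EVENTS), indent=2, default=str))
```

In practice the events would come from the Security Center investigation map or from your log store rather than from an in-memory list, but the shape of the answer is the same: each checklist item maps to one kind of correlated event, so a missing answer points at a gap in the telemetry you are collecting.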

You can use the Security Center investigation feature to answer most of these questions. This feature enables investigators to see the attack path, the user accounts involved, the systems that were compromised, and the malicious activities that were done. In the previous chapter, you learned about the Security Incident feature in Security Center, which aggregates alerts that are part of the same attack campaign. From that interface, you can click Start Investigation to access the Investigation dashboard, as shown here:

The investigation map contains all entities (alerts, computers, and users) that are correlated with this incident. When you first open the dashboard, the focus of the map is the security incident itself; however, you can click on any entity and the map will expand with the information that is correlated with the object that you just selected. The second part of the dashboard has more details about the selected entity, which include:

  • Detection timeline
  • Compromised host
  • Detailed description of the event
  • Remediation steps
  • Incident stage

In the following example, the security incident was selected on the investigation map, and this is the information available for this entity:

The content of this pane varies according to the entity selected on the left (the investigation map). Note that for the incident itself, some options are grayed out, meaning they are not available for this particular entity; this is expected.

Watch one of the authors of this book, Yuri Diogenes, demonstrating how this feature works at Ignite 2017 in Orlando at https://blogs.technet.microsoft.com/yuridiogenes/2017/09/30/ignite-2017-azure-security-center-domination/.