The next evolution of automatic attack disruption
[Show theme music] HEIKE RITTER: Hello! Welcome, everyone, to a special episode of the "Virtual Ninja Show." Today we are going to talk about the next evolution of automatic attack disruption, and I have two experts with me: Noam and Yair. And my name is Heike, and I will be your host. So let's start. Noam, please introduce yourself.
NOAM HADASH: Hey, everyone. My name is Noam. I'm a principal product manager at MDE. YAIR TSARFATY: My name is Yair Tsarfaty, and I'm an principal security research manager at Microsoft Defender for Endpoint. HEIKE: So today was a super-exciting day for your team because we just published a blog around all these new capabilities that will help the defenders to even defend better against human-operated attacks. So, in a nutshell, Noam, can you explain what has been introduced or what has been announced today? NOAM: This is really an exciting day. We've just announced a set of really awesome capabilities that are truly going to bring value in protecting our customers and increasing the value we can bring them to stop human-operated ransomware and human-operated attacks in general.
The ability to bring org-wide protection and automatic machine speed capabilities is truly something that customers desire, need, and ask for us continuously. And that is what we've delivered today, to be able to automatically detect the machine speed not only to the fact that the attack is occurring but really pinpoint the specific assets used by those attackers and being able to target those assets in a way that both blocks them from maneuvering and continue on that attack and at the same time doing it while continuing the regular productivity and customer trust we so desire. And not only that, we've also announced the ability to do that much sooner in the kill chain. So, no need to wait for the attack to actually get to the impact stage.
We are actually now able to incriminate and act much sooner in the kill chain. And not only that, being able to do so in a way that both evicts the attacker and really automatically pinpoints all of the other assets that the attacker already has in their end and contain those, as well, the combination of all of which is really going to bring value to our customers and be able to evict the attackers and get to a point where a ton of those attacks, which thus far were in many cases a game-over kind of thing, will come to a point where very little [Indistinct] will come to our customers. HEIKE: So, we also call it the next evolution because we already have attack disruption today.
And for everyone who doesn't know about it, you can go back to our YouTube playlist [bell rings] and watch the episodes that we already did around this topic. And today, this is exciting, because it's actually stopping an attack at a much earlier stage, and we want to learn everything about it. So, I think there is...they're not official names,
but we have four capabilities that are part of that big announcement. And the first one, again, it's not an official naming, but the first one is around lateral movement. And maybe, Yair, can you explain a little bit why this is especially from a research perspective from what you do all day long is such an innovation and something definitely totally new versus how it is being done as of today? YAIR: Yeah, sure. This capability is something that really differentiates because it's industry led, and no other competitor has it, because to stop a lateral-movement attack defenders can today go manually to Active Directory and disable the user account there or automatically through automatic attack disruption, because we already have this capability. However, this is not enough. Why? Because when you disable an account in Active Directory, there is still existing Kerberos tickets that might exist in a way that the attacker might already have logged on to some devices or asked the KDC, the key distribution center, for a Kerberos ticket, and it will remain valid until for some time.
So for that... HEIKE: So that means if a user is already in a session and doing something, and now you disable their account, no new account activities can happen or, like, a new login, but that one session or that maybe two or three, whatever the user has is active? YAIR: Yes. HEIKE: And the attacker can continue to do what they're doing. YAIR: Exactly. They can be maybe already connected to some devices, already obtain some tickets so they can log in to the devices that already issued the Kerberos tickets for them.
So... HEIKE: So, and what are you doing now? YAIR: Yeah. So in order to tackle this problem, what we're doing, we are doing an inline security policy on each device in the network, because we are distributing policy to all Microsoft Defender for Endpoint agents. And these are able to protect themselves from any activity inline, near real time. So, by the time that the user is trying to log in or reuse Kerberos tickets, we are not dependent at all on Active Directory, but we are in line, we can terminate and can deny this login attempt.
HEIKE: Wow. Okay. So, meaning all these sessions are then being terminated, and the attacker can't keep moving laterally. That's awesome. But, that's only one. So, Noam, the second one, if I'm not mistaken, is about pre-ransomware incrimination. I don't know if they have an order, but at least I for myself wrote them in this order.
So what is the second one about? NOAM: So, completely, Heike. I think one of the things we learned that while we can and are bringing in a ton of value in really stopping and containing attacks automatically at the impact stage, the impact that we can bring to customers by doing it much sooner is immense. Our goal and our design and what it is that we've announced here that we are actually are rolling out the ability to automatically not only incriminate the fact that there is an attacker in your organization, working hands on keyboard in the environment, but also automatically identify the compromise entities leveraged by that attacker. By containing the attack much sooner, long before it actually got to the impact stage, not only are we limiting the scope and impact the attacker can do, but we're also limiting the attack paths that the attacker can possibly route to and the additional assets it might compromise, as well. And then, really reducing the level of impact in general that our customers might impact. HEIKE: Wow.
I mean, you know everybody is scared. Ransomware, and then especially human-operated ransomware, it's really, yeah, disrupting a customer and organization, and us disrupting them in this earliest stage as possible is just amazing. And I know we just talked about the second capability.
The third one is about eviction capabilities. What's that about? Who wants to take that? YAIR: Yeah, I can take this. So, as I said before, an attacker might already have some presence on some devices. It can be connected already with Remote desktop, for example, and maybe as some present on some SQL Server or Exchange or even the domain controller. What we can do with this capability is, we are also identifying which active sessions are available and which active sessions are in possession of the attacker within the same compromised identity and terminate them altogether at the same time in real time. So, this is very amazing, and this is a starting point to start evicting the attacker from the network, not just Remote desktop, but it can be also SMB sessions, for example, if the attacker is connected remotely and starts maybe exploring the File Explorer and browsing the file system.
We can also terminate the session. It's at near real time. HEIKE: Wow. Okay. Thank you. So then I think here, Noam, the last one goes to you again, pivoting capabilities. NOAM: In a lot of attacks, the attackers don't only have just one compromised entity in their possession, and just blocking that will indeed contain this specific entity, but we've not stopped the attack in general. And that is why we saw such importance in really understanding not only what is the one entity that we're currently seeing doing the malicious activity but also automatically pivot from that entity to all of the other entities already in the possession of the attacker and are compromised and being able to put in force or put in place all of those amazing capabilities we've just discussed and enforcing the those not only on this original compromise entity but also automatically discover all of those additional ones and contain those, as well.
And by doing so, not only stopping this one technique or the one mechanism we're currently seeing but stopping the attack in general. And again, bringing to the org-wide level protection and not just one specific entity protection. HEIKE: And I think all of this, we call it "contain the user," right? So, this is all very user specific, but it is actually on the endpoint. So, what people need to do is have Microsoft Defender for Endpoint hopefully onboarded their devices, too, and then it will be on by default.
When we talked about this episode, Noam, you also mentioned, yes those are the four capabilities. Of course, this is a lot of technology in the background a lot of logistics and research and all these things on the back end. But, there's also something within the portal new that customers can use and see more than before.
What is all of that? NOAM: Yeah, completely. So, I think when we started rolling this capability out and started having the interaction discussion with our customers in the rollout phase, the main comment we constantly get is, "Listen, this thing is amazing. The protection that it brings, the ability to stop real attacks out in the world.
Like, we haven't mimicked attacks, we've seen real-life attack groups encountering these capabilities and being truly blocked." And at the same time one of those comments was, "Listen it's amazing that I can see you are blocking that, but I would truly love to have the ability to investigate deeper, to learn deeper as to what exactly it is that attack disruption not only triggered but also blocked, really in the environment understanding what it is the attacker tried to do and was blocked by attack disruption." And because of that, for a contained user, we have already also enabled the capability in the portal to both see and have dedicated alerts into what it is that we have actually blocked being correlated to the incident, the related incident with a dedicated tag called "Attack disruption." And secondly, every blocking event that we have done via attack disruption in contained user is also visible and available for our customers in Advanced Hunting.
You can query everything. You can investigate everything, and you can see the full scope of the attack, both on the incident page and dedicatedly in advance, something where you want to dip deeper. HEIKE: And then, within the alert, I think you can, or I don't know if it's in the alert, but you have full transparency of what actually happened.
It is not just, okay, this user was disabled or this was terminated, but you can, you see the full picture of what we saw in order to react in the way that we did. And then, you mentioned also there is an option to release a user. Basically, if automated attack disruption disabled a user, you can now release that user again. One thing I also want to mention, because the question comes up a lot, we said okay, you need to have your device onboarded to Defender for Endpoint. You do not have to have the AV as an active, as your active antiviral solution, but of course we recommend it, but it is not one of the prerequisites. I know that the question comes a lot.
This is a lot, and I think to really digest it much better, I suggest we go into a demo and see it working end to end. NOAM: We've actually set up an environment framework similar to what it is we've seen in a ton of our customers' environment to really mimic what real hands-on-keyboard attacks look like. We'll start off the attack, but what it is we're unfortunately are seeing so many times out in the wild where the attacker gains access to an internet-facing, non-MDE onboarded devices, where they will begin the attack by already gaining its first domain admin account that will be called here "Alice." And the attack will begin by that. HEIKE: Okay, thanks for the setup. YAIR: Yeah, so the attack starts by what we are seeing very commonly in human-operated attacks by creating an additional set of domain admin credentials called "Backup," in this case.
And this is the way for the attacker to create an additional set of credentials to maybe use them later if something went wrong with the primary credential, Alice. And then, the the attacker is going to connect over Remote desktop to the domain controller. Usually in attacks, this is a game-over moment. The attacker is now a domain admin. The attacker is now controlling the domain controller.
He is now able to do whatever he wants. And now, let's see in just a few seconds how it looks differently when attack disruptions kick in. So, what we see in the left that the attacker is using M packet, a very common attacker framework that is used in in the wild by many attackers, that starts by dumping credentials remotely to gain more privilege to additional domains and other computers. And then, this specific activity was blocked by the antivirus, for instance. But we can see that, for example, the way my command could have been executed correctly. And this is exactly the point where we incriminate the activity, and the policy's distributed and disruption kicks in.
As you can see, the attacker is evicted from the domain controller from the Remote desktop session. This is the first step toward evicting attackers from the network. And this is a critical capability because there is no other solution in the on-prem environment to do that. Now, the attacker is trying to reuse the credentials.
Maybe something went wrong and trying to re-log in with Alice, and you see that it cannot log in. It can see this error that's saying that there is some restriction for the logon. HEIKE: So, I would assume next up is trying to use the backup account.
YAIR: Actually, not yet, Heike, because the attacker now understands that the Alice credentials are probably compromised and wants to move as quickly as possible to the remote encryption phase. So, he's still going to try to use the Alice credentials in order to remotely encrypt the devices, but as you remember, all the security policy, protection policy distributed already to across all Microsoft Defender for Endpoint instantly to provide organization-wide protection rather than single-device protection. So, the activity happened on several devices or some endpoint or some domain controller, but we are distributing the policy to the entire organization in order to protect everyone, because we predict that the human-operated attack will happen.
And this is the moment, actually, where Alice understands that the remote encryption failed and now is trying to move to the backup domain account. If you remember, the attacker created backup credentials as a domain admin and never used them before. This is the first time the attacker is going to use the backup account. And that it's still going to fail because we identified already, using our pivoting capability, that the compromised user is associated with this backup account and also incriminated that, because we identified all the attacker's assets over the network and contained all of them.
So, this is really interesting because no activity ever happened with this backup user. HEIKE: Yes. Not only from the attacker, but that account wasn't even existing before. So...
YAIR: Yeah, just created and that's it. No one logged in. HEIKE: Yeah. YAIR: No one did any activity with that. And then, this is the moment where I say, okay, what's going on? I just created a backup. Let's try to reconnect to the domain controller using the backup.
And again, whoa, what happens? I am a domain admin: Why can't I connect to the domain controller with domain admin? This is very strange and interesting. Now the attacker is trying to again create new domain admin credentials. The same command that worked before, trying to create a new set of credentials called "backup2," in this case. And this is actually being blocked because we are blocking and providing identity protection, as well, and limiting the attacker's capability to create an additional set of credentials. We are basically shutting down all the attacker's capability to move laterally in the network and basically not allow him to do any kind of lateral movement activity and evicting the attacker from the network completely. HEIKE: Wow. Okay.
This is impressive. NOAM: And just think about it, Heike: If only that one initially used device was also onboarded, this wouldn't have just ended by us containing the attack. We would've been completely evicting the attacker from the entirety of the network. So, albeit the attacker might really have this one initial or two domain admin accounts, it would still be completely locked out of the network. So it's not just only like limiting the impact but truly evicting the attacker, automatically, at machine speed.
YAIR: I want to add to that, this is organization-wide protection. This is why onboarding every single device in the network is contributing to the protection of all the devices in the network. Because the attackers are targeting the least protected devices.
It's enough to have one device that's left without Microsoft Defender for Endpoint. And if that this device is going to be targeted, then we are missing opportunity to detect and incriminate the attack at an early stage. And by detecting and incriminating an attack in the early stage, we are able to provide and distribute policy across the entire organization and protect the entire organization from attack that might happen very soon.
HEIKE: Yeah. What are these policies that you're talking about that are being pushed on the clients? NOAM: We have worked really hard throughout the role of this capability to really learn and understand throughout hundreds of different attacks that we've actually analyzed as to how attackers are actually performing their attacks. And we've made sure those policies are intelligent by nature, meaning we're both doing it in a way that is targeting attackers while really limiting any possible impact that we can for regular day-to-day behavior. And secondly, we are doing it granularly, targeting the specific protocol mechanism and techniques leveraged by attackers but trying to not block and continue to allow regular, day-to-day work. HEIKE: Okay. So, it's not causing any friction with users and customers from your preview customers.
They were all happy with what you disable and allow? How is that feedback there? NOAM: Oh, completely. Enthusiasm was shown throughout every conversation. And really, the ability here to minimize it. It's not that we're, like, there's zero friction, but we are minimizing it to the bare minimum while bringing to the maximum the impact it has on the attack. YAIR: Yeah, from a technical perspective, we're focusing on the lateral movement protocols, that there're actually the attackers that what we see in human-operated attacks are using and limiting only to restricting activity over these specific protocols and adding to that capabilities to evict and terminate active sessions of the attacker using such protocols.
HEIKE: I know that we wanted to continue with the demo and show the portal experience, but we already have a lot of content here. So, I think everybody can of course go into the portal because as of today, this is available and on by default. So, hopefully nobody actually has such an attack, but the buttons and the functionalities are already working for everyone. Also, something to mention is, yes, we were talking about this being a Defender for Endpoint capabilities not "is more," "are" four, but of course, we encourage everyone to also onboard yes to Endpoint, but then Defender for Identity and Defender for Cloud Apps and so on.
Because the more signals are coming in from the different Defenders, the richer is your incident and you get more insights. Maybe it came from a phishing attack or from something else. So, of course this is the richest if you have the full Microsoft 365 Defender Suite.
And lastly, because we already explained a lot and talked a lot, but we want you to get the most out of it, which means we have three calls to action: Do an org-wide protection, meaning onboard all your devices to Defender for Endpoint. You saw in this attack how easy it is to get on a device, and not being protected there is not a good start for the defenders. And then, update your devices, because we are continuously evolving our technologies, and sometimes they're dependent, of course, of the OSs.
So please keep updating your devices to always be on the latest build. So yes, these were our three calls to action for you. I want to thank my experts on today's show for preparing, presenting. If you want to learn more about these new capabilities, go read the blog post. And, of course, come back when it's about the next season of the "Virtual Ninja Show," and we will bring back the plush ninja cat giveaways.
So, hope to see you all. Until then, bye. [Show theme music]
2023-10-19 06:13
