Microsoft Detection and Response Team (DART) AMA

Some of the frequent things we find missing in todays landscape is: 1. Lack of Incident Response plan - Doesn't have to be a million steps, but it needs to have procedures in place that are clear and direct. SOC analyst calls lead to get the alert or suspicious behavior looked at with another set of eyes, then a flow chart based on decisions from there. Actors are getting faster, however they are usually signs of compromise 30-60+ days before the investigation starts. 2. Recovery only needs to happen after an incident. Lets build more on proactive measures! MFA everything, password-less login, Windows Hello. As remote work has turned into the norm, many IT providers have put solutions in place fast to enable workers. This fast pace usually cuts security corners sometimes, as they may not have MFA on VPN. 3. Someone will always click the email. Credential tiering helps cut off the lateral movement possibilities and privilege escalation. Losing an end users workstation should not lead to a full domain compromise.

Know your business applications and their dependencies. When we ask you to take down a SQL Server because of an indicator of compromise, what's going to be the impact? What applications will be unavailable to your organization? Do you know all of your service accounts and their passwords? What would be the level of effort to reset those passwords?

How Can I Become A Member Of DART?

Conditional access for sure! Hopefully these devices are onboarded to Defender for Endpoint. From an incident response perspective, getting personal devices when there's a compromise is going to be a tough one... so when it gets to that point you probably want to have a discussion with your legal team.

For Azure Virtual Machines, reviewing alerts in Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-incident. The reason you might not be seeing the subscription is your account might not have the rights to see the subscription, a Global Admin may have access to the subscription so I would recommend you ask a global admin in your org to see if they are able to see the subscription: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

In some cases, there could be subscriptions that cannot be seen by Global Administrators. Therefore, they must elevate their access to be able to see and manage those subscriptions which may explain why you couldn't see it. Here is a good overview: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin. This is a common tactic that we've seen. With those credentials they typically create a very expensive VM for coin mining and footing you with the bill or use that as a launching point for other attacks.

Have a playbook to follow -- identify your requirements and needs before an incident strikes. What are your requirements to gather a disk image or triage data? What tools do you need, and do you have them ready? What stakeholders need to be made aware, for legal and compliance reasons? Do site managers know what they need to do to actually acquire the evidence you need? Plan ahead so that execution can be efficient. It probably won't be perfect even then, but it'll still get your team answers faster. As for live triage vs. deadbox analysis, abide by organizational/evidence preservation/legal and compliance requirements first 🙂 That said, live triage data can be collected and analyzed much more quickly than a disk image can be obtained...

Live Triage is the way to go, it's fast and aligns best with business objectives of least impact to business downtime. Most data on computers isn't forensically/threat hunting relevant. Disk Images are usually necessary if you are trying to carve for a file no longer on disk or litigation/lawyers come in. One key thing to focus on is employees who know how to use 5 tools well are more well prepared to defend vs throwing 10 shiny tools at them. On many engagements we see customers with all the tools, but the security folks aren't well versed in how to use them or don't gain a deep enough understanding as they are switching between tools/portals.

Identity is the mechanism by which most attacks execute on their objectives. They may get in several different ways; however, the real question is how did they privilege escalate from a normal user to a privileged user? So making sure you are implementing identity detections is key to stitching together the various artifacts into a true attack timeline.

Hi Nathan, could you please clarify your question here "What can be done to improve the speed at which Microsoft reacts to a breached O365 Customer?" Are you rereferring specifically to DART or Microsoft in general?