Category: Infosec

Threat Hunting on SQL Server with Azure Sentinel

For years Microsoft SQL Server has served as a backbone of critical applications for enterprises. Due to the critical nature of the data stored in SQL Server databases, it has always been a point of interest for internal or external adversaries and one of the primary targets for exploitation.

 It is important to monitor all your SQL database instances and servers for any sign of threats.

Last week I posted a detailed blog post on Monitoring SQL Server with Azure Sentinel on the official Microsoft Azure Sentinel blog. The post covers how to ingest logs from SQL Servers running on VMs, parse the logs into a readable format, and then run various hunting queries and create alerts.

You can read the detailed post here.

The parser and hunting queries are also uploaded to the Azure Sentinel GitHub repo.




My Session at Economic Times–Microsoft Security 360 Conclave

ETCISO.in and Microsoft organized a one-day conclave to enable CISOs to enhance their security stance in the era of flux and transformation. The conclave served as a platform for top CISOs and security experts to deliberate on the latest opportunities, challenges and trends in the enterprise cybersecurity space.

It was really speaking at this event on “Top Security Myth busters”, which was all about various myths within the security community and in organizations about their internal cyber security, compared with what happens in reality. This session also had some demos of some of Microsoft’s investments in threat detection and remediation capabilities across Email Security, Endpoint Security and Identity Protection.

If you happened to attend this event in person,  I really hope you liked it.

If you couldn’t attend in person, the sessions were streamed live and are now available on demand below.

My Session starts at ~ 4:28:00

Cheers,

Iftekhar



My Session at Digital Governance Tech Summit 2019, New Delhi – Security Considerations for Moving to Cloud.

Digital tech

I’ll be speaking at Digital Governance Tech Summit 2019, New Delhi on

“Security considerations while moving to the cloud” – 1615 Hrs, 27th August 2019


In this session, learn about the various security considerations organizations need to make while moving to the cloud, and the shared responsibilities between the cloud provider and end customers.

If you happen to be participating in this conference, please do stop by and say hi.

There are other great sessions in this conference presented by elite Microsoft speakers and other industry veterans, such as the keynote by Ananth Maheshwari, President Microsoft India and Amitabh Kant, CEO, Niti Aayog, Govt of India.

You can find the entire list of sessions and tracks here.

I look forward to having some of you in the session and discussing more about your secure cloud journey.

Cheers

Iftekhar




Best Practices in configuring Office 365 Anti Phishing Policy

Office 365 Advanced Threat Protection enables an additional layer of protection against malicious URLs, malicious attachments and phishing campaigns.

In my previous posts we talked about these configurations. Please click on the hyperlinks below to see those posts.

1. Best practices in configuring Office 365 Safe Attachments

2. Best Practices in configuring Office 365 Safe Links.

Today we’ll take a look at the anti-phishing policies which can be configured in Office 365 for protection against:

  • User Impersonation
  • Domain Impersonation
  • Domain Spoofing

User Impersonation: The User Impersonation configuration allows an organization to list its top executives, like the CEO, CFO, Directors etc. Any email arriving with the exact same display name and going to users will be quarantined or delivered to Junk, as per the configuration.

Domain Impersonation: The Domain Impersonation configuration protects against emails coming from typosquatted domains similar to yours. For example, if your organization’s domain is Contoso.com, attackers may send emails after registering similar looking domains like Cont0so.com, Contoso-inc.com etc.

Domain Spoofing: The Domain Spoofing configuration enables domain authentication such as SPF, DKIM and DMARC to be enforced, validating the origin of emails against the From address, and blocks, quarantines or junks those emails which fail authentication.

I have created this step-by-step video tutorial of the recommended configurations of Anti Phishing Policies in Office 365 Advanced Threat Protection.

Hope you like the videos, please do subscribe to the channel to be updated with future tutorials.

Cheers




Best Practices in configuring ATP Safe Link Policies in Office 365

One of the major attack vectors used by threat actors is sending emails with malicious URLs. These emails, which carry no malicious attachments, usually have luring text that encourages users to click on a link to take some action and then takes them to a phishing URL or a webpage with malicious content.

For example, the email below looks like it has come from Microsoft and asks users to click on a URL which would lead to

Email

Office 365 Advanced Threat Protection provides the Safe Links policy, which protects users at the time of click by verifying the URL against threat intelligence for any phishing page or malicious content.

Please watch this video on how to configure Office 365 Safe Links with recommended configurations.

If you want to see a quick demo of how Office 365 Safe Links works, check out the following video.

Cheers.




Best Practices in Configuring Office 365 ATP Safe Attachments

Security and end user experience don’t often go hand in hand; the art is to find the right balance.

I often get asked how I should configure my Office 365 Advanced Threat Protection Safe Attachments policy to achieve maximum protection against modern day threats such as zero-day exploits, macro-based trojans and other specially crafted malicious attachments.

In this video, we’ll go through some of the recommendations on configuring ATP Safe Attachment policy in Office 365.




Domain Spoofing – Making things difficult for an attacker

Phishing emails come in many shapes and forms. Here are the various forms of phishing organizations are currently struggling with:

Types of Phishing

1. Domain Spoofing – In this type of phishing, the email’s From address indicates it has come from a reputable domain like Microsoft, Google or PayPal, or often the organization’s own domain, but it has not really originated from their servers. Attackers spoof the domain to make the message look like a legitimate email from these companies and ask recipients to perform a task such as verifying their account (to harvest credentials), downloading and installing a malicious file, or visiting a malicious webpage.

2. Domain Impersonation – In this type of phishing, the attacker registers a domain that looks similar to your organization’s or to a major brand’s, such as Microsoft. For example, if your organization’s domain is Contoso.com, attackers would register domains like c0ntoso.com, Cont0so_.com etc. and then send emails from these domains to your users, asking them to carry out a transaction, click on URLs or open an attachment. Users who are not paying attention would never be able to differentiate between the organization’s original domain name and the “typosquatted” domain the attacker is sending these emails from.

3. User Impersonation – In this type of phishing, attackers use the names of top executives like your CEO, Director or CFO, send email to their subordinates or to other groups of employees, and ask them to carry out a high-value activity. These executives carry high authority that is often not questioned, and hence employees fall for it without verifying the identity of the sender or the intent of the email.

While this is not an exhaustive list, attackers also use combinations of the above techniques to increase their chances of successful exploitation.
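As a defensive illustration of the domain impersonation case above, this added example (not code from the original post) flags sender domains that imitate a protected domain such as the Contoso.com variants mentioned. The function names, the small look-alike map and the thresholds are assumptions chosen for the sketch.

```python
import unicodedata

# Small illustrative look-alike map (assumption); real deployments need a fuller table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(label):
    """Fold case, accents, digit look-alikes and filler characters out of a label."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    return "".join(c for c in text.translate(CONFUSABLES) if c not in "-_")


def edit_distance(a, b):
    """Levenshtein distance, kept inline so the example has no dependencies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def main_label(domain):
    """Label left of the TLD (simplification: ignores suffixes such as co.uk)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) > 1 else parts[0]


def classify_sender(sender_domain, protected_domain):
    """Classify a sender domain relative to one protected domain."""
    sender = sender_domain.lower().rstrip(".")
    own = protected_domain.lower().rstrip(".")
    if sender == own or sender.endswith("." + own):
        return "own-domain"      # spoofing case: left to SPF/DKIM/DMARC checks
    cand, ref = skeleton(main_label(sender)), skeleton(main_label(own))
    if cand == ref:
        return "lookalike"       # e.g. c0ntoso.com, Cont0so_.com
    if ref in cand:
        return "brand-embedded"  # e.g. Contoso-inc.com
    if edit_distance(cand, ref) <= 1:
        return "lookalike"       # one typo away, e.g. contso.com
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders, taken from the variants named in the text.
    for d in ["Cont0so.com", "c0ntoso.com", "Cont0so_.com", "Contoso-inc.com",
              "mail.contoso.com", "fabrikam.com"]:
        print(d, "->", classify_sender(d, "Contoso.com"))
```
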

In this post, we’ll talk about Domain Spoofing in detail:

Spoofing a domain and its reputation has been in existence for ages, and with the advent of various tools and scripts it has become a lot easier to carry out this attack.


Protection against Spoofed Emails

Create an SPF record for your organization:

SPF, or Sender Policy Framework, is an authentication technique that validates whether an email actually originated from a designated server of the domain, and hence helps in detecting spoofed and forged emails.

If you are an Office 365 email customer, you can follow these steps to create your SPF record.

DMARC and DKIM are additional domain authentication techniques you should also look at.

This ensures that if an attacker tries to spoof your domain to send emails to your organization or to external parties, those emails will fail domain authentication.

 

If you are an Office 365 Exchange Online customer, the built-in Exchange Online Protection by default protects against domain spoofing: when SPF or domain authentication fails, it marks the emails as High Spam or Spam and redirects them to the Junk Mailbox folder.

You should definitely check your anti-spam settings to see how you want Spam and High Spam emails to be treated.

 

SPAM Settings


Detecting a Spoofed email

Detecting a spoofed email is never easy, as the From address will have the exact domain name you’d expect. So if an attacker is trying to spoof your own organization’s domain, your users will actually see the correct domain name in the ‘From’ address.

If you take a look at the following example of a spoofed email, the ‘From’ domain is actually showing as Contoso.com, which is the legitimate domain of this organization. So it’s not that easy to differentiate unless you are ready to dive deep into header analysis.

Spoofed Email

Yes, you may find additional clues in the email which seem odd and can help you figure it out; you can read my previous post on finding clues for phishing.

So let’s take a look at the things in the email header which can help identify that this is a spoofed email.

Follow this to pull out the message headers if you are using the Outlook client.

If you are using OWA, click on the drop-down menu on the right-hand side and click on message details.

Header

You may copy the message headers, paste them into the Microsoft Message Header Analysis tool and hit Analyze.

Now let’s see what you should look at:

You should find that domain authentication has failed, e.g. SPF = FAIL. We’ll learn more about SPF later in this post.

Since the email did not originate from a server of the domain it claims to be from, SPF will fail.

Also, the Auth As value should be showing Anonymous, which means the email was not authenticated with credentials.

If this email had actually been sent from your domain, the Auth As value should be “Authenticated”.
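The header checks described above can be scripted for triage. This is an added example, not code from the original post: the headers are constructed samples, `triage` and `own_domains` are hypothetical names, and it assumes the tool's “Auth As” field corresponds to the `X-MS-Exchange-Organization-AuthAs` header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (illustrative, not taken from real messages).
SPOOFED_OWN_DOMAIN = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.25)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none; dmarc=fail action=none header.from=contoso.com
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "Finance Team" <finance@contoso.com>
Subject: Urgent invoice

body
"""

OUTSOURCED_NEWSLETTER = """\
Authentication-Results: spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=fabrikam.com; dkim=none; dmarc=none header.from=fabrikam.com
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Fabrikam News <news@fabrikam.com>
Subject: Monthly newsletter

body
"""

LEGIT_EXTERNAL = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=fabrikam.com; dkim=pass header.d=fabrikam.com;
 dmarc=pass action=none header.from=fabrikam.com
X-MS-Exchange-Organization-AuthAs: Anonymous
From: Partner <sales@fabrikam.com>
Subject: Meeting notes

body
"""


def auth_verdicts(msg):
    """Extract spf/dkim/dmarc results from every Authentication-Results header."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def triage(raw_headers, own_domains):
    """Combine the From domain, SPF result and AuthAs value into one verdict."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdicts = auth_verdicts(msg)
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()
    spf_failed = verdicts.get("spf") == "fail"
    claims_own = from_domain in {d.lower() for d in own_domains}
    # External mail is always Anonymous, so AuthAs only matters when the
    # From address claims one of your own domains.
    if claims_own and spf_failed and auth_as == "anonymous":
        verdict = "likely spoof of own domain"
    elif spf_failed:
        verdict = "auth failed, review sender"  # may be a legitimate third-party sender
    else:
        verdict = "no spoofing indicator"
    return {"from_domain": from_domain, "spf": verdicts.get("spf"),
            "dmarc": verdicts.get("dmarc"), "auth_as": auth_as, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SPOOFED_OWN_DOMAIN, OUTSOURCED_NEWSLETTER, LEGIT_EXTERNAL):
        print(triage(sample, ["contoso.com"]))
```
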

Auth As


Create a Warning Message for all External Email – Mail Tips

Consider adding a caution message at the top of all emails originating from external servers. You can use Exchange Online mail flow rules to create these custom notifications. More info on creating disclaimers here.

Mail tip

Legitimate Spoofing

“Legitimate Spoofing”? Is that even a thing? Why would spoofing be legitimate?

Well, yes, there are emails which could fail SPF but still be legitimate:

No SPF Records: If you are getting an email from an organization which has not configured and published SPF records with its domain registrar, there is no way to authenticate them.

Cloud Hosted Email Service Provider: If your sender’s email service is hosted on a shared tenant with a cloud service provider, there are chances that the provider cannot provide individual server details for SPF configuration for each and every email tenant.

Marketing and Newsletters: Some organizations outsource their marketing email campaigns to third-party companies who send emails on behalf of their clients, and hence those emails would look like spoofs even though they are genuine.

Spoof Intelligence to the rescue:

Office 365 customers can now take a look at the Spoof Intelligence report to see the domain pairs which are sending emails to your organization while failing domain authentication. You also have the option to configure whether you are okay with their emails coming in while their domain authentication fails.

Spoof
Spoof Intelligence

So if you do see a domain here which is sending legitimate emails but failing authentication, you can come here and mark it as “Allowed to Spoof”, which will ensure optimized mail flow from it.

I hope this post helps in understanding domain spoofing and how we can make it harder for attackers to bypass the protection.

In my next post, we’ll look at a common configuration mistake which lets these spoofed emails come in and get delivered, especially if the attacker is spoofing your own domain.

Cheers

Iftekhar





My Article on CIO Review Magazine : Stay Updated, Stay Protected

(Post migrated from TechNet.com)

In the increasingly dynamic world of cyber threats, where the threat landscape is changing by the second, staying updated breaks the ROI of the attackers.

If you are a reader of CIO Review magazine, I hope you’ll like this article of mine published in the October 2017 edition.

 

You can read the full CIO Review digital magazine here, along with some other great articles.

https://www.cioreviewindia.com/magazines/cloud-software-solution-special-october-2017/

Cheers

Iftekhar



What is Windows Defender ATP ?

I get to hear a lot of confusion between Windows Defender and Windows Defender ATP, and people often don’t get the difference between the two.

Let’s understand the difference.

Windows Defender is an anti-malware / antivirus solution that is part of Windows 10 itself. It helps protect you from known malware/viruses which have already been discovered and for which a definition is available. So think of it as similar to the antivirus capability provided by known vendors like McAfee, Symantec etc.

Besides protecting you from known malware, Windows Defender also has built-in machine learning and heuristics to detect malware in real time based on behaviour analysis. If you want to see a glimpse of what Defender AV can do in real time, watch the video below.

 

Windows Defender ATP, on the other hand, is an Endpoint Detection and Response (EDR) solution from Microsoft which enables identifying and detecting suspicious and malicious activities on endpoint PCs and helps you take remedial actions for containment.

So if there is a persistent attack scenario where attackers are doing initial recon and lateral movement to find critical and high value assets to compromise, this activity gets detected in the Defender ATP console and helps organizations contain it before the attackers are able to compromise your high value assets.

Here is a quick overview of Windows Defender ATP and some of the example activities of compromise it can help detect and remediate.

Defender ATP can run irrespective of which anti-malware you are using.

Hope that clears up the confusion.

Do subscribe to my channel on YouTube for more informative demos on InfoSec.

Cheers




Threat Mitigations in Windows 10

Traditionally, operating system releases from Microsoft used to happen once every few years, and in the time between releases a lot of these exploitation techniques were developed. Most of these new exploitation techniques were used to carry out attacks on Windows platforms which didn’t have any mitigations, and the future release with the fix was a few years away.

Some of the exploitation techniques that exist today didn’t even exist a decade ago.

Exploitation techniques a decade ago:

  • Stack overrun
  • Return Address Corruption
  • Shell Code

Exploitation techniques today:

  • ARW
  • Sandbox bypass
  • Heapspray
  • Memory Corrupt
  • CFG Bypass
  • ASLR Bypass
  • DEP Bypass
  • ROP Shellcode

Given that the threats have increased multifold, waiting a couple of years to mitigate a particular exploitation technique is far from ideal and leaves our consumers and commercial users/organizations vulnerable. Windows 10 as a Service, where we keep releasing new features and capabilities every 6 months, has reduced the shelf life of these techniques.

Today we’ll go through the security mitigations in Windows 10 that are enabled by default for all of our users, irrespective of the Windows 10 edition you are using.

image

 

Threat Mitigations in Windows 10 is a set of features which helps disrupt exploitation techniques and makes vulnerability classes harder or impossible to use.

Let’s go through some of these important mitigations.

1. User Mode Font Driver (UMFD):

User mode font driver mitigation was added in the initial version of Windows 10. It is aimed at isolating or containing vulnerabilities.
Font processing was done in kernel mode, and memory corruption bugs there could be hit remotely using untrusted fonts. The font processing code is very much legacy code, and it also comes from different contributors.
With UMFD, font processing is now moved into an App Container in user mode. This makes any vulnerabilities in font processing more or less useless.
So the EOPs, or typically the sandbox escapes, that were being targeted using these vulnerabilities are no longer possible.
All processes benefit from this mitigation.
While we have moved font processing to user mode to contain the vulnerability, it is also possible to disable processing of untrusted remote fonts for a process via the ProcessFontDisablePolicy process mitigation option.

2. Win32k Syscall Filtering:

We all know that the Win32k subsystem is the No. 1 targeted component for achieving sandbox escapes. It is a gigantic component because of its functionality; whatever you see is mostly Win32k. It has a huge attack surface, about 1200 APIs compared to about 400 NT APIs.
With syscall filtering, Microsoft Edge tries to maintain a list of the Win32k APIs that it needs and allows only those from the content process, thus reducing the surface area.
This mitigation removes a good set of Win32k APIs that can be targeted for any possible memory corruption.

3. Less Privileged App Container (LPAC):

An App Container has access to resources protected with the ALL APPLICATION PACKAGES SID, and this SID has read permission on all folders by default. LPAC is a more restricted version of the App Container: it denies access by default for everything. One can access only the secured objects that are granted explicitly to LPAC.

4. Structured Exception Handling Overwrite Protection (SEHOP): This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps protect applications regardless of whether they have been compiled with the latest improvements.

5. Address Space Layout Randomization (ASLR): ASLR loads DLLs into random memory addresses at boot time. This mitigates against malware designed to attack specific memory locations where specific DLLs are expected to be loaded.

6. Heap protections: Windows 10 includes protections for the heap, such as heap metadata hardening for the internal data structures that the heap uses. It also uses heap allocation randomization, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. It also places heap guard pages before and after blocks of memory, which work as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.

7. Kernel pool protections:

Windows 10 includes protections like Kernel DEP and Kernel ASLR for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations to create an attack.

8. Control Flow Guard:

Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead can be built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other features in Windows 10. It can also be built into applications when they’re compiled. For example, it can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. Administrators can request software vendors to deliver Windows applications compiled with CFG enabled.

9. Protected Processes: With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and for the first time, you can put antimalware solutions into the protected process space, which helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.

10. Universal Windows apps protections: When users download Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store, it’s highly unlikely that they will encounter malware, because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.

11. No Child Proc: Attackers can trick a sandbox into creating a child process to bypass mitigations. This feature prevents code execution via launching a child process.
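Items 5 and 8 above depend on how a binary was built, so an administrator can verify vendor deliveries by reading the DllCharacteristics field of the PE header. The following is an added example, not code from the original post: the function names are hypothetical, the flag values are the PE format's IMAGE_DLLCHARACTERISTICS_* constants, and the sample header is constructed in memory rather than taken from a real executable.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF format.
FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit high-entropy ASLR
    "DYNAMIC_BASE": 0x0040,     # image opts in to ASLR
    "NX_COMPAT": 0x0100,        # image is compatible with DEP
    "GUARD_CF": 0x4000,         # image was built with Control Flow Guard
}


def dll_characteristics(image):
    """Return the DllCharacteristics word from a PE image given as bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    optional = e_lfanew + 4 + 20          # skip signature and COFF file header
    (magic,) = struct.unpack_from("<H", image, optional)
    if magic not in (0x10B, 0x20B):       # PE32 or PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (value,) = struct.unpack_from("<H", image, optional + 70)
    return value


def mitigation_report(image):
    """Map each mitigation flag name to True/False for this image."""
    value = dll_characteristics(image)
    return {name: bool(value & bit) for name, bit in FLAGS.items()}


def missing_mitigations(image):
    """List the flags a reviewer would raise with the software vendor."""
    return [name for name, on in mitigation_report(image).items() if not on]


def build_sample(flags, magic=0x20B):
    """Constructed minimal header for the demo; not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, 0x22)
    optional = bytearray(0xF0)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    # For a real file: mitigation_report(open(path, "rb").read())
    print(mitigation_report(build_sample(0x4160)))
    print(missing_mitigations(build_sample(0x0140)))
```
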

Here are the release cycles of the various threat mitigation capabilities in each Windows 10 feature update:

Pic

The main objectives of implementing these threat mitigation capabilities in Windows 10 are:

  • Reducing the attack surface of the Windows platform
  • Taking soft targets out of the picture
  • Eliminating existing exploitation techniques so that new techniques need to be found
  • Reducing the impact of vulnerabilities by isolation
  • Making overall exploitation harder and more expensive

These are all the more reasons to move to Windows 10 as quickly as possible to remain protected against modern cyber threats.

Hope you liked the article, look forward to more later.

Cheers.