One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 1703027
Publication date: 2020-05-11 12:00:00 (viewed: 2020-05-11 12:08:21)
Title: Stories from the SOC - Office365 Credential Abuse
Text:

Executive Summary

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

The most critical element in combating malicious attempts on technology today is visibility. Considering the sheer number of cloud, firewall, IDS/IPS, anti-virus and other offerings, integrations are a necessity for effective security. Unified management is unachievable unless you can effectively consume and correlate a variety of log feeds that can be analyzed through the proverbial “single pane of glass.” By leveraging the AlienApp for Office365, we presented a compromised Office365 account to the customer, who then confirmed our suspicion, reset the account, and implemented multi-factor authentication for that user. Though the AlienApp provides an incredibly insightful view of an Office365 environment, the ability to correlate events across multiple data sources enables an analyst to understand and determine the baseline activity of our clients, enhancing our detection and response capabilities.

Investigation

Initial Alarm Review

Indicators of Compromise (IOCs)

The initial alarm surfaced as the correlated result of two UserLoggedIn events that occurred within 10 minutes of each other but originated from two distinct countries. These abnormalities in login behavior indicate that the user’s credentials were most likely compromised.

Figure 1 - Initial Alarm

Expanded investigation

Alarm Detail

Also included in the alarm details is the associated MITRE ATT&CK® attack ID, which made it possible to efficiently gather relevant information about this potential attempt to compromise the customer’s Office 365 account. The synopsis for this attack technique is defined as the attempt to “… steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process…”

Correlation Rule Logic

Figure 2 - Correlation Logic

Correlated Events

Figure 3 - U.S. Login Event

Simultaneous logins were detected from both the United States and a foreign country, generating two events like the one pictured above, with different source countries. These successful logins occurred within two minutes of one another, thus triggering the Credential Abuse alarm.

Response

Building the investigation

The origin and volume of the successful login attempts from the United States fall within the baseline activity for this user. However, there was a sudden surge in attempts from a foreign country that aligned with the timeline of when this account appeared to have been compromised.

Customer interaction

In order to effectively articulate the login irregularities to the customer, our team ran a retrospective query to analyze successful authentication attempts for this particular Office365 user. Utilizing advanced query capabilities within USM Anywhere
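The correlation described above (two successful UserLoggedIn events for one user within 10 minutes of each other but from different source countries) and the retrospective per-user login query, as an added Python example that is not code from the AT&T SOC post, from AlienVault or from USM Anywhere. The JSON field names and the sample events are constructed for this example and are not the real Office 365 audit schema; the 10-minute window is the one the post states.

```python
import json
from datetime import datetime

# Constructed sample Office365 audit events, one JSON object per line.
# Made up for this example; the field names are an assumption, not the
# real Office 365 Management Activity schema.
SAMPLE_LOG = """
{"time": "2020-05-04T13:01:12Z", "user": "jdoe@example.com", "operation": "UserLoggedIn", "result": "Succeeded", "country": "US"}
{"time": "2020-05-04T13:03:40Z", "user": "jdoe@example.com", "operation": "UserLoggedIn", "result": "Succeeded", "country": "NG"}
{"time": "2020-05-04T13:05:02Z", "user": "jdoe@example.com", "operation": "UserLoggedIn", "result": "Failed", "country": "NG"}
{"time": "2020-05-04T14:30:00Z", "user": "asmith@example.com", "operation": "UserLoggedIn", "result": "Succeeded", "country": "US"}
{"time": "2020-05-04T15:45:00Z", "user": "asmith@example.com", "operation": "UserLoggedIn", "result": "Succeeded", "country": "DE"}
{"time": "2020-05-04T16:00:00Z", "user": "jdoe@example.com", "operation": "UserLoggedIn", "result": "Succeeded", "country": "US"}
"""


def parse_events(text):
    """Parse JSON-lines audit events, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def successful_logins_by_user(events):
    """Group successful UserLoggedIn events per user, each list sorted by time."""
    by_user = {}
    for e in events:
        if e["operation"] == "UserLoggedIn" and e["result"] == "Succeeded":
            by_user.setdefault(e["user"], []).append(e)
    for evs in by_user.values():
        evs.sort(key=lambda e: e["time"])
    return by_user


def correlate_logins(events, window_minutes=10):
    """Return (user, earlier_event, later_event) alarms: two successful logins
    for the same user within window_minutes of each other whose source
    countries differ. This is the correlation rule the post describes."""
    alarms = []
    for user, evs in successful_logins_by_user(events).items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                # evs is time-sorted, so once b falls outside the window
                # every later event does too.
                if (b["time"] - a["time"]).total_seconds() > window_minutes * 60:
                    break
                if a["country"] != b["country"]:
                    alarms.append((user, a, b))
    return alarms


def login_counts_by_country(events, user):
    """Retrospective view: successful logins per source country for one user,
    used to judge whether a country is part of that user's baseline."""
    counts = {}
    for e in successful_logins_by_user(events).get(user, []):
        counts[e["country"]] = counts.get(e["country"], 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for user, a, b in correlate_logins(events):
        gap = (b["time"] - a["time"]).total_seconds() / 60
        print(f"ALARM {user}: {a['country']} -> {b['country']} within {gap:.1f} min")
        print("  successful logins by country:", login_counts_by_country(events, user))
```

On the constructed sample the rule fires once, for the US and NG logins about two and a half minutes apart; the failed NG attempt is ignored because only successful logins are paired, and the asmith US/DE pair is 75 minutes apart and falls outside the window. The per-country counts are the kind of retrospective query the post mentions for showing the customer which countries belong to the user's baseline.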
Sent: Yes
Tags: Threat, Stories


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.