Welcome to this second video in the series on empowering security analysts with Microsoft Defender Threat Intelligence. My name is Terry Clancy. In this video, we'll build on the concepts covered in the first video of the series and delve into various strategies for threat hunting with Microsoft Defender Threat Intelligence, or MDTI.
We'll demonstrate these strategies in action, providing practical examples and insights along the way. In the previous video, we explored how MDTI integrates with, and enhances, the other Defender products and how they collectively contribute to the overall Microsoft security portfolio. We also delved deeper into how Microsoft Defender Threat Intelligence works with Microsoft Defender XDR and Sentinel to create a unified security operations platform.
This platform represents the next evolution in the security operations centre (SOC) journey. It integrates the best features of Security Information and Event Management (SIEM) systems and eXtended Detection and Response (XDR) systems, along with AI, threat intelligence and posture management, into a single cohesive experience with one data model and unified features. In that last video, we also explored Microsoft Defender Threat Intelligence and delved into the raw intelligence and finished intelligence it provides, along with the tools available to leverage this intelligence. In this video, we'll focus on the strategies for threat hunting using MDTI alone, showcasing the value MDTI itself brings to the threat hunter.
In some cases, we'll also reference the value that Defender Threat Analytics can add when used with MDTI. In the next video, we'll examine threat hunting with Sentinel integrated with MDTI, highlighting how Sentinel can correlate data across a broader range of data sources. OK, let's dive into threat hunting with MDTI. Microsoft Defender Threat Intelligence is a powerful tool in our threat hunting arsenal.
It draws on Microsoft's vast telemetry across its global network, combined with expert analysis, to provide actionable threat intelligence. MDTI offers real-time threat data, allowing us to stay current with the latest threats, and its analytics and machine learning capabilities help identify complex attack patterns. MDTI helps you identify adversaries and offers extensive profiles on known threat actors, their tactics and their targets. MDTI integrates with the broader Microsoft 365 Defender suite (now Microsoft Defender XDR), enhancing our overall security capabilities.
For users of Defender endpoint products, Defender Threat Analytics helps focus MDTI's threat intelligence on your installed base of technology, and the overall platform offers customisable dashboards and reports. The MDTI APIs allow for integration with third-party tools and for automation, and they let you scale your threat hunting activities. All this helps tailor the intelligence to your specific needs and environment.
OK, let's look at some more specific examples of how MDTI capabilities can be leveraged for threat hunting. Threat indicator lookups allow you to search for known indicators of compromise (IOCs), such as malicious IP addresses, domains and file hashes, to identify potential threats in your environment. Adversary and TTP tracking tracks adversaries and their tactics, techniques and procedures (TTPs), typically using the MITRE ATT&CK framework, to understand their behaviour and improve threat detection and response.
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. CVSS scores, or Common Vulnerability Scoring System scores, are an industry standard used to assess the severity of security vulnerabilities.
These scores are provided on a 0 to 10 scale, with a score of 10 being the most critical. They help us evaluate which vulnerabilities to prioritise for remediation first. Note that a CVSS base score measures the intrinsic severity of a vulnerability, not how exposed your particular environment is to it, which is why it is best combined with exposure data such as that from threat analytics. Brand protection monitors for threats targeting your brand, such as phishing sites and fake social media accounts, to protect your organization's reputation. Reputation scoring assigns reputation scores to various indicators of compromise, such as domains, IP addresses and URLs, to help prioritize threats. Vulnerability intelligence provides insights into known vulnerabilities, their severity and potential impact, enabling prioritization, proactive patching and risk management. With malware analysis, MDTI provides analysis of malware samples to help you understand their behaviour, capability and potential impact, helping you mitigate and prevent future infections.
Tracker analysis analyses the tracking mechanisms used to monitor activity and infrastructure, aiding in threat attribution and mitigation. Trackers are unique codes or values embedded within web pages, often used to monitor user interactions and gather data. Typically, when a user visits a page, the tracker collects data and sends it back to a server for analysis. For example, trackers like Google Analytics IDs are used by website owners to understand user behaviour, and marketers use trackers to measure the effectiveness of their campaigns.
In the context of cybersecurity, trackers can help identify and correlate disparate websites to a central entity. For example, threat actors might copy the source code of a legitimate website for phishing campaigns and inadvertently leave the tracking IDs intact, which lets security analysts identify the fraudulent sites. When MDTI is used with Defender Threat Analytics and the related Defender Endpoint products, they contextualize intelligence based on your installed IT inventory. This includes detailed threat analytics reports that highlight the most critical threats based on their potential impact and the organization's exposure level, considering the installed base.
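As an added, worked illustration of the tracker correlation just described (this is example code written for this page, not code from the video or from MDTI), the Python below extracts common tracker IDs from page HTML and groups hosts that share one. The three pages are constructed samples: a legitimate store, a clone that copied its HTML and left the analytics IDs intact, and an unrelated site. The host names and the pattern set are assumptions for the demo.

```python
"""Correlate web pages by the tracker IDs embedded in their HTML.

Added example for this page; not code from the video or from MDTI. The pages
below are constructed samples, not real crawls.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Tracker ID formats (Universal Analytics, GA4, Tag Manager, Meta Pixel).
# Patterns are deliberately narrow to limit false positives.
TRACKER_PATTERNS = {
    "google_analytics": re.compile(r"\bUA-\d{4,10}-\d{1,3}\b"),
    "ga4":              re.compile(r"\bG-[A-Z0-9]{8,12}\b"),
    "tag_manager":      re.compile(r"\bGTM-[A-Z0-9]{5,8}\b"),
    "meta_pixel":       re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d{9,17})['\"]"),
}

# Constructed sample crawl: hostname -> HTML body (assumed host names).
SAMPLE_PAGES = {
    "shop.example.com": """
        <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12345678-1"></script>
        <script>gtag('config', 'UA-12345678-1');</script>
        <script>fbq('init', '1234567890123');</script>
    """,
    "shop-example.net": """   <!-- clone: HTML copied wholesale, analytics ID left intact -->
        <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12345678-1"></script>
        <script>gtag('config', 'UA-12345678-1');</script>
        <form action="/collect.php">...</form>
    """,
    "unrelated.example.org": """
        <script>gtag('config', 'G-ABCDEFGH12');</script>
    """,
}


def extract_trackers(html: str) -> set[str]:
    """Return tracker identifiers found in one page as 'kind:value' strings."""
    found = set()
    for kind, pattern in TRACKER_PATTERNS.items():
        for match in pattern.finditer(html):
            value = match.group(1) if match.groups() else match.group(0)
            found.add(f"{kind}:{value}")
    return found


def index_by_tracker(pages: dict[str, str]) -> dict[str, set[str]]:
    """Invert the crawl: tracker -> set of hostnames that embed it."""
    index = defaultdict(set)
    for host, html in pages.items():
        for tracker in extract_trackers(html):
            index[tracker].add(host)
    return dict(index)


def find_clones(pages: dict[str, str], known_good: set[str]) -> dict[str, set[str]]:
    """Hosts outside known_good that share a tracker with a known-good host.

    Returns suspect host -> the trackers it shares with a known-good host.
    """
    suspects = defaultdict(set)
    for tracker, hosts in index_by_tracker(pages).items():
        if hosts & known_good:
            for host in hosts - known_good:
                suspects[host].add(tracker)
    return dict(suspects)


if __name__ == "__main__":
    for host, shared in find_clones(SAMPLE_PAGES, {"shop.example.com"}).items():
        print(f"{host} shares {sorted(shared)} with a known-good host")
```

A shared analytics ID is a lead, not proof: agencies reuse IDs across the sites they manage, so treat a hit as a pivot to confirm with host pairs, WHOIS and resolution data.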
Component analysis examines software components and libraries for known vulnerabilities and malicious behaviour, helping you secure your applications. Knowing these components can help you understand the makeup of a web page, or the technology and services driving a specific piece of infrastructure. In this context, component examples include operating systems, web servers, frameworks, content management systems, databases, server software, etcetera. Cookie analysis analyses the cookies used by websites and applications so as to detect tracking and potential privacy issues, enhancing data protection. Correlation of data involves aggregation and enrichment of data from various sources, allowing analysts to correlate IOCs with related articles, actor profiles, vulnerabilities, et cetera. Microsoft Security Copilot provides contextual threat intelligence, which can really help to connect the dots.
It integrates in context directly into the MDTI blade of the Microsoft Defender XDR portal. Note also that MDTI is included at no extra cost with any tenant provisioned with a Copilot for Security Security Compute Unit (SCU). See the URL on the screen for more information.
MDTI helps you prioritize your hunting efforts based on the threats relevant to your organization. This uses intelligence such as reputation scoring and threat analytics to prioritize threats based on exposure level, reputation, CVSS scores, installed base, etcetera. MDTI also allows security analysts to test hypotheses about potential threats and attack scenarios, improving threat detection and response strategies. To do this, you would either use Kusto Query Language (KQL) to write complex queries against MDTI data, or you can employ guided hunting by using the MDTI Intel Explorer to craft meaningful hunting queries without needing to know KQL or the data schema.
The MDTI Intelligence Projects feature enables collaboration among analysts within the same tenant, allowing them to share insights and work together on investigations. All these capabilities help organisations enhance their threat intelligence and improve their overall security posture. Utilizing almost all of these capabilities involves performing searches using the MDTI Intel Explorer. As discussed and demoed in more detail in the last video, searches are either implicit, meaning that the fields or data types to be searched are inferred from the format of the search term, or explicit, meaning that the data type to be searched is explicitly selected.
As an example of an implicit search, when I search for an IP address, Intel Explorer recognizes it as an IP address and constrains the search to that data type. Implicit searches can be used for IP addresses, domains, hosts and CVE IDs. Keywords can also be searched, which results in a search across many data types.
For explicit searches, on the other hand, you select the data type you wish to search. So, as you can see here, you can select Tag, Component, Trackers, several WHOIS data types, a few certificate data types, and two cookie data types. OK, let's zoom out a little and look at a high level at the various strategies employed for threat hunting.
There are a few key strategies you're most likely to want to use with MDTI. Indicator of compromise (IOC) based hunting involves searching for known indicators of compromise such as malicious IP addresses, domains, file hashes or e-mail addresses. This method relies on predefined threat intelligence data to identify potential threats within your environment.
By leveraging IOCs, security analysts can quickly detect and respond to known threats. Tactics, techniques and procedures (TTP) based hunting typically uses the MITRE ATT&CK framework and focuses on identifying the behaviours and methods used by adversaries. Instead of looking for specific IOCs, this approach examines the tactics, techniques and procedures that attackers use to achieve their objectives. By understanding and hunting for these patterns, security analysts can detect and mitigate threats that may not yet have known IOCs. Hypothesis-driven hunting involves creating hypotheses about potential threats based on observed behaviours, anomalies or intelligence. Security analysts develop hypotheses about how an attacker might operate within their environment and then test these hypotheses by searching for evidence to support or refute them.
This method encourages proactive and creative thinking, allowing analysts to uncover otherwise hidden threats. Threat intelligence guided hunting uses external and internal threat intelligence to guide the hunting process. This approach involves leveraging threat intelligence feeds, reports and analysis to identify potential threats and prioritize hunting activities.
By integrating threat intelligence into the hunting process, security analysts can stay informed about the latest threats and focus their efforts on the most relevant and impactful areas. Defender Threat Analytics and other Defender components will often provide the trigger or starting point for such a search. Data-driven hunting relies on custom analysis of large volumes of data to identify patterns, anomalies and potential threats. This approach uses advanced analytics, machine learning and statistical methods to sift through data and uncover indicators of malicious activity. By leveraging data-driven techniques, security analysts can detect subtle and complex threats that might otherwise go unnoticed. As a threat hunter, you can use a combination of all these approaches to follow leads in a process we call infrastructure chaining.
For example, an IOC or attack may yield an IP address, which leads to an SSL certificate, which leads to a domain, which might uncover multiple other leads, and on it goes until you have mapped out the threat infrastructure. MDTI can then link that infrastructure to threat actors, TTPs and steps for remediation. Let's walk through a practical workflow for using MDTI in threat hunting. We start by identifying potential threats relevant to our organization via the MDTI dashboard. Note that Microsoft Defender Threat Analytics and Defender External Attack Surface Management (EASM) can be highly valuable in this step because they constrain your view to those issues that may impact your specific installed base of technology.
We then research the associated TTPs and IOCs provided by MDTI and, using this information, we formulate a hunting hypothesis. Next, we search our internal systems for the identified indicators or patterns. We thoroughly analyse our findings and escalate any confirmed threats for incident response.
Then we document and share our mitigations and results, contributing to our organization's overall threat intelligence. Finally, we work to mitigate future security risks. To further illustrate typical threat hunting scenarios and their variability, here are just a few examples of how it may play out depending on what leads you start with and where they take you. In the first example, given an IP address from an e-mail link, you use MDTI to look up a domain, then an SSL certificate, then an article, which leads to a threat actor profile that explains the tactics, techniques and procedures (TTPs) and provides a remediation. In the second example, the first thing you know is that you've been attacked.
You obtain the malware file hash, search for it in MDTI and find indicators of compromise (IOCs), then a threat actor profile, then an article, then tactics, techniques and procedures, and finally a remediation. In the third example, Defender Threat Analytics or EASM identifies indicators of compromise and brings them to your attention. You then look up the CVE in MDTI and find the finished intelligence on that vulnerability, which provides remediation steps that you apply. Then you search for, and find, other instances of this IOC in your installed base, which you likewise remediate. OK, let's see how to put some of this theory into practice.
In this demo, we focus on an attack by Magecart, a syndicate of cybercriminal groups behind hundreds of breaches of online retail platforms. Microsoft had been profiling and following the activities of Magecart. They typically inject scripts that steal the sensitive data consumers enter into online payment forms on e-commerce websites, either directly or through compromised suppliers. Back in October 2018, Magecart infiltrated this company's online store, mypillow.com, to steal payment information by injecting a script into the web store. The script was hosted on a typosquatted domain,
mypiltow.com (with a "t" in place of the second "l"). Note that this particular case has been broadly and publicly disclosed, including at the URL on the screen. This breach was a two-stage attack, with the first skimmer only active for a brief time before being identified as illicit and removed. However, the attackers still had access to the company's network, and on October 26, 2018, Microsoft observed that they registered a new domain, livechatinc.org. Magecart actors typically register a domain that looks as similar as possible to the legitimate one.
Thus, if an analyst looks at the JavaScript code, they might miss Magecart's injected script that is capturing the credit card payment information and pushing it to Magecart's own infrastructure. However, Microsoft's virtual users capture the Document Object Model (DOM) and find all the dynamic links and changes made by the JavaScript from crawls on the back end. From that we can detect the activity and pinpoint the fake domain that was hosting the script injected into the mypillow.com web store.
So let's look at how to use MDTI to gather Magecart breach threat intelligence. First, we navigate to the MDTI Intel Explorer and search for mypillow.com. Here we see the article
"Consumers May Lose Sleep Over These Two Magecart Breaches" associated with this domain. Looking at that article, we can see that it was published on March 20, 2019, and it provides an overview and insights as to how the Magecart threat actor group breached this company in October 2018. This includes snippets and descriptions of the malicious scripts, and an analysis of this breach and how it represents a new breed of digital threat. We then select the Public Indicators tab, which lists four public indicators that we should, and will, search for. Now, if we go back to the Intel Explorer search bar and search for mypillow.com again, we can select the Host Pairs tab. In MDTI, host pairs refer to two pieces of infrastructure, a parent and a child, that share a connection observed from a virtual user's web crawl.
This connection can range from a simple top-level redirect (HTTP 302) to more complex interactions like an iframe or script source reference. Host pairs reveal connections between websites that traditional data sources such as passive DNS (pDNS) and WHOIS wouldn't surface. They also let you see where your resources are being used, and vice versa.
To narrow in on the time frame, we sort the host pairs by first seen and isolate scripts by filtering on script.src as the cause. We then page forward until we find host pair relationships that were first seen in October 2018.
Notice that mypillow.com was pulling content from the typosquatted domain mypiltow.com (with a "t") from October 3 to 8, 2018, through a script.
Let's see what we can learn if we compare the IP addresses that these two domain names had at the time. If you click on mypiltow.com, it effectively runs an Intel Explorer query on that domain and takes you to the Resolutions tab.
Sorting by first seen, you can see that in October 2018 it resolved to 195.161.41.65. Clicking on that IP address brings up the information that MDTI has on that address. First we navigate to confirm it was used by mypiltow.com in October 2018, and yes, it was used from October 2 to 5, 2018.
Then we look at the top-level info on the address, and the first thing we notice is that it is Russian, which is out of place for a US retailer's checkout page and so an immediate red flag. Also take note of the ASN and admin org. We then do the same procedure with mypillow.com. This time we start by searching for mypillow.com in Intel Explorer, then click on the Resolutions tab, then sort by first seen and navigate to see that it was assigned to 18.218.80.63 on October 2, 2018, which covers the time of interest.
We then click on that address to bring up the IP address details. We sort by first seen and navigate to confirm it was used by mypillow.com in early October 2018. We then look at the top-level info on the address, and the first thing we notice is that it is American, which is much more in line with our expectation.
Also take note of the ASN and admin org. So, considering the intimate script relationship between mypillow.com and mypiltow.com, and then comparing the wildly disparate backgrounds of the related IP addresses in terms of country, ASN and admin organization, there are lots of red flags here that indicate risk and potential threats. OK, now let's check for finished intelligence on mypiltow.com by searching for that name again.
If we scroll down to the Articles section, you can see these nine related articles. These should be reviewed in detail, and you should take note of any additional information about the Magecart threat actor group, such as tactics, techniques and procedures (TTPs) and other IOCs.
Now let's see what we can learn if we compare the WHOIS information that these two domain names had at the time. First we go to mypillow.com, open the WHOIS tab, select the appropriate date, and take particular note of the registrar name, country and name servers. Then we do the same for mypiltow.com: open the WHOIS tab, select the appropriate date, and take note of the same fields.
Comparing the two, the name and organization details from October 2011 for mypillow.com indicate that MyPillow Inc clearly owns the domain. On the other hand, the WHOIS information for mypiltow.com from October 2018 indicates that the domain was registered in Hong Kong and is privacy protected by Domain ID Shield Service Co. Given the address records and WHOIS details analysed so far, an analyst should find it odd that a Hong Kong privacy service guards a domain on a Russian IP address for what purports to be a US-based company.
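The date-scoped WHOIS comparison above, and the pivot on shared registration details that the demo repeats for livechatinc.org later, can be scripted as follows. This is an added example, not code from the video or MDTI. WHOIS_HISTORY is a constructed, simplified record set: the values for mypiltow.com and livechatinc.org are those described in the demo, while the mypillow.com registrar and name servers and the unrelated-shop.invalid entry are placeholders.

```python
"""Select WHOIS records as of a date and pivot on shared registration traits.

Added example for this page, not code from the video or MDTI. WHOIS_HISTORY is
a constructed, simplified history: mypiltow.com and livechatinc.org values are
as described in the demo; the rest are placeholders.
"""
from __future__ import annotations

from datetime import date

# Attributes worth pivoting on. A shared registrar alone is weak evidence;
# registrar + privacy service + name servers together is a strong link.
TRAITS = ("registrar", "privacy_service", "name_servers")


def rec(registrar, country, privacy, name_servers, org=None):
    """Build one simplified WHOIS record."""
    return {"registrar": registrar, "registrant_country": country,
            "privacy_service": privacy, "name_servers": frozenset(name_servers),
            "registrant_org": org}


# domain -> [(capture_date, record), ...]
WHOIS_HISTORY = {
    "mypillow.com": [  # registrar/name servers are placeholders; org as in the demo
        (date(2011, 10, 1), rec("Example Registrar", "US", None,
                                ["ns1.example-dns.invalid", "ns2.example-dns.invalid"],
                                org="MyPillow Inc")),
    ],
    "mypiltow.com": [
        (date(2018, 10, 1), rec("OnlineNIC Inc", "HK", "Domain ID Shield Service Co",
                                ["ns1.jino.ru", "ns2.jino.ru", "ns3.jino.ru", "ns4.jino.ru"])),
    ],
    "livechatinc.org": [  # country not stated in the demo, left unknown
        (date(2018, 12, 25), rec("OnlineNIC Inc", None, "Domain ID Shield Service Co",
                                 ["ns1.jino.ru", "ns2.jino.ru", "ns3.jino.ru", "ns4.jino.ru"])),
    ],
    "unrelated-shop.invalid": [  # placeholder: shares the registrar only, must not pivot
        (date(2017, 5, 5), rec("OnlineNIC Inc", "DE", None, ["ns1.other-dns.invalid"])),
    ],
}


def _as_date(when: date | str) -> date:
    return date.fromisoformat(when) if isinstance(when, str) else when


def record_as_of(domain: str, when: date | str) -> dict | None:
    """Latest record captured on or before `when` (the 'select the appropriate date' step)."""
    when = _as_date(when)
    current = None
    for record_date, record in sorted(WHOIS_HISTORY.get(domain, []), key=lambda r: r[0]):
        if record_date <= when:
            current = record
    return current


def shared_traits(a: dict, b: dict) -> set[str]:
    """Registration attributes both records share; unknown (None) values never match."""
    return {t for t in TRAITS if a.get(t) is not None and a.get(t) == b.get(t)}


def compare(domain_a: str, domain_b: str, when: date | str) -> dict[str, tuple]:
    """Side-by-side registration details as of `when`: field -> (a, b, same?)."""
    a, b = record_as_of(domain_a, when), record_as_of(domain_b, when)
    if a is None or b is None:
        raise ValueError("no WHOIS record on or before the requested date")
    fields = TRAITS + ("registrant_country", "registrant_org")
    return {f: (a.get(f), b.get(f), a.get(f) == b.get(f)) for f in fields}


def pivot(seed: str, when: date | str, min_shared: int = 2) -> dict[str, set[str]]:
    """Other domains whose record as of `when` shares >= min_shared traits with the seed."""
    seed_rec = record_as_of(seed, when)
    related = {}
    if seed_rec is None:
        return related
    for domain in WHOIS_HISTORY:
        if domain == seed:
            continue
        other = record_as_of(domain, when)
        if other is not None:
            traits = shared_traits(seed_rec, other)
            if len(traits) >= min_shared:
                related[domain] = traits
    return related


if __name__ == "__main__":
    for field, (a, b, same) in compare("mypillow.com", "mypiltow.com", "2018-10-15").items():
        print(f"{field:20} {'same' if same else 'DIFF'}: {a!r} vs {b!r}")
    print("pivot from mypiltow.com:", pivot("mypiltow.com", "2018-12-31"))
```

The as-of lookup matters: pivoting on today's record for a domain that has since changed hands, or on a record captured after the attack window, links the wrong infrastructure. The min_shared threshold is there because a popular registrar or privacy service on its own is shared by millions of benign domains.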
So there are even more red flags indicating risk and potential threats. OK, let's move on and investigate a public indicator of compromise (IOC) we identified earlier in this demo, livechatinc.org. Back in Intel Explorer, we enter livechatinc.org and then either
scroll down in the Summary tab or go to the Articles tab. Either way, the article "Magecart Group 8 Blends into NutriBullet.com Adding to Their Growing List of Victims" should now appear in the search results. Selecting the article, we can see that it was published on March 18, 2020, and details other companies that were also victims of the Magecart threat actor group. It goes into some detail explaining how the JavaScript code in the three related skimmers works and how data is exfiltrated, including the details of the exfiltration target servers. We then select the Public Indicators tab, which lists a large number of IOCs related to livechatinc.org.
This includes livechatinc.org itself and mypiltow.com. OK, to uncover other potential issues related to livechatinc, let's go back to the information on mypillow.com and look for host pairs that relate to livechatinc. We can quickly see that secure.livechatinc.org and
secure.livechatinc.com have both communicated with mypillow.com. LiveChat is a legitimate live support chat service that online retailers can add to their websites as a partner resource. Several e-commerce platforms, including MyPillow, use it. Its legitimate domain name is livechatinc.com. However, livechatinc.org is a fake domain name. So in this case, the threat actor used a top-level-domain typosquat to hide the fact that they had placed a second skimmer on the MyPillow website.
So then, to get a more thorough list of host pairs referencing livechatinc, we can download the list, open it in Excel and first filter by parent hostname contains livechatinc. As you can see, only one of these lines appears to involve the fake livechatinc.org domain name, and it has a cause of XMLHttpRequest, which could, for example, be consistent with a data-passing connection. Then, separately, we can filter on child hostname contains livechatinc, and again only one of these lines appears to involve the fake livechatinc.org domain name, and it has a cause of script.src.
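Here is the same host-pair triage done with a script rather than Excel, as an added example (not code from the video or an MDTI export). It assumes a CSV export with parent_hostname, child_hostname, cause, first_seen and last_seen columns and ISO dates; the rows are constructed to mirror the relationships discussed in this demo. It goes a little beyond the manual filter: rather than searching for one string, it flags any risky-cause pair in the time window whose untrusted endpoint looks like one of your own or trusted hosts, which catches both the mypillow/mypiltow character swap and the livechatinc.com/.org TLD swap.

```python
"""Triage an exported host-pairs list and flag look-alike hosts.

Added example for this page, not code from the video or an MDTI export. The
CSV layout is an assumption; the rows are constructed to mirror the demo.
"""
from __future__ import annotations

import csv
import io
from datetime import date

HOST_PAIRS_CSV = """\
parent_hostname,child_hostname,cause,first_seen,last_seen
mypillow.com,mypiltow.com,script.src,2018-10-03,2018-10-08
www.mypillow.com,secure.livechatinc.com,script.src,2018-06-01,2019-01-15
www.mypillow.com,secure.livechatinc.org,script.src,2018-10-26,2018-11-19
secure.livechatinc.org,www.mypillow.com,xmlhttprequest,2018-10-27,2018-10-29
www.mypillow.com,www.googletagmanager.com,script.src,2017-01-01,2019-01-15
www.mypillow.com,cdn.example-cdn.invalid,img.src,2018-10-05,2018-10-06
"""

OWN_HOSTS = {"mypillow.com", "www.mypillow.com"}
# Third parties the site is expected to load (assumed allow-list for the demo).
TRUSTED_HOSTS = {"secure.livechatinc.com", "www.googletagmanager.com", "cdn.example-cdn.invalid"}
# Causes that let another host run code in the page or move data out of it.
RISKY_CAUSES = {"script.src", "xmlhttprequest", "iframe.src"}
# Time window of interest from the demo.
DEMO_WINDOW = (date(2018, 10, 1), date(2018, 11, 30))


def registrable(host: str) -> tuple[str, str]:
    """Crude (second-level label, TLD) split; enough for .com/.org style names."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (host.lower(), "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, references: set[str]) -> str | None:
    """Return the reference host that `host` imitates, or None."""
    label, tld = registrable(host)
    for ref in sorted(references):            # sorted for deterministic output
        ref_label, ref_tld = registrable(ref)
        if label == ref_label and tld != ref_tld:
            return ref                        # same name, swapped TLD (livechatinc.org)
        if label != ref_label and edit_distance(label, ref_label) <= 2:
            return ref                        # character swap/typo (mypiltow.com)
    return None


def load_host_pairs(text: str) -> list[dict]:
    """Parse the export and turn the ISO date columns into date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        row["last_seen"] = date.fromisoformat(row["last_seen"])
        rows.append(row)
    return rows


def suspicious_pairs(rows: list[dict], start: date, end: date) -> list[dict]:
    """Pairs active in [start, end] with a risky cause where the non-own, non-trusted
    endpoint imitates an own or trusted host. Sorted by first seen, like the UI."""
    hits = []
    for row in sorted(rows, key=lambda r: r["first_seen"]):
        if row["last_seen"] < start or row["first_seen"] > end:
            continue
        if row["cause"].lower() not in RISKY_CAUSES:
            continue
        for host in (row["parent_hostname"], row["child_hostname"]):
            if host in OWN_HOSTS or host in TRUSTED_HOSTS:
                continue
            target = lookalike_of(host, OWN_HOSTS | TRUSTED_HOSTS)
            if target:
                hits.append({**row, "suspect": host, "imitates": target})
    return hits


def demo_hits() -> list[dict]:
    return suspicious_pairs(load_host_pairs(HOST_PAIRS_CSV), *DEMO_WINDOW)


if __name__ == "__main__":
    for hit in demo_hits():
        print(f"{hit['first_seen']} {hit['parent_hostname']} -> {hit['child_hostname']} "
              f"[{hit['cause']}] {hit['suspect']} looks like {hit['imitates']}")
```

On the constructed rows this reports three pairs: the mypiltow.com script load in early October, and the two secure.livechatinc.org relationships (script.src into the page, XMLHttpRequest back out). The allow-list is what keeps the legitimate secure.livechatinc.com and tag manager loads quiet, so keep it current for the site being hunted.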
To learn more about the IP address used by the fake domain name at that time, let's go back and find a host pair relationship with secure.livechatinc.org and then pivot off that host name, which takes us to the Resolutions tab. This indicates that the host resolved to 212.109.22.230 back in October 2018. Clicking on that IP address, we notice that it is also located in Russia and that the ASN organization is JSC IOT. Let's now look in more detail at the domain registration for this fake domain. Back in Intel Explorer,
we search for secure.livechatinc.org, go to the WHOIS tab and select the record from December 25, 2018. The registrar used for this record is OnlineNIC Inc, which is the same one used to register mypiltow.com during the same campaign. Based on the record from December 25, 2018, note that the domain also used the same Hong Kong privacy service, Domain ID Shield Service, as mypiltow.com
did. The December record also used the same name servers, ns1.jino.ru through ns4.jino.ru, which were the ones used in the October 1, 2018 record for mypiltow.com. Also, looking at the Host Pairs tab, we can see some very interesting host pair relationships from October to November 2018.
secure.livechatinc.org redirected users to secure.livechatinc.com on November 19, 2022. This redirection is more than likely an obfuscation technique to evade detection.
www.mypillow.com was pulling a script hosted on secure.livechatinc.org, the fake live chat site, from October 26, 2018 through November 19, 2018. During this time frame, www.mypillow.com user purchases were potentially compromised. secure.livechatinc.org was requesting data using XMLHttpRequest
from the server www.mypillow.com, which hosts the real MyPillow website, from October 27 to 29, 2018. This could potentially have been the exchange of compromised customer data. To wrap up this demo of Microsoft Defender Threat Intelligence and how to gather Magecart breach threat intelligence, let's summarize the key steps and findings. First, we used MDTI Intel Explorer to search for mypillow.com and
found an article detailing a Magecart breach in October 2018. We examined the Public Indicators and Host Pairs tabs to identify connections between mypillow.com and the typosquatted domain mypiltow.com (with a "t"). Comparing the IP address information revealed red flags, such as the Russian IP address used by mypiltow.com.
Next, we investigated livechatinc.org, another public indicator of compromise, and found it was used to hide a second skimmer on the MyPillow website. The WHOIS information for livechatinc.org showed
similarities with mypiltow.com, including the same registrar and privacy service, as well as more red flags. By following these steps, we demonstrated how MDTI can be used to gather comprehensive threat intelligence, identify potential risks, and uncover connections that might otherwise go unnoticed. OK, before we wrap up, I'll quickly mention that while MDTI is a powerful tool, it's important to understand its limitations.
While MDTI can be used alone, it is more effective when integrated with the Defender security stack or a similar third-party system. MDTI works best in conjunction with Microsoft Defender products, and specifically Defender Threat Analytics and the related endpoint products, because it can then constrain your view to, and focus your attention on, those issues that may impact your organization's specific installed base of technology. Integration with Sentinel is also very valuable, because Sentinel provides a broader view than the Defender endpoint products: it analyses a broader range of routine log data for behaviour analysis and has more third-party connectors.
Such integrations allow MDTI intelligence to be related to a broad array of endpoint data to better identify and understand multimodal threats. It's also important to always remember that human analysis remains crucial to contextualise the intelligence provided by MDTI. While MDTI provides a wealth of external threat intelligence, we must also continue developing our internal threat intelligence to complement external sources.
Lastly, MDTI and Defender generally require continuous tuning and customization to align with our specific threat landscape and organizational needs. To wrap up, threat hunting has become a crucial practice in today's rapidly evolving cybersecurity landscape. Its proactive approach significantly reduces the risk and impact of advanced cyber threats. Effective threat hunting combines the hunting skills of experienced analysts with advanced tools like Microsoft Defender Threat Intelligence and the other Defender products.
By leveraging these capabilities, organisations can stay ahead of sophisticated adversaries and maintain a robust security posture. This brings us to the end of this video on threat hunting with Microsoft Defender Threat Intelligence. Thank you very much for watching. I sincerely hope it was helpful and, if it was, please give it a thumbs up. I also hope you're able to watch my other videos in this series. Future videos will delve deeper into the MDTI APIs, making the most of Copilot, and MDTI's integration with other products like Microsoft Sentinel.
I hope you'll join us for those as well. Thanks again and all the best.
2025-01-13 07:34