Endpoint on Adrenaline : One

Introduction

 

This blog series will capture how to maximise the protection of an endpoint using the various technologies in the Defender suite. The controls outlined in the series will each need to have their own considerations taken into account for a given environment but hopefully at a minimum it will be clear just how powerful of an offering Microsoft has. 


Unfortunately due to the highly modular and distinct diversity in controls Microsoft offers things are often overlooked and misconfigured when tests are conducted. With this in mind, the shortest possible route to a solution for this is utilizing the recommendations, CSPM and Secure Score technology contained within Defender 365 and Defender for Cloud as it will automatically conduct posture assessments and inform you of things you have missed and may want to turn on (IE dont take these recommendations lightly)


Lastly, I would recommend reading the book “Defender for Endpoint in depth” from packt as it showcases the complexities and unity between systems that can protect your endpoints. Although this blog series will extend beyond the bounds of the book.






Defender for Cloud


To get started we are going to deploy a few agents via Defender for Cloud, the reason for this is that it makes many more features available to us as opposed to if we deployed the agent the traditional method (script, intune etc).


The caveat to doing this is we need to establish each and every one of the endpoints we need to protect as hybrid machines using Azure ARC. This of course comes with some architecture concerns particularly if you don’t use Azure as you will now need to introduce a new attack surface. So with that in mind first lets address a few ways to handle this appropriately because in my opinion, the extra features we are going to explore later are way to cool to miss out on.





This diagram illustrates how we can keep our security stack separated and monitored using dedicated management objects (Management Group, Subscription and Resource Group). This architecture allows for Defender for Clouds CSPM and Microsoft Sentinel Analytical Rules to easily be configured to warn of any risks or threats posed to your hybrid machines.


Additionally, the separation of resources permits for increased RBAC controls as most often you will not need to interact with your hybrid machines for system administration purposes because all your pre-existing workflows, IT infrastructure and playbooks will just operate as normal with Azure ARCs only purpose being to enable further protective measures. 


With regards to Azure ARC you will also want to implement the allow list for which azure policies can be pushed to the hybrid machines preventing further configurations from being set and ensuring that guest configurations are disabled completely. Instructions for these items are captured here: https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-overview 


Defender for Endpoint


Once you have enabled the Defender for Cloud service within the Azure Portal and onboarded your endpoints as hybrid machines, pivot to Environment Settings > Your Azure Tenant > Your Hybrid Machines Resource Group. This page will reveal much of the protective options Defender for Cloud can offer (not all of them!).


First, ensure “Defender CSPM” is set to “On”. This feature will capture both recommendations for additional protective settings and items you may have misconfigured for your hybrid machines. You can setup alerting for all these recommendations so should one of particular criticality appear such as a control defined in this blog series is disabled or stopped working you can be notified immediately.





Going a step further Defender for Cloud can trigger Logic Apps when these recommendations are generated allowing for you to forcefully auto-remediate issues which is particularly effective for items in this blog series as most the controls are added to the Hybird machines through Azure Policies.

Side Note: Because these controls are pushed through Azure policies they are effectively permanently enforced meaning if an adversary is able to remove a control from within the endpoint, it will simply be reapplied over and over again. Including managed identities the policies will configure for SQL server scanning.


Now we have some posture monitoring we can enable the “Servers Plan 2”. 





With this enabled all the extra features we are going to explore can now be also configured. This of course will onboard the hybrid machine into Defender 365 where you can also manage the asset and view features like advanced hunting at https://security.microsoft.com.


Next on the same item (Servers Plan) select “Settings”. This page details further configurable items such as an additional telemetry stream to a log analytics workspace, Vulnerability assessments through a free partnership with Qualys and Agentless Scanning. You will want to enable all of these options. If you do not already have the Microsoft Sentinel service enabled on a log analytics workspace configure it first so you have somewhere to put the data it captures from event records on the asset.






File Integrity Monitoring


This feature can be enabled through “Workload Protections” on the main Defender for Cloud landing page. You will need a log analytics workspace for the changes to be recorded too but hopefully, you already established one in the previous steps. Once enabled you will be able to define files and registry items to monitor for changes. The technology comes with a predefined list of obvious items but you will want to explore your asset inventory to identify other items to track. 

Within the FIM dashboard, you will get a summary view of what changes were made per system that is monitored and a secondary view that details exactly what was changed and when as illustrated below:




While this view can be handy for a cursory look I recommend selecting an endpoint of interest and directly pivoting into the log analytics workspace so that you can use KQL to manipulate the data. This extends to workbooks were with some effort you can build hunting-like dashboards that allow your team to easily glide over alot of data quickly. Below is an illustration of a workbook I use personally.




Adaptive Application Control


With Defender for Endpoint deployed via Defender for Cloud we can implement a really powerful app control feature that utilizes machine learning to build lists of apps that should be permitted and provide recommendations back into the CSPM page highlighted before


Once enabled Adaptive Application Control is largely divided into 3 sections: - 

  • Implemented rules 
  • Recommended Rules 
  • Ineligible assets 


Navigating around the interfaces you can setup rules that will generate alerts when EXEs, Scripts or MSI files become present on an asset but are not within the rule. The recommended applications are those present frequently across your assets. Where you can stick to defining rules that are as restrictive as possible including what identities you expect to use the application.





Note: If this recommended application list grows you will receive an alert titled ‘Allowlist rules in your adaptive application control policy should be updated’ so make sure you have notifications enabled for this recommendation.





Summary


Hopefully, with this first post, you can start to see that there are a lot of controls beyond “just installing MDE” for endpoints and that really it is an injustice to conduct tests without the exhaustive list of endpoint protective measures enabled. In this post we: - 


  • Enabled CSPM in Defender for Cloud for recommendations on configurations 
  • Deployed Defender for Endpoint Plan 2 
  • Enabled an additional telemetry stream for EventIDs 
  • Highlighted FIM and its effectiveness 
  • Highlighted Adaptive App Control 


What’s Next? 


In the next post we will be exploring the configurable controls within the Defender 365 portal and even expanding into the advantages of using Microsoft Sentinel and Defender for Identity in conjunction with Defender for Endpoint for expanded visibility on endpoints.

Popular

Brilliance in the Basics

Image
Introduction Tired of watching you and your friends get compromised, do exactly what's in this blog and start beating adversaries. Avoiding the memes adversaries win because of simple mistakes and neglect and we all already know what they are so I'm going to list them for you. Its all for free too. Enumerate To put it simply, there shouldn't be anything you don't know about your environment, you should know who all your users are, where all your electronic devices are and what they do, what applications you have and what versions they are. Enumeration is the jet fuel for making good defensive decisions. I wrote about how to enumerate your environment here  Securing your estate: The First Step (goblinloot.net) . Follow these steps and become the arbitrator of your own environment  Your perimeter is a bridge, not a wall Monitor your perimeter as best as you can but always assume it has already been defeated. Monitor endpoint system and process telemetry and southwest traf
Read more

Investigate

Image
  Introduction This document details how an analyst should conduct investigations and triage in the normal duties of their job. It will describe concepts and logic that enable analysts to look at data, ask investigative questions, evaluate those questions and arrive at assertions about what they have found. An Alert For the most part, analysts begin their investigative work when an alert is generated. Alerts are fantastic because they are a statement that something has happened and something needs to be done about it. Typically alerts are filled with information that an analyst can then use in their investigation. Alerts are generated by detections and these detections can come in many shapes and sizes. Some just look for a particular action like someone unlocking their car door, others might have access to more context like someone who isn’t the owner of the car unlocking the door. Going even further some detections might look at how the car door was opened or at what
Read more

Endpoint on Adrenaline 3

Image
Introduction Now that I have covered the advanced features obtained from Defender for Cloud and the complexities of Defender for Endpoint with the objective of delivering as much protection as possible to the endpoint, I will now explore how to expand on this greatly and open up even more use cases. Microsoft Sentinel This technology will allow us to unify and correlate data generated by other controls. I have decided to deploy Microsoft Sentinel into 4 primary categories : System Administrator - Asset Uptime, Application Inventory, Device configuration and Troubleshooting Network Engineers - Netflow and session traffic, violations and alerts for potential issues Threat Detection - Analytics and playbooks Threat hunting - Workbooks & Machine learning Using Microsoft Sentinel we can achieve a plethora of incredibly powerful use cases with Defender 365 endpoint data. Below is an illustration of how my SIEM works to enable analysts to prevent and detect threats Data Sources In order t
Read more

Writing detections when stuck with EDR

Image
Introduction Making the leap to purchasing and maintaining an EDR solution can be huge for organisations so huge in fact that they never really progress from there when it comes to visibility on assets. This is an important consideration because organisations should aim to achieve some level of detection engineering but will likely never get to explore the associated complexities. So how can organisations effectively and easily write detections that actually help to protect them when they are only able to leverage an EDR tool. Understanding your tools limitations To most people EDR tools are incredibly verbose in the telemetry they capture from any given asset but unfortunately relative to overall telemetry available they actually only capture what the vendors think is the most pertinent. This is for obvious reasons because ingesting telemetry at the scale vendors do comes at a significant cost so they implement "cost-saving measures" like limiting the amount of any one given
Read more

Endpoint on Adrenaline Two

Image
Introduction Continuing on from my last post that captured using Defender for Cloud to gain powerful additional features on top of defender for endpoint to protect your endpoints we are going to take a closer look at Defender for Endpoint itself and extend into some endpoint-specific use cases for Defender for Identity that tie directly back into Defender for Endpoint. Firstly a really important consideration when configuring Defender for Endpoint is that alot of the heavy lifting from a prevention standpoint actually happens in Defender Anti virus. This means that while im going to briefly cover some settings to make sure Defender Anti Virus isnt hindering Defender for Endpoint im going to reserve further Defender Anti Virus controls to the next part in this series. This also of course means that when your doing your own testing just installing the MSSense agent (What you get from the scripts, intune etc) is actually not Defender for Endpoint in its totality so you simply can not m
Read more

Standardized Note Taking Format For Analysts

Image
  Introduction This post outlines a format for note-taking designed to aid analysts and ensure the knowledge they acquire over time is kept so that it can easily be consumed later. This format is designed to be technology agnostic so it can be applied to a note-taking tool or platform of the analyst’s choice. I designed this format because analysts often received what you could call unplanned information whereby at any given moment during their day they could learn something highly impactful to their role via any medium. This really exasperates the need for good note-taking practices for analysts. Illustrated above is the wireframe that analysts can implement into their note-taking platforms. Each section contains sub-sections that allow for different knowledge to remain segregated and more searchable. Meeting Notes Within any given week analysts can have countless meetings and so it is important to note down items from meetings for future review. Not every meeting needs to be capt
Read more

Why you need to be purple!

Image
 It's Bad For those who have worked with me for longer periods, you would have heard me say at least once that I don't believe in the commonly prescribed structure of blue and red team operations as much as there are good intentions behind the separation of operations, human behaviour has prevailed and there exists a quite toxic environment between the two (wrongly opposing) sides. This is a direct contradiction to  our purpose in cybersecurity which is to harden environments and increase resiliency to cyber-attacks. We need to change While purple teaming was not created to replace blue and red operations I have adopted it to do exactly that. Too often I experience clashes between red team operators and defenders whether its online shouting contests or during client engagements behaviour that does not support the iterative improvement of cybersecurity is simply not welcome. Particularly SOC analysts will know this as they will have experienced their fair share of red team eng
Read more

Investigate Two

Image
Introductions How you as an analyst handle true positives is life and death in the eyes of potential victims. Traditionally the industry elected to prioritize overzealousness and sending more than not to cover their failings, This however is no different to guesses and it is possible to arrive at strong data-backed decisions on events that could be the compromise of an estate True Positive True positives exist at the heart of all our jobs, they are what we wake up for in the morning and why we endlessly pursue understanding how to protect our clients. The strictest possible definition of true positive is where an outcome of a prediction or model is returned true. This broad definition is important because the assumption carried with a predication or model can change. As an example many security technologies aim to identify when an application often unwanted by an organization is present within a system, these are commonly dubbed PUPs. (Potentially Unwanted Programs). The general cons
Read more

Securing your estate: The First Step

Introduction A commonly forgotten fact within the cybersecurity industry is that most organizations are not equipped nor have started to form any sort of security program. This is the case for many reasons because most organizations are SMBs so they don't and likely will never have funds to purchase people and technology and the fact that the cybersecurity industry is incredibly toxic for low expertise and or low capability teams as the well of knowledge we all rely on has been poisoned by vendors and 'thought leaders'. With this in mind, I have created a small resource that will guide you through what you need to do to make a start. This resource won't reference vendors and I will try to avoid specific jargon. Enumerate The term 'You can't secure what you don't know' stands strong even to this day and should be your primary focus before you do anything else. Understanding what assets, you have both physically (computer hardware) and logically (applicati
Read more