Sharing Microsoft learnings from major cybersecurity incidents

This post is authored by Mark Simos, Director of Business Development and Strategy, Enterprise Cybersecurity Group

Microsoft has assisted customers with investigation of, and recovery from cybersecurity attacks for well over a decade. This effort began informally when our IT department and product groups came to the aid of customers encountering attacks in their environment. Since those early days, the volume and complexity of incidents has required Microsoft to scale up its efforts to include full-time professional investigation and recovery teams. These teams are typically engaged on one or more major investigations on any given week throughout the year. If you are experiencing a targeted attack, you can rapidly engage our Global Incident Response and Recovery teams through Microsoft Premier Support.

Incident Response Reference Guide

Because the challenges that our customers face during incident response and recovery are both technical and non-technical, we recently embarked upon an effort with partner organizations, to provide our customers comprehensive incident management guidance.

The results of this effort have been compiled into an Incident Response Reference Guide. It is available for download, and we are distributing a printed version at the Microsoft booth during the RSA conference in San Francisco, this week.

This guidance describes the learnings and recommendations that our organizations have made along the technical, operations, legal, and communications dimensions. It is designed to help you prepare for and meet critical needs during a major cybersecurity incident, as well as to avoid common errors.

The recommendations in this guide can help organizations prepare for, and address many severities of security incidents, though it is primarily focused on major incidents where administrative access has been compromised.

This guidance is designed to enable you to:

  1. Prepare for a crisis by reducing risk to your organization
  2.  Better manage a crisis, whether or not you have made prior preparations

The tips and guidance in this document are designed to provide insights to organizations facing their first incident, as well as seasoned professionals that manage persistent adversary operations regularly. It is based on our collective experiences across a wide range of Fortune 1000® companies and government agencies. We would love to hear your feedback on how this document helped you and how to improve it. You can reach us at CyberDocFeedback@microsoft.com.

Beyond the Guide

As our teams travel the globe helping customers and fighting cybercrime, the learnings from this work continuously influences Microsoft products, public guidance, and how we help future customers. Several key pieces of guidance we published have been informed by this experience including, Versions 1 and 2 of Mitigating Pass-the-Hash and Other Credential Theft, Best Practices for Securing Active Directory, and a new type of guidance that outlines a prioritized security strategy for these attacks, Securing Privileged Access (SPA) roadmap (online SPA training available here). Microsoft has also contributed to efforts like the NIST 800-184 Guide for Cybersecurity Event Recovery to share our lessons learned.

Additionally, many of our products and features have been directly influenced by our incident response and recovery experience. These include Windows Defender Advanced Threat Protection (ATP), Advanced Threat Analytics (ATA), Windows Server 2016 Shielded VMs, Virtualization Based Security (VBS) in Windows 10 that includes Credential Guard, Microsoft Identity Manager’s Privileged Access Management Capability (MIM-PAM), and many others.

The measure of what causes an incident to have a major impact to an organization varies, depending on the business or missions. However, we have found most major incidents involve the compromise of administrative access to most or all enterprise IT systems (as happens in targeted attacks frequently reported in the press). Based on the prevalence of credential theft techniques that lead to compromise of administrative rights, Microsoft has open sourced the build instructions for building privileged access workstations (PAWs) that our cybersecurity professional services personnel deliver. This architecture is based on learnings from attacks on our customers as well as experience deploying secure access workstations internally for administrators of our own IT systems.

Learn from over a decade of experience helping our customers recover from major incidents by downloading the Incident Response Reference Guide today.

from Microsoft Secure Blog Staff

Integrating OpenCanary & DShield

Being a volunteer for the SANS Internet Storm Center, I’m a big fan of the DShield service. I think that I’m feeding DShield with logs for eight or nine years now. In 2011, I wrote a Perl script to send my OSSEC firewall logs to DShield. This script has been running and pushing my logs every 30 mins for years. Later, DShield was extended to collect other logs: SSH credentials collected by honeypots (if you’ve a unused Raspberry Pi, there is a nice setup of a honeypot available). I’ve my own network of honeypots spread here and there on the Wild Internet, running Cowrie. But recently, I reconfigured all of them to use another type of honeypot: OpenCanary.

Why OpenCanary? Cowrie is a very nice honeypot which can emulate a fake vulnerable host, log commands executed by the attackers and also collect dropped files. Here is an example of Cowrie session replayed in Splunk:

Splunk Honeypot Session Replay

It’s nice to capture a lot of data but most of them (to not say “all of them”) are generated by bots. Honestly, I never detected a human attacker trying to abuse of my SSH honeypots. That’s why I decided to switch to OpenCanary. It does not record a detailed log as Cowrie but it is very modular and supports by default the following protocols:

  • FTP
  • HTTP
  • Proxy
  • MSSQL
  • MySQL
  • NTP
  • Portscan
  • RDP
  • Samba
  • SIP
  • SNMP
  • SSH
  • Telnet
  • TFTP
  • VNC

Writing extra modules is very easy, examples are provided. By default, OpenCanary is able to write logs to the console, a file, Syslog, a JSON feed over TCP or an HPFeed. There is no DShield support by default? Never mind, let’s add it.

As I said, OpenCanary is very modular and a new logging capability is just a new Python class in the logger.py module:

class DShieldHandler(logging.Handler):
    def __init__(self, dshield_userid, dshield_authkey, allowed_ports):
        logging.Handler.__init__(self)
        self.dshield_userid = str(dshield_userid)
        self.dshield_authkey = str(dshield_authkey)
        try:
            # Extract the list of allowed ports
            self.allowed_ports = map(int, str(allowed_ports).split(','))
        except:
            # By default, report only port 22
            self.allowed_ports = [ 22 ]

    def emit(self, record):
        ...

The DShield logger needs three arguments in your opencanary.conf file:

"logger": {
    "class" : "PyLogger",
    "kwargs" : {
        "formatters": {
            "plain": {
                "format": "%(message)s"
            }
        },
        "handlers": {
            "dshield": {
                "class": "opencanary.logger.DShieldHandler",
                "dshield_userid": "xxxxxx",
                "dshield_authkey": "xxxxxxxx",
                "allowed_ports": "22,23"
            }
        }
    }
}

The DShield UserID and authentication key are available in your DShield account. I added an ‘allowed_ports’ parameter that contains the list of interesting ports that will be reported to DShield (by default only SSH connections are reported). Now, I’m reporting many more connections attempts:

Daily Connections Report

Besides DShield, JSON logs are processed by my Splunk instance to generate interesting statistics:

OpenCanary Splunk Dashboard

A pull request has been submitted to the authors of OpenCanary to integrate my code. In the mean time, the code is available on my Github repository.

[The post Integrating OpenCanary & DShield has been first published on /dev/random]

from Xavier

[SANS ISC Diary] How was your stay at the Hotel La Playa?

I published the following diary on isc.sans.org: “How was your stay at the Hotel La Playa?“.

I made the following demo for a customer in the scope of a security awareness event. When speaking to non-technical people, it’s always difficult to demonstrate how easily attackers can abuse of their devices and data. If successfully popping up a “calc.exe” with an exploit makes a room full of security people crazy, it’s not the case for “users”. It is mandatory to demonstrate something that will ring a bell in their mind… [Read more]

[The post [SANS ISC Diary] How was your stay at the Hotel La Playa? has been first published on /dev/random]

from Xavier

Upgraded Microsoft Trust Center adds rich new content

This post is authored by David Burt, Senior Product Manager, Cloud Platform Marketing

A little over a year ago, we launched the Microsoft Trust Center at www.microsoft.com/trustcenter, which unified trust-related resources across our enterprise cloud services.  This week, we launched a completely redesigned and greatly expanded site with new content including EU General Data Protection Regulation (GDPR) guidance, audit reports, and security assessments.

The Trust Center is an important part of the Microsoft Trusted Cloud initiative and provides support and resources for information professionals, as well as the legal and compliance community.  The Trust Center offers a rich set of resources, including in-depth information about security, privacy, and compliance offerings, policies, features, and practices across our cloud products, including Azure, Dynamics 365, Office 365, Power BI, Visual Studio Team Services, and Windows Server 2016.  Each content area is supplemented by a curated collection of hundreds of the most applicable and widely-used resources for each topic.

New enhancements to the Trust Center include:

We are committed to providing you with guidance, documentation, and support you need to meet your security, privacy, and compliance goals. We will continuously improve the Trust Center to help make your job easier.

Visit http://www.microsoft.com/TrustCenter

from Microsoft Secure Blog Staff

Think Twice before Posting Data on Pastebin!

Pastebin.com is one of my favourite playground. I’m monitoring the content of all pasties posted on this website. My goal is to find juicy data like configurations, database dumps, leaks of credentials. Sometimes you can find also malicious binary files.

For sure, I knew that I’m not the only one to have interests in the pastebin.com content.  Plenty of researchers or organizations like CERT’s and SOC’s are doing the same but I was very surprised by the number of hits that I got on my latest pastie:

Pastebin Hits

For the purpose of my last ISC diary, I posted some data on pastebin.com and did not communicate the link by any mean. Before posting the diary, I had a quick look at my pastie and it had already 105 unique views! It was posted only a few minutes before., think twice before posting data to

Conclusion: Think twice before posting data to pastebin. Even if you delete quickly your pastie, there are chances that it will be already scrapped by many robots (and mine! ;-))

[The post Think Twice before Posting Data on Pastebin! has been first published on /dev/random]

from Xavier