Hunting for Anomalous Identity Usage behavior with MITRE ATT&CK using Microsoft Defender for Identity

Andre Camillo, CISSP
Published in Microsoft Azure
5 min read · Oct 17, 2022

TL;DR: identity anomaly detection with Microsoft Defender for Identity: how it works, and more below.

Identity management in modern environments is a difficult subject to tackle.

Here’s why:

  • There are all the complexities of on-premises environments that have evolved to sync with cloud services.
  • Then we have enterprises adopting cloud IAM solutions without fully migrating to them, because of gaps in feature coverage and in support for legacy or bespoke applications.
  • The growth of machine identities has also sped up the adoption of cloud IAM, while creating more complex scenarios to manage and to defend against attacks.
  • These disparate architectures increase the number of tools that admins have to deal with, and with it the attack surface and risk in these enterprises. They also make detection and response harder: telemetry has to be ingested from multiple sources and then queried or hunted in different ways for what is (in theory) the same kind of information: identity information.

With that said, we are still years away from dismantling these hybrid environments, because of the many application use cases that depend on on-prem identities and other factors such as trust in the cloud. The practical solution for now is the best possible integration between the two worlds. Microsoft's integration of on-premises AD with Azure AD aims at exactly that, and the product that provides detection of identity attacks against these on-premises environments is Microsoft Defender for Identity, or MDI for short.

./MDIhistory

A bit of background on MDI, from this source (Paul Schnackenburg):

It started with a company (Aorato) and product that Microsoft acquired back in 2014 which was turned into Advanced Threat Analytics (ATA), an on-premises security solution for monitoring AD.

The cloud-based evolution of ATA was initially called Azure Advanced Threat Protection (AATP) which was a bit confusing as it had nothing to do with Azure (apart from being hosted there). It later changed its name to Defender for Identity to take its place in the overall Defender family.

Currently, Defender for Identity is included in the Microsoft EMS E5 and Microsoft 365 E5 security bundles (see Microsoft's licensing reference). It can be bought standalone as well.

./MDIarchitecture

MDI as described by Microsoft is:

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

The solution architecture is quite straightforward. It is comprised of these components:

  • Sensor: installed directly on domain controllers (on-prem) or AD FS servers. It forwards to the MDI cloud service the Active Directory entities, the parsed network traffic and the Windows events related to identities.
  • MDI cloud service: MDI management and its analysis centre, hosted in Azure.
  • MDI management portal: lives inside Microsoft 365 Defender. It syncs activities and alerts to and from the MDI cloud service into Microsoft 365 Defender for management.
source: Microsoft Defender for Identity architecture | Microsoft Docs

./MDISignals

As seen in the public documentation referenced above, MDI uses different signals to determine anomalous behavior. These include:

  • Active Directory entities and authentication traffic
  • Parsed network traffic
  • Windows events and traces
  • Correlation with

By correlating information from these different sources, MDI is able to surface unusual activity.
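As an added example (this is not code from the original post), here is how those correlated signals can be hunted in Microsoft 365 Defender Advanced Hunting, where the authentication traffic parsed by the MDI sensor lands in the IdentityLogonEvents table. The query looks for the classic password-spray shape: one source IP failing against many distinct accounts in a short window, followed by a success from the same IP. The ActionType values, column names and thresholds are assumptions about the table schema and about your environment, not something the post states.

```kusto
// Added example, not from the original post or from Microsoft docs.
// Hunts for password-spray behaviour in IdentityLogonEvents (MDI sensor data).
// Assumptions: ActionType is "LogonFailed" / "LogonSuccess", the columns
// below exist with these names, and the thresholds suit your environment.
let lookback = 1d;                 // how far back to search
let window = 10m;                  // spray window and follow-up success window
let min_distinct_accounts = 20;    // distinct accounts one IP must fail against
let attempts =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(IPAddress)
    | where ActionType in ("LogonFailed", "LogonSuccess");
// 1. Spray candidates: a single source IP failing against many accounts
//    inside one time bucket.
let sprayers =
    attempts
    | where ActionType == "LogonFailed"
    | summarize FirstFail = min(Timestamp), LastFail = max(Timestamp),
                Accounts = dcount(AccountName), Failures = count(),
                Protocols = make_set(Protocol)
            by IPAddress, Window = bin(Timestamp, window)
    | where Accounts >= min_distinct_accounts;
// 2. Correlation: the same IP then succeeds for some account shortly after
//    the last failure. That is the row worth escalating.
sprayers
| join kind=inner (
    attempts
    | where ActionType == "LogonSuccess"
    | project IPAddress, SuccessTime = Timestamp, SuccessAccount = AccountUpn,
              SuccessTarget = DestinationDeviceName
  ) on IPAddress
| where SuccessTime between (LastFail .. (LastFail + window))
| project Window, FirstFail, LastFail, IPAddress, Accounts, Failures, Protocols,
          SuccessTime, SuccessAccount, SuccessTarget
| order by SuccessTime desc
```

Tune min_distinct_accounts and window to your baseline; a jump host or a VPN concentrator that legitimately fronts many users will show up as a spray source unless it is excluded or the threshold is raised.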

./MDIvsNIST

With this data, it can help in several functions of the NIST Cybersecurity Framework:

Cybersecurity Framework | NIST

All according to Microsoft documentation:

  • Protect: user identities and credentials stored in Active Directory.

Defender for Identity security reports help you identify users and devices that authenticate using clear-text passwords and provide additional insights to improve your organizational security posture and policies.

  • Detect: identify and investigate suspicious user activities and advanced attacks throughout the kill chain.

Typically, attacks are launched against any accessible entity, such as a low-privileged user, and then quickly move laterally until the attacker gains access to valuable assets, such as sensitive accounts, domain administrators, and highly sensitive data. Defender for Identity identifies these advanced threats at the source throughout the entire cyber-attack kill chain.

  • Respond: provide clear incident information on a simple timeline for fast triage. Environments can also be automated to respond to compromised identities, as the documentation points out:

Quickly respond to compromised users by disabling their accounts or resetting their password.

./MDIcybersecurityValue

As described above, MDI can raise a number of alerts in different phases of the attack kill chain. The documentation is explicit about which alerts it can raise, which makes it straightforward to map them to attack techniques from MITRE's ATT&CK matrix.

Pragmatically, MDI provides security alerts mapped to known techniques across most MITRE ATT&CK tactics.

MDI adds a lot of value to an integrated XDR architecture and to threat hunting by adding visibility into identity usage.

I've created a mindmap relating MITRE ATT&CK phases to the security alerts that you get in MDI, based on the MDI security alerts list of mid-2022. Here's a glimpse.

MDI Security Alerts vs MITRE

If you want it High Res, get in touch.
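The same alert-to-technique view can also be produced on demand from live data. The following KQL is an added example, not part of the original post or of Microsoft's documentation: it groups the last 30 days of MDI alerts in Microsoft 365 Defender Advanced Hunting by alert category and ATT&CK technique, and lists the accounts involved. It assumes AlertInfo.AttackTechniques is a JSON array of strings that carry the technique ID in parentheses (for example "Brute Force (T1110)"), so the extraction relies only on that "(Txxxx)" or "(Txxxx.yyy)" pattern; the "User" EntityType value in AlertEvidence is likewise an assumption about the schema.

```kusto
// Added example, not from the original post or from Microsoft docs.
// Builds an MDI-alerts-vs-ATT&CK summary from Advanced Hunting tables.
// Assumptions: AttackTechniques is a JSON array of strings with the
// technique ID in parentheses; AlertEvidence uses EntityType == "User".
AlertInfo
| where Timestamp > ago(30d)
| where ServiceSource == "Microsoft Defender for Identity"
// One row per (alert, technique); an alert tagged with two techniques
// contributes to both technique rows below.
| mv-expand Technique = parse_json(AttackTechniques)
| extend TechniqueName = tostring(Technique)
| extend TechniqueId = extract(@"\((T\d{4}(?:\.\d{3})?)\)", 1, TechniqueName)
// Pull the user entities each alert was raised on.
| join kind=leftouter (
    AlertEvidence
    | where EntityType == "User"
    | project AlertId, Account = strcat(AccountDomain, @"\", AccountName)
  ) on AlertId
| summarize Alerts = dcount(AlertId),
            AlertTitles = make_set(Title, 5),
            Accounts = make_set(Account, 10),
            LastSeen = max(Timestamp)
        by Category, TechniqueId, TechniqueName
| order by Category asc, Alerts desc
```

Run it in the Advanced Hunting console; from any TechniqueId row, pivot back to AlertEvidence on the AlertIds to get the full entity list (devices, IPs) rather than the capped account set shown here.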

./integrations

And of course it integrates with other Microsoft solutions such as Microsoft 365 Defender (XDR) and, most importantly, it has a native data connector for Microsoft Sentinel.

./deployment

If you want to learn more about deploying MDI, docs.microsoft.com is the main source.

But there are heaps of good alternative sources to investigate, such as John Gruber's article (which I haven't reviewed myself, but it seems like a good source): What's Microsoft Defender for Identity? | by John Gruber | GitBit | Aug, 2022 | Medium

Learn more about my Cloud and Security Projects: https://linktr.ee/acamillo

Consider subscribing to Medium (here) to access more content that will empower you!

Thank you for reading and leave your thoughts/comments!


Cloud, AI and Cyber Security tech, Career, Growth Mindset. Find my Discord &more: https://linktr.ee/acamillo . Architect @Crowdstrike. Opinions are mine!