Recently I completed my GCIA (GIAC Certified Intrusion Analyst) certification, which focuses on hunting for adversaries. The course and exam focus on monitoring, network traffic analysis, and intrusion detection. The benefit of this course is two-fold. First, it directly engages a skill set I utilize in the Air National Guard. Second, it gave me some direction on approaching hunting in the cloud, Azure specifically. Now I need to figure out some tools to use to accomplish this task. Oh, I know, Azure Sentinel.
I have been dabbling with Azure Sentinel since it came out last year. But lately, I have started to put it to real use with a customer. I always love to learn new things, and nothing makes you understand better than putting that technology to real-world use.
Azure Sentinel is a SIEM (Security Information and Event Management) / SOAR (Security Orchestration, Automation and Response) solution born in the cloud. Being cloud-native makes it easy to scale the storage and compute needed to retain and analyze the data.
Sentinel collects data by connecting to multiple data sources on your local network or in the cloud. You can connect to Azure logs, AWS, and Syslog, to name a few. I am not going to get into the in-depth details of Sentinel in this post. I will provide some excellent links to the documentation and learning path at the end of this blog.
The SANS SEC503 course and the corresponding exam go deep into packet analysis and intrusion detection tools. Great material, but the hunting mindset is what piques my interest the most. The coverage of anomalies and behaviors, and of modern and future monitoring, drove my thinking toward solutions for finding the things that are not normal.
Lucky for us, this is where Sentinel is strong out of the box. It utilizes artificial intelligence to find what is not normal in an environment. Based on established connectors, Sentinel learns. It also uses telemetry from Microsoft Intelligent Security Graph to assist an analyst in their hunting endeavors.
At the time of this writing, Sentinel has 122 developed queries. The focus of these queries is on various data sources like AWS Cloud Trail, sign-in logs, and Office 365. The tactic categorization is accomplished by using the MITRE ATT&CK (tm) framework. Using this framework should be a standard approach for an analyst.
Sentinel uses Kusto Query Language (KQL) for building robust queries for hunting. Using KQL and the built-in hunting queries is where I am beginning my correlation between what I learned in the course and what I want to expand upon with Sentinel in my cloud hunting journey.
The following is a scenario or task similar to what you would see in the course. First, I will create a simple solution using tcpdump to filter for some data I want to hunt further in the cloud. Let's say that you have a packet capture from a user's system that you suspect is communicating with a Command and Control for a botnet. In this case, the user's system is a zombie.
```
tcpdump -r zombie.pcap 'udp port 53 and !dst net 192.168.1' | cut -f 5,8 -d " " | sort | uniq -c
```
A quick breakdown of the command:
- tcpdump reads the pcap and filters for only DNS traffic that is not destined for the local network
- cut keeps just the destination resolver and the queried domain (fields 5 and 8 of tcpdump's output), basically
- sort puts the lines in order for the next command
- uniq -c groups the identical lines and gives us a count so we can do some long-tail analysis
So we may get a result like:
Well, it will not be as obvious as "evil". But if we see many calls to one particular domain, it may be worth investigating.
Now, we want to check out our environment using Sentinel queries to see if any other systems are looking for "bot.evilstuff.evil". We will do this by using KQL.
```
// Table assumed here: DestinationDnsDomain is a column of CommonSecurityLog (CEF data)
CommonSecurityLog
| where DestinationDnsDomain contains "bot.evilstuff.evil"
```
This simple query could return the results of other zombie systems. You can save this query as a hunting query with the tactic "Command and Control" so any analyst can run it. You could also create an analytics rule that fires an alert on any future results.
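To show how the tcpdump long-tail pipeline and the one-line domain hunt above can be carried into Sentinel, here is an added KQL example that is mine, not from the original post. It assumes DNS telemetry arrives in CommonSecurityLog (CEF from a firewall or proxy, column DestinationDnsDomain) and in DnsEvents (the DNS Analytics solution, columns Name and ClientIP); the lookback window and the domain name are placeholders to adjust for your environment. The two queries are independent and are meant to be run one at a time.

```kusto
// Added example, not the post's own query. Assumes CommonSecurityLog and DnsEvents
// are populated by your connectors; change the tables/columns if your DNS logs
// land elsewhere.

// Query 1: long-tail analysis, the cloud equivalent of
//   tcpdump ... | cut -f 5,8 | sort | uniq -c
// run across every host instead of a single pcap. Sorting ascending puts the
// rarely queried names first; those are often the ones worth a second look.
let lookback = 7d;                              // assumed window
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(DestinationDnsDomain)
| summarize QueryCount = count(), Sources = dcount(SourceIP) by DestinationDnsDomain
| order by QueryCount asc
| take 50

// Query 2: pivot on the domain pulled from the pcap and find every other system
// that resolved it, across both DNS sources, with first/last seen for scoping.
let lookback = 7d;                              // assumed window
let suspect = "bot.evilstuff.evil";             // domain from the pcap analysis
union
  (CommonSecurityLog
   | where TimeGenerated > ago(lookback)
   | where DestinationDnsDomain contains suspect
   | project TimeGenerated, Host = SourceIP, Query = DestinationDnsDomain, Source = "CommonSecurityLog"),
  (DnsEvents
   | where TimeGenerated > ago(lookback)
   | where Name contains suspect
   | project TimeGenerated, Host = ClientIP, Query = Name, Source = "DnsEvents")
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), QueryCount = count()
    by Host, Query, Source
| order by QueryCount desc
```

Query 2 is the one to save as a hunting query under the "Command and Control" tactic, or to wrap in an analytics rule; the summarize by Host gives you the list of candidate zombies directly rather than raw events. Switch `contains` to `==` once you know the exact name you want, to avoid matching look-alike subdomains.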
I wanted to quickly show you how standard hunting processes can be expanded to the cloud using Azure Sentinel. I know this was very high-level and simple. I will continue to build upon this approach in my day-to-day activities.