08. 11. 2024 Luca Zeni Blue Team, SEC4U, Threat Intelligence

SATAYO And SOC: Exchanging Data For Better Insight

In this post, we’ll explore the synergy between a Cyber Threat Intelligence (CTI) platform and a traditional Security Operations Center (SOC) service. For those interested in the topic, I recommend reading my previous article, where I demonstrated a concrete example of integration between our SIEM and SATAYO, the CTI platform we use in our SOC. However, this time we’ll shift the focus from integration to the real-world results of this collaboration. We’ll dive into a case that shows how this synergy can provide a more comprehensive understanding of threats, by analyzing them from two distinct and complementary perspectives.

The threat that will be analyzed involves an unauthorized access attempt to a Microsoft 365 account using compromised corporate credentials. The goal is to understand the causes of this incident and the effects it had. To do this, we’ll look at the incident from two separate perspectives: that of the SIEM and the CTI platform.

The SIEM Side

Date: Saturday, July 20, 2024, 00:37 AM
A series of alerts appeared on the SIEM, indicating a possible brute-force attack. Specifically, the rule “Attempts to Brute Force a Microsoft 365 User Account” was triggered. This rule activates when multiple failed login attempts are recorded for a particular user. The SIEM query that was triggered by this event is similar to the following:

event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or UserStrongAuthClientAuthNRequired or InvalidReplyTo) and event.outcome:failure

Through further analysis, important details emerged. The login attempts originated from multiple IP addresses, all flagged as malicious due to prior brute-force activity. None of these IPs were part of the corporate network, and none had been previously used to log in. Additionally, the unusual time of the login strongly suggested that a real-time attempt at unauthorized access was in progress, not a false positive.

The failed login attempts returned error code 50131 (ConditionalAccessFailed), which means that a conditional access policy set by the Azure AD administrator had blocked the login. There are several parameters for these policies, such as device type, authentication factors, and geographical location.We couldn’t understand which of these parameters were missing, but the important thing is that the accesses were blocked.

This analysis gave us critical insight into an attack in progress, showing an intermediate stage where compromised credentials were being used. However, the origin of these credentials remained unknown until nearly a month later…

The CTI Side

Date: Wednesday, August 14, 2024
On August 14th, our SATAYO Cyber Threat Intelligence platform detected suspicious company credentials being sold in two different underground marketplaces specializing in logs and access credentials obtained via malware stealers. The analysis of these logs showed an infection by not just one but two infostealer malware: Vidar and RedLine.

The compromised device was a private laptop, not part of the corporate environment. This machine had been infected by the malware, which exfiltrated various types of data, including credentials saved on the device. Among the stolen credentials were the login details for various Microsoft services, including the email account targeted in the brute-force attack a month earlier. What had initially been classified as a brute-force attempt turned out to be an unauthorized access attempt using compromised credentials from this infected device.

With this information, we were able to explain the earlier attack: the credentials used in the Microsoft 365 access attempt had been stolen through malware on the compromised laptop.

While the source of the credential theft was identified, the origin of the malware infection itself remained unclear. To investigate further, log files such as cookies, browser history, and the victim’s online activity were analyzed. Based on available data, two plausible hypotheses emerged:

  1. Downloading of unofficial software (cracked software) – The victim may have downloaded executable files from untrustworthy sources
  2. Unverified ZIP file downloads (via torrenting) – The victim’s download history showed several ZIP files from free-resource or file-sharing platforms, potentially leading to the malware infection

While we can’t say with absolute certainty how the malware was introduced, these are the most likely scenarios based on our analysis.

Conclusion

This case demonstrates the benefits of combining different approaches. Each solution, whether it’s the SIEM or a CTI platform, has its own strengths and limitations. A SIEM provides excellent monitoring and detection capabilities for events as they happen, but may not always reveal the origins of an attack. On the other hand, a CTI platform excels at identifying the source of a threat and providing proactive intelligence but may struggle to detect exploitation in real-time.

By combining the two, we were able to form a complete picture of the attack, allowing us not only to detect unauthorized access attempts but to trace them back to their origin as well. This synergy allows organizations to enhance security posture, providing broader visibility and more effective monitoring of potential attack surfaces.

These Solutions are Engineered by Humans

Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find cybersecurity issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.

Luca Zeni

Luca Zeni

Author

Luca Zeni

Latest posts by Luca Zeni

07. 06. 2024 Blue Team, SEC4U
Akira Ransomware: How to Make an Efficient Detection Rule
15. 03. 2024 Blue Team, SEC4U
SATAYO and SOC: in the New Midlands
26. 10. 2023 Blue Team, SEC4U
From Chaos to Case: How SLAs Make Life Better!
See All

Related Content

Tags: , , ,

30. 08. 2024 Blue Team, SEC4U

A Concrete Example of ES|QL and SOC Detection Rules

The purpose of this article is to show a real-life case study of the integration of the new Elastic ES|QL language within the detection rules used by the SOC to detect cyber threats. Overview ES|QL (Elasticsearch Query Language) is an Read More
16. 07. 2024 Blue Team, Red Team, SEC4U

Automate Business Processes with APIs: python-gvm

Have you already read this blog post Adding soar features to the soc part 1 vulnerability management? If not, you have to! It explains the SOAR features leveraged by the Würth Phoenix SOC and how we implement our Vulnerability Management Read More
07. 06. 2024 Blue Team, SEC4U

Akira Ransomware: How to Make an Efficient Detection Rule

In this article, we're going to explore an example of the process used to perform the initial steps of creating ad hoc detection rules based on specific events that mark the world of cyber security. Specifically, starting from a real Read More
14. 12. 2023 SEC4U

Enrichment of the Ransomfeed Project

There are community projects that, once implemented, become true points of reference. One of these is certainly the DRM - Dashboard Ransomware Monitor project. This project, founded by Dario Fadda in 2020, monitors ransomware groups through scraping activities, to store Read More
10. 01. 2023 Blue Team, SEC4U

Spam Trap Box – A Powerful Method to Detect Phishing Attempts

It's more and more common to receive emails asking for credentials. They usually say that there's some kind of issue that can only be solved by accessing the involved service using the link inside the message text. In most cases Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive