
Calling from Inside the House: How Nation States Use Your Domain to Compromise Your Cloud Infrastructure

BSides Vancouver · 2021 · 1:00:02 · 112 views · Published 2021-06
About this talk
Nation-state attackers increasingly leverage compromised on-premises domains to establish persistence in cloud environments like Office 365 and Azure AD, using sophisticated techniques that evade traditional detection. This talk details how threat actors abuse internal domain access, OAuth applications, and federation mechanisms to gain covert cloud foothold, examines detection strategies using unified audit logs and Azure AD sign-in events, and presents defensive approaches grounded in the MITRE ATT&CK and Azure AD attack matrices.
Original YouTube description
BSides Vancouver 2021 Calling from Inside the House: How Nation States Use Your Domain to Compromise Your Cloud Infrastructure During recent sophisticated attacks, threat actors targeted victims’ cloud infrastructure, most commonly Office 365 and Azure AD. In this talk, we'll discuss how threat actors use internal domain access to covertly gain persistence to Office 365 via Azure AD connections and subsequently gain access to potential crown jewels in your environment. More importantly, we'll discuss how to identify evidence of compromise in your available O365/Azure AD logs, methods available to determine exact e-mails or files accessed by the threat actor, and potential methods to defend against a similar attack in the future. Overall, sit back, get stressed, and be prepared to be simultaneously in awe and fear while understanding the capabilities of our most advanced adversaries.
Transcript [en]

Hi everyone, welcome to my BSides Vancouver 2021 talk called Calling from Inside the House, or more technically put, How Nation-States Use Your Domain to Compromise Your Cloud Infrastructure. So a quick intro about myself: my name is Alex Parsons, I'm a principal consultant at CrowdStrike on the cloud incident response team, and I live in Seattle, Washington. I've actually only been at CrowdStrike for about one month, and before that I worked at Stroz Friedberg, another cyber security consulting firm, for about five and a half years. While I was working at Stroz Friedberg I gave a few BSides presentations for Vancouver and Orlando on Office 365 incident response, and before I joined Stroz I wrote one of the first papers on Windows forensics while I was in college in Vermont. You can see a list of my certs if you care about those as well, and as always, opinions expressed are solely my own and do not reflect the views or opinions of my current employer CrowdStrike. And just so you can put a face to the name, here's a picture of me, also a comparison of before and during the pandemic: that is a picture of my cat on a sweater, and that's a picture of my cat not on a sweater, and here's a dog that I recently got. So that's a little intro about me.

So let's get back to the topic at hand. Do you remember when, around say 2010, 2011, when cloud started to become a thing, and everyone kind of looked at it very skeptically because the fear was always, well, the cloud is going to compromise my domain? I think something that's interesting about some of the attacks, and some aspects of the attack today, and what we're going to talk about in this presentation, is what happens when your domain is already compromised and they're using your domain to compromise the cloud, which is why this talk is called Calling from Inside the House. And this is a picture from the movie When a Stranger Calls, and I apologize if I've spoiled a 1979 movie, but I guess I have.

So honing in a little bit more on what we're going to talk about in this talk: the focus for this is going to be on a compromise in an Azure AD or an Office 365 environment. All Office 365 environments have Azure AD, and identity is a core component of these types of attacks, so that's why we're going to focus on those things. Additionally, although I would love to go into the nation-state attacks first, it is critically important to understand other types of threat actors at play, because the ways in which you detect those attacks are incredibly relevant with nation states. Something to think about over the past few years is that attackers are getting better and better. Threat actors are starting to find ways to bypass MFA, ransomware attackers are now starting to get into the BEC game, and something that was just a theory when I was in college is that supply chain attacks are no longer just a theory; we actually see them happening now. A good example is a few years ago when we saw NotPetya, and within the past year Solorigate, I don't think I'm pronouncing that right, but those types of attacks also involve supply chain attacks. So the goal of this is to kind of describe the different types of attacks by threat groups, detail how you detect those things, and then we'll talk about how do you prevent those things ahead of time.

We're going to start with the basics, but as I said, the basics are fundamental to being able to detect nation-state attacks, because the basic detection methods still apply to everything else. Speaking of which, it would be remiss of me to not talk about the O365 MITRE ATT&CK framework, which is something that's been developed I think within the past two years. Essentially what's great about the MITRE ATT&CK framework is they map out the techniques for all of the tactics listed here, so if you go to their website you can actually dive into the different types of tactics that you might be familiar with from host-based analysis and apply them to Office 365. It might help you kind of learn more about how cloud infrastructure actually works. I also have the Azure AD matrix in here as well, because that's also relevant.

Let's talk about how Office 365 artifacts are laid out. There's two different types: historical and current. Historical artifacts are probably what you're used to interacting with with a lot of cloud incidents, so think of your unified audit logs, your Azure AD sign-ins; with AWS it might be your CloudTrail logs, things like that. Your current artifacts are exactly what it sounds like: how is your environment currently configured. The question that I often get when I talk about the importance of both of these artifacts is, why do we care about current artifacts if I have the historical logs? If I see, for example, that an inbox rule was created a week ago and deleted two days later, why do I care about both? There's a lot of reasons, but a few of these is, well, what if you have persistence that you haven't detected within your roll-off period of your logs, and whenever you remediate you are always going to have a little bit of doubt that you didn't perform a complete remediation. So for those reasons I almost always like to collect current artifacts, even if it appears that you might have the full story from history.

So this slide, I'm not going to explain everything that's listed here, it's more of a reference slide. I've given other talks on how to analyze a lot of these types of logs, and that's a 45-minute talk on its own, but I just want to have this reference slide here so as I start discussing these log types you can reference them. In general, just know that these are the different types of historical logs on the left, and on the right you can see a subset of current settings that we often pull that then become relevant during an investigation. Now here's some additional resources. As I mentioned in the last slide, my BSides Orlando talk is available online. PwC also released a fantastic business email compromise guide; I would highly recommend checking that out. And in terms of automated tools, a Microsoft engineer created a community project called Hawk, and that is an excellent tool for getting started with pulling logs in an automated way. I do want to point out, ingest logs into your SIEM if you can, but if you can't, you can pull down the tool. The PwC Office 365 Extractor is also great for pulling unified audit logs, so those are again historical logs. The biggest thing here is definitely this Microsoft cloud incident response playbook, though. This is a newish playbook that released about a week or two ago, I think, and it is a fantastic playbook on how to go through some of these events, so I'd highly, highly recommend checking out the incident response playbooks linked here.

Now that I've bored you with describing different artifact types and descriptions of those artifacts, I figured I would give you this fun fact, which is that the Washington State ferry system is one of the most extensive ferry services in all of North America; it's actually number two when you look at the entire world. So hopefully that gives you a breather. All right, now that we're back on the topic, we'll describe the three different types of Office 365 incidents that are probably the most common. The first is the basic, it's the wire fraud incident, so the threat actor compromises a bunch of email accounts, eventually gets to your accounts receivable, and sends an email saying, hey, the CEO requests five million dollars sent to this random address ASAP, tricks somebody to send the money, and the money ends up going to the threat actor. Ransomware is a little more complicated than that. The ransomware attacks, rather than starting and almost residing entirely in Office 365 like the wire fraud attacks, start with malware infections and then, either in parallel or after the fact, end up compromising your Office 365 email environment, and the goal is to basically pressure you to pay more. But then finally there's the exfiltration and covert persistence incidents, we'll say, or in plain English, these are the nation-state attacks. So these are the three different attack types; we'll get more into detail soon.

So we'll start with the most common example of an Office 365 attack. You'll note that I have a difficulty rating here. This isn't a technical term, this is just how I tend to think about these types of attacks in my mind, so you'll see easy, medium ratings; it's just helpful for classification. Generally with these types of attacks they target organizations that don't have multi-factor authentication, and the initial attack techniques or initial access methods aren't terribly complicated. They either use a password leak that they find online from a company like, we'll say, Yahoo or Tumblr, whatever, one of those attacks, and take the passwords there and just attempt them on all the different types of Office 365 domains, or the most common method is via phishing emails: so send an email, convince somebody to click on the link that goes to a website owned by you, and get their credentials. Persistence typically is really simple, it's just compromise more users, and if somebody finds out your user is compromised then just get to anyone. And at the end of the day you just want money. So here's an email where it's legitimately sent by Kent, or not legitimately, but it's sent by that account, and Charles trusts Kent, so naturally Charles will then just send the money, but in reality it's sent by the threat actor and the money ends up going to the threat actor.

So here's a diagram of what a wire fraud life cycle might look like. It's pretty simple: it starts out with the threat actor sending a phishing email. The user will click on the link, and although the page will look like this, which is a normal Microsoft login, it'll actually be owned by the threat actor, and when the user enters their credentials it actually goes to the threat actor. The threat actor now owns those passwords and they can log into the account. So once the threat actor has accessed the account, they determine whether or not they have access to the right account, and you'll notice here there's a cycle icon here, and that's because threat actors will continue to compromise more accounts until they have access to the right one, such as accounts receivable, which might have the ability to actually perform the wire fraud. Another core component of these phishing attacks is that they rely on trust from other users, so if they're getting into a company environment they might email from a customer of the new victim. Additionally, inbox rules are a core component to hiding this activity, so on the right here you have an example where the threat actor might delete all emails that have words that say "you have been hacked", which would obviously, if the user were to legitimately receive that email, they would know that they've been hacked, right? Or if the phishing email itself or wire fraud has DocuSign in the name, then the threat actor would put that in the keyword list of things to hide. So once they have access to the account, they need to perform the fraudulent wire transfer. They will then send an email requesting, as we saw on the last slide, for the money to be sent, they end up getting the money sent, and the threat actor will then use all of the compromised accounts they have to spread the phishing campaign to more users, or more likely to additional companies. So that's that life cycle.

So here's a pretty fun example. Let's say Batman's email account is compromised. Batman is sending an email over to a friendly neighborhood Spider-Man that asks Spider-Man to click on a link and log in with his credentials. So Spider-Man does it; Spider-Man's now compromised and is sending phishing emails now over to Iron Man and Thor. Now Iron Man has a lot of money, so the threat actor now uses Iron Man's account to ask for 10 billion dollars for an Iron Man spin-off, and accounting at Stark Industries is ecstatic to hear from Iron Man, so of course they end up wiring the money over. Meanwhile the threat actor looks into Thor's email account, and Thor doesn't really have much money because he's from a different universe and everything, and the threat actor decides to just send out the war hammer raffle announcement, and a lot of people would love to be in a raffle for getting Thor's hammer, so the threat actor ends up compromising tons of credentials from the world. And that is a pretty simple but good example. The entire time you also have forwarding from Thor's account going over to totally-not-Joker at joker.com; who knows how it gets there, because I've broken the whole universe between Marvel and DC. So that's a pretty simple example.

So the next thing is, how do you detect that, right? And you'll notice again I break this down from historical and current settings. So some things that I mentioned, or how the threat actor was creating inbox rules, and that carries over here: these are the operation names that you want to look for within your unified audit logs. The other thing is that every single login, as well as the inbox rules themselves, they have IP addresses associated, so do GeoIP lookups for those IPs, see if they log in from a foreign country. I will say that more and more threat actors are using hosting providers based in the U.S., so don't just do, you know, one of those Splunk iplocation lookups; you want to look at ISPs. You see something from QuadraNet, that's probably bad, because QuadraNet is the hosting provider for the majority of VPN services. Doesn't necessarily mean it's bad, but it's likely that it's a consumer VPN service, and threat actors love consumer VPN services. Again, with the current settings you want to look at your inbox rules and your forwarding settings. Remember, inbox rules can also forward, so definitely want to make sure that you don't have forwarding going on in your environment.

Next I kind of want to talk about the wire fraud attacks, the medium difficulty, as I want to say, or what we're actually starting to see today, which is that threat actors who have a little bit of skill are starting to bypass multi-factor authentication, and they do so via three methods. There might be more, but these are the three I've seen. The first one is they'll just connect via legacy authentication, which is arguably the easiest. Basically Microsoft has two types of authentication, modern and legacy authentication. If your tenant is older than, I think it is August 2017, then you have legacy authentication enabled and you need to opt into modern authentication. Essentially, if you still have legacy authentication enabled, a threat actor can just log in with POP3 or IMAP or another legacy protocol like EWS or something, and they don't need two-factor authentication, they just get in: a complete, easy bypass. So definitely make sure you opt into that. But I want to move on to the other techniques. Token stealing is another method, so the idea is that the user clicks on the link, goes to the attacker's website, but it's actually acting as a proxy for Microsoft's actual website, so the user still sees the MFA token process going through. So they see, like, "enter your number" that you receive when you enter your MFA, and then the threat actor actually ends up stealing the token, or just the session, and then they have access for a period of time. And then for OAuth applications, that one I'll describe right now, which is that with OAuth it's similar to what you see on Facebook or LinkedIn or Twitter. On Facebook, for example, when you want to take that BuzzFeed quiz and they say, hey, can I access everything on your profile, and you say yeah, I want to see what Disney princess is the closest to me, so you say yes. Similarly, Office 365 has OAuth applications, where you might get a prompt that says, hey, I want to access your email. No problem, right? And for a medium to advanced attacker level they might rely on the user to actually click accept, and if you're lucky and you've compromised an admin, they check this box that says consent on behalf of your organization, and the next thing you know, the threat actor has access to everything in your environment. So that's that. I also want to briefly talk about how these OAuth applications rely on the Microsoft Graph API.

So everything you see here, it can interact with your calendar, your groups, your Microsoft Teams things; it can do so much, and it's incredibly powerful. So with great power comes great responsibility, or as we like to think of it, with great power comes a lot of evil. Again, I want to talk about why this is scary, because OAuth applications give the threat actor the ability to keep having access even through password changes, and it doesn't matter if you have MFA enabled. And if you, let's say, know that they accessed your email and sent a bunch of emails, and you think you're good after you do a password reset and even re-authorize all the MFA tokens, you're still not good. So it's something to keep on the radar. I haven't been seeing it widespread yet, but it's definitely going to happen, especially as more organizations adopt MFA. I also have this little diagram to kind of show you: log in through here, and then rather than the attacker stealing the password, they don't have to, I mean they could if they want to, but they could just rely on you hitting this accept button. How do you detect this? I have a list of operation names here that are often associated with OAuth. This is also going to be incredibly important as we talk about nation-state attacks, because OAuth persistence methods are incredibly relevant with those. So this is just an example of a little bit of JSON that you're going to get if you collect unified audit logs, that's what UAL stands for, if you collect unified audit logs for the operation Add app role assignment to service principal. You'll notice here that if you look closer you can see the Mail.Read value is being granted, because it says new value, and then you can see the fact that it says reading all mailboxes. This event is actually granting access to all mailboxes in the entire environment through the application named the mail analyze application. So that kind of went into detail, but at a high level for medium detections, medium difficulty, again, everything I talked about in the easy detections, the logons, even the inbox rules, those are still relevant with these attacks, so don't forget about the basics; we're just building on them and we're adding more knowledge to it. So here's additional operation names. Again, you always want to look at your current artifacts, because you want to be certain that you're actually remediating correctly. You want to make sure that you don't have any current compromises in your environment, so definitely take a look at that as well as your current admin privileges, because something I didn't mention is that sometimes they'll add users, especially the advanced threat actor. So they'll add users, and maybe they'll give one admin privileges, maybe they will give another normal rights, just regular email, and they might just leave that dormant to wait to get back in, right? This is also a really important concept for legacy authentication: you want to look at the BAV2ROPC user agents. That is the user agent that you're going to see that relates to legacy authentication. It used to be called CBAInPROD; these days you'll see BAV2ROPC. Another interesting thing is that for the attacks that bypass MFA, the token stealing events, as I'm calling it, I guess it might be more like, say, session stealing, you want to check your Azure AD sign-in events rather than your unified audit logs, because there are scenarios, especially with that, where you won't actually see the first login in your unified audit logs, but it will be present in your Azure AD sign-ins, and the IP address will be from the threat actor themselves.

The last one before we talk about nation state is this trend we're seeing where ransomware attacks are compromising the victims, and they're compromising their email accounts, and they're using that to pressure the victim. So why is this scary? Well, imagine if you're in the middle of an incident, you're trying to contain it, and the threat actor just sends a blast email out to the press and to maybe even your competitors to say, oh, this whole ransomware attack occurred and the company is completely unprepared and their security is terrible, right? That's the stuff that threat actors might say. It might not be true, it might be true, who knows, but it's incredibly damaging from a PR perspective. The other thing is, what if they could actually see email communications around ransom payment? What if you send an email to your insurance provider, or maybe you have a ransomware negotiator working with you, where you say the high end I can afford is eighty thousand dollars or eight million dollars, and then the ransomware actor, they might actually use that against you, right? And then the other thing is that they can use it as an extortion method to say, hey, you have a bunch of social security numbers here, or, you know, there's some performance reviews, something like that. They can use that and say, in addition to the ransom, which is now recently stealing data and threatening to release that data, they can also add emails to that list of things that they threaten to release. I think this is going to happen more and more, but we'll see. So overall it's used to pressure the payment of the ransom, and I'm not going to go into detail with the detection because it's actually the same as wire fraud.

The other thing to remember is that they sometimes will use something like QakBot to steal credentials from the compromised systems, and sometimes they actually compromise personal emails and it's not actually related to the corporate email, so just keep that in mind. So here's actually a really good example of a ransomware attack where their Office 365 environment was also compromised. Basically there was a company that was compromised by the LockBit ransomware group, and after they were frustrated, at first I just presumed that they weren't getting paid based on the threat actor's tactics, but they then mass emailed a bunch of press and UK newspapers and they basically tried to embarrass the victim in order to pressure them to pay the ransom. So just something to keep in mind, and you're gonna see it more and more for sure, hopefully not. Now that I talked about all this, here's a fun fact about Seattle again. Seattle currently has 15 light rail stations and they will be adding 30 rail stations within the next four years, which is super exciting to me living in Seattle, and then I also kind of grouped in everything from 2025 to 2041 and I'm saying there's 42 stations coming there, but that is so far in the future, I don't even know if that number counts. Anyway, so let's get into nation-state behaviors next.

All right, so let's talk about how nation states are different from normal attackers. To me this is honestly really fascinating. So in a normal attack you're going to get logins from foreign IP addresses; however, from a nation-state attack you're going to get logins from a corporate IP address, which obviously makes things incredibly difficult to detect, because it's going to look normal, because they're compromising the devices in your network, you're going to see all the activity coming from your network, right? With a normal attack, or let's say a medium to advanced attacker, the attacker is going to create new OAuth applications, maybe even applications that they own that are cross-tenant, just to make their lives easier. However, with a nation state they're going to be a lot stealthier, and they're going to modify the existing OAuth applications that you have in your environment. So again, the logins are coming from your IP addresses and modifying your OAuth applications, which makes it so much harder to detect. Additionally, a medium to advanced attacker might also create a bunch of admin accounts to create persistence, which is pretty smart, but the items that a nation state might do are kind of next level, in the fact that they may create an addition to or, like, modify your federation, your federated domains, so that they're setting up an ADFS server in their own environment but connecting it to your cloud environment. Essentially, overall, it's just, like, next level persistence mechanisms.

it's pretty impressive so here's the scenario we're talking about the thread doctor has domain ad privileges we'll say it's through a supply chain attack we've seen that in solar gate or i know there's like a thousand different names for that attack but i won't try to name them but that's an example of a nation state through supply chain having access to your domain your domain controller syncs with office 365 via adfs so in order to talk about that let's talk about how that how that syncing is happening and and it's with azure ad and to talk about why this matters here's the stag so the compromise start happens in your regular active directory on premise as we mentioned

the threat actor already has access to your domain compromise end the goal of the threat actor is to gain access into your quality infrastructure so azure ad is kind of the broker between that that lets you center centralize your identity management with your active directory which is exactly how third actors are going to then get into your cloud this also isn't limited to just office 365. azure active directory can connect to aws it can connect to your github instance you could you know anything your single sign-on connects to so the advanced adversary life cycle looks kind of like this i start with the number zero because it's i don't know i thought i was being funny

with zero day but maybe not so the thread after starts by pushing out the supply chain attack that i'm talking about the company then because i mean everyone lets students don't update if you have good security you're keeping up to date with updates right so they push out the update and when they push out the update the threat actor now has say an account with domain admin privileges in your environment they then use that account to pivot to office 365 cloud using a golden sample attack and we're going to talk a little bit about how a gold and single attack works as well but the key point is that it gets accessed into office 365 so this is the pivot

point to office 365 they're in office 365 and azure id again office all office 365 environments have azure ad accounts and the threat actor can then use that let's say global admin account in office 365 to cr to add oauth applications sorry to add mail.read privileges to an existing oauth application which then creates the ability to the thread actor then tie in via a new secret and we're going to go through this step by step again so if you're lost that's fine something to point out is that this activity is all using internal id addresses so detecting this is really tough and step three we'll say is if the actor then uses that new access

they have to the cloud now to use an oauth application they built to search around your email environment maybe even your sharepoint environment and gain access that email something i also mention here is that the doctor might also create additional admin accounts for persistence a lot of things that we've seen in the easy and medium areas as well so we'll talk about this golden samuel attack the gist of it is that you have trust with your domain controller and that domain controller trusts the office 365 environment they use this all happens via adfs and essentially a threat actor because they're doing an admin and domain admins need to work with adfs quite frequently they have the

ability to then basically abuse saml to gain access to any user in office 365 it doesn't matter if they have mfa enabled it bypasses it as i said before it can work with aws or anything that really has sso or single sign-on integration with your azure energy environment and again it's not like anyone can do this you have to have domain admin privileges first so the question is then how do you detect these golden sample attacks right and the good news is that splunk has created an excellent blog post detailing the types of events that you want to look for to try and detect a disabled attack bad news is that unfortunately a lot of

these event types are enabled by default so if you're watching this presentation and you have influence on what events are enabled you should take a look at this blog post here that will describe for you which events you actually want to enable the next question is then how do you detect a golden sample attack within the office 365 blocks right so there's this kind of an anomaly of a a number that's found within the user login events that was identified i believe by cesa and when you find this one six four five seven event it sometimes indicates that samuel forgery has occurred i do want to point out that sometimes it'll create false positives specifically around accounts that are

guest accounts or external accounts like the cross tenant logins however if you see it with logins with your tenant it it will potentially be related to a golden salem attack another thing i want to mention though is that sisa has added a little bit of language that to me might indicate that this 16457 event might not actually be logged anymore so it might only apply to 2020 events not 100 certain on that but that's the interpretation i get from this quote feel free to correct me though here's a chart that was created when i was working at straws free bird four blog posts that i i helped out on it essentially lays out this type of attack so it starts with

the thread after adding a mail.read permission to a legitimate oauth application that has always existed in your environment once the thread doctor adds this mail.read application they can then run some queries via the rest api to get messages from a user there's also a lot of pretty powerful filtering capabilities and once they run that query you'll see here the result of that query which is the emails themselves so it's pretty simple to add application access with mail.read with an existing application and then they can do whatever they want it's simple but a lot of people don't look for this now that i've talked about what one of these tags might look like in concept let's talk about

what it actually looks like from the front end. So what's helpful is that Stroz Friedberg created a really nice proof-of-concept application that uses the Microsoft Graph API; they have instructions on how to set it up here. Before you actually run the code that's in GitHub, you have to do a little bit of setup in your test environment within the Azure portal, and it's pretty simple. This is exactly what it looks like: just create your application, then you add the right permissions. For me, I had to add the Mail.Read permission, and that's how you set it up. One thing I want to point out is that although in the proof of concept you create the

application, in a nation-state attack you might see that the threat actor will take an existing application and add permissions to it. So that's step two in this process. As I mentioned before with Mail Fetch, this is where it has all the permissions added; all you need to do is run the OAuth application you created and get the data. And here's an example of a top-secret document being discovered through the application. This is just a chart that I already went over, but it's here if you want to take a look again. But we went through all these steps; there are some additional persistence mechanisms that threat actors tend to use, which are

creating additional OAuth applications, creating other admin users, and another item is adding federation trusts. Federation trusts are so dangerous because if the attacker, say, creates an AD FS server and creates a federation trust, next thing you know they're essentially part of your domain, and all of that identity stuff is trusting it, and the AD FS server might not even be on your network, so you might not even be auditing it. The other thing is mailbox permission changes. We didn't talk about it too much, but there is a pretty common feature in Office 365 where you can give delegate access to other users, and threat actors might use their

admin privileges to grant, like, one user access to a large number of mailboxes and gain access. So how do we detect this? There's luckily a lot of tools here. I don't have enough time to go so crazy into detail with these; however, the main point is that there's a CrowdStrike tool, and I would not be a true CrowdStrike employee if I didn't name this. However, it is legitimately a pretty nice tool; it does focus on current artifacts rather than historical. Then you also have CISA's Sparrow and Mandiant's as well: Sparrow and Mandiant's Azure AD Investigator, as it's called. They both focus on both current and historical artifacts. And then there's also the tools I kind

of mentioned before, which is Hawk, which is more helpful when you need to go deeper down the road and start pulling on the rope of what the threat actor actually did,

and then I also mentioned the PwC O365 Extractor. A new tool I've seen lately is called the Azure AD Incident Response tool; it helps you get a deeper dive into your Azure AD.

As I mentioned before, Sparrow and Mandiant both look for historic artifacts, and I actually looked at the operations they filter on. They're all within unified audit logs; I took that list and combined it all, and this is what it looks like. So these are the types of events that it looks for. So you want to look for events that have an ID related to PowerShell, it's pretty common, and then there's also logins that have PowerShell literally in the name. So if you add the -FreeText parameter onto your PowerShell command to search unified audit logs, you can search for these keywords as free text. Same with the SAML-related thing, although as I mentioned it

might only apply to 2020-related events. There's a few on here that you absolutely want to alert on if you have a SIEM: honestly, all of the OAuth events, and mailbox permission changes are also pretty significant, although you might get some false positives. I think if I had to pick one event to find nation-state attacks, it would be (I'll use green for fun) the "Update application – Certificates and secrets management" event, because if you have an application that already has global Mail.Read, the threat actor doesn't need to do any of this. They don't need to add any more permissions or any more

users; all they need to do is add a secret, copy that secret, and then they can get into your environment. And because that event is so important, I have a little case study here that kind of shows what that looks like on the back end. So you might already have a legitimate secret already listed for a regular application, and then the threat actor can just add a client secret, and hopefully they don't name it "totally not a backdoor", but that would also make your life easier to find it. And that's it: they then create that secret, and then they have enough information to start doing this. This is what it looks like on the

back end with historical artifacts, the unified audit logs. You're going to see the display name and "Password". Honestly, if you just alert on this every single time and just make sure that the user in question is actually creating a key or certificate, that will help you a lot, because OAuth applications are scary; they have a lot of power, so you want to pay close attention to that. With the automated tools I also did a comparison between Sparrow and Mandiant, and what's interesting is they are largely both the same; however, Sparrow has a few more things that it searches for, although not by much, and Mandiant also focuses more so on the folder permissions that are

changed. In terms of current artifacts, this is an example from CRT, or CrowdStrike's tool, that gives you a really good summary of what all these applications can actually access. I think you'll find that there are a lot of applications you totally did not know about that have complete access to all of your email, not always maliciously, but just from a hygiene perspective you might want to cut that down. And to make my life easier, I highlighted things that are worth investigating. So these permission types: "Application", from my experience, indicates that it is global rights. Look at the display name as well, although I mean these aren't bad in particular,

but you should be aware of what OAuth applications have such global access, right? So you should be able to look at your display names and see if it looks right to you. So I have here, definitely look at the permissions I have highlighted here: anything that's related to site reading, mail reading, file reading, so things to look into. And if it has "AllPrincipals" here, then that indicates, I believe, that it can access it for any user. And what's here in purple is just if you want to take a look at which users actually grant individual access, so not every application has global access, but some actually are granted on an

individual level. If you want to dive into that deeper, remember that pivot tables are your friend, so just by using that tab I then created a nice little pivot table that showed me, okay, how many users are actually granting Mail.Send access, right? This isn't a great example because my test environment is small, but just remember that pivot tables exist; they will help you. So let's kind of go back to the basics. Remember that nation-states still make mistakes; don't forget your detection methods, even for the easy ones. You still always want to look at the logins from foreign IP addresses or ISPs, because sometimes threat actors will actually log in through them, and sometimes,

when they start to get desperate, they get a little more reckless and they start to use tactics that might be caught via the easy detection methods. Same with medium. And one item I kind of want to talk about is how do you identify what emails are accessed, which is what every lawyer on the planet wants to know after they find out that you've been affected. You're going to need Office 365 E5 for all of the accounts if you really want to see the email access, because MailItemsAccessed is an operation that shows which emails are accessed, and it's only there with E5. The good news is that OneDrive or SharePoint can probably be determined with E5.

And again, plugging the blog post written by Aon Stroz Friedberg, it's right here if you want to take a look; it goes into more detail on how to actually look at it. This screenshot is pulled straight from the blog post. So let's say you know an application that was controlled by the threat actor. You then went to search the unified audit logs for that ID to see what was affected, and if you're lucky, you're going to get a MailItemsAccessed operation back, and then you're going to get, in the blue (it's a little cut off, so I apologize for that), but you'll see the message ID. The internet message ID can then be mapped back to

the subject name in either message trace logs or in PST files. Also wanted to note that Sparrow actually has a really helpful thing where it will investigate one specific application and return all the MailItemsAccessed events that interact with that application, so you can thank CISA. Now that I've given you a good idea of how terrifying these types of attacks can be, I imagine your next question is how do you prevent these things. So I'll list a few basic things you can do in your environment if you're not doing them already, and then in the next slide I'll list more advanced things. So number one, you of course want to enable multi-factor authentication,

and number two is to disable legacy authentication. If you don't disable legacy authentication, then enabling multi-factor authentication is almost pointless, because legacy authentication allows you to bypass multi-factor authentication, hence why legacy authentication should be disabled. Additionally, you want to probably, at a company level, start disabling automatic external forwarding, and if you're wondering, well, how do I do that, you can click on the link down below. This is a blog post that I helped write for Aon when I was working there; it's a pretty great blog post with a lot of resources on how to actually prevent these things. You also of course want to enable unified audit logs if you haven't already; it's a one-click thing and it doesn't

cost you anything. Other things you can do: you can configure mailbox audit logging, and although unified audit logs are restricted to 90 days, mailbox audit logs can go as far back as, I think, like four years or something like that for free; for unified audit logs you have to pay to get the longer retention. Additionally, you can require admin approval to add OAuth applications to your environment, so you have to have admin privileges to add an application. And then number seven, your users really are your most important tool for fighting phishing attacks, so security awareness training and just enabling the Report Message add-in is a really simple but helpful thing you can do, just so you can use your users

to help the fight against phishing. All right, so we've gone over the basics, but here are the harder things to do that are important. The first is perform security reviews on your third parties and vendors. As I mentioned before, the entire concept of these nation-state attacks lives within supply chain attacks, so theoretically, if you review your supply chain and your supply chain seems secure, then you're reducing the chance that a nation-state will get to you through that supply chain, right? Additionally, you want to regularly review your environment, so for example, check out your OAuth applications every year or every half year, however regularly you want; check your applications to make sure

that all the applications that have access to mail are supposed to. On the inbox rule and forwarding setting front, make sure that all the users that are forwarding emails to an external email, maybe some are legitimate, but ensure that they actually are forwarding legitimately, right? And also make sure that if you have any protections in place, make sure they still exist there, because threat actors like to change this. You also want to check your mailbox permissions; make sure nobody has access to 200 mailboxes. Again, forward your unified audit logs and your Azure AD sign-in logs into your SIEM, like Splunk or Humio, which CrowdStrike recently acquired, or ELK, what have you, and use that SIEM to alert on

the types of events that I mentioned in the other slides; it's also in the next slide too. And finally, a new product type that you can purchase is a CSPM, such as Falcon Horizon; there's others. It will help you make sure your cloud hygiene is good. And here are the things that you can use your SIEM to alert on that I was mentioning before. All right, well, that is the conclusion of my presentation. My Twitter handle is up here, so if you have any questions, feel free to message or @ me; I'll also share the slides there. I also wanted to give a special shout-out to both Carly and Partha; they

are Stroz Friedberg employees who did a lot of the really pivotal research that this presentation is based on, so it would be incredibly rude of me to not mention their names. I also just want to give a big shout-out to the entire consulting industry as a whole, because if you notice, I named just about every major consulting company under the sun in this presentation, and that's because a lot of the consulting companies did something that is a little uncommon, which is open-source a lot of their work and share their indicators of compromise in an effort to kind of step it up and respond to the Solorigate investigations. So shout-out to the whole consulting

industry. That's it; have a nice day.
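Added example, not part of the talk and not code from CrowdStrike, CISA, Mandiant or Stroz Friedberg: a small triage pass over unified audit log records that implements the detections the speaker walks through, namely the high-signal Azure AD and Exchange operations to alert on (the "Update application – Certificates and secrets management" event above all, with the newly added key's type and display name pulled out), the -FreeText style keyword search for "PowerShell" and "16457" with the guest/cross-tenant false-positive caveat, and mapping MailItemsAccessed events for one OAuth app back to InternetMessageIds. Input is one AuditData JSON object per line, the shape Search-UnifiedAuditLog returns. The operation names, the KeyDescription/ModifiedProperties layout, the AppId and Folders/FolderItems fields and the tenant domains are assumptions from memory of the UAL schema; verify them against your own export. All sample records are constructed.

```python
"""Triage of Office 365 unified audit log (UAL) records for the events the
talk recommends alerting on.  Field names follow the UAL schema as remembered
by the author of this example; treat them as assumptions."""
import json
import re

# Operations the talk singles out for SIEM alerting (assumed activity names).
HIGH_SIGNAL_OPERATIONS = {
    "Update application – Certificates and secrets management.": "app-secret",
    "Add service principal credentials.": "app-secret",
    "Add OAuth2PermissionGrant.": "oauth-grant",
    "Consent to application.": "oauth-grant",
    "Add app role assignment to service principal.": "oauth-grant",
    "Set federation settings on domain.": "federation",
    "Add member to role.": "admin-role",
    "Add-MailboxPermission": "mailbox-perm",
}
# Keywords searched the way Search-UnifiedAuditLog -FreeText would: the whole
# serialized record is scanned, so the exact field holding them does not matter.
FREE_TEXT_KEYWORDS = {"PowerShell": "powershell-activity", "16457": "saml-anomaly"}
TENANT_DOMAINS = {"contoso.example", "contoso.onmicrosoft.com"}  # assumed tenant

ENTRY_RE = re.compile(r"\[KeyIdentifier=[^\]]*\]")          # one credential entry
KEY_RE = re.compile(r"KeyType=(\w+).*?DisplayName=([^\]]*)")  # its type and name


def parse_records(lines):
    """One AuditData JSON object per non-empty line."""
    return [json.loads(line) for line in lines if line.strip()]


def added_keys(record):
    """Credentials present in KeyDescription's NewValue but not its OldValue,
    as (KeyType, DisplayName) pairs, i.e. the secret/cert the actor just added."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "KeyDescription":
            old = set(ENTRY_RE.findall(prop.get("OldValue", "")))
            new = ENTRY_RE.findall(prop.get("NewValue", ""))
            return [KEY_RE.search(e).groups() for e in new if e not in old and KEY_RE.search(e)]
    return []


def is_external(upn, tenant_domains):
    """Guest (#EXT#) and cross-tenant accounts are the 16457 false-positive case."""
    return "#EXT#" in upn.upper() or upn.rsplit("@", 1)[-1].lower() not in tenant_domains


def triage(records, tenant_domains=TENANT_DOMAINS):
    """Return one finding per matching rule; a record can yield several."""
    findings = []
    for rec in records:
        op, actor = rec.get("Operation", ""), rec.get("UserId", "")
        base = {"operation": op, "actor": actor, "target": rec.get("ObjectId", ""),
                "detail": "", "likely_false_positive": False}
        if op in HIGH_SIGNAL_OPERATIONS:
            cat = HIGH_SIGNAL_OPERATIONS[op]
            detail = ""
            if cat == "app-secret":
                detail = "; ".join(f"{t} '{n}'" for t, n in added_keys(rec))
            elif cat == "mailbox-perm":
                detail = ", ".join(f"{p['Name']}={p['Value']}" for p in rec.get("Parameters", []))
            findings.append({**base, "category": cat, "detail": detail})
        raw = json.dumps(rec)
        for kw, cat in FREE_TEXT_KEYWORDS.items():
            if kw in raw:
                fp = cat == "saml-anomaly" and is_external(actor, tenant_domains)
                findings.append({**base, "category": cat, "detail": f"free-text hit: {kw}",
                                 "likely_false_positive": fp})
    return findings


def mail_items_accessed(records, app_id):
    """InternetMessageIds read through one OAuth app (map them to subjects via
    message trace or PST).  'AppId' is the assumed field carrying the app GUID."""
    ids = []
    for rec in records:
        if rec.get("Operation") == "MailItemsAccessed" and rec.get("AppId") == app_id:
            for folder in rec.get("Folders", []):
                ids.extend(item["InternetMessageId"] for item in folder.get("FolderItems", []))
    return ids


# Constructed sample records; not real tenant data.
SAMPLE_UAL = """
{"CreationTime":"2021-01-05T02:14:33","Workload":"AzureActiveDirectory","Operation":"Update application – Certificates and secrets management.","UserId":"admin@contoso.example","ObjectId":"Application_LegacyMailConnector","ModifiedProperties":[{"Name":"KeyDescription","OldValue":"[[KeyIdentifier=aaa,KeyType=Password,KeyUsage=Verify,DisplayName=prod]]","NewValue":"[[KeyIdentifier=aaa,KeyType=Password,KeyUsage=Verify,DisplayName=prod],[KeyIdentifier=bbb,KeyType=Password,KeyUsage=Verify,DisplayName=totally not a backdoor]]"}]}
{"CreationTime":"2021-01-05T02:20:10","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"svc-backup@contoso.example","ObjectId":"Exchange Online PowerShell","ClientIP":"203.0.113.7","ResultStatus":"Success"}
{"CreationTime":"2021-01-05T02:25:41","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"guest_outlook.example#EXT#@contoso.onmicrosoft.com","ObjectId":"aaaaaaaa-1111-4222-8333-444444444444","ErrorNumber":"16457","ResultStatus":"Success"}
{"CreationTime":"2021-01-05T03:01:09","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"cfo@contoso.example","ObjectId":"aaaaaaaa-1111-4222-8333-444444444444","ErrorNumber":"16457","ResultStatus":"Success"}
{"CreationTime":"2021-01-05T03:05:00","Workload":"Exchange","Operation":"Add-MailboxPermission","UserId":"admin@contoso.example","ObjectId":"ceo@contoso.example","Parameters":[{"Name":"User","Value":"svc-backup@contoso.example"},{"Name":"AccessRights","Value":"FullAccess"}]}
{"CreationTime":"2021-01-05T03:10:12","Workload":"Exchange","Operation":"MailItemsAccessed","UserId":"cfo@contoso.example","AppId":"1b2c3d4e-0000-4000-8000-000000000001","Folders":[{"FolderItems":[{"InternetMessageId":"<m1@contoso.example>"},{"InternetMessageId":"<m2@contoso.example>"}]}]}
{"CreationTime":"2021-01-05T03:12:40","Workload":"Exchange","Operation":"MailItemsAccessed","UserId":"cfo@contoso.example","AppId":"deadbeef-0000-4000-8000-000000000002","Folders":[{"FolderItems":[{"InternetMessageId":"<m3@contoso.example>"}]}]}
{"CreationTime":"2021-01-05T03:30:00","Workload":"OneDrive","Operation":"FileAccessed","UserId":"alice@contoso.example","ObjectId":"https://contoso.example/personal/alice/Documents/notes.docx"}
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_UAL.splitlines())
    for f in triage(recs):
        flag = " (likely false positive)" if f["likely_false_positive"] else ""
        print(f"{f['category']:20} {f['actor']:55} {f['detail']}{flag}")
    print("messages read via app:", mail_items_accessed(recs, "1b2c3d4e-0000-4000-8000-000000000001"))
```

The free-text scan deliberately mirrors the talk's advice to search by keyword rather than by field, which is why the 16457 hit for the guest account is kept but marked as a likely false positive instead of being dropped; an in-tenant 16457 hit is the case worth escalating. Run it over a real export by replacing SAMPLE_UAL with the AuditData column of a Search-UnifiedAuditLog result.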