Microsoft Defender for Identity in Depth - Pierre Thoor - E-Book

Microsoft Defender for Identity in Depth E-Book

Pierre Thoor

Description

Written by a recognized cybersecurity expert, Microsoft Defender for Identity in Depth not only lays the groundwork for deploying and managing MDI, but also takes your knowledge to expert levels, enabling you to strengthen your organization against the most advanced cyber threats.
You’ll familiarize yourself with the essentials of MDI, from seamless setup to leveraging PowerShell for automation, setting the stage for exploring advanced integrations and capabilities. Through practical, real-world examples, you’ll learn how to extend MDI’s reach by using APIs and conducting proactive threat hunting with KQL to turn insights into actions.
The book gradually shifts focus to operational excellence, helping you develop expertise in investigating alerts, optimizing action accounts, and troubleshooting, which will empower you to master the building and maintenance of a robust ITDR framework and strengthen your security posture.
By the end of this book, you’ll be able to harness the full potential of MDI’s functionalities, positioning you as a key player in your organization’s cybersecurity defenses.

You can read this e-book in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 518

Publication year: 2024




Microsoft Defender for Identity in Depth

An exhaustive guide to ITDR, breach prevention, and cyberattack response

Pierre Thoor

Microsoft Defender for Identity in Depth

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

The author acknowledges the use of cutting-edge AI, such as ChatGPT/Claude/Grammarly, with the sole aim of enhancing the language and clarity within the book, thereby ensuring a smooth reading experience for readers. It’s important to note that the content itself has been crafted by the author and edited by a professional publishing team.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Dhruv Jagdish Kataria

Publishing Product Manager: Prachi Sawant

Book Project Manager: Ashwin Kharwa

Senior Editor: Sarada Biswas

Technical Editor: Rajat Sharma

Copy Editor: Safis Editing

Proofreader: Sarada Biswas

Indexer: Pratik Shirodkar

Production Designer: Jyoti Kadam

Senior DevRel Marketing Executive: Marylou De Mello

First published: December 2024

Production reference: 1251124

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK.

ISBN 978-1-83588-448-5

www.packtpub.com

For Carina, the love of my life, and our amazing children – your support and love mean the world to me.

– Pierre Thoor

Foreword

A well-known phrase in cyber security is “hackers don’t break in, they log in.” Anyone who has worked in incident response, in a security operations center, or in any kind of threat-hunting role can attest to the truth of this statement. Despite being with us for many years, and despite the evolution of cloud identity platforms such as Microsoft Entra ID, in many organizations, Microsoft Active Directory is still at the heart of the corporate identity landscape. Identities, from our regular users to our most privileged administrators, are key to maintaining the security of our environments or limiting the impact of compromise. I have been fortunate to be involved in some of the largest and most complex cybersecurity breaches in the world and have seen defenders struggle to protect Active Directory effectively. It is understandable that defenders would struggle; modern identity systems are complex and ever-changing to suit the evolving needs of modern companies. The advent of the work-from-home era has increased this complexity significantly and further highlighted the importance of securing our identities. This evolving complexity presents a unique challenge to defenders. It is difficult to collect the logs and telemetry from all these services manually and build custom detection rules across them all to effectively secure your identity plane. Microsoft Defender for Identity (MDI) looks to solve this problem by reducing the barrier to entry to be able to effectively monitor Active Directory. The out-of-the-box telemetry and detection logic has been tuned over years of understanding how adversaries compromise Active Directory, taken from the lessons from real-world compromises. As new techniques are discovered, they are built and deployed into the product, ensuring protection against the most novel of attacks.

MDI is one of the pillars of the Microsoft Defender security stack. It provides unique visibility and insights into not only Active Directory, but also other supporting components, such as Active Directory Federation Services, Active Directory Certificate Services, and Microsoft Entra Connect. My personal belief is there is no product available that comes close to providing the out-of-the-box insights that MDI does. I have often joked that if I could spend someone else’s money on a security product, then MDI would be it. In this book, you will learn from Pierre, an expert in the deployment and operationalization of MDI. Importantly, he will arm you with the knowledge to not only configure and deploy MDI but also to empower you with the skills to effectively hunt for and prevent identity compromise. This book covers not only reactive investigations but, crucially for defenders, how to use MDI to proactively address misconfigurations or weaknesses in Active Directory. The goal of any threat actor is to obtain an identity with enough privilege to complete their objectives, from data exfiltration to ransomware and everything in between. This book will arm you with the skills to hopefully prevent, disrupt, or understand that activity in your environment.

Matthew Zorich

Principal Security Research Manager

Microsoft GHOST

Contributors

About the author

Pierre Thoor is a Microsoft MVP in security and a dedicated cybersecurity expert with a focus on identity protection and threat detection. As a first-time author, he shares his extensive knowledge in this book. Pierre hosts the Security Dojo Podcast and blogs at thoor.tech, where he explores Microsoft security topics. As an international speaker, he makes complex security subjects accessible to audiences worldwide.

At Onevinn, Pierre delivers advanced security solutions that strengthen organizations’ defenses against cyber threats. He specializes in Microsoft Sentinel and Microsoft Defender XDR. Pierre is also an expert in Azure Governance, including the Cloud Adoption Framework and enterprise-scale landing zones, ensuring that security is integrated into every aspect of cloud adoption. With skills in DevOps practices, Kusto Query Language (KQL), and developing solutions with Bicep and PowerShell, he implements automation and infrastructure as code to enhance security operations.

Pierre assists organizations in navigating the complexities of modern cybersecurity challenges.

I want to deeply thank my wife, Carina, for her constant support and belief in me. To my children, whose curiosity and questions inspired me – thank you. Big thanks to the technical reviewers, Stefan Schörling and Konrad Sagala, for your helpful support and comments that made this book better. Thank you, Matthew Zorich, for your endless inspiration and for writing the foreword. Lastly, thank you to my employer, Onevinn, for your support during this journey.

About the reviewers

Stefan Schörling is a renowned security expert with more than 25 years of experience in the cybersecurity field. He has served various roles within the cybersecurity area. Today, he is supporting customers to be better protected against adversaries, but also helping those who have been hit by cyber incidents. In his spare time, he conducts security research and also speaks at various international conferences (SANS, Live 360, TechED, Ignite, and various user groups). Stefan has been awarded a Microsoft MVP award every year for 17 years for his efforts and passion for sharing his knowledge in tech communities.

I’d like to thank my wife and family for the time and commitment it takes for me to follow my dream and do the things I do. Without their support, this would not be possible. I would also like to thank my first manager, Mathias, for believing in me even if I had no formal IT education and for the fun times we had over the years working together. I would simply not be where I am today without them.

Konrad Sagala has been involved in designing and deploying server systems since 1993. From 1996, he focused on Windows Server Systems: Security, Exchange and Active Directory. For the last 10 years, he has focused on cloud platforms. He has been an active Microsoft Certified Trainer since 2007, delivering Identity, Microsoft 365, Exchange, Security, and Server Platform courses, and has been a Microsoft Most Valuable Professional for 18 years in the Microsoft 365 category.

Table of Contents

Preface

Part 1: Mastering the Fundamentals of Microsoft Defender for Identity

1

Introduction to Microsoft Defender for Identity

The growing threat landscape and the role of MDI in ITDR

Modern identity threats and strategic defense frameworks

The Cyber Kill Chain

MITRE ATT&CK framework

The Unified Kill Chain

MDI’s strategic position in the cybersecurity ecosystem

Unpacking key features and benefits of MDI

Summary

2

Setting up Microsoft Defender for Identity

Technical requirements

Pre-installation and planning checklist: laying the groundwork

Licensing

What permissions do you need?

What are the operating system requirements?

Other sensor requirements

Networking

PowerShell

Data collection

User profiling

Sizing

Prerequisites for AD FS and AD CS

Active Directory service accounts

Deployment of MDI – a step-by-step guide

Following with your own lab environment

Getting the MDI installation package and access key

Navigating step-by-step proxy configuration for MDI

Installing TinyProxy

Configuring TinyProxy

Ensuring success with post-installation activities

DSAs

Configuring SAM-R

Setting the gMSA in the Defender XDR portal

Verifying the DSA

Defender XDR unified RBAC

Summary

3

Leveraging MDI PowerShell for Automation and Management

Technical requirements

Primer on the MDI PowerShell module

Installing the MDI PowerShell module

Module file overview

Understanding the module and its functions

Crafting advanced PowerShell scripts for MDI management

Health issues API

Automation in action – case studies and scripting scenarios

Monitoring the MDI service via Azure Monitor

Monitoring the MDI configuration with Azure Monitor and custom alert rules

Sending health issues and security alerts via syslog to Microsoft Sentinel

Summary

Part 2: Advanced Configuration, Integration, and Threat Detection

4

Integrating MDI with AD FS, AD CS, and Entra Connect

Technical requirements

Integrating MDI with AD FS

How AD FS authentication works

Configuring AD FS for MDI sensor installation

Validating the AD FS integration

Integrating MDI with AD CS

How AD CS works

Importance of MDI on Certificate Servers

Configuring AD CS for MDI sensor installation

Validating the AD CS integration

Integrating MDI with Entra Connect

How Entra Connect works

Configuring Entra Connect for the MDI sensor

Validating the Entra Connect integration

Expanding MDI across multiple Active Directory forests

The concept of multiple forests

Types of trusts in multi-forest environments

Prerequisites for MDI in a multi-forest environment

VPN integration – securing remote activities and data flow

Understanding RRAS and RADIUS

Configuring Microsoft RRAS

Summary

5

Extending MDI Capabilities Through APIs

Technical requirements

Introduction to the MDI API

Getting started with Microsoft Graph API

Building custom integrations and automations

Identifying integration opportunities

Type of use cases

Summary

6

Mastering KQL for Advanced Threat Detection in MDI

Technical requirements

KQL for beginners – querying MDI data

The history of KQL and its ecosystem

Understanding your MDI data

Getting started with KQL

Practical tips for effective queries

Hunting tables in MDI

Practical use of hunting tables

Advanced KQL techniques for deep threat detection

Understanding attack paths in AD

MDI and the attacker’s kill chain

Crafting KQL queries for threat detection

Real-world case studies – detecting advanced attacks with KQL

Prerequisites

PtH attack

Kerberoasting

DCShadow attack

Summary

Further reading

Part 3: Operational Excellence with Microsoft Defender for Identity

7

Investigating and Responding to Security Alerts

Developing a methodical approach to alert investigation

Understanding the MDI alert system

User Entity

Lateral movement paths (LMPs)

Initial triage and categorization

Root cause analysis

Real-world playbook – responding to advanced threats

Defining advanced threats

Pre-incident preparation

Incident detection and validation

Response strategy and execution

Incident response – an action plan for high-stakes situations

Building an incident response team

Incident Response Plan (IRP)

Summary

8

Utilizing MDI Action Accounts Effectively

Technical requirements

Configuring and securing action accounts

Understanding action accounts – what are they and why do they matter?

Best practices for action account configuration – getting it right the first time

Security measures – protecting your action accounts from compromise

Real-world scenarios and use cases

Automated threat response – leveraging action accounts for quick reactions

Case study – detecting and responding to credential theft and lateral movement

Operational efficiency – how action accounts streamline security processes

Summary

9

Building a Resilient Identity Threat Detection and Response Framework

Technical requirements

Designing proactive threat-hunting strategies with MDI

Understanding the threat-hunting methodology

The importance of logging and accurate detection

Developing security use cases

Leveraging behavioral analytics and MDI in hypothesis-driven hunting

Elevating your ITDR posture – Continuous improvement with MDI

Learning from total identity compromise incidents

Implementing identity-hardening strategies

Disaster recovery and incident response – preparing for the inevitable

Establishing an incident response plan

Automating responses to identity-based incidents with SOAR

Disaster recovery for identity systems

Summary

10

Navigating Challenges: MDI Troubleshooting and Optimization

Diagnosing common MDI issues

Spotting the signs of trouble

Using tools and logs to find problems

Configuration and connectivity fixes

Checking key configuration settings

Removing a malfunctioning MDI sensor manually

Network connectivity troubleshooting

Resolving security alert misfires

Customizing detection rules and applying filtering techniques

Adjusting alert settings for better accuracy

Operational guide

Daily tasks

Weekly tasks

Monthly tasks

Quarterly/ad-hoc tasks

Summary

Future reading

Index

Other Books You May Enjoy

Part 1: Mastering the Fundamentals of Microsoft Defender for Identity

This part provides an essential foundation for understanding Microsoft Defender for Identity (MDI). You’ll be introduced to MDI’s critical role in protecting against identity-based threats, guided through the deployment process, and equipped with automation techniques using PowerShell for streamlined management. This section is designed to give you a strong grasp of MDI’s functionality and how to integrate it into your broader security strategy.

This part includes the following chapters:

Chapter 1, Introduction to Microsoft Defender for Identity
Chapter 2, Setting up Microsoft Defender for Identity
Chapter 3, Leveraging MDI PowerShell for Automation and Management

1

Introduction to Microsoft Defender for Identity

In this opening chapter, we’ll set out on our journey with Microsoft Defender for Identity (MDI) and its critical role within the evolving threat landscape. We’ll look at the strategic importance of MDI within the broader cybersecurity ecosystem and learn how it serves as a fundamental tool in Identity Threat Detection and Response (ITDR), a term coined by Gartner. Along the way, we’ll see how MDI provides vital tools for protecting against identity-based threats.

Instead of jumping straight into the technical setup, we’ll take time to explore the why behind MDI. Understanding these foundational aspects will give you a solid grasp of how MDI fits into a comprehensive security strategy. By the end of this chapter, you’ll not only appreciate the capabilities of MDI but also how it helps to fortify your defenses against identity-centric attacks.

These insights are crucial for IT professionals and cybersecurity experts tasked with safeguarding Active Directory (AD) – a common target for adversaries. A successful attack on AD can lead to unauthorized access or even allow attackers to gain complete control over an environment, posing a severe threat to an organization’s security and stability.

In this chapter, we will cover the following:

The growing threat landscape and the role of MDI in ITDR
Modern identity threats and strategic defense frameworks
MDI’s strategic position in the cybersecurity ecosystem
Unpacking key features and benefits of MDI

Let’s get started!

The growing threat landscape and the role of MDI in ITDR

As we begin this journey through the area of cybersecurity, we find ourselves navigating an ever-expanding threat landscape. The digital age, while bringing unparalleled convenience and connectivity, also introduces complex challenges that demand sophisticated solutions.

ITDR was identified by Gartner Inc., an IT research and advisory company that also coined the term, as one of the top security and risk management trends that IT and security leaders need a strategy for. Adversaries, attackers, hackers, whatever we call them, abuse access and identities; their attacks focus on identity compromise, lateral movement, and privilege escalation. We therefore need tools and processes to detect, investigate, and respond to these types of threats in order to defend our organization efficiently. If we treat ITDR as a security discipline rather than just a product, one that gives us visibility into credential abuse, privilege escalation attempts, and entitlement exposure, my opinion is that we learn more about our environment and can take the appropriate actions to improve our security posture.

But what is ITDR? Before we answer that question, I want you to consider how much our attack surface has expanded in just a few years. Attackers are changing tactics, and the spotlight on protecting our identities has never been brighter than it is now. While firewalls once served as our primary security boundary, the current landscape shows identity management becoming a central element of security strategies. I believe this shift is driven by the rising number of password spray attacks, fundamental security misconfigurations – especially in implementing multifactor authentication (MFA) – and a lack of visibility into our data, leaving us remarkably vulnerable. Just before I began to write this book, Microsoft experienced an interesting nation-state attack from the group known as Midnight Blizzard, also referred to as NOBELIUM, famous for its password-spray attacks during 2021 against Cloud Solution Providers (CSPs) and Managed Service Providers (MSPs), and in January 2024 for gaining initial access through a password-spray attack involving a legacy test OAuth application that had elevated privileged access.

Now, back to the question – what is ITDR? In this case, we are joining Identity and Access Management (IAM) together with Extended Detection and Response (XDR). Organizations are often divided along the same lines: the identity team handles the IAM solution and products, and the SecOps team handles the XDR functionality. In Microsoft terminology, the identity team looks after Microsoft Entra ID (formerly Azure AD) and AD, while SecOps looks after Defender XDR and Microsoft Sentinel. Some organizations only use cloud identities in Microsoft Entra ID, and others use hybrid identities with AD and third-party identity providers (such as Okta). The goal of an ITDR solution is to collect signals from all of those areas, regardless of where the identity resides.

In short, we want the capability to prevent, detect, and respond to identity-related threats. If we think about how attacks start, it is typically through phishing or other social engineering tactics, up to more sophisticated attacks in which the IAM infrastructure itself is targeted to exploit vulnerabilities in that area. If the attacker is successful, this can lead to unauthorized access to sensitive information, data exfiltration, ransomware deployment, and more. IAM’s job is to ensure that the right people have the right access to files, systems, apps, and so on, so they can do their jobs without exposing those resources to the risk of compromise.

In this book, we will be focusing on AD and MDI as our ITDR product. The other ITDR products from Microsoft are, as noted earlier, Microsoft Entra ID, Microsoft Entra ID Protection, and Microsoft Defender XDR; if you are invested in the Microsoft security ecosystem, you will then have your entire ITDR solution in place.

It is highly recommended not to rely on MDI as the only protection for your AD deployment, but also to examine common entry points so you can reduce the attack surface. Such gap-closing exercises and best practices include implementing tiering, avoiding excessive privileges (a least-privilege framework), using privileged access workstations/secure access workstations, isolating or, even better, decommissioning legacy systems, patching, identifying all of your critical assets, and planning for compromise – yes, planning is key, because if and when our AD and other systems are compromised, we need to be prepared and know how to recover them.

Adding MDI into the mix brings a flare of defense to this stormy sea. As you journey through these pages, you’ll discover how MDI stands as a bulwark against identity-based threats, using advanced technology such as machine learning and artificial intelligence to detect, investigate, and stop potential breaches before they escalate.

As we begin, remember that you’re not just reading a chapter; you’re stepping into a very crucial role in safeguarding the digital identities that are the foundation of your organization. This journey is about providing you with the knowledge to not just navigate the complexities of protecting on-premises identities, but to succeed in this sometimes unpredictable digital landscape.

Modern identity threats and strategic defense frameworks

As we continue our exploration of cybersecurity, it’s essential to recognize that the nature of identity threats has evolved significantly. Today’s adversaries employ increasingly sophisticated methods to exploit and manipulate identities within organizational networks. Unlike earlier attacks that might have relied solely on brute force or basic phishing techniques, modern identity threats are multi-faceted, leveraging advanced tactics to achieve their objectives.

Modern adversaries target identities using a variety of sophisticated techniques, including the following:

Credential theft and reuse: Attackers obtain user credentials through phishing, malware, or social engineering and reuse them across multiple platforms to gain unauthorized access (think about the solarwinds123 password that caused the SolarWinds hack)
Pass-the-Hash (PtH) attacks: Exploiting stolen hashed passwords, attackers authenticate as legitimate users without needing the actual plaintext passwords
Pass-the-Ticket (PtT) attacks: Utilizing stolen Kerberos tickets, attackers impersonate users to access resources within the network
Golden Ticket attacks: Crafting counterfeit Kerberos Ticket Granting Tickets (TGTs) to gain unrestricted access across the entire domain
Silver Ticket attacks: Forging service tickets to access specific services within the network
Kerberoasting: Extracting service account credentials from Kerberos tickets to crack passwords offline
DCShadow and DCSync attacks: Manipulating domain controller functions to inject malicious changes or extract credentials from AD

These tactics allow attackers to navigate through networks silently, access sensitive information, and escalate their privileges, often remaining undetected for extended periods.

Implement a robust password policy

Ensure that your organization enforces a password policy that prohibits the use of easily guessable elements, such as the company name, in user passwords. It’s common to observe that employees create simple passwords incorporating the organization’s name (e.g., CompanyName123), making them vulnerable targets for attackers. By restricting such patterns, you significantly reduce the risk of unauthorized access through brute force or social engineering attacks.

Imagine an attack as a carefully orchestrated heist, where each step brings the attacker closer to their goal. The Cyber Kill Chain serves as the blueprint for this heist, breaking down each stage of an attack so you can anticipate and prevent malicious moves before they reach their target.

The Cyber Kill Chain

Developed by Lockheed Martin, the Cyber Kill Chain is a model that describes the seven stages of a cyberattack, providing a structured approach to understanding and disrupting adversary actions. By dissecting an attack into distinct phases, defenders can identify opportunities to interfere and halt the progression of threats.

For any cyberattack to be successful, it must go through the following:

1. Reconnaissance: Gathering information about the target to identify potential vulnerabilities.
2. Weaponization: Creating malware or exploit tools tailored to the identified vulnerabilities.
3. Delivery: Transmitting the weaponized payload to the target system (e.g., via phishing emails).
4. Exploitation: Triggering the exploit to gain unauthorized access to the system.
5. Installation: Installing malware to maintain persistence within the network.
6. Command and Control (C2): Establishing communication channels to remotely control the compromised systems.
7. Actions on Objectives: Executing the intended goals, such as data exfiltration, ransomware deployment, or system sabotage.

Breaking any one of these stages prevents the attack from completing. Now that we’ve mapped out the stages of a cyberattack with the Cyber Kill Chain, let’s dive deeper into the tactics and techniques attackers use at each stage. This is where the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework comes into play, offering a more granular view of adversary behaviors.

MITRE ATT&CK framework

The MITRE ATT&CK framework serves as a comprehensive guide to understanding the behaviors and methods of cyber adversaries. It’s like a master playbook that maps out how attackers operate, based on real-world observations. The framework breaks down the phases of an attack, offering a detailed taxonomy that helps security teams anticipate threats, enhance their defenses, and respond more effectively.

Core components of the MITRE ATT&CK framework include the following:

Tactics: These represent the adversary’s high-level objectives or goals, such as gaining initial access or escalating privileges within a network. They provide insight into why certain actions are taken by attackers during an intrusion.
Techniques: These are the specific methods adversaries use to achieve their tactical goals. For instance, attackers might use phishing emails for initial access or credential dumping to gain account details.
Sub-techniques: These dive deeper, offering more granular methods that attackers might employ. For example, under credential dumping, different sub-techniques detail how credentials might be extracted using various tools or methods.

The Enterprise Matrix of MITRE ATT&CK encompasses 14 tactics, each representing a critical phase in a cyberattack:

1. Reconnaissance: Identifying potential targets and gathering information.
2. Resource Development: Building the capabilities and infrastructure needed for an attack.
3. Initial Access: Breaking into the target network using methods such as phishing or exploiting vulnerabilities.
4. Execution: Running attacker-controlled code on a compromised system.
5. Persistence: Maintaining access to the environment over time through methods such as backdoors or configuration changes.
6. Privilege Escalation: Gaining higher access levels to penetrate deeper into the network.
7. Defense Evasion: Implementing techniques to avoid detection or circumvent security measures.
8. Credential Access: Stealing usernames, passwords, and other credentials.
9. Discovery: Mapping out the network environment to find valuable targets.
10. Lateral Movement: Spreading access to other systems in the network.
11. Collection: Gathering data of interest before exfiltrating it.
12. Command and Control (C2): Establishing a communication link with compromised systems.
13. Exfiltration: Moving stolen data out of the organization.
14. Impact: Disrupting or manipulating systems and data to fulfill the attacker’s objectives, such as deploying ransomware or deleting data.

To illustrate how the MITRE ATT&CK framework can be applied to real-world scenarios, let’s look at an example of an attack targeting AD. This example focuses on a common method attackers use to extract sensitive credentials, known as a DCSync attack. By breaking down the tactic, technique, and sub-technique involved, we can see how MDI plays a crucial role in detecting and mitigating such threats before they can escalate. Here’s how this type of attack typically unfolds:

Tactic – Credential Access:

Credential access involves techniques attackers use to obtain credentials, such as usernames, passwords, or token hashes, from a system or network, allowing them to access additional resources.

Technique – T1003 – OS Credential Dumping:

This technique involves extracting credential data from operating systems. It can include direct access to credentials stored in memory or on disk, such as hashes, passwords, or tickets.

Sub-technique – T1003.006 – DCSync:

A DCSync attack allows an attacker to simulate the behavior of a domain controller and request user credential data from other domain controllers. By abusing replication permissions, the attacker can extract credentials from the AD database directly.

An attacker who has gained elevated permissions, such as Replicating Directory Changes or Replicating Directory Changes All rights, can execute a DCSync attack using tools such as Mimikatz. By impersonating a domain controller, the attacker can request password hashes for accounts, including krbtgt (the Kerberos Ticket Granting Ticket (TGT) account) or highly privileged domain admins.

Once the attacker obtains the password hashes, they can leverage them in other attacks, such as Pass-the-Hash (PtH) or Golden Ticket attacks, enabling them to move laterally across the network or maintain persistent access with administrative privileges.
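A DCSync request leaves a trace on the domain controller that is asked to replicate: when Directory Service Access auditing is enabled, Windows records Event ID 4662 with the replication control-access rights in its Properties field. The following is an added example (not the book’s code and not MDI’s own detection logic) that applies the defender’s check over constructed 4662 records: flag any replication request whose subject is not a domain controller computer account or the Entra Connect synchronization account. The GUIDs are the documented Active Directory replication extended rights; the account names, the MSOL_ suffix and the event records are constructed.

```python
"""Flag DCSync-style replication requests in constructed Windows Security 4662 records.

Added example (not the book's code, not MDI's logic). Assumes the 4662 fields
SubjectUserName, AccessMask and Properties as Windows writes them; every record
below is constructed sample data, not a real log.
"""
from dataclasses import dataclass

# Documented Active Directory extended-right GUIDs for directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# ADS_RIGHT_DS_CONTROL_ACCESS: the AccessMask bit set when an extended right is exercised.
CONTROL_ACCESS = 0x100


@dataclass(frozen=True)
class Event4662:
    subject: str        # SubjectUserName
    access_mask: int    # AccessMask
    properties: tuple   # GUIDs from the Properties field, as logged (braces allowed)


def normalize_guid(raw):
    """Windows writes GUIDs in braces, e.g. '{1131F6AA-...}'; compare lower-case, no braces."""
    return raw.strip().strip("{}").lower()


def replication_rights_used(event):
    """Names of replication rights referenced by the event's Properties, in logged order."""
    return tuple(
        REPLICATION_RIGHTS[g]
        for g in (normalize_guid(p) for p in event.properties)
        if g in REPLICATION_RIGHTS
    )


def detect_dcsync(events, trusted_replicators):
    """Return (subject, rights) for replication requests by principals not expected to replicate.

    Domain controller computer accounts and the Entra Connect (Azure AD Connect) sync account
    legitimately hold these rights, so they belong in trusted_replicators; anything else
    exercising them is worth an investigation.
    """
    trusted = {t.upper() for t in trusted_replicators}
    findings = []
    for ev in events:
        if not ev.access_mask & CONTROL_ACCESS:
            continue                      # ordinary read/write, not an extended right
        rights = replication_rights_used(ev)
        if not rights:
            continue                      # some other control-access right
        if ev.subject.upper() in trusted:
            continue
        findings.append((ev.subject, rights))
    return findings


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    Event4662("DC01$", 0x100, ("{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}",
                              "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}")),
    Event4662("MSOL_1a2b3c4d", 0x100, ("{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}",
                                      "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}")),
    # Plain read of a user object (schema GUID of the user class): not replication.
    Event4662("jdoe", 0x10, ("{BF967ABA-0DE6-11D0-A285-00AA003049E2}",)),
    Event4662("jdoe", 0x100, ("{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}",
                             "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}")),
    Event4662("svc-backup", 0x100, ("{89E95B76-444D-4C62-991A-0FACBEDA640C}",)),
]

# DC computer accounts plus the (constructed) Entra Connect sync account.
TRUSTED = {"DC01$", "MSOL_1a2b3c4d"}

if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_EVENTS, TRUSTED):
        print(f"{subject}: {', '.join(rights)}")
```

The allowlist is the part that needs care in a real environment: leave the Entra Connect account off it and every synchronization cycle becomes a false positive, which is exactly the noise that gets a rule switched off. MDI produces this detection for you; the value of writing it once by hand is knowing which event, which field and which GUIDs it rests on when you validate auditing settings on the domain controllers.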

The MITRE ATT&CK framework is more than just a list of tactics; it’s a way to visualize and understand the full scope of an attack. When organizations map incidents to this framework, they gain valuable insights into attacker behavior, helping them predict potential future moves and adjust their defenses accordingly. This structured approach allows security teams to prioritize their response and plug gaps that could be exploited by adversaries.

While the MITRE ATT&CK framework provides an extensive catalog of attacker tactics and techniques, understanding the broader sequence and integration of these actions is crucial. This leads us to the Unified Kill Chain (UKC), a comprehensive model that combines the strengths of both the Cyber Kill Chain and MITRE ATT&CK to provide an 18-stage approach for tackling advanced cyber threats.

The Unified Kill Chain

The UKC is an advanced model that builds upon the traditional Cyber Kill Chain by incorporating additional dimensions to provide a more comprehensive and integrated approach to threat detection and response. Developed by Paul Pols, the UKC includes 18 distinct phases that detail the tactics used by Advanced Persistent Threats (APTs) and ransomware groups. Unlike the traditional kill chain, which is primarily perimeter and malware-focused, the UKC addresses a broader range of attack vectors and includes socio-technical elements, such as social engineering and pivoting.

The phases of the UKC include the following:

Reconnaissance: Conducting thorough research to identify and select targets using both active and passive information-gathering techniques.
Resource Development: Engaging in preparatory activities to establish the necessary infrastructure, such as registering domains or developing malware, required for executing the attack.
Delivery: Transmitting the malicious payload or weaponized object into the target environment through various methods, such as phishing emails, malicious attachments, or drive-by downloads.
Social Engineering: Manipulating individuals within the organization to perform actions that compromise security, such as divulging credentials or unwittingly executing malicious code.
Exploitation: Taking advantage of identified vulnerabilities within systems to execute malicious code, thereby gaining unauthorized access.
Persistence: Establishing a long-term presence within the compromised system to ensure continued access, often by creating backdoors or modifying system configurations.
Defense Evasion: Implementing techniques to avoid detection by security tools and personnel, such as obfuscating code or disabling security features.
Command and Control (C2): Setting up communication channels to remotely control the compromised systems, enabling the attacker to issue commands and receive data.
Pivoting: Using the compromised system as a launch point to access and infiltrate additional systems within the network that were previously inaccessible.
Discovery: Gathering detailed information about the network environment, including system configurations, network topology, and security measures, to identify further targets.
Privilege Escalation: Increasing the level of access within the network by exploiting vulnerabilities or misconfigurations, allowing deeper penetration into the organization’s systems.
Execution: Running attacker-controlled code on local or remote systems to perform malicious activities, such as data manipulation or further exploitation.
Credential Access: Stealing or obtaining access to system, service, or domain credentials to facilitate ongoing unauthorized access and movement within the network.
Lateral Movement: Traversing the network horizontally to access additional systems and resources, expanding the attacker’s reach within the organization.
Collection: Identifying and aggregating valuable data from various sources within the network in preparation for exfiltration or misuse.
Exfiltration: Transferring the collected data out of the target network to an external location controlled by the attacker, often using encrypted channels to avoid detection.
Impact: Executing actions that disrupt, manipulate, or destroy systems and data, such as deploying ransomware or altering critical information.
Objectives: Achieving the overarching goals of the attack, which may include financial gain, data theft, espionage, or sabotage, aligning the tactical actions with strategic outcomes.

To explain the UKC further, it groups the phases of a cyberattack into three overarching stages: In, Through, and Out. Understanding these stages provides a clearer roadmap for anticipating attacker movements and deploying targeted defenses:

In: This initial stage encompasses all the steps attackers take to infiltrate a target network. It includes activities such as reconnaissance, resource development, payload delivery, social engineering, exploitation of vulnerabilities, and establishing persistence. Essentially, this is where attackers gain their foothold and set up their operations within the network.
Through: Once inside, attackers move deeper into the network, escalating their privileges and expanding their access. This stage involves pivoting, discovery, privilege escalation, execution, credential access, and lateral movement across the network. Think of this as attackers navigating through the various layers of the network to reach more valuable targets.
Out: In the final stage, attackers execute their primary objectives, which could range from data exfiltration and ransomware deployment to system sabotage. This stage includes activities such as data collection, exfiltration, and causing impact on the target’s systems or data integrity. It is the finale of the attack, where the attackers achieve their goals and attempt to cover their tracks or leave the network.

The real strength of the UKC is its flexibility. It recognizes that attackers don’t always follow a set path – they might skip steps or switch strategies as they go. This means defenders need to be ready to adapt, using layered security measures that can disrupt attackers at multiple points.

By including phases such as social engineering and pivoting, the UKC emphasizes the human element in cyber threats. Attackers often manipulate people to gain access, so training employees to recognize these tactics is as important as deploying technical defenses.

The UKC also helps organizations improve both proactive and reactive responses. It guides where to focus early defenses, such as detecting reconnaissance, and how to respond if an attacker gains access, such as by containing lateral movement.

Read more

For a deeper dive into the UKC and its 18 phases, visit https://www.unifiedkillchain.com. This resource provides detailed explanations, examples, and additional insights.

Now that we’ve looked at the different stages of a cyberattack, it’s time to explore how tools such as MDI fit into those frameworks.

MDI’s strategic position in the cybersecurity ecosystem

MDI is designed to protect on-premises AD identities, the core foundation of the organization. Its primary function is to continuously monitor user activities, network traffic, Windows events, and entity behaviors. It uses advanced algorithms and machine learning to detect unusual activities, such as lateral movement, privilege escalation, and reconnaissance, which could indicate a potential security breach.

Today, it is still common to use AD as the Source of Authority (SoA) and synchronize identities to Microsoft Entra ID. It is also still common to run Active Directory Federation Services (AD FS) and Active Directory Certificate Services (AD CS). These workloads must be protected at all times. Even though these are legacy systems that we are still required to keep using, they are critical workloads and should be treated as Tier 0 systems, that is, your most critical assets. We will not go into detail about how to protect your Tier 0 systems with the Enterprise Access Model or the legacy AD tier model in this book, but it is highly recommended that you read and learn about those control strategies.

Explore more about Enterprise Access Model

Learn more about the Enterprise Access Model and legacy AD tier model on Microsoft Learn: https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model.

With this in mind and our identity landscape in place, we need to start gathering signals from these components, because every part of the landscape can be attacked. In this modern world, we want to collect our on-premises signals (from AD DS, AD CS, AD FS, and Entra Connect) together with cloud signals, such as those from Microsoft Entra ID, Defender for Cloud Apps, Defender for Endpoint, and so on, so that we can correlate and analyze the data. The more signals we have, the higher the likelihood of detecting anomalies and seeing the full picture, or story, of an attack.

Figure 1.1 – MDI high-level architecture

The preceding figure shows the importance of integrating personas and departments, and as the journey in this book continues, we will see exactly how important this is. We will be informed about our security posture and about misconfigurations in the identity infrastructure, and we will receive detections concerning privileged accounts, service accounts, and privilege escalation paths.

One of the most time-consuming tasks for Security Operations Center (SOC) analysts is user profiling. The concept of criminal profiling, which special agent John Edward Douglas invented in the late 1970s at the United States Federal Bureau of Investigation (FBI) as part of the Behavioral Science Unit, laid the groundwork for modern criminal profiling; it involved in-depth interviews with criminals to understand their psychopathologies and behavioral patterns. Today, in the world of cybersecurity, we use something called User and Entity Behavior Analytics (UEBA), which creates a baseline of a user and their behavior; when the user steps outside that baseline, UEBA detects the anomaly and raises an alert for the security risk. If you have activated UEBA in Microsoft Sentinel, you can look at the UEBA table, BehaviorAnalytics, to see whether you have any data ingested. Here’s the book’s first KQL query:

BehaviorAnalytics | take 20

This KQL query returns 20 entries from the BehaviorAnalytics table, which is enough to confirm that data is being ingested (take does not sort, so these are not necessarily the most recent rows).
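To make the baseline-then-deviation idea behind UEBA concrete, here is an added example that is not the book’s code and not how Sentinel’s UEBA or MDI build their models: a deliberately small baseline over constructed logon records (user, hour, host, Windows logon type), followed by a check that reports which of three properties a new logon departs from. The field names, hosts, users and all records are constructed.

```python
"""Build a per-user behaviour baseline from constructed logon records and flag deviations.

Added example (not the book's code and not how Sentinel's UEBA or MDI compute their
models): a simple illustration of the baseline-then-deviation idea. All records are
constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    user: str
    hour: int          # local hour of the day, 0-23
    host: str          # computer the logon was recorded on
    logon_type: int    # Windows logon type: 2 interactive, 3 network, 10 remote interactive


def build_baseline(history):
    """Per user: how often each hour, host and logon type was seen in the learning window."""
    baseline = defaultdict(lambda: {"hours": Counter(), "hosts": Counter(), "types": Counter()})
    for logon in history:
        b = baseline[logon.user]
        b["hours"][logon.hour] += 1
        b["hosts"][logon.host] += 1
        b["types"][logon.logon_type] += 1
    return dict(baseline)


def _hour_distance(a, b):
    """Circular distance between two hours, so 23:00 and 01:00 are two hours apart, not 22."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_logon(logon, baseline, hour_slack=1):
    """Reasons this logon deviates from the user's baseline (empty list means within baseline)."""
    b = baseline.get(logon.user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if all(_hour_distance(logon.hour, h) > hour_slack for h in b["hours"]):
        reasons.append(f"unusual hour {logon.hour:02d}:00")
    if logon.host not in b["hosts"]:
        reasons.append(f"new host {logon.host}")
    if logon.logon_type not in b["types"]:
        reasons.append(f"new logon type {logon.logon_type}")
    return reasons


def detect_anomalies(events, baseline):
    """(user, reasons) for every logon that falls outside the baseline."""
    out = []
    for ev in events:
        reasons = score_logon(ev, baseline)
        if reasons:
            out.append((ev.user, reasons))
    return out


# Constructed learning window: a week of ordinary office-hours logons.
HISTORY = (
    [Logon("alice", h, "WS-ALICE", 2) for h in (8, 8, 9, 9, 9, 10, 17)]
    + [Logon("bob", h, "WS-BOB", 2) for h in (7, 8, 8, 9, 16)]
    + [Logon("bob", 9, "FS01", 3)]          # bob's network logon to a file server
)

# Constructed events to evaluate against that baseline.
NEW_EVENTS = [
    Logon("alice", 9, "WS-ALICE", 2),      # normal
    Logon("alice", 3, "WS-ALICE", 2),      # 03:00 from the usual workstation
    Logon("alice", 9, "DC01", 10),         # remote interactive logon to a DC, never seen before
    Logon("bob", 15, "FS01", 3),           # 15:00 is within one hour of a known hour (16)
    Logon("carol", 9, "WS-CAROL", 2),      # unknown user: nothing to compare against
]

if __name__ == "__main__":
    for user, reasons in detect_anomalies(NEW_EVENTS, build_baseline(HISTORY)):
        print(user, "->", "; ".join(reasons))
```

The real products weight deviations against peers and against the whole organization rather than treating every departure as equal; what this version shows is the shape of the problem, namely that the quality of an anomaly alert depends entirely on how representative the learning window was. The “no baseline for user” case is the one that catches new hires and newly created service accounts, and it is a good reminder of why freshly created privileged accounts deserve scrutiny of their own.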

For MDI, we want the capability to detect identity-specific threats, such as reconnaissance and lateral movement, including PtH, Golden Ticket, Pass-the-Ticket (PtT), password spray, and attacks against the identity infrastructure. These advanced threats are part of what we call the cyberattack kill chain: they include unusual actions or behaviors that occur at any stage of a cyberattack, from initial reconnaissance to the final execution of the attack. Analyzing activities at each phase of an attack helps identify and understand potential threats, enabling timely detection and response.

Unpacking key features and benefits of MDI

MDI is designed to protect against identity-based attacks in hybrid environments, providing a vigilant watch over AD and Microsoft Entra ID. MDI continuously monitors user activities and authentication patterns, offering real-time alerts and insights to detect threats such as credential theft, lateral movement, and privilege escalation.

These are the key features of MDI:

Behavioral analytics: MDI builds a baseline of normal user behaviors to spot unusual activities, such as unexpected logins or data access. This helps catch compromised accounts early before attackers can cause serious harm.
Advanced threat detection: MDI excels at detecting sophisticated attack techniques, such as PtH, PtT, Golden Ticket, Silver Ticket, and Kerberoasting. It also catches threats such as DCShadow and DCSync, providing insights into potential AD manipulation.
Lateral Movement Path (LMP) analysis: MDI maps potential pathways attackers could use to access more valuable resources within the network. By visualizing these paths, security teams can proactively secure critical assets, making it harder for attackers to gain a foothold.
Enhanced monitoring of AD CS, AD FS, and Entra Connect: Recent updates improve MDI’s visibility into AD CS, AD FS, and Microsoft Entra Connect. This allows MDI to detect suspicious activities in federated identity setups and certificate-based authentications, while also ensuring secure identity synchronization between on-premises AD and Entra ID.
Integration with Microsoft Sentinel and Defender XDR: MDI connects seamlessly with the Defender XDR portal, enabling advanced hunting and centralized management of identity-related incidents. This integration allows analysts to correlate identity threats with data from endpoints and cloud resources, creating a unified view of security incidents.
Proactive attack disruption: MDI is a key part of Defender XDR’s automatic attack disruption capabilities. It can automatically trigger actions such as disabling suspicious user accounts, helping to contain threats quickly and prevent further damage.
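The LMP feature rests on one relationship: an account that holds local administrator rights on a host can reach the credentials of every account with a live session on that host, and group membership decides who is an administrator where. The following is an added example (not the book’s code and not MDI’s LMP engine) that walks that relationship breadth-first over a constructed directory snapshot and returns the shortest chain from a given account to a member of a sensitive group, which is what the LMP graph in the portal draws. The hosts, accounts and groups are constructed; the remediation the example tests is the one a defender applies, namely removing the sensitive account’s session from the member server.

```python
"""Find the shortest lateral movement path in a constructed directory snapshot.

Added example (not the book's code and not MDI's LMP engine). It applies the idea the
feature is built on: a local administrator on a host can reach the credentials of any
account with a session on that host. All hosts, accounts and groups are constructed.
"""
from collections import deque

# Constructed snapshot: host -> principals (accounts or groups) with local admin rights.
LOCAL_ADMINS = {
    "WS-JDOE": {"jdoe"},
    "WS-ASMITH": {"asmith"},
    "SRV-APP01": {"Helpdesk", "svc-app"},
    "DC01": {"Domain Admins"},
}
# Constructed snapshot: group -> direct members (accounts or nested groups).
GROUP_MEMBERS = {
    "Helpdesk": {"jdoe", "asmith"},
    "Tier0-Operators": {"da-admin"},
    "Domain Admins": {"Tier0-Operators"},
}
# Constructed snapshot: host -> accounts with a live logon session.
SESSIONS = {
    "WS-JDOE": {"jdoe"},
    "WS-ASMITH": {"asmith"},
    "SRV-APP01": {"svc-app", "da-admin"},   # a Domain Admin signed in to a member server
    "DC01": {"da-admin"},
}
SENSITIVE_GROUPS = {"Domain Admins"}


def groups_of(account, group_members):
    """All groups the account belongs to, following nested membership."""
    found, stack = set(), [account]
    while stack:
        principal = stack.pop()
        for group, members in group_members.items():
            if principal in members and group not in found:
                found.add(group)
                stack.append(group)
    return found


def admin_hosts(account, local_admins, group_members):
    """Hosts where the account is a local administrator directly or through a group."""
    principals = {account} | groups_of(account, group_members)
    return {h for h, admins in local_admins.items() if admins & principals}


def is_sensitive(account, group_members, sensitive_groups):
    return bool(groups_of(account, group_members) & sensitive_groups)


def lateral_movement_path(start, local_admins, group_members, sessions, sensitive_groups):
    """Shortest chain account -> host -> account ... ending at a sensitive account, or None.

    Breadth-first search, so the first sensitive account reached is on a shortest path.
    """
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        account, path = queue.popleft()
        if account != start and is_sensitive(account, group_members, sensitive_groups):
            return path
        for host in sorted(admin_hosts(account, local_admins, group_members)):
            for exposed in sorted(sessions.get(host, ())):
                if exposed not in seen:
                    seen.add(exposed)
                    queue.append((exposed, path + [host, exposed]))
    return None


if __name__ == "__main__":
    path = lateral_movement_path("jdoe", LOCAL_ADMINS, GROUP_MEMBERS, SESSIONS, SENSITIVE_GROUPS)
    print(" -> ".join(path) if path else "no path to a sensitive account")
```

For the snapshot above, an ordinary helpdesk member is two hops from a Domain Admin because that admin has a session on a server the Helpdesk group administers. Neither side of that edge is a misconfiguration on its own; the exposure is the combination, which is why the portal draws the graph instead of listing settings. Either removing the session (a Tier 0 account should not sign in to a member server) or taking Helpdesk out of the server’s local Administrators group closes the path.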

Identity is often the initial target for attackers. MDI provides organizations with the tools needed to detect, investigate, and respond to these threats quickly. Its close integration with other Microsoft security tools ensures that identity-related insights are part of a larger defense strategy, allowing security teams to stay a step ahead of adversaries. With improved visibility into AD CS, AD FS, and Entra Connect, MDI ensures that hybrid identity flows remain secure and monitored.

Summary

In this chapter, we delved into the growing identity threat landscape and the vital role that MDI plays in addressing these challenges. We explored the modern identity-based threats organizations face, the defense frameworks that help mitigate these risks, and how MDI strategically fits into the broader cybersecurity ecosystem. We also highlighted the key features of MDI, showing how it strengthens defenses against advanced attacks, providing critical ITDR capabilities.

As we move on to the next chapter, the focus shifts to practical deployment. I’ll guide you through important pre-installation planning to ensure you’re prepared, followed by a detailed step-by-step guide for deploying MDI. You’ll also learn how to configure proxy settings and ensure a successful setup by conducting vital post-installation activities.

2

Setting up Microsoft Defender for Identity

In this chapter, we’ll lay the foundation for implementing Microsoft Defender for Identity (MDI), setting the stage for a successful deployment. We’ll begin by ensuring your environment is properly prepared, covering everything you need to know before starting the deployment. From there, you’ll find a detailed walk-through of the installation process, making sure you have a smooth experience from start to finish.

For those with unique network needs, we’ll also delve into how to configure your environment for secure and efficient communication. To wrap things up, we’ll focus on critical post-deployment checks, helping you validate that MDI is working as intended and ready to secure your Active Directory environment.

I do think these skills and this knowledge are vital for IT and cybersecurity professionals who are tasked with safeguarding their organization from an Active Directory compromise, because let’s be real – Active Directory is a highly attractive target for adversaries: a successful breach can lead to unauthorized access or, even worse, adversaries gaining full control of the entire environment. The result would be a great financial loss.

By the end of this chapter, you’ll have a clear roadmap for implementing MDI, from initial setup to post-installation checks.

In this chapter, we will cover the following:

Pre-installation and planning checklist: laying the groundwork
Deployment of MDI – a step-by-step guide
Navigating step-by-step proxy configuration for MDI
Ensuring success with post-installation activities

Let’s get started!

News from Microsoft Ignite 2024: Unified agent

Microsoft has introduced a unified agent that integrates Microsoft Defender for Endpoint (MDE) with Microsoft Defender for Identity (MDI), extending protection across endpoints, operational technology (OT) devices, identities, and Data Loss Prevention (DLP). This consolidation simplifies deployment and maintenance by eliminating the need for separate agents, thereby reducing system overhead and enhancing efficiency. Organizations can now enable MDI directly from the Defender portal, streamlining the process of securing on-premises identities.

Technical requirements

Given the expansive nature of Microsoft 365 and its associated ecosystem, setting up and optimizing MDI demands specific prerequisites. These requirements are essential for ensuring seamless integration and functionality within the Microsoft 365 framework, catering to both security needs and operational efficiency.

You will require the following:

A Microsoft tenant
A Microsoft subscription that includes Microsoft Defender for Identity, such as Microsoft 365 E5 or Microsoft 365 E3 + E5 Security
Basic Microsoft 365 knowledge
Active Directory knowledge
A virtual or physical server environment with Active Directory installed and configured:
    Optional: Active Directory Federation Services and Active Directory Certificate Services installed and configured
Basic PowerShell knowledge
Basic networking knowledge
Optional: If you want to follow along with proxy setup and configuration, you need one or two virtual machines with Ubuntu 22.04 or later installed:
    Make the installation of Ubuntu a minimal server installation

All the code examples for this chapter can be found on GitHub at https://github.com/PacktPublishing/Microsoft-Defender-for-Identity-in-Depth/tree/main/Chapter02.

Pre-installation and planning checklist: laying the groundwork

It’s wonderful that we are now in the planning phase. But before installing MDI, it’s crucial to prepare a thorough checklist. This preparation ensures that the deployment process is smooth, and that MDI integrates seamlessly into your environment. By taking the time to properly plan, you can avoid common challenges and ensure that your organization is ready to leverage MDI’s capabilities to their fullest potential:

You need to understand the licensing requirements, understand that the current service does not allow limiting features to specific users, understand that MDI is a tenant-level activation, and familiarize yourself with the types of data MDI collects to profile user behavior effectively.
Additionally, consider Microsoft’s strategies for mitigating malicious insider activities, particularly regarding high-privilege roles.
Lastly, assess your infrastructure against the sizing recommendations, ensuring MDI operates efficiently within your environment.

Azure Advanced Threat Protection (ATP) or Microsoft Defender for Identity

Please be aware that MDI, formerly known as Azure ATP, is part of a broader rebranding by Microsoft to align its security products under the Microsoft Defender suite. This change reflects the product’s enhanced focus on identity security within the Microsoft security ecosystem. You will see that the old name is still there in some configurations and some portals.

Let’s begin by exploring all the prerequisites needed for a successful MDI deployment. We’ll cover several important steps in this planning phase to ensure a successful deployment by the end of this chapter.

First, we will dive into licensing – yes, it is fun and cool, but perhaps not your favorite. After that, we will discuss the required permissions, followed by the operating system and server requirements. We will then move on to networking, more specifically the ports and URLs that need to be opened.

Following that, I will guide you through installing the MDI PowerShell module and explain the types of Windows events that MDI needs to be fully functional. We will also cover how user profiling works, sizing requirements, and the necessary steps for installing the MDI sensor on Active Directory Federation Services (AD FS), Active Directory Certificate Services (AD CS), and Entra Connect server. Lastly, we will dive into how service accounts work for MDI.

Licensing

First on the list is licensing: we need one of the following licenses activated in our tenant:

Enterprise Mobility + Security E5 (EMS E5/A5)
Microsoft 365 E5 (Microsoft E5/A5/G5)
Microsoft 365 E5/A5/G5 Security
A standalone Defender for Identity license

Note

You know how fast Microsoft changes things, so check the MDI licensing requirements at learn.microsoft.com.

As of November 2023, the Service Level Agreement (SLA) for Microsoft Online Services, of which MDI is part, states that you can receive service credits on the licensing bill if the uptime percentage drops below 99.9%.

The definition of downtime is any period of time where the administrator is unable to access the MDI portal.

The uptime percentage is calculated using the following formula:

The credit you can get is as follows:

Uptime Percentage | Credit
< 99.9%           | 10%
< 99%             | 25%

Table 2.1 – SLA credit

A question a lot of administrators and companies ask is whether they need to license all users in their tenant if they want to utilize MDI, and the answer is yes. MDI is a tenant-wide activation, and like other tenant services, it is not currently capable of limiting benefits to specific users.

What permissions do you need?

In Microsoft Entra ID, you will need to have at least the role of Security Administrator. When you first enter the Microsoft Defender portal and go to the Settings blade, you need to have the appropriate permissions; otherwise, your MDI workspace will not be created. You will learn more about Role-Based Access Control (RBAC) later in this chapter.

What are the operating system requirements?

Before you read the following list, make sure that you are running a version of Windows Server that is supported by Microsoft and that will not reach the end of its support in a couple of months.

The supported Windows Server editions, which include both the Server Core and Desktop Experience installations, are as follows:

Windows Server 2016
Windows Server 2019
Windows Server 2022

See the following table for the support end dates:

Operating System Version | Start Date        | Mainstream Support End Date | Extended Support End Date
Windows Server 2016      | October 15, 2016  | January 11, 2022            | January 11, 2027
Windows Server 2019      | November 13, 2018 | January 9, 2024             | January 9, 2029
Windows Server 2022      | August 18, 2021   | October 13, 2026            | October 14, 2031

Table 2.2 – Windows Server OS versions and support dates

Extended Support is offered for five years after Mainstream Support ends, and during this time, Microsoft provides security updates, bug fixes, and reliability updates.

Do not confuse the Extended Support with Extended Security Updates (ESU), which is a last-resort option for customers who need to run legacy Microsoft products. ESU only includes Critical and/or Important security updates, which are defined by the Microsoft Security Response Center (MSRC). ESU will be offered for a maximum of three years after the Extended Support end date.

Figure 2.1 – Overview of Microsoft Support phases