Review EDX Course Security in Office 365 (Microsoft CLD245x)

Recently I took the course Security in Office 365 using the free Audit Access; the final exam and the certificate are missing here.
The sections of the course are:
  • Threats and data breaches targeting your data
  • Office 365 Advanced Threat Protection
  • Office 365 Threat Intelligence
  • Auditing, alerting and reporting in Office 365
  • Advanced Security Management in Office 365
After each section there is a quiz, as well as a final exam with 20 questions (missing in the free version). I’ll go through each section adding some notes.
Introduction to Security in Office 365
Threats and data breaches targeting your data
  • how threat actors gain access
  • kill chain
  • how the work and threat landscape changed
  • on-premises environment vs “gray area” (cloud etc.) in terms of control and security
  • phishing
  • malware
  • spoofing
  • escalation of privilege
  • data exfiltration
  • data deletion including ransomware
  • data spillage (“Data spillage occurs when protected data is transferred to a system that doesn’t provide the same level of protection as the source.”)
  • as well as password cracking
  • malicious insiders
Security solutions in Office 365 
  • Exchange Online Protection (EOP)
  • Office 365 Advanced Threat Protection (Office 365 ATP)
  • Office 365 Threat Intelligence
  • Auditing and alerts
  • Advanced Security Management (ASM)
  • EOP (not End Of Protection 😉 but Exchange Online Protection)
  • Office 365 Threat Intelligence
  • Threat Dashboard
  • Auditing and alerts
  • Advanced Security Management (ASM)
  • Threat detection
  • Enhanced control
  • Discovery and insights
Introduction to Secure Score
  • Overview of Office 365 Secure Score
  • security related measurements
  • Office 365 Secure Score API
  • API & powershell
  • downstream data for other tools and SIEM etc.
  • The Secure Score dashboard
  • The Secure Score analyzer tab
  • Increasing your security posture
  • I liked some of the points:
    • Enabling multi-factor authentication on all admin accounts
    • Designating more than one global admin
    • Enabling auditing across workloads
    • Enabling mailbox auditing
    • Having a weekly review of sign-ins after multiple failures
    • Having a weekly review of sign-ins from unknown sources
    • Having a weekly review of sign-ins from multiple geographies
Implementing and Managing Office 365 ATP
Introduction to Exchange Online Protection
  • The anti-malware pipeline in Office 365
  • Zero-hour auto purge
  • ZAP, detect spam or malware that was undetected by heuristics and delivery patterns
  • Phishing and spoofing protection
  • SPF, DKIM, DMARC
  • Spoof Intelligence
  • Give overview of spoofing attempts, allow spoofing for certain senders for certain addresses
  • Managing spoof intelligence
Overview of Office 365 Advanced Threat Protection
  • How ATP expands protection provided by EOP
  • Safe attachments
  • sandbox/detonation chamber 😀
  • Safe attachment policy options
  • Safe links
  • URL detonation -> mix of safe links and safe attachments
  • Safe links policy options
Managing Safe Attachments
  • Creating safe attachment policies in the Security and Compliance Center
  • Creating safe attachments policies using Windows PowerShell
  • Modifying an existing safe attachments policy in the Security and Compliance Center
  • Creating a transport rule to bypass safe attachments
  • Safe attachments end user experience
Managing Safe Links
  • Creating safe links policies by using the Security and Compliance Center
  • Creating safe links policies using Windows PowerShell
  • Modifying an existing safe links policy
  • Create a transport rule to bypass safe links
  • Safe links user experience in email
  • Safe links user experience in Office 2016
Monitoring and reports
  • Threat protection status report
  • ATP message disposition report
  • ATP file types report
  • Malware detections report
  • Top Malware report
  • Top Senders and Recipients report
  • Spoof Mail report
  • Spam Detections report
  • Sent and received email report
  • Security & Compliance Report Demonstration
Using Office 365 Threat Intelligence
Office 365 Threat Intelligence
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
  • Microsoft Intelligent Security Graph
    • Source: Windows, Office 365, Cloud Services, 3rd party
  • Threat dashboard
    • reporting tool for C-level
  • Threat explorer
    • analysts, admins
Using the Threat Detection dashboard
  • Threat detections in your tenant
  • Security and malware trends
  • Alerts
  • More insights
  • Threat Intelligence Demonstration
Using Threat Explorer
  • Viewing options in Threat explorer
  • Filtering capabilities in Threat Explorer
  • Drilling for details
  • Incident reports
Implementing auditing, insights, and alerts
Overview of auditing in the Security & Compliance Center
  • Auditing architecture in Office 365
  • Audited activities
  • Office 365 Management Activity API
Enabling mailbox auditing in Exchange Online
  • Mailbox actions logged by mailbox audit logging
  • Enabling mailbox auditing
  • Specifying owner actions to audit
  • Changing the age limit for entries in the mailbox audit log
Searching the audit log
  • Enabling auditing in your tenant
  • Granting permissions
  • Searching the audit log
  • Viewing the search results
  • Filtering the search results
  • Exporting the search results to a file
  • Searching the audit log by using Windows PowerShell
  • Using a SIEM application to access your auditing data
Enabling sharing auditing for SharePoint and OneDrive
  • The SharePoint sharing schema
  • The SharePoint Sharing model and sharing events
  • How to identify resources shared with external users
Managing insights and alerts in the Security & Compliance Center
  • Introduction to insights and alerts
  • Types of insights that are available
  • Types of alerts that are generated
  • Alerts features in the Security & Compliance Center
  • Alert policy settings
  • Default alert policies
  • Viewing alerts
  • Managing alerts
Advanced Security Management
Overview of Advanced Security Management
  • Lesson introduction
  • Anomaly detection policies
    •     Login authentication failures
    •     Administrator activity
    •     Inactive accounts
    •     Location
    •     Impossible travel
    •     Device and user agent
  • Activity policies
  • Anomaly detection and activity alerts
  • Policy templates
  • Productivity app discovery
  • App permissions
Implementing policies and alerts
  • Enabling and accessing Advanced Security Management
  • Creating anomaly detection policies
  • Creating activity policies
  • Reviewing and taking action on alerts
  • Investigating activities in the Activity log
  • Grouping IP addresses to simplify management
Implementing app discovery
  • Log file requirements
  • Supported vendors and their data attributes
  • Creating app discovery reports
  • Reviewing app discovery findings
  • Troubleshooting errors when log files are uploaded
Implementing app permissions
  • App permissions architecture
  • Managing app permissions
  • Approving or banning an app
Conclusion
Unfortunately I do not have access to an Office 365 environment for testing, so I was thankful that the course gives a broad insight into the possibilities of the security configurations of Office 365. Lots of the topics come with short examples (like phishing, spoofing etc.) and a short video clip.

From my side more insight on the security mechanisms and more detail on Threat Intelligence would have been great. The course goes into logging and how to find strange behaviour, malware and threat intelligence. It was really nice to see how much effort Microsoft put into securing their cloud products.

A lot of the questions in the module assessments are more about configuring the platform itself or how tabs are named; I felt a bit like in an MS exam a long time ago. Large parts of the content are text and not videos; most courses are a bit different here.

The course gave a good overview and insights for understanding Security in Office 365 for me, that’s what I was looking for.
Links

Recommended Talks for the New Year (mainly 35C3)

Like last year, here are some recommendations for starting into 2019. Mainly from 35C3 and one from Bluehat.

See the original thread from twitter here (It’s a bit messed up, but should be complete):

Review Cybrary Advanced Cyber Threat Intelligence

Since I found that some information was missing from this course https://govolution.wordpress.com/2018/06/30/review-udemy-certified-cyber-threat-intelligence-analyst/
I found a course on cybrary, which is only about 3 hours long and which is free.

So the review will also be a bit shorter. For the content please review:
https://www.cybrary.it/course/advanced-cyber-threat-intelligence/

Module 1 – Threat Intelligence Maturity Model is the intro, with an interesting analysis about maturity levels of organisations related to threat intelligence which I found pretty informative.

Module 2 – Campaigns and Open-Source Threat Intelligence comes with some information about OSINT and visualization, which is also covered a bit broader in the course that I took previously.

Module 3 – Sharing Operational Threat Intelligence is a bit more interesting, since here we start with “Sharing Operational Threat Intelligence”. This comes with some information about Crowdstrike & Alienvault, Yara, TLP, CybOX and STIX, TAXII. Finally some information about Tactical/Operational sharing, which was interesting, because the author seems to know that things like ROI etc. are also important when talking about security programs, the explanation of Analytic Confidence was also useful. The video about “Words of Estimative Probability” will almost certainly be useful in the future.
The tools are not explained in depth or compared to each other, which is a pity. I strongly suggest having a look at sigma ;).

Module 4 – Strategic Threat Intelligence Analysis is something that was missing from the courses I viewed before. The topics here are:
Cognitive Bias and Logical Errors
Competing Hypothesis Analysis
Human Elements of Attribution
Nation-State Attribution
Strategic Review and Creating an Active Defense

Conclusion
For me the course was interesting and informative; especially Module 3 & Module 4 brought a new perspective to me. Some of the examples could be shown at more length. Further I got some more tools that I might try in future. I give the course 4/5 points.

 

Links
https://www.cybrary.it/course/advanced-cyber-threat-intelligence/
https://metadefender.opswat.com/#!/
http://virscan.org/
https://www.virustotal.com/
https://community.riskiq.com/
https://www.us-cert.gov/
https://github.com/VirusTotal/yara
https://github.com/Yara-Rules/rules

How to Write Simple but Sound Yara Rules

How to Write Simple but Sound Yara Rules – Part 2

How to Write Simple but Sound Yara Rules – Part 3


https://en.wikipedia.org/wiki/Information_Sharing_and_Analysis_Center
https://cybox.mitre.org/about/
https://stixproject.github.io/about/
https://github.com/Neo23x0/sigma

https://en.wikipedia.org/wiki/Analytic_confidence
http://www.tylervigen.com/spurious-correlations
https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/index.html

Review Udemy “Certified Cyber Threat Intelligence Analyst”

As a second course (see previous blog post for the first course) I bought “Certified Cyber Threat Intelligence Analyst” which has the same instructor as “Certified Advanced Persistent Threat Analyst”.

Section 1: Phases Overview

The first three videos give an overview on the agenda (hunting, features&behavior extraction, attribution, tracking and take down).

The following two videos about hunting explain the goal of hunting, including information gathering from different sources, such as VirusTotal, underground forums, deep web and so on.

Features & Behavior Extraction covers in five videos what to extract from malware for further insight, like metadata, language, exif, strings, IPs etc.

The videos following are about Clustering and Correlation, Threat Actor Attribution, Tracking and Taking Down, followed by the quiz. Without going too deep, the videos cover sandboxing, dynamic and static malware analysis, malicious events, passive DNS, Graph DB, C2 infrastructure, TTP (yay!), OSINT and more.

The next sections go through each phase with more depth.

Section 2: Hunting

The hunting section starts with two videos with hunting and VirusTotal. This covers different techniques helping hunting, yara rules, retrohunt, searching and research. The three videos about Hacking Forums come with some examples. For this topic I highly recommend to read https://krebsonsecurity.com/?s=hackforums & https://krebsonsecurity.com/tag/darkode/ and so on for more in depth information.

The two Deep Web parts are also pretty basic, nothing new if you are in cyber for some time. Also, I do not like it when “Deep/Dark Web” is only referred to in connection with shady or criminal activities. The next video is about Honeypot & OSINT; especially honeypots are big fun and you should set one up.

The two lab videos are much longer than the other ones (<30min), and seem to be taken from a different course. The first is about VirusTotal Intelligence which gives a nice introduction to hunts, retrohunting, clustering and other functions of the platform. The second lab video is about yara. It is being said that you can get access to VT from the trainers, but I got no answer to my request, which is kind of disappointing.

Section 3: Features Extraction

The first two videos are a short introduction to the topic “Features Extraction Goal”, which is more like an introduction to static malware analysis.

The next two videos cover “Import Table Hash (imphash)”. I always have a bad feeling when people talk about MD5 in this area, since collisions are possible with MD5. Further, some of the statements are a bit dangerous, for example “Cannot revert the hash to get original content” only applies for content with a certain size that is not available in any form. When you have a hash and find a matching file, for example in an antivirus database like VirusTotal, you totally can get the original content. Just imagine a scenario where an analyst from company A is giving a bunch of MD5 to an external company B. When an employee of company A ever uploaded internal documents to VT, company B now can assign the MD5 to the uploaded document. This is why you do not share all your indicators, folks.

The instructor even talks about hashes being “security protection features”. Pentesters love finding MD5 hashes of passwords, nothing cracks better ;).

So depending on the use case please consider using stronger hash algorithms, also in malware analysis. Imphash might be OK at this place though, since it only refers to the import table and not to the whole binary.

For better understanding: https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.

“Just because two binaries have the same imphash value does not mean they belong to the same threat group, or even that they are part of the same malware family”. In the course it is being said that similar imphashes mean that the malware has more or less the same source code, which is unfortunate and misleading.
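
To make the quoted caveat concrete, here is an added example (not code from the course, the FireEye post or any tool mentioned here). It computes a simplified imphash over import lists using the usual normalisation: lowercase, drop the .dll/.ocx/.sys extension, join the library.function pairs in table order, then MD5. The three samples are constructed, and PE parsing and ordinal-to-name resolution are left out.

```python
import hashlib

# Library-name extensions dropped by the usual imphash normalisation.
STRIPPED_EXTS = ("dll", "ocx", "sys")


def imphash(imports):
    """MD5 over the ordered, normalised 'library.function' import list.

    `imports` is a list of (library, function) pairs in import-table order.
    Simplification (assumption of this example): no PE parsing and no
    ordinal-to-name resolution.
    """
    entries = []
    for library, function in imports:
        library = library.lower()
        stem, dot, ext = library.rpartition(".")
        if dot and ext in STRIPPED_EXTS:
            library = stem
        entries.append(f"{library}.{function.lower()}")
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()


def file_md5(sample):
    """Whole-file hash stand-in: MD5 over the sample's code bytes."""
    return hashlib.md5(sample["code"]).hexdigest()


# Constructed samples (hypothetical names and bytes, not real binaries).
COMMON_IMPORTS = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("KERNEL32.dll", "CloseHandle"),
    ("WS2_32.dll", "connect"),
    ("WS2_32.dll", "send"),
]
# Two unrelated programs that happen to import the same functions in the
# same order, e.g. because they were built from the same framework.
SAMPLE_A = {
    "name": "backup_tool.exe",
    "code": b"\x55\x8b\xec backup logic",
    "imports": list(COMMON_IMPORTS),
}
SAMPLE_B = {
    "name": "unrelated_program.exe",
    "code": b"\x55\x8b\xec something else entirely",
    "imports": list(COMMON_IMPORTS),
}
# Same code as SAMPLE_A, but the import table ended up in a different order.
SAMPLE_C = {
    "name": "backup_tool_relinked.exe",
    "code": SAMPLE_A["code"],
    "imports": COMMON_IMPORTS[3:] + COMMON_IMPORTS[:3],
}


def compare(left, right):
    """Report whether two samples share a whole-file MD5 and an imphash."""
    return {
        "same_file_md5": file_md5(left) == file_md5(right),
        "same_imphash": imphash(left["imports"]) == imphash(right["imports"]),
    }


if __name__ == "__main__":
    for left, right in ((SAMPLE_A, SAMPLE_B), (SAMPLE_A, SAMPLE_C)):
        print(left["name"], "vs", right["name"], compare(left, right))
```

A matching imphash therefore only says that two files have the same import table layout, and a differing one does not rule out shared code; it is a clustering hint to confirm with other features, not evidence of common source.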

The following video is about “Fuzz Hash (ssdeep)”; refer to the link list for further explanation.

The first lab video is “Extracting VBA Macros with Didier Stevens Tools”. If you ever have the chance of catching Didier Stevens and one of his workshops at a conference, go there; from all I heard it is awesome and I look forward to it. First the video is going into more features of VirusTotal, then going to emldump and oledump. The second lab video is about C2 IP Pivoting, which refers to finding IPs in VBA macros in this case.

The section ends of course with a quiz.

Section 4: Behavior Extraction

Eight short videos about dynamic analysis including “Dynamic Indicators”, “Process Infector and Keylogger”, “Passive DNS” and the quiz. I won’t go deep into it here, since the titles are pretty self-explanatory and mainly cuckoo output is used here. Play for yourself with that ;).

Section 5: Clustering & Correlation

The first four videos are about “How Clustering & Correlation Works”. Here some of the classifiers are explained with examples and what they are for. Two videos about GraphDB follow, and a longer lab video & of course the quiz. Interesting that the tutor is not referring to the product, but to a category (neo4j, maltego) when talking about GraphDB, which was a bit confusing at first.

The lab video looked good and interesting, hope I will have some time in the future to play with the VT features. The video contains an intro to viper (awesome tool) and how to use viper for correlation.

Section 6: Attribution

The topics in this section are “Where are they located?”, “Who are the targets”, “Initial Compromise”, “Privilege Escalation”, “Persistance”, “Lateral Movement”, “Exfiltration Strategy”, “Profiling the Attacker” and the final quiz. Some parts are pretty similar to the APT course.

For the discussion about attribution, in my thinking it is an approach for getting useful information for fighting an attacker. If it works, great. On a higher level things might be a bit different and give much opportunity for open discussions ;).

Section 7: Tracking

In the tracking section the videos are about “Passive DNS & Internet Port Scan”, “Lookups, OSINT and Hacking Forums” as well as the quiz. The section is pretty short and goes only a bit more in depth than section 1.

Section 8: Taking Down

This is covering “Sinkhole”, “How it works?”, “Hacking Forums”, “Victim Notification” & the quiz; the section is as short as the two sections before. Of course this is simplified, be careful, a lot can go wrong here.

Conclusion

As in the APT course, the course is OK for beginners, but please have in mind that some content is not high quality and not complete, which is hard. Therefore I give this course three stars out of five.

I can also recommend “Malicious Software and its Underground Economy: Two Sides to Every Story” (https://www.coursera.org/learn/malsoftware), if still possible, which I took some time ago, the author of this course actually took down a C2 infrastructure and it is pretty interesting.

Links, as in the previous article I added some links that are not originally from the course:

https://www.udemy.com/cybersecurity-threat-intelligence-researcher/

https://www.heise.de/security/artikel/Threat-Intelligence-IT-Sicherheit-zum-Selbermachen-3453595.html

https://en.wikipedia.org/wiki/Cyber_threat_intelligence

Russian financial cybercrime: how it works

Click to access wp-cybercrime-and-the-deep-web.pdf

http://www.scmp.com/tech/innovation/article/1840925/chinese-forums-offer-hacking-courses-around-us100-cyber-attacks

https://cuckoosandbox.org/

http://graphdb.ontotext.com/

https://www.virustotal.com/

https://virusshare.com/

https://krebsonsecurity.com/

Click to access The_Diamond_Model_for_Intrusion_Analysis_A_Primer_Andy_Pendergast.pdf

https://govolution.wordpress.com/2016/10/24/the-first-15-days-of-a-password-honeypot/

https://github.com/govolution/betterdefaultpasslist

https://en.wikipedia.org/wiki/Maltego

https://github.com/laramies/metagoofil

https://virustotal.github.io/yara/

https://remnux.org/

https://github.com/govolution/avet

https://www.mscs.dal.ca/~selinger/md5collision/

Meaningful MD5 Collisions: Creating executables

https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html

http://blog.virustotal.com/2014/02/virustotal-imphash.html

https://ssdeep-project.github.io/ssdeep/index.html

Release: emldump.py Version 0.0.3

oledump.py

https://malwr.com/

Click to access first2005-paper.pdf

https://viper.li/

https://en.wikipedia.org/wiki/DarkComet

Review Udemy “Certified Advanced Persistent Threat Analyst”

Although being a Pentester, I am also into that topic, since I also got some Incident Response experience. So I took the course as a wrap up for myself, in a special offer the course costs about 10$ instead of about 100$.

The course is starting with a short introduction of the instructor, followed by an overview and explanation of APT. The course itself is structured in four sections with a small multiple choice quiz after each section. At the end you get a certificate of completion.

Section 1: Understanding APTs

This includes an overview like motivation for attacks, some examples, organization of APT, actors, techniques, characteristics and so on.

A longer example follows which takes some examples from the show “Mr. Robot”, and the blog article https://medium.com/@jym/a-survey-of-attack-life-cycle-models-8bd04557af72 . The article is worth a look, also if you do not want to take the course.

The next chapters go more in depth about “Cyber Kill Chain & APT Lifecycle”. The wording is a bit militarized here (of course), but the content is valid. All steps of the “Kill Chain” are explained upon the models introduced before, including more techniques and tactics. I missed some things here, for example it was said that attackers dump hashes and then crack them to gain further access. As a tool there was Mimikatz introduced, but no word that credentials could be received in clear text.

After that an overview about APT1 (one video) is given as well as an overview about Stuxnet (three videos). For APT1 I highly recommend to read the original report by Mandiant (https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf), for Stuxnet the movie Zero Days (https://www.imdb.com/title/tt5446858/). This is followed by a chapter about cyberwar and finally by the quiz.

Section 2: Equation Group

The next section is dealing with the highly sophisticated Equation Group, which was created by the NSA (likely). After an overview it goes down to components and infection ways.

The components videos explain the skills and techniques the group used to gain access, persistence, exploitation, like for example persistence on hard disks and the different attack platforms and backdoors. When seeing what some actors are capable of, I always ask myself what they can do now? Offensive security is a broad research field and the most sophisticated and up to date techniques and exploits are of course never mentioned at conferences. Let's just imagine a Google Project Zero but much bigger and of course working for a specific actor. I think you get my point.

Videos about DoubleFantasy, EquationDrug, GrayFish, Fanny and about the infection mechanism follow. Sometimes the instructor is talking about a lab, but there is no lab, so I guess there is another version of the course that includes a lab. One video follows called “Lab 2” (there was no “Lab 1”), the lab is an overview of the site https://apt.securelist.com/#!/threats/. The site itself is good (changed design since the course), but I don’t know why the video is called Lab.

At the end the multiple choice quiz follows.

Section 3: Advanced Dissecting Techniques

The first two videos are an overview, followed by three videos about “Binary Instrumentation” introducing Intel PIN. The first video is about 8 minutes explaining what you can do with PIN. The second video explains the pintool APIs, the third video explains some functions more deeply and ends with simple example code for using PIN. Without having some basic experience in reversing this is hard to follow.

The next four videos are about automated string decoding, where vivisect, flare-dbg and pykd are introduced. For all tools it is explained how they help building an automation process, then a short example follows. In the videos the instructor talks about a step by step demo video, but this is not included.

Four videos follow for introducing Immunity Debugger PyCommands. Immunity is still 32 bit only, but nevertheless it is still used a lot in reversing and exploitation. I also recommend having a look at x64dbg and of course windbg.

The videos about Windows Kernel Driver Analysis cover a basic explanation of the analysis, tools needed, basic explanation of how drivers work. Finally some windbg commands are shown for helping debugging drivers. Again unfortunately no lab is available although mentioned in the course. The end is the quiz.

I liked this section, since I’ve spent some time debugging and reversing in the past and seeing the videos make me think about some stuff I may try in the future if I have more time ;).

Section 4: Fighting APTs

This is the fourth and last section of the course. The first three videos are about “The Challenge”. The challenge is of course defending versus APTs and this gives an overview as before.

The next two videos cover Callback detection strategy. This is about detection of malicious traffic. The topics Application Crashing Monitoring, Behaviour-based Analyses and Machine Learning are also covered in short videos and at the end is the quiz again. A lot of talking about 0-days in this chapter, so before hunting 0-days I strongly suggest to do some basics first. 0-Days are not even used in APTs too often.

Conclusion

The instructor is not always easy to understand (especially if you run the videos faster), so I used subtitles. Subtitles seem to be automatically generated, so this is not 100% consistent, for example Stuxnet becomes “stook net” or Bluetooth is “brutal”, which is funny sometimes. Some things are a bit simplified, which is natural and necessary when you start explaining a complex topic.

The labs that are mentioned in the video do not exist as mentioned before, which is a pity. Further there are no slides to download. In one slide you can see that there seems to be a different version of the course. In that course there also seem to be forums and chats, which would make sense. In the forum of this version there are 3 questions, with one answer at the time of this writing.

Plenty of topics are missing from my personal point of view: Digital forensics, log analysis, logging with sysmon, using splunk, ELK, base lining, Incident Response process, tactics in fighting advanced attackers just to name a few.

I give the course 3,5 stars out of 5 for the low price, for beginners in this area it is worth a look for a first overview, although some parts are more advanced, like the Advanced Dissecting Techniques chapters, which I personally enjoyed. Would have loved to see some hands-on though.

Link List (not only from the course, also from stuff I looked up while watching it):

https://www.udemy.com/cyber-security-advanced-persistent-threat-defender/

https://nmap.org/

https://support.microsoft.com/en-us/help/555636

https://docs.microsoft.com/en-us/sysinternals/downloads/psloggedon

The “Kimsuky” Operation: A North Korean APT?

Click to access mandiant-apt1-report.pdf

https://www.imdb.com/title/tt5446858/

https://www.cfr.org/interactive/cyber-operations

https://github.com/0x09AL/APTnotes

https://en.wikipedia.org/wiki/Equation_Group

Home

https://software.intel.com/sites/landingpage/pintool/docs/71313/Pin/html/

https://software.intel.com/sites/landingpage/pintool/docs/97554/Pin/html/group__API__REF.html

https://github.com/vivisect/vivisect

Click to access b07f8ec47842886270848a886d2c640b48af.pdf

https://github.com/fireeye/flare-dbg

https://www.immunityinc.com/products/debugger/

https://x64dbg.com/

https://www.rand.org/pubs/research_reports/RR1751.html

Recommended Talks for the New Year (34C3, BH)

A new year always brings the talks from the Chaos Communication Congress. Since I had some time for watching, here is a list with my tweets of recommended talks (plus one from Blackhat). Have fun watching.