
Using Defender EASM and Defender TI

11/01/2023

In a past post I already covered MDTI (Microsoft Defender Threat Intelligence) integrated with Sentinel, using KQL to detect indicators of attack or compromise (https://msincic.wordpress.com/2023/09/03/utilizing-microsoft-defender-threat-intelligence-iocs-in-sentinel/).

This time we introduce a different tool, Defender EASM (External Attack Surface Management): you give it a “seed” (domain names, host IP addresses or DNS names), and from that seed it discovers your exposed assets and searches them for indicators of possible attack.

It is comprehensive: beyond the threat indicators drawn from MDTI, the analysis also covers expired certificates, exposed CVEs, OWASP categories, the security posture of configurations and GDPR adherence.

Best of all: EASM IS FREE FOR THE FIRST 30 DAYS!

Enabling and Initial Configuration

The process is very simple; step by step:

  1. Create the resource in Azure, entering basically the subscription, resource group and tags.
  2. Go to “Discovery” in the settings and create the search root (or seed) with a “Discovery Group”.
  3. In the search settings, set the frequency and what you want to search for.
     An interesting point here: well-known companies and organizations can be pre-loaded through the “Import…” option, which draws on organizations already known in common internet databases.
  4. Remember to add exclusions if you have honeypot servers, to avoid generating unnecessary alerts.
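Before typing seeds into the Discovery Group, it helps to validate them and apply the honeypot exclusions locally. The script below is an added example and is not Microsoft's code or the EASM API: it classifies each seed as a domain, host, IP address or IP block (the two-labels-equals-domain rule is a heuristic assumed here), drops anything covered by an exclusion, and returns a grouped structure whose shape is hypothetical. The sample seeds and exclusions are constructed from documentation address ranges.

```python
"""Validate Defender EASM discovery seeds before creating a Discovery Group.

Added example, not Microsoft's code or API. It models the seed kinds the post
mentions (domain names, host names, IP addresses) plus IP blocks, and applies
the honeypot exclusions the post recommends. The structure returned by
build_discovery_group() is a hypothetical local layout, not the EASM schema.
"""
from __future__ import annotations

import ipaddress
import json
import re

# Conservative hostname syntax: labels of letters/digits/hyphens joined by dots.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_NAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def classify_seed(seed: str) -> str:
    """Return 'ipaddress', 'ipblock', 'domain' or 'host' for a seed string.

    Heuristic assumed by this example: a name with exactly two labels is
    treated as a registrable domain, anything deeper as a host.
    """
    value = seed.strip().lower()
    try:
        ipaddress.ip_address(value)
        return "ipaddress"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(value, strict=False)
        return "ipblock"
    except ValueError:
        pass
    if not _NAME_RE.match(value):
        raise ValueError(f"unrecognised seed: {seed!r}")
    return "domain" if value.count(".") == 1 else "host"


def is_excluded(seed: str, exclusions: list[str]) -> bool:
    """True when an exclusion covers the seed: exact match, an IP inside an
    excluded block, or a host under an excluded name."""
    value = seed.strip().lower()
    kind = classify_seed(value)
    for excl in exclusions:
        excl = excl.strip().lower()
        if value == excl:
            return True
        if kind == "ipaddress":
            try:
                if ipaddress.ip_address(value) in ipaddress.ip_network(excl, strict=False):
                    return True
            except ValueError:
                continue  # exclusion is a name, not a network
        elif kind == "host" and value.endswith("." + excl):
            return True
    return False


def build_discovery_group(name: str, seeds: list[str], exclusions: list[str],
                          frequency_days: int = 7) -> dict:
    """Group the seeds by kind and set aside the excluded ones."""
    grouped: dict[str, list[str]] = {"domain": [], "host": [], "ipaddress": [], "ipblock": []}
    dropped: list[str] = []
    for seed in seeds:
        if is_excluded(seed, exclusions):
            dropped.append(seed)
            continue
        grouped[classify_seed(seed)].append(seed.strip().lower())
    return {"name": name, "frequencyDays": frequency_days, "seeds": grouped, "excluded": dropped}


# Constructed sample data (documentation ranges, not real assets).
SEEDS = ["contoso.example", "web01.contoso.example", "203.0.113.10",
         "203.0.113.77", "198.51.100.0/24", "honeypot.contoso.example"]
EXCLUSIONS = ["honeypot.contoso.example", "203.0.113.64/26"]  # honeypot name and block

if __name__ == "__main__":
    print(json.dumps(build_discovery_group("contoso-external", SEEDS, EXCLUSIONS), indent=2))
```

Running it prints the grouped seeds with the honeypot host and the IP inside the excluded block listed under `excluded`, which is the list to mirror in the Discovery Group's exclusions so those assets never raise alerts.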

Now just wait 48 to 72 hours for the discovery to generate the data.

Analyzing the generated data

In Overview, the different items that need attention are presented as tabbed lists. In this list I already spot IPs flagged as suspicious in the MDTI database for use in malware distribution.

Looking there, we found an old IP that I once used on a server and that is now listed as an indicator of attack:

Here you can see a summary and an indication that one of the IPs is suspicious:

EASM itself already shows which type of attack this IP is associated with, as registered in MDTI:

Opening the host observation tabs, we can see what this host serves, its certificates, reputation and all the details:

I also get a view of all the certificates used on the host for the different domains, which lets me detect internal and external certificates that are expired or about to expire:
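The two checks the post walks through, an IP that now appears in the threat-intelligence database and certificates that are expired or close to expiry, can be reproduced over an exported inventory. The script below is an added example, not code from the post or from Defender EASM: the asset and indicator records are constructed and their layout is an assumption of the example, not the EASM schema. It flags hosts whose IP matches an indicator and classifies each host's certificate as expired, expiring or ok, then assigns a severity so the old-server case surfaces first.

```python
"""Triage discovered external assets against threat indicators and certificate expiry.

Added example, not code from the post or from Defender EASM. The record layout
(host, ip, cert_not_after) and the indicator layout (ip, category) are
assumptions of this example; timestamps are ISO-8601 with an explicit offset.
"""
from __future__ import annotations

from datetime import datetime, timedelta

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def cert_status(not_after: str, now: datetime, warn_days: int = 30) -> str:
    """'expired' if notAfter has passed, 'expiring' if within warn_days, else 'ok'."""
    expiry = datetime.fromisoformat(not_after)
    if expiry <= now:
        return "expired"
    if expiry - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def triage(assets: list[dict], indicators: list[dict], now: datetime,
           warn_days: int = 30) -> dict[str, dict]:
    """Return {host: {"severity": ..., "reasons": [...]}} for every asset.

    Severity: high when the IP is a listed indicator, medium for an expired
    certificate, low for one about to expire, info when nothing was found.
    """
    ioc_by_ip = {i["ip"]: i for i in indicators}
    result: dict[str, dict] = {}
    for asset in assets:
        reasons: list[str] = []
        severity = "info"
        ioc = ioc_by_ip.get(asset["ip"])
        if ioc:
            reasons.append(f"ip {asset['ip']} listed in threat intel as {ioc['category']}")
            severity = "high"
        status = cert_status(asset["cert_not_after"], now, warn_days)
        if status == "expired":
            reasons.append(f"certificate expired ({asset['cert_not_after']})")
            severity = "high" if severity == "high" else "medium"
        elif status == "expiring":
            reasons.append(f"certificate expires soon ({asset['cert_not_after']})")
            severity = "high" if severity == "high" else "low"
        result[asset["host"]] = {"severity": severity, "reasons": reasons}
    return result


def ordered_findings(triaged: dict[str, dict]) -> list[str]:
    """Host names sorted by severity, most urgent first."""
    return sorted(triaged, key=lambda h: (SEVERITY_ORDER[triaged[h]["severity"]], h))


# Constructed sample inventory and indicators (documentation ranges, not real data).
NOW = datetime.fromisoformat("2023-11-01T00:00:00+00:00")
ASSETS = [
    {"host": "web01.contoso.example", "ip": "203.0.113.10",
     "cert_not_after": "2024-06-01T00:00:00+00:00"},
    {"host": "old-verify.contoso.example", "ip": "203.0.113.77",
     "cert_not_after": "2023-09-15T00:00:00+00:00"},
    {"host": "mail.contoso.example", "ip": "198.51.100.5",
     "cert_not_after": "2023-11-20T00:00:00+00:00"},
]
INDICATORS = [{"ip": "203.0.113.77", "category": "malware distribution"}]

if __name__ == "__main__":
    report = triage(ASSETS, INDICATORS, NOW)
    for host in ordered_findings(report):
        print(host, report[host]["severity"], "; ".join(report[host]["reasons"]))
```

In the constructed data the host on the old IP comes out first with two reasons (the indicator match and an expired certificate), the mail host is low because its certificate expires within 30 days, and the current web host is informational only, which mirrors the order in which the post's findings were worth acting on.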

In this example, on investigating later I discovered that one of the domains hosted on the same server had vulnerabilities and was being used to serve a video website.

I changed the host and removed the DNS record pointing to it, which was actually just an old verification record that was no longer in use.

Conclusion

Using EASM we can monitor our resources that are exposed on the internet and thus protect ourselves and our customers!
