Microsoft Sentinel SOC 101: How to Detect and Mitigate Zero-day Exploits with Microsoft Sentinel
Zeroing In
Get this entire series in a free, downloadable eBook https://aka.ms/SentinelSOC101
Zero-day exploits are one of the most dangerous threats in the cyber security landscape. They are attacks that take advantage of a software vulnerability that is unknown to the software vendor or to antivirus vendors. The attacker spots the software vulnerability before any parties interested in mitigating it, quickly creates an exploit, and uses it for an attack. Zero-day exploits can compromise sensitive data, disrupt critical systems, and cause reputational damage to organizations.
Mitigation Strategies
There is no definitive answer to the best way to monitor for zero-day exploits, as different organizations may have different needs and resources. However, some of the common methods that experts recommend are:
Monitor reported vulnerabilities: By keeping track of the latest security advisories and bulletins from software vendors, security researchers, and threat intelligence sources, organizations can be aware of any potential zero-day exploits that may affect their systems and applications. This can help them take preventive measures, such as applying patches, updating software, or disabling certain features, before an exploit is widely used by attackers. See: MSRC Update Guide and the NIST Vulnerability Database.
Install next-generation antivirus solutions: Traditional antivirus solutions rely on signature-based detection, which means they can only identify known threats. Next-generation antivirus solutions use machine learning, behavioral analysis, and cloud-based intelligence to detect unknown threats, such as zero-day exploits. These solutions can also provide automated response capabilities, such as quarantine, deletion, or remediation of malicious files or processes.
Perform rigorous patch management: Patching is one of the most effective ways to prevent zero-day exploits, as it fixes the underlying software vulnerabilities that attackers exploit. However, patching can also be challenging, as it requires testing, deployment, and verification of patches across multiple systems and applications. Organizations should have a patch management policy that defines the roles and responsibilities, the frequency and priority of patching, the tools and processes to be used, and the metrics and reports to be generated.
Segment networks with firewalls: Network segmentation is a technique that divides a network into smaller subnets based on different criteria, such as function, location, or access level. This can help isolate and protect critical systems and data from unauthorized or malicious access. Firewalls are devices or software that control the traffic between different network segments based on predefined rules. By using firewalls to segment networks, organizations can limit the exposure and impact of zero-day exploits.
Deploy advanced endpoint protection solutions: Endpoint protection solutions are software or hardware that protect devices such as laptops, desktops, smartphones, or tablets from cyberattacks. Advanced endpoint protection solutions use techniques such as sandboxing, emulation, or virtualization to analyze suspicious files or processes in a safe environment before allowing them to run on the device. This can help detect and block zero-day exploits that may evade traditional antivirus solutions. See: Microsoft Defender for Endpoint.
Monitor user activities and access levels: User activities and access levels are indicators of how users interact with systems and applications within an organization. By monitoring user activities and access levels, organizations can identify any abnormal or suspicious behavior that may indicate a zero-day exploit. For example, if a user accesses a system or application that they normally do not use, downloads a large amount of data, or performs unauthorized actions, this may signal a potential compromise. Organizations should have a user activity monitoring policy that defines the scope, frequency, and methods of monitoring, as well as the actions to be taken in case of anomalies. See other chapters in this series: https://aka.ms/SentinelSOC101.
How can organizations protect themselves from zero-day exploits?
One of the solutions is Microsoft Sentinel, a cloud-native security information and event management (SIEM) solution that provides intelligent security analytics and threat intelligence across the enterprise.
In fact, a tool like Microsoft Sentinel that sits at the end of the security path, is essential. This is where Microsoft Sentinel really shines because it is constantly collecting signals and monitoring all of the connected pieces of the environment for constant review and alerting. Generally, a zero-day exploit is a threat that has no immediate patch or remediation. But utilizing the power of Microsoft Sentinel features, organizations have control over exposure.
Microsoft Sentinel can help organizations detect and mitigate zero-day exploits in the following ways:
Collect data at cloud scale: Microsoft Sentinel can collect data from various sources, such as Microsoft solutions, Azure services, and third-party applications, using built-in connectors. It can also ingest data from common event format, Syslog, or REST-API. By collecting data at cloud scale, Microsoft Sentinel can provide a comprehensive view of the security posture of the organization and identify any anomalies or indicators of compromise that may signal a zero-day exploit.
Detect threats with analytics and intelligence: Microsoft Sentinel can analyze the collected data using machine learning and artificial intelligence to detect previously uncovered threats and minimize false positives. It can also leverage the unparalleled threat intelligence from Microsoft, which is based on analyzing trillions of signals daily. Additionally, Microsoft Sentinel can enable proactive threat hunting with pre-built queries based on years of security experience. By using these capabilities, Microsoft Sentinel can help organizations discover and prioritize zero-day exploits before they cause significant damage.
Investigate and respond with automation and orchestration: Microsoft Sentinel can help organizations investigate and respond to zero-day exploits with speed and efficiency. It can provide a prioritized list of alerts, correlate alerts into incidents, and visualize the entire scope of every attack. It can also automate and orchestrate common tasks by using playbooks that are based on Azure Logic Apps. These playbooks can perform actions such as sending notifications, blocking malicious IPs, isolating infected devices, and creating tickets. By using these features, Microsoft Sentinel can help organizations contain and remediate zero-day exploits in a timely manner.
Example 1
Based on available IOCs, the following KQL query example detects CVE-2023-23397:
DeviceProcessEvents
| where InitiatingProcessFileName == "svchost.exe"
| where FileName == "rundll32.exe" and ProcessCommandLine contains "davclnt.dll" and ProcessCommandLine contains "DavSetCookie"
| where ProcessCommandLine !contains "http://10."
| where ProcessCommandLine !contains "http://192.168."
| extend url = split(ProcessCommandLine, "http://")[1]
| extend domain = split(url, "/")[0]
| where domain contains "." and domain !endswith ".local"
| summarize count() by tostring(domain)The DeviceProcessEvents table requires the Defender Solution (Defender for Endpoint) be enabled for Microsoft Sentinel.
Example 2
The following KQL query shows missing updates for Windows and Linux systems:
// Missing updates summary
// Get a summary of missing updates by category.
Update
| where TimeGenerated>ago(5h) and OSType=="Linux" and SourceComputerId in ((Heartbeat
| where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
| where Solutions has "updates"
| distinct SourceComputerId))
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification) by Computer, SourceComputerId, Product, ProductArch
| where UpdateState=~"Needed"
| summarize by Product, ProductArch, Classification
| union (Update
| where TimeGenerated>ago(14h) and OSType!="Linux" and (Optional==false or Classification has "Critical" or Classification has "Security") and SourceComputerId in ((Heartbeat
| where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
| where Solutions has "updates"
| distinct SourceComputerId))
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Approved) by Computer, SourceComputerId, UpdateID
| where UpdateState=~"Needed" and Approved!=false
| summarize by UpdateID, Classification )
| summarize allUpdatesCount=count(), criticalUpdatesCount=countif(Classification has "Critical"), securityUpdatesCount=countif(Classification has "Security"), otherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security")Summary
Microsoft Sentinel is a cloud-native SIEM solution that can help organizations protect themselves from zero-day exploits. It can collect data at cloud scale, detect threats with analytics and intelligence, and investigate and respond with automation and orchestration. By using Microsoft Sentinel, organizations can benefit from the speed, scale, and intelligence of the cloud to enhance their security operations and resilience.
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Weekly Microsoft Defender Newsletter]
[Subscribe to the Weekly Azure OpenAI Newsletter]
[Learn KQL with the Must Learn KQL series and book]
[Learn AI Security with the Must Learn AI Security series and book]