Our Deep Learning method

One of the data sources we monitor for our customers is Entra ID (formerly Azure AD) Sign-in logs. These logs contain information about users signing-in from their regular workplace or while on vacation. They can also indicate whether a user’s credentials were obtained in a Phishing attempt or leaked online.

Microsoft offers its own detection options for compromised accounts, for example, in the User Entity and Behavior Analytics (UEBA) suite ^[2]. The downside of using this technology is that it is developed for a global audience and operates as a black box. When the results do not align with your needs, there is little you can modify. Depending on the customer environment, this can result in numerous false positives to tune out, and potentially missed true positives.

To enhance our detection capabilities beyond the available options, we have developed our own ML/AI models to detect advanced attackers and identify attackers with subtle differences in sign-in data. By tailoring the models more closely to our customers' environments, we optimize the quality of the alerts we receive.

The models we build are based on Autoencoders, an ML/AI method that can be used to identify anomalies in data. Anomalies are data records that exhibit unexpected characteristics, such as a user authenticating from a new country or city. We feed historical data into the model, which then creates a memory of the training data. We can use this memory to determine whether new information is similar to the training data. In our case, we can use the model to determine whether a sign-in attempt for a certain user is expected or not, based on the past behavior of that user and all other users in that environment.

An ML/AI model for every environment

To meet our needs, we create a unique ML/AI model for each customer environment. This means the model is specifically tailored, and the data never leaves the customer's tenant. The custom-tailored ML/AI model is then used to spot anomalies relevant to that customer.

The challenge with creating a model for each environment is that you must create and manage many models instead of just one large one. To do this effectively at scale, we use Azure Machine Learning ^[3]. By using Azure Machine Learning, we ensure that all data stays within our customer’s environments and we can benefit from the scalability of cloud services. We can run ML/AI pipelines every hour to train on new data, keeping them up-to-date for a computing cost of 5 euros per customer environment per month.

With Azure Machine Learning, we can also prototype rapidly. In developing our models, getting the right configuration is crucial. For example, it might differ between two customer environments whether users log in mostly from one country or several. To tailor a model to a specific environment, we can run multiple configurations in parallel and gather the data at scale to quickly configure a model for each customer.

The right tool for the job

For each type of attack that we aim to detect, we select the appropriate tool. For sign-in data, creating the right signature-based detection proved difficult, and the new ML/AI capabilities can help us detect more subtle differences and, with that, more advanced attackers. The reason that it is hard to detect with traditional monitoring is that what is abnormal varies greatly. For example, in a company where half of the devices use MacOS, and the other half use Windows, we cannot simply say that using either of the two is suspicious. However, when a user always logs in from a Mac and now suddenly from a Windows device, that could indicate suspicious activity. These kinds of deviations are easy to spot by a human analyst, but an analyst is limited in time. One could choose to hardcode such detection rules in SIEM use cases, but coming up with an exhaustive list of potentially malicious situations is difficult and results in high numbers of false positives. The use of machine learning/AI here allows us to spot anomalies without having to specify all potentially malicious situations, and we can search for deviations without time limitation in all sign-in data.

ML/AI is used in conjunction with our existing detection, and the aim is not to replace everything with ML/AI, but rather to add to the existing detection to fill gaps that are harder to fill with other tools.

Adding security expertise to ML/AI

These models excel at identifying anomalies from a standard set, such as a sign-in from an unusual country. However, this does not always mean that the sign-in is malicious. The user might be on holiday checking their email or signing-in during a business trip. That is why we enhance the outcomes of our ML/AI models with our security knowledge. With the expertise gathered from our red team, our CERT, and our experience in detection, we can examine actions taken in conjunction with the sign-in to differentiate between unusual and malicious activity.

One of the recent cases our ML/AI models detected was a malicious sign-in from Amsterdam, Netherlands. As a company based in the Netherlands, it could be easy to dismiss sign-ins from our own country. However, since Amsterdam is a popular location for cyber criminals to host servers, it’s important to stay vigilant. In this case, our analysts received an alert about an anomalous sign-in from Amsterdam, a location that the user does not normally log in from. Manual analysis by our analysts, combined with threat intelligence, revealed that this was a malicious sign-in rather than a trip to our capital, allowing us to disrupt the compromise before any damage was done. Being able to detect such slight variations expands our detection surface, making it increasingly difficult for attackers to remain undetected.

Conclusion

As criminals continue to evolve their attack methods, defenders must also become more creative and fully utilize the possibilities provided by new technology. Machine learning/AI techniques like Autoencoders are a fantastic way to enhance the detection capabilities of a SOC. We strongly believe in an expertise-based, technology-driven approach, where we maximize the use of what technology can offer us and use our knowledge and experience to provide value for our SOC customers. Currently, this means that the right mix of deterministic use cases and machine learning/AI-based detections provides the greatest detection value. The example we provided here is just the first of many to come!

Contributed by: Christiaan Ottow, Jair Cardoso de Santanna, Martine Koch, Sem Spenkelink and Yorick de Boer.

[1] https://towardsdatascience.com/applied-deep-learning-part-3-autoencoders-1c083af4d798

[2] https://learn.microsoft.com/en-us/azure/sentinel/identify-threats-with-entity-behavior-analytics

[3] https://learn.microsoft.com/en-us/azure/machine-learning/overview-what-is-azure-machine-learning