Archive

Archive for the ‘Microsoft Defender ATP’ Category

Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios

March 26th, 2020 No comments

With the bulk of end users now working remotely, legacy network architectures that route all remote traffic through a central corporate network are suddenly under enormous strain. The result can be poorer performance, productivity, and user experience. Many organizations are now rethinking their network infrastructure design to address these issues, especially for applications like Microsoft Teams and Office 365. At Microsoft, for example, we adopted split tunneling as part of our VPN strategy. Our customers have asked us for guidance on how to manage security in this changing environment.

An architecture that routes all remote traffic back to the corporate network was originally intended to provide the security team with the following:

  • Prevention of unauthorized access
  • Control of authorized user access
  • Network protections such as Intrusion Detection/Prevention (IDS/IPS) and Distributed Denial of Service (DDoS) mitigation
  • Data loss prevention (DLP)

In this post, we’ll address alternative ways of achieving modern security controls, so security teams can manage risk in a more direct-to-internet network architecture.

Prevention of unauthorized access

Multi-factor authentication (MFA) helps increase authentication assurance. We recommend requiring it for all users. If you are not ready to deploy to all users, consider entering an emergency pilot for higher risk or more targeted users. Learn more about how to use Azure Active Directory (Azure AD) Conditional Access to enforce MFA. You will also want to block legacy authentication protocols that allow users to bypass MFA requirements.

Control of authorized user access

Ensure only registered devices that comply with your organization’s security policies can access your environment, to reduce the risk that would be posed by resident malware or intruders. Learn more about how to use Azure AD Conditional Access to enforce device health requirements. To further increase your level of assurance, you can evaluate user and sign-on risk to block or restrict risky user access. You may also want to prevent your users from accessing other organizations’ instances of the Office 365 applications. If you do this with Azure AD tenant restrictions, only logon traffic needs to traverse the VPN.

Network protections

Some of the protections that you may have traditionally provided by routing traffic back through your corporate network can now be provided by the cloud apps your users are accessing. Office 365, for example, is globally distributed and designed to allow the customer network to route user requests to the closest Office 365 service entry point. Learn more about Office 365 network connectivity principles. We build resiliency into Office 365 to minimize potential disruption. We protect Office 365 and Azure from network attacks like DDoS on behalf of our customers.

With the above controls in place, you may be ready to route remote users’ traffic directly to Office 365. If you still require a VPN link for access to other applications, you can greatly improve your performance and user experience by implementing split tunneling.

We strongly recommend that you review VPN and VPS infrastructure for updates, as attackers are actively tailoring exploits to take advantage of remote workers. Microsoft Threat Intelligence teams have observed multiple nation state and cybercrime actors targeting unpatched VPN systems for many months. In October 2019, both the National Security Agency and National Cyber Security Centre issued alerts on these attacks. The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Department of Commerce National Institute of Standards and Technology (NIST) have published useful guidance on securing VPN/VPS infrastructure.

DLP

To help you prevent the accidental disclosure of sensitive information, Office 365 has a rich set of built-in tools. You can use the built-in DLP capabilities of Teams and SharePoint to detect inappropriately stored or shared sensitive information. If part of your remote work strategy involves a bring-your-own-device (BYOD) policy, you can use Conditional Access App Control to prevent sensitive data from being downloaded to users’ personal devices.

Malware detection

By default, SharePoint Online automatically scans file uploads for known malware. Enable Exchange Online Protection to scan email messages for malware. If your Office 365 subscription includes Office 365 Advanced Threat Protection (ATP), enable it to provide advanced protection against malware. If your organization uses Microsoft Defender ATP for endpoint protection, remember that each user is licensed for up to five company-managed devices.

Additional resources

The post Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios appeared first on Microsoft Security.

Protecting against coronavirus themed phishing attacks

March 20th, 2020 No comments

The world has changed in unprecedented ways in the last several weeks due to the coronavirus pandemic. While it has brought out the best in humanity in many ways, as with any crisis it can also attract the worst in some. Cybercriminals use people’s fear and need for information in phishing attacks to steal sensitive information or spread malware for profit. Even as some criminal groups claim they’ll stop attacking healthcare and nursing homes, the reality is they can’t fully control how malware spreads.

While phishing and other email attacks are indeed happening, the volume of malicious emails mentioning the coronavirus is very small. Still, customers are asking us what Microsoft is doing to help protect them from these types of attacks, and what they can do to better protect themselves. We thought this would be a useful time to recap how our automated detection and signal-sharing works to protect customers (with a specific recent example) as well as share some best practices you can use personally to stay safe from phishing attempts.

What Microsoft is doing

First, 91 percent of all cyberattacks start with email. That’s why the first line of defense is doing everything we can to block malicious emails from reaching you in the first place. A multi-layered defense system that includes machine learning, detonation, and signal-sharing is key in our ability to quickly find and shut down email attacks.

If any of these mechanisms detect a malicious email, URL, or attachment, the message is blocked and does not make its way to your inbox. All attachments and links are detonated (opened in isolated virtual machines). Machine learning, anomaly analyzers, and heuristics are used to detect malicious behavior. Human security analysts continuously evaluate user-submitted reports of suspicious mail to provide additional insights and train machine learning models.

Once a file or URL is identified as malicious, the information is shared with other services such as Microsoft Defender Advanced Threat Protection (ATP) to ensure endpoint detection benefits from email detection, and vice versa.

An interesting example of this in action occurred earlier this month, when an attacker launched a spear-phishing campaign that lasted less than 30 minutes.

Attackers crafted an email designed to look like a legitimate supply chain risk report for food coloring additives with an update based on disruptions due to coronavirus. The attachment, however, was malicious and delivered a sophisticated, multi-layer payload based on the Lokibot trojan (Trojan:Win32/Lokibot.GJ!MTB).

Screenshot of a phishing email about a coronavirus update.

Had this payload been successfully deployed, hackers could have used it to steal credentials for other systems—in this case FTP accounts and passwords—which could then be used for further attacks.

Only 135 customer tenants were targeted, with a spray of 2,047 malicious messages, but no customers were impacted by the attack. The Office 365 ATP detonation service, signal-sharing across services, and human analysts worked together to stop it.

And thanks to signal sharing across services, customers not using a Microsoft email service like Office 365, hosted Exchange, or Outlook.com, but using a Windows PC with Microsoft Defender enabled, were fully protected. When a user attempted to open the malicious attachment from their non-Microsoft email service, Microsoft Defender kicked in, querying its cloud-based machine learning models and found that the attachment was blocked based on a previous Office 365 ATP cloud detection. The attachment was prevented from executing on the PC and the customer was protected.

What you can do

While bad actors are attempting to capitalize on the COVID-19 crisis, they are using the same tactics they always do. You should be especially vigilant now to take steps to protect yourself.

Make sure your devices have the latest security updates installed and an antivirus or anti-malware service. For Windows 10 devices, Microsoft Defender Antivirus is a free built-in service enabled through Settings. Turn on cloud-delivered protection and automatic sample submission to enable artificial intelligence (AI) and machine learning to quickly identify and stop new and unknown threats.

Enable the protection features of your email service. If you have Office 365, you can learn about Exchange Online Protection here and Office 365 ATP here.

Use multi-factor authentication (MFA) on all your accounts. Most online services now provide a way to use your mobile device or other methods to protect your accounts in this way. Here’s information on how to use Microsoft Authenticator and other guidance on this approach.

MFA support is available as part of the Azure Active Directory (Azure AD) Free offering. Learn more here.

Educate yourself, friends, and colleagues on how to recognize phishing attempts and report suspected encounters. Here are some of the tell-tale signs.

  • Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have an editorial staff to ensure customers get high-quality, professional content. If an email message is fraught with errors, it is likely to be a scam.
  • Suspicious links. If you suspect that an email message is a scam, do not click on any links. One method of testing the legitimacy of a link is to rest your mouse—but not click—over the link to see if the address matches what was typed in the message. In the following example, resting the mouse on the link reveals the real web address in the box with the yellow background. Note that the string of IP address numbers looks nothing like the company’s web address.

  • Suspicious attachments. If you receive an email with an attachment from someone you don’t know, or an email from someone you do know but with an attachment you weren’t expecting, it may be a phishing attempt, so we recommend you do not open any attachments until you have verified their authenticity. Attackers use multiple techniques to try and trick recipients into trusting that an attached file is legitimate.
    • Do not trust the icon of the attachment.
    • Be wary of multiple file extensions, such as “pdf.exe” or “rar.exe” or “txt.hta”.
    • If in doubt, contact the person who sent you the message and ask them to confirm that the email and attachment are legitimate.
  • Threats. These types of emails cause a sense of panic or pressure to get you to respond quickly. For example, it may include a statement like “You must respond by end of day.” Or saying that you might face financial penalties if you don’t respond.
  • Spoofing. Spoofing emails appear to be connected to legitimate websites or companies but take you to phony scam sites or display legitimate-looking pop-up windows.
  • Altered web addresses. A form of spoofing where web addresses that closely resemble the names of well-known companies, but are slightly altered; for example, “www.micorsoft.com” or “www.mircosoft.com”.
  • Incorrect salutation of your name.
  • Mismatches. The link text and the URL are different from one another; or the sender’s name, signature, and URL are different.

If you think you’ve received a phishing email or followed a link in an email that has taken you to a suspicious website, there are few ways to report what you’ve found.

If you think the mail you’ve received is suspicious:

  • Outlook.com. If you receive a suspicious email message that asks for personal information, select the checkbox next to the message in your Outlook inbox. Select the arrow next to Junk, and then point to Phishing scam.
  • Microsoft Office Outlook 2016 and 2019 and Microsoft Office 365. While in the suspicious message, select Report message in the Protection tab on the ribbon, and then select Phishing.

If you’re on a suspicious website:

  • Microsoft Edge. While you’re on a suspicious site, select the More (…) icon > Send feedback > Report Unsafe site. Follow the instructions on the web page that displays to report the website.
  • Internet Explorer. While you’re on a suspicious site, select the gear icon, point to Safety, and then select Report Unsafe Website. Follow the instructions on the web page that displays to report the website.

If you think you have a suspicious file:

  • Submit the file for analysis.

This is just one area where our security teams at Microsoft are working to protect customers and we’ll share more in the coming weeks. For additional information and best practices for staying safe and productive through remote work, community support and education during these challenging times, visit Microsoft’s COVID-19 resources page for the latest information.

The post Protecting against coronavirus themed phishing attacks appeared first on Microsoft Security.

Forrester names Microsoft a Leader in 2020 Enterprise Detection and Response Wave

March 18th, 2020 No comments

I’m proud to announce that Microsoft is positioned as a Leader in The Forrester Wave™: Enterprise Detection and Response, Q1 2020. Among the Leaders in the report, Microsoft received the highest score in the current offering category. Microsoft also received the highest score of all participating vendors in the extended capabilities criteria. We believe Microsoft’s position as a Leader in this Forrester Enterprise Detection and Response Wave is not only a recognition of the value we deliver with our endpoint detection and response capabilities through Microsoft Defender Advanced Threat Protection (ATP), but recognition for our customers for their help in defining a market-leading product they really need and love using.

Microsoft Defender ATP, our endpoint protection solution, received the highest score possible (5 out of 5) in the endpoint telemetry, security analytics, threat hunting, ATT&CK mapping, and response capabilities criteria, as well in the Performance and Planned Enhancements criteria. The endpoint detection and response capabilities built into Microsoft Defender ATP empower defenders to achieve more and focus on remediating the threats that will have the biggest impact to their organization. Our broad and deep optics into the threat landscape and our built-in approach to security make our offerings unique.

The recently announced Microsoft Threat Protection, a solution that expands Microsoft Defender ATP from endpoint detection and response (EDR) to an extended detection and response (XDR) solution by combining our endpoint protection with protection for email and productivity tools (Office ATP), identity (Azure ATP), and cloud applications (Microsoft Cloud App Security), received the highest score of all participating vendors for its extended capabilities. As customers face cross-domain attacks, such as email phishing that leads to endpoint and identity compromise, Microsoft Threat Protection looks across these domains to understand the entire chain of events, identifies affected assets, like users, endpoints, mailboxes, and applications, and auto-heals them back to a safe state.

Microsoft is dedicated to protecting companies from real cyberattacks. We are focused on product excellence, innovation, and cutting-edge technology. The success of our customers is our highest priority, which is why we put such a strong emphasis on product excellence to translate the more than $1 billion a year investment, collaboration with over 100 Microsoft Intelligent Security Association (MISA) partners, and more than 3,500 security professionals into real, cloud-delivered protection for our customers. These partnerships, investments, and continuous innovation have led us to secure this leading spot as a provider that “matters most.”

For us, this latest recognition is a testament to our research and product teams’ ongoing commitment to provide our customers with an effective and comprehensive security solution and adds to a growing list of industry recognition of Microsoft Defender ATP.

This is our first time participating in this Forrester Enterprise Detection and Response Wave and we are truly excited to have been recognized as a Leader. It’s another proud milestone in our endpoint security journey with Microsoft Defender ATP and Microsoft Threat Protection to building an industry-leading endpoint and XDR solution that customers love.

Download this complimentary full report and read the analysis behind Microsoft’s positioning as a Leader.

For more information on our endpoint security platform, or to sign up for a trial, visit our Microsoft Defender ATP page.

 

The Forrester Wave™: Enterprise Endpoint Detection and Response, Q1 2020, Josh Zelonis, March 18, 2020.
This graphic was published by Forrester Research as part of a larger research document and should be evaluated in the context of the entire document. The Forrester document is available upon request from https://reprints.forrester.com/#/assets/2/108/RES146957/reports.

The post Forrester names Microsoft a Leader in 2020 Enterprise Detection and Response Wave appeared first on Microsoft Security.

Secured-core PCs: A brief showcase of chip-to-cloud security against kernel attacks

March 17th, 2020 No comments

Gaining kernel privileges by taking advantage of legitimate but vulnerable kernel drivers has become an established tool of choice for advanced adversaries. Multiple malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron, and campaigns by the threat actor STRONTIUM, have leveraged driver vulnerabilities (for example, CVE-2008-3431, CVE-2013-3956, CVE-2009-0824, CVE-2010-1592, etc.) to gain kernel privileges and, in some cases, effectively disable security agents on compromised machines.

Defending against these types of threats—whether those that live off the land by using what’s already on the machine or those that bring in vulnerable drivers as part of their attack chain—requires a fresh approach to security, one that combines threat defense on multiple levels: silicon, operating system, and cloud. Microsoft brought this chip-to-cloud approach with Azure Sphere, the integrated security solution for IoT devices and equipment. We brought the same approach to securing endpoint devices through Secured-core PCs.

Secured-core PCs combine virtualization, operating system, and hardware and firmware protection. Along with Microsoft Defender Advanced Threat Protection, Secured-core PCs provide end-to-end protection against advanced threats.

Hardware profile guaranteed to support the latest hardware-backed security features

Microsoft worked internally and externally with OEM partners Lenovo, HP, Dell, Panasonic, Dynabook, and Getac to introduce a new a class of devices, Secured-core PCs. Secured-core PCs address the need for customers to perform the complex decision flow of mapping which security feature (e.g., hypervisor-protected code integrity (HVCI), virtualization-based security (VBS), Windows Defender Credential Guard) are supported by which hardware (e.g., TPM 1.0, 2.0, etc.).

With Secured-core PCs, customers no longer need to make this complex decision; they’re assured that these devices support the latest hardware-backed security features.

Hardware-backed security features enabled by default

Secured-core PCs have the hardware-backed security featured enabled by default, removing the need for customers to test and enable these features, which require a combination of BIOS and OS settings changes.

Because both BIOS settings and OS settings are enabled out of the box with these devices, the burden to enable these features onsite is removed for customers. The following hardware-backed security features are enabled by default on any Secured-core PC:

 

Security promise Technical features
Protect with hardware root of trust TPM 2.0 or higher
TPM support enabled by default
Virtualization-based security (VBS) enabled
Defend against firmware attack Windows Defender System guard enabled
Defend against vulnerable and malicious drivers Hypervisor-protected code integrity (HVCI) enabled
Defend against unverified code execution Arbitrary code generation and control flow hijacking protection [CFG, xFG, CET, ACG, CIG, KDP] enabled
Defend against limited physical access, data attacks Kernel DMA protection enabled
Protect identities and secrets from external threats Credential Guard enabled

While some of these features have previously existed, customers had the burden of (1) choosing the right hardware profile that supported all of these features and (2) enabling these features on their devices. With Secured-core PCs, these hardware-backed security features are assured to work on the hardware and are enabled by default.

Advanced security features: Secure device risk, anti-tampering, driver control, firmware control, supply-chain interdiction, and more

The hardware-backed security features that are enabled by default, along with a combination of Secured-core services, seamlessly integrate with Microsoft Defender ATP, lighting up additional security scenarios and providing unified protection against the entire attack chain.

In this blog, we will showcase how Secured-core PC features deliver strong driver controls that protects against threats that use vulnerable drivers to elevate privilege, using the RobbinHood ransomware as example.

Case study: Secured-core PCs vs. RobbinHood ransomware

RobbinHood ransomware is distributed as a packed executable that contains multiple binaries. One of these files is a Gigabyte driver (GDRV.sys), which has a vulnerability that  could allow elevation of privilege, enabling an adversary to gain kernel privileges. In RobbinHood campaigns, adversaries use these kernel privileges to disable kernel-mode signing to facilitate the loading of an unsigned driver. The unsigned malicious driver is then used to disable security products from the kernel.

RobbinHood is not an isolated threat leveraging a vulnerable driver to achieve elevation of privilege. In the last two years, the Microsoft Defender ATP Research Team has seen a rise in the use of vulnerable drivers by adversaries, ranging from commodity malware to nation-state level attacks. In addition to vulnerable drivers, there are also drivers that are vulnerable by design (also referred to as “wormhole drivers”), which can break the security promise of the platform by opening up direct access to kernel-level arbitrary memory read/write, MSRs.

In our research, we identified over 50 vendors that have published many such wormhole drivers. We actively work with these vendors and determine an action plan to remediate these drivers. In order to further help customers identify these drivers and take necessary measures, we built an automated way in which we can block vulnerable drivers, and that is updated through Windows update. Customers can also manage their own blocklist as outlined in the sections below.

Preventive defenses

Two of the security promises of Secured-core PCs are directly applicable to preventing RobbinHood attacks:

  • Defending against vulnerable and malicious drivers
  • Defending against unverified code execution

Defending against vulnerable and malicious drivers

Secured-core PCs are the latest hardware to provide driver control out of the box, with baseline configuration already set. Driver control is provided by a combination of HVCI & Windows Defender Application Control (WDAC) technologies.

Every driver loaded into the kernel is verified by HVCI before it’s allowed to run. HVCI runs in a hardware-protected execution environment isolated from the kernel space and cannot be tampered with by other code running in the kernel, including drivers.

Driver control uses HVCI & WDAC technologies to perform the following operations:

  1. Validity and memory integrity enforcement at load-time and runtime

HVCI uses hardware-based virtualization and the hypervisor (the same hypervisor also used in Azure) to protect Windows kernel mode processes from injection and execution of malicious or unverified code. The integrity of code that runs in the Windows kernel is validated by HVCI according to the kernel signing policy applied to the device. Additionally, kernel memory pages are never simultaneously writable and executable. This makes Secured-core PCs highly resistant to malicious software attempting to gain code execution in the kernel.

In the case of GDRV.sys, which is the driver used by the RobbinHood malware, if the vulnerable driver is successfully loaded and then exploited, the runtime memory integrity check would protect the critical components. Thus, an attack to change ci!g_CiOptions and nt!g_CiEnabled, would be ineffective, as the kernel ignores changes to the variables coming from the general kernel space. And, as code integrity is enabled by default, the malicious driver RBNL.sys wouldn’t load.

The image below shows an event log from a Secured-core PC showing runtime memory integrity check preventing the CI options from being tampered with by RobbinHood and, subsequently, preventing the malicious driver RBNL.sys from being loaded.

Because runtime memory integrity check is enabled by default on Secured-core PCs, RobbinHood wouldn’t be able to disable code integrity on these machines.

  1. Blocklist check

While the most ideal scenario is for enterprises to set customer-specific allows lists, it can be a complex undertaking. To help customers, HVCI uses a blocklist of drivers that are blocked from loading. This blocklist is supplied in two ways:

    • Microsoft-supplied blocklist

Microsoft threat research teams continuously monitor the threat ecosystem and update the list of drivers that in the Microsoft-supplied blocklist. This blocklist is pushed down to devices via Windows update.

We’ve heard from customers that they’d like to provide a list of drivers that should be on the generic Microsoft-supplied blocklist. We’re working on a new feature that allow customers to submit drivers that they’d like us to review and add to the Microsoft-supplied blocklist.

    • Customer-specific blocklist

We recognize that there are situations where customers want a blocklist specific to their organization. By default, any validly signed driver is accepted, but customers can choose to reduce the list of accepted drivers by choosing only WHQL signed drivers. These are drivers that are submitted to Microsoft for signing and are run through a number of tests before being signed.

Devices can apply a custom code integrity policy that customers can use to define their own specific blocklist. This article has more information on how to create such a customer specific blocklist. Below is an example of a customer-specific blocklist that blocks the vulnerable driver GDRV.sys.

Defending against unverified code execution and kernel data corruption attacks

There are several unverified code execution mitigations built-in to Windows. These are readily available on Secured-core PCs.

The RobbinHood attack utilized the vulnerable GDRV.sys driver to change a crucial variable within the system memory. Although HVCI already protects against the attack on g_CiOptions, other areas of memory may still be susceptible, and we need broader defense against kernel data corruption attacks.

In addition to existing mitigations, Windows is introducing a new feature called Kernel Data Protection (KDP), which provides driver developers and software running in the Windows kernel (and the OS code itself) with the ability to mark some kernel memory containing sensitive information as read-only protected. The memory is protected through the second level address translation (SLAT) tables by the hypervisor, such that no software running in VTL0 have access to the protected memory. KDP does not protect executable pages, as those are already protected with HVCI.

Many kernel components have data that is set only once during boot and remains unchanged for the rest of the boot cycle. The first release of KDP protects the static data sections of a driver. In the future, we’re also planning to provide APIs to dynamically allocate and release protected initialized pool memory.

Secured-core PCs have KDP enabled by default.

Detection defenses

As observed in RobbinHood attacks, once the threat gains kernel-level privilege, the threat turns off system defenses, including the endpoint protection agent. Secured-core PCs provide a monitoring agent that utilizes virtualization-based security and runs in this protected environment.

The monitoring agent performs several functions. The ones relevant for this case study are:

  • Secure anti-tampering for security agents
  • Secure monitoring of Windows

Secure anti-tampering for security agents

This monitoring agent watches for attempts to tamper with the security agents. For Microsoft Defender ATP customers, these are integrated into alerts that are surfaced in Microsoft Defender Security Center.

Secure monitoring of Windows

The agent also monitors several areas of Windows, including checking for kernel exploit behavior that are often used to elevate privileges. In this particular case, the monitoring agent detected a token tampering assertion.

Secured-core PCs have both VBS and this secure monitoring agent turned on by default.

Conclusion

As this case study demonstrates, more and more threats are becoming so advanced that they can bypass software-only based defenses. Secured-core PCs are protected from RobbinHood and similar threats by default.

Customers can also get similar protection on traditional devices as long as they have the necessary hardware and are configured correctly. Specifically, the following features need to be enabled: Secure boot, HVCI (enables VBS), KDP (automatically turned on when VBS is on), KDMA (Thunderbolt only) and Windows Defender System Guard.

With Secured-core PCs, however, customers get a seamless chip to cloud security pattern that starts from a strong hardware root of trust and works with cloud services and Microsoft Defender ATP to aggregate and normalize the alerts from hardware elements to provide end-to-end endpoint security.

Overall improved endpoint protection accrues to the broader Microsoft Threat Protection, which combines and orchestrates into a single solutions the capabilities of Microsoft Defender ATP, Office 365 ATP, Azure ATP, and Microsoft Cloud App Security to provide comprehensive, cross-domain protection for endpoints, email and data, identities, and apps.

 

The post Secured-core PCs: A brief showcase of chip-to-cloud security against kernel attacks appeared first on Microsoft Security.

MISA expands with new members and new product additions

February 24th, 2020 No comments

Another RSA Conference (RSAC) and another big year for the Microsoft Intelligent Security Association (MISA). MISA was launched at RSAC 2018 with 26 members and a year later we had doubled in size to 53 members. Today, I am excited to share that the association has again doubled in size to 102 members.

New members expand the portfolio of MISA integrations

Our new members include a number of ecosystem partners, like RSA, ServiceNow, and Net Motion, which have developed critical integrations that benefit our shared customers and we look forward to deepening our relationship through MISA engagement.

New MISA member RSA is now using Azure Active Directory’s risky user data and other Microsoft security signals to enrich their risk score engine. Additionally, RSA also leverages the Graph Security API to feed their SIEM solution, RSA NetWitness with alerts from the entire suite of Microsoft Security solutions.

 “RSA is excited to showcase the RSA SecurID and RSA NetWitness integrations with Microsoft Security products. Our integrations with Microsoft Defender ATP, Microsoft Graph Security API, Azure AD, and Microsoft Azure Sentinel, help us to better secure access to our mutual customer’s applications, and detect threats and attacks. We’re excited to formalize the long-standing relationship through RSA Ready and MISA to better defend our customers against a world of increasing threats.”
—Anna Sarnek, Head of Strategic Business Development, Cloud and Identity for RSA

The ServiceNow Security Operations integration with Microsoft Graph Security API enables shared customers to automate incident management and response, leveraging the capabilities of the Now Platform’s single data model to dramatically improve their ability to prioritize and respond to threats generated by all Microsoft Security Solutions and custom alerts from Azure Sentinel.

“ServiceNow is pleased to join the Microsoft Intelligent Security Alliance to accelerate security incident response for our shared customers. The ServiceNow Security Operations integration with Azure Sentinel, via the graph security API, enables shared customers to automate incident management and response, leveraging the capabilities of the Now Platform’s single data model to dramatically improve their ability to prioritize and respond to threats.”
—Lou Fiorello, Head of Security Products for ServiceNow

Microsoft is pleased to welcome NetMotion, a connectivity and security solutions company for the world’s growing mobile workforce, into the security partner program. Using NetMotion’s class-leading VPN, customers not only gain uncompromised connectivity and feature parity, they benefit from a VPN that is compatible with Windows, MacOS, Android and iOS devices. For IT teams, NetMotion delivers visibility and control over the entire connection from endpoint to endpoint, over any network, through integration with Microsoft Endpoint Manager (Microsoft Intune).

“NetMotion is designed from the ground up to protect and enhance the user experience of any mobile device. By delivering plug-and-play integration with Microsoft Endpoint Manager, the mobile workforce can maximize productivity and impact without any disruption to their workflow from day one. For organizations already using or considering Microsoft, the addition of NetMotion’s VPN is an absolute no-brainer.”
—Christopher Kenessey, CEO of NetMotion Software

Expanded partner strategy for Microsoft Defender Advanced Threat Protection (ATP)

The Microsoft Defender ATP team worked with our ecosystem partners to take their rich and complete set of APIs a step further to extend the power of our combined platforms. This helps customers strengthen their network and endpoint security posture, add continuous security validation and attack simulation testing, orchestrate and automate incident correlation and remediation, and add threat intelligence and web content filtering capabilities. Read Extending Microsoft Defender ATP network of partners to learn more about their partner strategy expansion and their open framework philosophy.

New product teams join the association

In addition to growing our membership, MISA expanded to cover 12 of Microsoft’s security solutions, including our latest additions: Azure Security Center for IoT Security and Azure DDoS.

Azure Security Center for IoT Security announces five flagship integration partners

The simple onboarding flow for Azure Security Center for IoT enables you to protect your managed and unmanaged IoT devices, view all security alerts, reduce your attack surface with security posture recommendations, and run unified reports in a single pane of glass.

Through partnering with members like Attivo Networks, CyberMDX, CyberX, Firedome, and SecuriThings, Microsoft is able to leverage their vast knowledge pool to help customers defend against a world of increasing IoT threats in enterprise. These solutions protect managed and unmanaged IoT devices in manufacturing, energy, building management systems, healthcare, transportation, smart cities, smart homes, and more. Read more about IoT security and how these five integration partners are changing IoT security in this blog.

Azure DDoS Protection available to partners to combat DDoS attacks

The first DDoS attack occurred way back on July 22, 1999, when a network of 114 computers infected with a malicious script called Trin00 attacked a computer at the University of Minnesota, according to MIT Technology Review. Even after 20 years DDoS continues to be an ever-growing problem, with the number of DDoS attacks doubling in the last year alone and the types of attacks getting increasingly sophisticated with the explosion of IoT devices.

Azure DDoS Protection provides countermeasures against the most sophisticated DDoS threats. The service provides enhanced DDoS mitigation capabilities for your application and resources deployed in your virtual networks. Technology partners can now protect their customers’ resources natively with Azure DDoS Protection Standard to address the availability and reliability concerns due to DDoS attacks.

“Extending Azure DDoS Protection capabilities to Microsoft Intelligent Security Association will help our shared customers to succeed by leveraging the global scale of Azure Networking to protect their workloads against DDoS attacks”
—Anupam Vij, Principal Product Manager, Azure Networking

Learn more

To see MISA members in action, visit the Microsoft booth at RSA where we have a number of our security partners presenting and demoing throughout the week. To learn more about the Microsoft Intelligent Security Association, visit our webpage or the video playlist of member integrations. For more information on Microsoft security solutions, visit our website.

The post MISA expands with new members and new product additions appeared first on Microsoft Security.

Azure Sentinel uncovers the real threats hidden in billions of low fidelity signals

February 20th, 2020 No comments

Cybercrime is as much a people problem as it is a technology problem. To respond effectively, the defender community must harness machine learning to compliment the strengths of people. This is the philosophy that undergirds Azure Sentinel. Azure Sentinel is a cloud-native SIEM that exploits machine learning techniques to empower security analysts, data scientists, and engineers to focus on the threats that matter. You may have heard of similar solutions from other vendors, but the Fusion technology that powers Azure Sentinel sets this SIEM apart for three reasons:

  1. Fusion finds threats that fly under the radar, by combining low fidelity, “yellow” anomalous activities into high fidelity “red” incidents.
  2. Fusion does this by using machine learning to combine disparate data—network, identity, SaaS, endpoint—from both Microsoft and Partner data sources.
  3. Fusion incorporates graph-based machine learning and a probabilistic kill chain to reduce alert fatigue by 90 percent.

Azure Sentinel

Intelligent security analytics for your entire enterprise.

Learn more

You can get a sense of how powerful Fusion is by looking at data from December 2019. During that month, billions of events flowed into Azure Sentinel from thousands of Azure Sentinel customers. Nearly 50 billion anomalous alerts were identified and graphed. After Fusion applied the probabilistic kill chain, the graph was reduced to 110 sub graphs. A second level of machine learning reduced it further to just 25 actionable incidents. This is how Azure Sentinel reduces alert fatigue by 90 percent.

Infographic showing alerts to high-fidelity incidents.

New Fusion scenarios—Microsoft Defender ATP + Palo Alto firewalls

There are currently 35 multi-stage attack scenarios generally available through Fusion machine learning technology in Azure Sentinel. Today, Microsoft has introduced several additional scenarios—in public preview—using Microsoft Defender Advanced Threat Protection (ATP) and Palo Alto logs. This way, you can leverage the power of Sentinel and Microsoft Threat Protection as complementary technologies for the best customer protection.

  • Detect otherwise missed attacks—By stitching together disparate datasets using Bayesian methods, Fusion helps to detect attacks that could have been missed.
  • Reduce mean time to remediate—Microsoft Threat Protection provides a best in class investigation experience when addressing alerts from Microsoft products. For non-Microsoft datasets, you can leverage hunting and investigation tools in Azure Sentinel.

Here are a few examples:

An endpoint connects to TOR network followed by suspicious activity on the Internal network—Microsoft Defender ATP detects that a user inside the network made a request to a TOR anonymization service. On its own this incident would be a low-level fidelity. It’s suspicious but doesn’t rise to the level of a high-level threat. Palo Alto firewalls registers anomalous activity from the same IP address, but it isn’t risky enough to block. Separately neither of these alerts get elevated, but together they indicate a multi-stage attack. Fusion makes the connection and promotes it to a high-fidelity incident.

Infographic of the Palo Alto firewall detecting threats.

A PowerShell program on an endpoint connects to a suspicious IP address, followed by suspicious activity on the Internal network—Microsoft Defender ATP generates an alert when a PowerShell program makes a suspicious network connection. If Palo Alto allows traffic from that IP address back into the network, Fusion ties the two incidents together to create a high-fidelity incident

An endpoint connects to a suspicious IP followed by anomalous activity on the Internal network—If Microsoft Defender ATP detects an outbound connection to an IP with a history of unauthorized access and Palo Alto firewalls allows an inbound request from that same IP address, it’s elevated by Fusion.

How Fusion works

  1. Construct graph

The process starts by collecting data from several data sources, such as Microsoft products, Microsoft security partner products, and other cloud providers. Each of those security products output anomalous activity, which together can number in the billions or trillions. Fusion gathers all the low and medium level alerts detected in a 30-day window and creates a graph. The graph is hyperconnected and consists of billions of vertices and edges. Each entity is represented by a vertex (or node). For example, a vertex could be a user, an IP address, a virtual machine (VM), or any other entity within the network. The edges (or links) represent all the activities. If a user accesses company resources with a mobile device, both the device and the user are represented as vertices connected by an edge.

Image of an AAD Detect graph.

Once the graph is built there are still billions of alerts—far too many for any security operations team to make sense of. However, within those connected alerts there may be a pattern that indicates something more serious. The human brain is just not equipped to quickly remove it. This is where machine learning can make a real difference.

  1. Apply probabilistic kill chain

Fusion applies a probabilistic kill chain which acts as a regularizer to the graph. The statistical analysis is based on how real people—Microsoft security experts, vendors, and customers—triage alerts. For example, defenders prioritize kill chains that are time bound. If a kill chain is executed within a day, it will take precedence over one that is enacted over a few days. An even higher priority kill chain is one in which all steps have been completed. This intelligence is encoded into the Fusion machine learning statistical model. Once the probabilistic kill chain is applied, Fusion outputs a smaller number of sub graphs, reducing the number of threats from billions to hundreds.

  1. Score the attack

To reduce the noise further, Fusion uses machine learning to apply a final round of scoring. If labeled data exists, Fusion uses random forests. Labeled data for attacks is generated from the extensive Azure red team that execute these scenarios. If labeled data doesn’t exist Fusion uses spectral clustering.

Some of the criteria used to elevate threats include the number of high impact activity in the graph and whether the subgraph connects to another subgraph.

The output of this machine learning process is tens of threats. These are extremely high priority alerts that require immediate action. Without Fusion, these alerts would likely remain hidden from view, since they can only be seen after two or more low level threats are stitched together to shine a light on stealth activities. AI-generated alerts can now be handed off to people who will determine how to respond.

The great promise of AI in cybersecurity is its ability to enable your cybersecurity people to stay one step ahead of the humans on the other side. AI-backed Fusion is just one example of the innovative potential of partnering technology and people to take on the threats of today and tomorrow.

Learn more

Read more about Azure Sentinel and dig into all the Azure Sentinel detection scenarios.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Azure Sentinel uncovers the real threats hidden in billions of low fidelity signals appeared first on Microsoft Security.

Building on secure productivity

February 12th, 2020 No comments

Among the most common and powerful attack vectors we have seen are those that exploit the daily tradeoff users make between security and productivity. Often, this can be as simple as a document hiding an exploit or a malicious link.

As an industry, we’re used to thinking of security and productivity in tension with each other. Security teams focus on blocking capabilities and reducing access to limit risk; users create workarounds or ignore policies to get their jobs done. Organizations may respond to increasing security threats by layering multiple security point solutions on top of each other, often increasing the complexity security teams manage while encouraging users to look for even more workarounds.

We don’t think this has to be the case.

Today, we‘re announcing two new Microsoft 365 capabilities that will help organizations stay both secure and productive at the same time. The power of these capabilities comes from the seamless integration between Windows 10, Office 365 ProPlus, and Microsoft Defender Advanced Threat Protection (ATP). We previously gave a “sneak peak” at Ignite and are excited to share publicly now.

Safe Documents is now available in public preview, rolling out over the next few days

With Safe Documents, we’re bringing the power of the Intelligent Security Graph down to the desktop to verify that documents are safe at the endpoint itself.

Although Protected View helps secure documents originating outside the organization, too often users would exit this sandbox without great consideration and leave their networks vulnerable. Bringing a minimal trust approach to the Office 365 ProPlus clients, Safe Documents automatically checks the document against known risks and threat profiles before allowing to open. Users are not asked to decide on their own whether a document can be trusted; they can simply focus on the work to be done. This seamless connection between the desktop and the cloud both simplifies the user workflow and helps to keep the network more secure.

Application Guard integration with Office 365 ProPlus is significantly expanding its private preview

With Application Guard, we created a micro-VM based on the same technology that powers the Azure cloud and brought it down to the desktop. We first introduced Application Guard in Edge, bringing hardware-level containerization to the browser.

Now integrated with Office 365 ProPlus, Application Guard provides an upgrade to Protected View that helps desktop users to stay safer and more productive with container-based isolation for Office applications. Application Guard’s enforcement—with a new instance of Windows 10 and separate copy of the kernel—completely blocks access to memory, local storage, installed applications, corporate network endpoints, or any other resources of interest to the attacker.

That means Office users will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container. Users can stay productive—make edits, print, and save changes—all while protected with hardware-level security. If the untrusted file is malicious, the attack is contained while user data and identity remains untouched. When a user wants to trust a document to save on the network or start collaborating in real-time, Safe Documents will first check to help ensure the document is safe.

Moreover, both Safe Documents and Application Guard connect to the Microsoft Security Center, providing admins with advanced visibility and response capabilities including alerts, logs, confirmation the attack was contained, and the ability to see and act on similar threats across the enterprise.

Truly Microsoft 365 capabilities

With these new capabilities, we brought together some of the best of Windows 10, Office 365 ProPlus, and Microsoft Defender ATP to help organizations stay both secure and productive. This integration also means that organizations can deploy these features with the change of a setting and manage with existing tools. And with every malicious attack contained, the entire Intelligent Security Graph becomes stronger, benefiting everyone.

Both Safe Documents and Application Guard will be available to customers with Microsoft 365 E5 and E5 Security. We encourage customers to start testing Safe Documents in their environment as it comes available (initially available for tenants in the U.S., U.K., and European Union), and to learn more about Safe Documents and Application Guard.

The post Building on secure productivity appeared first on Microsoft Security.

Threat hunting in Azure Advanced Threat Protection (ATP)

January 7th, 2020 No comments

As members of Microsoft’s Detection and Response Team (DART), we’ve seen a significant increase in adversaries “living off the land” and using compromised account credentials for malicious purposes. From an investigation standpoint, tracking adversaries using this method is quite difficult as you need to sift through the data to determine whether the activities are being performed by the legitimate user or a bad actor. Credentials can be harvested in numerous ways, including phishing campaigns, Mimikatz, and key loggers.

Recently, DART was called into an engagement where the adversary had a foothold within the on-premises network, which had been gained through compromising cloud credentials. Once the adversary had the credentials, they began their reconnaissance on the network by searching for documents about VPN remote access and other access methods stored on a user’s SharePoint and OneDrive. After the adversary was able to access the network through the company’s VPN, they moved laterally throughout the environment using legitimate user credentials harvested during a phishing campaign.

Once our team was able to determine the initially compromised accounts, we were able to begin the process of tracking the adversary within the on-premises systems. Looking at the initial VPN logs, we identified the starting point for our investigation. Typically, in this kind of investigation, your team would need to dive deeper into individual machine event logs, looking for remote access activities and movements, as well as looking at any domain controller logs that could help highlight the credentials used by the attacker(s).

Luckily for us, this customer had deployed Azure Advanced Threat Protection (ATP) prior to the incident. By having Azure ATP operational prior to an incident, the software had already normalized authentication and identity transactions within the customer network. DART began querying the suspected compromised credentials within Azure ATP, which provided us with a broad swath of authentication-related activities on the network and helped us build an initial timeline of events and activities performed by the adversary, including:

  • Interactive logins (Kerberos and NTLM)
  • Credential validation
  • Resource access
  • SAMR queries
  • DNS queries
  • WMI Remote Code Execution (RCE)
  • Lateral Movement Paths

Azure Advanced Threat Protection

Detect and investigate advanced attacks on-premises and in the cloud.

Get started

This data enabled the team to perform more in-depth analysis on both user and machine level logs for the systems the adversary-controlled account touched. Azure ATP’s ability to identify and investigate suspicious user activities and advanced attack techniques throughout the cyber kill chain enabled our team to completely track the adversary’s movements in less than a day. Without Azure ATP, investigating this incident could have taken weeks—or even months—since the data sources don’t often exist to make this type of rapid response and investigation possible.

Once we were able to track the user throughout the environment, we were able to correlate that data with Microsoft Defender ATP to gain an understanding of the tools used by the adversary throughout their journey. Using the right tools for the job allowed DART to jump start the investigation; identify the compromised accounts, compromised systems, other systems at risk, and the tools being used by the adversaries; and provide the customer with the needed information to recover from the incident faster and get back to business.

Learn more and keep updated

Learn more about how DART helps customers respond to compromises and become cyber-resilient. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Threat hunting in Azure Advanced Threat Protection (ATP) appeared first on Microsoft Security.

CISO series: Lessons learned from the Microsoft SOC—Part 3b: A day in the life

December 23rd, 2019 No comments

The Lessons learned from the Microsoft SOC blog series is designed to share our approach and experience with security operations center (SOC) operations. We share strategies and learnings from our SOC, which protects Microsoft, and our Detection and Response Team (DART), who helps our customers address security incidents. For a visual depiction of our SOC philosophy, download our Minutes Matter poster.

For the next two installments in the series, we’ll take you on a virtual shadow session of a SOC analyst, so you can see how we use security technology. You’ll get to virtually experience a day in the life of these professionals and see how Microsoft security tools support the processes and metrics we discussed earlier. We’ll primarily focus on the experience of the Investigation team (Tier 2) as the Triage team (Tier 1) is a streamlined subset of this process. Threat hunting will be covered separately.

Image of security workers in an office.

General impressions

Newcomers to the facility often remark on how calm and quiet our SOC physical space is. It looks and sounds like a “normal” office with people going about their job in a calm professional manner. This is in sharp contrast to the dramatic moments in TV shows that use operations centers to build tension/drama in a noisy space.

Nature doesn’t have edges

We have learned that the real world is often “messy” and unpredictable, and the SOC tends to reflect that reality. What comes into the SOC doesn’t always fit into the nice neat boxes, but a lot of it follows predictable patterns that have been forged into standard processes, automation, and (in many cases) features of Microsoft tooling.

Routine front door incidents

The most common attack patterns we see are phishing and stolen credentials attacks (or minor variations on them):

  • Phishing email → Host infection → Identity pivot:

Infographic indicating: Phishing email, Host infection, and Identity pivot

  • Stolen credentials → Identity pivot → Host infection:

Infographic indicating: Stolen credentials, Identity pivot, and Host infection

While these aren’t the only ways attackers gain access to organizations, they’re the most prevalent methods mastered by most attackers. Just as martial artists start by mastering basic common blocks, punches, and kicks, SOC analysts and teams must build a strong foundation by learning to respond rapidly to these common attack methods.

As we mentioned earlier in the series, it’s been over two years since network-based detection has been the primary method for detecting an attack. We attribute this primarily to investments that improved our ability to rapidly remediate attacks early with host/email/identity detections. There are also fundamental challenges with network-based detections (they are noisy and have limited native context for filtering true vs. false positives).

Analyst investigation process

Once an analyst settles into the analyst pod on the watch floor for their shift, they start checking the queue of our case management system for incidents (not entirely unlike phone support or help desk analysts would).

While anything might show up in the queue, the process for investigating common front door incidents includes:

  1. Alert appears in the queue—After a threat detection tool detects a likely attack, an incident is automatically created in our case management system. The Mean Time to Acknowledge (MTTA) measurement of SOC responsiveness begins with this timestamp. See Part 1: Organization for more information on key SOC metrics.

Basic threat hunting helps keep a queue clean and tidy

Require a 90 percent true positive rate for alert sources (e.g., detection tools and types) before allowing them to generate incidents in the analyst queue. This quality requirement reduces the volume of false positive alerts, which can lead to frustration and wasted time. To implement, you’ll need to measure and refine the quality of alert sources and create a basic threat hunting process. A basic threat hunting process leverages experienced analysts to comb through alert sources that don’t meet this quality bar to identify interesting alerts that are worth investigating. This review (without requiring full investigation of each one) helps ensure that real incident detections are not lost in the high volume of noisy alerts. It can be a simple part time process, but it does require skilled analysts that can apply their experience to the task.

  1. Own and orient—The analyst on shift begins by taking ownership of the case and reading through the information available in the case management tool. The timestamp for this is the end of the MTTA responsiveness measurement and begins the Mean Time to Remediate (MTTR) measurement.

Experience matters

A SOC is dependent on the knowledge, skills, and expertise of the analysts on the team. The attack operators and malware authors you defend against are often adaptable and skilled humans, so no prescriptive textbook or playbook on response will stay current for very long. We work hard to take good care of our people—giving them time to decompress and learn, recruiting them from diverse backgrounds that can bring fresh perspectives, and creating a career path and shadowing programs that encourage them to learn and grow.

  1. Check out the host—Typically, the first priority is to identify affected endpoints so analysts can rapidly get deep insight. Our SOC relies on the Endpoint Detection and Response (EDR) functionality in Microsoft Defender Advanced Threat Protection (ATP) for this.

Why endpoint is important

Our analysts have a strong preference to start with the endpoint because:

  • Endpoints are involved in most attacks—Malware on an endpoint represents the sole delivery vehicle of most commodity attacks, and most attack operators still rely on malware on at least one endpoint to achieve their objective. We’ve also found the EDR capabilities detect advanced attackers that are “living off the land” (using tools deployed by the enterprise to navigate). The EDR functionality in Microsoft Defender ATP provides visibility into normal behavior that helps detect unusual command lines and process creation events.
  • Endpoint offers powerful insights—Malware and its behavior (whether automated or manual actions) on the endpoint often provides rich detailed insight into the attacker’s identity, skills, capabilities, and intentions, so it’s a key element that our analysts always check for.

Identifying the endpoints affected by this incident is easy for alerts raised by the Microsoft Defender ATP EDR, but may take a few pivots on an email or identity sourced alert, which makes integration between these tools crucial.

  1. Scope out and fill in the timeline—The analyst then builds a full picture and timeline of the related chain of events that led to the alert (which may be an adversary’s attack operation or false alarm positive) by following leads from the first host alert. The analyst travels along the timeline:
  • Backward in time—Track backward to identify the entry point in the environment.
  • Forward in time—Follow leads to any devices/assets an attacker may have accessed (or attempted to access).

Our analysts typically build this picture using the MITRE ATT&CK™ model (though some also adhere to the classic Lockheed Martin Cyber Kill Chain®).

True or false? Art or science?

The process of investigation is partly a science and partly an art. The analyst is ultimately building a storyline of what happened to determine whether this chain of events is the result of a malicious actor (often attempting to mask their actions/nature), a normal business/technical process, an innocent mistake, or something else.

This investigation is a repetitive process. Analysts identify potential leads based on the information in the original report, follow those leads, and evaluate if the results contribute to the investigation.

Analysts often contact users to identify whether they performed an anomalous action intentionally, accidentally, or was not done by them at all.

Running down the leads with automation

Much like analyzing physical evidence in a criminal investigation, cybersecurity investigations involve iteratively digging through potential evidence, which can be tedious work. Another parallel between cybersecurity and traditional forensic investigations is that popular TV and movie depictions are often much more exciting and faster than the real world.

One significant advantage of investigating cyberattacks is that the relevant data is already electronic, making it easier to automate investigation. For many incidents, our SOC takes advantage of security orchestration, automation, and remediation (SOAR) technology to automate investigation (and remediation) of routine incidents. Our SOC relies heavily on the AutoIR functionality in Microsoft Threat Protection tools like Microsoft Defender ATP and Office 365 ATP to reduce analyst workload. In our current configuration, some remediations are fully automatic and some are semi-automatic (where analysts review the automated investigations and propose remediation before approving execution of it).

Document, document, document

As the analyst builds this understanding, they must capture a complete record with their conclusions and reasoning/evidence for future use (case reviews, analyst self-education, re-opening cases that are later linked to active attacks, etc.).

As our analyst develops information on an incident, they capture the common, most relevant details quickly into the case such as:

  • Alert info: Alert links and Alert timeline
  • Machine info: Name and ID
  • User info
  • Event info
  • Detection source
  • Download source
  • File creation info
  • Process creation
  • Installation/Persistence method(s)
  • Network communication
  • Dropped files

Fusion and integration avoid wasting analyst time

Each minute an analyst wastes on manual effort is another minute the attacker has to spread, infect, and do damage during an attack operation. Repetitive manual activity also creates analyst toil, increases frustration, and can drive interest in finding a new job or career.

We learned that several technologies are key to reducing toil (in addition to automation):

  • Fusion—Adversary attack operations frequently trip multiple alerts in multiple tools, and these must be correlated and linked to avoid duplication of effort. Our SOC has found significant value from technologies that automatically find and fuse these alerts together into a single incident. Azure Security Center and Microsoft Threat Protection include these natively.
  • Integration—Few things are more frustrating and time consuming than having to switch consoles and tools to follow a lead (a.k.a., swivel chair analytics). Switching consoles interrupts their thought process and often requires manual tasks to copy/paste information between tools to continue their work. Our analysts are extremely appreciative of the work our engineering teams have done to bring threat intelligence natively into Microsoft’s threat detection tools and link together the consoles for Microsoft Defender ATP, Office 365 ATP, and Azure ATP. They’re also looking forward to (and starting to test) the Microsoft Threat Protection Console and Azure Sentinel updates that will continue to reduce the swivel chair analytics.

Stay tuned for the next segment in the series, where we’ll conclude our investigation, remediate the incident, and take part in some continuous improvement activities.

Learn more

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about SOCs, read previous posts in the Lessons learned from the Microsoft SOC series, including:

Watch the CISO Spotlight Series: Passwordless: What’s It Worth.

Also, see our full CISO series and download our Minutes Matter poster for a visual depiction of our SOC philosophy.

The post CISO series: Lessons learned from the Microsoft SOC—Part 3b: A day in the life appeared first on Microsoft Security.

Mobile threat defense and intelligence are a core part of cyber defense

December 19th, 2019 No comments

The modern workplace is a mobile workplace. Today’s organizations rely on mobility to increase productivity and improve the customer experience. But the proliferation of smartphones and other mobile devices has also expanded the attack surface of roughly 5 billion mobile devices in the world, many used to handle sensitive corporate data. To safeguard company assets, organizations need to augment their global cyber defense strategy with mobile threat intelligence.

When handled and analyzed properly, actionable data holds the key to enabling solid, 360-degree cybersecurity strategies and responses. However, many corporations lack effective tools to collect, analyze, and act on the massive volume of security events that arise daily across their mobile fleet. An international bank recently faced this challenge. By deploying Pradeo Security alongside Microsoft Endpoint Manager and Microsoft Defender Advanced Threat Protection (ATP), the bank was able to harness its mobile data and better protect the company.

Pradeo Security strengthens Microsoft Endpoint Manager Conditional Access policies

In 2017, the Chief Information Security Office (CISO) of an international bank recognized that the company needed to address the risk of data exposure on mobile. Cybercriminals exploit smart phones at the application, network, and OS levels, and infiltrate them through mobile applications 78 percent of the time.1 The General Data Protection Regulation (GDPR) was also scheduled to go into effect the following year. The company needed to better secure its mobile data to safeguard the company and comply with the new privacy regulations.

The company deployed Microsoft Endpoint Manager to gain visibility into the mobile devices accessing corporate resources. Microsoft Endpoint Manager is the recently announced convergence of Microsoft Intune and Configuration Manager functionality and data, plus new intelligent actions, offering seamless, unified endpoint management. Then, to ensure the protection of these corporate resources, the company deployed Pradeo Security Mobile Threat Defense, which is integrated with Microsoft.

Pradeo Security and Microsoft Endpoint Manager work together to apply conditional access policies to each mobile session. Conditional access policies allow the security team to automate access based on the circumstances. For example, if a user tries to gain access using a device that is not managed by Microsoft Endpoint Manager, the user may be forced to enroll the device. Pradeo Security enhances Microsoft Endpoint Manager’s capabilities by providing a clear security status of any mobile devices accessing corporate data, which Microsoft can evaluate for risk. If a smartphone is identified as non-compliant based on the data that Pradeo provides, conditional access policies can be applied.

For example, if the risk is high, the bank could set policies that block access. The highly granular and customizable security policies offered by Pradeo Security gave the CISO more confidence that the mobile fleet was better protected against threats specifically targeting his industry.

Get more details about Pradeo Security for Microsoft Endpoint Manager in this datasheet.

Detect and respond to advanced cyberthreats with Pradeo Security and Microsoft Defender ATP

The bank also connected Pradeo Security to Microsoft Defender ATP in order to automatically feed it with always current mobile security inputs. Microsoft Defender ATP helps enterprises prevent, detect, investigate, and respond to advanced cyberthreats. Pradeo Security enriches Microsoft Defender ATP with mobile security intelligence. Immediately, the bank was able to see information on the latest threats targeting their mobile fleet. Only a few weeks later, there was enough data in the Microsoft platform to draw trends and get a clear understanding of the company’s mobile threat environment.

Pradeo relies on a network of millions of devices (iOS and Android) across the globe to collect security events related to the most current mobile threats. Pradeo leverages machine learning mechanisms to distill and classify billions of raw and anonymous security facts into actionable mobile threat intelligence.

Today, this bank’s mobile ecosystem entirely relies on Pradeo and Microsoft, as its security team finds it to be the most cost-effective combination when it comes to mobile device management, protection, and intelligence.

About Pradeo

Pradeo is a global leader of mobile security and a member of the Microsoft Intelligent Security Association (MISA). It offers services to protect the data handled on mobile devices and applications, and tools to collect, process, and get value out of mobile security events.

Pradeo’s cutting-edge technology has been recognized as one of the most advanced mobile security technologies by Gartner, IDC, and Frost & Sullivan. It provides a reliable detection of mobile threats to prevent breaches and reinforce compliance with data privacy regulations.

For more details, contact Pradeo.

Note: Users must be entitled separately to Pradeo and Microsoft licenses as appropriate.

Learn more

To learn more about MISA, visit the MISA webpage. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Microsoft Endpoint Manager

Transformative management and security that meets you where you are and helps you move to the cloud.

Get started

12019 Mobile Security Report, Pradeo Lab

The post Mobile threat defense and intelligence are a core part of cyber defense appeared first on Microsoft Security.

GALLIUM: Targeting global telecom

December 12th, 2019 No comments

Microsoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call GALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this activity, we notified them directly with the relevant information they need to protect themselves. By sharing the detailed methodology and indicators related to GALLIUM activity, we’re encouraging the security community to implement active defenses to secure the broader ecosystem from these attacks.

To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.

This activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.

Following Microsoft’s internal practices of assigning chemical elements to activity groups, GALLIUM is the code name for this activity group.

GALLIUM’s profile

Reconnaissance methods

As is often the case with the reconnaissance methods, it’s difficult to be definitive about those employed by GALLIUM. This is due to the passive nature of reconnaissance activities by the actor including the use of freely available data from open sources, such as public websites and social media outlets. However, based on MSTIC analyst assessments, GALLIUM’s exploitation of internet-facing services indicates it’s likely they use open source research and network scanning tools to identify likely targets.

Delivery and exploitation

To gain initial access a target network, GALLIUM locates and exploits internet-facing services such as web servers. GALLIUM has been observed exploiting unpatched web services, such as WildFly/JBoss, for which exploits are widely available. Compromising a web server gives GALLIUM a foothold in the victim network that doesn’t require user interaction, such as traditional delivery methods like phishing.

Following exploitation of the web servers, GALLIUM actors typically install web shells, and then install additional tooling to allow them to explore the target network.

Lateral movement

GALLIUM uses a variety of tools to perform reconnaissance and move laterally within a target network. The majority of these are off-the-shelf tools or modified versions of known security tools. MSTIC investigations indicate that GALLIUM modifies its tooling to the extent it evades antimalware detections rather than develop custom functionality. This behavior has been observed with GALLIUM actors across several operational areas.

GALLIUM has been observed using several tools. Samples of the most prevalent are noted in Table 1.

Tool Purpose
HTRAN Connection bouncer to proxy connections.
Mimikatz Credential dumper.
NBTScan Scanner for open NETBIOS nameservers on a local or remote TCP/IP network.
Netcat Reads from and writes to network connections using TCP or UDP protocols.
PsExec Executes a command line process on a remote machine.
Windows Credential Editor (WCE) Credential dumper.
WinRAR Archiving utility.

Table 1: GALLIUM tooling.

GALLIUM has signed several tools using stolen code signing certificates. For example, they’ve used a credential dumping tool signed using a stolen certificate from Whizzimo, LLC, as shown in Figure 1. The code signing certificate shown in Figure 1 was no longer valid at the time of writing; however, it shows GALLIUM had access to such certificates.

Image showing "Signers" using in the credential dumping tool signed using a stolen Whizzimo, LLC certificate.

Figure 1. Credential dumping tool signed using a stolen Whizzimo, LLC certificate.

GALLIUM primarily relies on compromised domain credentials to move through the target network, and as outlined above, uses several credential harvesting tools. Once they have acquired credentials, the activity group uses PsExec extensively to move laterally between hosts in the target network.

Installation

GALLIUM predominantly uses widely available tools. In certain instances, GALLIUM has modified these tools to add additional functionality. However, it’s likely these modifications have been made to subvert antimalware solutions since much of the malware and tooling employed by GALLIUM is historic and is widely detected by security products. For example, QuarkBandit is a modified version of the widely used Gh0st RAT, an openly available remote access tool (RAT). Similarly, GALLIUM has made use of a modified version of the widely available Poison Ivy RAT. These RATs and the China Chopper web shell form the basis of GALLIUM’s toolkit for maintaining access to a victim network.

Infrastructure

GALLIUM predominantly uses dynamic DNS subdomains to provide command and control (C2) infrastructure for their malware. Typically, the group uses the ddns.net and myftp.biz domains provided by noip.com. MSTIC analysis indicates the use of dynamic DNS providers as opposed to registered domains is in line with GALLIUM’s trend towards low cost and low effort operations.

GALLIUM domains have been observed hosted on infrastructure in mainland China, Hong Kong SAR, and Taiwan.

When connecting to web shells on a target network GALLIUM has been observed employing Taiwan-based servers. Observed IP addresses appear to be exclusive to GALLIUM, have little to no legitimate activity, and are reused in multiple operations. These servers provide high fidelity pivot points during an investigation.

A package of GALLIUM indicators containing GALLIUM command and control domains used during this operation have been prepared for Azure Sentinel and is available on the Microsoft GitHub.

Image showing an Azure Sentinel query of GALLIUM indicators.

Figure 2. Azure Sentinel query of GALLIUM indicators.

GALLIUM use of malware

First stage

GALLIUM does not typically use a traditional first stage installer for their malware. Instead, the group relies heavily on web shells as a first method of persistence in a victim network following successful exploitation. Subsequent malware is then delivered through existing web shell access.

Microsoft Defender Advanced Threat Protection (ATP) exposes anomalous behavior that indicate web shell installation and post compromise activity by analysing script file writes and process executions. Microsoft Defender ATP offers a number of detections for web shell activity protecting customers not just from GALLIUM activity but broader web shell activity too. Read the full report in your Microsoft Defender ATP portal.

Image showing Microsoft Defender ATP web shell detection.

Figure 3. Microsoft Defender ATP web shell detection.

When alerted of these activities, the security operations team can then use the rich capabilities in Microsoft Defender ATP to investigate web shell activity and subsequent reconnaissance and enumeration activity to resolve web shell attacks.

Image showing a Microsoft Defender ATP web shell process tree.

Figure 4. Microsoft Defender ATP web shell process tree.

In addition to standard China Chopper, GALLIUM has been observed using a native web shell for servers running Microsoft IIS that is based on the China Chopper web shell; Microsoft has called this “BlackMould.”

BlackMould contains functionality to perform the following tasks on a victim host:

  • Enumerate local drives.
  • Employ basic file operations like find, read, write, delete, and copy.
  • Set file attributes.
  • Exfiltrate and infiltrate files.
  • Run cmd.exe with parameters.

Commands are sent in the body of HTTP POST requests.

Second stage

In cases where GALLIUM has deployed additional malware on a victim network, they’ve used versions of the Gh0st RAT (modified Ghost RAT detected as QuarkBandit) and Poison Ivy malware. In both cases, GALLIUM has modified the communication method used by the malware, likely to prevent detection through existing antimalware signatures since both malware families have several detections based on their original communication methods. Malware families are noted in Table 2.

Malware family Description and primary usage
BlackMould Native IIS web shell based on the China Chopper web shell.
China Chopper Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM.
Poison Ivy (modified) Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version that appears to be unique to GALLIUM.
QuarkBandit Gh0st RAT variant with modified configuration options and encryption.

Table 2. GALLIUM malware families.

GALLIUM’s malware and tools appear to be highly disposable and low cost. In cases where GALLIUM has invested in modifications to their toolset, they appear to focus on evading antimalware detection, likely to make the malware and tooling more effective.

The MSTIC team works closely with Microsoft security products to implement detections and protections for GALLIUM malware and tooling in a number of Microsoft products. Figure 4 shows one such detection for a GALLIUM PoisonIvy loader in Microsoft Defender ATP.

Image showing the GALLIUM PoisonIvy loader in Microsoft Defender ATP.

Figure 5. GALLIUM PoisonIvy loader in Microsoft Defender ATP.

Additionally, MSTIC has authored a number of antimalware signatures for Windows Defender Antivirus covering the aforementioned malware families, a list of GALLIUM exclusive signature can be found in the Related indicators” section.

In addition to these malware families, GALLIUM has been observed employing SoftEther VPN software to facilitate access and maintain persistence to a target network. By installing SoftEther on internal systems, GALLIUM is able to connect through that system as though they are on the internal network of the target. SoftEther provides GALLIUM with another means of persistence and flexibility with the added benefit that its traffic may appear to be benign on the target network.

Recommended defenses

The following are recommended defenses security operations teams can take to mitigate the impact of threats like GALLIUM in your corporate environment:

  • Maintain web server patching and log audits, run web services with minimum required operating system permissions
  • Install security updates on all applications and operating systems promptly. Check the Security Update Guide for detailed information about available Microsoft security updates.
  • For efficient incident response, maintain a forensics-ready network with centralized event logging, file detonation services, and up-to-date asset inventories.
  • Enable cloud-delivered protection and maintain updated antivirus.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence (AI) and machine learning to quickly identify and stop new and unknown threats.
  • Use behavior detection solutions to catch credential dumping or other activity that may indicate a breach.
  • Adopt Azure ATP—a cloud-based security solution that leverages your on-premises Active Directory signals—to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
  • Use Microsoft Defender ATP to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
  • Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
  • Institute Multi-Factor Authentication (MFA) to mitigate against compromised accounts.

Related indicators

The list below provides known GALLIUM tooling and Indicators of Compromise (IOCs) observed during this activity. Microsoft encourages customers to implement detections and protections to identify possible prior campaigns or prevent future campaigns against their systems.

Tooling

Tool Purpose
HTRAN Connection bouncer to proxy connections.
Mimikatz Credential dumper.
NBTScan Scanner for open NETBIOS nameservers on a local or remote TCP/IP network.
Netcat Reads from and writes to network connections using TCP or UDP protocols.
PsExec Executes a command line process on a remote machine.
Windows Credential Editor (WCE) Credential dumper.
WinRAR Archiving utility.

Malware

Malware Notes
BlackMould Native IIS version of the China Chopper web shell.
China Chopper Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM.
Poison Ivy (modified) Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version which appears to be unique to GALLIUM.
QuarkBandit Gh0st RAT variant with modified configuration options and encryption.

Indicators

Indicator Type
asyspy256[.]ddns[.]net Domain
hotkillmail9sddcc[.]ddns[.]net Domain
rosaf112[.]ddns[.]net Domain
cvdfhjh1231[.]myftp[.]biz Domain
sz2016rose[.]ddns[.]net Domain
dffwescwer4325[.]myftp[.]biz Domain
cvdfhjh1231[.]ddns[.]net Domain
9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd Sha256
7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b Sha256
657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5 Sha256
2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29 Sha256
52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77 Sha256
a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3 Sha256
5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022 Sha256
6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883 Sha256
3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e Sha256
1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7 Sha256
fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1 Sha256
7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c Sha256
178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945 Sha256
51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9 Sha256
889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79 Sha256
332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf Sha256
44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08 Sha256
63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef Sha256
056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070 Sha256
TrojanDropper:Win32/BlackMould.A!dha Signature Name
Trojan:Win32/BlackMould.B!dha Signature Name
Trojan:Win32/QuarkBandit.A!dha Signature Name
Trojan:Win32/Sidelod.A!dha Signature Name

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post GALLIUM: Targeting global telecom appeared first on Microsoft Security.

Improve cyber supply chain risk management with Microsoft Azure

December 9th, 2019 No comments

For years, Microsoft has tracked threat actors exploiting federal cyber supply chain vulnerabilities. Supply chain attacks target software developers, systems integrators, and technology companies. Tactics often include obtaining source code, build processes, or update mechanisms to compromise legitimate applications. This is a key concern for government cybersecurity in the cloud, as the expanding digital estate requires movement towards a Zero Trust security model.

There are several techniques to attack cyber supply chains in Information Communications and Technology (ICT) products and services. Supply chain attacks are most concerning because they target vulnerabilities in your infrastructure before you even deploy your assets and software.

Attackers can:

  • Compromise software building tools to ensure that their malware is imprinted into all software generated from the building tools.
  • Replace software update repositories with malicious replicas that distribute malware across entire software ecosystems.
  • Steal code-signing certificates to make malicious software appear as legitimate code.
  • Intercept hardware shipments to inject malicious code into hardware, firmware, and field-programmable gate arrays (FPGAs).
  • Pre-install malware onto IoT devices before they arrive to target organizations.

Managing Supply Chain Risk Management (SCRM) to defend against supply chain attacks

Defending against supply chain attacks requires a comprehensive approach to managing Supply Chain Risk Management (SCRM). Federal risk managers must deploy strong code integrity policies and technical screening controls to ensure their software complies with organizational directives such as applying NIST SP 800-53A security controls for Federal Information Security Management Act (FISMA) compliance. Code integrity requires full non-repudiation of software to validate information producer associations, identity, and chain of custody for systems and components (NIST SP 800-161, 2015). One critical opportunity for addressing code integrity in your supply chain is to implement and adhere to a secure software development lifecycle for applications that you develop in-house and that you acquire from third-party supply chain partners.

Microsoft continues to use the Security Development Lifecycle, a fundamental process of continuous learning and improvement in the security, integrity, and resiliency of our enterprise applications. We require supply chain providers to adhere to these practices as well.

Organizations should employ asset monitoring and tracking systems such as radio-frequency identification (RFID) and digital signatures to track hardware and software from producers to consumers to ensure system and component integrity. FIPS 200 specifies that federal organizations “must identify, report, and correct information and information system flaws in a timely manner while providing protection from malicious code at appropriate locations within organizational information systems” (FIPS 200, 2006).

How Microsoft fights against malware

Microsoft understands how to fight malware and have worked hard for many years to offer our customers leading endpoint protection to defend against increasingly sophisticated attacks across a variety of devices. These efforts have been recognized, for example, in this year’s 2019 Gartner Endpoint Protection Platforms Magic Quadrant. In addition, Microsoft Defender Advanced Threat Protection (ATP) integrates directly with Microsoft Azure Security Center to alert your security teams of threat actors exploiting your vulnerabilities.

Magic Quadrant for Endpoint Protection Platforms.*

Endpoint Protection Platforms can support software development and fight malware, but government organizations must follow recommendations for software vendors and developers by applying patches for operating systems and software, implementing mandatory integrity controls, and requiring Multi-Factor Authentication (MFA) for administrators.

Azure Security Center Recommendations help government organizations eliminate security vulnerabilities before an attack occurs by facilitating actions to secure resources, including OS vulnerability detection, mandatory controls, and enforcing authentication with MFA and secure access with just-in-time (JIT) virtual machine access.

When you remediate recommendations, your Secure Score and your workloads’ security postures improve. Azure Security Center automatically discovers new resources you deploy, assesses them against your security policy, and provides new recommendations for securing them.

Azure Security Center also facilitates cyber learning through gamification. Secure Score allows your SecOps and Security Governance Risk & Compliance (SGRC) teams to remediate vulnerabilities through a points-based system. This capability can enhance system configurations and reinforce supply chain risk management in a single pane of glass for your infrastructure security posture, and even includes a regulatory and compliance dashboard to facilitate federal compliance requirements and can be tailored to your organization.

Security of federal information systems requires compliance with stringent standards such as NIST SP 800-53, FISMA, CIS Benchmarks, and FedRAMP Moderate. Azure Blueprints facilitates compliance with these standards ensuring a secure-by-design approach to federal information security. Azure Blueprints enable cloud architects and information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements.

Azure Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as role assignments, policy assignments, and Azure Resource Manager templates. Azure Blueprints also provide recommendations and a framework to directly apply compliance requirements to your environment while monitoring configurations through Continuous Monitoring (CM).

Employing a comprehensive monitoring program

Protecting your supply chain also requires a comprehensive monitoring program with cyber incident response and security operations capabilities. Azure Sentinel is a cloud-native security information and event manager (SIEM) platform that uses built-in artificial intelligence (AI) to help analyze large volumes of data across an enterprise—fast. Azure Sentinel aggregates data from all sources, including users, applications, servers, and devices running on-premises or in any cloud, letting you reason over millions of records in a few seconds.

Azure Sentinel leverages the Microsoft Graph, which detects threats, reduces false positives, and puts your responders on target. Azure Sentinel Workbooks optimize productivity with dozens of built in dashboards to enhance security monitoring.

Azure Sentinel Analytics allow your cyber defenders to employ proactive alerting to detect threats impacting your supply chain security. Azure Sentinel Playbooks includes over 200 connectors to leverage full automation through Azure Logic Apps. This powerful capability allows federal agencies to compensate for the cyber talent gap with Security Automation & Orchestration Response (SOAR) capabilities while leveraging machine learning and AI capabilities. Azure Sentinel deep investigation allows your incident response teams to dig into incidents and identify the root cause of attacks.

Azure Sentinel’s powerful hunting search-and-query tools are based in the MITRE ATT&K Framework, allowing your responders to proactively hunt threats across the network before alerts are triggered. The Azure Sentinel community is growing on GitHub and allows your team to collaborate with the information security community for best practices, efficiencies, and security innovation.

Azure Sentinel

Intelligent security analytics for your entire enterprise.

Learn more

Cyber Supply Chain Risk Management (SCRM) is a growing concern within the federal sector. Microsoft is committed to bolstering government cybersecurity in the cloud. Microsoft Azure goes the distance to protect your network against supply chain attacks through Microsoft Defender ATP’s industry leading Endpoint Protection Platform, Azure Security Center’s comprehensive continuous monitoring platform, Azure Blueprints approach to rapidly deploying a compliant cloud, and Azure Sentinel’s cloud-native SIEM that harnesses the limitless power of the cloud through threat intelligence, machine learning, AI, and automation.

Learn more about government cybersecurity in the cloud with Microsoft

Here are some of the best resource to learn more about government cybersecurity in the cloud with Microsoft:

Also, join us for the Microsoft Ignite Government Tour in Washington, D.C., February 6, 2020.

Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity or visit our website for the latest news and updates on cybersecurity.

Are you a federal government agency that needs help with cybersecurity? Reach out to TJ Banasik or Mark McIntyre for additional details on the content above, or if you have any other questions about Microsoft’s cybersecurity investments for the federal government.

 

*This graphic was published by Gartner, Inc. as part of larger research documents and should be evaluated in the context of the entire document. The Gartner documents are available upon request from Microsoft. Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

The post Improve cyber supply chain risk management with Microsoft Azure appeared first on Microsoft Security.

Spear phishing campaigns—they’re sharper than you think

December 2nd, 2019 No comments

Even your most security-savvy users may have difficulty identifying honed spear phishing campaigns. Unlike traditional phishing campaigns that are blasted to a large email list in hopes that just one person will bite, advanced spear phishing campaigns are highly targeted and personal. They are so targeted, in fact, that we sometimes refer to them as “laser” phishing. And because these attacks are so focused, even tech-savvy executives and other senior managers have been duped into handing over money and sensitive files by a well-targeted email. That’s how good they are.

Even though spear phishing campaigns can be highly effective, they aren’t foolproof. If you understand how they work, you can put measures in place to reduce their power. Today, we provide an overview of how these campaigns work and steps you can take to better protect your organization and users.

Figure 1. Percentage of inbound emails associated with phishing on average increased in the past year, according to Microsoft security research (source: Microsoft Security Intelligence Report).

Step 1: Select the victims

To illustrate how clever some of these campaigns are, imagine a busy recruiter who is responsible for filling several IT positions. The IT director is under a deadline and desperate for good candidates. The recruiter posts the open roles on their social networks asking people to refer leads. A few days later they receive an email from a prospective candidate who describes the role in the email. The recruiter opens the attached resume and inadvertently infects their computer with malware. They have just been duped by a spear phisher.

How did it happen?

In a spear phishing campaign, the first thing an attacker needs to do is identify the victims. These are typically individuals who have access to the data the attacker wants. In this instance, the attackers want to infiltrate the human resources department because they want to exfiltrate employee social security numbers. To identify potential candidates they conduct extensive research, such as:

  • Review corporate websites to gain insight into processes, departments, and locations.
  • Use scripts to harvest email addresses.
  • Follow company social media accounts to understand company roles and the relationships between different people and departments.

In our example, the attackers learned by browsing the website that the convention for emails is first.last@company.com. They browsed the website, social media, and other digital sources for human resources professionals and potential hooks. It didn’t take long to notice several job openings. Once the recruiter shared details of jobs online, would-be attackers had everything they needed.

Why it might work: In this instance it would be logical for the victim to open the attachment. One of their job responsibilities is to collect resumes from people they don’t know.

Figure 2. Research and the attack are the first steps in a longer strategy to exfiltrate sensitive data.

Step 2: Identify the credible source

Now let’s consider a new executive who receives an email late at night from their boss, the CEO. The CEO is on a trip to China meeting with a vendor, and in the email, the CEO references the city they’re in and requests that the executive immediately wire $10,000 to pay the vendor. The executive wants to impress the new boss, so they jump on the request right away.

How did it happen?

In spear phishing schemes, the attacker needs to identify a credible source whose emails the victim will open and act on. This could be someone who appears to be internal to the company, a friend, or someone from a partner organization. Research into the victim’s relationships informs this selection. In the first example, we imagined a would-be job seeker that the victim doesn’t know. However, in many spear phishing campaigns, such as with our executive, the credible source is someone the victim knows.

To execute the spear phishing campaign against the executive, the attackers uncovered the following information:

  • Identified senior leaders at the company who have authority to sign off on large sums of money.
  • Selected the CEO as the credible source who is most likely to ask for the money.
  • Discovered details about the CEO’s upcoming trip based on social media posts.

Why it might work: Targeting executives by impersonating the CEO is increasingly common—some refer to it as whale phishing. Executives have more authority and access to information and resources than the average employee. People are inclined to respond quickly when the boss emails—especially if they say it’s urgent. This scenario takes advantage of those human power dynamics.

Figure 3. The more targeted the campaign, the bigger the potential payoff.

Step 3: Victim acts on the request

The final step in the process is for the victim to act on the request. In our first example, the human resources recruiter could have initiated a payload that would take over his computer or provide a tunnel for the attacker to access information. In our second scenario, the victim could have wired large sums of money to a fraudulent actor. If the victim does accidentally open the spear phishing email and respond to the call to action, open a malicious attachment, or visit an infected webpage, the following could happen:

  • The machine could be infected with malware.
  • Confidential information could be shared with an adversary.
  • A fraudulent payment could be made to an adversary.

Catch more phishy emails

Attackers have improved their phishing campaigns to better target your users, but there are steps you can take to reduce the odds that employees will respond to the call to action. We recommend that you do the following:

  • Educate users on how to detect phishing emails—Spear phishing emails do a great job of effectively impersonating a credible source; however, there are often small details that can give them away. Help users identify phish using training tools that simulate a real phish. Here are a few tells that are found in some phish that you can incorporate into your training:
    • An incorrect email address or one that resembles what you expect but is slightly off.
    • A sense of urgency coupled with a request to break company policy. For example, fast tracking payments without the usual checks and procedures.
    • Emotive language to evoke sympathy or fear. For example, the impersonated CEO might say you’re letting them down if you do not make the urgent payment.
    • Inconsistent wording or terminology. Does the business lingo align with company conventions? Does the source typically use those words?

  • Encourage users to communicate potential phishing emails—It’s important that users flag phishing emails to the proper team. This can be done natively within many enterprise email systems. It can also be helpful if users talk with their peers about the phishing emails they receive. Spear phishers typically don’t send blast emails; however, they may select several people from the same department or with business relationships. Talking will alert other users to be on the lookout for phishy emails.

Figure 4. Enhanced anti-phishing capabilities are available in Microsoft Office 365.

  • Deploy technology designed to block phishing emails—If users don’t receive the phishing email, they can’t act on it! Deploy technology that can help you catch phishing emails before they land in someone’s inbox. For instance, Office 365, one of the world’s largest email providers, offers a variety of protection against phishing attacks by default and through additional offerings such as Microsoft Advanced Threat Protection (ATP) anti-phishing. Importantly, Microsoft has both been advancing the anti-phishing capabilities of Office 365 (see Figure 4 above) and improving catch rates of phishing emails.

Get in touch

Reach out to Diana Kelley on LinkedIn or Twitter or Seema Kathuria on LinkedIn or Twitter and let them know what you’d like to see us cover as they talk about new security products and capabilities.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Spear phishing campaigns—they’re sharper than you think appeared first on Microsoft Security.

Changing security incident response by utilizing the power of the cloud—DART tools, techniques, and procedures: part 1

November 14th, 2019 No comments

This is the first in a blog series discussing the tools, techniques, and procedures that the Microsoft Detection and Response Team (DART) use to investigate cybersecurity incidents at our customer organizations. Today, we introduce the team and give a brief overview of each of the tools that utilize the power of the cloud. In upcoming posts, we’ll cover each tool in-depth and elaborate on techniques and procedures used by the team.

Key lessons learned from DART’s investigation evolution

DART’s investigation procedures and technology have evolved over 14 years of assisting our customers during some of the worst hack attacks on record. Tools have evolved from primarily bespoke (custom) tools into a blend of commercially available Microsoft detection solutions plus bespoke tools, most of which extend the core Microsoft detection capabilities. The team contributes knowledge and technology back to the product groups, who leverage that experience into our products, so our customers can benefit from our (hard-won) lessons learned during our investigations.

This experience means that DART’s tooling and communication requirements during incident investigations tend to be a bit more demanding than most in-house teams, given we’re often working with complex global environments. It’s not uncommon that an organization’s ability to detect and respond to security incidents is inadequate to cope with skilled attackers who will spend days and weeks profiling the organization and its employees. Consequently, we help organizations across many different industry verticals and from those experiences we have collated some key lessons:

  • Detection is critical (and weak)—One of the first priorities when the team engages to assist with an incident investigation at a customer site is to increase the detection capability of that organization. Over the years, we’ve seen that industry-wide detection has stayed the weakest of the Protect, Detect, Respond triad. While the average dwell time numbers are trending downward, it’s still measured in days (usually double digit numbers) and days of access to your systems is plenty of time to do massive damage.
  • Inadequate auditing—More often than not, DART finds that organizations don’t turn on auditing or have misconfigured auditing with the result that there is not a full record of attacker activities. See auditing best practices for Active Directory and Office 365. In addition, given the current prolific use of weaponized PowerShell scripts by attackers, we strongly recommend implementing PowerShell auditing.
  • Static plus active containment—Static containment (protection) controls can never be 100 percent successful against skilled human attackers, so we need to add in an active containment component that can detect and contain those attackers at the edge and as they move around the environment. This second part is crucial—as they move around the environment—we need to move away from the traditional mindset of “Time to Detect” and implement a “Time to Remediate” approach with active containment procedures to disrupt attackers’ abilities to realize their objective once in the environment. Of course, attackers that have been in the organization for a very long time require more involved investigation and planning for an eviction event to be successful and lessen any potential impact to the organization.

These lessons have significantly influenced the methodology and toolsets we use in DART as we engage with our customers. In this blog series, we’ll share lessons learned and best practices of organizations and incident responders to help ensure readiness.

Observe-Orient-Decide-Act (OODA) framework

Before we can act in any meaningful way, we need to observe attacker activities, so we can orient ourselves and decide what to do. Orientation is the most critical step in the Observe-Orient-Decide-Act (OODA) framework developed by John Boyd and overviewed in this OODA article. Wherever possible, the team will light up several tools in the organization, installing the Microsoft Management Agent (MMA) and trial versions of the Microsoft Threat Protection suite, which includes Microsoft Defender ATP, Azure ATP, Office 365 ATP, and Microsoft Cloud App Security (our Cloud Access Security Broker (CASB) solution named illustrated in Figure 1). Why? Because these technologies were developed specifically to form an end-to-end picture across the attacker cyber kill-chain framework (reference Lockheed Martin) and together work swiftly to gather indicators of anomaly, attack, and compromise necessary for successful blocking of the attacker.

The Microsoft ATP platform of tools are used extensively by the Microsoft Corporate IT security operations center (SOC) in our Cyber Defence Operations Center (CDOC), whose slogan is “Minutes Matter.” Using these technologies, the CDOC has dropped their time to remediate incidents from hours to minutes—a game changer we’ve replicated at many of our customers.

Microsoft Threat Protection

The Microsoft Threat Protection platform includes Microsoft Defender ATP, Azure ATP, Office 365 ATP, as well as additional services that strengthen security for specific attack vectors, while adding security for attack vectors that would not be covered by the ATP solutions alone. Read Announcing Microsoft Threat Protection for more information. In this blog, we focus on the tools that give DART a high return on investment in terms of speed to implement versus visibility gained.

Infographic showing maximum detection during attack stages, with Office 365 ATP, Azure AD Identity Protection, and Cloud App Security.

Figure 1. Microsoft Threat Protection and the cyber kill-chain.

Although the blog series discusses Microsoft technologies preferentially, the intent here is not to replicate data or signals—the team uses what the customer has—but to close gaps where the organization might be missing signal. With that in mind, let’s move on to a brief discussion of the tools.

Horizontal tools: Visibility across the cyber kill-chain

Horizonal tools include Azure Sentinel and Azure Security Center:

  • Azure Sentinel—New to DART’s arsenal is Azure Sentinel—the first cloud-native SIEM (security investigation and event management). Over the past few months, DART has deployed Azure Sentinel as a mechanism to combine the different signal sets in what we refer to as a SIEM and SOAR as a service. SOAR, which stands for security orchestration and automation, is indispensable in its capability to respond to attacker actions with speed and accuracy. Our intention is not to replicate a customer SIEM but to use the power of the cloud and machine learning to quickly combine alerts across the cyber kill-chain in a fusion model to lessen the time it takes an investigator to understand what the attacker is doing.

Importantly, machine learning gives DART the ability to aggregate diverse signals and get an end-to-end picture of what is going on quickly and to act on that information. In this way, information important to the investigation can be forwarded to the existing SIEM, allowing for efficient and speedy analysis utilizing the power of the cloud.

  • Azure Security Center—DART also onboards the organization into Azure Security Center, if not already enabled for the organization. This tool significantly adds to our ability to investigate and pivot across the infrastructure, especially given the fact that many organizations don’t yet have Windows 10 devices deployed throughout. Security Center also does much more with machine learning for next-generation detection and simplifying security management across clouds and platforms (Windows/Linux).

DART’s focus for the tool is primarily on the log analytics capabilities that allow us to pivot our investigation and, furthermore, utilize the recommended hardening suggestions during our rapid recovery work. We also recommend the implementation of Security Center proactively, as it gives clear security recommendations that an organization can implement to secure their on-premises and cloud infrastructures. See Azure Security Center FAQs for more information.

Vertical tools: Depth visibility in designated areas of the cyber kill-chain

Vertical tools include Azure ATP, Office 365 ATP, Microsoft Defender ATP, Cloud App Security, and custom tooling:

  • Azure ATP—The Verizon Data Breach Report of 2018 reported that 81 percent of breaches are caused by compromised credentials. Every incident that DART has responded to over the last few years has had some component of credential theft; consequently Azure ATP is one of the first tools we implement when we get to a site—before, if possible—to get insight into what users and entities are doing in the environment. This allows us to utilize built-in detections to determine suspicious behaviour, such as suspicious changes of identity metadata and user privileges.
  • Office 365 ATP—With approximately 90 percent of all attacks starting with a phishing email, having ways to detect when a phishing email makes it past email perimeter defences is critical. DART investigators are always interested in which mechanism the attacker compromised the environment—simply so we can be sure to block that vector. We use Office 365 ATP capabilities— such as security playbooks and investigation graphs—to investigate and remediate attacks faster.
  • Microsoft Defender ATP—If the organization has Windows 10 devices, we can implement Microsoft Defender ATP (previously Windows Defender ATP)—a cloud-based solution that leverages a built-in agent in Windows 10. Otherwise, we’ll utilize MMA to gather information from older versions of Windows and Linux machines and pull that information into our investigation. This makes it possible to detect attacker activities, aggregate this information, and prioritize the investigation of detected activity.
  • Cloud App SecurityCloud App Security is a multi-mode cloud access security broker that natively integrates with the other tools DART deploys, giving access to sophisticated analytics to identify and combat cyberthreats across the organizations. This allows us to detect any malicious activity using cloud resources that the attacker might be undertaking. Cloud App Security, combined with Azure ATP, allows us to see if the attacker is exfiltrating data from the organization, and also allows organizations to proactively determine and assess any shadow IT they may be unaware of.
  • Custom tooling—Bespoke custom tooling is deployed depending on attacker activities and the software present in the organization. Examples include infrastructure health-check tools, which allow us to check for any modification of Microsoft technologies—such as Active Directory, Microsoft’s public key infrastructure (PKI), and Exchange health (where Office 365 is not in use) as well as tools designed to detect use of specific specialist attack vectors and persistence mechanisms. Where machines are in frame for a deeper investigation, we normally utilize a tool that runs against a live machine to acquire more information about that machine, or even run a full disk acquisition forensic tool, depending on legal requirements.

Together, the vertical tools give us unparalleled view into what is happening in the organization. These signals can be collated and aggregated into both Security Center and Azure Sentinel, where we can pull other data sources as available to the organization’s SOC.

Figure 2 represents how we correlate the signal and utilize machine learning to quickly identify compromised entities inside the organization.

Infographic showing combined signals: Identity, Cloud Apps, Data, and Devices.

Figure 2. Combining signals to identify compromised users and devices.

This gives us a very swift way to bubble up anomalous activity and allows us to rapidly orient ourselves against attacker activity. In many cases, we can then use automated playbooks to block attacker activity once we understand the attacker’s tools, techniques, and procedures; but that will be the subject of another post.

Next up—how Azure Sentinel helps DART

Today, in Part 1 of our blog series, we introduced the suite of tools used by DART and the Microsoft CDOC to rapidly detect attacker activity and actions—because in the case of cyber incident investigations, minutes matter. In our next blog we’ll drill down into Azure Sentinel capabilities to highlight how it helps DART; stay posted!

Azure Sentinel

Intelligent security analytics for your entire enterprise.


Learn more

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing security incident response by utilizing the power of the cloud—DART tools, techniques, and procedures: part 1 appeared first on Microsoft Security.

Gartner names Microsoft a Leader in the 2019 Cloud Access Security Broker (CASB) Magic Quadrant

October 29th, 2019 No comments

In Gartner’s third annual Magic Quadrant for Cloud Access Security Brokers (CASB), Microsoft was named a Leader based on its completeness of vision and ability to execute in the CASB market. Microsoft was also identified as strongest in execution.

Gartner led the industry when they defined the term CASB in 2012. We believe their report points out a key fact for the market, that Microsoft currently has the largest customer base of all participating vendors. We believe that this, along with being ranked as a Leader, reflects our continued commitment to building the best possible solution for our customers and our goal to find innovative ways of helping them better protect their Microsoft and third-party cloud apps and platforms.

Image of the Gartner Magic Quadrant, showing Microsoft as a Leader in completeness of vision and ability to execute.

This recognition comes at a great point in our evolution journey. We’re guided by a strong vision to provide a customer-centric, best-in-class CASB solution that easily integrates with our customers’ existing environment, simplifies deployment, and optimizes the experience for admins, SecOps, and end users alike.

In customer conversations, many of them embrace a similar set of key product differentiators, some of which are also referred to in the Gartner report including:

  • The ability to monitor and control any app across cloud, on-premises, and custom apps.
  • Extensive integration across products, while also offering the ability to integrate with third-party solutions.
  • Extensive set of built-in threat-protection policies and a user and entity behavior analytics (UEBA) interface that provides a consolidated risk timeline and score for each user to help prioritize investigations across hybrid identities.

As we continue to build powerful, new capabilities for our CASB offering, we’re leveraging the unique ability to natively integrate with other best-in-class solutions from Microsoft’s Security and Identity portfolio including Azure Active Directory, Microsoft Defender Advanced Threat Protection, Microsoft Intune, and more. This allows us to deliver unique CASB capabilities, provide customers with fully integrated solutions across their portfolio, and achieve single-click deployments.

CASBs are essential to any modern Cloud Security strategy to provide a central point of monitoring and control. It enables IT departments to ensure secure access and protect the flow of critical data with a consistent set of controls across the increasing number of apps and cloud workloads.

With Microsoft Ignite around the corner, we look forward to more exciting announcements in November. As you continue to plan for the needs of your organization, please let us know how we can support the work you’re doing with Microsoft 365 by reaching out to your account team.

Learn more

Read the complimentary report for the analysis behind Microsoft’s position as a Leader.

For more information about our CASB solution, visit our website and stay up to date with our blog. Want to see our CASB in action? Start a free trial today.

Gartner Magic Quadrant for Cloud Access Security Brokers, Steve Riley, Craig Lawson, 22 October 2019.

The post Gartner names Microsoft a Leader in the 2019 Cloud Access Security Broker (CASB) Magic Quadrant appeared first on Microsoft Security.

Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise

October 28th, 2019 No comments

Microsoft Threat Experts is the managed threat hunting service within Microsoft Defender Advanced Threat Protection (ATP) that includes two capabilities: targeted attack notifications and experts on demand.

Today, we are extremely excited to share that experts on demand is now generally available and gives customers direct access to real-life Microsoft threat analysts to help with their security investigations.

With experts on demand, Microsoft Defender ATP customers can engage directly with Microsoft security analysts to get guidance and insights needed to better understand, prevent, and respond to complex threats in their environments. This capability was shaped through partnership with multiple customers across various verticals by investigating and helping mitigate real-world attacks. From deep investigation of machines that customers had a security concern about, to threat intelligence questions related to anticipated adversaries, experts on demand extends and supports security operations teams.

The other Microsoft Threat Experts capability, targeted attack notifications, delivers alerts that are tailored to organizations and provides as much information as can be quickly delivered to bring attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion. Together, the two capabilities make Microsoft Threat Experts a comprehensive managed threat hunting solution that provides an additional layer of expertise and optics for security operations teams.

Experts on the case

By design, the Microsoft Threat Experts service has as many use cases as there are unique organizations with unique security scenarios and requirements. One particular case showed how an alert in Microsoft Defender ATP led to informed customer response, aided by a targeted attack notification that progressed to an experts on demand inquiry, resulting in the customer fully remediating the incident and improving their security posture.

In this case, Microsoft Defender ATP endpoint protection capabilities recognized a new malicious file in a single machine within an organization. The organization’s security operations center (SOC) promptly investigated the alert and developed the suspicion it may indicate a new campaign from an advanced adversary specifically targeting them.

Microsoft Threat Experts, who are constantly hunting on behalf of this customer, had independently spotted and investigated the malicious behaviors associated with the attack. With knowledge about the adversaries behind the attack and their motivation, Microsoft Threat Experts sent the organization a bespoke targeted attack notification, which provided additional information and context, including the fact that the file was related to an app that was targeted in a documented cyberattack.

To create a fully informed path to mitigation, experts pointed to information about the scope of compromise, relevant indicators of compromise, and a timeline of observed events, which showed that the file executed on the affected machine and proceeded to drop additional files. One of these files attempted to connect to a command-and-control server, which could have given the attackers direct access to the organization’s network and sensitive data. Microsoft Threat Experts recommended full investigation of the compromised machine, as well as the rest of the network for related indicators of attack.

Based on the targeted attack notification, the organization opened an experts on demand investigation, which allowed the SOC to have a line of communication and consultation with Microsoft Threat Experts. Microsoft Threat Experts were able to immediately confirm the attacker attribution the SOC had suspected. Using Microsoft Defender ATP’s rich optics and capabilities, coupled with intelligence on the threat actor, experts on demand validated that there were no signs of second-stage malware or further compromise within the organization. Since, over time, Microsoft Threat Experts had developed an understanding of this organization’s security posture, they were able to share that the initial malware infection was the result of a weak security control: allowing users to exercise unrestricted local administrator privilege.

Experts on demand in the current cybersecurity climate

On a daily basis, organizations have to fend off the onslaught of increasingly sophisticated attacks that present unique security challenges in security: supply chain attacks, highly targeted campaigns, hands-on-keyboard attacks. With Microsoft Threat Experts, customers can work with Microsoft to augment their security operations capabilities and increase confidence in investigating and responding to security incidents.

Now that experts on demand is generally available, Microsoft Defender ATP customers have an even richer way of tapping into Microsoft’s security experts and get access to skills, experience, and intelligence necessary to face adversaries.

Experts on demand provide insights into attacks, technical guidance on next steps, and advice on risk and protection. Experts can be engaged directly from within the Microsoft Defender Security Center, so they are part of the existing security operations experience:

We are happy to bring experts on demand within reach of all Microsoft Defender ATP customers. Start your 90-day free trial via the Microsoft Defender Security Center today.

Learn more about Microsoft Defender ATP’s managed threat hunting service here: Announcing Microsoft Threat Experts.

 

 

The post Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise appeared first on Microsoft Security.