Archive for November, 2021

Security baseline for Microsoft Edge v96

November 29th, 2021

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 96!


We have reviewed the settings in Microsoft Edge version 96 and updated our guidance with the addition of 2 settings. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 96 package from the Security Compliance Toolkit.


Show the Reload in Internet Explorer mode button in the toolbar

To help prevent social engineering attacks and to ensure that the IE Mode engine is only used where necessary, we have set this to Disabled so that any use of IE Mode is controlled by the IT administrator.


Configure Edge TyposquattingChecker

Typosquatting has been around for a while and Microsoft Edge has now added a new setting to help prevent phishing using lookalike/similar URLs. This setting is Enabled in the baseline. Additional information on Typosquatting can be found here.


Microsoft Edge version 96 introduced 15 new computer settings and 15 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.


As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.


Please continue to give us feedback through the Security Baseline Community or this post.


How Red Canary and Microsoft can help reduce your alert fatigue

November 29th, 2021

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

Security alert fatigue

Organizations often feel overwhelmed by the number of security alerts they receive. Frustrated by alert fatigue, these organizations want a deeper understanding of security threats and extended coverage to protect themselves. Enterprises typically maintain 70 security products from 35 different vendors1 and burnout from alert fatigue can lead to choices that put a company’s security at risk. Prospective customers have told us they mute security alerts or create rules to ignore or turn off alerts. Some security operations leaders have even said that if a security alert isn’t resolved within a week, it’s automatically deleted from the system.

Security alert fatigue happens when employees become desensitized to alerts and alarms from tools and technology because of their frequency. Since 2019, the number of security alerts has increased by 34 percent.2 In fact, 44 percent of alerts go uninvestigated1 because of the high volume and inadequate staff levels.

Red Canary is a security ally for customers

Security alerts lack the context customers need to determine which alerts are a serious threat and which are noise. They also wonder, “If we were attacked, how fast could we contain a security threat?” Security alerts don’t answer this question. That’s why Red Canary, a cybersecurity software as a service (SaaS) company that provides outcome-focused solutions for security operations teams, developed a security operations platform that powers their Managed Detection and Response (MDR) solutions. Red Canary MDR integrates with Microsoft Defender for Endpoint to help customers detect and respond to cybersecurity threats in their environment. Red Canary MDR + Microsoft Defender for Endpoint is a powerful combination for modern security operations teams to protect their organizations.

Founded in 2014, Red Canary is a security ally for customers and an extension of their security teams. Underpinning Red Canary’s MDR solution is its all-day security operations team. These detection engineers provide extended coverage for long-term customer peace of mind. Red Canary is continuously monitoring and reviewing every potential threat—even detections that appear outwardly benign are investigated.

Red Canary’s approach

When its MDR solution detects a security threat for one customer, a logic-based detection engine is strengthened and used to detect similar threats for other customers. Thousands of detectors—a number that is growing all the time—trigger investigations on anything suspicious that’s detected.

Red Canary’s solution supercharges the already powerful Microsoft Defender for Endpoint. It now also supports Microsoft Defender for Identity, to help security operations teams protect on-premises identities, and Microsoft Azure Active Directory (Azure AD) Identity Protection, to protect identities and user accounts for Azure AD customers, along with recently announced support for publishing confirmed detections into Microsoft Sentinel.

The Red Canary technology is only half the story. Customers also benefit from the deep threat detection expertise with detection engineers and incident handlers available around the clock, serving as an extension of a customer’s security team.

“We increase the confirmed detections and tune down the noise of security alerts.”—Cordell BaanHofman, General Manager, Red Canary + Microsoft Security at Red Canary

Red Canary by the numbers: 20,000 endpoints, 51 billion telemetry records, 69,886 tipoffs, 3,943 significant events, 74 detections, and 17 high-severity attacks.

Bridging the expertise and budget gap

Besides alert fatigue, companies also struggle with two other big challenges that restrict their ability to respond to cyberthreats: a lack of cybersecurity expertise and a limited budget. Many organizations lack the in-house expertise to review, investigate, and respond to Microsoft Defender for Endpoint security threats. Often, budget prevents them from hiring people with the expertise to operationalize Microsoft Defender for Endpoint or provide all-day coverage.

Red Canary supports these companies by giving them access to a team of cybersecurity experts and all-day coverage. It offers them an “easy button,” including customizable, automated incident response playbooks which enhance the pre-built automated incident response model of Microsoft Defender for Endpoint. Red Canary’s approach to threat detection continues to effectively protect its customer base from ransomware—like the Conti and REvil families that have been implicated in so many prominent attacks this year—and other high-impact threats.

The company analyzes alerts and raw telemetry through APIs connected to Microsoft Defender for Endpoint. Customers are only notified of confirmed threats—in the middle of the night if it’s a critical threat—and are provided with full threat context to quickly respond to stop it in its tracks. This response is achieved through a combination of automation and incident response experts to neutralize and remove the threat.

Flow chart from Microsoft Defender for Endpoint to Red Canary security operations center to customer security team and back.

After bringing in Red Canary, an IT security leader said they felt positively about their security posture for the first time in their 10-year information security career. A security analyst at a different company said the solution results in every detection being actionable and reliable. The security analyst explained: “Red Canary has taken what used to be a daily workload of hours and brought it down to minutes.”

MISA membership

Red Canary is aligned with Microsoft’s security strategy, particularly extended detection and response (XDR) and the Zero Trust approach. Since becoming an inaugural MDR partner in 2019, Red Canary earned IP co-sell incentive status and shared the virtual stage at Microsoft Ignite with Microsoft Corporate Vice President Rob Lefferts during his advanced attack security keynote.

Red Canary was one of the early members of the Microsoft Intelligent Security Association (MISA), joining in January 2019, and has participated in Microsoft webinars, blog posts, and marketing workshops—all made possible by MISA.

Learn more

One of the reasons that Red Canary and Microsoft’s relationship is so strong is the two companies share a similar ethos and objective. Red Canary’s mission is to empower organizations worldwide to make their greatest impact without fear of a cyberattack. Microsoft’s mission is to empower every person and every organization on the planet to achieve more. Reach out for a demonstration of Red Canary MDR + Microsoft Defender for Endpoint.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1. 6 strategies to reduce cybersecurity alert fatigue in your SOC, Innocent Wafula, Microsoft. 17 February 2021.

2. SOC Teams Burdened by Alert Fatigue Explore XDR, Joan Goodchild, Dark Reading. 14 May 2021.

The post How Red Canary and Microsoft can help reduce your alert fatigue appeared first on Microsoft Security Blog.

Stay safe online this holiday shopping season with tips from Microsoft

November 23rd, 2021

You may have already noticed this holiday shopping season feels different than those we’ve had before. Headlines about supply chain issues, worker shortages, costs rising—all while the pandemic continues to impact our lives. In my own inbox, I saw emails from brands touting Black Friday sales as early as October! An attempt to get ahead of any shipping delays that are widely expected to impact the holiday season. It’s no surprise that according to a recent Microsoft survey,1 at least 63 percent of holiday shopping will be done online.

While we all grapple with these challenges and what they mean for our holiday traditions and celebrations, there is another group that is evaluating what it means for them—hackers. We know bad actors aim to understand the psychology of their victims—what tricks will they fall for and what vulnerabilities they have. And this year, there are some new areas around which we all need to be extra vigilant. Luckily, if we are aware and take simple steps to protect ourselves, we can all have peace of mind this season.

Shoppers’ concerns

According to our survey, price and availability are the two most important things shoppers are considering this year. We know price is always at the top of the list for most shoppers, but availability is a newer concern for most this year. If you’re already worried about getting gifts in time, you are certainly not alone—54 percent of people report they are worried about supply chain issues. And one in five are willing to go to a third-party seller, like auction or resale sites, to get their must-have holiday gifts.

Less than half of those surveyed say they consider the safety and security of their personal information when shopping online—while I’m glad to see that it’s in the consideration set, that means more than half aren’t even thinking about it. Luckily there are a few simple things that can set us all on a path to a safer shopping experience.

The holiday shopping season presents security challenges with 63 percent taking place online this year. You can learn how to protect yourself online this year on Microsoft Security's blog.

Fortify ahead of time

Before you start making purchases, look at the things you can do now to keep yourself more secure. We know that weak passwords are the entry point for most attacks—and there are a whopping 579 password attacks every second! Stop keeping track of your passwords and look to more secure alternatives.

  • Turn on multifactor authentication: If an account or service offers multifactor authentication (MFA), turn it on. If someone else tries to log into your account, you will be able to thwart the attempt when you are notified with a text, email, or other chosen method. MFA can block over 99 percent of password attacks.
  • Use free, trusted tools: Microsoft Edge offers several free features to keep you safe while shopping online. Should any of your saved logins become compromised, Password Monitor will notify you, allowing you to quickly change your password with the new one-click Easy Update feature in Edge. Password Generator automatically generates a strong, unique password suggestion each time you need one, as you create accounts to get all those great holiday deals.
  • Delete your password altogether: Where possible, remove your password completely and choose an alternate, more secure form of authentication. We make it easy to remove your password from your Microsoft account—not only is it more secure, you never need to worry about forgetting or changing a password. Learn how to go passwordless here: The passwordless future is here for your Microsoft account.

Don’t fall for too-good-to-be-true offers

With so many people worried about availability, we all need to be extra vigilant about scams that may prey on our desire to get the gifts our loved ones want. It can be easy to get tunnel vision when we see an ad for what we want with a “guaranteed delivery” offer. It might be tempting to go for it even if it’s a site we aren’t sure we can trust. But keep in mind, most offers that seem too good to be true are just that.

People are still falling victim to online scams like buying a fake digital gift card or making a purchase from what turned out to be a fake company. In fact, one in four have admitted to buying an item and receiving something that didn’t match the online description at all. Imagine thinking you’re getting the most popular toys of the holiday season only to get something that is more scary than merry.

And if you think that email offering extreme discounts or availability for an item that is sold out everywhere else seems a bit phishy, you may be right. Before you click, hover over any suspicious links to see if the web address matches what’s mentioned in the message. Look for any weird spellings, extra letters, or other telltale signs. When in doubt, go to the retailer website directly and see if the offer checks out. Learn more tips to spot phishing here:

These are just a few simple things you can do to help make your holiday shopping more secure, but the most important is #BeCyberSmart! Educate yourself, your family, and your friends about the threats out there and how to protect yourself. This helps us all be more vigilant and makes the world a little safer every day. To help you learn more about cybersecurity safety, visit our cybersecurity education resource center.

We’ll share more tips this holiday season—and be sure to check out what our colleagues at RiskIQ have to say about keeping e-commerce sites secure for holiday shopping.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Happy holidays!


1. Data is from YouGov Omnibus among a sample of 2,010 adults in the US and was collected between 3 and 5 November 2021. The survey was carried out online and data have been weighted to be representative of all US adults (aged 18 plus).

The post Stay safe online this holiday shopping season with tips from Microsoft appeared first on Microsoft Security Blog.


MVP Health Care secures member portal access with Microsoft Azure Active Directory B2C

November 23rd, 2021

Hello! I’m Sue Bohn, Microsoft Vice President of Program Management for Identity and Network Access. In today’s Voice of the Customer blog post, Chief Technology Officer and Chief Information Security Officer David Swits of MVP Health Care shares how Microsoft Azure Active Directory B2C helped the organization modernize and simplify portal authentication.

MVP Health Care modernizes and simplifies the way members gain access to health plan information

As both Chief Technology Officer and the Chief Information Security Officer at MVP Health Care, I believe you must design your technology solutions with security as the foundation and then overlay the functionality. When building online portals to be accessible to four groups—individual members, employers, healthcare providers, and brokers—MVP Health Care prioritized security as much as ease of use and the user experience (UX). After all, stolen healthcare data is highly prized by cybercriminals, and we have a duty to protect members’ information.

MVP Health Care is a regional, not-for-profit health plan with 700,000 members and 1,700 employees in New York and Vermont. When I joined in 2018, the company was eight to nine years behind on technology. Our objective was to embark on digital transformation so the company could more easily and efficiently serve our constituents. As a Microsoft-first organization, that meant turning to Microsoft technology as we reinvented our infrastructure and replaced our traditional authentication methods with Azure Active Directory (Azure AD) External Identities for B2C user journeys.

The technology running previous portals was antiquated and cumbersome

Comparing healthcare plans can be confusing. We knew we had data that could make it easier. To do that, our portals needed to cut through complexity and deliver the right content for each constituent group.

The old portals—fueled by the IBM WebSphere Application Server—were cumbersome to use and support. MVP Health Care developers sometimes had to go through the back-end to fix an account. No back-end identity process existed to authenticate people who needed to access a portal, so anyone could create an identity for anyone.

Partner Edgile becomes an extension of MVP Health Care’s team

We considered augmenting what we already had with biometrics features, but those plugins didn’t mesh well with our infrastructure. In 2018, we brought on Edgile as a partner and shared our Zero Trust security approach—assuming breach and giving people the least privileged access possible. With extensive knowledge of Azure AD B2C, Edgile designed the identity infrastructure around the new portal and trained our team on best practices.

Edgile built B2C custom policies with user flows, such as seamless single sign-on and self-service password reset. Single sign-on lets people access all their apps after signing in once, while self-service password reset enables people to unlock or reset their passwords without the help desk. To preserve the user accounts from MVP’s previous identity provider, Edgile designed a migration path for users to move to Azure AD B2C the first time they signed in.

Microsoft provided feature previews to Edgile and worked with an MVP Health Care developer to port the UX designs into the HTML, JavaScript, and cascading style sheets (CSS) to refine the experience. A collection of Azure functions and a .NET Core RESTful web application from Edgile helped maintain data synchronization and the execution of complex operations.

“Edgile teamed up really well with MVP Health Care expertise in identity management including external identity management. We started first with a strategy that was followed by a successful quickstart/proof of concept that led to the broader implementation.”—Tarun Vazirani, Edgile Account Partner

Custom policies help create user journeys

MVP Health Care leveraged the custom policies, which are configuration files that define the behavior of MVP’s Azure AD B2C tenant user experience. While user flows are predefined in the Azure AD B2C portal for the most common identity tasks, a custom policy can be edited by an identity developer to be fully configurable and policy-driven. It orchestrates trust between entities in standard protocols, including OpenID Connect, OAuth, and SAML, and a few non-standard ones like REST API–based system-to-system claims exchanges. The framework creates user-friendly, white-labeled experiences to:

  • Federate with other identity providers.
  • Address first- and third-party multifactor authentication challenges.
  • Collect user input.
  • Integrate with external systems using REST API communication.

Each user journey is defined by a policy. One can build as many or as few policies as required for the best user experience.

Microsoft’s identity experience framework

Figure 1: Microsoft’s identity experience framework.

A more unified and streamlined customer experience

Three portals have launched—with the provider portal expected to go live soon. Members appreciate the simpler, modern way they access their portal.

We now have modern authentication that integrates with modern technology. We can easily connect to Google, Facebook, and other verification methods. The experience is familiar for MVP Health Care’s constituents because it’s the same as the graphical interface they see elsewhere.

Together, all the features of Azure AD add huge value. Azure AD multifactor authentication and Conditional Access support Zero Trust’s baseline security. We’re audited on how well we protect confidential information. Multifactor authentication requires identity verification, such as entering a code sent to a phone. Conditional Access policies are if-then statements for how someone gains access.

On launch day, I tested the capabilities of Azure AD B2C and the new portals. I’ll never forget that feeling of knowing we’d chosen our technology wisely. It was slick. It was effective. It was fast. And it’s been an incredible asset for our organization ever since.

Voice of the Customer: Looking ahead

Many thanks to David for sharing MVP Health Care’s story. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Security blog so you don’t miss the next in this series!

To learn more about Microsoft Security solutions visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post MVP Health Care secures member portal access with Microsoft Azure Active Directory B2C appeared first on Microsoft Security Blog.

How to investigate service provider trust chains in the cloud

November 22nd, 2021

In a recent Microsoft blog post, we documented technical guidance for organizations to protect themselves from the latest NOBELIUM activity that was found to target technology service providers, which are privileged in their downstream customer tenants, as a method to gain access to their downstream customers and other organizations within the trust chain.

Microsoft Detection and Response Team (DART) has been assisting multiple organizations around the world in investigating the impact of NOBELIUM’s activities. While we have already engaged directly with affected customers to assist with incident response related to NOBELIUM’s recent activity, our goal with this blog is to help you answer the common and fundamental questions: How do I determine if I am a victim? If I am a victim, what did the threat actor do? How can I regain control over my environment and make it more difficult for this threat actor to regain access to our environments?

This blog outlines steps incident responders can take to investigate potential abuse of these delegated admin permissions, independent of the threat actor. In this blog, we’ll cover:

  • Identifying trust chains in Microsoft 365 and Microsoft Azure.
  • Investigating trust chains.
  • Mitigating malicious activity.
  • Recommendations: detect and protect.

Identifying trust chains in Microsoft 365 and Microsoft Azure

Several types of trust chains exist in Microsoft 365 and Microsoft Azure, which include delegated administration privileges (DAP), Azure admin-on-behalf-of (AOBO), Microsoft Azure Active Directory (Azure AD) business-to-business (B2B), multi-tenant Azure AD applications, as well as guest users. Many of these trust chains can grant a high level of access to Azure resources and Microsoft 365, requiring close monitoring.

Delegated administration privileges

DAP is a method by which your service providers can administer a Microsoft 365 environment without needing to maintain local identities. DAP can be beneficial for both the service provider and the end customer because it allows a service provider to administer a downstream tenant using its own identities and security policies. More information about delegated administration privileges and other admin-on-behalf-of scenarios is available in the following resources:

Service providers with DAP can be identified in the Microsoft 365 admin center by navigating to Settings then to Partner relationships. In the Partner relationships pane, you can view a list of all service providers that have established a billing relationship with the tenant and whether the service provider has any roles assigned (refer to Figure 1).

Partner relationships page in the Microsoft 365 admin center.

Figure 1. Identifying DAP as a downstream customer.

While end customers cannot see a list of all users in the service provider’s tenant that can make administrative changes to the end customer tenant, they can view logins by a service provider (refer to Figure 2) by viewing the Azure Active Directory sign-in logs and filtering for a Cross tenant access type of Service provider. The results can be exported by clicking Download and leveraged to further target your triage across Azure and Microsoft 365.

Sign-on logs sorted by service provider in Azure Active Directory

Figure 2: Sign-ins by service providers.

Azure AOBO

Azure AOBO is similar in nature to DAP, although the access is scoped to Azure Resource Manager (ARM) role assignments on individual Azure subscriptions and resources, as well as Azure Key Vault access policies. Azure AOBO brings similar management benefits to DAP.

Note: To fully assess the AOBO permissions in your subscriptions, ensure you have granted access to the Global Administrator who will be assessing service provider access to all subscriptions in each tenant. Read our documentation for details on how to elevate to user access administrator on the tenant root group.

The Azure AOBO access is added at subscription creation time and can be seen under Access control (IAM) on a given Azure subscription (refer to Figure 3).

Foreign principal selected under the role assignments tab in an Azure subscription.

Figure 3: Foreign Principal with Owner role on subscription.

If you have multiple subscriptions, consider running the following command to identify subscriptions where service providers might have access to resources:

Get-AzSubscription | % { Set-AzContext -Subscription $_.Id; Get-AzRoleAssignment -Scope "/subscriptions/$($_.Id)" | Where-Object {$_.DisplayName -like "Foreign Principal for * in Role 'TenantAdmins' (*)"} | Select DisplayName, Scope | Format-Table}

It is also possible to grant CSPs direct access to Key Vaults. The following PowerShell command can be used to identify Key Vaults with access policies that allow access via AOBO (it lists the vaults in the current subscription context, so repeat it for each subscription):

Get-AzKeyVault | % { $vault = Get-AzKeyVault -VaultName $_.VaultName; if ($vault.AccessPolicies | Where-Object {$_.DisplayName -like "Foreign Principal for '*' in role 'TenantAdmins' (*)"}) { $vault |select VaultName,ResourceId | Format-Table}}

The Azure Red Team tool Stormspotter can also be used in addition to the above commands for large environments.

The information gathered from the previous steps will be used to scope log review during triage.

Azure AD B2B

Azure AD B2B accounts (guests) can be used to administer Azure and Microsoft 365 resources. This method of administrative access leverages an individual’s existing identity in another tenant and is not typically recommended by Microsoft due to the limited control over that identity. Investigators should be mindful of the many ways in which guests can be granted access to resources in Microsoft 365, which may include Exchange Online roles and SharePoint Online roles. The guidance for this type of identity should be considered non-exhaustive and focused on Azure AD and Azure specifically. For more information, read our documentation about Azure AD B2B best practices.

Azure subscriptions

In order to fully assess the B2B permissions in your subscriptions, ensure you have granted access to the users who will be assessing service provider access to all subscriptions in each tenant by following this guidance: Elevate access to manage all Azure subscriptions and management groups.

Azure AD B2B identities granted Azure roles appear in the Access control blade in the Azure Portal with (Guest) next to them (see Figure 4).

The name Joe Fabrikam is selected as a guest user under the role assignments tab in an Azure subscription.

Figure 4: Guest user with Owner role on subscription.

Azure AD B2B identities can be systematically identified with the following command, which will produce a list of identities and resources that can be used to target initial triage.

Get-AzSubscription | % { Set-AzContext -Subscription $_.Id; Get-AzRoleAssignment -Scope "/subscriptions/$($_.Id)" | Where-Object {$_.SignInName -like "*#EXT#@*"} | Select DisplayName, SignInName, Scope | Format-Table}

Microsoft 365 (Azure AD)

Azure AD B2B identities that have been granted roles in Azure AD can be viewed in the assignments blade of Azure AD Privileged Identity Management. Filtering for “#EXT#” will allow you to view all guest users assigned to administrative roles (see Figure 5).

The name Joe Fabrikam is selected as a guest user listed under all active assignments in the Azure A D Privileged Identity Management blade.

Figure 5: Filtering for guest users.

The following PowerShell can also be used to identify guest accounts with administrative roles. This identity information will be used to help target triage.

Get-AzureADDirectoryRole | Get-AzureADDirectoryRoleMember | Where-Object {$_.UserPrincipalName -like "*#EXT#@*"}

Investigating trust chains

In Microsoft 365 and Microsoft Azure, there are multiple points of observability where activity via trust chains can be seen, including the Azure AD Audit log, Azure Activity log, Intune audit log, and the unified audit log. Using the data collected in the “identification” phase, a targeted review of logs can be performed to identify trust chain abuse. Each log should be reviewed for activity sourced from trust chains, specifically with a focus on activity that facilitates persistence, data collection, and reconnaissance.

12 indicators of tenant compromise: mailbox notifications, transport rule/email forwarding, administrator elevation/sign-in, user/group/guest modification, risk event activity, characteristics of the targeted users, new/unusual IP addresses, domain changes/additions, alert closure, application modifications, eDiscovery activity, and file/access activity.

Figure 6: Indicators of tenant compromise.

Azure AD

Adversaries will often establish persistence using various methods, including the creation of new service principals, the addition of new secrets to existing application registrations or service principals, the creation of new privileged users, and the takeover of existing privileged accounts. You can identify modifications made to Azure AD via trust chains by reviewing the Azure AD Audit log and filtering for the users identified as having recent sign-ins during the “identification” phase. Some specific activities of interest:

  • Password resets.
  • Modification of service principals.
  • Addition of users to privileged roles.
  • Changes to multifactor authentication (MFA).
  • Creation of new users.
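As an added example (not code from the DART post), the following Python carries the two phases above through on exported logs: it builds the actor scope from the cross-tenant sign-ins described in the identification phase, then keeps only the audit records matching the activities of interest that those actors initiated. Field names follow the Microsoft Graph signIn and directoryAudit schemas; the records and the activity-matching rules are constructed assumptions.

```python
"""Scope trust-chain triage from exported Azure AD logs (added example, not DART's code).
Step 1 builds the actor scope from exported sign-in records (cross-tenant sign-ins by
service providers and B2B guests); step 2 keeps only the Azure AD audit records of
interest that those actors initiated. Field names follow the Microsoft Graph signIn /
directoryAudit schemas; the records themselves are constructed samples.
"""
import json

# Constructed sample export of the Azure AD sign-in log (subset of fields).
SIGNIN_EXPORT = json.dumps([
    {"createdDateTime": "2021-11-01T02:14:00Z", "userPrincipalName": "ops.admin@csp.example",
     "homeTenantId": "tenant-csp-0001", "crossTenantAccessType": "serviceProvider",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-11-03T23:40:00Z", "userPrincipalName": "ops.admin@csp.example",
     "homeTenantId": "tenant-csp-0001", "crossTenantAccessType": "serviceProvider",
     "ipAddress": "203.0.113.9", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-11-03T23:50:00Z",
     "userPrincipalName": "joe_fabrikam.example#EXT#@contoso.onmicrosoft.com",
     "homeTenantId": "tenant-fabrikam-0002", "crossTenantAccessType": "b2bCollaboration",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-11-02T09:00:00Z", "userPrincipalName": "alice@contoso.example",
     "homeTenantId": "tenant-contoso-0000", "crossTenantAccessType": "none",
     "ipAddress": "192.0.2.10", "status": {"errorCode": 0}},
])

# Constructed sample export of the Azure AD audit log (subset of fields).
AUDIT_EXPORT = json.dumps([
    {"activityDateTime": "2021-11-01T02:20:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "ops.admin@csp.example"}},
     "targetResources": [{"displayName": "svc-backup", "type": "User"},
                         {"displayName": "Global Administrator", "type": "Role"}]},
    {"activityDateTime": "2021-11-01T02:25:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "ops.admin@csp.example"}},
     "targetResources": [{"displayName": "LegacySyncApp", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2021-11-02T09:05:00Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "bob@contoso.example", "type": "User"}]},
    {"activityDateTime": "2021-11-03T23:55:00Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName":
                              "joe_fabrikam.example#EXT#@contoso.onmicrosoft.com"}},
     "targetResources": [{"displayName": "svc-backup", "type": "User"}]},
])

TRUST_CHAIN_ACCESS = {"serviceProvider", "b2bCollaboration"}  # sign-ins via a trust chain

# Activities of interest from the list above, as case-insensitive substrings of
# activityDisplayName (assumed rules; extend to the names in your own export).
ACTIVITIES_OF_INTEREST = {
    "Password resets": ("reset user password", "change user password"),
    "Modification of service principals": ("service principal",),
    "Addition of users to privileged roles": ("member to role",),
    "Changes to MFA": ("strongauthentication", "security info", "authentication method"),
    "Creation of new users": ("add user",),
}


def build_actor_scope(signins):
    """Step 1: every identity that signed in via a trust chain, with where and when."""
    scope = {}
    for s in signins:
        if s.get("crossTenantAccessType") not in TRUST_CHAIN_ACCESS:
            continue
        when = s["createdDateTime"]  # ISO-8601 UTC, so string order is time order
        e = scope.setdefault(s["userPrincipalName"].lower(), {
            "home_tenant": s.get("homeTenantId"), "access_type": s["crossTenantAccessType"],
            "first_seen": when, "last_seen": when, "sign_ins": 0, "failed": 0, "ips": set()})
        e["first_seen"], e["last_seen"] = min(e["first_seen"], when), max(e["last_seen"], when)
        e["sign_ins"] += 1
        e["failed"] += int(s.get("status", {}).get("errorCode", 0) != 0)
        e["ips"].add(s.get("ipAddress"))
    return scope


def classify(activity_name):
    """Label from ACTIVITIES_OF_INTEREST matching an activityDisplayName, or None."""
    name = activity_name.lower()
    return next((label for label, needles in ACTIVITIES_OF_INTEREST.items()
                 if any(n in name for n in needles)), None)


def flag_audit_events(audits, scope):
    """Step 2: audit records initiated by an in-scope actor that match an activity label."""
    flagged = []
    for a in audits:
        actor = ((a.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "")
        label = classify(a.get("activityDisplayName", ""))
        if actor.lower() in scope and label:
            flagged.append({"time": a["activityDateTime"], "actor": actor.lower(),
                            "label": label, "activity": a["activityDisplayName"],
                            "targets": [f"{t.get('type')}:{t.get('displayName')}"
                                        for t in a.get("targetResources", [])]})
    return sorted(flagged, key=lambda ev: ev["time"])


def triage_report(signin_json=SIGNIN_EXPORT, audit_json=AUDIT_EXPORT):
    """Run both steps over exported log text; returns (actor scope, flagged events)."""
    scope = build_actor_scope(json.loads(signin_json))
    return scope, flag_audit_events(json.loads(audit_json), scope)
```

The in-tenant administrator's password reset is dropped because the actor is not in scope, while the same operation by the guest account is kept; swap in your own exports and extend ACTIVITIES_OF_INTEREST to the activity names they contain.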

Unified audit log

The unified audit log can be used to identify activity performed via trust chains in SharePoint Online, Exchange Online, Azure AD, and other Microsoft 365 products.

Keep in mind that the unified audit log ingests data from across Azure AD and Office 365 and retains this data for at least 90 days, making it an incredibly valuable source of centralized information, typically with longer retention than the source (for example, Azure AD only retains data for up to 30 days). If E5 licenses are applied, this data will be retained for 1 year, with a maximum configurable retention period of 10 years using Advanced Audit.

The Search-UnifiedAuditLog cmdlet can be used to search for actions performed by the users identified during the “identification” phase. Alternatively, the logs can be searched using a GUI in the Microsoft 365 Defender portal.
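The following is an added example, not code from the original post or from DART, of the Search-UnifiedAuditLog review: it pages through every record for the identified accounts over the 90-day window, parses the AuditData JSON, and keeps only operations that map to persistence, collection or reconnaissance. It assumes the ExchangeOnlineManagement module with Connect-ExchangeOnline already run by an account holding audit-log search rights, and constructed sample UPNs. The operation names are the strings the unified audit log uses for Exchange, Azure AD and eDiscovery events, but the grouping into classes is ours and the list should be extended for the workloads in scope.

```powershell
# Added example (not from the original post): unified audit log triage for identified accounts.
# Requires: ExchangeOnlineManagement module, Connect-ExchangeOnline already run.
$suspectUpns = @('jdoe_partner.example.com#EXT#@contoso.onmicrosoft.com',   # constructed
                 'helpdesk@contoso.onmicrosoft.com')                         # constructed
$start = (Get-Date).AddDays(-90)
$end   = Get-Date

# Operation -> what an actor gains from it. ASSUMPTION: names verified against the UAL schema you ingest.
$operationsOfInterest = @{
    'Persistence'    = @('New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox',
                         'Add-MailboxPermission','Add member to role.',
                         'Add service principal credentials.','Consent to application.')
    'Collection'     = @('SearchCreated','SearchExported','ViewedSearchExported',
                         'MailItemsAccessed','FileDownloaded','FileSyncDownloadedFull')
    'Reconnaissance' = @('MailboxLogin','FileAccessed','Add delegated permission grant.')
}
$allOps = $operationsOfInterest.Values | ForEach-Object { $_ }

# Search-UnifiedAuditLog returns at most 5000 records per call; a session id pages through the rest.
$sessionId = 'trustchain-' + [guid]::NewGuid()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $suspectUpns `
                -Operations $allOps -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    $records += $page
} while (@($page).Count -gt 0)

# ReturnLargeSet can hand back duplicates across pages; Identity is unique per record.
$findings = foreach ($r in ($records | Sort-Object Identity -Unique)) {
    $data  = $r.AuditData | ConvertFrom-Json
    $class = ($operationsOfInterest.GetEnumerator() | Where-Object { $_.Value -contains $r.Operations }).Key

    # Set-Mailbox is noisy; only keep it when the admin changed forwarding.
    if ($r.Operations -eq 'Set-Mailbox') {
        $fwd = $data.Parameters | Where-Object {
            $_.Name -in @('ForwardingSmtpAddress','ForwardingAddress','DeliverToMailboxAndForward') }
        if (-not $fwd) { continue }
    }

    [pscustomobject]@{
        Time       = $r.CreationDate
        User       = $r.UserIds
        RecordType = $r.RecordType
        Workload   = $data.Workload
        Operation  = $r.Operations
        Class      = $class
        ClientIP   = $data.ClientIP
        Object     = $data.ObjectId
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\ual-trustchain-findings.csv   # keep as evidence
```

ClientIP and the time-of-day pattern in the output are the fields to pivot on next: the same source address or user agent appearing against several workloads is usually what turns a single suspicious event into a confirmed trust-chain intrusion.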

Azure activity

Access by a malicious actor to Azure resources enables them to exfiltrate data and move laterally to other environments that are connected to the targeted Azure environment. Actors with access to the subscription can deploy new resources, access existing resources via virtual machine extensions, or simply exfiltrate data and keys directly from the Azure subscription. Access and manipulation of Azure resources can be audited by reviewing the Azure Activity logs that are present in each subscription. Refer to our blog post, Investigating Azure Activity with Microsoft Sentinel, for information about using Microsoft Sentinel queries to identify areas of interest.

Microsoft Endpoint Manager

A malicious actor may be able to reach Microsoft Endpoint Manager through the same trust chains, and because Microsoft Endpoint Manager manages the configuration of devices, its audit log is another important one to review. The Microsoft Endpoint Manager audit log can be accessed under the Tenant Administration blade of the Microsoft Endpoint Manager portal. In the audit log, the initiator "Partner" can be used to filter for actions initiated by Partners. Actions taken by guest users identified as having privileges during the "identification" phase will need to be searched for by User Principal Name. These log events should be reviewed to ensure no malicious activity occurred via the identified trust chains.

Details associated with the Partner type in the audit logs in the Microsoft Endpoint Manager admin center.

Figure 7: Actions initiated by Partners.

Mitigating malicious activity

If malicious activity is discovered and confirmed during the investigation, or if unneeded and overly permissive trust chains are found, decisive action should be taken to block or minimize access. Depending on the type of trust chain, different steps may need to be taken to block access. It is not recommended to fully delete the artifacts until the conclusion of any ongoing investigation; deleting certain artifacts may delay an investigation or make it more difficult to complete. Customers should talk with their service provider to understand what protections they have in place and, in the event of potential malicious activity, notify their service provider to obtain their assistance with activity validation.

Delegated administrative privileges

DAP should be removed if it is not required for the active, day-to-day administration of the tenant by the service provider. In some cases, permissions are required to facilitate administration by the service provider. In these instances, Microsoft will be introducing granular delegated admin privileges (GDAP), which will allow partners to control more granular and time-bound access to their customers’ workloads.

We recommend service providers leverage named accounts in the customer tenant to reduce blast radius and risk. In the event there is evidence of compromise stemming from a service provider relationship, it is recommended to remove the delegated admin privileges from the relationship at least until the conclusion of the investigation.

To remove delegated admin privileges, navigate to Settings then to Partner relationships in the Microsoft 365 admin center. From the Partner relationships pane, click on the relationship and then select Remove roles in the details pane. Taking this action will prevent the service provider from accessing the tenant as a Global Administrator or Helpdesk Administrator. Removing this access will not change or alter the billing relationship or licenses currently purchased through the service provider.

Azure AOBO

Azure AOBO access should be removed if it is not required for the active, day-to-day administration of the Azure subscription. If the service provider requires access to the Azure subscriptions, least privilege should be applied by adding the Foreign Principal with the proper roles and permissions. If there is evidence of compromise stemming from a service provider, the foreign group principal should be removed from every Azure Subscription.

Permissions granted via AOBO can be monitored by leveraging Azure Policy. A policy assigned at the Tenant Root Group will report non-compliance whenever a foreign principal is assigned permissions to resources in Azure. While Azure Policy cannot block the creation of subscriptions with foreign principals, it simplifies reporting on their existence and allows their removal, or the prevention of new assignments, to be automated if desired.

Azure AOBO permissions can be removed by navigating to the Access control (IAM) blade on the impacted subscription, selecting the foreign principal for the service provider, and then pressing Remove.


The foreign principal can be added back with more specific permissions if required, following the best practice of least privilege.
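Checking every subscription through the IAM blade does not scale, so the following is an added example, not code from the original post or from DART, that enumerates role assignments held by foreign principals across all subscriptions the signed-in identity can see, writes the result to CSV as evidence, and removes them only when run with -Remove. It assumes the Az.Accounts and Az.Resources modules and a Connect-AzAccount session holding Owner or User Access Administrator at the relevant scopes. The filter relies on foreign principals appearing in Get-AzRoleAssignment output with a DisplayName beginning "Foreign Principal for"; verify that against your own tenant before relying on it.

```powershell
# Added example (not from the original post): find and optionally remove AOBO foreign principal assignments.
# Requires: Az.Accounts + Az.Resources, Connect-AzAccount already run.
param([switch]$Remove)   # without -Remove the script only reports

$foreign = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    # ASSUMPTION: foreign principals surface with this DisplayName prefix. Inherited assignments from
    # management group scope are returned too; Scope shows where each one actually lives.
    Get-AzRoleAssignment |
        Where-Object { $_.DisplayName -like 'Foreign Principal for*' } |
        ForEach-Object {
            [pscustomobject]@{
                SubscriptionId = $sub.Id
                Subscription   = $sub.Name
                Principal      = $_.DisplayName
                ObjectId       = $_.ObjectId
                Role           = $_.RoleDefinitionName
                Scope          = $_.Scope
            }
        }
}

if (-not $foreign) { Write-Host 'No foreign principal role assignments found.'; return }

$foreign | Select-Object Subscription, Principal, Role, Scope | Format-Table -AutoSize
$foreign | Export-Csv -NoTypeInformation -Path .\foreign-principal-assignments.csv   # evidence before removal

if ($Remove) {
    # An assignment at management group scope shows up under every child subscription; remove it once.
    foreach ($f in ($foreign | Sort-Object ObjectId, Role, Scope -Unique)) {
        Set-AzContext -SubscriptionId $f.SubscriptionId | Out-Null
        # -Confirm prompts per assignment; re-add later with a narrower role instead of Owner if still needed.
        Remove-AzRoleAssignment -ObjectId $f.ObjectId -RoleDefinitionName $f.Role -Scope $f.Scope -Confirm
    }
}
```

Run it without -Remove first and compare the CSV with the partner relationships you expect; any foreign principal you cannot attribute to a current provider contract is a finding regardless of whether it has been used.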



Centralized availability of logging is critical for responding to and investigating potential incidents, and its absence is the top blocker to DART investigations of this type. If an organization monitors its cloud environment for privileged access and administrative changes, then malicious activity involving delegated admin privilege abuse should be discoverable and alerted on.

Cloud activity logs should be ingested into a security information and event manager (SIEM) and retained for analysis. This should include:

  • Office 365 unified audit log.
  • Azure AD admin audit logs and sign-in logs.
  • Microsoft Endpoint Manager audit log.
  • Azure Activity logs and specific data plane logs, such as Azure Key Vault and Storage.

Azure Policy can be leveraged to enforce a consistent logging standard across subscriptions.

As incident responders, DART are at their most effective when there is data available which is rich in both quantity and quality. One log type of interest is sign-in logs; identity events can tell us a lot about an actor’s activity. Patterns can often be identified in these logs to give us confidence in our analysis of threat actor activity. These patterns can be something as simple as an IP address matching, or as complex as a UserAgent string, time of day, and application ID match.

With that said, the most critical logging is that of administrative activity. Any usage of or actions performed by administrative accounts are of great interest and should be monitored and deconflicted. In enterprise environments, most changes are usually made during approved change windows, and changes outside of this should be assessed for their validity and integrity.

Logs on their own are useful, but alerting is critical to surfacing unusual or malicious activity in a timely manner. The Microsoft 365 Defender portal has some useful alerting built-in to identify suspicious activity. Some examples of these are:

  • Elevation of Exchange admin privilege.
  • eDiscovery search started or exported.
  • Creation of forwarding or redirect rule.

Custom alerts can also be created for other types of activity. Another excellent tool for alerting is Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). This tool can ingest data from Azure AD, Office 365, Azure, Defender for Endpoint, and Defender for Identity, along with many third-party services. A policy engine can be used to create alert policies based on built-in templates or custom definitions. Some examples of the templated policies are:

  • Administrative activity from a non-corporate IP address.
  • Unusual administrative activity (by user).
  • Unusual addition of credentials to an OAuth application.
  • Suspicious OAuth application file download activities.
  • Multiple virtual machine creation activities.


We recommend customers engage in a dialogue with their service providers on a regular basis to understand security controls that are in place for access to their tenant. Access to resources by the service provider should be closely monitored, and if unused for a period, removed following a strong least privilege process.

Review the Microsoft Security Best Practices and Azure Security Benchmark for guidance on improving security posture in combination with Microsoft Secure Score in the Microsoft 365 Security Center and Secure Score in Microsoft Defender for Cloud.

Some specific examples for protecting administrative access include using just-in-time administrative solutions such as Privileged Identity Management, together with regular reviews of administrators to ensure their access is still required. MFA is also critical, and not just the enablement of MFA but also ensuring that all administrators have registered MFA methods. DART has seen threat actors find an account which is enabled for MFA but has never been registered; this allows the threat actor to register their own MFA details, elevating their level of trust in the environment.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to investigate service provider trust chains in the cloud appeared first on Microsoft Security Blog.

Security Update Release Schedule (2022)

Categories: Uncategorized Tags:

Join us at InfoSec Jupyterthon 2021

November 19th, 2021 No comments

We’re excited to invite our community of infosec analysts and engineers to the second annual InfoSec Jupyterthon taking place on December 2-3, 2021. This is an online event organized by our friends in the Open Threat Research Forge, together with folks from the Microsoft Threat Intelligence Center (MSTIC).

Although this is not a Microsoft event, our Microsoft Security teams are delighted to be involved with helping organize it and deliver talks and workshops. Registration is free and it will be streamed on YouTube Live both days from 10:30 AM to 8:00 PM Eastern Time.

Illustration of Jupyter, tools, and community

Figure 1. InfoSec Jupyterthon 2021 event image. This image was created by Scriberia for The Turing Way community and is used under a CC-BY licence. Zenodo record.

What is InfoSec Jupyterthon?

InfoSec Jupyterthon is a forum for information security analysts and engineers to share knowledge and experiences about using Jupyter notebooks in security hunting and investigation. Last year’s conference featured talks on a variety of topics, from integrating notebooks into your security operations center (SOC) processes to using GPU-accelerated graphs, time series decomposition, and pandas statistics to detect and understand attacker patterns.

Since many of last year’s attendees identified themselves as Jupyter notebooks beginners, this year’s conference will feature a series of beginner and intermediate tutorials during the mornings, covering notebooks, data analysis with pandas, visualization and using MSTIC’s infosec Python package MSTICPy. The afternoons will host speakers on a variety of notebook and info security topics, including:

  • Automating notebook execution
  • Using notebooks with Apache Spark
  • Using notebooks in incident response

What is Jupyter and why is it relevant to infosec?

Jupyter notebooks are a hybrid environment that combine code, data analysis, and visualization in a single document. Jupyter is widely used by scientists and data analysts. Some of the characteristics that make Jupyter a great platform for more advanced threat investigations are:

  • Data agnostic – you can bring data from (almost) anywhere into your analysis
  • Centralization – you can combine code, formatted text, visuals in a single document
  • Flexible structure – it’s easy to add and remove sections as needed
  • Repeatable processes – you can save and run the same notebook on different inputs and/or criteria
  • Instant reporting – you can save a notebook as a PDF or HTML page

Screenshot of a sample Jupyter notebook process tree

Figure 2: A sample visualization of a process tree generated in a Jupyter notebook.

If you ever find yourself limited by your SIEM but don’t want to break into full-blown development mode, Jupyter notebooks could be what you’re looking for. You can read more about the benefits of using Jupyter in information security in this article.

Microsoft Sentinel includes a Jupyter notebooks feature that utilizes open APIs to power advanced investigations and hunting. Notebooks are also featured in several other Microsoft services such as Azure Data Studio and Azure Machine Learning. Google’s Colab and Amazon’s SageMaker also have a big following, making Jupyter notebooks a popular tool with broad support and a variety of use cases.

We’re looking forward to seeing you at InfoSec Jupyterthon 2021, December 2-3, 2021 from 10:00 AM to 8:00 PM Eastern Time. To attend, make sure to register for the event. You will get an email confirming your registration as well as additional information about the agenda, schedule, and workshop instructions.

To stay up to date on Microsoft’s latest security research and threat intelligence insights, make sure to read our blog.


The post Join us at InfoSec Jupyterthon 2021 appeared first on Microsoft Security Blog.

Microsoft named a Leader in IDC MarketScape for Modern Endpoint Security for Enterprise and Small and Midsize Businesses

November 18th, 2021 No comments

The security stakes have never been higher and, consequently, the protection of endpoints as a key component of any extended detection and response (XDR) strategy has never been more critical—for organizations of all sizes. Microsoft is thrilled to be recognized as a Leader in IDC’s MarketScape reports for Modern Endpoint Security for both enterprise1 and small and midsize businesses (SMB).2

The IDC MarketScape recognized Microsoft’s commitment to cross-platform support with Microsoft Defender for Endpoint, noting that “As telemetry is the rocket fuel for AI- and machine learning-infused endpoint security solutions, Microsoft’s breadth and volume are unequaled geographically and across customer segments (enterprise, small and midsize businesses, and consumer). With the support of macOS, iOS, and Android, Microsoft’s telemetry pool is expanding and diversifying. Microsoft’s expanded platform support also chips away at the long-standing advantage of endpoint security independent software vendors (ISVs).”

Microsoft’s vision for XDR was also cited as a differentiator, as Microsoft Defender for Endpoint is a key component of Microsoft 365 Defender, extending protection from devices to a single, integrated solution across all assets. “Microsoft’s strategic vantage point is more than its Windows operating system. Directory service of Active Directory, web browser of Microsoft Edge, and the ubiquitous business productivity apps of Office 365 provide Microsoft native visibility and control across common endpoint attack vectors. These security building blocks available through Microsoft licensing agreements (E3 and E5) and as standalone options have contributed to Microsoft’s market strength and momentum in modern endpoint security.”

Security for all

Everyone expects hackers to target big, lucrative targets. Modern endpoint security is a key component for any XDR strategy for enterprise security teams, along with identity, email, application, and cloud security protection. However, small businesses are also a popular target even if they are less prevalent in the headlines.

According to a recent SMB cybersecurity report, 55 percent of SMBs have experienced a cyberattack. Many SMB companies hold valuable information that can be exploited, such as customer and employee personal information, payment information, and more. Next-generation threats, like human-operated ransomware, are a danger to organizations of all sizes but are too rarely addressed by traditional endpoint protection platform (EPP) solutions.

As part of our commitment to security for all, Microsoft has renewed its pledge to bring enterprise security to SMBs and nonprofits, boosting cloud security programs and expanding intrusion prevention and detection tech to cover Amazon Web Services (AWS).

With the launch of Microsoft Defender for Business, Microsoft delivers capabilities such as antivirus, threat and vulnerability management, and endpoint detection and response (EDR), across a broad range of desktop and mobile platforms, including Windows, macOS, Android, and iOS.

Built on the foundation of Microsoft Defender for Endpoint, the solution lets SMBs focus on addressing the weaknesses that pose the highest risk to their environments, and reduce attack surface with application control, ransomware mitigation, network and web protection, and firewall. It also provides next-generation protection (on devices and in the cloud) and automated investigation and remediation, while allowing admins to automate workflows and integrate security data into existing solutions.

Defender for Business doesn’t require special security knowledge to install and use, and it comes with a simplified client configuration with recommended security policies enforced from the get-go.

“We need to have security for all, security that protects everything,” said Vasu Jakkal, Corporate Vice President for Security, Compliance, and Identity. “Security is a team sport, after all.”

Learn More

Read more about Microsoft Defender for Business, which offers enterprise-grade endpoint protection that’s cost-effective and easy to use—designed especially for businesses with up to 300 employees.

Readers seeking complete endpoint security can learn more about Microsoft Defender for Endpoint, Microsoft’s industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, EDR, and mobile threat defense. Sign up for a free trial today.

You can download the excerpts of the following reports for more details:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

We thank our customers and partners for being on this journey with us.


IDC MarketScape chart for Worldwide Modern Endpoint Security for Small and Midsize Businesses Vendor Assessment. Features Microsoft in top right hand corner under Leader.
IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of information and communication technology (ICT) suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each vendor’s position within a given market. The Capabilities score measures vendor product, go-to-market, and business execution in the short term. The Strategy score measures alignment of vendor strategies with customer requirements in a three to five-year timeframe. Vendor market share is represented by the size of the icons.
IDC MarketScape chart for Worldwide Modern Endpoint Security for Enterprises Vendor Assessment. Features Microsoft in top right hand corner under Leaders.
IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of information and communication technology (ICT) suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each vendor’s position within a given market. The Capabilities score measures vendor product, go-to-market, and business execution in the short term. The Strategy score measures alignment of vendor strategies with customer requirements in a three to five-year timeframe. Vendor market share is represented by the size of the icons.


1IDC MarketScape: Worldwide Modern Endpoint Security for Enterprises 2021 Vendor Assessment, Doc #US48306021. November 2021.

2The IDC MarketScape: Worldwide Modern Endpoint Security for Small and Midsize Businesses 2021 Vendor Assessment, Doc #48304721. November 2021.

The post Microsoft named a Leader in IDC MarketScape for Modern Endpoint Security for Enterprise and Small and Midsize Businesses appeared first on Microsoft Security Blog.

Categories: cybersecurity Tags:

Microsoft unpacks comprehensive security at Gartner and Forrester virtual events

November 18th, 2021 No comments

Every day, Microsoft is committed to maintaining comprehensive security for all across our interconnected global community. With that purpose in mind, we recently sponsored the 2021 Gartner Security and Risk Summit and 2021 Forrester Security and Risk Forum, where we discussed ongoing changes in the security landscape. As a Leader in five Gartner® Magic Quadrant™ reports and eight Forrester Wave™ categories, our team was keen to share insights about new threats, the evolution of Zero Trust security, managing compliance, risk, and privacy, and building tomorrow’s talent.

Comprehensive security

Vasu Jakkal, Corporate Vice President of Microsoft Security, Compliance & Identity, speaking with Phil Montgomery, General Manager for Security Product Marketing GTM, at the 2021 Gartner Security and Risk Summit.

Vasu Jakkal, Corporate Vice President (CVP) of Microsoft Security, Compliance, and Identity, sat down with Phil Montgomery, General Manager for Security Product Marketing GTM, at the 2021 Gartner Security and Risk Summit for a wide-ranging fireside chat on the evolving state of cybersecurity. Phil started by addressing the elephant in the room—how the past 18 months have altered the security landscape in ways we’re still trying to understand.

“When the pandemic started, businesses had to become digital overnight,” Vasu points out. “With employees turning to personal devices to get the job done, that meant we had an exponential increase in the amount of digital attack surfaces. We saw an incredible increase in the sophistication and frequency of cyberattacks.” Vasu cites the attack on Colonial Pipeline as an example of how attacks have become more sophisticated and relentless in 2021. She also cites the phenomenon of cybercriminals expanding their operations by offering ransomware as a service. “Organizations are facing new economic challenges along with those brought by hybrid environments—multi-cloud and multi-platform,” she reiterates. “All these factors have come together to increase the complexity we face in cybersecurity.”

“You can’t secure a door and leave a window open. You have to think about your security posture as an interdependent whole—both external and internal threats.”—Vasu Jakkal, CVP of Microsoft Security, Compliance, and Identity

Eliminating complexity is one reason why Microsoft chose to integrate Microsoft Sentinel, our cloud-native SIEM + SOAR solution, and Microsoft Defender, our extended detection and response (XDR) tool. Integrating the two solutions simplifies detection and response by providing a bird’s-eye view of your digital estate, as well as enabling your security operations center (SOC) to investigate and resolve incidents at a granular level. “That kind of visibility and rapid response can really make a difference in the early stages of a ransomware attack,” Vasu stresses. “The reality today is if you’re connected; you’re vulnerable. The only way to protect a remote workforce is to have left-to-right and top-to-bottom security. That means security, compliance, identity, device management, and privacy are all interdependent.”

Beyond the technology, Vasu also points out: “The number one thing every security leader should be doing right now is building and practicing a plan with all essential members of your team. Do you have a great communications plan? Do you have a great response plan?” She also stressed the importance of training and empowering employees at every level of the organization to identify suspicious activity and escalate it.

Zero Trust comes of age in 2021

Nupur Goyal, Microsoft Group Product Marketing Manager for Identity Security & Zero Trust and Microsoft Corporate Vice President of Program Management Alex Simons talking at the 2021 Forrester Security & Risk Forum.

Earlier this month at the 2021 Forrester Security and Risk Forum, Microsoft CVP of Program Management Alex Simons also sat down for another fireside chat with Nupur Goyal, Microsoft Group Product Marketing Manager for Identity Security and Zero Trust. Alex also was struck by the rapid changes in enterprise security over the past 18 months. “If you think about the world we were in before [the pandemic],” he explains, “you were mostly protecting desktop PCs and laptops; most of your apps were on-premise. You didn’t have to worry about nation-state attackers. That’s why it’s important for enterprises to move away from the old perimeter-based security model to a Zero Trust approach.”

“The thing to remember about a Zero Trust approach, as the saying goes: you don’t have to eat the whole elephant at once. Just gradually expand multifactor authentication across your employees, beginning with those that have the access to the most important applications.”—Alex Simons, Microsoft CVP of Program Management

For some organizations, Zero Trust requires a big shift in thinking. It’s a mindset that assumes all activity, even by known users, could be an attempt to breach your systems. Alex cites attackers who are now targeting identities—both through users and the software itself—as a new threat to consider. “You really need a system that can look at what your users and their devices are doing,” he explains. “That includes all the software services that can access your resources. It really has to be a comprehensive approach. The workload identities, the ones that are your software, that’s a new thing. And you want to make sure you have a good plan in place for that.”

Alex recommends organizations begin by applying multifactor authentication to all privileged admin accounts. He also pointed out the importance of making sure that every device accessing your resources is well-managed. “Microsoft Endpoint Manager and Microsoft Defender for Endpoint help achieve that. You want to be sure every device is encrypted and protected with a PIN, but also you want each to be in a clean state from an antivirus standpoint.”

Roughly 76 percent of Microsoft customers have already begun Zero Trust implementation. Because we’re now in a boundary-less world of hybrid work, Zero Trust is exactly the security approach that’s needed. The foundation of Zero Trust is based on the three guiding principles: verify explicitly, use least-privilege access, and assume breach. Microsoft is building an identity platform to simplify and secure all relationships among employees, partners, customers, workloads, and smart devices—whether you’re a developer, an IT administrator, or a user. “There are 579 attacks happening every second,” Vasu adds. “So, effective security has to start with a strong identity foundation. We see identity as the ‘trust fabric’ of this new boundaryless collaboration.”

Managing compliance, risk, and privacy

For organizations across every sector, a tremendous amount of data is accessed, processed, and stored every day. This, along with an ever-growing universe of data regulations, is creating complexity and compliance risk. “We have personal data, which is in movement and in flux all the time,” Vasu explains. “The lines between work and home networks are all blurring. So that creates a lot of pressure about how to protect data, and how to ensure that all regulations are being followed.”

Many organizations use manual processes to discover how much personal data they have stored. There’s often a lack of actionable insights to help mitigate security and privacy risks. That’s why Microsoft recently announced privacy management for Microsoft 365. This new solution helps organizations identify critical privacy risks, automate privacy operations, and empower employees to be smart when they’re handling sensitive data.

For chief information security officers (CISOs) and risk officers, Vasu proposes a four-fold solution for balancing compliance and privacy: First, know your data. “Who’s accessing your data?” she asks. “How is your data moving? Do you have the right label? Do you have the right sensitivities? How are you protecting against insider risk? Do you have the right permissions level?” Second, establish a baseline of activity and measure anomalies to that baseline. You can’t just look at the world through the auditors’ eyes—pass or fail. You need to help your team see how they’re making progress. Third, partner with providers who can help you stay on top of changes in laws and regulations in all markets where you operate. Fourth, establish a collaborative process internally to address the risks when they arise. “It’s not just a security problem; it’s an organizational problem,” she stresses. That means ensuring that HR, legal, compliance, and risk teams are all working with your security operations center.

Zero Trust is not just about outside-in protection; it’s also inside-out. Organizations need to build compliance protections into processes to defend against insider threats. “You can’t secure a door and leave a window open,” is how Vasu sums it up. “You have to think about your security posture as an interdependent whole—both external and internal threats.” Organizations can take an easy first step just by implementing passwordless technologies like Windows Hello for desktops or the Microsoft Authenticator app for mobile devices.

Building tomorrow’s talent

For almost every two cybersecurity jobs in the United States today, a third job is sitting empty because of a shortage of skilled people. That’s why Microsoft is launching a national campaign with United States community colleges to help skill and recruit 250,000 people into the cybersecurity workforce by 2025:

  • Community colleges are everywhere. There are 1,044 community colleges located in every state and territory, and in every setting: urban, suburban, rural, and tribal.
  • Community colleges are more affordable. Tuition averages just $3,770 annually (versus $10,560 for four-year public colleges). Moreover, 59 percent of community college students can access financial aid.
  • Community colleges are diverse. Students at community colleges are 40 percent Black or African American or Hispanic. In addition, 29 percent are among their family’s first generation to attend college, while 20 percent are students with disabilities, and 5 percent are veterans. And 57 percent of students at community colleges are women.

“In March of this year, we announced Microsoft’s Career Connector,” Vasu explains, “a service that will help place 50,000 job seekers skilled by Microsoft’s nonprofit and learning partners in the Microsoft ecosystem over the next three years.” Career Connector has a specific focus on women and underrepresented minorities in technology. “I’m proud to report that our global skills initiative has reached more than 30 million people in 249 countries,” she adds. Microsoft is also extending through the end of 2021 all the free courses and low-cost certifications offered in our global skilling initiative through Microsoft Learn. To help fill talent gaps in compliance, Microsoft also offers certification courses for security, compliance, and identity. “No matter who you are, you can be a defender.”

The attackers in today’s asymmetric cyberwar come from all backgrounds, ethnicities, and regions. For that reason, we as defenders need to be just as diverse. “Along with diversity, inclusion goes hand in hand,” Vasu explains. “It’s important that we commit to hiring from places we may have not thought about before, to build a place where everyone feels like they belong.” She sees solving the talent shortage as a three-step process: get more people aware of cybersecurity; help them build the skills they need; and create spaces where everyone feels they can do their best work. As Vasu sees it: “Ultimately, security is all about humans. Whether you’ve been in the workforce for 30 years and want a change, or you’re just starting your career; either way, there’s a place for you here.”

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft unpacks comprehensive security at Gartner and Forrester virtual events appeared first on Microsoft Security Blog.

Categories: cybersecurity, Zero Trust Tags:

Iranian targeting of IT sector on the rise

November 18th, 2021 No comments

Iranian threat actors are increasing attacks against IT services companies as a way to access their customers’ networks. This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain. Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks. The Microsoft Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU) assess this is part of a broader espionage objective to compromise organizations of interest to the Iranian regime.

Until July 2021, Microsoft had observed relatively little history of Iranian actors attacking Indian targets. As India and other nations rise as major IT services hubs, more nation state actors follow the supply chain to target these providers’ public and private sector customers around the world matching nation state interests.

To date this year, Microsoft has issued more than 1,600 notifications to over 40 IT companies in response to Iranian targeting, compared to 48 notifications in 2020, making this a significant increase from years past (Figure 1). The focus of several Iranian threat groups on the IT sector particularly spiked in the last six months – roughly 10-13% of our notifications were related to Iranian threat activity in the last six months, compared to two and a half percent in the six months prior (Figure 2). Most of the targeting is focused on IT services companies based in India, as well as several companies based in Israel and United Arab Emirates. Although different in technique from other recent supply chain attacks, these attacks represent another example of how nation state actors are increasingly targeting supply chains as indirect vectors to achieve their objectives.

Column chart showing number of notifications for 2019, 2020, and 2021

Figure 1: Number of notifications sent to IT Services related to Iran-based actor targeting

Column chart showing percentages of notifications for 4 quarters starting Oct-Dec 2020

Figure 2: Percentage of notifications per quarter sent to IT Services NSNs related to Iran-based activity

As with any observed nation state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

Observed activity

In July 2021, a group that MSTIC tracks as DEV-0228 and assesses as based in Iran compromised a single Israel-based IT company that provides business management software. Based on MSTIC’s assessment, DEV-0228 used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel. In September, we detected a separate Iranian group, DEV-0056, compromising email accounts at a Bahrain-based IT integration company that works on IT integration with Bahrain Government clients, who were likely DEV-0056’s ultimate target. DEV-0056 also compromised various accounts at a partially government-owned organization in the Middle East that provides information and communications technology to the defense and transportation sectors, which are targets of interest to the Iranian regime. DEV-0056 maintained persistence at the IT integration organization through at least October.

MSTIC detected a significant increase in these and other Iranian groups targeting IT companies based in India beginning in mid-August. From mid-August to late September, we issued 1,788 nation state notifications (NSNs) across Iranian actors to enterprise customers in India, roughly 80% of which were to IT companies, an exponential rise from the 10 notifications we issued the previous three years in response to previous Iranian targeting. Iranian cyber actors have rarely targeted India, and the lack of pressing geopolitical issues that would have prompted such a shift suggests that this targeting is for indirect access to subsidiaries and clients outside India.

Credential theft leads to downstream compromise

DEV-0228 dumped credentials from the on-premises network of an IT provider based in Israel in early July. Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company. MSTIC assesses at least four (4) of those victims were compromised using the acquired credentials and access from the IT company in the July and August attacks. Here are two such examples:

  • DEV-0228 operators compromised the on-premises network of a law firm in Israel in August through an account managed by the IT provider via PAExec (a custom version of the Windows Sysinternals tool PsExec).

Pa.exe  \\###.##.#.## -u {user name}\{domain name} -p "********" -s cmd.exe

  • DEV-0228 operators also compromised a defense company in Israel by signing into an email account provisioned for the same IT provider on the victim’s Office 365 tenant. The attackers likely obtained those credentials from the initial compromise of the IT provider in July.

Custom implant to establish persistence

DEV-0228 operators used a custom implant to establish persistence on victim hosts and then dumped LSASS. The implant is a custom remote access Trojan (RAT) that uses Dropbox as a command and control (C2) channel and is disguised as RuntimeBroker.exe or svchost.exe.

Operators staged their tools in a C:\Windows\TAPI directory on the victim hosts:

  • C:\Windows\TAPI\lsa.exe
  • C:\Windows\TAPI\pa.exe
  • C:\Windows\TAPI\pc.exe (procdump)
  • C:\Windows\TAPI\Rar.exe

Microsoft will continue to monitor DEV-0228 and DEV-0056 activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.

Indicators of compromise (IOCs)

Type                   Indicator (SHA-256)
svchost.exe            2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7
svchost.exe            9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd
lsa.exe                43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3
wdmsvc.exe             18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b
Pa.exe (PAExec.exe)    ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

Recommended defenses

The following guidance can mitigate the techniques described in the threat activity:


Microsoft 365 Defender


Microsoft Defender Antivirus detects threat components as the following malware:

  • Backdoor:MSIL/ShellClient.A
  • Backdoor:MSIL/ShellClient.A!dll
  • Trojan:MSIL/Mimikatz.BA!MTB

Endpoint detection and response (EDR)

Alerts with the following titles in the security center can indicate threat activity on the network:

  • DEV-0228 actor activity
  • DEV-0056 actor activity

The following alerts might also indicate activity associated with this threat. They can be triggered by unrelated activity as well, so they are listed here for reference only:

  • Suspicious connection to remote service
  • Possible command-and-control activity
  • Suspicious access to LSASS service
  • Sensitive credential memory read

Screenshot of Microsoft 365 Defender alert for Sensitive credential memory read

Figure 3: Microsoft 365 Defender alert showing credential dumping activity

Microsoft 365 Defender correlates related alerts into consolidated incidents to help customers determine with confidence if observed alerts are related to this activity. Customers using the Microsoft 365 Defender portal can view, investigate, and respond to incidents that include any detections related to the activity described in this blog.

Advanced hunting queries

Microsoft Sentinel

The indicators of compromise (IoCs) included in this blog post can be used by Microsoft Sentinel customers for detection purposes using the queries detailed below.

Command Line Activity November 2021

This hunting query looks for process command line activity related to observed activity. The query uses additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. Hosts with higher risk events should be investigated first.

FilePath/Hashes query November 2021

This hunting query looks for file paths/hashes related to observed activity as detailed in this blog.

In addition to these queries, there are equivalent queries that use the Advanced SIEM Information Model (ASIM) to look for the same activity.

Microsoft 365 Defender

To locate malicious activity related to the activity described in this blog, customers can run the following queries in Microsoft 365 Defender or Microsoft Defender for Endpoint.

Identify use of PAExec in your environment

Look for PAExec.exe process executions in your environment.

// Source table restored: these columns belong to DeviceProcessEvents
DeviceProcessEvents
| where FileName =~ "paexec.exe" or ProcessVersionInfoOriginalFileName =~ "paexec.exe"
| where not(ProcessCommandLine has_any("program files", "-service"))

Identify files created in the Windows\Tapi directory

Look for files created in the Windows\Tapi directory.

// Source table restored: file creation events live in DeviceFileEvents
DeviceFileEvents
| where FolderPath has @"C:\Windows\TAPI"

Suspicious PowerShell commands

Look for suspicious PowerShell process execution.

// Source table restored: command lines are in DeviceProcessEvents
DeviceProcessEvents
| where ProcessCommandLine has_any("/q /c color f7&", "Net.We$()bClient", "$b,15,$b.Length-15") or
(ProcessCommandLine has "FromBase64String" and ProcessCommandLine has_all("-nop", "iex", "(iex"))
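The three hunting queries above and the IOC table, re-implemented in Python as an added example (not code from the Microsoft post) so the logic can be exercised offline: it approximates KQL `has`/`=~` semantics (case-insensitive, whole-term matching) and runs the checks over constructed sample process and file events, including the benign cases the PAExec query's exclusions are meant to drop.

```python
"""Added example, not code from the Microsoft post: the post's three Advanced
Hunting queries and its IOC hash table re-implemented as plain Python checks and
run over constructed sample endpoint events."""
import re
from dataclasses import dataclass

# SHA-256 indicators copied from the post's IOC table (hash -> file name).
IOC_HASHES = {
    "2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7": "svchost.exe",
    "9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd": "svchost.exe",
    "43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3": "lsa.exe",
    "18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b": "wdmsvc.exe",
    "ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb": "Pa.exe (PAExec.exe)",
}
# Query 3's literal fragments, copied from the post.
SUSPICIOUS_PS_FRAGMENTS = ("/q /c color f7&", "Net.We$()bClient", "$b,15,$b.Length-15")

@dataclass
class ProcessEvent:          # subset of DeviceProcessEvents columns
    device: str
    file_name: str           # FileName
    original_file_name: str  # ProcessVersionInfoOriginalFileName
    command_line: str        # ProcessCommandLine
    sha256: str = ""         # SHA256

@dataclass
class FileEvent:             # subset of DeviceFileEvents columns
    device: str
    folder_path: str         # FolderPath
    file_name: str           # FileName

def has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive, and an alphanumeric edge of the
    term must sit on a term boundary (KQL matches whole terms, not substrings)."""
    t = term.lower()
    pattern = re.escape(t)
    if t[0].isalnum():
        pattern = r"(?<![0-9a-z])" + pattern
    if t[-1].isalnum():
        pattern = pattern + r"(?![0-9a-z])"
    return re.search(pattern, text.lower()) is not None

def has_any(text, terms): return any(has(text, t) for t in terms)
def has_all(text, terms): return all(has(text, t) for t in terms)

def is_paexec_execution(ev: ProcessEvent) -> bool:
    """Query 1: PAExec by file name or original file name, minus the vendor
    install path and service-mode noise that the post's query excludes."""
    named = "paexec.exe" in (ev.file_name.lower(), ev.original_file_name.lower())
    return named and not has_any(ev.command_line, ("program files", "-service"))

def is_tapi_staging(ev: FileEvent) -> bool:
    """Query 2: files created under the C:\\Windows\\TAPI staging directory."""
    return has(ev.folder_path, r"C:\Windows\TAPI")

def is_suspicious_powershell(cmd: str) -> bool:
    """Query 3: known obfuscation fragments, or a base64-decode-then-iex pattern."""
    if has_any(cmd, SUSPICIOUS_PS_FRAGMENTS):
        return True
    return has(cmd, "FromBase64String") and has_all(cmd, ("-nop", "iex", "(iex"))

def triage(process_events, file_events):
    """Run all checks; return (device, rule, detail) tuples, one per rule hit."""
    findings = []
    for ev in process_events:
        if is_paexec_execution(ev):
            findings.append((ev.device, "paexec-execution", ev.command_line))
        if is_suspicious_powershell(ev.command_line):
            findings.append((ev.device, "suspicious-powershell", ev.command_line))
        if ev.sha256.lower() in IOC_HASHES:
            findings.append((ev.device, "ioc-hash-match",
                             f"{ev.file_name} matches IOC for {IOC_HASHES[ev.sha256.lower()]}"))
    for ev in file_events:
        if is_tapi_staging(ev):
            findings.append((ev.device, "tapi-staging", ev.folder_path + "\\" + ev.file_name))
    return findings

# Constructed sample telemetry (not real incident data); the HOST-A command line
# mirrors the redacted PAExec invocation shown in the post.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("HOST-A", "pa.exe", "PAExec.exe",
                 r"C:\Windows\TAPI\pa.exe \\###.##.#.## -u {user name}\{domain name} -p ******** -s cmd.exe"),
    ProcessEvent("HOST-B", "paexec.exe", "PAExec.exe",
                 r'"C:\Program Files\Vendor\PAExec.exe" -service'),  # benign: excluded by query 1
    ProcessEvent("HOST-C", "powershell.exe", "PowerShell.EXE",
                 "powershell -nop -w hidden -c \"$s=[Convert]::FromBase64String('QUJD');"
                 "(iex ([Text.Encoding]::ASCII.GetString($s)))\""),
    ProcessEvent("HOST-D", "svchost.exe", "svchost.exe", "svchost.exe -k netsvcs",
                 sha256="2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7"),
]
SAMPLE_FILE_EVENTS = [
    FileEvent("HOST-A", r"C:\Windows\TAPI", "lsa.exe"),
    FileEvent("HOST-E", r"C:\Windows\System32", "tapisrv.dll"),  # benign
]

if __name__ == "__main__":
    for device, rule, detail in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(f"{device:7} {rule:22} {detail}")
```

Running it flags HOST-A twice (PAExec execution and TAPI staging), HOST-C for the base64 + iex pattern and HOST-D on the hash match, while HOST-B (vendor install path, service mode) and HOST-E produce nothing.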

The post Iranian targeting of IT sector on the rise appeared first on Microsoft Security Blog.

Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs

November 17th, 2021 No comments

Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and prevent reading of private key data previously stored in the keyCredentials property. The keyCredentials property is used to configure an …


Categories: Uncategorized Tags:

Adopting a Zero Trust approach throughout the lifecycle of data

November 17th, 2021 No comments

Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an uncontrolled network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.”

At Microsoft, we consider Zero Trust an essential component of any organization’s security plan based on these three principles:

  1. Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
  2. Use least privileged access: Limit user access with just-in-time (JIT) and just-enough-access (JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
  3. Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

In this article, we will focus on the third principle (assume breach) and how encryption and data protection play a significant role in getting prepared for a potential breach in your data center.

Protect data with end-to-end encryption

As part of a comprehensive security posture, data should always be encrypted so that in the event where an attacker is able to intercept customer data, they are unable to decipher usable information.

End-to-end encryption is applied throughout the following three stages: at rest, in transit, and in use.

Three icons representing data at rest, in transit, and in use.

Data protection is critical across all three of these stages, so let’s dive a little deeper into how each stage works and how it can be implemented.

Protect data at rest

Encryption at rest provides data protection for stored data (at rest). Attacks against data at rest include attempts to obtain physical access to the hardware on which the data is stored, and then compromising the contained data. In such an attack, a server’s hard drive may have been mishandled during maintenance allowing an attacker to remove the hard drive. Later the attacker would put the hard drive into a computer under their control to attempt to access the data.

Encryption at rest is designed to prevent the attacker from accessing the unencrypted data by ensuring the data is encrypted when on disk. If an attacker obtains a hard drive with encrypted data but not the encryption keys, the attacker must defeat the encryption to read the data. This attack is much more complex and resource-consuming than accessing unencrypted data on a hard drive. For this reason, encryption at rest is highly recommended and is a high priority requirement for many organizations.

Flow chart of Microsoft Azure Key Vault encryption process.

At rest, it is important that your data is protected through disk encryption which enables IT administrators to encrypt your entire virtual machine (VM) or operating system (OS) disks.

One of the concerns that we hear from customers is how can they reduce the chances that certificates, passwords, and other secrets may accidentally get leaked. A best practice is to use central storage of application secrets in a secured vault to have full control of their distribution. When using a secured vault, application developers no longer need to store security information in their applications, which reduces risk by eliminating the need to make this information part of the code.

Data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty. These Microsoft Azure security services are recommended for this purpose:

  • Azure Storage Service Encryption: Microsoft Azure Storage uses server-side encryption (SSE) to automatically encrypt your data when it is persisted to the cloud. Azure Storage encryption protects your data to help you to meet your organizational security and compliance commitments.
  • SQL Server Transparent Database Encryption (TDE): Encryption of a database file is done at the page level with Transparent Data Encryption. The pages in an encrypted database are encrypted before they’re written to disk and are decrypted when read into memory.
  • Secrets management: Microsoft Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
  • Key management: Azure Key Vault can also be used as a key management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
  • Certificate management: Azure Key Vault lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
  • Hardware security modules (HSM): Store and protect your secrets and keys either in software or in FIPS 140-2 Level 2 validated HSMs.

Protect data in transit

A “data in transit” condition exists when data is transferred within the data center between different network elements or data centers.

Organizations that fail to protect data in transit are more susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. These attacks can be the first step attackers use to gain access to confidential data.

For example, the recent NOBELIUM cyberattacks show that no one can be 100 percent protected against a breach. During this attack, 18,000 SolarWinds customers were vulnerable, including Fortune 500 companies and multiple agencies in the US government.

Data in transit should cover two independent encryption mechanisms:

  1. Application layer—the HTTPS and TLS encryption that takes place between the client and server node.
  2. Data link layer—encryption that takes place on the frames transferred over the Ethernet protocol, just above the physical connections.

It is recommended customers not only encrypt data on the application layer but also have visibility into their data in transit by using TLS inspection capabilities.

These Microsoft Azure network security services are recommended for this purpose:

As part of TLS inspection, these network services fully decrypt and re-encrypt the traffic that traverses them, apply additional controls such as an intrusion detection and prevention system (IDPS), and give customers visibility into the data itself.

To provide customers double encryption when sending data between regions, Azure provides data link layer encryption utilizing media access control security (MACSec).

MACSec is a vendor-independent IEEE standard (802.1AE) that provides data link layer, point-to-point encryption of traffic between network devices. Packets are encrypted and decrypted in hardware before being sent, which is designed to defeat even a physical man-in-the-middle attack. Because MACSec encrypts at line rate, it can secure data without the performance overhead and complexity of IP-layer encryption technologies such as IPsec/GRE.

Data in transit is encrypted on the wire to block physical man-in-the-middle attacks.

Whenever Azure customer traffic moves between Azure datacenters—outside physical boundaries not controlled by Microsoft (or on behalf of Microsoft)—a data link layer encryption method using the IEEE 802.1AE MAC Security Standards is applied from point-to-point across the underlying network hardware. The packets are encrypted and decrypted on the devices before being sent and applied by default for all Azure traffic traveling within a region or between regions.

Protect data in use

We often hear from customers that they are concerned about moving extremely sensitive IP and data to the cloud. To effectively protect assets, not only must data be secured at rest and in transit, but data must also be protected from threats while in use.

To protect data in use for services across your software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) cloud models, we offer two important capabilities: Azure confidential computing and centralized storage of application secrets.

Azure confidential computing encrypts data in memory in hardware-based trusted execution environments (TEEs) and only processes it once the cloud environment is verified, preventing data access from cloud operators, malicious admins, and privileged software such as the hypervisor. By protecting data in use, organizations can achieve the highest levels of data privacy and enable secure multi-party data analytics, without giving access to their data.

These Azure services are recommended to be used for ‘data in use’ protection:

  1. Application Enclaves: You can optimize for confidentiality at the application level by customizing your app to run in confidential VMs with Intel SGX application enclaves, or lift and shift existing applications using an ISV partner.
  2. Confidential VMs: You can optimize for ease of use by moving your existing workloads to Azure and making them confidential without changing any code by leveraging encryption across the entire VM with AMD SEV-SNP technologies.
  3. Trusted Launch: Trusted Launch with Secure boot and vTPMs ensure your virtual machines boot with legitimate code, helping you protect against advanced and persistent attack techniques such as rootkits and bootkits.
  4. Confidential Containers: AKS worker nodes are available on confidential computing VMs, allowing you to secure your containers with encrypted memory.
  5. Confidential Services: We are continuing to onboard Azure confidential services to leverage within your solutions, now supporting – Azure confidential ledger in preview, Azure SQL Always Encrypted, Azure Key Vault Managed HSM, and Microsoft Azure Attestation, all running on Azure confidential computing.

Strengthening your organization’s data protection posture

Protecting your data throughout its lifecycle and wherever it resides or travels is the most critical step to safeguard your business data.

To learn more about the end-to-end implementation of data protection as a critical part of your Zero Trust strategy, visit our Deployment Center.

To see how your organization’s data security posture stacks up against the Zero Trust maturity model, take this interactive quiz.

For more information about a Zero Trust security posture, visit the Microsoft Zero Trust website.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Adopting a Zero Trust approach throughout the lifecycle of data appeared first on Microsoft Security Blog.

Categories: cybersecurity Tags:

Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs

Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and prevent reading of private key data previously stored in the keyCredentials property.
The keyCredentials property is used to configure an application’s authentication credentials.

Categories: Uncategorized Tags:


Guidance on the Azure Active Directory (AD) keyCredential property information disclosure in the Application and Service Principal APIs

This blog is an abridged translation of “Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs”. For the latest information, the original

Categories: Uncategorized Tags:

Protect against phishing with Attack Simulation Training in Microsoft Defender for Office 365

November 16th, 2021 No comments

Sophisticated cyberattacks are on the rise, with email phishing as the most common attack vector. We’ve seen it all over the news with stories like Hafnium that targeted Exchange servers1 or the Nobelium attack against SolarWinds,2 which show just how easy it is for bad actors to distribute a malicious URL and gain sustained access to networks to install ransomware across a wide number of industries and verticals. Working from home poses a greater security risk as organizations are required to rely more heavily on email communication to run their businesses, and cybercriminals have an increased opportunity to phish users.

Attack Simulation Training helps mitigate phishing risk

Microsoft has been working hard to understand these types of attacks and create solutions that help prevent, detect, and remediate vulnerability at the most basic point of attack: the user. Attack Simulation Training is one of those solutions. Attack Simulation Training is included in Microsoft Defender for Office 365 Plan 2 and E5 offerings and provides a behavior-based solution to mitigate phishing risk across your organization. It provides the necessary tools to run intelligent simulations and measure users for a baseline awareness of phishing risk, provide actionable insights and recommendations to remediate risk with hyper-targeted training designed to change behavior, and then measure behavioral progress against that benchmark through repeated simulation. This all happens straight from the Microsoft 365 Defender portal.

Attack Simulation Training was released as part of Microsoft Defender for Office 365 to ensure customers had a complete prevent, detect, investigate, and respond solution. Other offerings may only provide a portion of these capabilities. Microsoft Defender for Office 365 offers essential threat investigation and response capabilities to keep malicious communication from reaching users’ inboxes, and Attack Simulation Training provides the ability to test where vulnerabilities lie in your organization and reduce your phish risk score by educating users with a vast library of trainings. Together, both Microsoft Defender for Office 365 and Attack Simulation Training can prevent a future data compromise saving your organization time and unexpected costs.

Through Attack Simulation Training’s intelligent automation, you can target your simulations by setting custom criteria and creating tailored payloads to fit your business. Additionally, you can leverage hundreds of premade email payloads in the template library that were modeled on real phishing attempts. After you run simulations, you’ll get several training options of content by Terranova Security that includes a variety of tailored courses, micro learnings, and nano learnings available in over 20 different languages. If you haven’t already, try Attack Simulation Training and learn how to set up a new phish simulation in this two-part blog series.

Learn more

At Microsoft, we keep our customers top of mind when making product investment decisions. Since we announced Attack Simulation Training at Ignite in 2020, we have made significant investments to ensure our customers have the best email simulation and training platform for their businesses. Two key investment areas that the product team recently made were:

  1. The ability for customers to access all the data that they have through Graph API reads. Learn more in our Tech Community blog post.
  2. The ability for organizations to customize anything on the landing page and make it their own, including adding their own branding. Read our blog post here.

You can also read more about Attack Simulation Training’s new regional availability and access all the latest product updates in the Attack Simulation Training blog series.

Watch our overview video of Attack Simulation Training to get a better feel of the user interface and some of its key reporting and insights capabilities.

Try Attack Simulation Training straight from the Microsoft 365 Defender portal and learn how to get started today!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1HAFNIUM targeting Exchange Servers with 0-day exploits, Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security, Microsoft. 2 March 2021.

2New sophisticated email-based attack from NOBELIUM, Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, Microsoft. 27 May 2021.

The post Protect against phishing with Attack Simulation Training in Microsoft Defender for Office 365 appeared first on Microsoft Security Blog.

The importance of identity and Microsoft Azure Active Directory resilience

November 16th, 2021 No comments

I love hearing my colleagues explain how they came to the industry because so many of their stories are unusual. I’m surprised how often I hear that people got into computer science by some fortuitous accident. Although he loved computers from the time he was a kid, Oren Melzer never expected to work in the software industry. Today, he’s a Principal Group Engineering Manager in the Identity and Network Access organization, working on one of our team’s most important efforts: resilience.

When he was growing up, Oren’s business-minded parents encouraged him to develop an entrepreneurial spirit. And he did. Oren’s journey reminds us that entrepreneurship isn’t limited to building a new business from scratch, where you start off doing everything yourself. Even though he’s worked in a large organization in a large company for the past several years, Oren has enjoyed participating in many entrepreneurial efforts, including his groundbreaking work on making cloud services resilient, as he tells Nadim Abdo, Corporate Vice President of Identity and Network Access Engineering.

Oren’s interview with Nadim has been edited for clarity and length. We’ve included some video snippets so you can learn more about Oren’s personal journey and his views on the work he does.

Nadim: Oren, I’d like to start by asking what got you into the industry and computers?

Oren: It all started when I was really young. My parents were immigrants from Israel to Louisville, Kentucky. Not a ton of Israelis in Kentucky! My dad was an engineer, so we had computers super early. I’m dating myself, but we had a Commodore that ran Microsoft Disk Operating System (MS-DOS). I was probably five or six, tinkering around on that thing. When my dad showed me Quick Basic interpreter (QBasic), I created a simple little program that would ask, “What is your name?” And you’d say, “Oren.” And it would say, “Hello, Oren.” I remember thinking, “That’s the coolest thing in the world. I can make a computer program that I can talk to!” I loved doing stuff on computers from then on.

Nadim: I have fond memories of QBasic as well. That integrated development environment (IDE) and debugger were pretty awesome. So, you wrote programs from an early age—do you remember any other programs you did?

Oren: Three months after I was born, my parents started a food manufacturing company, which they still run. It’s a family business, so after a few years, they put me to work. But they realized pretty quickly that this computer thing was probably more useful than me putting cans in boxes. So, I became the company computer guy.

They had software to do all their accounting and inventory, and there was a production planning module that cost $40,000. They asked me what I thought, and I said that, with what I knew, I could write it for a lot less money. I was a high schooler, and they basically threw me into this problem. I didn’t have anybody to tell me what to do or how to do it. I wrote a bunch of Visual Basic macros that pulled data from the system, pulled up some editable forms, and then popped out a production plan. That was an entire summer project, 20-plus years ago, and their company still runs on that software to this day. I actually still get tech support calls to fix random bugs.

Nadim: That’s amazing! You must’ve learned the value of customer obsession from that experience. And obviously, this segues to how you now work on some of the most critical services in the entire industry. What learnings from that experience really carried through?

Oren: First, you have to build something that works. I wrote this software when I was 16 or 17 years old, and if it breaks, they can’t produce—30 or 40 people on a factory floor don’t know what to run or they’re scrambling to try to do the same thing manually.

I didn’t know about source control then, but I learned early on to make a backup copy when making changes. If something broke, I’d copy in the one from yesterday that worked. And there’d be weird edge cases, like some new item that the string was too long to fit into how many characters I assumed it could be. So, I learned to be very fault-tolerant, catch errors, and keep on going.

Nadim: When you went to college, what did you choose as your focus? 

Oren: I was convinced that software was something everybody was doing. And I like to do things that other people aren’t doing. So, I went into college as a biomedical engineering major. I really wanted to combine the computer thing with biology, another passion I had in high school. I wanted to build medical devices and software for medical devices, pacemakers, and so forth.

A couple of things got me into software. Early on, I met another computer science major, and he became a good friend. He’s actually at Microsoft now. We started a book business together, which we wrote software for.

Video 1: Oren talks about the book business he started in college with a friend.

For a while, I actually thought this thing could be my career, but during our downtime one summer, I looked for a biomedical internship. I couldn’t find one, but who showed up at our company fair? Microsoft. I had my first internship in the identity organization after that. I loved it so much I changed my major. I ended up getting a master’s in computer science and came to Microsoft full-time. I’ve been in identity ever since.

Nadim: That’s wonderful! What do you like best about working in the identity space?

Oren: What’s cool about identity is how foundational it is, like the electric company. Very few people wake up in the morning and say, “I want to use my identity today.” But whatever you do want to do—when you look at all the Microsoft products and applications at any number of businesses—the very first question you always need to ask is, who are you? What is your identity?

Identity enables all those experiences. And when it doesn’t work, people can’t work. I tell people, “I challenge you to find another job where you can impact more people in a day than our identity system does.” We throw around numbers like “billions of authentications” like it’s nothing. That level of impact—that level of making a difference for practically every working person, and many people in college, all over the world—is practically unmatched anywhere else at Microsoft or in the industry, as far as I know.

Nadim: That’s right. The scale is certainly incredible, as is the criticality and security. With that kind of scale, there are obviously enormous technical challenges. And you’ve worked on a number of different areas within identity, right?

Oren: I started on a product called Windows CardSpace, formerly known as InfoCard. It was an identity selector in Windows, where somebody could issue you an identity to use online. To some extent, we were ahead of our time, and eventually, that project was shelved. I moved to developer frameworks and worked on Windows Identity Foundation, which became part of the Microsoft .NET Framework. I also worked on Active Directory Federation Services (AD FS).

My first entry into cloud services was the Access Control Service, which allowed admins to configure federated authentication for their apps. You could authenticate using Microsoft accounts and Google accounts and also secure your application. It was one of the identity organization’s first modern services. And it was really interesting to move from shipping software in a box, which people can download or not, to shipping something that runs all the time and is critical to day-to-day life.

Nadim: And certainly, an absolutely critical journey as part of cloud transformation with everybody using these services. Tell me about your role and what you like best about it?

Oren: I now own an area called “authentication resilience” in identity. We could build the best services in the world, with the most features, but if they’re not up all day, every day, we’re basically failing our customers. And the impact of that is enormous. We’ve learned hard lessons over the years on what can go wrong in a distributed system, so we’ve developed systems that enable us to operate, and continue to operate, in case all kinds of outages occur, whether from networking problems somewhere in Microsoft Azure, a bug that gets released in our system, or key management problems.

We’re building, number one, a set of components to ensure that if the core identity system goes down, users won’t notice. We do that by allowing sessions to live longer, while also being more secure, and to react in real-time. Secondly, we built an entire decorrelated backup authentication stack where we can continue to serve authentications even if the primary system goes down completely. The vast majority of users can stay productive and have no idea that anything has gone wrong.

The goal is to prevent the outage from happening, but if a partial outage does occur, to minimize the impact.

Video 2: Oren describes his job to his parents.

Nadim: How would you say that Microsoft is differentiating our offerings in terms of resilience?

Oren: When we started on this resilience journey a couple of years ago, we weren’t aware of any cross-industry efforts on service resilience. Existing identity standards just assume everything is going to work. With OAuth and security assertion markup language (SAML), you make a request, you get a response. There was no playbook or roadmap for figuring out how to build the next level of real-time signals, more resilience, or backup systems. We weren’t going to wait for one, so we just built it. Ultimately, a working group formed in the OpenID Foundation called Shared Signals and Events, and we actively participated. I went to many of those early meetings, trying to figure out how to build a real-time resilient identity system.

It’s one thing to talk about theory. It’s another to say, “We’ve built this already. Here’s what it looks like.” As a big believer in open standards, I’m proud that we didn’t just say, “The standard must be exactly like what we built, otherwise we’re not going to be on it.” We have actually adapted our implementation to the industry standard. And we’ve been able to get our partners elsewhere in the industry—people who build other software that works with Microsoft Azure Active Directory (Azure AD)—to adopt this standard as well. Now we can say that we have resilience and continuous access, not just for Microsoft properties, but also for many other long-tail apps, built by other people, that we know our customers rely on every day.

Nadim: One of the things that’s awesome about our team is we have so many different individuals with so much talent, with different interests, passions, and ways of looking at the world. How would you describe yourself, your approach, and your strengths?

Oren: People think of software engineers hunched over in a dark room in front of a desk, pounding on a keyboard, looking at ones and zeros on a screen. I like code as much as anybody, but I am a people person. I really thrive on human interaction, on enabling somebody to be successful, and on finding the right project for someone working for me who may be struggling a bit.

The same is true when I think about the impact of the software we build. I don’t just think about the billion requests our backup systems serve today. I think about a billion people who might’ve been frustrated because they couldn’t check their email. And now they can because this backup system kicked in. What motivates me is the people—both the ones I can see in the office and the ones I can’t see. I know they’re there. Knowing that the work I do can make a difference for those people, both in terms of the technology I build and of the people I manage, is extremely motivational for me.

Video 3: Oren shares what he likes best about his job.

Learn more

Learn more about cloud resilience.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post The importance of identity and Microsoft Azure Active Directory resilience appeared first on Microsoft Security Blog.

Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021

November 16th, 2021

Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At CyberWarCon 2021, MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled “The Iranian evolution: Observed changes in Iranian malicious network operations”. This blog is intended to summarize the content of that research and the topics covered in their presentation and demonstrate MSTIC’s ongoing efforts to track these actors and protect customers from the related threats.

MSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections into our products that improve customer protections. We are sharing this blog today so that others in the community can also be aware of the latest techniques we have observed being used by Iranian actors.

As with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

Three notable trends in Iranian nation-state operators have emerged:

  • They are increasingly utilizing ransomware to either collect funds or disrupt their targets.
  • They are more patient and persistent while engaging with their targets.
  • While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.


Since September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.

Timeline showing dates, threat actor, and malware payload of ransomware attacks by Iranian threat actors

Figure 1: Timeline of ransomware attacks by Iranian threat actors

In one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by the DFIR Report describes a similar intrusion in which actors leveraged vulnerabilities in on-premises Exchange Servers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this activity to PHOSPHORUS. PHOSPHORUS operators conducted widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.

Scan
In the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN that were vulnerable to CVE-2018-13379. This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

Exploit
When they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In some instances, the actors downloaded a Plink runner named MicrosoftOutLookUpdater.exe. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.

Review
After gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were fitting for actions on objectives. On select victims, operators created local administrator accounts with a username of “help” and password of “_AS_@1394” via the commands below. On occasion, actors dumped LSASS to acquire credentials to be used later for lateral movement.

net user help _AS_@1394 /add
net localgroup administrators help /add
net localgroup "Remote Desktop Users" help /add

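As an added example (not from the MSTIC post), the account-creation sequence above can be turned into a detection over process-creation telemetry: the script correlates a `net user … /add` with a later privileged `net localgroup … /add` for the same account on the same host. The sample events, the field names and the 10-minute correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry). The fields
# mimic what a Windows Security 4688 or Sysmon event ID 1 record would carry.
SAMPLE_EVENTS = [
    {"ts": "2021-03-02T03:10:05Z", "host": "EXCH01", "cmd": "net user help _AS_@1394 /add"},
    {"ts": "2021-03-02T03:10:07Z", "host": "EXCH01", "cmd": "net localgroup administrators help /add"},
    {"ts": "2021-03-02T03:10:09Z", "host": "EXCH01",
     "cmd": 'net localgroup "Remote Desktop Users" help /add'},
    # A helpdesk-style sequence hours apart: creation and elevation are not correlated.
    {"ts": "2021-03-02T09:00:00Z", "host": "WKS07", "cmd": "net user jdoe /add"},
    {"ts": "2021-03-02T15:45:00Z", "host": "WKS07", "cmd": "net localgroup administrators jdoe /add"},
]

# net / net1 / net.exe  user <name> [<password>] /add
USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.IGNORECASE)
# net localgroup <group or "quoted group"> <member> /add
GROUP_ADD = re.compile(r'\bnet1?(?:\.exe)?\s+localgroup\s+("[^"]+"|\S+)\s+(\S+)\s+/add\b',
                       re.IGNORECASE)
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_local_admin_creation(events, window_minutes: int = 10):
    """Return one alert per (host, account) where a local account is created and
    then added to a privileged local group within `window_minutes`."""
    created = {}   # (host, account) -> creation time
    alerts = {}    # (host, account) -> alert dict
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts, cmd = ev["host"], parse_ts(ev["ts"]), ev["cmd"]
        m = USER_ADD.search(cmd)
        if m:
            created[(host, m.group(1).lower())] = ts
            continue
        m = GROUP_ADD.search(cmd)
        if not m:
            continue
        group = m.group(1).strip('"').lower()
        account = m.group(2).lower()
        if group not in PRIVILEGED_GROUPS:
            continue
        t_created = created.get((host, account))
        if t_created is None or ts - t_created > timedelta(minutes=window_minutes):
            continue  # no recent creation on this host: not the pattern we are after
        alert = alerts.setdefault((host, account), {
            "host": host, "account": account, "created": t_created.isoformat(), "groups": []})
        alert["groups"].append(group)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_local_admin_creation(SAMPLE_EVENTS):
        print(alert)
```

Widening the window trades precision for recall: with `window_minutes=600` the WKS07 sequence is flagged as well.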
Stage and Ransom

Finally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several targeted organizations. BitLocker is a full volume encryption feature meant to be used for legitimate purposes. After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources. From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.

Your drives are Encrypted! Contact us: Telegram: @badguy

Patience and persistence

MSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator’s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.

PHOSPHORUS – Patient and persistent

PHOSPHORUS sends “interview requests” to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.

Once the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link. The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.

MSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.

CURIUM – In it for the long run

CURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.

These attackers have followed the following playbook:

  • Masquerade as an attractive woman on social media
  • Establish a connection via social media with a target user via LinkedIn, Facebook, etc.
  • Chat with the target daily
  • Send benign videos of the woman to the target to prime them to lower their guard
  • Send malicious files to the target similar to the benign files previously sent
  • Request that the target user open the malicious document
  • Exfiltrate data from the victim machine

The process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time through constant and continuous communication, which allows them to build trust and confidence with the target. In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.

By exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.

Brute force

In 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks. DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has blogged about DEV-0343 activity previously.

Analysis of Office 365 logs suggests that DEV-0343 is using a red team tool like o365spray to conduct these attacks.

Targeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.

As we discussed in our previous blog, DEV-0343 operators’ ‘pattern of life’ is consistent with the working schedule of actors based in Iran. DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00 and 16:00:00 UTC.

Bar chart showing activity per hour

Figure 2: DEV-0343 observed operating hours in UTC

Bar chart showing requests per day

Figure 3: DEV-0343 observed actor requests per day
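As an added example (not MSTIC's tooling), the two analyses described in this section can be scripted over sign-in records: spotting the password-spray shape (many distinct accounts, few attempts each, from one source) and profiling that source's working hours against the Sunday-to-Thursday, 04:00–16:00 UTC window. The records, the placeholder IP addresses and the thresholds are constructed assumptions, and the window is treated as 16:00 exclusive.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Sunday..Thursday in Python's weekday() numbering (Monday=0), and the 04:00-16:00 UTC
# window from the post, treated here as 16:00 exclusive (assumption).
IRAN_WORK_DAYS = {6, 0, 1, 2, 3}
WORK_HOURS = range(4, 16)


def build_sample_signins():
    """Constructed sign-in records (not real logs): a spray source that tries each
    of 40 accounts once on Sunday 2021-06-13, plus one user mistyping a password."""
    recs = []
    start = datetime(2021, 6, 13, 5, 0, 0)   # a Sunday, 05:00 UTC
    for i in range(40):
        recs.append({"ts": start + timedelta(minutes=3 * i), "user": f"user{i:02d}@example.com",
                     "ip": "203.0.113.10", "success": i == 17})   # one guess lands
    start = datetime(2021, 6, 19, 20, 0, 0)  # a Saturday evening, outside the window
    for i, ok in enumerate([False, False, True]):
        recs.append({"ts": start + timedelta(seconds=30 * i), "user": "alice@example.com",
                     "ip": "198.51.100.7", "success": ok})
    return recs


def find_password_spray(records, min_accounts=20, max_per_account=3, window_hours=24):
    """Flag sources that hit many distinct accounts with few attempts each inside a
    single window: the low-and-slow shape of a spray rather than a brute force."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        if recs[-1]["ts"] - recs[0]["ts"] > timedelta(hours=window_hours):
            continue  # kept simple: one window per source, no sliding
        per_account = Counter(r["user"] for r in recs)
        if len(per_account) < min_accounts or max(per_account.values()) > max_per_account:
            continue
        findings.append({"ip": ip, "accounts": len(per_account), "attempts": len(recs),
                         "compromised": sorted(r["user"] for r in recs if r["success"])})
    return findings


def activity_profile(records):
    """Per-hour and per-weekday counts plus the share of activity inside the window."""
    by_hour = Counter(r["ts"].hour for r in records)
    by_weekday = Counter(r["ts"].strftime("%a") for r in records)
    in_window = sum(1 for r in records
                    if r["ts"].weekday() in IRAN_WORK_DAYS and r["ts"].hour in WORK_HOURS)
    share = in_window / len(records) if records else 0.0
    return {"by_hour": dict(by_hour), "by_weekday": dict(by_weekday), "share_in_window": share}


if __name__ == "__main__":
    signins = build_sample_signins()
    for finding in find_password_spray(signins):
        print(finding)
        print(activity_profile([r for r in signins if r["ip"] == finding["ip"]]))
```

The working-hours share on its own is weak evidence (plenty of legitimate traffic falls in that window); it is corroboration for a source the spray logic has already singled out.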

Known DEV-0343 operators have also been observed targeting the same account on the same tenant being targeted by other known Iranian operators. For example, EUROPIUM operators attempted to access a specific account on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then observed targeting this same account within minutes of EUROPIUM operators gaining access to it the same day. MSTIC assesses that these observed overlapping activities suggest a coordination between different Iranian actors pursuing common objectives.

Closing thoughts: Increasingly capable threat actors

As Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:

  • Information operations
  • Disruption and destruction
  • Support to physical operations

Specifically, Iranian operators have proven themselves to be both willing and able to:

  • Deploy ransomware
  • Deploy disk wipers
  • Deploy mobile malware
  • Conduct phishing attacks
  • Conduct password spray attacks
  • Conduct mass exploitation attacks
  • Conduct supply chain attacks
  • Cloak C2 communications behind legitimate cloud services

MSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community. Microsoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.


The post Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 appeared first on Microsoft Security Blog.


How Open Systems uses Microsoft tools to improve security maturity

November 15th, 2021

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

We’ve all seen it happen—an organization has all the top-notch security tools in place and still, they get breached. In today’s rapidly evolving threat landscape, complexity leads to vulnerability. With so many tools to monitor, it’s easy for even the best security operations center (SOC) to get overwhelmed by non-actionable alerts1 and hampered by insufficient personnel to secure a growing digital estate. Research on “security tool sprawl” shows that, on average, organizations run 25 to 49 security tools from up to 10 different vendors.2 In a time of rising cyber attacks,3 the gaps left between mismatched or poorly implemented IT and security tools can make it impossible to establish a high-maturity security program.

Managed services to simplify security

Open Systems’ award-winning Managed Detection and Response (MDR) executes repeatable security missions that protect enterprises in real-time and levels up their security posture for tomorrow. The company’s customers are typically mid-market organizations—enterprise or small-to-medium corporations (SMC)—that are looking for all-day threat detection and response but also aspire to improve their security posture and resilience against attack. Open Systems noticed that many of these customers lean heavily on Microsoft for IT and cloud infrastructure, and can unlock the value of these investments to consolidate and operationalize their security tools. Open Systems accomplishes this by providing a Microsoft Azure cloud-native Managed Detection and Response (MDR) service built for Microsoft Sentinel (formerly known as Microsoft Azure Sentinel), Microsoft Security best practices, and Microsoft 365 E5 (M365 E5).

As a six-time Gold Partner, Open Systems enables Microsoft customers to get more insight from their Microsoft Security tools and to better grasp their attack surface. The company’s use of Microsoft’s cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities helps deliver stronger signal fidelity through machine learning threat modeling—delivering the actionable results Open Systems’ customers need to remain confident in their security every day. Even better, customers can often achieve this level of security using the Microsoft investments they’ve already made. And by integrating with Open Systems’ MDR, they get peace of mind by delegating detection and response to Microsoft-certified SOC analysts and threat hunters, helping contain threats early in the kill chain.


Figure 1: Open Systems’ MDR integration with Microsoft.

Open Systems’ approach

As a Microsoft Advanced Threat Protection Specialization certified partner, Open Systems focuses on three critical pillars for their MDR solution: mission-driven processes, a mission-ready platform, and Microsoft-certified experts.

Because the stakes are so high, the service is run like NASA Mission Control, using mission-driven processes to deliver repeatable and predictable outcomes that ensure fast detection and remediation of threats. These mission-driven processes have been honed for over 20 years with scientific rigor to bridge IT and security silos for optimal performance and resilience against attack. This allows Open Systems to deliver outcomes not alerts, greater business value, and out-of-this-world customer satisfaction.

Complementing these mature processes is the mission-ready platform at the heart of Open Systems’ services. This cloud-native platform weaves security into the fabric of an organization’s infrastructure, eliminating the need to stitch together multiple-point security products and the associated complexity. Managed from a “single pane of glass,” the platform also helps organizations realize the full value of their Microsoft infrastructure and that of their existing Microsoft security products.

The company’s four globally distributed SOCs follow the sun, with experts working from Europe, the United States, and Asia. Each of Open Systems’ DevSecOps engineers and security analysts has completed 400 hours of hands-on training and passed rigorous certification testing before servicing customers. They are armed with machine learning-powered high fidelity detection leveraging Microsoft Sentinel runbooks to ensure they can detect threats and make critical decisions fast and accurately.

Leveraging Microsoft

Scalability and enabling customers to retain their data are key aspects of the MDR service, both of which are achieved with Microsoft Sentinel and Microsoft Azure Lighthouse. Open Systems engaged with Microsoft in the early days of Microsoft Sentinel, working with their product teams and early customers to create a solution that runs in the customer tenant. Microsoft Defender for Endpoint absorbs signals, then contains threats as part of the automated response. Open Systems also leverages Microsoft Sentinel’s SOAR capabilities by writing managed runbooks that automatically contain and shut down threats early.

The service uses Azure Lighthouse to operate things—run queries, integrate different log sources, and more. Credible threats are inspected by Open Systems’ engineers and co-managed as needed with the customer. In this way, Open Systems’ MDR service and Microsoft Security don’t just integrate, they feed off each other to deliver better results. As one of our customers put it:

“We’re experiencing exceptional support from Open Systems. They not only help us contain costs and manage Azure, but their engineers, adaptable SASE+ platform, and managed runbooks contain threats before they spread throughout the network,” said James Tsang, Systems Manager, College of Southern Nevada.

Managed security leads to $2.5 million in savings

A publicly traded clinical research organization came to Open Systems for help streamlining their security architecture. They wanted to move away from siloed third-party systems that created too much complexity, too many vulnerabilities, and drove up costs. They needed a cloud platform to provide the accessibility and service necessary to protect their offices worldwide and their hybrid and remote workers. Open Systems partnered with Microsoft and demonstrated how Microsoft 365 E5 and Microsoft Sentinel could work together to help improve the company’s compliance, data protection, and security posture.

The Open Systems team also identified opportunities to replace legacy monitoring tools with Microsoft Azure Monitor and consolidate compliance and security data onto Microsoft Azure Log Analytics, helping reduce the number of suppliers and reduce costs. Together with Microsoft, Open Systems performed a cloud readiness and economic assessment using the company’s real-world costs—learning that the Azure implementation would result in $2.5 million annual savings by eliminating existing applications and unnecessary data centers. Moreover, optimizing Microsoft 365 E5 eliminated the need for several of the company’s existing tools, resulting in additional annual savings of $400,000.

The Open Systems and Microsoft monitoring tools’ capabilities.

Figure 2: Azure Monitor.

MISA membership

Cybersecurity is a high-trust business: trust in technology, trust in services, and trust in the partnership you have with your security vendor. Most of Open Systems’ customers come to the company through word-of-mouth references; many have worked with the company for years. Open Systems joined the Microsoft Intelligent Security Association (MISA) in July 2020 as part of the managed security service providers (MSSP) pilot. Being a MISA member gives Open Systems customers trust that the company can integrate its technologies with their existing Microsoft products, both on-premises and in the cloud. Customers want leadership and alignment with the Microsoft solutions they are investing in. Some of the company’s other ‘wow’ moments since joining MISA include:

As Mandana Javaheri, Global Director, Cybersecurity Solutions Group at Microsoft Corp put it in Open Systems’ press release, “MISA members are the cybersecurity industry leaders, unified by the common goal of helping secure our customers by offering their own valuable expertise and making the association more effective as it expands.”

Learn more

Want to learn more? Check out Open Systems’ Managed Detection and Response solution in the Azure Marketplace or visit the Open Systems’ Microsoft Solutions page.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1. 6 strategies to reduce cybersecurity alert fatigue in your SOC, Innocent Wafula, Microsoft Security, Microsoft. 17 February 2021.

2. Too many security tools can be as bad as too few, Taylor Armerding, Security Boulevard. 14 August 2020.

3. Why ransomware attacks are on the rise — and what can be done to stop them, Lynsey Jeffery, Vignesh Ramachandran, PBS. 8 July 2021.

The post How Open Systems uses Microsoft tools to improve security maturity appeared first on Microsoft Security Blog.

AI-driven adaptive protection against human-operated ransomware

November 15th, 2021

In human-operated ransomware attacks, threat actors use predictable methods to enter a device but eventually rely on hands-on-keyboard activities to move inside a network. To fortify our existing cloud-delivered automated protection against complex attacks like human-operated ransomware, we developed a cloud-based machine learning system that, when queried by a device, intelligently predicts if it is at risk, then automatically issues a more aggressive blocking verdict to protect the device, thwarting an attacker’s next steps.

The data-driven decisions the system makes are based on extensive research and experimentation to maximize blocking effectiveness without impacting customer experience. Since the adaptive protection is AI-driven, the risk score given to a device is not only dependent on individual indicators but on a broad swath of patterns and features that the system uses to determine whether an attack is imminent or underway. This capability is well suited to fighting human-operated ransomware because even if attackers use an unknown or benign file, or even a legitimate file or process, the system can help prevent the file or process from launching.

In a customer environment, the AI-driven adaptive protection feature was especially successful in helping prevent humans from entering the network by stopping the binary that would grant them access. By considering indicators that would otherwise be considered low priority for remediation, adaptive protection stopped the attack chain at an early stage such that the overall impact of the attack was significantly reduced. The threat turned out to be Cridex, a banking trojan commonly used for credential theft and data exfiltration, which are also key components in many cyberattacks including human-operated ransomware.

Microsoft Defender for Endpoint customers who have enabled cloud protection are already getting the benefits of this improvement on their devices (servers excluded)—no additional step required. While cloud-delivered protection is turned on by default, we encourage customers to check and ensure that it remains on. This backend enhancement can help prevent human-operated attacks and other sophisticated threats from progressing inside a network and give incident responders more time to analyze and remediate attacks when they do happen. Microsoft will continue to use data science techniques to enrich and develop machine learning algorithms used in Microsoft 365 Defender.

Seeing adaptive protection in action

At Microsoft, our data scientists are constantly researching and prototyping advanced AI techniques to battle ransomware attackers. One feature that has proven to be effective against these attacks is the new AI-driven adaptive protection, recently released to our enterprise customers.

Figure 1. How the AI-driven adaptive protection works. Note that the device risk scoring is done in real time by design and thus does not cause any latency.

The adaptive protection feature works on top of the existing robust cloud protection, which defends against threats through different next-generation technologies. Compared to the existing cloud protection level feature, which relies on admins to manually adjust the cloud protection level, the adaptive protection is smarter and faster. It can, when queried by a device, automatically ramp the aggressiveness of cloud-delivered blocking verdicts up or down based on real-time machine learning predictions, thus proactively protecting the device.

We can see the AI-driven adaptive protection in action in a case where the system blocked a certain file. Before the occurrence of this file on the device, there were suspicious behaviors observed on the device such as system code injection and task scheduling. These signals, among others, were all taken into consideration by the AI-driven adaptive protection’s intelligent cloud classifiers, and when the device was predicted as “at risk,” the cloud blocking aggressiveness was instantly ramped up. Owing to the increased aggressiveness, Microsoft Defender Antivirus detected and blocked this file. It’s more difficult by nature to detect and block new malware at first sight, so without the adaptive cloud protection capability, this file might not have been blocked on this customer’s device.

Later the file was determined as a variant of Cridex, which is commonly used for credential theft and data exfiltration, leading to these credentials and data being used by cybercriminals in later attacks. These behaviors are also key components in human-operated ransomware attacks, where early detection is critical to prevent further impact. We elaborate more on how the adaptive cloud protection can protect customers from human-operated ransomware attacks in the next sections.

Using machine learning to power adaptive cloud protection

For this feature to perform as we intended, we needed it to do two things quite well. One, we needed the system to accurately determine whether a device is at risk. Two, the system then needed to respond and adjust depending on the previous judgment or score.

Predicting whether a device is at risk

As devices come under attack, activities on a device often start as a small number of suspicious indicators that would not, in isolation, typically be surfaced as a malicious attack. However, when these signals are seen in sequence over time or in a cluster pattern, AI-driven protection can assess the state of a device at the arrival time of each new signal and can immediately adjust the risk score of the device accordingly. Example signals include previous malware encounters, threats, behavior events, and other relevant information.

If a device is incorrectly scored as not at risk when it is in fact at risk, the attacker could perform additional activities that might be more difficult for detection technologies to catch, for instance if the attacker steals credentials and uses them to move laterally. Conversely, if a device is incorrectly determined as at risk when it is not, then the customer experience suffers. To strike a balance, we needed to find an intelligent machine learning model that can give an accurate score and test that model rigorously.

The model we chose is a binary classifier with pattern recognition (specifically, frequent itemset mining) integrated. A study has shown that co-occurrence patterns are a stronger discriminator for these purposes than individual tokens, and that using co-occurrence increases the overall robustness of the model. To this end, we included frequent patterns that commonly show up in malicious samples as input features. To further increase the accuracy of the model (the number of correct classifications over total predictions), we selected only discriminative patterns by excluding those that have a small Jaccard distance to the frequent patterns present in the benign samples.

The risk score for the device as calculated by the model at that point in time then determines the system’s next steps.
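To make the pattern-based feature selection concrete, here is an added Python example; it is not Microsoft's code, and the signal token names, the eight labelled devices, the support and distance thresholds, and the noisy-OR scorer standing in for the production classifier are all constructed assumptions. It mines frequent itemsets from malicious and benign device signal sets, discards the malicious patterns whose Jaccard distance to any benign frequent pattern is small, and scores a device by the discriminative patterns it exhibits:

```python
from itertools import combinations

# Constructed training data: each device is the set of signal tokens observed
# on it. Both the tokens and the labels are made up for this example.
MALICIOUS_DEVICES = [
    {"code_injection", "task_scheduling", "lsass_access", "new_service"},
    {"code_injection", "task_scheduling", "network_enum", "new_service"},
    {"code_injection", "task_scheduling", "lsass_access", "office_macro"},
    {"task_scheduling", "lsass_access", "network_enum"},
]
BENIGN_DEVICES = [
    {"task_scheduling", "office_macro", "software_update"},
    {"task_scheduling", "software_update", "network_enum"},
    {"office_macro", "software_update"},
    {"task_scheduling", "office_macro", "network_enum", "software_update"},
]


def frequent_itemsets(transactions, min_support, max_len=3):
    """Brute-force frequent itemset mining, adequate for toy data (Apriori or
    FP-growth would be used at scale). Returns {frozenset(pattern): support},
    where support is the fraction of transactions containing the pattern."""
    items = sorted(set().union(*transactions))
    n = len(transactions)
    found = {}
    for k in range(1, max_len + 1):
        for combo in combinations(items, k):
            pattern = frozenset(combo)
            support = sum(1 for t in transactions if pattern <= t) / n
            if support >= min_support:
                found[pattern] = support
    return found


def jaccard_distance(a, b):
    """1 - |a ∩ b| / |a ∪ b|: 0 means identical sets, 1 means disjoint."""
    return 1.0 - len(a & b) / len(a | b)


def discriminative_patterns(mal_patterns, ben_patterns, min_distance):
    """Keep only malicious frequent patterns that are far (in Jaccard distance)
    from every frequent pattern of the benign population."""
    return {
        p: s for p, s in mal_patterns.items()
        if all(jaccard_distance(p, q) >= min_distance for q in ben_patterns)
    }


def build_model(min_support=0.5, min_distance=0.6):
    """Mine both populations and select the discriminative patterns that will
    serve as the classifier's co-occurrence features (thresholds assumed)."""
    mal = frequent_itemsets(MALICIOUS_DEVICES, min_support)
    ben = frequent_itemsets(BENIGN_DEVICES, min_support)
    return discriminative_patterns(mal, ben, min_distance)


def risk_score(signals, model):
    """Noisy-OR over the discriminative patterns present on the device: each
    matched pattern contributes its malicious-population support as evidence.
    A simple stand-in for the production classifier; the point is that the
    features are co-occurrence patterns, not individual tokens."""
    p_clean = 1.0
    for pattern, support in model.items():
        if pattern <= signals:
            p_clean *= 1.0 - support
    return 1.0 - p_clean


def classify(signals, model, threshold=0.5):
    """Binary decision on the risk score; the threshold is an assumption."""
    return "at_risk" if risk_score(signals, model) >= threshold else "not_at_risk"


if __name__ == "__main__":
    model = build_model()
    for pattern, support in sorted(model.items(), key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        print(f"{sorted(pattern)} support={support:.2f}")
    for device in ({"task_scheduling", "network_enum"},
                   {"task_scheduling", "code_injection"},
                   {"code_injection", "task_scheduling", "lsass_access"}):
        print(sorted(device), round(risk_score(device, model), 4), classify(device, model))
```

With these constructed inputs, task scheduling and network enumeration on their own are dropped as non-discriminative because they are frequent on benign devices too, while the three-item co-occurrence of code injection, task scheduling and LSASS access survives; a device that only shows network enumeration therefore scores zero, whereas one that adds code injection crosses the threshold.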

Adjusting cloud blocking aggressiveness automatically

If the risk score of the given device exceeds a certain threshold, cloud protection automatically switches to aggressive blocking. This level of blocking means that some processes or files that would not immediately be considered malicious might also be blocked, given that the device is at risk and they are likely being used maliciously. Both the risk score threshold and the switch to aggressive mode are data-driven decisions based on intensive research and experiments to maximize blocking effectiveness without impacting customer experience.

Furthermore, since the risk of a device is scored and refreshed in real time, the cloud immediately ramps down the aggressiveness right after the device is deemed to be no longer at risk. Therefore, we can make sure that this AI-driven adaptive protection feature won’t cause unnecessary false positives or disrupt customer experience.

Delivering contextual and personalized protection

The responsiveness of the blocking mechanism to the real-time risk score computation in the cloud ensures that the system makes better-informed decisions, resulting in contextual or stateful blocking on devices. The protection is customized to the point that the protection experience on each device is different—even for the same file or behavior.

For instance, process A can be allowed on a device that has a low risk score, but process A can be blocked and alerted on a potentially risky device. This "personalization" is beneficial for customers because they are less likely to encounter false positives or false negatives, unlike with machine learning models trained on a dataset that is a mix of every device. Essentially, each device receives a level of protection that is tailored to it.
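The threshold switch described under "Adjusting cloud blocking aggressiveness automatically" and the per-device outcome described here, as an added Python sketch that is not the product's code: the device risk is refreshed with each signal, the blocking level moves to aggressive above a threshold and back down once risk subsides, and the same verdict for a file is then allowed on a low-risk device but blocked on a risky one. The per-level confidence thresholds, the exponential smoothing of the risk score, and the hysteresis band between ramp-up and ramp-down are my assumptions (chosen to keep the level from flapping on borderline scores), not values from the production system.

```python
from dataclasses import dataclass, field


# A cloud verdict for one file or process: how confident the classifiers are
# that it is malicious. Values used below are constructed for the example.
@dataclass(frozen=True)
class Verdict:
    name: str
    malicious_confidence: float  # 0.0 = clean, 1.0 = known malware


# Minimum malicious confidence needed to block at each cloud blocking level.
# Assumed values: the aggressive level blocks files that standard would allow.
LEVELS = {"standard": 0.90, "aggressive": 0.40}


@dataclass
class DeviceState:
    device_id: str
    risk_score: float = 0.0
    level: str = "standard"
    history: list = field(default_factory=list)  # (risk, level) after each signal


def update_risk(state, signal_risk, decay=0.5, ramp_up=0.65, ramp_down=0.35):
    """Refresh the device's risk with the classifier score computed when a new
    signal arrives (exponential smoothing, so a cluster of risky signals weighs
    more than one), then move the blocking level: up to aggressive once risk
    reaches ramp_up, back to standard once it falls below ramp_down. The gap
    between the two thresholds is hysteresis (an assumption, not the product's
    policy) that stops the level flapping on borderline scores."""
    state.risk_score = decay * state.risk_score + (1.0 - decay) * signal_risk
    if state.level == "standard" and state.risk_score >= ramp_up:
        state.level = "aggressive"
    elif state.level == "aggressive" and state.risk_score < ramp_down:
        state.level = "standard"
    state.history.append((round(state.risk_score, 4), state.level))
    return state.level


def decide(state, verdict):
    """Stateful blocking: the verdict is compared against the threshold of the
    device's current level, so the same file can be allowed on one device and
    blocked on another."""
    return "block" if verdict.malicious_confidence >= LEVELS[state.level] else "allow"


def simulate(device_id, signal_risks, verdict):
    """Feed a sequence of per-signal risk scores to one device and record the
    decision for `verdict` after each one."""
    state = DeviceState(device_id)
    decisions = []
    for r in signal_risks:
        update_risk(state, r)
        decisions.append(decide(state, verdict))
    return state, decisions


# Constructed scenario: a file the classifiers are only mildly suspicious of,
# for example a lightly modified loader that evades signature matching.
UNKNOWN_LOADER = Verdict("unknown_loader.exe", 0.55)

if __name__ == "__main__":
    # Quiet device: low scores throughout, so the file stays allowed.
    quiet, quiet_decisions = simulate("quiet-pc", [0.10, 0.05, 0.10], UNKNOWN_LOADER)
    # Device with a burst of suspicious signals and then calm: the file is
    # blocked only while the device is deemed at risk.
    risky, risky_decisions = simulate("risky-pc", [0.30, 0.90, 0.95, 0.20, 0.10], UNKNOWN_LOADER)
    for state, decisions in ((quiet, quiet_decisions), (risky, risky_decisions)):
        print(state.device_id, list(zip(state.history, decisions)))
```

Note that a verdict with high confidence is blocked at every level; the adaptive level only changes the outcome for the grey zone between the two thresholds, which is where polymorphic loaders and abused legitimate tools tend to land.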

Adaptive cloud machine learning against human-operated ransomware

AI-driven adaptive protection has a wide range of use cases and tremendous potential value. Its application in human-operated ransomware prevention has been particularly successful. Human-operated ransomware attack chains usually follow specific patterns, starting with campaigns to distribute malicious files, then using techniques such as lateral movement for credential theft and data exfiltration, and finally deploying and activating ransomware payloads to encrypt files on the device and display a ransom note.

However, since threat actors react and adjust to specific findings in the environment, they are able to move fast and use a variety of alternatives to get to their next steps. This makes it challenging for incident responders to quickly determine whether an attack is underway and how to stop the attackers. Our adaptive protection, however, can pick up traces of attacker activity that occur before the actual encryption of files. These data are all collected by our machine learning algorithm and used as evidence to evaluate risk. When the system determines that the current device is compromised or at risk, aggressive cloud blocking kicks in instantly.

Detecting and blocking abuse of legitimate processes or files

In the hands-on-keyboard phase of human-operated ransomware attacks, attackers often use legitimate processes or files for their subsequent steps. For example, network enumeration is a benign behavior by nature, but when it is observed on a device that is determined to be compromised, the likelihood that attackers are performing reconnaissance activities and identifying targets is greater. Adaptive protection can intelligently block network enumeration behavior on risky devices to stop the attack chain and prevent further attacks.

Detecting and blocking ransomware loaders

Ransomware loaders refer to a set of tools or commodity malware that are usually used in the initial and intermediate stages of a ransomware attack. For example, Ryuk is delivered through banking trojan infections like Trickbot. If Trickbot infections go undetected, attackers may be able to move laterally and gain privileges on critical accounts, leading to destructive outcomes.

Known ransomware loaders are fairly easy to detect, so attackers usually make slight changes to the file to evade file signature matching. They then distribute many versions of the file so they can increase the chances that at least one will not be blocked. Due to their polymorphic nature, these files can sometimes be missed by traditional approaches to malware detection. However, with real-time knowledge of the device state, adaptive cloud machine learning significantly reduces the chance of missing them.

Stopping ransomware payloads

Hypothetically, in attacks where early to mid-stage attack activities are not detected and blocked, AI-driven adaptive protection can still demonstrate huge value when it comes to the final ransomware payload. Given the device is already compromised, our AI-driven adaptive protection system can easily and automatically switch to the most aggressive mode and block the actual ransomware payloads, preventing important files and data from being encrypted so attackers won’t be able to demand ransom for them.

Smarter, faster protection from the cloud

With the AI-driven adaptive protection, Microsoft Defender for Endpoint can adjust the aggressiveness in real time according to the device state, buy security operations centers more time when incidents happen, and potentially stop an attack chain from the beginning. With the wide coverage and high blocking quality of this feature, we believe it will benefit all enterprise customers and further enhance the next generation of AI-powered protection.

The AI-driven adaptive protection feature in Microsoft Defender for Endpoint is just one of the many different AI layers that support our threat intelligence, which strengthen our ability to detect and protect against security threats. More threat data increases the quality of signals analyzed by Microsoft 365 Defender as it provides cross-domain defense against costly attacks like human-operated ransomware.


Microsoft 365 Defender Research Team

The post AI-driven adaptive protection against human-operated ransomware appeared first on Microsoft Security Blog.