Microsoft Security Experts, Author at Microsoft Security Blog
Expert coverage of cybersecurity topics
Last updated: Fri, 26 Jan 2024 16:18:38 +0000

Expanded Microsoft Security Experts offerings provide comprehensive protection
http://approjects.co.za/?big=en-us/security/blog/2023/10/09/expanded-microsoft-security-experts-offerings-provide-comprehensive-protection/
Mon, 09 Oct 2023 16:00:00 +0000

Read about the latest updates to our Microsoft Security Experts product offerings.

The post Expanded Microsoft Security Experts offerings provide comprehensive protection appeared first on Microsoft Security Blog.

Since we first introduced Microsoft Security Experts in May 2022, we’ve worked hard to expand our new security services category. In the past 16 months, we’ve launched new services, expanded our capabilities, and introduced new ways to buy. Our customers face an unprecedented number of security threats that introduce risk to the business. Also, our customers are facing a cybersecurity talent shortage; there is still a need for more than 3.4 million security professionals.[1] Combined with increasing international conflicts and an accelerating cyber arms race, the risk of cyberattacks has never been greater.[2]

At Microsoft, we aim to help our customers meet the range of today’s security demands—together. In this environment, it is not a surprise that organizations are looking to do more with less and turning to managed security services to help their security teams.

[Promotional card: Microsoft Security Experts. Extend your ability to defend and manage with a comprehensive line of services from the experts at Microsoft.]

Microsoft Defender Experts for XDR

In preview last year, Microsoft Defender Experts for XDR is now generally available. This managed extended detection and response (MXDR) service helps customers alleviate some of their most pressing pain points, including alert fatigue, scarce cybersecurity resources, and a limited ability to look end-to-end—beyond the endpoints—to visualize and correlate threat data across their entire digital environment. For most companies, security isn’t their core business. Defender Experts for XDR can help customers drive security operations center (SOC) efficiency and add security expertise to their team quickly, freeing up their time to work on other security priorities.

Microsoft Defender Experts for XDR helps SOC teams focus on what matters, triaging and investigating prioritized incidents on your behalf. Our Defender Experts are available around the clock to chat about specific incidents or alerts, so your team can get immediate confirmation or clarification on a particular incident. Also, they provide detailed best practices and recommendations to help your team prevent future attacks and improve your overall security posture.

To learn more about Defender Experts for XDR, read through our blog that walks through how the service works or watch our explainer video to see the service in action.

Microsoft Defender Experts for Hunting

Microsoft Defender Experts for Hunting is generally available for customers who look to Microsoft to proactively hunt for threats across Microsoft Defender data—including endpoints, email, cloud applications, and identity. Defender Experts for Hunting combines human expertise and hunter-trained AI to probe deeper to expose threats and correlate across your security stack. Improve your SOC response and prioritize significant threats with timely notifications and analysis by our expert threat hunters. And if you have questions, you can contact our Experts on Demand directly within your Microsoft Defender portal.

To learn more about how we approach active threat hunting, read through our Threat Hunting Survival Guide, or read about our participation in MITRE’s first managed services evaluation.

Microsoft Incident Response

For customers that want help remediating a complex breach (or avoiding one altogether), Microsoft Incident Response (Microsoft IR) offers an end-to-end portfolio of proactive and reactive incident response services. We’ve been helping customers with their toughest incident response challenges since 2008. And we created Microsoft IR to be the first call for customers before, during, and after an incident. We operate in 190 countries and our incident responders are seasoned veterans with more than a combined 1,000 years of career experience resolving attacks from ransomware criminals to the most sophisticated nation-state threat actor groups.

Proactive services can help organizations identify and mitigate risks before they become incidents. This includes services such as compromise assessments, threat hunting, and incident response planning. We know companies that put proactive measures in place detect breaches 108 days faster than those without support (214 days compared to 322 days).[3] Reactive services can help organizations respond to a breach quickly and effectively to mitigate damage. This includes services such as incident investigation, containment, and remediation.

Since our last update, Microsoft Incident Response Retainer is now generally available. This new option is designed to give our customers a proactive way to get IR support from Microsoft and was designed to work with cyber insurance. The Microsoft IR Retainer is a flexible and scalable service that can help organizations of all sizes prepare for and respond to cyber incidents. The retainer includes pre-paid hours that provide organizations with peace of mind knowing that they have the resources they need to respond to an incident, regardless of its size or complexity. And if reactive services are not needed, the pre-paid hours can be reallocated to proactive services that help shore up the organization’s security posture. The Microsoft Incident Response Retainer is a valuable tool for organizations of all sizes that want to be prepared for the unexpected. View the explainer video for more information.

To learn more about all our Incident Response services—including the newly available retainer—visit our Microsoft Incident Response webpage or go behind the scenes for an inside look at real-life cyberattack investigations in the Cyberattack Series.

Expert-led security transformation

Microsoft Security Enterprise Services (Enterprise Services), formerly known as Microsoft Security Services for Modernization, has restructured its offerings and is now more focused on helping customers meet modern security needs. These services are ideal for large enterprises that want to leverage Microsoft best practices and know-how as they continue their security transformation. Enterprise Services offers hands-on expertise and advisory services to assess and create your modern organizational cybersecurity strategy. These offerings provide planning and operations expertise to help you mitigate business risks and meet compliance requirements to ensure your business is future-ready. The services have recently been combined into two core expertise areas:

Security Cyber Resilience: End-to-end services to modernize and secure your digital estate including identities, data, applications, and devices across Microsoft Azure and multicloud environments. Microsoft Security Cyber Resilience helps safeguard your digital estate and create a transformation program of change, strategy, and operating models.

Security Operations: Secure your digital estate and safeguard critical information and assets with a security strategy and framework designed and implemented to respond to the modern threat landscape. Security Operations helps create—and action—a program of change for cybersecurity to make your digital estate more secure.

Working alongside our partners

Cybersecurity is a team sport. Too often, organizations play it outnumbered and outsmarted by the attacker. For most companies, cybersecurity is not their core business, and hiring specialized resources to address these concerns can be a challenge. Most customers rely on a trusted security provider in some capacity to help them on their security journey.

Microsoft partners provide robust services and the ability to uniquely customize their offering to your needs. Service providers commonly protect across the breadth of your estate including Microsoft and other third-party security tools. Microsoft’s partners also routinely provide customized service level agreements, data regulatory and industry specialization, and other specialized services aligned with the specific needs you may have, ranging from remotely managed supplementary services to your in-house team through full outsourcing services as required. Microsoft Security Experts services were built to work alongside partner services, and we frequently partner with them on customer requests and design feedback for our solutions.

Over the previous 12 months, more than 40 partners in the Microsoft Cloud Partner Program with Security designations have received Microsoft’s MXDR engineering verification. If you are considering adding MXDR services, we recommend reviewing one of Microsoft’s verified MXDR service partners.

Looking to the future

As we continue to face new cybersecurity challenges, Microsoft will continue to evolve our Microsoft Security Experts services through our innovative engineering practices while leveraging the immense power of AI and other breakthrough technologies to help protect individuals, businesses, and more. Visit the Microsoft Security Experts page to learn more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] Revealing New Opportunities for the Cybersecurity Workforce, (ISC)2, 2022.

[2] Top Risks in Cybersecurity 2023, Bipartisan Policy Center, February 13, 2023.

[3] Cost of a Data Breach Report 2023, IBM, 2023.


Microsoft Defender Experts for XDR helps triage, investigate, and respond to cyberthreats
http://approjects.co.za/?big=en-us/security/blog/2023/07/24/microsoft-defender-experts-for-xdr-helps-triage-investigate-and-respond-to-cyberthreats/
Mon, 24 Jul 2023 16:00:00 +0000

Take a closer look at how Microsoft Defender Experts for XDR works, and how it complements the power of the Microsoft 365 Defender suite.


It has been an eventful time since the introduction of Microsoft Security Experts.[1] We launched Defender Experts for Hunting, our first-party managed threat hunting service for customers who want Microsoft to help them proactively hunt threats across endpoints, Microsoft Office 365, cloud applications, and identity.[2] We also participated in the inaugural 2022 MITRE Engenuity ATT&CK® Evaluations for Managed Services, where Microsoft demonstrated industry-leading results.[3] And finally, we announced the general availability of Microsoft Defender Experts for XDR, our first-party Managed Extended Detection and Response (MXDR) service.[4] We’re excited about the launch of our newest service, so let’s take a deeper look at Defender Experts for XDR and how it works.

[Promotional card: Microsoft Defender Experts for XDR. Meet the new first-party MXDR services from Microsoft with end-to-end protection and expertise.]

Defender Experts for XDR builds on Microsoft’s industry-leading XDR suite

Industry-leading technologies serve as the backbone of any managed security service, and Defender Experts for XDR builds on the defining benchmark that Microsoft 365 Defender has set in the extended detection and response space. Microsoft was named a Leader in The Forrester New Wave™: Extended Detection and Response (XDR), Q4, 2021, one of only two providers to be named a Leader.[5] Microsoft 365 Defender was rated as “differentiated” in seven criteria including detection, investigation, response, and remediation. Forrester noted that our decision to regulate inputs into XDR, specifically to rich, native telemetry, yields tailored detection, investigation, response, and mitigation capabilities.

Forrester notes that “there is a deep divide in the XDR market between those far along the path and those just starting to deliver on the vision of XDR” and those mature providers “combine the best elements of their portfolios, including industry-leading products, to simplify incident response and build targeted, high-efficacy detections.”

The right and leading technologies are crucial to implementing managed services. Microsoft has a leading endpoint detection and response (EDR) solution, and while EDR is important and serves a valuable purpose, it is insufficient as the only method to protect against evolving threats.[6] In addition, “too many tools, or worse, duplicate tools in the SOC [security operations center] need to be rationalized and managed security services like MDR [managed detection and response] are increasingly seen as not only a cost savings opportunity but also as a way to rapidly mature their capabilities.”[7] With Microsoft’s XDR solution coupled with Defender Experts for XDR, we can deliver end-to-end protection and expertise.

How Microsoft Defender Experts for XDR works

Our Defender Experts team delivers the essential human element that complements the power of our Microsoft 365 Defender suite. They are the tip of the spear: drawing on unparalleled access to data and intelligence across nation-state and e-crime activity, new vulnerability data, newly observed tactics and techniques, and more, they analyze and curate a hypothesis-led hunting strategy to find emerging, suspicious activities. In turn, they deliver that expertise to your security team immediately to help address coverage gaps and augment your overall security operations.

[Diagram: the four steps of continuous security posture improvement, namely triage, investigate, respond, and prevent.]

Figure 1. This diagram describes how Microsoft conducts its four-step Defender Experts for XDR process. It starts with triage and prioritizing Microsoft 365 Defender incidents and alerts to alleviate alert fatigue. Microsoft investigates and analyzes the most critical incidents first, documenting the process and findings. In the response step, Microsoft helps contain and mitigate incidents faster by delivering step-by-step guided and managed response, with Defender Experts available on-demand by live chat. Detailed recommendations and best practices are then provided to prevent future attacks. This process delivers continuous security posture improvements around the clock.

As an extension of your team, Defender Experts for XDR empowers you to respond with confidence. Our Defender Experts work around the clock, monitoring your environment and triaging the incidents that need immediate attention. In the event your organization is being affected by a critical incident, our team will investigate it, correlate the threat data to determine the root cause, and provide step-by-step response actions you need to take to contain and remediate the threat. You can take it further and give us permission to contain and remediate the threat for you.

[Screenshot: a multistage incident in the Microsoft 365 Defender dashboard.]

Figure 2. This graphic shows a multistage incident in Microsoft 365 Defender. It includes the attack story of the active alerts related to the incident as well as the Defender Experts section that shows the guided response that includes the actions needed to resolve the incident immediately.

This is all available to you in a turnkey experience, where you can get up and running in hours, with the help of your dedicated service delivery manager (SDM)—your trusted advisor, who is available to you at any given time. And if you have any questions or need additional context on a particular incident, you can access our experts around the clock through live chat. Our detailed, real-time reporting shows you the comprehensive details of investigations into critical incidents, and how long it takes for our team to conduct the investigations on your behalf.

[Graph: time saved using Microsoft Defender Experts for XDR.]

Figure 3. The graph highlights the number of hours that a customer spent completing guided response tasks and the potential time savings a customer can realize if Defender Experts for XDR handles response on their behalf.

“Defender Experts for XDR found a shadow IT detection on the first day of service,” said Mike Johnson, Global Cyber Threat and Incident Response Security Operations Center Manager at Verifone. “I was impressed that they found a real issue for us so fast—none of our other tools alerted us about it.”

Defender Experts for XDR also provides recommendations on how your team can be proactive to prevent the next attack and reduce the number of incidents over time to improve your security posture. “Organizations who need to augment their SOC with 24/7 coverage and immediate access to expertise that will help them quickly triage, investigate, and respond to incidents should explore a managed XDR service,” said Craig Robinson, Vice President of Security Services at IDC Research. “Microsoft’s new MXDR service positions them to support the needs of organizations facing talent shortages who need to scale their security programs quickly, address coverage gaps, and protect their environment.”

Learn more about Microsoft Defender Experts for XDR

Defender Experts for XDR can quickly deliver expertise to your security teams, help address coverage gaps, and add capabilities like proactive threat hunting to augment your overall security operations. Our customers and partners have been instrumental in the development of Defender Experts for XDR and your continued trust in us drives our team to listen, learn, and adapt to meet your evolving needs. We’re excited about the road ahead and look forward to being a part of your security journey and building a safer world for everyone.

To learn more about the service, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, download the datasheet, or watch a short video.



[1] Building a safer world together with our partners—introducing Microsoft Security Experts, Vasu Jakkal, May 9, 2022.

[2] Microsoft Defender Experts for Hunting proactively hunts threats, Microsoft Security Experts, August 3, 2022.

[3] Microsoft Defender Experts for Hunting demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations for Managed Services, Ryan Kivett, November 9, 2022.

[4] Meet unprecedented security challenges by leveraging MXDR services, Microsoft Security Experts, July 10, 2023.

[5] Forrester Research, Inc., The Forrester New Wave™: Extended Detection And Response (XDR) Providers, Q4 2021, Allie Mellen, Joseph Blankenship, Alexis Tatro, Peggy Dostie, October 13, 2021.

[6] Microsoft is named a Leader in the 2022 Gartner® Magic Quadrant™ for Endpoint Protection Platforms, Rob Lefferts, March 2, 2023.

[7] Applying the Lessons Learned from 2022 Is Vital for Security Service Providers to Secure Growth in 2023, Doc #US50206623, IDC, February 2023.


Meet unprecedented security challenges by leveraging MXDR services
http://approjects.co.za/?big=en-us/security/blog/2023/07/10/meet-unprecedented-security-challenges-by-leveraging-mxdr-services/
Mon, 10 Jul 2023 16:00:00 +0000

Microsoft is excited to announce the general availability of Microsoft Defender Experts for XDR, a first-party MXDR offering that gives security teams air cover with end-to-end protection and expertise.


We know customers of every size face ever-increasing security risks. In just the last 12 months, the speed at which attackers exploit a breach has also increased: it takes only 72 minutes on average for an attacker to access private data from the time a user falls victim to a phishing email.[1] Data breaches from insider threats have also risen 44 percent this last year.[2] Organizations need to be prepared not only to monitor their entire environment but also to have the experts in place to quickly analyze and respond.

Endpoint-focused detection and response are insufficient to protect against evolving threats

Historically, many customers have begun their security journey by focusing on endpoint security products. But in today’s connected and dynamic world, organizations risk serious data breaches if they are not looking end-to-end. Specific pain points our customers often encounter include:

  • Inability to resource cybersecurity experts: Teams may lack the skill sets needed to thoroughly investigate incidents and do not have the capacity for round-the-clock coverage. And even if organizations have the budget to hire internally, a resource gap in the industry can make it very difficult to hire the right talent in a timely fashion.
  • Triaging vast amounts of security alerts and data: Many companies are dealing with alert fatigue, and they need to focus on the things that matter. They need help beyond just cleaning up minor incidents or false positive alerts. They need help enhancing their security posture to reduce the volume of alerts and incidents they see over time.
  • Ability to look end-to-end: Many organizations have made the jump to endpoint detection and response (EDR), but they’re not getting visibility into their environment beyond the endpoint. The advantage of Managed Extended Detection and Response (MXDR) over endpoint-focused managed detection and response (MDR) solutions is the ability to go beyond the endpoint to visualize and correlate threat data across domains and have that human-led expertise delivered quickly to help organizations accelerate or augment their security operations center capabilities.

Managed Extended Detection and Response changes how security work gets done

Microsoft believes it’s critical that customers not only have their environments well protected using Zero Trust principles leveraging advanced security technologies but also have the expertise available to them to fully triage events and respond to incidents 24 hours a day, 7 days a week.

Cybersecurity is a team sport. Too often, organizations play it outnumbered and outsmarted by the attacker. When your security team is challenged by a sophisticated adversary, an MXDR service provider can bring the power of best-in-class technologies and security know-how to tip the scales in your favor.

For most companies, cybersecurity is not their core business, and having the specialized resources to address these concerns can be a challenge. According to Gartner®, “by 2025, 60 percent of organizations will be actively using remote threat disruption and containment capabilities delivered directly by MDR providers, up from 30 percent today.”[3]

How an MXDR service can work for you

A Managed Extended Detection and Response (MXDR) service is an extension of your team, empowering you to have specialist resources available around the clock. Monitoring your environment and triaging incidents that need immediate attention in a timely manner is critical to maintaining a healthy security posture. In the event your organization is affected by a critical incident, you will want to ensure you have the resources to investigate the incident, correlate the threat data to determine the root cause, and implement step-by-step response actions to contain and remediate the threat.

Microsoft-verified MXDR partner services

Most customers rely on a trusted security provider in some capacity to help them on their security journey. To assist customers as they consider MXDR services to further protect their organization, Microsoft has provided our Microsoft Cloud Partner Program members a way to receive Microsoft-verified MXDR partner status. This status means Microsoft engineers have reviewed and audited a partner’s MXDR solution to meet the highest industry standards of round-the-clock security including proactive threat hunting, investigation, response, and prevention services. This verification can help you identify potential service partners who can help you secure your users and multicloud infrastructure.

Microsoft partners provide a full line of services and the ability to uniquely customize their offering to your needs. Service providers commonly protect across the breadth of your estate including Microsoft and other third-party security tools. Microsoft’s partners also routinely provide customized service level agreements, data regulatory and industry specialization, and other specialized services aligned with the specific needs you may have, ranging from remotely managed supplementary services to your in-house team through full outsourcing services as required.

Over the previous 12 months, more than 40 partners in the Microsoft Cloud Partner Program with Security designations have now received this engineering verification. If you are considering adding MXDR services, Microsoft recommends reviewing one of Microsoft’s verified MXDR service partners.

Microsoft Defender Experts for XDR

Microsoft is committed to ensuring customers have all the help they need. Customizable partner offerings cover the full range of global customer needs. For customers that require XDR products and managed services from a single platform provider, Microsoft is excited to announce the general availability of Microsoft Defender Experts for XDR, a first-party MXDR offering that gives security teams air cover with leading end-to-end protection and expertise. Powered by Microsoft’s best-in-class XDR suite, Defender Experts for XDR helps security teams triage, investigate, and respond to incidents related to email, cloud applications, endpoint, and identity to stop attackers in their tracks and prevent future compromise.

Capabilities include:

  • Managed detection and response—Let our expert analysts manage your Microsoft 365 Defender incident queue and guide your response to incidents or handle triage, investigation, and response on your behalf.
  • Proactive threat hunting—Extend your team’s threat-hunting capabilities and prioritize significant threats with Microsoft Defender Experts for Hunting built in.
  • Live dashboards and reports—Get a transparent view of our operations conducted on your behalf, along with a noise-free, actionable view of what matters for your organization, coupled with detailed analytics.
  • Proactive check-ins—Benefit from remote, periodic check-ins with your named service delivery manager to guide your MXDR experience and improve your security posture.
  • Fast and seamless onboarding—Get a guided baselining experience to ensure your Microsoft security products are correctly configured.


Learn more

To learn more about this service, visit the Defender Experts for XDR product page and visit the Microsoft Defender Experts for XDR documentation page.



[1] Anatomy of a modern attack surface: Six areas for organizations to manage, Microsoft, May 5, 2023.

[2] 2022 Cost of Insider Threats: Global Report, The Ponemon Institute, 2022.

[3] Gartner®, Market Guide for Managed Detection and Response Services, Pete Shoard, Al Price, Mitchell Schneider, Craig Lawson, Andrew Davies, February 14, 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.


Solving one of NOBELIUM’s most novel attacks: Cyberattack Series
http://approjects.co.za/?big=en-us/security/blog/2023/02/08/solving-one-of-nobeliums-most-novel-attacks-cyberattack-series/
Wed, 08 Feb 2023 17:00:00 +0000

This is the first in an ongoing series exploring some of the most notable cases of the Microsoft Detection and Response Team (DART), which investigates cyberattacks on behalf of our customers. The Cyberattack Series takes you behind the scenes for an inside look at the investigation and shares lessons that you can apply to better protect your own organization. In this story, we’ll explore how NOBELIUM continues to target identity providers with novel attacks—and how Microsoft DART identified one of NOBELIUM’s most creative exploits yet.


Our story begins with eight Microsoft Detection and Response Team (DART) analysts gathered around a customer’s conference room to solve a cybersecurity mystery. Joined by members of the customer’s cybersecurity team, they were there to figure out how a Russia-based nation-state hacking group known as NOBELIUM had bypassed authentication checks and impersonated users to gain access to its data. This attack, later known as MagicWeb, wasn’t so much a whodunit as a how-done-it.

To discover potential security threats like MagicWeb, Microsoft DART uses the trillions of security signals that Microsoft tracks daily that help provide broad and deep insight into the threat landscape. Microsoft DART and the Microsoft Threat Intelligence Center (MSTIC) work together to find bad actors, understand their tactics, techniques, and procedures (TTPs), and alert the organizations that are, or could be, at risk. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. In some cases, the notified customers will engage with Microsoft DART and other industry partners on investigations, gathering new insights and disrupting the threat actors at each stage of the campaign.

NOBELIUM is an advanced and persistent adversary because of its tenacious attacks and ever-evolving TTPs. Most attackers play an impressive game of checkers, but increasingly we see advanced persistent threat actors playing a masterclass-level game of chess.

MagicWeb is a great example of NOBELIUM’s advanced attacks and was first profiled by Microsoft in August 2022. It was the first time that a Global Assembly Cache (GAC) implant was seen in the wild. This malware, later named MagicWeb, allows the attacker to authenticate as anyone in a targeted network and maintain persistent access to the customer environment they compromised. The team quickly homed in on examining certificate irregularities, which helped to solve the incident. The key to understanding MagicWeb lay in highly privileged certificates that NOBELIUM used to move laterally to gain administrative privileges to an Active Directory Federation Services (AD FS) system. The team discovered that NOBELIUM was using a compromised dynamic link library (DLL) that lived in an obscure GAC, a machine-wide cache for the common language infrastructure in the .NET framework.

Read the report to go deeper into the details of the attack, including NOBELIUM’s tactics, the response activity, and lessons that other organizations can learn from this case.

What is the Cyberattack Series?

With this new Cyberattack series, customers will discover how Microsoft incident responders investigate unique and notable exploits. For each attack story, we will share:

  • How the attack happened
  • How the breach was discovered
  • Microsoft’s investigation and eviction of the threat actor
  • Strategies to avoid similar attacks

Learn more

To learn more about Microsoft incident response capabilities, visit our website or reach out to your Microsoft account manager or Premier Support contact. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Solving one of NOBELIUM’s most novel attacks: Cyberattack Series appeared first on Microsoft Security Blog.

Token tactics: How to prevent, detect, and respond to cloud token theft http://approjects.co.za/?big=en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/ Wed, 16 Nov 2022 16:00:00 +0000 As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose.

The post Token tactics: How to prevent, detect, and respond to cloud token theft appeared first on Microsoft Security Blog.

As organizations increase their coverage of multifactor authentication (MFA), threat actors have moved to more sophisticated techniques that let them compromise corporate resources without satisfying MFA. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers using token theft for this purpose. By stealing and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the MFA check and is granted access to organizational resources. This tactic is concerning for defenders because little expertise is needed to steal a token, the replay is hard to detect, and few organizations have token theft mitigations in their incident response plan.

Why it matters

In the new world of hybrid work, users may be accessing corporate resources from personally owned or unmanaged devices which increases the risk of token theft occurring. These unmanaged devices likely have weaker security controls than those that are managed by organizations, and most importantly, are not visible to corporate IT. Users on these devices may be signed into both personal websites and corporate applications at the same time, allowing attackers to compromise tokens belonging to both.

Publicly available open-source tools for stealing and replaying tokens already exist, and commodity credential theft malware has been adapted to include this technique in its arsenal. Detecting token theft is difficult without the proper safeguards and visibility into authentication endpoints. Microsoft DART aims to give defenders the knowledge and strategies needed to mitigate this tactic until permanent solutions become available.

Tokens are at the center of OAuth 2.0 identity platforms, such as Azure Active Directory (Azure AD). To access a resource (for example, a web application protected by Azure AD), a user must present a valid token. To obtain that token, the user must sign into Azure AD using their credentials. At that point, depending on policy, they may be required to complete MFA. The user then presents that token to the web application, which validates the token and allows the user access.

Flowchart for Azure Active Directory issuing tokens.
Figure 1. OAuth Token flow chart

When Azure AD issues a token, it contains information (claims) such as the username, the source IP address of the sign-in, the authentication methods used (including whether MFA was satisfied), and more. It also reflects the directory roles the user holds: if you sign in as a Global Administrator to your Azure AD tenant, the token will carry that privilege. The two most common token theft techniques DART has observed are adversary-in-the-middle (AitM) phishing frameworks and commodity malware that steals browser cookies (enabling a ‘pass-the-cookie’ scenario).
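To make those claims concrete, here is an added example (not code from the Microsoft post) that decodes the payload of a token recovered during an incident and summarises the claims that matter in a token-theft investigation: who it was issued to, from which IP, whether MFA was satisfied, whether it carries the Global Administrator role, and how long a replayed copy stays usable. The sample token, tenant ID, user and IP addresses are constructed; the Global Administrator role template ID is the published Microsoft value. The signature is deliberately not verified, because this is triage of a token already in hand, not validation.

```python
import base64
import json

# Well-known Azure AD directory role template ID for Global Administrator
# (a published Microsoft constant; every other value in this file is constructed).
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Triage helper for a token already recovered (from a phishing kit, a proxy
    log, a victim device). Never use it to decide whether to trust a token;
    resources do that by checking the signature against the issuer's keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment compact JWS (header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg", "none").lower() == "none":
        raise ValueError("refusing to triage an unsigned (alg=none) token")
    return json.loads(_b64url_decode(parts[1]))


def triage_token(claims: dict, now_epoch: int) -> dict:
    """Summarise the security-relevant claims of an Azure AD access token."""
    amr = claims.get("amr", [])  # authentication methods used at sign-in
    return {
        "user": claims.get("upn") or claims.get("preferred_username"),
        "issued_from_ip": claims.get("ipaddr"),
        "mfa_satisfied": "mfa" in amr,
        "global_admin": GLOBAL_ADMIN_TEMPLATE_ID in claims.get("wids", []),
        # How long a replayed copy keeps working even after refresh-token revocation.
        "seconds_until_expiry": max(0, int(claims["exp"]) - now_epoch),
    }


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED token for the demo; the signature is a dummy string."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed claims mimicking an Azure AD access token; tenant ID and IPs are placeholders.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "iat": 1668614400, "nbf": 1668614400, "exp": 1668618000,  # one-hour lifetime
    "upn": "alice@contoso.example",
    "ipaddr": "203.0.113.10",
    "amr": ["pwd", "mfa"],
    "wids": [GLOBAL_ADMIN_TEMPLATE_ID],
}

if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    # Evaluate 30 minutes after issuance: a replayed copy is still good for 1800 s.
    print(json.dumps(triage_token(parse_token_claims(token), now_epoch=1668616200), indent=2))
```

The `amr` claim is what tells an investigator that the stolen token already satisfied MFA, which is exactly why replaying it is not challenged; the `exp` arithmetic is the same window discussed later under refresh-token revocation.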

With traditional credential phishing, the attacker uses the credentials they have captured to try to sign in to Azure AD. If the security policy requires MFA, the attacker is halted at that step: the user’s credentials have been compromised, but the threat actor is still prevented from accessing organizational resources.

Flowchart describing how credential phishing attacks are mitigated by multifactor authentication.
Figure 2. Common credential phishing attack mitigated by MFA

Adversary-in-the-middle (AitM) phishing attack

Attacker methodologies are always evolving, and DART has seen an increase in attackers using AitM techniques to steal tokens rather than just passwords. Frameworks like Evilginx2 go far beyond credential phishing by inserting malicious infrastructure, a reverse proxy, between the user and the legitimate application the user is trying to reach. When the user is phished, the proxy relays the genuine sign-in, MFA prompt included, and captures both the user’s credentials and the resulting session token.

Flowchart describing how an adversary in the middle attack works.
Figure 3. Adversary-in-the-middle (AitM) attack flowchart

If a regular user is phished and their token stolen, the attacker may attempt business email compromise (BEC) for financial gain. If a token with Global Administrator privilege is stolen, then they may attempt to take over the Azure AD tenant entirely, resulting in loss of administrative control and total tenant compromise.

Pass-the-cookie attack

A “pass-the-cookie” attack is a type of attack where an attacker can bypass authentication controls by compromising browser cookies. At a high level, browser cookies allow web applications to store user authentication information. This allows a website to keep you signed in and not constantly prompt for credentials every time you click a new page.

“Pass-the-cookie” is like pass-the-hash or pass-the-ticket attacks in Active Directory. After authentication to Azure AD via a browser, a cookie is created and stored for that session. If an attacker can compromise a device and extract the browser cookies, they could pass that cookie into a separate web browser on another system, bypassing security checkpoints along the way. Users who are accessing corporate resources on personal devices are especially at risk. Personal devices often have weaker security controls than corporate-managed devices and IT staff lack visibility to those devices to determine compromise. They also have additional attack vectors, such as personal email addresses or social media accounts users may access on the same device. Attackers can compromise these systems and steal the authentication cookies associated with both personal accounts and the users’ corporate credentials.

Flowchart describing how pass-the-cookie attack works
Figure 4. Pass-the-cookie attack flowchart

Commodity credential theft malware such as Emotet, Redline, and IcedID has built-in functionality to extract and exfiltrate browser cookies. Additionally, the attacker does not need to know the compromised account’s password or even its email address for this to work; the session identity is carried by the cookie itself.

Recommendations

Protect

Organizations can take a significant step toward reducing the risk of token theft by ensuring they have full visibility of where and how their users authenticate. To access critical applications like Exchange Online or SharePoint, the device used should be known to the organization. Compliance tools like Intune, combined with device-based Conditional Access policies, help keep devices current with patches, antivirus definitions, and EDR agents. Allowing only known devices that adhere to Microsoft’s recommended security baselines reduces the risk of commodity credential theft malware compromising end user devices in the first place.

For those devices that remain unmanaged, consider utilizing session conditional access policies and other compensating controls to reduce the impact of token theft:

Protect your users by blocking initial access:

  • Plan and implement phishing resistant MFA solutions such as FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for users.
    • While this may not be practical for all users, it should be considered for users of significant privilege like Global Admins or users of high-risk applications.
  • Users that hold a high level of privilege in the tenant should have a segregated, cloud-only identity for all administrative activities, so that an on-premises domain compromise cannot be used to abuse privilege in the cloud. These identities should also have no mailbox attached, to reduce the likelihood of privileged account compromise via phishing.

We recognize that while it is recommended to enforce location, device compliance, and session lifetime controls on all applications, this is not always practical. Decision-makers should instead prioritize these controls for the applications and users that pose the greatest risk to the organization, which may include:

  • Highly privileged users like Global Administrators, Service Administrators, Authentication Administrators, and Billing Administrators among others.
  • Finance and treasury type applications that are attractive targets for attackers seeking financial gain.
  • Human capital management (HCM) applications containing personally identifiable information that may be targeted for exfiltration.
  • Control and management plane access to Microsoft 365 Defender, Azure, Office 365 and other cloud app administrative portals.
  • Access to Office 365 services (Exchange, SharePoint, and Teams) and productivity-based cloud apps.
  • VPN or remote access portals that provide external access to organizational resources.

Detect

When a token is replayed, the threat actor’s sign-in can trigger anomalous-feature and impossible-travel alerts. Azure Active Directory Identity Protection and Microsoft Defender for Cloud Apps both alert on these events, and Azure AD Identity Protection has a specific detection for anomalous token events. That token anomaly detection is deliberately tuned to be noisier than other alerts, trading more false positives for a lower chance that a genuine token theft is missed.

DART recommends focusing on high severity alerts and on users who trigger multiple alerts in quick succession. Detection rules mapped to the MITRE ATT&CK framework can help separate genuine compromise from noise: for example, a risky sign-in followed closely by indicators of persistence, such as mailbox rule creation.
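As an added illustration (not part of the original post), the following detection logic runs over a handful of constructed sign-in and audit events and implements the two patterns above: one session ID replayed from two countries within an hour, and a risky sign-in followed within 30 minutes by a persistence action such as New-InboxRule. The flat field names (time, user, ip, country, session_id, risk, operation) are a simplification of the Azure AD sign-in and Unified Audit Log schemas, and the assumption that session_id ties together sign-ins that reuse one refresh token or browser session is ours.

```python
from datetime import datetime, timedelta
from itertools import combinations

# CONSTRUCTED sample events. Field names are a simplified, flat view of what the
# Azure AD sign-in logs and the Unified Audit Log carry, not the exact schemas.
# "session_id" is assumed to link sign-ins that reuse one refresh token / browser
# session. Timestamps are ISO 8601, UTC. IPs are documentation ranges.
SIGNIN_EVENTS = [
    {"time": "2022-11-16T08:00:00", "user": "alice@contoso.example", "ip": "203.0.113.10",
     "country": "GB", "session_id": "s-1001", "risk": "none"},
    {"time": "2022-11-16T08:22:00", "user": "alice@contoso.example", "ip": "198.51.100.7",
     "country": "NG", "session_id": "s-1001", "risk": "high"},
    {"time": "2022-11-16T09:00:00", "user": "bob@contoso.example", "ip": "192.0.2.44",
     "country": "US", "session_id": "s-2002", "risk": "none"},
]
AUDIT_EVENTS = [
    {"time": "2022-11-16T08:31:00", "user": "alice@contoso.example", "operation": "New-InboxRule",
     "details": "MoveToFolder=Archive;SubjectContainsWords=invoice"},
    {"time": "2022-11-16T09:05:00", "user": "bob@contoso.example", "operation": "Set-Mailbox",
     "details": "ForwardingSmtpAddress=None"},
]

# Audit operations DART lists as persistence, mapped to MITRE ATT&CK sub-techniques.
PERSISTENCE_OPERATIONS = {
    "New-InboxRule": "T1114.003",          # Email Collection: Email Forwarding Rule
    "Set-InboxRule": "T1114.003",
    "Set-Mailbox": "T1114.003",            # forwarding configured on the mailbox itself
    "Add-MailboxPermission": "T1098.002",  # Account Manipulation: Additional Email Delegate Permissions
}


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def find_session_replay(signins, window=timedelta(hours=1)):
    """Flag one session ID used from two countries within the window (token/cookie replay)."""
    by_session = {}
    for ev in signins:
        by_session.setdefault(ev["session_id"], []).append(ev)
    alerts = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: _t(e["time"]))
        for a, b in combinations(events, 2):
            if a["country"] != b["country"] and _t(b["time"]) - _t(a["time"]) <= window:
                alerts.append({
                    "user": a["user"],
                    "technique": "T1550.001/T1550.004",  # Application Access Token / Web Session Cookie
                    "reason": (f"session {sid} used from {a['country']} ({a['ip']}) "
                               f"and {b['country']} ({b['ip']}) within {window}"),
                })
    return alerts


def find_risky_signin_then_persistence(signins, audits, window=timedelta(minutes=30)):
    """Flag a medium/high-risk sign-in followed by a persistence action by the same user."""
    alerts = []
    for s in signins:
        if s["risk"] not in ("medium", "high"):
            continue
        start = _t(s["time"])
        for a in audits:
            if a["user"] != s["user"] or a["operation"] not in PERSISTENCE_OPERATIONS:
                continue
            delta = _t(a["time"]) - start
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": s["user"],
                    "technique": PERSISTENCE_OPERATIONS[a["operation"]],
                    "reason": f"{s['risk']}-risk sign-in from {s['ip']} followed by {a['operation']} after {delta}",
                })
    return alerts


def run_detections(signins=SIGNIN_EVENTS, audits=AUDIT_EVENTS):
    return find_session_replay(signins) + find_risky_signin_then_persistence(signins, audits)


if __name__ == "__main__":
    for alert in run_detections():
        print(f"[{alert['technique']}] {alert['user']}: {alert['reason']}")
```

On the sample data only alice is flagged, twice: once for the session replayed from a second country, once for the inbox rule created nine minutes after the high-risk sign-in. Bob’s Set-Mailbox is ignored because it follows a sign-in with no risk; in production you would widen both windows and add the MFA-method and device-registration operations from the persistence list below.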

Response and investigation

If a user is confirmed compromised and their token stolen, DART recommends several steps to evict the threat actor. Azure AD can revoke a user’s refresh tokens; once revoked, a refresh token can no longer be exchanged for new access tokens, and when the current access token expires the user is prompted to re-authenticate. The following graphic outlines the methods by which access is terminated entirely:

Chart showing refresh revocation by type
Figure 5. Refresh token revocation by type

Revoking refresh tokens (through the Azure AD portal, Microsoft Graph, or Azure AD PowerShell) and resetting the user’s password are both required; doing only one of the two leaves the revocation process incomplete.

Importantly, revoking refresh tokens via the above methods doesn’t invalidate an already-issued access token, which can remain valid for up to an hour. The threat actor may therefore retain access to the compromised account until that access token expires. Azure AD now supports continuous access evaluation (CAE) for Exchange, SharePoint, and Teams, which allows access tokens to be revoked in near real time after a ‘critical event’ such as a password reset or session revocation, significantly reducing the delay between refresh token revocation and access token expiry.
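The eviction sequence, as an added example rather than Microsoft’s own tooling, against the Microsoft Graph v1.0 endpoints: PATCH /users/{id} with a passwordProfile to reset the password, then POST /users/{id}/revokeSignInSessions to revoke refresh tokens. It assumes a bearer token for an identity permitted to do both (for example a Privileged Authentication Administrator, which is an assumption about your tenant); the user, the temporary password and the dry-run client are constructed so the runbook can be rehearsed offline.

```python
import json
from urllib import request

GRAPH = "https://graph.microsoft.com/v1.0"


class GraphClient:
    """Minimal Microsoft Graph caller. The bearer token must belong to an identity
    allowed to reset passwords and revoke sessions (assumed: a Privileged
    Authentication Administrator, or an app granted User.ReadWrite.All)."""

    def __init__(self, access_token):
        self._token = access_token

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(GRAPH + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self._token}")
        req.add_header("Content-Type", "application/json")
        with request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            raw = resp.read()
        return json.loads(raw) if raw else {}  # PATCH returns 204 with no body


class DryRunClient:
    """Records the calls evict_user would make instead of sending them, so the
    runbook can be rehearsed offline. Responses mirror Graph's real shapes:
    empty for the PATCH, {"value": true} for revokeSignInSessions."""

    def __init__(self):
        self.calls = []

    def call(self, method, path, body=None):
        self.calls.append((method, path, body))
        return {"value": True} if path.endswith("/revokeSignInSessions") else {}


def evict_user(client, user_id, new_password):
    """Cut off a compromised account: reset the password, then revoke refresh tokens.

    Both steps are needed. Resetting the password alone leaves existing refresh
    tokens usable; revoking alone lets the attacker sign in again with the stolen
    password. Already-issued access tokens survive until their 'exp' (up to an
    hour) unless the resource enforces continuous access evaluation.
    """
    client.call("PATCH", f"/users/{user_id}", {
        "passwordProfile": {
            "password": new_password,
            "forceChangePasswordNextSignIn": True,
        }
    })
    result = client.call("POST", f"/users/{user_id}/revokeSignInSessions")
    if result.get("value") is not True:
        raise RuntimeError(f"revokeSignInSessions did not confirm for {user_id}: {result!r}")
    return {"user": user_id, "password_reset": True, "refresh_tokens_revoked": True}


if __name__ == "__main__":
    rehearsal = DryRunClient()
    print(evict_user(rehearsal, "alice@contoso.example", "Temp-Replace-Me-9!"))
    for call in rehearsal.calls:
        print(call)
```

Swap `DryRunClient` for `GraphClient(token)` to run it for real. The check on `value` matters: a revocation that silently fails leaves the attacker’s refresh token alive, which is the scenario the ordering above is meant to prevent.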

Microsoft DART also recommends checking the compromised user’s account for other signs of persistence. These can include:

  • Mailbox rules – threat actors often create specific mailbox rules to forward or hide email. These can include rules to hide emails in folders that are not often used. For example, a threat actor may forward all emails containing the keyword ‘invoice’ to the Archive folder to hide them from the user or forward them to an external email address.
  • Mailbox forwarding – email forwarding may be configured to send a copy of all email to an external email address. This allows the threat actor to silently retrieve a copy of every email the user receives.
  • Multifactor authentication modification – DART has detected instances of threat actors registering additional authentication methods against compromised accounts for use with MFA, such as phone numbers or authenticator apps.
  • Device enrollment – in some cases, DART has seen threat actors register a device they control in the victim’s Azure AD tenant, in an attempt to satisfy Conditional Access rules that exclude known or compliant devices.
  • Data exfiltration – threat actors may use the inbuilt sharing functionality in SharePoint and OneDrive to share important or sensitive documents and organizational resources externally.

To strengthen your security posture, you should configure alerts to review high-risk modifications to a tenant. Some examples of this are:

  • Modification or creation of security configurations
  • Modification or creation of Exchange transport rules
  • Modification or creation of privileged users or roles

Incident responders should review any audit logs related to user activity to look for signs of persistence. Logs available in the Unified Audit Log, Microsoft Defender for Cloud Apps, or SIEM solutions like Microsoft Sentinel can aid with investigations.

Conclusion

Although threat actor tactics are constantly evolving, it is important to note that multifactor authentication, combined with other basic security hygiene (running antimalware, applying least privilege principles, keeping software up to date, and protecting data), still protects against 98% of all attacks.

Fundamentally, it is important to consider the identity trust chain for the organization, spanning both internally and externally. The trust chain includes all systems (such as identity providers, federated identity providers, MFA services, VPN solutions, cloud-service providers, and enterprise applications) that issue access tokens and grant privilege for identities both cloud and on-premises, resulting in implicit trust between them.

In instances of token theft, adversaries insert themselves in the middle of the trust chain and often subsequently circumvent security controls. Having visibility, alerting, insights, and a full understanding of where security controls are enforced is key. Treating both identity providers that generate access tokens and their associated privileged identities as critical assets is strongly encouraged.

Adversaries have and will continue to find ways to evade security controls. The tactics utilized by threat actors to bypass controls and compromise tokens present additional challenges to defenders. However, by implementing the controls presented in this blog DART believes that organizations will be better prepared to detect, mitigate, and respond to threats of this nature moving forward.


Microsoft Security tips for mitigating risk in mergers and acquisitions http://approjects.co.za/?big=en-us/security/blog/2022/11/02/microsoft-security-tips-for-mitigating-risk-in-mergers-and-acquisitions/ Wed, 02 Nov 2022 16:00:00 +0000 Mergers and acquisitions can be challenging. Microsoft’s Security Experts share what to ask before, during, and after one to secure identity, access control, and communications.

The post Microsoft Security tips for mitigating risk in mergers and acquisitions appeared first on Microsoft Security Blog.

Sixty-two percent of organizations that undertake mergers and acquisitions face significant cybersecurity risks or consider cyber risks their biggest concern post-acquisition.1 Threat actors that focus on corporate espionage often target the acquiring company, which we will refer to as the Parent, early in the bidding process to gain a competitive advantage. Other threat actors focus on planting backdoors in the entity being acquired, which we will refer to as the Acquisition with the intent of later compromising the Parent company.

A Parent company can take several approaches to integrating the Acquisition within the organization’s IT environment. These include migrating the Acquisition’s services and users into the Parent’s IT environment or directly connecting the Acquisition’s IT environment through technical means. (See Figure 1.)

The first option has long-term security benefits, given that only selected elements of the Acquisition are incorporated into the Parent environment. On the other hand, depending on the complexity of both parties, this process can be time-consuming and costly.

The second option can be quicker to execute and reduce disruption to the operations of both parties; however, there may be hidden security and technical debt that may be costly to address in the long term.

So, what should an organization consider when determining the best plan of action for security in a merger or acquisition?

Illustration of two circles coming together to illustrate two approaches to integrating the Acquisition within the organization’s IT environment. This can be to either directly connect to the IT environment of the acquisition and keep existing systems or migrate all information into the Parent organizations environment.

Figure 1. Two avenues IT leadership can take with mergers and acquisitions.

Security risks in mergers and acquisitions

It is common for a Parent to make the decision based solely on economic considerations driven by the costs of time and effort; however, there are significant cybersecurity considerations that should be factored into the decision-making process to ensure the long-term security of both the Parent and the Acquisition.

These include:

  • Technical debt: Understand how much technical debt you will inherit. Every organization carries some technical debt, and the key in mergers and acquisitions is transparency. It is critical for a Parent to understand the technical debt it will be inheriting to understand how it will compound the Parent’s own technical debt and assist in quantifying any remediation costs.
  • Existing security (not exclusive to cybersecurity): Consider how the two parties will consolidate key security capabilities, such as endpoint detection and response (EDR) tools or antivirus. Also consider how they both coordinate Security teams, such as security operations and security engineering, to avoid carrying numerous capabilities, tools, and data sources.
  • Compliance and regulatory implications: Research how the Acquisition handles personally identifiable information (PII), like bank account numbers, and know the regulations it must abide by, its compliance procedures, and compliance history, including any regulatory violations. If the Acquisition is in a different country or region with stricter data privacy regulations, for instance, those are the ones both Parent and Acquisition should follow in relation to shared data.
  • Misconfiguration and misutilization of existing systems: Review the configuration of systems at the Acquisition. They may have been set up incorrectly, perhaps due to complexity or a lack of accountability, or they may be under-utilized because deployment was never completed or no one has the skills to use them. You may find that a misconfiguration slipped through because new systems are not tested before they are introduced. That is a serious issue, because security misconfigurations become the Parent’s liabilities.
  • Identity: Enable multifactor authentication (MFA) flow and other identity controls. Security teams should review the identity configuration, which may be bypassed because it wasn’t architected in a way that works for both companies.
  • Network: Evaluate how to connect legacy devices. In a merger or acquisition, it may not be possible to connect legacy devices to each other (for example, if one party’s firewalls are not next-generation firewalls). With older firewalls, you lose the ability to apply modern security controls, and logging is less capable.
  • Cloud: Check whether Microsoft Azure subscriptions have MFA enabled, which ports are open in Azure infrastructure as a service, and what controls govern federated identities with other providers. Conditional Access policies from the two tenants may conflict or cancel each other out.
  • Password Management: Consider who has more access—the threat actor or you? To help ensure it’s you, secure access to your data using Privileged Identity Management and Privileged Access Management tools.
  • New threats: Anticipate new threats and new-to-you threats. A small manufacturer, for example, may not know of a large-scale security threat but once acquired by a global corporation, it could become a target. Threat actors may see an acquisition as an opportunity to access the Parent through the Acquisition.

The two most common avenues of risk are:

  • Current actor persistence in the acquired environment: The actor is already there, and connecting the two environments gives them an opportunity to enter the Parent. This is the most obvious and, for the attacker, the most direct path.
  • The security architecture of the acquired environment: It’s too hard to go against the Parent environment directly because its security posture is simply too costly for an attacker to go after, given what they could potentially gain in value. Instead, a threat actor targets the Acquisition.

If a threat actor knows about a pending acquisition, they can do reconnaissance on the acquired company to see if its security posture is weaker than the Parent’s. It may be a more attractive target to gain access to the Parent through the weaker acquisition environment.

The Acquisition likely receives support from multiple service providers. If any of those service providers are compromised, a threat actor could move into the Acquisition’s environment and then gain access to the Parent. Carefully consider the connections you have with vendors because they could bring a potentially unknown compromise and introduce security vulnerabilities and architectural weaknesses.

Deeper due diligence is key

The due diligence processes each company undergoes when making an investment will vary depending on the company, industry, and region. While there is no universal standard, it is critical that companies get it right and understand potential areas of concern they may be inheriting.

Ultimately, your organization is acquiring whatever unknowns are present in that environment. So that’s why it is important to ask questions before, during, and after a merger and acquisition. Anything persistent and any open backdoors affecting your environment provide a direct path into the Parent organization.

Security questions to ask before a merger or acquisition

Both parties need to foster open and honest communication and share technical data. Commit to transparency. From the exploratory phase to the official merger and acquisition negotiation process, both parties should understand the expectations, so they don’t miss details during the merger or acquisition.

Mergers and acquisitions are dynamic and complex. To achieve the economic goals of mergers and acquisitions, business leaders must understand the attack surface they’re onboarding. Discovering and cataloging the partner company’s resources and digital assets, from within the corporate perimeter to the entire internet, is a critical step of any due diligence process. These include known and unknown assets, including resources developed outside the purview of security and IT teams, like shadow IT. These audits can’t be outsourced or done just for compliance. They are top priorities every executive needs to consider to future-proof their investments.

The first step is to establish a baseline set of known facts. Ask these questions during your initial discovery phase and as part of a proactive assessment:

  • What is your basic security structure?
  • What is your antivirus and is it up to date?
  • What is your EDR solution?
  • How are you managing identity protection?
  • How are you managing data access protection?
  • Does the acquired company meet the current security standards of the Parent?
  • How are security issues triaged?
  • Do you have a form of central logging (security information and event management; security orchestration, automation, and response) solution?
  • How are you tracking and repairing your online vulnerabilities and compliance risks (unmanaged assets or those that have been forgotten)?

As you get deeper into the due diligence phases, ask these questions to understand their compromise history:

  • What is your history of security compromise?
  • When did these compromise(s) occur?
  • What are the details?
  • What are the root causes of those security compromises?
  • How were the threats mitigated?
  • Do you have a post-incident review process? What were the results?

After this disclosure, the most important question to ask is, “Did you remediate it?” If the Acquisition suffered a ransomware attack or other cyberattack, what happened? If an attacker exploited an unpatched vulnerability, escalated privileges to domain admin, and deployed the ransomware, we ask: what is your patching process?

Before setting up legal frameworks, disclose past events and understand how to remediate what caused them. Ignoring this recommendation invites fireworks of the non-celebratory kind.

Security questions to ask after a merger or acquisition

Arguably, the greatest risk to mergers and acquisitions security is establishing trust relationships or merging hundreds or thousands of systems into the Parent company’s enterprise infrastructure. The health and configuration of those systems should be evaluated for security risks. The presence of any malware or advanced persistent threat (APT) backdoors in the subsidiary company can threaten the Parent company after the merger. Security misconfigurations and risky decisions become the Parent company’s liabilities. Also, threat profiles need to be re-evaluated to include any geopolitical changes caused by the mergers and acquisitions process. For example, a small parts manufacturer would not be expected to be aware of risks from larger known threat actors (such as Phineas Phisher2), but after being acquired by a global oil company, it would need to be.

Take the information gathered during the pre-merger question and answer session, including compromise exposures and an analysis of the Acquisition’s existing security posture against a reference standard, and decide how to integrate that environment into yours, along with detailing the necessary technical steps. To integrate the acquired company into your environment, you’ll need to bring its security posture to your level. The Parent company will have to implement basic security practices. Here are steps to evaluate and prioritize:

  1. Assess existing systems that will be part of the acquisition and the risks associated.
  2. Conduct remediation based on those results.
  3. Understand the timeline for integrating the networks and know whether the data is located on-premises or in the cloud.
  4. Learn the process for asset refresh and retirement of systems.
  5. Conduct a penetration test or risk assessment and evaluate security policies and security gaps.

What actions should companies take?

The Microsoft Detection and Response Team (DART) has worked on incident response cases where companies were breached within an hour of completing a post-merger integration. In these cases, the threat actor’s backdoor in the subsidiary was granted two-way trust access to the Parent company’s Microsoft Azure Active Directory (Azure AD), to third-party identity providers with any form of federation, and to the on-premises Active Directory forest.

DART has also had to explain to customers the probable connection between an APT actor’s backdoor uncovered in its environment, and the fact that its new Parent company’s bid was the lowest amount—to the dollar—that they were willing to accept during an acquisition. For these reasons and others, many of DART’s customers ask for security assessments before, during, or immediately after completing mergers and acquisitions.

Take these steps:

  1. Set the expectations of disclosure and the level of information shared about security issues early in the talks. Make this a standard part of the exploratory process when setting up the legal framework of how the merger and acquisition will run.
  2. Do a pre-mergers and acquisitions security assessment, whether a proactive threat hunt that includes cross-platform systems (Mac and Linux) and third-party identity providers, or an Azure AD security assessment, or an evaluation of the maturity of the environment’s security posture.
  3. Focus on evaluating and improving security visibility and logging early in the mergers and acquisitions process. This allows first-party and third-party security teams to assess and react to security issues promptly. For mergers and acquisitions-related threats, focus first on securing identity, access control, and communications. 
  4. Focus security and risk audits on cataloging the company’s resources and digital assets, including the company’s external attack surface, or catalog of internet-facing assets that an attacker could leverage to gain a foothold for an attack. External attack surface management (EASM) products can highlight a range of hygiene issues, corresponding indicators of compromise and vulnerabilities, and compliance issues, giving mergers and acquisitions teams the baseline they need to conduct a cyber risk assessment and drive post-mergers and acquisitions program.

Cybersecurity risk in mergers and acquisitions is an increasing issue for both IT security and business decision-makers. Giving the IT security teams sufficient time to do thorough assessments, due diligence, inventories, and putting more controls in place will determine how much of that risk can be mitigated.

Learn more

Leverage Microsoft Security Experts today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1The Role of Cybersecurity in Mergers and Acquisitions Diligence, Forescout. 2019.

2Hacker who hacked Hacking Team published DIY how-to guide, Ms. Smith, CSO. April 17, 2016.


How to prevent lateral movement attacks using Microsoft 365 Defender http://approjects.co.za/?big=en-us/security/blog/2022/10/26/how-to-prevent-lateral-movement-attacks-using-microsoft-365-defender/ Wed, 26 Oct 2022 16:00:00 +0000 Learn how Microsoft 365 Defender can enhance mitigations against lateral movement paths in your environment, stopping attackers from gaining access to privileged and sensitive accounts.

It’s been 10 years since the first version of the Mitigating Pass-the-Hash Attacks and Other Credential Theft whitepaper was made available, but the techniques are still relevant today, because they help prevent attackers from gaining a network foothold and using credential-dumping tools to extract password hashes, user credentials, or Kerberos tickets from local memory.1 With those tools in hand, an attacker could move laterally in the network to obtain the credentials of more privileged accounts. All this leads to their ultimate goal—access to your sensitive business data, the Active Directory (AD) database, crucial business applications, and more.

In this blog post, we’ll look at the three fundamental mitigations for preventing lateral movement and how Microsoft 365 Defender can help your team achieve maximum effectiveness from each mitigation:

  1. Restricting privileged domain accounts.
  2. Restricting and protecting local accounts with administrator privileges.
  3. Restricting inbound traffic using Windows Defender Firewall.

1. Restricting privileged domain accounts

Segmenting privileged domain accounts can be achieved by implementing the tier model. The tier model mitigates credential theft by dividing your AD environment into three tiers of differing privilege and access. Separate tiers cut off lateral movement from a standard user workstation to an application server or domain controller: if a standard user's machine is compromised and its password hashes are obtained, there is no movement path from it toward more sensitive accounts and servers. The three tiers are numbered 0 to 2, with 0 being the most restricted:

  • Tier 0: All accounts and servers in this tier are either domain administrators or have a direct path to domain administrator privileges. Examples of servers include domain controllers, other Active Directory infrastructure servers, and any management server for applications and agents running on Tier 0 servers. An account does not have to be a member of Domain Admins to be considered Tier 0; having privileged access to any Tier 0 server or application (through access control lists, User Rights Assignment, and the like) also classifies an account as Tier 0. 
  • Tier 1: In most cases, Tier 1 will contain the most business-critical applications. All accounts and servers in this tier are either running enterprise applications or have permissions on servers running applications. Examples include file shares, application servers, and database servers.
  • Tier 2: This tier can be thought of as any account or machine that does not fall into either of the other tiers. This is where normal user workstations will reside, as well as standard user accounts. 
Simplified schematic of an IT environment split into three zones: Tier 0 with domain controllers, Tier 1 with servers and applications, and Tier 2 with users and workstations. The zones are separated by red dotted lines.

Figure 1: Tier model for Active Directory.

For the tier model to function as intended, the different tiers must be completely segregated from each other. This can be accomplished by creating Group Policy Objects (GPOs) that deny signing in across tiers. No account can be allowed to cross the tier boundaries. For example, an administrator on Tier 0 should be denied access to a Tier 1 or Tier 2 machine. If credentials are exposed to another tier, the password must be reset for that account.

Using Privileged Access Workstations (PAW) also mitigates against lateral movement. Because an account in one tier can only sign in to computers in the same tier, users with more than one account in the domain must use separate computers. A Tier 0 user should use a PAW to access only Tier 0 assets. But the person who owns the Tier 0 account should not use the same machine for checking their email or productivity applications (a Tier 2 activity).

Note: Read-level access to higher tiers is still allowed for all users because this is crucial for AD authentication and for users to access applications.

As explained earlier, if an attacker can harvest the credentials of any account along such a path, they can move laterally until they obtain the credentials of the sensitive account at its end. One way to spot lateral movement paths in your environment is to use Microsoft Defender for Identity. By correlating data from account sessions, local administrator membership on machines, and group memberships, Defender for Identity identifies the lateral movement paths that lead to each sensitive account, so your team can break them before an attacker uses them. 

Simple graph with two nodes, User 4 and an admin user, connected by an arrow. A computer icon above the link indicates that User 4 is a local administrator on machine Client 5, where the admin user is signed in.

Figure 2: Lateral movement path view from Microsoft Defender for Identity portal.

By default, Defender for Identity classifies certain groups and their members as sensitive, while providing functionality to add more accounts and groups to the classification if needed. The goal is to break the possible attack paths (see Figure 2) by removing local administrators, denying access, or by separating accounts.
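To make the path logic concrete, the following is an added example written for this page; it is not part of the original post and not Defender for Identity's own code. It models a small, constructed AD snapshot (computer tiers, local Administrators membership, logon sessions and group membership; every host and account name is hypothetical) and walks the same relationship Defender for Identity correlates: an account that is a local administrator on a machine can harvest the credentials of any other account with a session there. It enumerates every such path to a sensitive account, lists the two ways to break each hop, and flags sessions that cross a tier boundary.

```python
"""Lateral movement path (LMP) and tier-boundary analysis over a small AD snapshot."""
from collections import deque
from typing import Dict, List, Set, Tuple

# --- Constructed sample snapshot; hypothetical names, not a real environment ---
# Tier of each computer in the three-tier model (0 = domain controllers, most restricted).
COMPUTER_TIER: Dict[str, int] = {"dc01": 0, "app01": 1, "client5": 2, "client7": 2}
# Accounts in the local Administrators group of each computer.
LOCAL_ADMINS: Dict[str, Set[str]] = {
    "dc01": set(),
    "app01": {"svc_app"},
    "client5": {"user4"},
    "client7": {"user4", "helpdesk1"},
}
# Accounts with an active or cached session on each computer (credentials in memory).
SESSIONS: Dict[str, Set[str]] = {
    "dc01": {"adminuser"},
    "app01": {"svc_app", "user9"},
    "client5": {"user4", "adminuser"},  # a Tier 0 admin reading mail on a Tier 2 workstation
    "client7": {"user9"},
}
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "Domain Admins": {"adminuser"},
    "Domain Users": {"user4", "user9", "helpdesk1", "adminuser", "svc_app"},
}
SENSITIVE_GROUPS: Set[str] = {"Domain Admins", "Enterprise Admins", "Administrators"}


def sensitive_accounts(group_members: Dict[str, Set[str]], sensitive_groups: Set[str]) -> Set[str]:
    """Accounts that belong to a sensitive group; these are Tier 0 by definition."""
    return {m for g, members in group_members.items() if g in sensitive_groups for m in members}


def build_edges(local_admins: Dict[str, Set[str]], sessions: Dict[str, Set[str]]) -> Dict[str, Set[Tuple[str, str]]]:
    """Map account -> {(computer, victim)}: a local admin on a computer can dump the
    credentials of every other account that has a session on that computer."""
    edges: Dict[str, Set[Tuple[str, str]]] = {}
    for computer, admins in local_admins.items():
        for admin in admins:
            for victim in sessions.get(computer, set()) - {admin}:
                edges.setdefault(admin, set()).add((computer, victim))
    return edges


def find_paths(start: str, edges: Dict[str, Set[Tuple[str, str]]], targets: Set[str], max_hops: int = 6) -> List[List[str]]:
    """Breadth-first enumeration of simple paths start -> computer -> account -> ...
    that end on a sensitive account. Accounts sit at even indexes, computers at odd."""
    paths: List[List[str]] = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        current = path[-1]
        if current in targets and len(path) > 1:
            paths.append(path)
            continue
        if len(path) // 2 >= max_hops:
            continue
        for computer, nxt in sorted(edges.get(current, set())):
            if nxt not in path[::2]:  # never revisit an account already on the path
                queue.append(path + [computer, nxt])
    return paths


def account_tiers(local_admins: Dict[str, Set[str]], computer_tier: Dict[str, int], sensitive: Set[str]) -> Dict[str, int]:
    """Tier of each account: sensitive accounts are Tier 0; other accounts take the
    lowest-numbered tier of any computer they administer; plain users are Tier 2."""
    tiers: Dict[str, int] = {}
    for computer, admins in local_admins.items():
        for account in admins:
            tiers[account] = min(tiers.get(account, 2), computer_tier[computer])
    for account in sensitive:
        tiers[account] = 0
    return tiers


def tier_violations(sessions: Dict[str, Set[str]], local_admins: Dict[str, Set[str]], computer_tier: Dict[str, int], sensitive: Set[str]) -> List[Tuple[str, str]]:
    """(account, computer) pairs where an account has a session outside its own tier.
    The dangerous direction is a privileged account on a less-trusted host; that is
    exactly what turns a workstation compromise into a path to Tier 0."""
    tiers = account_tiers(local_admins, computer_tier, sensitive)
    return sorted(
        (account, computer)
        for computer, accounts in sessions.items()
        for account in accounts
        if tiers.get(account, 2) != computer_tier[computer]
    )


def remediations(path: List[str]) -> List[str]:
    """For each hop, the two ways to break it: remove the admin right or end the session."""
    return [
        f"remove {path[i]} from Administrators on {path[i + 1]}, or stop {path[i + 2]} signing in there"
        for i in range(0, len(path) - 2, 2)
    ]


if __name__ == "__main__":
    targets = sensitive_accounts(GROUP_MEMBERS, SENSITIVE_GROUPS)
    graph = build_edges(LOCAL_ADMINS, SESSIONS)
    for lmp in find_paths("user4", graph, targets):
        print(" -> ".join(lmp))
        for fix in remediations(lmp):
            print("  fix:", fix)
    print("tier violations:", tier_violations(SESSIONS, LOCAL_ADMINS, COMPUTER_TIER, targets))
```

Run as-is, the snapshot yields one path (user4 is a local admin on client5, where adminuser has a session) and two tier violations (a Tier 0 account signed in on a Tier 2 workstation, and a Tier 2 user signed in on a Tier 1 application server); the helpdesk account reaches nothing sensitive because the user whose credentials it can harvest administers no machine. Breaking the path at either end of the hop, as the paragraph above describes, is what the tier model enforces by policy.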

2. Restricting and protecting local accounts with administrator privileges

Local admin access opens up vast credential harvesting and lateral movement possibilities, making local admins a prime target for attackers. To make matters worse, local admin management and monitoring are sometimes overlooked. Often the local administrator password is set once for all machines in the organization during the operating system deployment, including machines used by administrators. When local admin passwords are not randomized across client machines, an attacker can compromise a local account password on one machine and automatically obtain administrator-level access to all client machines in the network.

Fortunately, Microsoft's Local Administrator Password Solution (LAPS) is an easy-to-deploy tool that fully automates password management for the local administrator account. Once installed on a machine, LAPS sets the local administrator password to a random string, rotates it on a schedule, and writes it to a confidential attribute of the corresponding computer object in AD, so only principals granted read access to that attribute can retrieve it. During deployment, your team specifies which computers are managed and which users may retrieve passwords from AD, for example a helpdesk team that needs a client computer's credentials. Newer Windows builds ship Windows LAPS in-box, replacing the separately installed legacy LAPS, but the AD-backed workflow described here is the same.

Microsoft Defender for Endpoint tracks LAPS configuration on endpoints; the corresponding recommendation is listed under Vulnerability management > Security recommendations.

Screenshot of a Microsoft Defender for Endpoint security recommendation titled "Enable local admin password management", showing 8,000 of 50,000 devices exposed.

Figure 3: LAPS security recommendations page in the Microsoft 365 Defender portal.

For a detailed per-device report, run the following query in Advanced Hunting (scid-84 is the secure configuration check for LAPS; the OSPlatform filter is as published and covers Windows 10 clients only, so extend it, for example with "Windows11", for newer clients):

// Devices where the LAPS secure-configuration check is non-compliant
DeviceTvmSecureConfigurationAssessment  
| where ConfigurationId == "scid-84" 
| where OSPlatform == "Windows10" 
| where IsCompliant == 0 
| project DeviceName, OSPlatform

A similar report is available in Microsoft Defender for Cloud Apps when Defender for Identity integration is enabled. It tracks LAPS deployment from the AD side by highlighting computer objects whose LAPS password has not been updated in the last 60 days. The two reports provide similar information but draw on different sources, so they can be used to cross-check LAPS deployment status.  

Defender for Endpoint customers can view all monitored activities and configure custom detections for suspicious local administrator account behavior. For example, the following query detects logons with the built-in local Administrator account (relative identifier 500) that did not originate on the device itself, that is, use of the local admin over the network. The domain's built-in Administrator also has a SID ending in -500, so the anti-join against identity logon events removes it: 

// Network logons with the built-in local Administrator (RID 500) of each device
DeviceLogonEvents 
| where AccountSid endswith '-500' and parse_json(AdditionalFields).IsLocalLogon != true 
| join kind=leftanti IdentityLogonEvents on AccountSid // Remove the domain's built-in admin account 

Your team can also block local administrator accounts from connecting over the network by adding the "Local account and member of Administrators group" well-known group (S-1-5-114) to the "Deny access to this computer from the network" user right in Group Policy. This further complicates an attacker's lateral movement and also covers any additional local administrator accounts on the machine, since LAPS manages only one account per device.

3. Restricting inbound traffic with Windows Defender Firewall

Our experience has shown that this last mitigation is often overlooked. By simply removing the ability to connect from one computer to another, this mitigation provides a simple and robust way to make lateral movement more difficult for an attacker.

Host-based firewalls have a reputation for being difficult to manage, but blocking inbound traffic on Windows clients with Windows Defender Firewall is not a tedious task. Most client-server applications initiate network communication from the client side and do not expect inbound connections initiated by servers. For this mitigation to work, Windows Defender Firewall must be set to block all inbound connections unless a rule specifically allows them, on all three profiles (domain, private and public). It is also essential to disable merging of local firewall rules: if local rules still apply, anyone with local administrator rights, including malware running as one, can add an allow rule that reopens the host, which negates the mitigation. For details on Windows Defender Firewall configuration, see the Pass-the-Hash Mitigations whitepaper1 for a GPO approach or the Microsoft Intune documentation.

Screenshot of the Windows Defender Firewall interface with the firewall enabled for the domain, private and public profiles, each with the same settings: all inbound connections are blocked unless specifically allowed by a rule, and all outbound connections are allowed unless specifically blocked by a rule.

Figure 4: Windows Defender Firewall settings for mitigating lateral movement.

Once initial configuration is done, it’s crucial to identify any applications that were overlooked and did not receive exceptions to accept inbound connections. This is where Defender for Endpoint can help by significantly expanding firewall monitoring and reporting capabilities. Once Windows Defender Firewall is set to block inbound connections on a test group of devices, your team can easily start analyzing firewall logs for any misconfigurations.  

The Reports section in the Microsoft 365 Defender portal has a built-in firewall report with all the information needed. Each report section contains an Advanced hunting button that shows the relevant query and allows you to dive deeper into the data. 

Sample report from Defender for Endpoint portal reports section showing statistics of connections blocked by Windows Firewall. Page contains graph showing number of firewall blocked inbound connections, graphics with top local ports from blocked inbound connections and tables with top processes initiating blocked connections, number of blocked connection per computer, remote IPs with the most connection attempts.

Figure 5: Remote IPs targeting multiple computers report in Microsoft 365 Defender portal’s Reports page.

In this example, the most relevant report is Remote IPs targeting multiple computers. The existing query can easily be adjusted to only include test devices: 

// Inbound connections blocked by Windows Defender Firewall on the pilot devices,
// grouped by the remote address that attempted them (sort by defaults to descending)
DeviceEvents 
| where DeviceName in ("testdevice1.contoso.com", "testdevice2.contoso.com") 
| where ActionType == "FirewallInboundConnectionBlocked" 
| summarize ConnectionsBlocked = count() by RemoteIP 
| sort by ConnectionsBlocked  

Once the IP addresses returned by the query are verified to belong to legitimate applications that need inbound access to client computers (such as remote management software or peer-to-peer applications), add allow rules for them, scoped as narrowly as the application permits (remote address, port and program) rather than as broad exclusions. For extra reporting flexibility, a Power BI firewall report can be connected to Defender for Endpoint.

Learn more

At Microsoft, we believe that the mitigations outlined in this article can significantly improve your security posture and reduce the threat of lateral movement in your environment. Using Microsoft 365 Defender can help you in the process.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Mitigating Pass-the-Hash Attacks and Other Credential Theft, Microsoft. July 7, 2014.

The art and science behind Microsoft threat hunting: Part 2 http://approjects.co.za/?big=en-us/security/blog/2022/09/21/the-art-and-science-behind-microsoft-threat-hunting-part-2/ Wed, 21 Sep 2022 16:00:00 +0000 In this follow-up post in our series about threat hunting, we talk about some general hunting strategies, frameworks, tools, and how Microsoft incident responders work with threat intelligence.

We discussed Microsoft Detection and Response Team’s (DART) threat hunting principles in part 1 of The art and science behind Microsoft threat hunting blog series. In this follow-up post, we will talk about some general hunting strategies, frameworks, tools, and how Microsoft incident responders work with threat intelligence.

General hunting strategies

In DART, we follow a set of threat hunting strategies when our analysts start their investigations. These strategies serve as catalysts for our analysts to conduct deeper investigations. For the purposes of this blog, we are listing these strategies under the assumption that a compromise has been confirmed in the customer’s environment.

Starting with IOCs (“known bads”)

An incident response investigation is more manageable when you start from an initial indicator of compromise (IOC) trigger, or "known bad", that leads you to additional findings. We typically begin with data reduction techniques to limit the data we are looking at. One example is data stacking: sorting and counting forensic artifacts by indicator across the enterprise environment, which quickly shows which other machines carry the same IOC trigger. Each machine found this way feeds back into the hunting flow, and the process repeats.

Diagram explaining the threat hunting cycle.

Figure 1: The hunting cycle starts with hunting for indicators or “known bads,” ranging from the smallest unit of indicators to behavioral indicators that may define the actor.

Types of indicators can be classified into:

  • Atomic—The smallest unit. For example, IP addresses, domain names, email addresses, and file names.
  • Computed—Match multiple atomic indicators. For example, hashes and regular expressions.
  • Behavioral—Patterns of adversary actions. For example, tactics, techniques, and procedures (TTPs) and demonstrated actor preferences (such as file paths, usernames, and tools).

Quick wins

Not everything we find relates back to the trigger IOC. Another strategy we employ is to look for quick wins: indicators of typical adversary behavior present in a customer environment. Examples include common actor techniques, actor-specific TTPs, known threats, and verified IOCs. Identifying quick wins has the most immediate impact for the customer, as it helps us form the attack narrative while guiding the customer to keep the actor out of the environment.

Pyramid diagram that shows quick wins for incident response investigation.

Figure 2: Hunting order of operations.

Anomaly-based hunting

If you’re out of leads, another strategy to employ is pivoting to hunting for anomalies, which draws on information derived from our “known bads” and quick wins. We discussed anomalies in the first part of this series as part of understanding the customer data. Some techniques:

  • Define baselines. Perform baseline comparisons for your dataset. Determine the usual versus the unusual in an environment.
  • Summarize your data and occurrences and sort by indicator to find the outliers.
  • Clean the output. We recommend formatting your data in favor of efficiency and accuracy to make the outliers and anomalies stand out.

Pure anomaly-based hunting may be performed concurrently with the other hunting strategies on a customer engagement, depending on the data we are presented with. This method is highly nuanced and requires seasoned analysts to judge whether a data pattern represents normal or abnormal behavior. This prevalence-checking, data-science approach is the most time consuming, but it can surface some of the most interesting evidence in an investigation: new advanced persistent threat (APT) groups and campaigns are often found through anomaly hunting, and rarely by searching for the "known bads" alone.
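The three strategies above (stacking a known-bad indicator across hosts, looking for a quick win such as masquerading, and hunting prevalence outliers) can be shown on one small dataset. The following is an added example written for this page; it is not DART's tooling and not code from the original post. The artifact inventory, host names and hash values are constructed, and the list of system binary names used for the masquerading check is an illustrative assumption.

```python
"""Data stacking, IOC sweeps and prevalence outliers over a constructed artifact set."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: persistence artifacts collected from six hosts as
# (host, artifact_type, name, image_path, sha256). Hashes are placeholder strings.
ARTIFACTS: List[Tuple[str, str, str, str, str]] = [
    ("ws01", "service", "WSearch", r"C:\Windows\System32\SearchIndexer.exe", "h_search"),
    ("ws02", "service", "WSearch", r"C:\Windows\System32\SearchIndexer.exe", "h_search"),
    ("ws03", "service", "WSearch", r"C:\Windows\System32\SearchIndexer.exe", "h_search"),
    ("ws04", "service", "WSearch", r"C:\Windows\System32\SearchIndexer.exe", "h_search"),
    ("ws05", "service", "WSearch", r"C:\Windows\System32\SearchIndexer.exe", "h_search"),
    ("srv01", "service", "WSearch", r"C:\Windows\System32\SearchIndexer.exe", "h_search"),
    ("ws01", "runkey", "OneDrive", r"C:\Users\asmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "h_onedrive"),
    ("ws02", "runkey", "OneDrive", r"C:\Users\bwong\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "h_onedrive"),
    ("ws03", "runkey", "OneDrive", r"C:\Users\cdiaz\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "h_onedrive"),
    ("ws04", "runkey", "OneDrive", r"C:\Users\pjones\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "h_onedrive"),
    ("ws05", "runkey", "OneDrive", r"C:\Users\ekim\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "h_onedrive"),
    ("ws03", "service", "WindowsUpdateSvc", r"C:\ProgramData\update\svchost.exe", "h_bad"),
    ("ws04", "runkey", "Sync", r"C:\Users\pjones\AppData\Roaming\sync.exe", "h_unknown"),
    ("srv01", "service", "BackupAgent", r"C:\Program Files\Backup\agent.exe", "h_agent"),
]
KNOWN_BAD_HASHES: Set[str] = {"h_bad"}  # the IOC trigger that opened the investigation
# Assumed list of binary names that commonly get impersonated (illustrative, not exhaustive).
SYSTEM_BINARIES: Set[str] = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}


def normalize_path(path: str) -> str:
    """Clean the output: case-fold and collapse per-user profile directories so the
    same program installed under different user names stacks into one row."""
    p = path.strip('"').lower()
    return re.sub(r"^c:\\users\\[^\\]+", r"c:\\users\\<user>", p)


def hosts_with_ioc(artifacts: List[Tuple[str, str, str, str, str]], bad_hashes: Set[str]) -> Dict[str, Set[str]]:
    """Start from the known bad: stack each IOC hash across every host it appears on."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for host, _, _, _, sha in artifacts:
        if sha in bad_hashes:
            hits[sha].add(host)
    return dict(hits)


def stack_by_path(artifacts: List[Tuple[str, str, str, str, str]]) -> Dict[str, Set[str]]:
    """Data stacking: normalized image path -> set of hosts on which it appears."""
    stacked: Dict[str, Set[str]] = defaultdict(set)
    for host, _, _, path, _ in artifacts:
        stacked[normalize_path(path)].add(host)
    return dict(stacked)


def prevalence_outliers(artifacts: List[Tuple[str, str, str, str, str]], max_hosts: int = 1) -> List[Tuple[str, Set[str]]]:
    """Anomaly hunting: entries seen on at most max_hosts hosts, i.e. the least prevalent
    rows of the stack. Low prevalence is a lead, not a verdict; the analyst still has to
    separate an unusual-but-legitimate agent from an implant."""
    stacked = stack_by_path(artifacts)
    return sorted((p, h) for p, h in stacked.items() if len(h) <= max_hosts)


def masquerading(artifacts: List[Tuple[str, str, str, str, str]]) -> List[Tuple[str, str]]:
    """Quick win: a well-known system binary name running from outside C:\\Windows."""
    hits: List[Tuple[str, str]] = []
    for host, _, _, path, _ in artifacts:
        p = normalize_path(path)
        name = p.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not p.startswith("c:\\windows\\"):
            hits.append((host, p))
    return hits


if __name__ == "__main__":
    print("IOC hits:", hosts_with_ioc(ARTIFACTS, KNOWN_BAD_HASHES))
    print("masquerading:", masquerading(ARTIFACTS))
    for path, hosts in prevalence_outliers(ARTIFACTS):
        print(f"outlier on {sorted(hosts)}: {path}")
```

Without the profile-path normalization, every per-user OneDrive entry would be a singleton and the outlier list would be noise; cleaning the output is what makes the genuine singletons (the svchost.exe under ProgramData, the sync.exe in a roaming profile, the backup agent on the server) stand out. Only the first of those also matches the IOC and the masquerading check; the other two are leads that an analyst must triage, which is the nuance the paragraph above describes.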

Tying it all together: The attack narrative

Stringing together our patterns of anomalous activity, factual data from quick wins, and analytical opinions must conclude with an attack narrative. In an incident response investigation, the MITRE ATT&CK framework serves as a foundation for adversary tactics and techniques based on real-world observations.

The MITRE framework helps us ensure that we examine our hypothesis in a structured manner, so that we can tell the customer a cohesive narrative rooted in our analysis. We aim to answer questions such as:

  • How did the attacker gain access?
  • What did they do once inside?
  • Which accounts did they use?
  • Which systems did they access?
  • How and where did they persist?
  • Was any data accessed or exfiltrated?
  • And, most importantly, are they still in the environment?

Additionally, we want to answer questions surrounding threat actor intent to help tell a better story and build better defenses. Some common attack patterns from the MITRE framework are listed in Table 1.

Tactic               Techniques
Initial access       Phishing files
Execution            PowerShell and service execution
Persistence          Service installations, webshells, scheduled tasks, registry run keys
Defense evasion      Masquerading, obfuscation, Background Intelligent Transfer Service (BITS) jobs, signed executables
Credential access    Brute forcing, credential dumping
Discovery            Network share enumeration
Lateral movement     Overpass the hash, WinRM
Collection           Data staging
Command and control  Uncommonly and commonly used ports
Exfiltration         Data compression
Impact               Data encrypted for impact

Table 1: Common attack patterns from MITRE.

Threat hunting tools and methodology

To ensure maximum visibility of the attack chain, hunters use data sourced from proprietary incident response tooling for point-in-time deep scanning on endpoints, as well as bespoke forensic triage tools on devices of interest.

For point-in-time deep scanning, DART uses:

  • Proprietary incident response tooling for Windows and Linux.
  • Forensic triage tool on devices of interest.
  • Microsoft Azure Active Directory (Azure AD) security and configuration assessment.

For continuous monitoring:

  • Microsoft Sentinel—Provides centralized source of event logging. Uses machine learning and artificial intelligence.
  • Microsoft Defender for Endpoint—For behavioral, process-level detection. Uses machine learning and artificial intelligence to quickly respond to threats while working side-by-side with third-party antivirus vendors.
  • Microsoft Defender for Identity—For detection of common identity threats and analysis of authentication requests. Its sensors examine authentication traffic to on-premises Active Directory domain controllers from clients running any operating system, and use machine learning and artificial intelligence to quickly report many types of threats, such as pass-the-hash, golden and silver ticket, skeleton key, and many more.
  • Microsoft Defender for Cloud Apps—Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.
Chart that explains the Microsoft products and services used for threat hunting and monitoring.

Figure 3 explains the products and services used to identify and monitor threats:

  • Deep scan includes proprietary endpoint scanners such as ASEP, Fennec, LIFE, and FoX
  • Enterprise data includes Active Directory Configuration and Antivirus logs.
  • Global telemetry includes the Intelligent Security Graph, the largest sensor network in the world.

Continuous monitoring includes the following:

  • Microsoft Defender for Office 365, which monitors spoofing impersonation, and content analysis.
  • Microsoft Defender for Cloud Apps, which monitors app discovery, access management, and data loss prevention.
  • Microsoft Defender for Endpoint, which monitors exploitation, installation, and command and control channel.
  • Microsoft Defender for Identity, which monitors reconnaissance, lateral movement, and domain dominance.
  • Microsoft 365 Defender, Microsoft Sentinel, and Microsoft Defender for Cloud, which include advanced hunting, alerting, and correlation across data sources.

In addition, we work with internal threat intelligence teams, like the Microsoft Threat Intelligence Center (MSTIC), to provide details from our hands-on experience with customer environments and going toe-to-toe with the threat actors. The information collected from these experiences, in turn, provides a trail of evidence to help threat teams and services conduct enriched threat intelligence and security analytics to ensure the security of our customers.

Contributing to threat intelligence innovation through openness and transparency

We give organizations and customers the visibility and relevance of security events by sharing our data from dynamic threat intelligence and our continued collaboration with the MSTIC team. This collaboration has proven successful in instances where Microsoft Security teams have actively tracked large-scale extortion campaigns targeted at multiple organizations, resulting in an industry-wide effort to understand and track the threat actor’s tactics and targets.

The NOBELIUM incident in late 2021 was another instance of a large-scale cyberattack that launched a global hunting effort formed around MSTIC and Microsoft’s team of global security experts. The threat actor targeted privileged accounts of service providers to move laterally in cloud environments, leveraging trusted relationships to gain access to downstream cloud service provider (CSP) customers. We engaged directly with affected customers to assist with incident response and drive detection and guidance around this activity. Through a successful partnership and continuous feedback loop, we have been able to improve our ability to minimize impact and protect customers over time.

The work we delivered in protecting customers against NOBELIUM attacks would not have been possible if not for the continuous hunting process and feedback loop with threat intelligence. We’ve crafted a symbiotic relationship that empowers threat hunters at DART to become better incident responders by looking at additional vectors seen in threat intelligence platforms.

Seeing events from a threat intelligence perspective, applying the art and science of threat hunting, and partnering with the security industry at large are all signs of our commitment to growth and to helping organizations stay protected from cyberattacks.

Learn more

To read about the latest attack methods and cybersecurity best practices from our investigations and engagements, visit the Microsoft Detection and Response Team (DART) blog series. To learn more about our specialized incident response and recovery services before, during, and after a cybersecurity crisis, visit Microsoft Security Services for Incident Response.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Implementing a Zero Trust strategy after compromise recovery http://approjects.co.za/?big=en-us/security/blog/2022/09/14/implementing-a-zero-trust-strategy-after-compromise-recovery/ Wed, 14 Sep 2022 16:00:00 +0000 After a compromise recovery comes what we call a security strategic recovery: the plan for bringing the security posture of the whole environment up to date. The plan consists of components such as securing privileged access and extended detection and response, but it all points in the same direction: moving ahead with a Zero Trust strategy over traditional network-based security.

What changes after compromise recovery?

After a successful compromise recovery effort, you are back in control. Likely, you gave your team a round of applause and took a sigh of relief.

Now what? Does everything go back to the way it was? Absolutely not. A compromise recovery engagement is an accelerated way of carrying out a large amount of cybersecurity configuration and upgrade work in a short time. Just because the Domain Admins now have basic protection does not mean the whole environment is secure yet.

After a compromise recovery engagement, Microsoft’s compromise recovery team follows up with what we call security strategic recovery. This is the plan for moving forward to get the environment up to date with security posture. The plan consists of different components like Securing Privileged Access and extended detection and response (XDR), depending on the organizational needs, but it all points in the same direction: moving ahead with Zero Trust strategy over traditional network-based security.

Privileged administration

After we have secured the most critical privileged servers (including domain controllers, also called "Tier 0" servers in an on-premises environment) and privileged accounts (Domain Admins), the next step is to mitigate unauthorized privilege escalation in the data/workload and management plane (also called "Tier 1" in an on-premises environment).

A ransomware attack that obtains local administrator permissions on all member servers will still be devastating, so a proper delegation model must be implemented: with such an account, ransomware can encrypt application and database servers just as it could with a Domain Admin account. Tools such as privileged identity management (PIM) and privileged access management (PAM), together with delegation strategies, can be used to strengthen the security of the data/workload administrators and services. Please refer to the enterprise access model for additional details.

Privileged Access Workstation

During a compromise recovery, we are implementing what we call a “Tactical” Privileged Access Workstation. While functional for the purpose of providing a secure workstation with a “clean keyboard” to operate in a compromised environment, it is not meant to be long-lasting and engineered for broader enterprise deployment.

Implementing a proper Privileged Access Workstation together with a broader Privileged Access environment for all administrative tasks is necessary to reduce attack vectors and risk of re-compromise.

The Privileged Access Workstation configuration must include security controls and policies that restrict local administrative access and productivity tools to minimize the attack surface to only what is absolutely required for performing sensitive job tasks. Please refer to Why are privileged access devices important for additional details.

From tactical monitoring to XDR

While performing compromise recovery, we implement “tactical monitoring” to supplement the customer’s investigation, leveraging a targeted implementation of Microsoft Defender suite and Microsoft Sentinel on all critical systems.

This is key to obtain visibility on the environment and respond quickly and efficiently to abnormal or suspicious activities before it turns into another security incident.

As part of a strategic security roadmap, we strongly recommend completing the implementation of XDR with Microsoft Defender Threat Protection and leveraging automated investigation and remediation capabilities to save security operations teams’ time and effort.

Additional help to our customers to defend and manage their environment is now available from Microsoft through Microsoft Security Experts.

Zero Trust journey

The strategic recovery recommendations listed previously, least-privileged access for privileged administration and XDR for improving defenses, are just initial steps into a broader Zero Trust journey (see Figure 1).

Guidance for technical architecture relating to Microsoft Zero Trust Principles.

Figure 1 outlines the Microsoft Zero Trust principles. The first principle is to verify explicitly, which means always validating all available data points, including user identity and location, device health, service or workload context, data classification, and anomalies. The second principle is to use least-privileged access, meaning to help secure both data and productivity by limiting user access with just-in-time access (JIT), just-enough-access (JEA), risk-based adaptive policies, and data protection against out-of-band vectors. The third principle is to assume breach: minimize the blast radius of a breach and prevent lateral movement by segmenting access by network, user, device, and app awareness; encrypt all sessions end to end; and use analytics for threat detection and posture.

As observed in most of our compromise recovery engagements, attackers usually come in through the abuse of a user identity and then perform lateral movement and escalation to privileged access.

Most organizations have built security controls over the years based on network and perimeter protection and are still underestimating the “identity risk” in the current threat landscape.

With Strategic Recovery also comes the need for a mind shift from network and perimeter protection to identity-based protection, leveraging Zero Trust principles. Implementing a Zero Trust security strategy is a journey that needs both technology and training, but it is necessary moving forward.

Organizations may leverage the Microsoft Zero Trust Maturity Assessment Quiz to assess their current state of Zero Trust maturity and recommendations on the next steps. More details of how Microsoft can empower organizations in their Zero Trust journeys can be found in the Zero Trust Essentials eBook.

Who is CRSP?

The Microsoft Compromise Recovery Security Practice (CRSP) is a worldwide team of cybersecurity experts operating in most countries, across both public and private organizations, with deep expertise to secure an environment post-security breach and to help you prevent a breach in the first place. The CRSP is a specialist team within the wider Microsoft Security Experts. Microsoft Security Experts help customers through the entire cyberattack from investigation to successful containment and recovery related activities. The response and recovery services are offered via two highly integrated teams, the Detection and Response Team (DART) with a focus on the investigation and groundwork for recovery, and the Compromise Recovery Security Practice (CRSP), which focuses on the containment and recovery aspects.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The art and science behind Microsoft threat hunting: Part 1
http://approjects.co.za/?big=en-us/security/blog/2022/09/08/part-1-the-art-and-science-of-threat-hunting/
Thu, 08 Sep 2022 16:00:00 +0000

At Microsoft, we define threat hunting as the practice of actively looking for cyberthreats that have covertly (or not so covertly) penetrated an environment. This involves looking beyond the known alerts or malicious threats to discover new potential threats and vulnerabilities.

Why do incident responders hunt?

The Microsoft Detection and Response Team (DART) mission is to respond to security incidents and help our customers become cyber-resilient. This involves incorporating threat hunting as part of our proactive and reactive investigative service offerings to determine the following:

  • Whether systems are under targeted exploitation, by investigating for signs of advanced implants and anomalous behavior.
  • The groundwork for the recovery process of evicting the attacker from the environment.
  • Strategic recommendations for protecting against sophisticated threat actors.

In reactive incident response investigations, threat hunting helps determine the full scope of the incident and informs an effective recovery and remediation strategy. In proactive investigations, a threat hunt can discover latent threats or existing compromises as well as demonstrate the effectiveness of current security controls and their security operations processes. By uncovering novel attacker campaigns and previously undetected threats, DART provides valuable feedback to improve product detections, both for Microsoft security products and for the entire security ecosystem.

How do we approach threat hunting?

The canonical definition of threat hunting involves three interrelated things:

  • Targeted threat hunting—We define targeted hunting as actively looking for and rooting out cyberthreats that have penetrated an environment, and looking beyond the known alerts or malicious threats to discover new potential threats and vulnerabilities. Targeted threat hunting has a scope where we are looking for specific classes of indicators. For example, given a recently revealed attack, an organization may want to assess its environment to see if it, too, has been affected.
  • Security monitoring—The process of continuously monitoring the state of an environment to detect unusual or unauthorized activities. This involves a network operations center (NOC) and a SOC to ensure that networks are protected against disruptions and threats.
  • Incident response investigation—An investigation to identify the root cause and develop a remediation plan to regain and retain positive control over the environment following the detection of unauthorized access or suspicious activity.

Each organization approaches threat hunting differently. Sometimes, the customer will have specific outcomes in mind that align with the known techniques. We center on a general approach based on anomaly detection and pivoting combined with a knowledge of the overall environment. This allows us to accomplish multiple goals, versus employing an approach solely focused on a targeted threat hunt where additional threats and risks may be overlooked.

We will go into more detail about hunting for anomalies later in this blog.

Threat hunting principles

Our forensic investigators at DART lean on the Alexiou Principle, which states four key questions for our investigators to answer:

1. What question are you trying to answer?

Threat hunting varies depending on the main objectives or questions that need to be answered. This involves trying to understand a threat actor’s main objective, the cyber terrain in which they operate, and understanding how you can get closer to those objectives. Framing the question clearly helps us define the scope of every threat hunt.

2. What data do you need to answer that question?

Answering the previous question involves a two-pronged approach: determining what data is required, and determining how to obtain that data. During DART investigations, we often receive a variety of datasets when entering a customer investigation, such as live feeds and telemetry. We want to pick up everything that is currently in the environment, enumerate directories that we know bad actors like to live in, collect event logs that will potentially show us evidence of historical or current badness, collect registry keys that we see bad actors like to tamper with, and many more.

We use a tiered data collection model and start by collecting a snapshot of the densest, most indicator-rich data we can from every object and endpoint we can reach. This data is intended to provide information about any known threats, known attack patterns, and many (but not all) indicators of suspicious or anomalous activity. Where systems of interest are identified, we return and collect a larger, more complete dataset of logs and forensic artifacts.

3. How do you extract that data?

Now that you’ve identified the data, you’ll need to capture it using various toolsets, such as a point-in-time snapshot tool or, if the customer doesn’t have one deployed already, an endpoint detection and response tool, such as Microsoft Defender for Endpoint, to obtain the data. From the analytics captured, we can see things that are potentially good, bad, or interesting. Part of this phase also takes data ingestion into account. We consider how the collected data is consumed and how to efficiently separate threats from the background noise of a complex global enterprise.

4. What does the data tell you?

Looking at the collected data now becomes an exercise in data analytics. It’s a question of evaluating prevalence and frequency by taking everything that occurs within an environment and trying to figure out what belongs and what doesn’t belong. This train of thought can take a handful of different forms, from something as simple as “How often does this file hash show up across the entire environment?” to a more nuanced and precise question, such as “How often does it show up only on domain controllers? On devices in this organizational unit? How about when it’s seen with this other user account?”

As it turns out, there are a lot of different ways for us to play this counting game. Our role as threat hunters is to figure out the most relevant, high-priority way to account for these interesting findings and see if patterns reveal themselves. We’re looking for indicators of attack or compromise that maybe others haven’t found. It all depends on what data is available to us and on understanding it.
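The counting game described above, as an added example that is not part of the original post or of DART’s tooling. It assumes endpoint telemetry has already been flattened into rows of (host, organizational unit, launching user, file hash); every host name, OU and hash value below is a constructed placeholder, not a real indicator. The point it shows is that global prevalence alone misleads: a hash seen on only 2 of 6 hosts looks rare until you notice those two hosts are every domain controller, so the ranking is done within each OU and then pivoted to the launching account.

```python
"""Prevalence ("stacking") analysis over constructed endpoint telemetry.

Answers the hunting questions: how often does a hash show up across the whole
environment, within one OU (e.g. only on domain controllers), and with which
user accounts? All values below are constructed placeholders.
"""
from collections import Counter, defaultdict

# Constructed sample: one row per observed process image (host, OU, launching user, hash).
OBSERVATIONS = [
    {"host": "DC01",  "ou": "DomainControllers", "user": "SYSTEM",     "sha256": "H_SVC"},
    {"host": "DC02",  "ou": "DomainControllers", "user": "SYSTEM",     "sha256": "H_SVC"},
    {"host": "WS01",  "ou": "Workstations",      "user": "alice",      "sha256": "H_SVC"},
    {"host": "WS02",  "ou": "Workstations",      "user": "bob",        "sha256": "H_SVC"},
    {"host": "WS03",  "ou": "Workstations",      "user": "carol",      "sha256": "H_SVC"},
    {"host": "SRV01", "ou": "Servers",           "user": "SYSTEM",     "sha256": "H_SVC"},
    {"host": "WS01",  "ou": "Workstations",      "user": "alice",      "sha256": "H_OFFICE"},
    {"host": "WS02",  "ou": "Workstations",      "user": "bob",        "sha256": "H_OFFICE"},
    {"host": "WS03",  "ou": "Workstations",      "user": "carol",      "sha256": "H_OFFICE"},
    {"host": "DC01",  "ou": "DomainControllers", "user": "SYSTEM",     "sha256": "H_ADMIN"},
    {"host": "DC02",  "ou": "DomainControllers", "user": "SYSTEM",     "sha256": "H_ADMIN"},
    {"host": "DC01",  "ou": "DomainControllers", "user": "svc_backup", "sha256": "H_ODD"},
]


def host_prevalence(observations, scope=None):
    """Distinct hosts per hash; scope=(field, value) restricts to matching rows."""
    hosts = defaultdict(set)
    for row in observations:
        if scope and row[scope[0]] != scope[1]:
            continue
        hosts[row["sha256"]].add(row["host"])
    return {sha: len(names) for sha, names in hosts.items()}


def hosts_in_scope(observations, scope=None):
    """Number of distinct hosts, optionally restricted to a scope=(field, value)."""
    return len({row["host"] for row in observations
                if not scope or row[scope[0]] == scope[1]})


def rank_leads(observations):
    """Rank (hash, OU) pairs by how unusual the hash is within that OU.

    ratio = hosts in the OU that have the hash / hosts in the OU.
    A lower ratio means the hash is out of place for its peers and is
    reviewed first; the global count is kept as a tie-breaker.
    """
    leads = []
    global_prev = host_prevalence(observations)
    for ou in sorted({row["ou"] for row in observations}):
        scope = ("ou", ou)
        denom = hosts_in_scope(observations, scope)
        for sha, n in host_prevalence(observations, scope).items():
            leads.append({"sha256": sha, "ou": ou, "hosts": n, "ou_hosts": denom,
                          "ratio": n / denom, "global_hosts": global_prev[sha]})
    return sorted(leads, key=lambda lead: (lead["ratio"], lead["global_hosts"]))


def users_for_hash(observations, sha256):
    """The 'seen with this user account' pivot: launching accounts and their counts."""
    return Counter(row["user"] for row in observations if row["sha256"] == sha256)


if __name__ == "__main__":
    total = hosts_in_scope(OBSERVATIONS)
    for lead in rank_leads(OBSERVATIONS):
        print(f"{lead['sha256']:9} {lead['ou']:18} {lead['hosts']}/{lead['ou_hosts']} in OU, "
              f"{lead['global_hosts']}/{total} globally")
    # H_ODD tops the list: present on one of two DCs and launched by a service
    # account where every other DC process ran as SYSTEM.
    print("launchers of H_ODD:", dict(users_for_hash(OBSERVATIONS, "H_ODD")))
```

In the constructed data, H_ADMIN has the same global count as H_ODD (two hosts), but H_ADMIN sits on both domain controllers and so ranks as normal for that OU, while H_ODD sits on only one of them and surfaces at the top of the review queue. The user pivot then supplies the next question for the hunter: why did a backup service account launch it?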

Understanding the data

We approach understanding the data by looking for anomalies, the current state, and the absence of data.

Where the rubber meets the road: forming the attack narrative

We believe there’s a clear art and science to threat hunting, but at the end of the day, we seek to understand the anomalies in the acquired evidence. One way we do this is by using the knowledge of what is typical in an environment to identify what isn’t. Understanding the typical scenario and marrying that with the knowledge of threat actor tools, techniques, and processes allows us to gain a deep understanding of the data and the systems we’re looking at. Stringing these anomalies together can then create a pattern of anomalies, helping us form a story using analytical opinions based on facts, also known as the attack narrative.

The ability to identify anomalies makes for an important skill set for an analyst, but understanding the current state is just as crucial. Anomaly-based hunting will be discussed in more detail in the second part of this series when we go into general hunting strategies.

Looking at the current state

If an investigator is lucky enough, they might be dealing with forensic data for the anomaly hunt. But often, there will be times when our observations are limited to the current state of the environment. Even if we don’t have the luxury of historical artifacts, looking at the current state can provide valuable information.

Our proactive Cybersecurity Operations Services prior to an incident allow organizations to gain better knowledge of their current security posture and risk exposure before an incident even occurs.

By understanding the current state and its configurations, you can determine where the potentially malicious or anomalous activity lies as an initial starting point.

Asking questions like “How did it get into that state? Was it in that state intentionally, or was that the result of somebody doing something malicious?” allows our investigators to build from something of interest, look a little bit closer, and then pivot from there until we find true signs of malicious activity.

Looking at the absence of data

The absence of data is just as important as understanding the presence of it. Often, we are provided with data that is lacking or missing, and so the questions gleaned from these observations become: “Why don’t I have those artifacts? What didn’t happen? Was it because this data wasn’t recorded? Was the data removed?”

In the absence of data, we also try to determine what could have happened at a given stage of a compromise and what normally happens at that stage. With that information, we try and form our hypothesis about the stages of compromise, if it occurs in an environment. For instance, a customer during an incident response engagement might halt further investigation or response simply because they’re not seeing data exfiltration activity on their sensors and logs.

The approach to understanding the data varies depending on the analyst, but the goal is to answer a series of questions and turn those questions into more questions, and then stop at some point so you can paint the most complete picture possible.

Knowing when to stop

Following an investigative trail results in some form of data aggregation. Knowing when to stop this trail can often be challenging. An indication that it is time to stop is when the picture doesn’t change even after pulling in more information, leaving you with a nexus of truth about that event or indicator. A comparison to this is the computer science distinction between depth-first search and breadth-first search: investigators can potentially chase one single trail too far, investing too much time in one possible indicator of an attack and running out of time to investigate other possible indicators. One approach we take to avoid the pitfalls of digging for data is to consult with fellow analysts to get a different perspective and ensure that we are looking at everything from every possible angle.

Weighted risk analysis also helps us narrow down which leads to follow. We ask ourselves, “What is the probability that the lead I’m investigating will turn out to be malicious?” and multiply that by the potential impact that malicious activity would have. Using that value to rank which leads are most important to follow first helps find higher-risk threats (ransomware, full-domain compromises) faster than low-risk threats (adware, coin miners).

We’ve just described DART’s threat hunting principles and the art form that is understanding the data we’re dealing with when it comes to our incident response work, combing through the data, and creating patterns of suspicious activity by applying critical thinking. In our follow-up post, we will talk about general strategies behind threat hunting and how we work with threat intelligence. Stay tuned.

Learn more

Go to our DART blog series to learn more about the Microsoft Detection and Response Team.

