Microsoft 365 Defender Team, Author at Microsoft Security Blog

Inside Microsoft 365 Defender: Solving cross-domain security incidents through the power of correlation analytics
http://approjects.co.za/?big=en-us/security/blog/2020/07/29/inside-microsoft-threat-protection-solving-cross-domain-security-incidents-through-the-power-of-correlation-analytics/
Wed, 29 Jul 2020 16:30:03 +0000

Through deep correlation logic, Microsoft Threat Protection automatically finds links between related signals across domains. It connects related existing alerts and generates additional alerts where suspicious events that could otherwise be missed can be detected.

In theory, a cyberattack can be disrupted at every phase of the attack chain. In reality, however, defense stack boundaries should overlap in order to be effective. When a threat comes via email, for example, even with good security solutions in place, organizations must assume that the threat may slip past email defenses, reach the target recipient, and further compromise endpoints and identities. While defenses on endpoints and identities could successfully tackle the attack in isolation, coordinating signals across protection components significantly increases the ability of these solutions to block and mitigate.

Microsoft 365 Defender (previously Microsoft Threat Protection) takes this approach and delivers coordinated defense that binds together multiple solutions in the Microsoft 365 security portfolio. Microsoft 365 Defender continuously and seamlessly scours endpoints, email and docs, cloud app, and identity activities for suspicious signals. Through deep correlation logic, Microsoft 365 Defender automatically finds links between related signals across domains. It connects related existing alerts and generates additional alerts where suspicious events that could otherwise be missed can be detected. We call these correlated cybersecurity attacks “incidents.”

How Microsoft 365 Defender’s advanced correlation makes SOC analysts’ work easier and more efficient

Microsoft 365 Defender’s incident creation logic combines AI technology and our security experts’ collective domain knowledge, and builds on broad optics to provide comprehensive coverage. These correlations align with the MITRE ATT&CK framework over a unified schema of attack entities, enabling Microsoft 365 Defender to automatically connect the dots between seemingly unrelated signals.

Incidents ensure that elements otherwise spread across various portals and queues are presented in a single coherent view, helping security operations centers (SOC) in important ways. First, they reduce the SOC’s workload: incidents automatically collect and correlate isolated alerts and other related security events, so analysts have fewer, more comprehensive work items in their queue. Second, SOC analysts can analyze related alerts, affected assets, and other evidence together, reducing the need for manual correlation and making it easier and faster to understand the complete attack story and take informed actions.

Attack sprawl illustrated

The sophistication of today’s threats, including nation-state attacks and human-operated ransomware campaigns, highlights why coordinated defense is critical to keeping organizations protected.

To illustrate how Microsoft 365 Defender protects against such sophisticated attacks, we asked our security research team to simulate an end-to-end attack chain across multiple domains, based on techniques we observed in actual investigations.

Their attack starts with a spear-phishing email targeting a specific user. The email contains a link that, when clicked, leads to the download of a malicious .lnk file that stages the Meterpreter payload. With their malicious code running on the target device, the attackers perform reconnaissance to understand which users have signed into the device and which other devices these users have access to. For example, in this case, they find the credentials of an IT helpdesk team member. Impersonating this IT helpdesk team member via overpass-the-hash, the attackers are able to move laterally to a second device.

On the second device, they steal the user’s web credentials, which they use to remotely access the user’s cloud apps like OneDrive or SharePoint. This allows the attackers to insert a malicious macro into an existing online Word document, which they then deploy in a lateral phishing attack by distributing links to the malicious document to other users in the organization.

Diagram showing an attack chain involving attack sprawl and techniques like overpass-the-hash

Figure 1. Our attack case scenario showing the initial access through spear-phishing and lateral movement through overpass-the-hash attack

When we ran this attack in our simulation environment, Microsoft 365 Defender was able to track attacker activities as they accessed the target organization, established foothold, and moved across the network. Then, invoking advanced correlation, Microsoft 365 Defender automatically collected all signals, alerts, and relevant entities into a single comprehensive incident representing the whole attack:

Screenshot of the incidents view in Microsoft security center

Figure 2. Incident showing the full attack chain and affected entities

Initial access: Correlating email, identity, and endpoint signals

Let’s look behind the scenes to understand how Microsoft 365 Defender connects the dots in such an attack.

When the target of the initial spear-phishing email clicks the URL in the email, a malicious .lnk file is downloaded and run on the device. In such a scenario, Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection) flags both the email and the URL as malicious and raises an alert. Normally, SOC analysts would analyze this alert, extract attacker indicators such as the malicious URL, manually search for all devices where this malicious URL was clicked, then take remediation actions on those devices.

Microsoft 365 Defender automates this process and saves time. The intelligence behind Microsoft 365 Defender correlations combines Microsoft Defender for Office 365 signals, Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection) events, and Azure Active Directory (Azure AD) identity data to find the relevant malicious URL click activity on affected devices, even before SOC analysts start looking at the alert. The automatic correlation of email, identity, and endpoint signals across on-premises and cloud entities raises the alert “Suspicious URL clicked”. Through this correlation-driven alert, Microsoft 365 Defender helps the SOC expand its understanding of the attack using all relevant pieces of evidence and automates the search for compromised devices.

Screenshot of Microsoft security center showing list of alerts and highlighting the correlation-driven alert "Suspicious URL clicked"

Figure 3. Microsoft 365 Defender correlation-driven alert “Suspicious URL clicked”

Lateral movement: Correlating overpass-the-hash attack on one device and suspicious sign-in on another

So we’ve seen how automatic correlation allows Microsoft 365 Defender to uncover attacker activity related to initial access. The same capability exposes the next stages in the attack chain: credential theft and lateral movement.

Diagram showing an attack chain and showing correlation of cross-domain signals

Figure 4. Attack scenario showing alerts raised by correlation of cross-domain signals

In the next stage, the attackers use the overpass-the-hash method, a well-known impersonation technique. They control one device in the network where a domain user, like the IT helpdesk team member, is currently signed in. They then harvest NTLM credentials stored on the device to obtain a Kerberos ticket on the user’s behalf. The Kerberos ticket is a valid ticket that’s encrypted with the credentials of the domain user, allowing the attackers to pretend to be that user and access all resources that the user can access. Once attackers obtain credentials for a user with high privileges, they use the stolen credentials to sign in to other devices and move laterally.

In such cases, Microsoft Defender for Identity (previously Azure Advanced Threat Protection) raises an alert on the suspicious Kerberos ticket, pointing to a potential overpass-the-hash attack. What would SOC analysts do at this point when investigating an overpass-the-hash alert? They would probably start enumerating all the users who signed in to the compromised device. They would also enumerate all other sign-ins for these users and further activities propagating to other devices in the network, all while mentally building an attack graph.

Saving precious time and eliminating manual work, Microsoft 365 Defender determines that the lateral movement activity is related to the earlier initial access. As a result, Microsoft 365 Defender correlates this activity, as well as users and devices involved, into the same incident, exposing other related activities and surfacing them as additional alerts in the same incident.

Screenshot of Microsoft security center showing list of alerts and highlighting the correlation-driven alert "Successful logon using potentially stolen credentials"

Figure 5. Correlating the overpass-the-hash alert

Microsoft 365 Defender also finds related sign-in events following the overpass-the-hash attack to trace the footprint of the impersonated user and surfaces alerts for malicious sign-ins made by the attacker. This allows Microsoft 365 Defender to elevate a series of raw sign-in events (which, when considered on their own, may lack context for detection) to alerts. The correlation-driven alert “Successful logon using potentially stolen credentials” instantly flags the compromised endpoints and pinpoints the start of the malicious activity in the timeline.
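To make the two correlation-driven alerts described in this section and the initial-access section concrete, here is an added toy correlation engine (example code, not Microsoft's implementation, run over constructed sample telemetry): an email alert naming a malicious URL is joined with endpoint URL-click events to derive “Suspicious URL clicked”, an impersonation alert for a user on one device is joined with that user's later sign-ins to other devices to derive “Successful logon using potentially stolen credentials”, and all alerts sharing a user or device entity are merged into one incident. Product names, user names, device names and the URL are constructed labels.

```python
"""Toy cross-domain correlation: link email, endpoint and identity signals
into one incident. All telemetry below is constructed sample data."""
from datetime import datetime, timedelta

T0 = datetime(2020, 7, 1, 9, 0)
BAD_URL = "http://malicious.example/invoice.lnk"  # constructed indicator

# One list per domain. "users"/"devices" are the alert's entity sets.
EMAIL_ALERTS = [{"title": "Malicious URL in email", "url": BAD_URL,
                 "users": {"dana"}, "devices": set(), "time": T0}]
URL_CLICKS = [  # endpoint telemetry: who clicked which URL on which device
    {"device": "WS01", "user": "dana", "url": BAD_URL, "time": T0 + timedelta(minutes=5)},
    {"device": "WS02", "user": "lee", "url": BAD_URL, "time": T0 + timedelta(minutes=9)},
    {"device": "WS03", "user": "dana", "url": "http://intranet.example/", "time": T0 + timedelta(minutes=7)},
]
IDENTITY_ALERTS = [{"title": "Suspected overpass-the-hash attack", "url": None,
                    "users": {"helpdesk1"}, "devices": {"WS01"}, "time": T0 + timedelta(hours=1)}]
SIGNINS = [  # identity telemetry: interactive sign-ins
    {"device": "WS01", "user": "helpdesk1", "time": T0 - timedelta(days=1)},  # before the alert
    {"device": "SRV01", "user": "helpdesk1", "time": T0 + timedelta(hours=1, minutes=12)},
    {"device": "SRV02", "user": "pat", "time": T0 + timedelta(hours=2)},
]

def correlate_url_clicks(email_alerts, clicks):
    """Email domain says URL X is malicious -> find endpoint clicks on X."""
    out = []
    for a in email_alerts:
        hits = [c for c in clicks if c["url"] == a["url"]]
        if hits:
            out.append({"title": "Suspicious URL clicked", "url": a["url"],
                        "users": {c["user"] for c in hits},
                        "devices": {c["device"] for c in hits},
                        "time": min(c["time"] for c in hits)})
    return out

def correlate_stolen_credential_logons(identity_alerts, signins):
    """After an impersonation alert for user U on device D, flag every later
    sign-in of U to a different device; earlier sign-ins are left alone."""
    out = []
    for a in identity_alerts:
        hits = [s for s in signins if s["user"] in a["users"]
                and s["device"] not in a["devices"] and s["time"] > a["time"]]
        if hits:
            out.append({"title": "Successful logon using potentially stolen credentials",
                        "url": None, "users": set(a["users"]),
                        "devices": {s["device"] for s in hits},
                        "time": min(s["time"] for s in hits)})
    return out

def entities(alert):
    return {("user", u) for u in alert["users"]} | {("device", d) for d in alert["devices"]}

def build_incidents(alerts):
    """Merge alerts that share any user or device entity, transitively,
    so the incident grows into an attack graph ordered by first-seen time."""
    incidents = []  # each: {"alerts": [...], "entities": set()}
    for a in sorted(alerts, key=lambda x: x["time"]):
        ents = entities(a)
        touching = [i for i in incidents if i["entities"] & ents]
        merged = {"alerts": [a], "entities": set(ents)}
        for i in touching:
            merged["alerts"] += i["alerts"]
            merged["entities"] |= i["entities"]
            incidents.remove(i)
        incidents.append(merged)
    return incidents

def run():
    derived = (correlate_url_clicks(EMAIL_ALERTS, URL_CLICKS)
               + correlate_stolen_credential_logons(IDENTITY_ALERTS, SIGNINS))
    return build_incidents(EMAIL_ALERTS + IDENTITY_ALERTS + derived)

if __name__ == "__main__":
    for inc in run():
        print(sorted(a["title"] for a in inc["alerts"]), sorted(inc["entities"]))
```

With this data the four alerts collapse into a single incident spanning three users and three devices, while the benign click on WS03 and the unrelated sign-in on SRV02 stay out of it.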

Screenshot of Microsoft security center showing correlation-driven alerts that determine the start of the attack

Figure 6. Correlation-driven alert can help determine the start of the attack

Lateral phishing: Correlating email, cloud, and device data

Using the breadth and depth of information available from the incident, SOC analysts can further expand their investigation. The quick pivot Go hunt action allows SOC analysts to run an exhaustive, predefined query to hunt for relevant or similar threats and malicious activities from endpoints to the cloud, whether issued from inside the network or outside organizational boundaries.

Screenshot of Microsoft security center showing the Go hunt action

Figure 7. Generating a hunting query with a single click

In this attack scenario, the query that Go hunt auto-generates instantly reveals suspicious OneDrive activity: while the user is operating from Great Britain, somebody from Sweden with the same account name seems to have downloaded a .docx file and replaced it with a similar file with .doc extension, indicating the insertion of the malicious macro.

Screenshot of Microsoft security center showing results of the Go hunt query, which reveals additional suspicious activity

Figure 8. “Go hunt” on the compromised user reveals suspicious activity

SOCs can further follow the propagation of the replaced file using an additional hunting query that combines email, OneDrive, and device data to find more affected users and devices, allowing SOC analysts to assess if additional compromise occurred and to take remediation actions. In our next blog post, we’ll provide more details about the investigation and hunting aspects of this scenario.

Conclusion: Connecting the dots and enriching incidents with more signals that tell the story

In this blog we demonstrated Microsoft 365 Defender’s unique ability to correlate signals across email and docs, devices, identities, and cloud apps, and present attack evidence in a unified form. Incidents significantly improve SOC efficiency by eliminating the need to use different portals and manually finding and connecting events, as well as enabling investigation and comprehensive response to attacks. The incident view shows alerts, affected entities, and related activities from across Microsoft 365 security solutions in a unified view.

Automatic correlations enrich incidents by consolidating relevant events and raising new alerts on malicious activities that couldn’t be flagged by any individual product on its own. These correlations paint a seamless attack story across perimeters by building an attack graph that SOC analysts can follow, starting with the earliest initial access.

Diagram showing automatic correlation of signals and alerts across domains

Figure 9. Automatic correlation across domains

Microsoft 365 Defender harnesses the power of Microsoft 365 security products to deliver unparalleled coordinated defense that detects, correlates, blocks, remediates, and prevents attacks across an organization’s Microsoft 365 environment. Existing Microsoft 365 licenses provide access to Microsoft 365 Defender features in Microsoft 365 security center without additional cost. To start using Microsoft 365 Defender, go to security.microsoft.com.

Learn how Microsoft 365 Defender can help your organization to stop attacks with coordinated defense. Read these blog posts in the Inside Microsoft 365 Defender series:

Stefan Sellmer, Tali Ash, Tal Maor

Microsoft 365 Defender Team


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft 365 Defender tech community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post Inside Microsoft 365 Defender: Solving cross-domain security incidents through the power of correlation analytics appeared first on Microsoft Security Blog.

Inside Microsoft 365 Defender: Correlating and consolidating attacks into incidents
http://approjects.co.za/?big=en-us/security/blog/2020/07/09/inside-microsoft-threat-protection-correlating-and-consolidating-attacks-into-incidents/
Thu, 09 Jul 2020 16:00:27 +0000

The incidents view in Microsoft Threat Protection empowers SOC analysts by automatically fusing attack evidence and providing a consolidated view of an attack chain and affected assets, as well as a single-click remediation with easy-to-read analyst workflows.

Cybersecurity incidents are never contained to just one of your organization’s assets. Most attacks involve multiple elements across domains, including email, endpoints, identities, and applications. To rapidly understand and address incidents, your Security Operations Center (SOC) analysts need to be able to see and track all the signals from each domain, correlate and group alerts that are related, prioritize them based on their severity level, and remediate all affected assets to return them and your workforce to a secure state.

Getting a unified view of an attack is a top SOC analyst priority for quickly building the end-to-end picture of an attack and tracking all the details necessary for effective remediation. Navigating multiple products and switching between tools introduces friction that slows down investigations, giving attackers more time to inflict damage.

Microsoft 365 Defender (previously Microsoft Threat Protection) addresses this critical SOC need through incidents, which empower SOC analysts by automatically fusing attack evidence and providing a consolidated view of an attack chain and affected assets, as well as a single-click remediation with easy-to-read analyst workflows. Microsoft 365 Defender harnesses the power of multiple solutions in the Microsoft 365 security portfolio – Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection), Microsoft Defender for Identity (previously Azure Advanced Threat Protection), Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection), and Microsoft Defender for Cloud Apps (previously Microsoft Cloud App Security) – to deliver cross-domain visibility and coordinated defense.

A complete look at the attack chain to prevent attack sprawl

A typical attack starts with a phishing email that installs malware on an endpoint. The malware then steals the user’s credentials, which the attackers utilize to access resources on other endpoints, on-premises applications, and cloud services. Individual security solutions that focus on only one domain may alert on and remediate a portion of the attack but will likely miss other parts of the attacker operations, putting an organization at risk while creating a false sense of security.

The incidents view in Microsoft 365 Defender solves this challenge by providing a single place to view and investigate an attack across stages, from initial access to impact. Based on individual detection leads, Microsoft 365 Defender uses artificial intelligence (AI) to automatically expand an investigation, like an experienced analyst would, and gather related telemetry and other alerts that belong to the same attack. Microsoft 365 Defender also uses AI to continually analyze the vast amount of available data and, if necessary, suggest more evidence for the analyst to add to the incident. This enables your SOC analysts to focus on what matters, while Microsoft 365 Defender saves them time and helps discover undetected evidence.

Even if you don’t have all the Microsoft 365 security solutions in your organization, Microsoft 365 Defender incidents correlate threat data for the services you have deployed, reducing the clutter and providing one view of the attack, including all relevant alerts, impacted assets and associated risk levels, remediation actions and status.

Screenshot of Microsoft 365 security center showing the overview tab of the Incidents view

Streamlining investigations across domains

Microsoft 365 Defender simplifies the complex task of investigating end-to-end attacks by allowing SOC analysts to pivot and see entities – devices, files, users, emails, and processes – in the right context within a single view.

Microsoft 365 Defender breaks down the silos and combines all alerts and insights automatically across Microsoft 365 services to reveal the full picture, helping ease digital forensics work for SOC analysts. This also enables analysts to gain comprehensive understanding of attacks that they wouldn’t otherwise get from isolated out-of-context alerts.

But Microsoft 365 Defender doesn’t stop there. To help support effective triage processes, Microsoft 365 Defender prioritizes incidents, illustrates the attack chain progression, shows the attack timeline, and generates a comprehensive name for the incident. With just one click, analysts can answer questions like: Does a file observed on one device exist on other devices? Which email messages did a file come from, and was this file also shared through a cloud app?

In addition, SOC analysts can easily search for additional related activities with Go hunt, which automatically creates and runs an advanced hunting query based on information from the incident. SOC analysts can also use attack-specific insights gained during hunting to capture fine-tuned logic and nuances in a custom detection. Custom detections continuously hunt for new activities and pull new findings to the relevant incident automatically, further enriching your view of the attack.

A clear view of the remediation status

When your organization is under attack, it’s essential to act swiftly but thoughtfully through a thorough understanding at any point in time of the remediation status of all affected assets and entities. Microsoft 365 Defender incidents play a critical part in remediation by:

  • Taking some of the burden off the analysts’ shoulders by launching automated investigation and response (AIR) self-healing playbooks that conduct in-depth asset-based investigation and work to find and remediate all malicious evidence (attack tools, malware), persistence methods (OAuth apps, ASEPs on devices), and exfiltration activities (email forwarding rules, SPO shares)
  • Orchestrating cross-asset and cross-domain playbook invocations, tracking attacker activity across the environment
  • Providing a comprehensive view of the remediation status based on actions taken by AIR, in addition to manual actions by the analyst

When the investigation is complete, Microsoft 365 Defender incidents capture the investigation comments for record-keeping and knowledge-sharing with peers, with easy and in-context information for reference.

Microsoft 365 Defender provides the SOC with a complete picture of attacks in real time

The incidents view in Microsoft 365 Defender correlates alerts and all affected entities into a cohesive view that enables your SOC to determine the full scope of threats across your Microsoft 365 services. Armed with a complete picture of attacks in real time, your SOC is better empowered to defend your organization against threats.

Microsoft 365 Defender delivers coordinated defense by leveraging the power of multiple Microsoft 365 security solutions. Through automation, built-in intelligence, and end-to-end visibility into malicious activities, Microsoft 365 Defender detects, correlates, blocks, remediates, and prevents attacks.

Microsoft 365 Defender harnesses the power of Microsoft 365 security products to deliver unparalleled coordinated defense that detects, correlates, blocks, remediates, and prevents attacks across an organization’s Microsoft 365 environment. Existing Microsoft 365 licenses provide access to Microsoft 365 Defender features in Microsoft 365 security center without additional cost. To start using Microsoft 365 Defender, go to security.microsoft.com.

Learn how Microsoft 365 Defender can help your organization to stop attacks with coordinated defense. Read these blog posts in the Inside Microsoft 365 Defender series:

Idan Pelleg

Microsoft 365 Defender Team


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft 365 Defender tech community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post Inside Microsoft 365 Defender: Correlating and consolidating attacks into incidents appeared first on Microsoft Security Blog.
