Microsoft Security Experts News and Insights | Microsoft Security Blog http://approjects.co.za/?big=en-us/security/blog/products/microsoft-security-experts/ Expert coverage of cybersecurity topics Tue, 19 Nov 2024 20:20:01 +0000 en-US hourly 1 https://wordpress.org/?v=6.6.2 File hosting services misused for identity phishing http://approjects.co.za/?big=en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/ Tue, 08 Oct 2024 16:00:00 +0000 Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks.

The post File hosting services misused for identity phishing appeared first on Microsoft Security Blog.

]]>
Microsoft has observed campaigns misusing legitimate file hosting services increasingly use defense evasion tactics involving files with restricted access and view-only restrictions. While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants. These campaigns are intended to compromise identities and devices, and most commonly lead to business email compromise (BEC) attacks to propagate campaigns, among other impacts such as financial fraud, data exfiltration, and lateral movement to endpoints.

Legitimate hosting services, such as SharePoint, OneDrive, and Dropbox, are widely used by organizations for storing, sharing, and collaborating on files. However, the widespread use of such services also makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures.

Importantly, Microsoft takes action against malicious users violating the Microsoft Services Agreement in how they use apps like SharePoint and OneDrive. To help protect enterprise accounts from compromise, by default both Microsoft 365 and Office 365 support multi-factor authentication (MFA) and passwordless sign-in. Consumers can also go passwordless with their Microsoft account. Because security is a team sport, Microsoft also works with third parties like Dropbox to share threat intelligence and protect mutual customers and the wider community.

In this blog, we discuss the typical attack chain used in campaigns misusing file hosting services and detail the recently observed tactics, techniques, and procedures (TTPs), including the increasing use of certain defense evasion tactics. To help defenders protect their identities and data, we also share mitigation guidance to help reduce the impact of this threat, and detection details and hunting queries to locate potential misuse of file hosting services and related threat actor activities. By understanding these evolving threats and implementing the recommended mitigations, organizations can better protect themselves against these sophisticated campaigns and safeguard digital assets.

Attack overview

Phishing campaigns exploiting legitimate file hosting services have been trending throughout the last few years, especially due to the relative ease of the technique. The files are delivered through different approaches, including email and email attachments like PDFs, OneNote, and Word files, with the intent of compromising identities or devices. These campaigns are different from traditional phishing attacks because of the sophisticated defense evasion techniques used.

Since mid-April 2024, we observed threat actors increasingly use these tactics aimed at circumventing defense mechanisms:

  • Files with restricted access: The files sent through the phishing emails are configured to be accessible solely to the designated recipient. This requires the recipient to be signed in to the file-sharing service—be it Dropbox, OneDrive, or SharePoint—or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service.
  • Files with view-only restrictions: To bypass analysis by email detonation systems, the files shared in these phishing attacks are set to ‘view-only’ mode, disabling the ability to download and consequently, the detection of embedded URLs within the file.

An example attack chain is provided below, depicting the updated defense evasion techniques being used across stages 4, 5, and 6:

Attack chain diagram. Step 1, attacker compromises a user of a trusted vendor via password spray/AiTM​ attack. Step 2, attacker replays stolen token a few hours later to sign into the user’s file hosting app​. Step 3, attacker creates a malicious file in the compromised user’s file hosting app​. Step 4, attacker shares the file with restrictions to a group of targeted recipients. Step 5, targeted recipient accesses the automated email notification with the suspicious file. Step 6, recipient is required to re-authenticate before accessing the shared file​. Step 7, recipient accesses the malicious shared file link​, directing to an AiTM page. Step 8, recipient submits password and MFA, compromising the user’s session token. Lastly, step 9, file shared on the compromised user’s file hosting app is used for further AiTM and BEC attack​s.
Figure 1. Example attack chain

Initial access

The attack typically begins with the compromise of a user within a trusted vendor. After compromising the trusted vendor, the threat actor hosts a file on the vendor’s file hosting service, which is then shared with a target organization. This misuse of legitimate file hosting services is particularly effective because recipients are more likely to trust emails from known vendors, allowing threat actors to bypass security measures and compromise identities. Often, users from trusted vendors are added to allow lists through policies set by the organization on Exchange Online products, enabling phishing emails to be successfully delivered.

While file names observed in these campaigns also included the recipients, the hosted files typically follow these patterns:

  • Familiar topics based on existing conversations
    • For example, if the two organizations have prior interactions related to an audit, the shared files could be named “Audit Report 2024”.
  • Familiar topics based on current context
    • If the attack has not originated from a trusted vendor, the threat actor often impersonates administrators or help desk or IT support personnel in the sender display name and uses a file name such as “IT Filing Support 2024”, “Forms related to Tax submission”, or “Troubleshooting guidelines”.
  • Topics based on urgency
    • Another common technique observed by the threat actors creating these files is that they create a sense of urgency with the file names like “Urgent:Attention Required” and “Compromised Password Reset”.

Defense evasion techniques

Once the threat actor shares the files on the file hosting service with the intended users, the file hosting service sends the target user an automated email notification with a link to access the file securely. This email is not a phishing email but a notification for the user about the sharing action. In scenarios involving SharePoint or OneDrive, the file is shared from the user’s context, with the compromised user’s email address as the sender. However, in the Dropbox scenario, the file is shared from no-reply@dropbox[.]com. The files are shared through automated notification emails with the subject: “<User> shared <document> with you”. To evade detections, the threat actor deploys the following additional techniques:

  • Only the intended recipient can access the file
    • The intended recipient needs to re-authenticate before accessing the file
    • The file is accessible only for a limited time window
  • The PDF shared in the file cannot be downloaded

These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted.

Identity compromise

When the targeted user accesses the shared file, the user is prompted to verify their identity by providing their email address:

Screenshot of the SharePoint identity verification page
Figure 2. Screenshot of SharePoint identity verification

Next, an OTP is sent from no-reply@notify.microsoft[.]com. Once the OTP is submitted, the user is successfully authorized and can view a document, often masquerading as a preview, with a malicious link, which is another lure to make the targeted user click the “View my message” access link.

Screenshot displaying a message noting a completed document due on 7/11/2024. The button at the bottom states "View my message".
Figure 3. Final landing page post authorization

This link redirects the user to an adversary-in-the-middle (AiTM) phishing page, where the user is prompted to provide the password and complete multifactor authentication (MFA). The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign.

Microsoft recommends the following mitigations to reduce the impact of this threat:

Appendix

Microsoft Defender XDR detections

Microsoft Defender XDR raises the following alerts by combining Microsoft Defender for Office 365 URL click and Microsoft Entra ID Protection risky sign-ins signal.

  • Risky sign-in after clicking a possible AiTM phishing URL
  • User compromised through session cookie hijack
  • User compromised in a known AiTM phishing kit

Hunting queries

Microsoft Defender XDR 

The file sharing events related to the activity in this blog post can be audited through the CloudAppEvents telemetry. Microsoft Defender XDR customers can run the following query to find related activity in their networks: 

Automated email notifications and suspicious sign-in activity

By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files.

let usersWithSuspiciousEmails = EmailEvents
    | where SenderFromAddress in ("no-reply@notify.microsoft.com", "no-reply@dropbox.com") or InternetMessageId startswith "<OneTimePasscode"
    | where isnotempty(RecipientObjectId)
    | distinct RecipientObjectId;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100

Files share contents and suspicious sign-in activity

In the majority of the campaigns, the file name involves a sense of urgency or content related to finance or credential updates. By correlating the file share emails with suspicious sign-ins, compromises can be detected. (For example: Alex shared “Password Reset Mandatory.pdf” with you). Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection.

let usersWithSuspiciousEmails = EmailEvents
    | where Subject has_all ("shared", "with you")
    | where Subject has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password")
    | where isnotempty(RecipientObjectId)
    | summarize RecipientCount = dcount(RecipientObjectId), RecipientList = make_set(RecipientObjectId) by Subject
    | where RecipientCount >= 10
    | mv-expand RecipientList to typeof(string)
    | distinct RecipientList;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100

BEC: File sharing tactics based on the file hosting service used

To initiate the file sharing activity, these campaigns commonly use certain action types depending on the file hosting service being leveraged. Below are the action types from the audit logs recorded for the file sharing events. These action types can be used to hunt for activities related to these campaigns by replacing the action type for its respective application in the queries below this table.

ApplicationAction typeDescription
OneDrive/
SharePoint
AnonymousLinkCreatedLink created for the document, anyone with the link can access, prevalence is rare since mid-April 2024
SharingLinkCreatedLink created for the document, accessible for everyone, prevalence is rare since mid-April 2024
AddedToSharingLinkComplete list of users with whom the file is shared is available in this event
SecureLinkCreatedLink created for the document, specifically can be accessed only by a group of users. List will be available in the AddedToSecureLink Event
AddedToSecureLinkComplete list of users with whom the file is securely shared is available in this event
DropboxCreated shared linkA link for a file to be shared with external user created
Added shared folder to own DropboxA shared folder was added to the user’s Dropbox account
Added users and/or groups to shared file/folderThese action types include the list of external users with whom the files have been shared.
Changed the audience of the shared link
Invited user to Dropbox and added them to shared file/folder

OneDrive or SharePoint: The following query highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding this can help identify lateral movements and BEC attacks.

let securelinkCreated = CloudAppEvents
    | where ActionType == "SecureLinkCreated"
    | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
let filesCreated = securelinkCreated
    | where isnotempty(ObjectName)
    | distinct tostring(ObjectName);
CloudAppEvents
| where ActionType == "AddedToSecureLink"
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| extend FileShared = tostring(RawEventData.ObjectId)
| where FileShared in (filesCreated)
| extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
| extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
| where TypeofUserSharedWith == "Guest"
| where isnotempty(FileShared) and isnotempty(UserSharedWith)
| join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
// Secure file created recently (in the last 1day)
| where (Timestamp - FileCreatedTime) between (1d .. 0h)
| summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
| where NumofUsersSharedWith >= 20

Dropbox: The following query highlights that a file hosted on Dropbox has been shared with multiple participants.

CloudAppEvents
| where ActionType in ("Added users and/or groups to shared file/folder", "Invited user to Dropbox and added them to shared file/folder")
| where Application == "Dropbox"
| where ObjectType == "File"
| extend FileShared = tostring(ObjectName)
| where isnotempty(FileShared)
| mv-expand ActivityObjects
| where ActivityObjects.Type == "Account" and ActivityObjects.Role == "To"
| extend SharedBy = AccountId
| extend UserSharedWith = tostring(ActivityObjects.Name)
| summarize dcount(UserSharedWith) by FileShared, AccountObjectId
| where dcount_UserSharedWith >= 20

Microsoft Sentinel

Microsoft Sentinel customers can use the resources below to find related activities similar to those described in this post:

The following query identifies files with specific keywords that attackers might use in this campaign that have been shared through OneDrive or SharePoint using a Secure Link and accessed by over 10 unique users. It captures crucial details like target users, client IP addresses, timestamps, and file URLs to aid in detecting potential attacks:

let OperationName = dynamic(['SecureLinkCreated', 'AddedToSecureLink']);
OfficeActivity
| where Operation in (OperationName)
| where OfficeWorkload in ('OneDrive', 'SharePoint')
| where SourceFileName has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password", "paycheck", "bank statement", "bank details", "closing", "funds", "bank account", "account details", "remittance", "deposit", "Reset")
| summarize CountOfShares = dcount(TargetUserOrGroupName), 
            make_list(TargetUserOrGroupName), 
            make_list(ClientIP), 
            make_list(TimeGenerated), 
            make_list(SourceRelativeUrl) by SourceFileName, OfficeWorkload
| where CountOfShares > 10

Considering that the attacker compromises users through AiTM,  possible AiTM phishing attempts can be detected through the below rule:

In addition, customers can also use the following identity-focused queries to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor:

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post File hosting services misused for identity phishing appeared first on Microsoft Security Blog.

]]>
​​Microsoft is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms http://approjects.co.za/?big=en-us/security/blog/2024/09/25/microsoft-is-named-a-leader-in-the-2024-gartner-magic-quadrant-for-endpoint-protection-platforms/ Wed, 25 Sep 2024 19:00:00 +0000 Gartner® names Microsoft a Leader in Endpoint Protection Platforms—a reflection, we believe, of our continued progress in helping organizations protect their endpoints against even the most sophisticated attacks, while driving continued efficiency for security operations center teams.

The post ​​Microsoft is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms appeared first on Microsoft Security Blog.

]]>
Since 2023, Microsoft has seen a 2.75 times increase in the number of organizations encountering ransomware campaigns.1 And up to 90% of successful ransomware campaigns leverage unmanaged endpoints, which are typically personal devices that people bring to work.1 While the number of ransomware attempts has increased drastically, Microsoft Defender for Endpoint has reduced the percent of successful ransomware attacks at a higher rate—more than three times over the same time period.1

The key to fighting ransomware at scale is Microsoft’s unwavering commitment to simplifying, automating, and augmenting security analyst workstreams to meet the demands of today’s and tomorrow’s cyberthreat environment. We are excited to announce that Gartner has named Microsoft a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms for the fifth consecutive time. We believe this announcement reflects Microsoft’s continued progress in helping organizations protect their endpoints against even the most sophisticated attacks, while driving continued efficiency for security operations center (SOC) teams.

Microsoft Defender for Endpoint is an endpoint security platform that helps organizations secure their digital estate using AI-powered, industry-leading endpoint detection and response across Windows, Linux, macOS, Android, iOS, and Internet of Things (IoT) devices. It is core to Microsoft Defender XDR and built on global threat intelligence—informed by more than 78 trillion daily signals and more than 10,000 security experts—empowering security teams to fend off sophisticated threats.2

Graphic with four boxes showing Gartner's Magic Quadrant for Endpoint Protection Platforms that puts Microsoft as a Leader.

Our customers and partners have been an invaluable part of this multiyear journey, and we are grateful for both their business and their partnership. Read the complimentary report providing more details on our positioning as a Leader.

Microsoft Defender for Endpoint is built from the ground up with operational resilience in mind. It starts with our agent architecture that follows best practices for Windows by limiting its reliance on kernel mode while protecting customers in real-time. It does not load content updates from files in the kernel mode driver. As an added safeguard, we deliver updates to customers applying Microsoft’s long-established safe deployment practices (SDP) model. Customers have full control over how these updates are delivered and how controls are applied to their device estate. This model of shared control helps provide security and resiliency. 

Over the last 12 months, Microsoft has delivered significant innovations that have helped defenders gain the upper hand against cyberthreats including: improved attack disruption, Microsoft Copilot for Security, a new Linux agent, simplified settings management, the unified security operations platform and Microsoft Defender Experts for XDR.

Automatic attack disruption, unique to Microsoft, is a self-defense capability that stops in-progress cyberattacks by analyzing the attacker’s intent, identifying compromised assets, and isolating or disabling assets like users or devices at machine speed. For example, in July 2024 we discovered the CVE-2024-37085 vulnerability. Numerous ransomware operators exploited it to encrypt the entire file system and move laterally in the network. Attack disruption fends off such sophisticated ransomware attempts by blocking lateral movement and remote encryption in a decentralized way across all your device estate—in just three minutes on average.3 This is a capability that Microsoft continues to invest in to disrupt more scenarios even earlier in the cyberattack chain.  

Microsoft Copilot for Security is the industry’s first generative AI that empowers security teams to protect at the speed and scale of AI, generally available as of April 2024. Embedded within the Defender XDR experience, it assists analysts by providing enriched context for faster and smarter decisions. It accelerates investigation, containment, and remediation with prescriptive step-by-step guidance. Analysts can now easily understand attacker actions with intuitive script analysis and launch complex Kusto Query Language (KQL) queries using plain language. The results from a randomized controlled trial based on 147 security professionals showed significant efficiency gains including speed and quality improvements when using Copilot for Security. Security professionals were up to 22% faster across all tasks, and more than 93% of users wanted to use Copilot again.

A new Linux agent has been built from scratch, using eBPF sensor technology to deliver the performance and stability needed for mission-critical server workloads while providing visibility into cyberthreats. We continue prioritizing innovations across every type of endpoint from Windows, Linux, macOS, iOS, Android, and IoT to provide the holistic endpoint security that organizations need.

Simplified setup and change management help analysts configure devices correctly to minimize threat exposure. With the general availability of simplified settings management, SOC analysts can manage security policies without leaving the Defender XDR portal.

Unified security operations platform brings the foundational tools a SOC needs into a single experience, with a consistent data model, unified capabilities, and broad protection. This unification helps SOCs close critical security gaps and streamline their operations, delivering better overall protection, reducing their response time, and improving overall efficiency. Defender for Endpoint is core to this platform, which combines “the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and generative AI for security.” By working seamlessly across Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Copilot for Security, security analysts need only a single set of automation rules and playbooks. Plus, they can use plain language to execute complex tasks in an instant with Copilot for Security embedded in the platform.

Microsoft Defender Experts for XDR gives your security team coverage with around-the-clock access to Microsoft expertise. Recognizing that sophisticated cyberthreats go beyond the endpoint, Microsoft offers Microsoft Defender Experts for XDR. This managed service is available 24 hours a day, 7 days a week, helping organizations extend their SOC team to fully triage events and respond to incidents across domains.

Thank you to all our customers. You inspire us as together we work to create a safer world.

Learn more

If you’re not yet taking advantage of Microsoft’s leading endpoint security solution, visit Microsoft Defender for Endpoint and start a free trial today to evaluate our leading endpoint protection platform. 

Are you a regular user of Microsoft Defender for Endpoint? Review your experience on Gartner Peer Insights™ and get a $25 gift card.    

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


12024 Microsoft Digital Defense Report. Publishing October 15, 2024.

2Microsoft Digital Defense Report, Microsoft. 2023.

3Get end-to-end protection with Microsoft’s unified security operations platform, now in public preview, Rob Lefferts. April 3, 2024.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Franz Hinner, Deepak Mishra, Satarupa Patnaik, Chris Silva, September 23, 2024. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, MAGIC QUADRANT and PEER INSIGHTS are registered trademarks of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

The post ​​Microsoft is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms appeared first on Microsoft Security Blog.

]]>
The art and science behind Microsoft threat hunting: Part 3 http://approjects.co.za/?big=en-us/security/blog/2024/08/28/the-art-and-science-behind-microsoft-threat-hunting-part-3/ Wed, 28 Aug 2024 19:00:00 +0000 In this blog post, read how Microsoft Incident Response leverages three types of threat intelligence to enhance incident response scenarios.

The post The art and science behind Microsoft threat hunting: Part 3 appeared first on Microsoft Security Blog.

]]>
Earlier in Part 11 and Part 22 of this blog series, Microsoft Incident Response outlined the strategies, methodologies, and approaches that are used while performing a cyberthreat hunt in both pre- and post-compromised environments. This chapter outlines how Microsoft Incident Response, in collaboration with partner security teams, leverages three distinct types of threat intelligence in the threat hunting cycle, and how customers can utilize these artifacts themselves to improve their own incident response preparedness. 

a conference room of people sitting around a table

Microsoft Incident Response

Strengthen your security with an end-to-end portfolio of proactive and reactive cybersecurity incident response services.

Threat intelligence is often oversimplified to represent a feed of indicators of compromise (IOCs). The intersection between multiple types of threat intelligence, however, enables organizations and their threat hunters to have a holistic understanding of the cyberattackers and techniques that can and will target them. With this comprehensive cheat sheet of knowledge, threat hunters can not only increase efficiency when responding to a compromise, but proactively hunt their systems for anomalies and fine-tune protection and detection mechanisms. 

Graph showing the organizational effort versus the effort gained when using the three types of threat intelligence. In order of most effort required and highest value gained: Strategic, Operational, Tactical.

Figure 1. Three types of threat intelligence.

Figure 1 introduces three types of threat intelligence that will be outlined in this blog—strategic, operational, and tactical. It provides a visualization of organizational effort versus the value gained when utilizing threat intelligence in more than one way. Typically, security teams integrate IOC cyberthreat feeds at a tactical level, but incorporating threat intelligence operationally requires daily investment, especially when alert queues seem endless. Strategic threat intelligence may seem familiar to most organizations but can be challenging to apply effectively, as this requires concentrated effort at multiple levels to understand the organization’s position within the overall threat landscape. How can threat hunters leverage these types of threat intelligence effectively for the benefit of their organization? 

Strategic threat intelligence: Informed hunting driven by the overarching cyberthreat landscape 

Security teams should be industry aware—being cognizant of the types of digital threats and current trends affecting industry verticals allows any team to be better prepared for potential compromise. Strategic threat intelligence is fundamentally based on understanding threat actor motives, which gives organizations an understanding of which threat actors they should be most conscious of in relation to the industry vertical or their most valuable resources. For example, government entities are traditionally targeted by nation-state advanced persistent threats (APTs) to perform cyber espionage, whereas organizations in the healthcare industry are commonly targeted by cybercriminal actor groups for ransomware operations and financial extortion due to the sensitivity of the data they possess. Understanding where the organization fits into this strategic picture determines the investment where its resources (people and time) may be constrained. Furthermore, it’s a key step toward developing an effective threat-informed defense strategy prioritizing the cyberattacks that target the organization.  

Operational threat intelligence: Informed hunting to proactively understand the environment and its data 

Having broad visibility into an organization’s attack surface is imperative when applying threat intelligence at an operational level. The crucial components spanning the perimeter of the on-premises network and extended entities such as cloud, software-as-a-service, and overall supply chain should be well understood: 

  • Where are the tier 0 systems in the organization? 
  • What intermediary lateral movement pathways exist to tier 0 systems? 
  • What security controls across the environment are (or aren’t) in place? 
  • What telemetry is produced by all systems in the environment?  

Security teams should proactively analyze the data that comes from these entities to develop a baseline of normal operations. Along with this baseline, threat hunters should comprehend and exercise organizational processes. In the event of an identified anomaly, how is that behavior deconflicted? What teams within the organization need to be consulted? What is the process for ensuring false positives can be reported and circulated efficiently and effectively? Considering the secondary questions and tertiary actions of response steps greatly benefits threat hunting timeliness, staving off confusion during a rapidly evolving incident.

Tactical threat intelligence: Informed hunting to reactively respond to a live cyberthreat 

Tactical threat intelligence is often an organization’s main integration to enhance a threat hunt, particularly in response to an active cyberattack scenario. Known-bad entities and atomic indicators such as IP addresses, domains, and file hashes are used to identify anomalies aligning to attacker techniques against targeted systems quickly. Additionally, if the cyberattack is already attributed to a threat actor, or the attack aligns to a particular motive, security teams can use these patterns of behavior to prioritize their hunting scope to their known tactics, techniques, and procedures. Novel indicators or associated research from the analysis should be shared with other vetted threat hunters within the organization and are a particularly valuable contribution to the wider threat intelligence community to further enrich detections for all organizations.  

Putting it together: Threat intelligence and iterative threat hunting 

Armed with this breakdown, threat hunters can now turn their attention to using varied threat intelligence to execute threat hunts and track down threat actors. The threat hunting iterative workflow shown in Figure 2 is something security teams will likely be familiar with; but are threat intelligence artifacts effectively being applied to create a holistic threat-informed defense strategy? 

Visualization of threat hunting iterative workflows, showing how cyber threat intelligence artifacts (strategic, operational, and tactical) feed into the iterative workflow of threat hunting. Strategic and operational artifacts feed into the hunt hypothesis phase of the threat hunting workflow, while tactical artifacts feed into the hunting phase of the workflow.

Figure 2. Feeding threat intelligence artifacts into an iterative threat hunting workflow.

When preparing a hunt, threat hunters should seek to apply strategic threat intelligence to prioritize the cyberthreats that target the organization. This directly leads into the hypothesis phase. Threat hunters include the gathered strategic artifacts in a hunt hypothesis based on the trends or threat actors impacting other organizations in the same vertical. This casts a wide net to identify anomalies and behaviors common to the industry. They are not limiting the hunt based on any one IOC, rather using the collective intelligence learned from similar intrusions to detect or prevent the attack scenario. For every investigation, whether it be proactive or reactive, Microsoft Incident Response threat hunters consider other incidents impacting victim organizations in the same industry as a guiding force to efficiently identify focus areas of analysis, leveraging research from Microsoft Threat Intelligence that outlines any applicable threat actor attribution. 

Daily workflows should be enhanced with operational threat intelligence artifacts to determine an environmental baseline. Proactive hunt hypotheses should seek to test the understanding and actively seek to identify gaps in various aspects of the baseline, identifying any behavioral anomalies straying from “normal operations” and developing high-fidelity, real-world detections based on the true attempts at intrusion to their environments. Existing detections should be continuously reviewed and refined, hunting threads should include interrogation of both successful and failed access attempts, and data integrity should be verified. Security teams should question if: 

  • Centralized data is both complete and accurate—identifying if there are any gaps in the data and why. 
  • The schema is consistent between all data sources (for example, timestamp accuracy). 
  • The correct fields are flowing through from their distributed systems’ sources.  

When security teams embody being the experts of their environment, they become more adept at identifying when a proactive threat hunt shifts into reactive response to active threat. This is invaluable when improving the speed of returning to normal operations and engaging additional support such as Microsoft Incident Response, who can enhance the hunt with threat intelligence from previous global incidents, working with the customer to deconflict abnormalities quickly for swift takeback and eviction of threat actors. 

When incident response teams like Microsoft Incident Response are engaged during a reactive incident, the objective of threat hunting is to conduct analysis of live, historical, and contextual data on targeted and compromised systems and provide a detailed story of not only the attack chain, but the threat actor(s) conducting that attack. Enriching a threat hunt with tactical threat intelligence artifacts in the form of IOCs concentrates investigation scope and allows for rapid identification of threat actor activity. As the hunt progresses, relational entities to that indicator are uncovered, such as the identities involved in activity execution and lateral movement paths to different systems. Attention shifts from atomic indicators such as IP addresses and malicious domains, to artifacts left directly on compromised systems, such as commands that were run or persistent backdoors that were installed. This builds an end-to-end timeline of malicious activity and related indicators for organizations to stay informed, implement target security controls, and prevent the same, or similar, incidents in the future.  

What is Microsoft Defender Threat Intelligence (Defender TI)?

Learn more

Adhering to the collaborative cycle of threat intelligence, Microsoft Incident Response contributes front-line research to enhance and further develop detections for customers worldwide. Entities are aligned with industry frameworks such as the Diamond Model, to build threat actor profiles detailing the relationship between adversaries’ infrastructure, capabilities and victims. Microsoft Threat Intelligence is available in Microsoft Defender XDR for the community and fellow security teams to consume, validate, and refine into proactive detections for the organization. 

How Microsoft Incident Response can support proactive threat protection

Microsoft Incident Response has cultivated and relies upon implementing the cycle between incident response and threat intelligence to protect our customers, leveraging insights from 78 trillion signals per day. Organizations can proactively position themselves to be well-informed by the threats targeting their organization by implementing threat intelligence in a holistic way, before an incident begins.  

Embracing a collaborative culture amongst the threat intelligence community to not only consume entities, but to further contribute, refine, and enhance existing research, results in improved detections, controls, and automation, allowing all security professionals to get behind the same goal—track down and protect themselves from threat actors and their malicious intent.  

You can read more blogs from Microsoft Incident Response. For more security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

Learn more

Learn more about Microsoft Incident Response.

To get notified about new Microsoft Threat Intelligence publications and to join discussions on social media, follow us on X (@MsftSecIntel).

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1The art and science behind Microsoft threat hunting: Part 1, Microsoft Incident Response Team. September 9, 2022.

2The art and science behind Microsoft threat hunting: Part 2, Microsoft Incident Response Team. September 21, 2022.

The post The art and science behind Microsoft threat hunting: Part 3 appeared first on Microsoft Security Blog.

]]>
How to boost your incident response readiness http://approjects.co.za/?big=en-us/security/blog/2024/06/25/how-to-boost-your-incident-response-readiness/ Tue, 25 Jun 2024 16:00:00 +0000 Discover key steps to bolster incident response readiness, from disaster recovery plans to secure deployments, guided by insights from the Microsoft Incident Response team.

The post How to boost your incident response readiness appeared first on Microsoft Security Blog.

]]>
Cyberthreats are evolving with alarming sophistication, making it crucial for organizations to react swiftly to incidents and prepare for potential threats. Preparing your organization’s incident response readiness falls broadly into three categories: the process, the people, and the technologies. Often with cybersecurity, more focus is on the technology aspect. Although there is no question that technologies are essential, what sets successful incident response readiness and planning apart is a strong focus on the process and the people involved.

How the Microsoft Incident Response team helps customers remediate threats

Read the blog

This blog post, informed by insights from the Microsoft Incident Response team, will guide you through some key considerations of incident response readiness, structured through the people, process, and technology framework. Starting with the process, a key foundational piece, this blog post will provide guidance on actions such as:

  • Developing a robust disaster recovery plan.
  • Implementing a rigorous audit of admin accounts and services.
  • Appointing an Incident Manager and outlining communication with vendors.

Read on to dive deeper into key technical concepts and actionable steps you can take to boost your incident response readiness and proactive threat engagements.

Microsoft Incident Response

Dedicated experts work with you before, during, and after a cybersecurity incident.

Computer developer working at night in office.

The process

Developing a disaster recovery plan

Developing a robust disaster recovery plan ensures business continuity and resilience against cyberthreats, natural disasters, or other disruptive events. This plan specifies the procedures and protocols for responding to security incidents, emphasizing rapid response, data recovery, and the restoration of critical services. Many companies prepare for fires, so why not incidents? Due to lack of continuity and organization of efforts, organizations without disaster recovery plans usually experience greater impact from unforeseen incidents.

When crafting a disaster recovery plan, conduct a comprehensive risk assessment to pinpoint potential threats, vulnerabilities, and single points of failure within your infrastructure. This step requires defining recovery objectives, prioritizing critical assets and services, and setting recovery time objectives and recovery point objectives based on business requirements and risk tolerance. Many organizations lack the personnel or capability to maintain an in-house incident response team and outsource with services like Microsoft Incident Response.

Disaster recovery plans often include recommendations like implementing a tiered approach to network recovery, managing on-site backups, performing off-site replication, and using cloud-based recovery services. These practices boost resilience and redundancy, minimizing downtime and data loss. Regularly testing and validating your plan with tabletop exercises, simulations, and drills is critical for identifying gaps, refining procedures, and ensuring readiness for real-world incidents.

When Microsoft Incident Response engages with customers that have disaster recovery plans in place, those plans have tremendously aided in ensuring business continuity. Pre-existing processes, warm backups, trained staff, and communication agreements with applicable vendors all empower the investigation and recovery efforts. Rather than developing a reactive disaster recovery plan in parallel with investigation efforts, an existing disaster recovery plan allows Microsoft Incident Response and the organization to focus on investigating threat actor actions. This also enables the organization’s staff to focus solely on bringing up their line of business apps. Engaging an incident response team alongside a comprehensive disaster recovery plan greatly expedites restoration time to keep your environment running.

A schematic diagram illustrating the flow of incident management processes: Governance, Incident Command, Communications, and Regulatory Compliance.

Figure 1. Workstreams that surround and support incident response throughout the lifecycle of an incident. See our team guide for context.

Validating effective deployment mechanisms

Ensuring the integrity and authenticity of software and system updates requires secure deployment mechanisms. Protect these systems—especially since threat actors often exploit them for tool deployment—by auditing their storage and configurations regularly. Adopting best practices like code signing, secure boot, and encrypted communications prevents unauthorized process tampering.

Correct setup requires varied deployment methods to be effective during incidents. Rapid tool deployment is important when working with an incident response team. Microsoft Configuration Manager, Microsoft Intune, Group Policy, and third-party tools are commonly used. Microsoft Incident Response deploys custom security tools alongside the Microsoft Defender suite to collect metadata efficiently across the environment, enabling a stronger response.

Enabling comprehensive auditing and logging

Auditing and logging are vital for a strong cybersecurity posture, offering insight into system activities and security events. Though enabling these features on all systems might increase overhead, the advantages in threat detection, incident response, and compliance outweigh the costs.

Adopting a risk-based approach to auditing and logging and focusing on critical assets and high-risk areas are essential. Configuring logs to capture relevant security events and optimizing retention policies ensure a balance between storage needs and forensic requirements.

Many Microsoft customers leverage Microsoft Sentinel, our cloud-native security information and event management (SIEM) solution for efficient large-volume data analysis. Microsoft Sentinel allows real-time log data aggregation, correlation, and analysis from various sources, aiding security teams in swift incident detection and response. Coupled with the Defender suite and Azure, Microsoft Sentinel offers invaluable trend data for incident response investigations.

The people

Appointing an incident manager for effective coordination

Appointing an Incident Manager is critical for leading and coordinating incident response efforts, from detection to recovery. This person serves as the main point of contact for stakeholders and response teams and ensures clear communication and effective collaboration. They examine, streamline, and log all environment change requests according to the disaster recovery plan.

An Incident Manager’s deep understanding of business processes and technical infrastructure aids in making informed decisions and prioritizing actions. Strong leadership and communication skills are essential for guiding teams and achieving consensus under pressure.

Without an Incident Manager, directionless and unclear communication allows threat actors to exploit chaos. A definitive leader streamlines work and facilitates clear communication, essential for efficient incident response. The absence of a coordinated effort can lead to fragmented work, prolonged network downtime, and severe access restoration delays for users or customers.

A diagram showing the escalation points for operational decisions in an incident response team. On the left, a vertical line connects Governance Lead at the top and Incident Controller below it. Four horizontal lines extend from the Incident Controller to Investigation Lead, Infrastructure Lead, Communication Lead, and Regulatory Lead. Arrows indicate escalation points for operational and major decisions.

Figure 2. An example of the roles involved in incident response and the importance of an incident manager or controller. (See our team guide for more context.)

Maintaining open communication with security vendors

Open communication with security vendors is vital for enhancing cybersecurity. Strategic partnerships grant access to the latest technologies, threat intelligence, and best practices for threat management.

Security vendors assist in whitelisting tools, configuring policies, and optimizing security settings to meet standards and regulations. They also guide incident alert interpretation, remediation prioritization, and security measure implementation tailored to organizational needs.

Collaborating with vendors keeps organizations informed about emerging threats and attack techniques through threat intelligence feeds and security bulletins. This proactive intelligence sharing enables you to anticipate risks and mitigate them before security incidents escalate.

The technique

Enhancing security by hardening identity

Conduct a comprehensive Zero Trust audit on accounts and services with administrative privileges within your system to defend against potential security breaches effectively. This audit requires scrutinizing user and admin accounts, system configurations, and service permissions to spot anomalies or unauthorized access points. Leveraging robust identity and access management solutions is crucial to enforce the least-privilege principle. By giving users only the necessary permissions for their roles, organizations can significantly lower the attack surface and the risk of privilege escalation.

Use Enterprise Admins and Schema Admins, two built-in groups that can alter an Active Directory Forest, only for specific changes to the environment’s framework, then remove them. Also, you should audit AdminSDHolder, a common persistence method. Enforcing any privileges assigned to a user or group in the AdminSDHolder object remains effective regardless of changes in other Active Directory parts.

Microsoft Incident Response often recommends the enterprise access model or tiering to harden the identity plane for various environments. The tiering aims to protect identity (Tier 0) and all servers interacting with it, including Tier 0 management servers, all within the same plane. This model mandates administrators to have accounts in their specific plane, reducing the chances of lateral movement and privilege escalation.

Quick wins for safeguarding assets

When safeguarding accounts, methods like multifactor authentication introduce an additional security layer, making it harder for adversaries to compromise critical systems and data. Easy wins with multifactor authentication include enabling number matching and fraud alert, or mandating access through a Microsoft Entra-joined device.

Establishing an inactive (or stale) accounts policy is critical to reduce and eliminate potential entry points. Security vendors often create overprovisioned guest accounts that remain active until the contractor returns. Formulate a policy to disable and eventually delete accounts when not in use, marking a swift victory. A stale account policy, combined with a password policy and account lockout policy, helps secure the identity plane in an environment.

Proactively auditing services and machines

Auditing services and machines within the network is vital for identifying and mitigating security risks. Documenting the configurations and dependencies of all hardware and software assets, and assessing their vulnerability exposure, is important.

Automated asset management and vulnerability scanning tools streamline auditing and keep asset inventories current. Legacy software dependence, especially on unsupported systems, introduces vulnerabilities. Vulnerability scanning allows for proactive risk, patch, and configuration management, meeting security and compliance needs.

For best results, you should classify assets by criticality and sensitivity to prioritize security controls and resources. Distinguishing between protected legacy systems and risky end-of-life systems due to outdated or unsupported configurations is essential.

Driving incident response in your organization

Proactively preparing for incident response is essential given modern cybersecurity challenges. By strengthening defenses, maintaining a comprehensive disaster recovery plan, and leveraging expert resources like the Microsoft Incident Response team, you can confidently manage threats. Our expertise and quick response capabilities are invaluable in cyber risk mitigation.

Effective coordination and robust logging mechanisms reduce incident impacts and ensure operational resilience. Preparation is key in a world facing inevitable cyber threats. Learn more about Microsoft Incident Response proactive and reactive response services or find clarity in the maze of incident response in our helpful team guide.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post How to boost your incident response readiness appeared first on Microsoft Security Blog.

]]>
Microsoft Defender Experts for XDR recognized in the latest MITRE Engenuity ATT&CK® Evaluation for Managed Services http://approjects.co.za/?big=en-us/security/blog/2024/06/18/microsoft-defender-experts-for-xdr-recognized-in-the-latest-mitre-engenuity-attck-evaluation-for-managed-services/ Tue, 18 Jun 2024 13:00:00 +0000 Microsoft Defender Experts for XDR delivered excellent results during round 2 of the MITRE Engenuity ATT&CK® Evaluations for Managed Services menuPass + ALPHV BlackCat.

The post Microsoft Defender Experts for XDR recognized in the latest MITRE Engenuity ATT&CK® Evaluation for Managed Services appeared first on Microsoft Security Blog.

]]>
Microsoft Defender Experts for XDR demonstrated excellent managed extended detection and response (MXDR) by unifying our human-driven services and Microsoft Defender XDR in the MITRE Engenuity ATT&CK® Evaluations: Managed Services menuPass + ALPHV BlackCat.   

Defender Experts for XDR offers a range of capabilities: 

  • Managed detection and response: Let our expert analysts manage your Microsoft Defender XDR incident queue and handle triage, investigation, and response on your behalf.  
  • Proactive threat hunting: Extend your team’s threat hunting capabilities and prioritize significant threats with Defender Experts for Hunting built in. 
  • Live dashboards and reports: Get a transparent view of our operations conducted on your behalf, along with a noise-free, actionable view of prioritized incidents and detailed analytics. 
  • Proactive check-ins: Benefit from remote, periodic check-ins with your named service delivery manager (SDM) team to guide your MXDR experience and improve your security posture. 
  • Fast and seamless onboarding: Get a guided baselining experience to ensure your Microsoft security products are correctly configured.

Microsoft Defender Experts for XDR

Give your security operations center (SOC) team coverage with leading end-to-end protection and expertise.

Cyberattacks detected by Defender Experts for XDR

In the first cyberattack, Defender Experts for XDR provided detection, visibility, and coverage under what Microsoft Threat Intelligence tracks as the threat actor Purple Typhoon. From the early steps in the intrusion, our team alerted the customer that 11 systems and 13 accounts were compromised via a malicious Remote Desktop Protocol (RDP) session, leveraging a Dynamic Link Library (DLL) Search Order Hijacking on a legitimate Notepad++ executable. As is common with this threat actor, the next cyberattack, established a Quasar RAT backdoor triggering keylogging, capturing credentials for the domain admin. After the loaders were executed, scheduled tasks were used to move laterally, execute discovery commands on internal network areas, and complete credential theft dumping.       

For the second cyberattack, which used BlackCat ransomware, Defender Experts for XDR detected and provided extensive guidance on investigation and remediation actions. The BlackCat ransomware, also known as ALPHV, is a prevalent cyberthreat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid. This attack used access broker credentials to perform lateral movement, exfiltrate sensitive data via privileged execution, and execute ransomware encryption malware.    

In both cyberattacks, our team focused on providing focused email, in-product focus to guide the customer, and in a real world cyberattack, our service and product would take disruption actions to stop the cyberattack.

Comprehensive threat hunting, managed response, and product detections 

With complex cyberattacks, security operations teams need robust guidance on what is happening and how to prioritize remediation efforts. Throughout this evaluation, we provided over 18 incidents, 196 alerts, and enriched product detections with human-driven guidance via email and in product experiences using Managed responses. This includes a detailed investigation summary, indicators of compromise (IOCs), advanced hunting queries (AHQs), and prioritized remediation actions to help contain the cyberthreat. Our world class hunting team focuses on providing initial response to a cyberattack, then iterations on updates based on new threat intelligence findings and other enrichment.   

Incident and alerts are tagged with Defender Experts and detailed analysis provided under view Managed Response.

Figure 1. The incident and alerts are tagged with Defender Experts and detailed analysis provided under view Managed response.

Managed response showing details of investigation summary, IOCs, and TTPs.

Figure 2. Managed response showing details of investigation summary, IOCs, and TTPs.

Managed response focused remediation one-click actions such as blocking indicator, stopping a malicious process, and resetting passwords.

Figure 3. Managed response focused remediation one-click actions such as blocking indicator, stopping a malicious process, and resetting passwords.

AI-driven attack disruption with Microsoft Defender XDR   

As the second cyberattack leveraged BlackCat ransomware, Microsoft Defender XDR’s attack disruption capability automatically contained the threat and then followed up with hunter guidance on additional containment. This capability combines our industry-leading detection with AI-powered enforcement mechanisms to help mitigate cyberthreats early on in the cyberattack chain and contain their advancement. Analysts have a powerful tool against human-operated cyberattacks while leaving them in complete control of investigating, remediating, and bringing assets back online. 

A summary attack graph, managed responses and attack disruption automatically handling this ransomware threat.

Figure 4. A summary attack graph, managed responses and attack disruption automatically handling this ransomware threat.

Seamless alert prioritization and consolidation into notifications for the SOC 

We provide prioritization and focus for a typical customer’s SOC team using tags and incident titles with Defender Experts where we enrich product detections. In addition, a dedicated SDM will conduct periodic touchpoints with customers to share productivity and service metrics, provide insights on any vulnerabilities or changes in their environment, solicit feedback, and make best practices recommendations. Our customers see a reduction in total incident volume over time, improvements in security posture, and overall lower operational overhead. Learn how Defender Experts helps Westminster School.  

Summary of all incidents and Defender Experts tag to help filter and prioritize for customers.

Figure 5. Summary of all incidents and Defender Experts tag to help filter and prioritize for customers.

Commitment to Microsoft MXDR partners 

We continue our commitment to support our partners in our Microsoft-verified MXDR program. We know that a single provider can’t meet the unique needs of every organization, so we frequently collaborate with our ecosystem of partners to provide customers the flexibility to choose what works best for them—and to leverage those trusted relationships for the best outcomes and returns on their investment. 

We acknowledge that there are areas for discussion and enhancement, but we will take these as a valuable learning opportunity to continuously improve our products and services for the customers we serve. We appreciate our ongoing collaboration with MITRE as the managed services evaluation process evolves with the growing cyberthreat landscape. We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation. 

Learn more about Microsoft Defender Experts for XDR

To learn more, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, and subscribe to our ongoing news at the Microsoft Security Experts blog

Person typing on laptop with Microsoft cyberthreat protection screen

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

​​To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 


© June 2024. The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. 

The post Microsoft Defender Experts for XDR recognized in the latest MITRE Engenuity ATT&CK® Evaluation for Managed Services appeared first on Microsoft Security Blog.

]]>
New Microsoft Incident Response guide helps simplify cyberthreat investigations http://approjects.co.za/?big=en-us/security/blog/2024/04/23/new-microsoft-incident-response-guide-helps-simplify-cyberthreat-investigations/ Tue, 23 Apr 2024 16:00:00 +0000 Discover how to fortify your organization's cybersecurity defense with this practical guide on digital forensics from Microsoft's Incident Response team.

The post New Microsoft Incident Response guide helps simplify cyberthreat investigations appeared first on Microsoft Security Blog.

]]>
There’s an increasing demand for skilled cybersecurity professionals. It’s being driven by a surge in cyberthreats and more sophisticated attackers. However, many employers are hesitant to fill open cybersecurity roles and are hiring conservatively in case of economic downturn—even though they understand the importance of having the right expertise to mitigate contemporary cyberrisks.

Organizations face an increasingly complex cybersecurity landscape. The cybersecurity workforce growth rate lags behind the necessary 12.6% annual expansion to effectively counter cyberthreats, only achieving an 8.7% increase. This shortfall leaves a gap of approximately 4 million professionals worldwide. Amidst this challenge, companies navigate layoffs, budget cuts, and hiring freezes with expectations of further economic tightening in 2024.1

Windows Internals Book

Learn more

Yet cybersecurity expertise is crucial, especially when dealing with complex issues like analyzing Windows Internals during forensic investigations—a task that requires deep technical knowledge to interpret various artifacts and timestamps accurately. To help like-minded defenders tackle this difficult task, Microsoft Incident Response experts have created a guide on using Windows Internals for forensic investigations.

Guidance for Incident Responders

The new guide from the Microsoft Incident Response team helps simplify forensic investigations.

MSC24-China-business-Getty-1469706272-rgb

Microsoft Incident Response guide highlights

Our guide serves as an essential resource, meticulously structured to illuminate commonly seen, but not commonly understood, Windows Internals features in forensic investigations. Understanding these artifacts will strengthen your ability to conduct Windows forensic analysis. Equipped with this information and your new findings, you’ll be able to construct more complete timelines of activity. It includes the following topics:

  • AmCache’s contribution to forensic investigations: The AmCache registry hive’s role in storing information about executed and installed applications is crucial, yet it’s often mistakenly believed to capture every execution event. This misunderstanding can lead to significant gaps in forensic narratives, particularly where malware employs evasion techniques. Moreover, the lack of execution timestamp specificity in AmCache data further complicates accurate timeline reconstruction.
  • Browser forensics: Uncovering digital behaviors: The comprehensive analysis of browser artifacts is fraught with challenges, particularly regarding the interpretation of local file access records. The misconception that browsers do not track local file access can lead to significant oversight in understanding user behavior, underscoring the need for thorough and nuanced analysis of browser data.
  • The role of Link files and Jump Lists in forensics: Link, or LNK, files and Jump Lists are pivotal for documenting user behaviors. However, investigators sometimes neglect the fact that they’re prone to manipulation or deletion by users or malware. This oversight can lead to flawed conclusions. Furthermore, Windows’ automatic maintenance tasks, which can alter or delete these artifacts, add another layer of complexity to their analysis.
  • Prefetch files and program execution: Prefetch files’ role in improving application launch times and their forensic value in tracking application usage is well-documented. However, the common error of conflating the prefetch file’s creation date with the last execution date of an application leads to mistaken conclusions about usage patterns. Also, overlooking the aggregation of data from multiple prefetch files can result in a fragmented understanding of application interactions over time.
  • ShellBags forensic analysis: ShellBags, with their ability to record user interactions with the File Explorer environment, offer a rich source of information. Yet not all investigators recognize that ShellBags track deleted and moved folders, in addition to current ones. This oversight can lead to incomplete reconstructions of user activities.
  • Shimcache’s forensic evolution: The Shimcache has long served as a source of forensic information, particularly as evidence of program execution. However, the changes in Windows 10 and later have significantly impacted the forensic meaning of Shimcache artifacts: indicating file presence, and not indicating execution. This misunderstanding can mislead investigators, especially since Shimcache logs the last modification timestamp, not execution time, and data is only committed to disk upon shutdown or reboot.
  • Forensic insights with SRUM: SRUM’s tracking of application execution, network activity, and resource consumption is a boon for forensic analysts. However, the wealth of data can also be overwhelming, leading to crucial details being missed or misinterpreted. For instance, the temporal discrepancies between the SRUM database and system logs can confuse investigators, making it challenging to align activities accurately. Additionally, the finite storage of SRUM data means older information can be overwritten without notice, a fact that’s often overlooked, resulting in gaps in data analysis.
  • The importance of User Access Logging (UAL): UAL’s tracking of user activities based on roles and access origins is essential for security analysis, especially since this feature is designed for Windows Server operating systems (specifically 2012 and later). Its vast data volume can be daunting, leading to potential oversight of unusual access patterns or lateral movements. Additionally, the annual archiving system of UAL data can cause confusion regarding the longevity and accessibility of logs, impacting long-term forensic investigations.
  • Decoding UserAssist for forensic evidence: The UserAssist feature’s tracking of GUI-based program interactions is often misunderstood, with analysts mistakenly prioritizing run counts over focus time. This misstep can lead to inaccurate assumptions about application usage, as focus time—a more reliable indicator of execution—gets overlooked.

Why read this guide today

Bridging the gap between gaining insights from the Microsoft Incident Response team and the practical application of these strategies within your own organization underscores a journey from knowledge acquisition to operational implementation. By downloading the guide, you’re not just accessing a wealth of expert strategies, you’re initiating a critical shift towards a more resilient cybersecurity posture. This transition naturally leads to the understanding that while the right tools and strategies are vital, the true essence of cybersecurity lies in the practice and adoption of a security-minded culture within your organization.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1How the Economy, Skills Gap and Artificial Intelligence are Challenging the Global Cybersecurity Workforce, ISC2. 2023.

The post New Microsoft Incident Response guide helps simplify cyberthreat investigations appeared first on Microsoft Security Blog.

]]>
​​Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024 http://approjects.co.za/?big=en-us/security/blog/2024/03/25/frost-sullivan-names-microsoft-a-leader-in-the-frost-radar-managed-detection-and-response-2024/ Mon, 25 Mar 2024 16:00:00 +0000 The Frost Radar™: Managed Detection and Response, 2024 report recognizes Microsoft as a Leader. Learn how Microsoft Defender Experts for XDR augments your security operations center team to triage, investigate, and respond to incidents for you.

The post ​​Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024 appeared first on Microsoft Security Blog.

]]>
We are excited to share that Microsoft has been named a Leader by Frost & Sullivan in the Frost Radar™: Managed Detection and Response, 2024, leading in innovation and among the top two in growth. Frost & Sullivan highlighted Microsoft Defender Experts for XDR as a key component of Microsoft’s managed detection and response (MDR) offering, which delivers a managed extended detection and response service that triages, investigates, and responds to incidents to help organizations stop cyberattackers and prevent future compromise.

According to Frost & Sullivan, the market for MDR is growing rapidly, with a growth rate of 35.2%, as evidenced with 22 MDR vendors plotted in this year’s analysis. This growth is expected to continue as Frost & Sullivan cited that “faced with a lack of access to professionals and an inability to protect their business-critical data effectively, organizations are outsourcing to alleviate the issue.”

This graphic from Frost & Sullivan shows 22 managed detection and response companies in a Frost Radar measured by innovation index on the X axis and growth index on the y axis. Microsoft is shown as leading in the innovation index and among the top two in the growth index.

Figure 1. Frost RadarTM for Managed Detection and Response 2024 showing Microsoft as a leader.

Advancing cybersecurity frontiers with Defender Experts

Designated as one of the companies to be considered first for investment, partnerships, or benchmarking by Frost & Sullivan, Microsoft is a recent entrant in the MDR space, but with its focus on AI and machine learning, “especially the development of Microsoft Copilot for Security, coupled with its top-tier threat detection and response capabilities, allows it to maintain an innovation edge over other world-class competitors.”1 Our Defender Experts for XDR service helps our customers boost their security operations centers (SOCs) with security expertise and around-the-clock coverage to detect and accurately respond to incidents that matter across their varied Microsoft Defender XDR workloads.

What is Managed Detection and Response?

Learn more

The Frost & Sullivan report emphasizes the comprehensive capabilities of our Defender Experts for XDR service, which brings together human expertise with AI and automation powered by our Defender XDR suite. The service provides cross-domain MDR services with visibility over endpoints, email, cloud, and identity. In addition, Defender Experts for XDR “delivers 24/7 monitoring, detection, and response, and proactive threat hunting, combined with its world-class threat intelligence, security posture assessments, and access to its expert team.”

Charting new horizons—the convergence of managed services and generative AI

The report highlights the key innovation that Microsoft offers to customers, which is the ability to use both human-led expertise and generative AI in cybersecurity. As organizations continue to adopt MDR services to enhance their SOC efforts, the appearance of generative AI in cybersecurity solutions also offers more potential to those who want to improve their SOC teams. According to Frost & Sullivan, “AI, [machine learning], and automation have become increasingly integral to cybersecurity solutions. These technologies enhance detection and response and allow SOC analysts to focus on what’s important instead of chasing down false alerts.”

The report also recognizes Microsoft Copilot for Security as a pivotal AI assistant that enhances the capabilities of security analysts. It streamlines complex data into concise summaries, offers insights, aids in detection, accelerates response, and contextualizes alerts and incidents. This tool is instrumental in supporting both novice and seasoned analysts, enabling them to make well-informed decisions with greater confidence and speed.

Building on this, the Defender Experts team has found the utilization of Copilot for Security not only boosts productivity and streamlines workflows, but also significantly enhances threat detection and response. Insights from team leaders and real-world applications, such as script analysis and incident summaries, are detailed in a recent blog post. These examples underscore Copilot’s role in elevating the skills of analysts and enriching threat intelligence, and empowering security teams to leverage AI’s full potential in safeguarding their organizations. Microsoft will continue to invest in generative AI and unlock its potential for Defender Experts and our customers.

Microsoft Defender Experts for XDR

Give your security operations center team coverage with leading end-to-end protection and expertise.

Photo of a person sitting at a desk in front of a computer

Empower your SOC with managed XDR

Frost & Sullivan’s report praises Microsoft Defender Experts for XDR for its capacity to expedite SOC operations through expert triage and investigation, provide robust protection through human-led response and proactive remediation, offer around-the-clock access to Defender Experts for real-time consultations, and provide strategic recommendations to fortify defenses and mitigate future cyberthreats, all underscored by the transformative integration of generative AI with human expertise.

We know that a single provider can’t meet the unique needs of every organization, so we frequently collaborate with our ecosystem of partners that provide customers the flexibility to choose what works for them—and to leverage those trusted relationships for the best outcomes and returns on their investment. To date, we’ve added more than 50 partners to our Microsoft-verified MXDR program and invite you to review their offerings.

Learn more

To learn more about our service, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, and subscribe to our ongoing news at the Microsoft Security Experts blog home.

Person typing on laptop with Microsoft cyberthreat protection screen

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Frost & Sullivan, Frost Radar™: Managed Detection and Response, 2024, Lucas Ferreyra. March 2024.

The post ​​Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024 appeared first on Microsoft Security Blog.

]]>
How Microsoft Incident Response and Microsoft Defender for Identity work together to detect and respond to cyberthreats http://approjects.co.za/?big=en-us/security/blog/2024/03/21/how-microsoft-incident-response-and-microsoft-defender-for-identity-work-together-to-detect-and-respond-to-cyberthreats/ Thu, 21 Mar 2024 16:00:00 +0000 Learn how Microsoft Incident Response works together with Microsoft Defender for Identity to give customers fast, flexible service—before, during, or after a cybersecurity incident occurs.

The post How Microsoft Incident Response and Microsoft Defender for Identity work together to detect and respond to cyberthreats appeared first on Microsoft Security Blog.

]]>
Identity-based cyberthreats are on the rise. 2023 saw a tenfold increase in threats including phishing, ransomware, and more.1 And bad actors continue to evolve their techniques—making them more sophisticated, more overwhelming, and more believable. From an employee’s viewpoint, every ping, click, swipe, buzz, ding, text, and tap takes time and attention—which can add up to a loss of focus, alert fatigue, and increased risk. In this post, we’ll look at a human-operated ransomware attack that began with one malicious link in one user’s email. Then we’ll share how Microsoft Incident Response helped facilitate collaboration among security, identity, and incident response teams to help a customer evict the bad actor from their environment and build resilience for future threats.

Microsoft Incident Response

Strengthen your security with an end-to-end portfolio of proactive and reactive cybersecurity incident response services.

A man standing, pointing at a large monitor screen displaying a world map

One click opens the door to a threat actor

We know that 50% of Microsoft cybersecurity recovery engagements relate to ransomware,2 and 61% of all breaches involve credentials.3 Identity attacks continue to be a challenge for businesses because humans continue to be a central risk vector in social engineering identity attacks. People click links without thinking. Too often, users open attachments by habit, thereby opening the door to threat actors. Even when employees recognize credential harvesting attempts, they’re often still susceptible to drive-by URL attacks. And teams focused on incident response are often disconnected from teams that manage corporate identities. In this incident, one click on a malicious link led a large customer to reach out to Microsoft Incident Response for help.

Flow diagram illustrating lateral movement by a threat actor within a security ecosystem after collecting user information.

Figure 1. Diagram of a threat actor’s malware moving through the network.

The malicious link the employee clicked infected their device with Qakbot. Qakbot is a modular malware that has been evolving for more than a decade. It’s a multipurpose malware that unfortunately gives attackers a wide range of capabilities. Once the identity-focused threat actor had established multiple avenues of persistence in the network and seemed to be preparing to deploy ransomware, the customer’s administrators and security operations staff were overwhelmed with tactical recovery and containment. That’s when they called Microsoft.

Your first call before, during, and after a cybersecurity incident

Microsoft Incident Response stepped in and deployed Microsoft Defender for Identity—a cloud-based security solution that helps detect and respond to identity-related threats. Bringing identity monitoring into incident response early helped an overwhelmed security operations team regain control. This first step helped to identify the scope of the incident and impacted accounts, take action to protect critical infrastructure, and work on evicting the threat actor. Then, by leveraging Microsoft Defender for Endpoint alongside Defender for Identity, Microsoft Incident Response was able to trace the threat actor’s movements and disrupt their attempts to use compromised accounts to reenter the environment. And once the tactical containment was complete and full administrative control over the environment was restored, Microsoft Incident Response worked with the customer to move forward to build better resiliency to help prevent future cyberattacks. More information about the incident and remediation details can be found on our technical post titled “Follow the Breadcrumbs with Microsoft Incident Response and Microsoft Defender for Identity: Working Together to Fight Identity-Based Attacks.”

Strengthen your identity posture with defense in depth

We know protecting user identities can help prevent incidents before they happen. But that protection can take many forms. Multiple, collaborative layers of defense—or defense in depth—can help build up protection so no single control must shoulder the entire defense. These layers include multifactor authentication, conditional access rules, mobile device and endpoint protection policies, and even new tools—like Microsoft Copilot for Security. Defense in depth can help prevent many cyberattacks—or at least make them difficult to execute—through the implementation and maintenance of layers of basic security controls.

In a recent Cyberattack Series blog post and report, we go more in depth on how to protect credentials against social engineering attacks. The cyberattack series case involved Octo Tempest—a highly active cyberthreat actor group which utilizes varying social engineering campaigns with the goal of financial extortion across many business sectors through means of data exfiltration and ransomware. Octo Tempest compromised a customer with a targeted phishing and smishing (text-based phishing) attack. That customer then reached out to Microsoft Incident Response for help to contain, evict, and detect any further threats. By collaborating closely with the victim organization’s IT and security teams, the compromised systems were isolated and contained. Throughout the entire process, effective communication and coordination between the incident response team and the affected organization is crucial. The team provides regular updates on their progress, shares threat intelligence, and offers guidance on remediation and prevention strategies. By working together seamlessly, the incident response team and the affected organization can mitigate the immediate cyberthreat, eradicate the cyberattacker’s presence, and strengthen the organization’s defenses against future cyberattacks.

Honeytokens: A sweet way to defend against identity-based attacks

Another layer of protection for user identities is the decoy account. These accounts are set up expressly to lure attackers, diverting their attention away from real targets and harmful activities—like accessing sensitive resources or escalating privileges. The decoy accounts are called honeytokens, and they can provide security teams with a unique opportunity to detect, deflect, or study attempted identity attacks. The best honeytokens are existing accounts with histories that can help hide their true nature. Honeytokens can also be a great way to monitor in-progress attacks, helping to discover where attackers are coming from and where they may be positioned in the network. For more detailed instructions on how to tag an account as a honeytoken and best practices for honeytoken use, read our tech community post titled “Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity.”

Working together to build better resilience

Microsoft Incident Response is the first call for customers who want to access dedicated experts before, during, and after any cybersecurity incident. With on-site and remote assistance on a global scale, unprecedented access to product engineering, and the depth and breadth of Microsoft Threat Intelligence, it encompasses both proactive and reactive incident response services. Collaboration is key. Microsoft Incident Response works with the tools and teams available to support incident response—like Defender for Identity, Defender for Endpoint, and now Copilot for Security—to defend against identity-based attacks, together. And that collaboration helps ensure better outcomes for customers. Learn more about the Microsoft Incident Response proactive and reactive response services or see it in action in the fourth installment of our ongoing Cyberattack Series.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Microsoft Digital Defense Report, Microsoft. 2023.

2Microsoft Digital Defense Report, Microsoft. 2022.

32023 Data Breach Investigations Report, Verizon.

4Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

The post How Microsoft Incident Response and Microsoft Defender for Identity work together to detect and respond to cyberthreats appeared first on Microsoft Security Blog.

]]>
Microsoft Copilot for Security provides immediate impact for the Microsoft Defender Experts team http://approjects.co.za/?big=en-us/security/blog/2024/02/08/microsoft-copilot-for-security-provides-immediate-impact-for-the-microsoft-defender-experts-team/ Thu, 08 Feb 2024 17:00:00 +0000 Microsoft Copilot for Security provides tangible applications to the Defender Experts’ daily work—including building incident narratives, analyzing threats, time-saving tips, upskilling, and more.

The post Microsoft Copilot for Security provides immediate impact for the Microsoft Defender Experts team appeared first on Microsoft Security Blog.

]]>
Organizations everywhere are on a lightning-fast learning trajectory to understand the potential of generative AI and its implications for their security, their workforce, and the industry at large. AI is quickly becoming a force multiplier—presenting significant opportunities for security teams to increase productivity, save time, upskill resources, and more. News and information about “the age of AI” is everywhere. But while AI generates a lot of buzz, it’s not all just talk. Microsoft Copilot for Security is already showing immediate impact for security teams at Microsoft.

Our own Microsoft Defender Experts team has been using and exploring Copilot, and finding new ways it can streamline, inform, and optimize their daily work—from improving communication clarity to data analysis and upskilling. Through their work on the Microsoft Defender Experts for XDR service, they serve as an extension of our customers’ security operations center (SOC) teams. They proactively hunt for serious cyberthreats using Microsoft Defender data. They triage, investigate, and expose advanced threats, identify the scope and impact of malicious activity, and then take action on a customer’s behalf to remediate the incident. And now with Copilot, Defender Experts have a powerful new security tool.

Microsoft Copilot logo

Microsoft Copilot for Security

Powerful new capabilities, new integrations, and industry-leading generative AI.

A leadership view of Copilot for Security

In this new series of short videos, our Defender Experts share real-world scenarios where Copilot is helping them navigate threat detection, investigation, and managed response. To begin, Ryan Kivett, Partner Group Manager for Defender Experts, Microsoft, shares his leadership view on how Copilot helps support learning and career growth for his team. Then Brian Hooper, Principal Research Lead for Defender Experts, Microsoft, talks about how Copilot can help minimize the mundane tasks that take security analysts away from their most important work—serious threat investigations.

Watch the video “A leadership view on deploying Copilot.”

Save time and increase efficiency

From a leadership level, it’s easy to see the potential of Copilot. But when every second counts—like during an active security incident—that potential needs to be fully realized and actionable. Copilot for Security puts critical guidance and context into the hands of your security team so they can respond to incidents in minutes instead of hours or days. In our next video clip, Phoebe Rogers, a senior member of the Microsoft Defender Experts analyst team, shares how Copilot helps her shave minutes off every script analysis—which adds up to real saved time, increased efficiency and understanding, and greater incident insight. Watch as she shares how she uses Copilot to analyze a suspicious script, step by step.

Watch the video “Script Analysis.”

When security analysts communicate with customers, they need to provide a clear, concise, and comprehensive summary of an active incident in a timely manner, so customers have a deep understanding of the situation. In the following video, Brian Hooper shares a detailed walkthrough of how Copilot is helping analysts write up these incident narratives 90% faster than in the past.

Watch the video “Incident Summaries.”

Upskill junior analysts and develop critical expertise

Most complex and sophisticated attacks like ransomware evade detection through numerous ways, including the use of scripts and PowerShell. Moreover, these scripts are often obfuscated, which adds to the complexity of detection and analysis. In our next video, Brian Hooper shows how the detailed, line-by-line script examination in Copilot allows security analysts to quickly assess and identify a script as malicious or benign. It also helps junior security analysts upskill their expertise. With Copilot, any analyst can use natural language prompts to initiate and perform tasks that they may not have a lot of experience with or expertise in, and the outputs of Copilot will help them both accomplish the right results quickly, and, more importantly, help them develop those critical skills for long-term use.

“Copilot for Security really helps our junior analysts, as if they had a coach next to them, guiding them through the learning phase of their role. And for our senior analysts, it’s really helping them push past what would have otherwise been possible, in terms of reaching their potential.”

—Ryan Kivett, Partner Group Manager for Defender Experts, Microsoft

Watch the video “Script Analyzer in Defender.”

Get rich, contextual information with threat intelligence

Understanding an organization’s external threat surface can take a lot of time and tools. Often, analysts must go to multiple repositories to obtain the critical data sets they need to assess a suspicious domain, host, or IP address. DNS data, WHOIS information, malware, and SSL certificates provide important context to indicators of compromise (IOCs), but these repositories are widely distributed and don’t always share a common data structure, making it difficult to ensure analysts have all relevant data needed to make a proper and timely assessment of suspicious infrastructure. Getting threat intelligence data and rich, contextual information from Microsoft Defender Threat Intelligence and Copilot helps security analysts make determinations, like whether an IP is malicious or not. In the next video clip, Phoebe Rogers uses Defender Threat Intelligence and Copilot to compare a user’s sign-in properties with their authentication history, surfacing the relevant information to streamline her analysis and determine whether or not it’s a threat.

Watch the video “Getting threat intel data.”

Once a determination is made, it can still take time and effort for an analyst to summarize and communicate a threat to affected parties. But Copilot can help. In our last video clip, Phoebe explains how Copilot can quickly explain the impact of common vulnerabilities and exposures (CVEs) and summarize relevant content like impacted products, bad actors known to exploit the vulnerability, and mitigation recommendations.

Watch the video “CVEs and Vulnerabilities.”

Protect at the speed and scale of AI

When faced with incomplete and imperfect data and the need to investigate a potential threat, communicate that threat to a customer, or craft a timely response, security analysts are realizing tangible, measurable benefits from using Copilot in their daily work. It helps them protect and defend their organization at machine speed and scale. Of course, the ability to leverage generative AI is not exclusive to security teams. It may also be leveraged by potential threat actors. So, the sooner security teams can experience and evaluate generative AI to augment and improve their security, the better. That’s why Brian Hooper encourages department leadership who are building their plan to deploy Copilot within their team to encourage exploration. “Let the team try different prompts. Let the team summarize incidents. Let the team analyze scripts. Let the team find out about intelligence that Microsoft knows about attacks. Organically, they will find all different places that it’s going to help them.”

Learn more

To learn more about Microsoft Copilot for Security, visit the product page, and for more helpful tips and information, view the Copilot for Security Playlist on the Microsoft Security Channel on YouTube.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Copilot for Security provides immediate impact for the Microsoft Defender Experts team appeared first on Microsoft Security Blog.

]]>
New Microsoft Incident Response guides help security teams analyze suspicious activity http://approjects.co.za/?big=en-us/security/blog/2024/01/17/new-microsoft-incident-response-guides-help-security-teams-analyze-suspicious-activity/ Wed, 17 Jan 2024 18:00:00 +0000 Access the first two cloud investigation guides from Microsoft Incident Response to improve triage and analysis of data in Microsoft 365 and Microsoft Entra ID.

The post New Microsoft Incident Response guides help security teams analyze suspicious activity appeared first on Microsoft Security Blog.

]]>
Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.

With more than 3,000 different activities (also known as operations) logged into the Microsoft 365 suite, knowing which are useful for your investigation can be daunting. With these guides, our goal is to make triaging and analyzing data in Microsoft 365 simpler. Many of these operations are data-based storytelling vehicles, helping Microsoft Incident Response to piece together an attack chain from beginning to end. We have worked on hundreds of cloud-centric cases with our customers, and while tactics, techniques, and procedures (TTPs) change with the times, analysis methodology and data triage techniques remain consistently successful. To enable Microsoft Incident Response to find ground truth quickly and effectively in an investigation, data mining based on known factors is essential. The known factors could be investigation specific, such as an IP address, known compromised username, or suspicious user agent string. It is also just as important to filter based on how actors move through a cloud environment and gather data. This is where these guides come into their own, and our hope is that sharing these guides can help you in the same way they help us every day.

Microsoft Incident Response guides

These new one-page guides from Microsoft Incident Response helps security teams analyze cyberthreat data in Microsoft 365 and Microsoft Entra.

Two male engineers sitting in front of a computer screen.

Analyze the Unified Audit Log in Microsoft 365

First up is our general Microsoft 365 guide, centered around key activities in Exchange Online and SharePoint—Microsoft 365 products commonly targeted in cybersecurity attacks. Keep in mind that the motives of a Threat Actor, the tools available to them, and the level of access they have achieved will determine the actions they take. No two incidents are ever the same.

Actions carried out in a tenant are recorded in the Unified Audit Log, which can be accessed from the Security Portal or through PowerShell. You can filter the audit log by date, user, activity, IP address, or file name. You can also export the audit log to a CSV file for further analysis.

Most of the operations in these sheets are self-explanatory in nature, but a few deserve further context:

SearchQueryPerformed—A user or an administrator has performed a search query in SharePoint Online or OneDrive for Business. This operation returns information about a search query performed in SharePoint Online, including the query text used. Keep in mind that interacting with certain components of SharePoint will trigger background ‘searches.’

SearchQueryInitiatedSharePoint and SearchQueryInitiatedExchange—These operations are only logged if you have enabled them using the Set-Mailbox PowerShell cmdlet. This operation is much like SearchQueryPerformed, but applies to mailbox-level searches.

SearchExportDownloaded—A report was downloaded of the results from a content search in Microsoft 365. This operation returns information about the content search, such as the name, status, start time, and end time.

Update—A message item was updated, including metadata. One example of this is when an email attachment is opened, which updates the metadata of the message item and generates this event. An update operation is not always indicative of an email message being purposefully modified by a Threat Actor.

FileSyncDownloadedFull—User establishes a sync relationship and successfully downloads files for the first time to their computer from a SharePoint or OneDrive for Business document library.

Detailed identity and access data with Microsoft Entra

Our Microsoft Entra guide covers actions which allow organizations to manage and protect their identities, data, and devices in the cloud. As an industry-leading identity platform, Microsoft Entra ID offers advanced security features, such as multifactor authentication, Conditional Access policies, identity protection, privileged access management, and identity governance.

To view the activities performed by users and administrators in Microsoft Entra ID, you can use the Microsoft Entra ID audit log, which stores events related to role management, device registration, and directory synchronization to name a few. To view detailed sign-in information, you can use the Sign-In Logs. The events located in these two data sources can help you detect and investigate security incidents, such as unauthorized access or configuration changes to the identity plane.

You can use the following methods to access Microsoft Entra ID audit log data:

Microsoft Entra Admin Portal—Go to the portal and sign in as an administrator. Navigate to Audit and/or Sign-ins under Monitoring. Filter, sort, and export the data as needed.

Graph PowerShell—Install the Graph PowerShell module and connect to Microsoft Entra ID. Use Get-MgAuditLogDirectoryAudit and/or Get-MgAuditLogSignIn to get the data you need.

Microsoft Graph API—Register an application in Microsoft Entra ID and give it the permissions to read audit log data (AuditLog.Read.All and Directory.Read.All). Use /auditLogs/directoryAudits and /auditLogs/signIns API endpoints to query the data, along with query parameters such as $filter to refine the results.

Most of the operations in these sheets are self-explanatory in nature, but as with our Microsoft 365 operations, a few deserve further context:

Suspicious activity reported—This log event indicates that a user or an administrator has reported a sign-in attempt as suspicious. The log event contains information about the reported sign-in—such as the user, the IP address, the device, the browser, the location, and the risk level. It also shows the status of the report—whether it was confirmed, dismissed, or ignored by the user or the administrator. This log event can help identify potential security incidents, including phishing, credential compromise, or malicious insiders.

Update application: Certificates and secrets management—This log event indicates that an administrator has updated the certificates or secrets associated with an application registered in Microsoft Entra ID—such as creation, deletion, expiration, or renewal. Applications are frequently misused by Threat Actors to gain access to data, making this a critical administrative event if found during an investigation.

Any operation ending in ‘(bulk)’—These are interesting as they demonstrate a bulk activity being performed—such as ‘Download users’ or ‘Delete users.’ Keep in mind, however, that these are only logged if the bulk activity is performed using the graphical user interface. If PowerShell is used, you will not see these entries in your log.

Elevate Access—Assigns the currently logged-in identity the User Access Administrator role in Azure Role-Based Access Control at root scope (/). This grants permissions to assign roles in all Azure subscriptions and management groups associated with the Microsoft Entra directory. This toggle is only available to users who are assigned the Global Administrator role in Microsoft Entra ID. It can be used by Threat Actors to gain complete control of Azure resources, often for the purposes of crypto mining or lateral movement from cloud to on-premises.

Improve security analysis with the Microsoft Incident Response guides

We hope that these one-page guides will be a valuable resource for you when you need to quickly identify and analyze suspicious or malicious activity in Microsoft 365 and Microsoft Entra ID. Print them out, save them as your desktop background, or put them on a mouse pad. Whatever you do, let us know what you find useful and remember that the audit logs in Microsoft 365 and Microsoft Entra ID are not the only source of evidence in a cloud-based case, and you should always correlate and validate your findings with other data sources where possible.

To access further information on what data lies in these logs and how you can access them, reference the following blog posts from the Microsoft Incident Response team:

Learn more

Learn more about Microsoft Incident Response.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post New Microsoft Incident Response guides help security teams analyze suspicious activity appeared first on Microsoft Security Blog.

]]>