{"id":133734,"date":"2024-03-21T09:00:00","date_gmt":"2024-03-21T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=133734"},"modified":"2024-03-21T09:05:03","modified_gmt":"2024-03-21T16:05:03","slug":"how-microsoft-incident-response-and-microsoft-defender-for-identity-work-together-to-detect-and-respond-to-cyberthreats","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/03\/21\/how-microsoft-incident-response-and-microsoft-defender-for-identity-work-together-to-detect-and-respond-to-cyberthreats\/","title":{"rendered":"How Microsoft Incident Response and Microsoft Defender for Identity work together to detect and respond to cyberthreats"},"content":{"rendered":"\n
Identity-based cyberthreats are on the rise. 2023 saw a tenfold increase in threats including phishing, ransomware, and more.1<\/sup> And bad actors continue to evolve their techniques\u2014making them more sophisticated, more overwhelming, and more believable. From an employee\u2019s viewpoint, every ping, click, swipe, buzz, ding, text, and tap takes time and attention\u2014which can add up to a loss of focus, alert fatigue, and increased risk. In this post, we\u2019ll look at a human-operated ransomware attack that began with one malicious link in one user\u2019s email. Then we\u2019ll share how Microsoft Incident Response<\/a> helped facilitate collaboration among security, identity, and incident response teams to help a customer evict the bad actor from their environment and build resilience for future threats.<\/p>\n\n\n\n
Microsoft Incident Response<\/h2>\n\n\n\n Strengthen your security with an end-to-end portfolio of proactive and reactive cybersecurity incident response services.<\/p>\n\n\n\n
One click opens the door to a threat actor<\/h2>\n\n\n\n We know that 50% of Microsoft cybersecurity recovery engagements relate to ransomware,2<\/sup> and 61% of all breaches involve credentials.3<\/sup> Identity attacks continue to be a challenge for businesses because humans continue to be a central risk vector in social engineering identity attacks. People click links without thinking. Too often, users open attachments by habit, thereby opening the door to threat actors. Even when employees recognize credential harvesting attempts, they\u2019re often still susceptible to drive-by URL attacks. And teams focused on incident response are often disconnected from teams that manage corporate identities. In this incident, one click on a malicious link led a large customer to reach out to Microsoft Incident Response for help.<\/p>\n\n\n\n
Figure 1. Diagram of a threat actor\u2019s malware moving through the network.<\/em><\/p>\n\n\n\n
The malicious link the employee clicked infected their device with Qakbot. Qakbot is a modular malware that has been evolving for more than a decade. It\u2019s a multipurpose malware that unfortunately gives attackers a wide range of capabilities. Once the identity-focused threat actor had established multiple avenues of persistence in the network and seemed to be preparing to deploy ransomware, the customer\u2019s administrators and security operations staff were overwhelmed with tactical recovery and containment. That\u2019s when they called Microsoft.<\/p>\n\n\n\n
Your first call before, during, and after a cybersecurity incident<\/h2>\n\n\n\n Microsoft Incident Response stepped in and deployed Microsoft Defender for Identity<\/a>\u2014a cloud-based security solution that helps detect and respond to identity-related threats. Bringing identity monitoring into incident response early helped an overwhelmed security operations team regain control. This first step helped to identify the scope of the incident and impacted accounts, take action to protect critical infrastructure, and work on evicting the threat actor. Then, by leveraging Microsoft Defender for Endpoint<\/a> alongside Defender for Identity, Microsoft Incident Response was able to trace the threat actor\u2019s movements and disrupt their attempts to use compromised accounts to reenter the environment. And once the tactical containment was complete and full administrative control over the environment was restored, Microsoft Incident Response worked with the customer to move forward to build better resiliency to help prevent future cyberattacks. More information about the incident and remediation details can be found on our technical post titled \u201cFollow the Breadcrumbs with Microsoft Incident Response and Microsoft Defender for Identity: Working Together to Fight Identity-Based Attacks<\/a>.\u201d<\/p>\n\n\n\n
Strengthen your identity posture with defense in depth<\/h2>\n\n\n\n We know protecting user identities can help prevent incidents before they happen. But that protection can take many forms. Multiple, collaborative layers of defense\u2014or defense in depth\u2014can help build up protection so no single control must shoulder the entire defense. These layers include multifactor authentication, conditional access rules, mobile device and endpoint protection policies, and even new tools\u2014like Microsoft Copilot for Security<\/a>. Defense in depth can help prevent many cyberattacks\u2014or at least make them difficult to execute\u2014through the implementation and maintenance of layers of basic security controls.<\/p>\n\n\n\n
In a recent Cyberattack Series<\/a> blog post and report, we go more in depth on how to protect credentials against social engineering attacks. The cyberattack series case involved Octo Tempest\u2014a highly active cyberthreat actor group which utilizes varying social engineering campaigns with the goal of financial extortion across many business sectors through means of data exfiltration and ransomware. Octo Tempest compromised a customer with a targeted phishing and smishing (text-based phishing) attack. That customer then reached out to Microsoft Incident Response for help to contain, evict, and detect any further threats. By collaborating closely with the victim organization\u2019s IT and security teams, the compromised systems were isolated and contained. Throughout the entire process, effective communication and coordination between the incident response team and the affected organization is crucial. The team provides regular updates on their progress, shares threat intelligence, and offers guidance on remediation and prevention strategies. By working together seamlessly, the incident response team and the affected organization can mitigate the immediate cyberthreat, eradicate the cyberattacker\u2019s presence, and strengthen the organization\u2019s defenses against future cyberattacks.<\/p>\n\n\n\n
Honeytokens: A sweet way to defend against identity-based attacks<\/h2>\n\n\n\n Another layer of protection for user identities is the decoy account. These accounts are set up expressly to lure attackers, diverting their attention away from real targets and harmful activities\u2014like accessing sensitive resources or escalating privileges. The decoy accounts are called honeytokens, and they can provide security teams with a unique opportunity to detect, deflect, or study attempted identity attacks. The best honeytokens are existing accounts with histories that can help hide their true nature. Honeytokens can also be a great way to monitor in-progress attacks, helping to discover where attackers are coming from and where they may be positioned in the network. For more detailed instructions on how to tag an account as a honeytoken and best practices for honeytoken use, read our tech community post titled \u201cDeceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity<\/a>.\u201d<\/p>\n\n\n\n
Working together to build better resilience<\/h2>\n\n\n\n Microsoft Incident Response is the first call for customers who want to access dedicated experts before, during, and after any cybersecurity incident. With on-site and remote assistance on a global scale, unprecedented access to product engineering, and the depth and breadth of Microsoft Threat Intelligence, it encompasses both proactive and reactive incident response services. Collaboration is key. Microsoft Incident Response works with the tools and teams available to support incident response\u2014like Defender for Identity, Defender for Endpoint, and now Copilot for Security\u2014to defend against identity-based attacks, together. And that collaboration helps ensure better outcomes for customers. Learn more about the Microsoft Incident Response<\/a> proactive and reactive response services or see it in action in the fourth installment of our ongoing Cyberattack Series<\/a>.<\/p>\n\n\n\n
To learn more about Microsoft Security solutions, visit our website.<\/a> Bookmark the Security blog<\/a> to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security<\/a>) and X (@MSFTSecurity<\/a>) for the latest news and updates on cybersecurity.<\/p>\n\n\n\n
1<\/sup>Microsoft Digital Defense Report<\/a>, Microsoft. 2023.<\/p>\n\n\n\n
2<\/sup>Microsoft Digital Defense Report<\/a>, Microsoft. 2022.<\/p>\n\n\n\n
3<\/sup>2023 Data Breach Investigations Report<\/a>, Verizon.<\/p>\n