Microsoft Defender
MS Defender for Office 365
- cloud-based email filtering service
- protects against unknown malware and viruses, and provides zero-day protection
- real-time protection
- rich reporting and URL trace capabilities
Automated investigation and response (AIR)
- includes a set of security playbooks that can be launched automatically, e.g. when an alert is triggered, or manually from Explorer.
- AIR saves the SOC team time and effort
AIR workflow:
- An alert is triggered which initiates a security playbook
- Depending on the alert and security playbook, automated investigation begins immediately. An analyst can also start an automated investigation manually from a value in a report such as Explorer.
- While an automated investigation runs, the scope increases as new related alerts are triggered.
- During and after an automated investigation, details and results are available to view.
- Results include recommended actions for response and remediation.
- A playbook log is available that tracks all investigation activity.
- You can leverage the Office 365 Management Activity API to view info about automated investigations and threats if your org is using custom reporting tools
- Your SOC team reviews the results and recommendations and approves remediation actions.
- Remediation actions are taken only upon approval by your org's SOC team; they include:
- soft delete email messages or clusters
- block URL (time of click)
- Turn off external mail forwarding
- Turn off delegation
An org can set fine-grained threat protection at the user, organization, recipient and domain level.
Safe Attachments
- protects against unknown malware and viruses and provides zero-day protection to safeguard your messaging system.
- All messages and attachments that don't have a known virus/malware signature are routed to a special environment where MDfO365 uses a variety of ML and analysis techniques to detect malicious intent.
- If no suspicious activity is detected, the message is released for delivery to the mailbox.
- You can create a transport rule / mail flow rule in the Exchange admin center to bypass Safe Attachments scanning.
- As part of the mail flow rule, modify the message properties to set a message header with X-MS-Exchange-Organization-SkipSafeAttachmentProcessing as the header name to bypass the Safe Attachments policy.
Safe links
Safe Links is a feature that proactively protects users from malicious URLs in a message or in an Office document.
Safe links is available for URLs in the following apps:
- Microsoft 365 apps for enterprise on Windows or Mac
- Office for the web
- Word, Excel, PowerPoint, and Visio on Windows; Office apps on iOS and Android devices
- MS Teams channels and chats
Safe links is both client and location agnostic in that the location and device being used will not affect the behavior of wrapped links.
It is recommended to apply MDfO365 Safe Links policies to all users in your org.
Microsoft Defender for Identity
Is a cloud-based security solution that leverages your on-prem AD signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Benefits:
- monitor users, entity behavior, and activities with learning-based analytics
- Protect user identities and credentials stored in AD
- Identify and investigate suspicious user activities and advanced attacks through the kill chain
- Provide clear incident information on a simple timeline for fast triage
Recon Stage detection
- LDAP reconnaissance can be used by attackers to gain critical information about the domain environment.
- That information helps attackers map the domain structure and identify privileged accounts for use later.
- Microsoft Defender for Identity would trigger a detection based on computers performing suspicious LDAP enumeration queries or queries targeting sensitive groups.
Compromised Credential detection
- A Brute force attack is when an attacker attempts to authenticate with multiple passwords on different accounts until a correct password is found or by using one password in a large-scale password spray that works for at least one account.
- Once found, the attacker logs in using the authenticated account.
- Microsoft Defender for Identity can detect this when it notices multiple authentication failures occurring using Kerberos, NTLM, or use of a password spray.
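The brute-force and password-spray patterns described above, as an added detection example that is neither Microsoft's detection logic nor code from the original notes: it runs two simple heuristics over a constructed list of authentication events (host names, accounts and timestamps are made up) and also lists the successful logons from a flagged source, since that is the follow-on logon an analyst would triage first.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not real telemetry): time, source host,
# account, protocol, outcome. ws-42 hammers one account, ws-77 tries one guess
# across many accounts, ws-10 is a user mistyping a password once.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "ws-42", "alice", "Kerberos", "FAIL"),
    ("2024-05-01T09:00:07", "ws-42", "alice", "Kerberos", "FAIL"),
    ("2024-05-01T09:00:15", "ws-42", "alice", "Kerberos", "FAIL"),
    ("2024-05-01T09:00:22", "ws-42", "alice", "Kerberos", "FAIL"),
    ("2024-05-01T09:00:30", "ws-42", "alice", "Kerberos", "FAIL"),
    ("2024-05-01T09:00:41", "ws-42", "alice", "Kerberos", "SUCCESS"),
    ("2024-05-01T09:10:00", "ws-77", "bob", "NTLM", "FAIL"),
    ("2024-05-01T09:10:02", "ws-77", "carol", "NTLM", "FAIL"),
    ("2024-05-01T09:10:04", "ws-77", "dave", "NTLM", "FAIL"),
    ("2024-05-01T09:10:06", "ws-77", "erin", "NTLM", "FAIL"),
    ("2024-05-01T09:10:08", "ws-77", "frank", "NTLM", "SUCCESS"),
    ("2024-05-01T09:30:00", "ws-10", "grace", "Kerberos", "FAIL"),
    ("2024-05-01T09:30:20", "ws-10", "grace", "Kerberos", "SUCCESS"),
]


def parse(events):
    """Turn ISO timestamps into datetimes; keep the other fields as they are."""
    return [(datetime.fromisoformat(ts), src, acct, proto, res)
            for ts, src, acct, proto, res in events]


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Brute force: at least `threshold` failures against one account from one source inside `window`."""
    failures = defaultdict(list)
    for ts, src, acct, _proto, res in parse(events):
        if res == "FAIL":
            failures[(src, acct)].append(ts)
    return {key: n for key, times in failures.items()
            if (n := max_in_window(times, window)) >= threshold}


def detect_password_spray(events, min_accounts=4, max_per_account=2, window=timedelta(minutes=10)):
    """Password spray: one source fails against at least `min_accounts` distinct accounts
    inside `window`, with at most `max_per_account` failures each (one guess, many targets)."""
    by_source = defaultdict(list)
    for ts, src, acct, _proto, res in parse(events):
        if res == "FAIL":
            by_source[src].append((ts, acct))
    hits = {}
    for src, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_account = Counter(acct for _, acct in attempts[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                hits[src] = sorted(per_account)
                break
    return hits


def summarize(events):
    """Combine both detections and list successful logons from flagged sources:
    that is the 'attacker logs in using the authenticated account' step to triage."""
    brute = detect_brute_force(events)
    spray = detect_password_spray(events)
    flagged_sources = set(spray) | {src for src, _ in brute}
    follow_ups = sorted({(src, acct) for _, src, acct, _proto, res in parse(events)
                         if res == "SUCCESS" and src in flagged_sources})
    return {"brute_force": brute, "password_spray": spray,
            "successful_logons_from_flagged_sources": follow_ups}


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

The two heuristics are deliberately shaped differently: brute force keys on (source, account) and counts volume, while spray keys on source alone and looks for breadth with low per-account volume, which is why the single mistyped password from ws-10 trips neither rule.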
Lateral Movement detection
When attackers attempt to move laterally through your environment using pass-the-ticket (a lateral movement technique in which the attacker steals a Kerberos ticket from one computer and reuses it to gain access to another), Microsoft Defender for Identity detects that the same Kerberos ticket is being used on two (or more) different computers.
Domain Dominance detection
- A way to establish domain dominance is the DCShadow attack.
- This attack is designed to change directory objects using malicious replication.
- It can be performed from any machine by creating a rogue domain controller using a replication process.
- In such a scenario, Microsoft Defender for Identity triggers an alert when a machine in the network tries to register as a rogue domain controller.
Note that Defender won't detect a hash passed on a local resource.
It detects when a hash is used from one resource to access another resource or a service.
Note that similar to pass the hash, Defender does not know when a ticket is passed based on local client activity.
However, it detects activity once a ticket is used to access another resource or service.
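The pass-the-ticket rule described above (one Kerberos ticket presented from two or more computers) together with the caveat that local-only use is invisible to the sensor, as an added example that is illustrative code rather than Defender for Identity's implementation. The ticket identifiers, host names and the `channel` field are constructed; `channel` models whether the sensor could observe the use on the wire.

```python
from collections import defaultdict

# Constructed ticket-usage records (not real telemetry). `ticket_id` stands in
# for whatever identifies one specific Kerberos ticket; `client` is the computer
# presenting it, `target` the resource it is presented to. `channel` is
# "network" when the use crosses the wire and "local" when it stays on the host.
SAMPLE_TICKET_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "ticket_id": "tkt-A1", "user": "alice", "client": "ws-01", "target": "fs-01", "channel": "network"},
    {"ts": "2024-05-01T10:05:00", "ticket_id": "tkt-A1", "user": "alice", "client": "ws-01", "target": "fs-02", "channel": "network"},
    # same ticket, now presented from a second computer
    {"ts": "2024-05-01T10:20:00", "ticket_id": "tkt-A1", "user": "alice", "client": "ws-09", "target": "fs-02", "channel": "network"},
    # one computer, many targets: normal use, never flagged
    {"ts": "2024-05-01T10:30:00", "ticket_id": "tkt-C3", "user": "carol", "client": "ws-03", "target": "fs-01", "channel": "network"},
    {"ts": "2024-05-01T10:31:00", "ticket_id": "tkt-C3", "user": "carol", "client": "ws-03", "target": "fs-02", "channel": "network"},
    # ticket injected into a local session and never sent to another resource: invisible
    {"ts": "2024-05-01T11:00:00", "ticket_id": "tkt-B7", "user": "bob", "client": "ws-02", "target": "ws-02", "channel": "local"},
]


def detect_pass_the_ticket(events):
    """Return {ticket_id: sorted client computers} for every ticket presented
    over the network from two or more different computers."""
    clients = defaultdict(set)
    for e in events:
        if e["channel"] != "network":
            continue  # the sensor only sees what crosses the wire
        clients[e["ticket_id"]].add(e["client"])
    return {tid: sorted(c) for tid, c in clients.items() if len(c) >= 2}


def explain(events):
    """Build the timeline an analyst wants for each flagged ticket: the account
    and every network use as (time, client, target), in order."""
    timeline = {}
    for tid, hosts in detect_pass_the_ticket(events).items():
        uses = sorted((e["ts"], e["client"], e["target"]) for e in events
                      if e["ticket_id"] == tid and e["channel"] == "network")
        user = next(e["user"] for e in events if e["ticket_id"] == tid)
        timeline[tid] = {"user": user, "clients": hosts, "uses": uses}
    return timeline


if __name__ == "__main__":
    for tid, info in explain(SAMPLE_TICKET_EVENTS).items():
        print(tid, info)
```

Only tkt-A1 is flagged: tkt-C3 is used from one computer against several targets, which is ordinary behaviour, and tkt-B7 never produces a network observation, which is exactly the gap the note above describes.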
Just to emphasize:
- Safe Attachments - Protect against unknown malware and viruses by opening attachments in cordoned-off virtual environments to detect malicious behavior.
- Safe Links - Provide real-time, time-of-click protection against malicious URLs by wrapping external links in special URLs that check the destination URL for threats before opening them.
- Click Trace - Provides rich reporting and URL trace capabilities by keeping a record of every user who has clicked on a Safe Link-wrapped URL for additional protection.
- Windows Hello is a more personal, more secure way to get instant access to your Windows 10 devices using fingerprint or facial recognition.
- Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
- Microsoft Defender Application Guard, designed for Windows 10 and Microsoft Edge, helps isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.
- Device Guard is a group of key features designed to harden a computer system against malware. Its focus is preventing malicious code from running by ensuring only known good code can run.
- Windows Defender Antivirus delivers comprehensive, ongoing, and real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud, and the web.
ASR
You can use attack surface reduction (ASR) in the Microsoft 365 Defender portal to help reduce your Windows 10 attack surfaces. Its rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
In the context of ASR:
- Detected file: the file, typically a script or document, whose contents triggered the suspected attack activity
- Rule: name describing the attack activities the rule is designed to catch
- Source app: the application that loaded or executed content triggering the suspected attack activity. This could be a legitimate application, such as a web browser, an Office application, or a system tool like PowerShell.
- Publisher: the vendor that released the source app
A digital estate is a collection of tangible owned assets such as virtual machines, servers, applications, data, and so on. Essentially, a digital estate includes the IT assets that power business processes and operations.
DLP
- Use DLP policies to block the sending of emails that contain bank account information or Social Security numbers, or optionally apply encryption automatically to the messages.
- Use Microsoft Defender for Cloud Apps to block the upload, download, or sharing of sensitive information that resides in a cloud repository.
- Consider applying Rights Management service (RMS) on the SharePoint library hosting the documents.
There are four key areas for preventing data loss and managing the data lifecycle.
- Detect/Discover. Identify the data you want to protect. To detect sensitive data, you can use a content scan, such as Azure Information Protection (AIP) unified labeling scanner, and define data through data classification.
- Protection. Consider the range of DLP enforcement actions you can apply to documents and emails containing sensitive information, such as block sending, block sharing, warning end-users or auditing activity.
- Visibility. Protect sensitive data while keeping its visibility for appropriate uses such as:
- Forensics
- Risk management reporting
- Compliance
- Data immunization. When you apply security controls based on classification at the source (moment of creation), you can:
- Minimize data exposure time
- Provide context to help ensure that the data classification is correct
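An added example of the Detect/Discover and Protection steps above, and of the email DLP rule described earlier in this section; it is not code from the original notes or from Microsoft's DLP engine. It finds U.S. Social Security numbers and ABA bank routing numbers in message text, applies structural checks (issued-range rules for SSNs, the 3-7-1 mod-10 checksum for routing numbers) to cut false positives, and maps the findings to a block / encrypt / allow decision. The sample messages and the routing number 123456780 are constructed.

```python
import re

# Constructed sample messages (not real data); 123456780 is a made-up value
# that happens to satisfy the ABA checksum.
SAMPLE_MESSAGES = {
    "msg1": "Hi, my SSN is 123-45-6789 and my routing number is 123456780.",
    "msg2": "Order 000-12-3456 shipped, reference 987654321.",
    "msg3": "Please wire the deposit to routing 123456780 by Friday.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
NINE_DIGITS_RE = re.compile(r"\b\d{9}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject combinations that are never issued: area 000, 666 or 900-999,
    group 00, serial 0000. Keeps order numbers shaped like SSNs out of the results."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def is_aba_routing_number(digits: str) -> bool:
    """ABA routing numbers carry a mod-10 checksum with repeating weights 3, 7, 1."""
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def classify(text: str) -> list:
    """Return (sensitive_info_type, matched_text) pairs found in `text`."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(("SSN", m.group(0)))
    for m in NINE_DIGITS_RE.finditer(text):
        if is_aba_routing_number(m.group(0)):
            findings.append(("ABA_ROUTING", m.group(0)))
    return findings


def evaluate_policy(text: str) -> dict:
    """Toy DLP policy in the spirit of the rule above: an SSN blocks the send,
    bank routing data alone is sent encrypted, anything else is allowed."""
    findings = classify(text)
    types = {t for t, _ in findings}
    if "SSN" in types:
        action = "block"
    elif "ABA_ROUTING" in types:
        action = "encrypt"
    else:
        action = "allow"
    return {"action": action, "findings": findings}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(name, evaluate_policy(body))
```

msg2 is the interesting case: both of its numbers have the right shape, but the SSN fails the issued-range check and the nine-digit reference fails the checksum, so the message is allowed. Validation steps like these are what keep the false-positive and override counts in the DLP reports low.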
Defender for Cloud reports inform you about:
- Users with the most shared files
- Matches from DLP policies
- False positives and overrides of the DLP policies
- Integration of third-party DLP policy matches
Label Analytics show:
- How your organization uses retention and sensitivity labels to classify, retain, and protect cloud content.
- How your organization labels content, including frequently used labels, who's applied them, which emails and files they're applied to, and more.
Azure Information Protection analytics helps you track adoption of your data classification labels. It also enables you to:
- Monitor labeled and protected documents and emails.
- Identify documents that contain sensitive information.
- Monitor user access to labeled documents and emails, and track document classification changes.
- Identify unprotected documents with sensitive information and offer recommendations to mitigate risk.
- Identify when internal or external users access protected documents and whether they were granted access.
Microsoft 365 Compliance Center
The compliance center home page displays the following sections:
- Assess. Shows how well your organization is doing with respect to data protection and compliance.
- Protect. Contains cards that provide high-level information about labels, data loss prevention, third-party apps in use, shared files, shadow IT apps, and more.
- Respond. Surfaces alerts and pending dispositions for review and possible action.
Other areas of the Microsoft 365 compliance center can help you gain further insights and protect your data.
- Alerts to view and resolve alerts
- Reports to view data about label usage and retention, DLP policy matches and overrides, shared files, third-party apps in use, and more.
- Classification to access your labels, label policies, sensitive information types, and label analytics.
- Policies to view alerts and to access your DLP and retention policies.
- Solutions contains links to access your organization's compliance solutions. These include:
- Data governance > dispositions
- eDiscovery
- Supervision
- Data investigations
- Data subject requests