Microsoft Defender ATP
BUILT-IN. CLOUD-POWERED
Threat Management TSP Kent Husvik [email protected]
@KingKongKent Security operations that work for you
Microsoft Intelligent Security Association
Collaboration strengthens protection
Intelligent Security Graph: shared intelligence
Improved threat discoverability. Extend security for mutual customers. Identity & access management, threat protection, information protection, security management.
Zero Trust with Azure AD Conditional Access
Signals: user and location, device, application, real-time risk.
Azure Sentinel: protection across the attack kill chain.
Microsoft Cloud App Security: extends protection & conditional access to other cloud apps.
Office 365 ATP: malware detection, Safe Links and Safe Attachments.
Azure AD Identity Protection: identity protection & conditional access.
Microsoft Defender ATP: Endpoint Detection and Response (EDR) & Endpoint Protection (EPP).
Azure ATP: identity protection.
Attack chain as drawn on the slide: phishing mail attachment, click a URL, browse to a website, open attachment; brute force account or use stolen account credentials; exploitation; installation; command & control; user account compromised; attacker attempts lateral movement; privileged account compromised; domain is compromised; attacker accesses sensitive data; attacker collects reconnaissance & configuration data; exfiltrate data.
[Chart: O97M/Donoff variant - Late 2015 Campaign; x-axis Time (8:15 to 12:35), y-axis 0 to 3500; annotation: 91 %, few minutes to hours]
[Chart: O97M/Donoff variant - Late 2016 Campaign; y-axis 0 to 600000; annotation: 68 %, 5 minutes]
Password Spray (aka Brute Force, Hammering)
Iterate through known account names with most common passwords. Probability of account compromise by password spray: 1%.
(The slide lists many user accounts, each tried with the same password, RedSox2018.)
MFA reduces the risk of an attack by 99.9%. Have you turned on MFA?
Steps shown on the slide:
1. An employee receives a phishing email with a link to a credential harvesting site.
2. Initial email could be sent to either a personal or company account. User opens link!
3. Credential harvesting site (a fake O365 login page) used to capture employee credentials.
4. Stolen credentials are used to sign in to employee’s Exchange Online mailbox via legacy protocol/email client.
5. Attacker conducts internal phishing campaign to capture more credentials and access more mailboxes.
6. Attacker signs in to additional mailboxes, sets up mail forwarding rules.
7. Attacker searches mailboxes for financial related data.
❖ Use O365 Secure Score checklist as a guide for initial lockdown of tenant.
❖ Enable MFA
❖ Disable legacy protocol access to tenant
❖ Enable Mailbox Auditing for all users
❖ Enable Client Rules Forwarding Block
❖ Limit or Disable remote PowerShell access
❖ Integrate O365 and AAD Audit logs into SIEM or review regularly
❖ Implement Conditional Access (if available)
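Detection logic for the password-spray pattern described above, run over constructed sign-in log lines (an added example, not code from the deck or from Microsoft). The log format, the thresholds and the sample source addresses are assumptions; the idea is that a spray keeps each account under lockout while one source touches many distinct accounts.

```python
# Added example (not from the slide deck): flag password spray in sign-in logs.
# One source fails against many distinct accounts, each only a few times, so
# per-account lockout never trips; the distinct-account count per source does.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp source_ip user result"
SAMPLE_LOG = """\
2018-11-05T08:00:01Z 198.51.100.7 alice@contoso.com FAILURE
2018-11-05T08:00:03Z 198.51.100.7 bob@contoso.com FAILURE
2018-11-05T08:00:05Z 198.51.100.7 carol@contoso.com FAILURE
2018-11-05T08:00:07Z 198.51.100.7 dave@contoso.com FAILURE
2018-11-05T08:00:09Z 198.51.100.7 erin@contoso.com FAILURE
2018-11-05T08:00:11Z 198.51.100.7 frank@contoso.com SUCCESS
2018-11-05T08:01:00Z 203.0.113.9 alice@contoso.com FAILURE
2018-11-05T08:01:30Z 203.0.113.9 alice@contoso.com FAILURE
2018-11-05T08:02:00Z 203.0.113.9 alice@contoso.com SUCCESS
"""

def parse_line(line):
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result

def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=3):
    """{source: sorted accounts} for sources that failed against >= min_accounts
    distinct accounts within `window`, none more than max_per_account times."""
    failures = defaultdict(list)          # source -> [(ts, user), ...]
    for line in log_text.strip().splitlines():
        ts, src, user, result = parse_line(line)
        if result == "FAILURE":
            failures[src].append((ts, user))
    hits = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # window starting at each failure
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[src] = sorted(per_user)
                break
    return hits

def successes_from(log_text, sources):
    """Accounts that signed in successfully from a flagged source: reset these first."""
    return sorted({user for ts, src, user, result in map(parse_line, log_text.strip().splitlines())
                   if src in sources and result == "SUCCESS"})
```

The legitimate user retrying one account from 203.0.113.9 is not flagged; the source that touched five accounts in seconds is, and its one successful sign-in is the account to reset.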
Windows 10 Enhances Security
Improved security is one of the biggest benefits of adopting Windows 10. This research explores new Windows threat resistance security features that are important to security and risk management leaders.
Impacts
• Windows 10 delivers four foundational security features that security and risk management leaders need to consider when planning Windows 10 migrations.
• Windows 10 embeds memory exploit protection in the OS. Continuous updates will enable security and risk management leaders to more rapidly eliminate future zero-day techniques.
• Improvements in Microsoft’s malware detection accuracy and the introduction of Windows Defender Advanced Threat Protection (ATP) make Microsoft a much more viable replacement for dedicated endpoint protection platform (EPP) and endpoint detection and response (EDR).
Recommendations
Security and risk management leaders responsible for endpoint security should:
• Ensure that future hardware purchases meet the minimum hardware recommendations for features that use virtualization-based security (VBS) for hardware-enforced isolation, Unified Extensible Firmware Interface (UEFI) Secure Boot and Device Guard.
• Credential Guard is the single biggest improvement and should be implemented in all Windows 10 rollouts. Credential Guard requires the Enterprise version of the Windows 10 license.
• Evaluate Windows Defender ATP against current EPP and EDR solutions as part of Windows 10 migration planning with particular emphasis on integration with O365, Azure and Identity.
• Build operational support for automated updating using pilot production testing and staged rollouts culminating with mission-critical devices. Pressure software suppliers to commit to early support for both feature releases and monthly security releases.
• Standardize on Edge browser by using Windows Defender Application Guard for roles and devices that do not need unfettered access to the internet.
https://www.gartner.com/doc/3890175/windows--enhances-security
Real-world intelligence at work
Intelligent Edge: local ML models, behavior-based detection algorithms, generics, heuristics
Intelligent Cloud: metadata-based ML models, sample analysis-based ML models, detonation-based ML models, big data analytics
Timeline (2017–2018):
• October 2017 – Cloud-based detonation ML models identified Bad Rabbit, protecting users 14 minutes after the first encounter.
• February 3 – Client machine learning algorithms automatically stopped the malware attack Emotet in real time.
• March 6 – Behavior-based detection algorithms blocked more than 400,000 instances of the Dofoil trojan.
• August 2018 – Cloud machine learning algorithms blocked a highly targeted campaign to deliver Ursnif malware to under 200 targets.
[Diagram: layered Windows 10 security model. Apps (#1, #2, #3) and Trustlets run above Windows Platform Services; below them the Kernel, the Windows Operating System and the Windows Defender System Guard container, separated by virtualization-based security (VBS); the Hypervisor sits on the Device Hardware.]
WINDOWS HELLO FOR BUSINESS
Passwordless strong authentication via multiple factors
▪ PC + PIN or Biometrics
▪ PC + Companion Device
▪ PC supported Biometrics: fingerprint & facial
▪ Companion Device can support other biometrics options (e.g.: EKG)
Supported on any Windows 10 device
>100 devices supporting biometrics
TODAY’S SOLUTION: CREDENTIAL GUARD
→ Pass the Hash (PtH) attacks are the #1 go-to tool for hackers. Used in nearly every major breach and APT type of attack
→ Credential Guard uses VBS to isolate Windows authentication from Windows operating system
→ Protects LSA Service (LSASS) and derived credentials (NTLM Hash)
→ Fundamentally breaks derived credential theft using MimiKatz
→ * Windows 10 E3
[Diagram: the Credential Guard trustlet runs beside other trustlets and apps (#1, #2, #3) above Windows Platform Services; Kernel, Windows Operating System and Windows Defender System Guard below; Hyper-V (VBS) hypervisor on the Device Hardware.]
ASR rule: block-credential-stealing-from-lsassexe (Block credential stealing from the Windows local security authority subsystem, lsass.exe)
FIDO board members
Azure Advanced Threat Protection
Security Realities
99+ : the median # of days that attackers reside within a victim’s network before detection
>81% : of hacking-related breaches leveraged either stolen and/or weak passwords
$500B : the total potential cost of cybercrime to the global economy
$3.8M : the average cost of a data breach to a company
The anatomy of an attack
User account is compromised → Attacker attempts lateral movement → Privileged account compromised → Attacker accesses sensitive data → Attacker steals sensitive data
Entry point: zero-day / brute-force attack by the attacker against the user.
Signals along the way: anomalous user behavior, lateral movement attacks, unfamiliar sign-in location, escalation of privileges, account impersonation.
Azure Advanced Threat Protection
1. Collect. After installation:
• Deployed directly onto domain controllers or non-intrusive port mirroring
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM and information from Active Directory (titles, groups membership, and more)
2. Analyze and Learn. Azure Advanced Threat Protection:
• Protect at scale with the power of Azure
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Patented IP name resolution mechanism
• Learns continuously to update the activities of the users, devices, and resources
What is an entity? Entity represents users, devices, or resources.
3. Detect. Azure Advanced Threat Protection:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real-time based on attackers’ Tactics, Techniques, and Procedures (TTPs)
Azure ATP not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.
4. Alert & Investigate. Azure Advanced Threat Protection:
• Reports all suspicious activities on a simple, functional, actionable attack timeline
• Identifies Who? What? When? How?
• For each suspicious activity, provides detailed information for the investigation and remediation
Detections, grouped on the slide by attack phase (Reconnaissance, Compromised Credential, Lateral Movement, Privilege Escalation, Domain Dominance):
• Abnormal authentication requests
• Abnormal resource access
• Account enumeration
• Net Session enumeration
• DNS enumeration
• SAM-R enumeration
• Brute force using NTLM, Kerberos, or LDAP
• Sensitive accounts exposed in plain text authentication
• Service accounts exposed in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information (DPAPI) request
• Abnormal VPN
• Abnormal working hours
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• Remote execution
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)
• Abnormal modification of sensitive groups
• Skeleton key malware
• Golden ticket
• Malicious replication requests
• Malicious service creation
ATP Architecture
[Diagram: Azure ATP Sensor on each Domain Controller, or an Azure ATP Standalone Sensor fed by port mirroring (parsed network traffic from DCs) and Windows Event Forwarding; SIEM events in, alert notifications to SIEM out; integration with Windows Defender ATP; access to the console through the Azure ATP workspace management portal and workspace portal.]
Microsoft Defender ATP
Built-in. Cloud-powered.
THREAT & VULNERABILITY MANAGEMENT | ATTACK SURFACE REDUCTION | NEXT GENERATION PROTECTION | ENDPOINT DETECTION & RESPONSE | AUTO INVESTIGATION & REMEDIATION | MICROSOFT THREAT EXPERTS
CENTRALIZED CONFIGURATION AND ADMINISTRATION, APIS
Vulnerability Management Isn’t Just Scanners Anymore
Discover: continuous discovery of vulnerable applications and configuration via continuous endpoint monitoring to gain immediate situational awareness
Prioritize: context-aware prioritization of findings by enriching with threat intelligence sources, business context and crowd wisdom to build an accurate risk report
Mitigate: surgical mitigation & automated fix of threats by tailoring a surgical mitigation/fix plan based on organizational risk using Microsoft’s security stack, 1st party and 3rd party partners
Office 365 Advanced Threat Protection
Productivity built on security
Protect with Office 365 Advanced Threat Protection (ATP)
Service architecture
Sender → Exchange Online Protection (multiple filters; three anti-virus engines) → Safe Attachments → Links → Recipient
• Safe Attachments: attachment detonation chamber (sandbox) for attachments that are a supported file type, clean by AV/AS filters and not in the reputation list; behavioral analysis with machine learning asks: Executable? Registry call? Elevation? Verdict: Unsafe or Safe.
• Links: continuously updated lists of malicious URLs; Safe Links rewrite.
Protect your desktop clients
Improve your security against advanced threats, unknown malware, and zero-day attacks. Protect users from malicious links with time-of-click protection. Safeguard your environment from malicious documents using virtual environments.
Coming Soon: Safe Links protection in Microsoft Teams
• Malicious URL in conversations from Guest/External user in Teams desktop client
• Office 365 ATP blocks a malicious link click from Teams desktop client
Safe Attachments
Detonate malicious attachments
Safe Links
Time-of-click protection for malicious links.
1. Rewriting URLs to redirect to a web server.
2. User clicking URL is taken to EOP web servers for the latest check at the “time-of-click”.
3. Web servers perform latest URL reputation check.
Time of click verification of URLs in emails and Office documents
Safe Links policies are easily configured by security teams
Apply internally for intra-org emails
Only security service that can do intra-org link analysis within compliance boundary of Office 365
URL detonation
• Emails are analyzed to send suspicious links for detonation
• Detonation happens in a sandboxed environment exposing thousands of signals about a file
• Based on the verdict of detonation, users are allowed or blocked from following the link
• Machine Learning models examining detonation artifacts continuously improve
Anti-impersonation
Protection against sophisticated attempts for user impersonation, domain impersonation and brand impersonation
Easy configuration to create and update anti-impersonation settings
Different actions can be taken when a specified user or domain is impersonated
User impersonation based on Mailbox Intelligence
Expanded user impersonation support to provide personalized protection from impersonation attacks, based on each user’s graph
Also providing support for on-premises mailboxes
[Diagram: a user’s contact graph: Manager, Skip Level Manager, Partner, Partner X, Vendor, Customer, Finance, Marketing, HR, Eng.]
Message reporting
Easy way for users to report suspicious emails directly to Microsoft for analysis
Helps Microsoft quickly update and enhance the protection capabilities
Emails can be reported as either ‘junk’ or ‘Phish’
Admins have visibility into suspicious emails reported by users
Safety tips
Provides information to users if and why an email is marked as spam, junk or is suspicious
New: Native link rendering for Safe Links in Outlook clients
Users can hover over URLs in emails and see the original URL Supports end user education by making them more aware of malicious URLs
Unique capability that no other vendor can offer
Available today on OWA and Outlook client on Windows
Rewritten Safe Links URL shown on the slide: https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.contoso.net%2F&data=02%7C01%7C
Attack Simulator
• Launch realistic simulated attacks to assess user behavior
• Create awareness and train users to make the right decisions to prevent attacks
• Update security policies to better protect your organization
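Returning to the Safe Links rewrite shown on the native-link-rendering slide above: the helper below recovers the original destination from a rewritten URL, the same value Outlook shows on hover, for analysts triaging a reported message or a proxy log. This is an added example, not code from the deck or from Microsoft; the host-suffix check generalising the slide’s na01 prefix and the nested eur01 sample are assumptions.

```python
# Added example (not from the slide deck): recover the original destination
# from a Safe Links rewritten URL, the value Outlook's native link rendering
# shows on hover, for triage of reported mail or proxy logs that only hold
# the wrapped form. The host suffix check is an assumption generalising "na01".
from urllib.parse import urlsplit, parse_qs, quote

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

def unwrap_safelink(url):
    """Original URL if `url` is a Safe Links wrapper, else None.
    Only the host suffix and the url= query parameter are used; the data=
    parameter (shown truncated on the slide) is not interpreted."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # endswith() on the full dotted suffix rejects look-alike hosts such as
    # na01.safelinks.protection.outlook.com.example.test
    if parts.scheme != "https" or not host.endswith(SAFELINKS_SUFFIX):
        return None
    target = parse_qs(parts.query).get("url")
    if not target:
        return None
    inner = target[0]                    # parse_qs percent-decodes once
    nested = unwrap_safelink(inner)      # wrapper inside a wrapper (forwarded mail)
    return inner if nested is None else nested

# The rewritten URL shown on the slide (its data= value is truncated there)
SLIDE_URL = ("https://na01.safelinks.protection.outlook.com/"
             "?url=http%3A%2F%2Fwww.contoso.net%2F&data=02%7C01%7C")
# Constructed: a second wrapper around SLIDE_URL, as a forwarded message produces
NESTED_URL = ("https://eur01.safelinks.protection.outlook.com/?url="
              + quote(SLIDE_URL, safe=""))

if __name__ == "__main__":
    print(unwrap_safelink(SLIDE_URL))    # http://www.contoso.net/
    print(unwrap_safelink(NESTED_URL))   # http://www.contoso.net/
```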
Microsoft Threat Protection
1. Identities: validating, verifying and protecting both user and admin accounts
2. Endpoints: protecting user devices and signals from sensors
3. User Data: evaluating email messages and documents for malicious content
4. Cloud Apps: protecting SaaS applications and their associated data stores
5. Infrastructure: protecting servers, virtual machines, databases and networks across cloud and on-premises locations
Products shown: Azure Active Directory, Azure Advanced Threat Protection, Microsoft Cloud App Security, Microsoft Intune, Windows 10, Azure Security Center, Windows Defender Advanced Threat Protection, Office Advanced Threat Protection, Office Threat Intelligence, Windows Server, Exchange Online Protection, SQL Server, Linux