
Defender ATP

BUILT-IN. CLOUD-POWERED

Kent Husvik, Threat Management TSP
[email protected]
@KingKongKent

Security operations that work for you

Microsoft Intelligent Security Association

Collaboration strengthens protection

Intelligent Security Graph
• Shared intelligence
• Improved threat discoverability
• Extend security for mutual customers

Areas: Identity & access management, Threat protection, Information protection, Security management
Signals: User and location, Device

Zero Trust with Azure AD Conditional Access

Azure AD Conditional Access: Application, Real time risk
Azure Sentinel
Microsoft Cloud App Security: extends protection & conditional access to other cloud apps
Protection across the attack kill chain
Office 365 ATP: detection, safe links, and safe attachments
Azure AD Identity Protection: identity protection & conditional access

Attack kill chain:
Phishing (open attachment, click a URL, browse to a website) → Exploitation → Installation → Command & Control
Brute force account or use stolen account credentials → User account compromised → Attacker attempts lateral movement → Privileged account compromised → Attacker accesses reconnaissance & configuration data → Domain is compromised → Attacker collects sensitive data → Exfiltrate data

Microsoft Defender ATP: Endpoint Detection and Response (EDR) & End-point Protection (EPP)
Azure ATP: Identity protection

[Chart: O97M/Donoff variant - Late 2015 Campaign. Y-axis 0 to 3500; X-axis: Time, 8:15 to 12:35. Annotations: 91%, few minutes to hours]

[Chart: O97M/Donoff variant - Late 2016 Campaign. Y-axis 0 to 600000. Annotations: 5 minutes, 68%]

Password Spray (aka Brute Force, Hammering)

Iterate through known account names with most common passwords. Probability of account compromise by password spray: 1%

[email protected] RedSox2018 (the same password tried against each of the listed accounts)

MFA reduces the risk of an attack by 99.9%. Have you turned on MFA?

1. An employee receives a phishing email with a link to a credential harvesting site.
2. Initial email could be sent to either a personal or company account.
3. Credential harvesting site used to capture employee credentials. A fake O365 Login Page! User open link!
4. Stolen credentials are used to sign in to employee's Exchange Online mailbox via legacy protocol/email client.
5. Attacker conducts internal phishing campaign to capture more credentials and access more mailboxes.
6. Attacker signs in to additional mailboxes, sets up mail forwarding rules.
7. Attacker searches mailboxes for financial related data.

❖ Use O365 Secure Score checklist as a guide for initial lockdown of tenant.
❖ Enable MFA
❖ Disable legacy protocol access to tenant
❖ Enable Mailbox Auditing for all users
❖ Enable Client Rules Forwarding Block
❖ Limit or Disable remote PowerShell access
❖ Integrate O365 and AAD Audit logs into SIEM or review regularly
❖ Implement Conditional Access (if available)
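The checklist above recommends feeding O365 and AAD audit logs into a SIEM or reviewing them regularly. The following Python script is an added example, not code from the deck or from Microsoft: it shows the kind of review a defender runs over sign-in logs to spot the spray pattern the slide describes (many accounts, one common password each, one source, often over a legacy protocol) and to tell it apart from a single user mistyping their own password. The log format, the IP addresses and the account names are constructed for the example.

```python
"""Password-spray review over sign-in logs.

Added example, not code from the deck or from Microsoft. It assumes a
constructed log format (one sign-in per line):
    timestamp,account,source_ip,client_protocol,result,reason
The addresses and account names below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 tries one password against twelve
# accounts over IMAP (a spray) and then succeeds on one of them;
# 198.51.100.20 is one user mistyping their own password a few times.
SAMPLE_LOG = "\n".join(
    [f"2019-05-01T08:{15 + i:02d}:00Z,user{i:02d}@contoso.com,203.0.113.7,IMAP,failure,InvalidPassword"
     for i in range(12)]
    + [
        "2019-05-01T08:28:00Z,user07@contoso.com,203.0.113.7,IMAP,success,",
        "2019-05-01T09:00:00Z,alice@contoso.com,198.51.100.20,Browser,failure,InvalidPassword",
        "2019-05-01T09:00:30Z,alice@contoso.com,198.51.100.20,Browser,failure,InvalidPassword",
        "2019-05-01T09:01:00Z,alice@contoso.com,198.51.100.20,Browser,failure,InvalidPassword",
        "2019-05-01T09:01:30Z,alice@contoso.com,198.51.100.20,Browser,success,",
    ]
)


def parse_log(text):
    """Parse the constructed CSV format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, protocol, result, reason = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account.lower(),
            "ip": ip,
            "protocol": protocol,
            "result": result,
            "reason": reason,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=10, max_failures_per_account=3):
    """Return one finding per source IP whose failed sign-ins look like a spray.

    A spray is many distinct accounts failing with a bad password from one
    source inside the window, with only a few attempts per account (which is
    what separates it from a brute force against one account, and from a user
    mistyping their own password). A later success from the same source on a
    sprayed account is reported as a likely compromise.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    findings = []
    for ip, ip_events in by_ip.items():
        failures = [e for e in ip_events
                    if e["result"] == "failure" and e["reason"] == "InvalidPassword"]
        best = None
        # Slide a window starting at each failure and keep the densest one.
        for i, start in enumerate(failures):
            in_window = [f for f in failures[i:] if f["ts"] - start["ts"] <= window]
            per_account = defaultdict(int)
            for f in in_window:
                per_account[f["account"]] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_failures_per_account
                    and (best is None or len(per_account) > len(best["accounts"]))):
                best = {
                    "ip": ip,
                    "window_start": start["ts"],
                    "accounts": sorted(per_account),
                    "protocols": sorted({f["protocol"] for f in in_window}),
                }
        if best is None:
            continue
        best["compromised_accounts"] = sorted({
            e["account"] for e in ip_events
            if e["result"] == "success"
            and e["account"] in best["accounts"]
            and e["ts"] >= best["window_start"]
        })
        findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {finding['ip']} over {', '.join(finding['protocols'])}: "
              f"{len(finding['accounts'])} accounts targeted, "
              f"likely compromised: {finding['compromised_accounts'] or 'none'}")
```

The thresholds (`min_accounts`, `max_failures_per_account`, `window`) are tuning knobs for the tenant, not fixed values; the `protocols` field is there because a spray arriving over IMAP or another legacy protocol is exactly the case the "Disable legacy protocol access" item on the checklist removes.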

Windows 10 Enhances Security

Improved security is one of the biggest benefits of adopting Windows 10. This research explores new Windows threat resistance security features that are important to security and risk management leaders.

Impacts
• Windows 10 delivers four foundational security features that security and risk management leaders need to consider when planning Windows 10 migrations.
• Windows 10 embeds memory exploit protection in the OS. Continuous updates will enable security and risk management leaders to more rapidly eliminate future zero-day techniques.
• Improvements in Microsoft's malware detection accuracy and the introduction of Windows Defender Advanced Threat Protection (ATP) make Microsoft a much more viable replacement for dedicated endpoint protection platform (EPP) and endpoint detection and response (EDR).

Recommendations
Security and risk management leaders responsible for endpoint security should:
• Ensure that future hardware purchases meet the minimum hardware recommendations for features that use virtualization-based security (VBS) for hardware-enforced isolation, Unified Extensible Firmware Interface (UEFI) Secure Boot and Device Guard.
• Credential Guard is the single biggest improvement and should be implemented in all Windows 10 rollouts. Credential Guard requires the Enterprise version of the Windows 10 license.
• Evaluate Windows Defender ATP against current EPP and EDR solutions as part of Windows 10 migration planning with particular emphasis on integration with O365, Azure and Identity.
• Build operational support for automated updating using pilot production testing and staged rollouts culminating with mission-critical devices. Pressure software suppliers to commit to early support for both feature releases and monthly security releases.
• Standardize on Edge browser by using Windows Defender Application Guard for roles and devices that do not need unfettered access to the internet.

https://www.gartner.com/doc/3890175/windows--enhances-security

Real-world intelligence at work

Intelligent Edge: Local ML models, behavior-based detection algorithms, generics, heuristics
Intelligent Cloud: Metadata-based ML models, Sample analysis-based ML models, Detonation-based ML models, Big data analytics

2017
October 2017 – Cloud-based detonation ML models identified Bad Rabbit, protecting users 14 minutes after the first encounter.

2018
February 3 – Client machine learning algorithms automatically stopped the malware attack Emotet in real time.
March 6 – Behavior-based detection algorithms blocked more than 400,000 instances of the Dofoil trojan.
August 2018 – Cloud machine learning algorithms blocked a highly targeted campaign to deliver Ursnif malware to under 200 targets

[Diagram: virtualization-based security (VBS) architecture. Apps #1, #2, #3 and Trustlets run on the Windows Platform Services and Kernel; the Windows Operating System sits beside the Windows Defender System Guard Container, both on the Hypervisor (VBS) over the Device Hardware.]

WINDOWS HELLO FOR BUSINESS

Passwordless strong authentication via multiple factors

▪ PC + PIN or Biometrics
▪ PC + Companion Device
▪ PC supported Biometrics: fingerprint & facial
▪ Companion Device can support other biometrics options (e.g.: EKG)

Supported on any Windows 10 device
>100 devices supporting biometrics

TODAY'S SOLUTION: CREDENTIAL GUARD

→ Pass the Hash (PtH) attacks are the #1 go-to tool for hackers. Used in nearly every major breach and APT type of attack
→ Credential Guard uses VBS to isolate Windows authentication from Windows
→ Protects LSA Service (LSASS) and derived credentials (NTLM Hash)
→ Fundamentally breaks derived credential theft using MimiKatz
→ * Windows 10 E3

[Diagram: Apps #1, #2, #3; Credential Guard Trustlet and Trustlet; Windows Platform Services; Kernel; Windows Operating System; Windows Defender System Guard; Hyper-V (VBS) Hypervisor; Device Hardware]

ASR # rule-block-credential-stealing-from-lsassexe

FIDO board members

Azure Advanced Threat Protection

Security Realities

99+: The median # of days that attackers reside within a victim's network before detection
>81%: of hacking-related breaches leveraged either stolen and/or weak passwords
$500B: The total potential cost of cybercrime to the global economy
$3.8M: The average cost of a data breach to a company

The anatomy of an attack

Zero-day / brute-force attack → User account is compromised → Attacker attempts lateral movement → Privileged account compromised → Attacker accesses sensitive data → Attacker steals sensitive data

Detections along the chain: Anomalous user behavior, Lateral movement attacks, Unfamiliar sign-in location, Escalation of privileges, Account impersonation

Azure Advanced Threat Protection

1. Collect
After installation:
• Deployed directly onto domain controllers or non-intrusive port mirroring
• Analyzes all network traffic
• Collects relevant events from SIEM and information from Active Directory (titles, groups membership, and more)

2. Analyze and Learn
Azure Advanced Threat Protection:
• Protect at scale with the power of Azure
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Patented IP name resolution mechanism
• Learns continuously to update the activities of the users, devices, and resources
What is an entity? Entity represents users, devices, or resources

3. Detect
Azure Advanced Threat Protection:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real-time based on attackers' Tactics, Techniques, and Procedures (TTPs)
Azure ATP not only compares the entity's behavior to its own, but also to the behavior of entities in its interaction path.

4. Alert & Investigate
Azure Advanced Threat Protection:
• Reports all suspicious activities on a simple, functional, actionable attack timeline
• Identifies Who? What? When? How?
• For each suspicious activity, provides detailed information for the investigation and remediation

Azure ATP detections across the attack phases:

Reconnaissance: Account enumeration; Net Session enumeration; DNS enumeration; SAM-R Enumeration
Compromised Credential: Abnormal authentication requests; Abnormal resource access; Abnormal working hours; Brute force using NTLM, Kerberos, or LDAP; Sensitive accounts exposed in plain text authentication; Service accounts exposed in plain text authentication; Honey Token account suspicious activities; Unusual protocol implementation; Malicious Data Protection Private Information (DPAPI) Request; Abnormal VPN
Lateral Movement: Abnormal resource access; Pass-the-Ticket; Pass-the-Hash; Overpass-the-Hash
Privilege Escalation: MS14-068 exploit (Forged PAC); MS11-013 exploit (Silver PAC); Abnormal Modification of Sensitive Groups
Domain Dominance: Skeleton key malware; Golden ticket; Remote execution; Malicious replication requests; Malicious service creation

ATP Architecture

Domain Controller with Azure ATP Sensor (port mirroring, Windows Event Forwarding) → Azure ATP
Azure ATP Standalone Sensor ← parsed network traffic from DCs
SIEM → events to Azure ATP; Azure ATP → alert notifications to SIEM
Azure ATP → alert notifications to Windows Defender ATP
Access to console: Workspace Management portal, Workspace portal

Windows Defender ATP

BUILT-IN. CLOUD-POWERED
Built-in. Cloud-powered.

THREAT & VULNERABILITY MANAGEMENT | ATTACK SURFACE REDUCTION | NEXT GENERATION PROTECTION | ENDPOINT DETECTION & RESPONSE | AUTO INVESTIGATION & REMEDIATION | MICROSOFT THREAT EXPERTS

CENTRALIZED CONFIGURATION AND ADMINISTRATION, APIS

Vulnerability Management Isn't Just Scanners Anymore

Continuous Discovery: vulnerable applications and configuration via continuous endpoint monitoring to gain immediate situational awareness
Context-Aware Prioritization: prioritize findings by enriching with threat intelligence sources, business context and crowd wisdom to build an accurate risk report
Surgical Mitigation & Automated Fix: mitigate threats by tailoring a surgical mitigation/fix plan based on organizational risk using Microsoft's security stack, 1st party and 3rd party partners

Office 365 Advanced Threat Protection
Productivity built on security

Protect with Office 365 Advanced Threat Protection (ATP): Service architecture

Sender → Exchange Online Protection (multiple filters, three anti-virus engines)
→ Safe Attachments: attachment detonation chamber (sandbox) for attachments that are a supported file type, clean by AV/AS filters, and not in the reputation list; behavioral analysis with machine learning (Executable? Registry call? Elevation?)
→ Links: continuously updated lists of malicious URLs; Safe Links rewrite; verdict Unsafe or Safe
→ Recipient

Protect your desktop clients

Improve your security against advanced threats, unknown malware, and zero-day attacks. Protect users from malicious links with time-of-click protection. Safeguard your environment from malicious documents using virtual environments.

Coming Soon: Safe Links protection in Microsoft Teams
• Malicious URL in conversations from Guest/External user in Teams desktop client
• Office 365 ATP blocks a malicious link click from Teams desktop client

Safe Attachments: Detonate malicious attachments (Detonation)

Safe Links: Time-of-click protection for malicious links.
Rewriting URLs to redirect to a web server for the latest check at the "time-of-click". User clicking URL is taken to EOP web servers. Web servers perform latest URL reputation check.

Safe Links

• Time of click verification of URLs in emails and Office documents
• Safe link policies are easily configured by security teams
• Apply internally for intra-org emails
• Only security service that can do intra-org link analysis within compliance boundary of Office 365

URL detonation
• Emails are analyzed to send suspicious links for detonation
• Detonation happens in a sandboxed environment exposing thousands of signals about a file
• Based on the verdict of detonation, users are allowed or blocked from following the link
• Machine Learning models examining detonation artifacts continuously improve

Anti-impersonation

• Protection against sophisticated attempts for user impersonation, domain impersonation and brand impersonation
• Easy configuration to create and update anti-impersonation
• Different actions can be taken when a specified user or domain is impersonated

User Impersonation based on Mailbox Intelligence
• Expanded user impersonation support to provide personalized protection from impersonation attacks, based on each user's graph
• Also providing support for on-premises mailboxes

[Diagram: a user's graph of contacts: Manager, Skip Level Manager, Partner, Partner X, Eng. Partner, Vendor, Customer, Finance, Marketing, HR]

Message reporting

• Easy way for users to report suspicious emails directly to Microsoft for analysis
• Helps Microsoft quickly update and enhance the protection capabilities
• Emails can be reported as either 'junk' or 'Phish'
• Admins have visibility into suspicious emails reported by users

Safety tips
• Provides information to users if and why an email is marked as spam, junk or is suspicious

New: Native Link rendering for Safe Links in Outlook clients
• Users can hover over URLs in emails and see the original URL
• Supports end user education by making them more aware of malicious URLs
• Unique capability that no other vendor can offer
• Available today on OWA and Outlook client on Windows
Example rewritten link: https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.contoso.net%2F&data=02%7C01%7C

Attack Simulator
• Launch realistic simulated attacks to assess user behavior
• Create awareness and train users to make the right decisions to prevent attacks
• Update security policies to better protect your organization

Microsoft Threat Protection

1. Identities: Validating, verifying and protecting both user and admin accounts
2. Endpoints: protecting user devices and signals from sensors
3. User Data: evaluating email messages and documents for malicious content
4. Cloud Apps: protecting SaaS applications and their associated data stores
5. Infrastructure: protecting servers, virtual machines, databases and networks across cloud and on-premises locations

Products shown: Azure Active Directory, Azure Advanced Threat Protection, Microsoft Cloud App Security, Microsoft Intune, Windows 10, Azure Security Center, Windows Defender Advanced Threat Protection, Office Advanced Threat Protection, Office Threat Intelligence, Exchange Online Protection, SQL Server, Linux