Mastering Microsoft 365 Defender: Implement Microsoft Defender for Endpoint, Identity, Cloud Apps, and Office 365 and respond to threats

By Ru Campbell , Viktor Hedberg
Product Details


Publication date : Jul 28, 2023
Length 572 pages
Edition : 1st Edition
Language : English
ISBN-13 : 9781803241708

Microsoft and Modern Cybersecurity Threats

It’s useful to understand the state of cybersecurity as a backdrop when beginning or continuing any journey with Microsoft 365 Defender, which this book will help you master as a defender. The threats that organizations face continue to change across all industries and scales. They are considerably different from those experienced when Windows first saw mass adoption in the workplace, or even 5 or 10 years ago, by which point IT had matured in many organizations. Nowadays, attackers’ budgets, capabilities, and demands outstrip those of a time when a conventional anti-virus product and a gateway firewall were all you had to consider.

Now we live in an era where the workforce has left the confines of the office or VPN; where data has jumped from your data center to someone else’s; and where hybrid identities unleash access to organizations’ apps anywhere, on any device, including that one constant across eras: email.

In this chapter, we’re going to cover the following topics:

  • The cybersecurity threat landscape
  • The cyber kill chain and MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
  • Microsoft and Zero Trust

What you learn in this chapter will paint the background of modern threats facing organizations’ IT, including the cyber-attack kill chain that Microsoft 365 Defender can be used to protect against and respond to.

It is impossible to avoid the elephant in the room: Microsoft security software.

Just as threats have changed, so has the biggest dog in the yard (and, incidentally, the company that created the yard where many of those security problems occur). Microsoft invests billions of dollars per year into security services, research, and development. The Defender of Windows XP and Vista is not the Defender of this era. We’ll conclude the chapter with what this translates to in terms of winning back your trust in the Defender brand and, no pun intended, the Zero Trust strategy that Microsoft advocates.

The cybersecurity threat landscape

Barely a week goes by that we don’t see media coverage of a security breach at a household name, business, or institution. In their announcements and disclosures confirming such breaches, necessitated either by legal obligations or media pressure, victims invariably refer to the attack as a cyber incident. This obscures the true nature of what has happened and why.

In this section, we will explain the trends defenders face against attackers and dive into the facts and figures behind them.

Microsoft publishes its Digital Defense Report annually. The findings and statistics of the 2021 release make grim reading for defenders: ransomware actors with budgets of over $1 million for zero-day research or purchase, and the continued commoditization of cybercrime, with marketplaces selling compromised devices and credentials for less than $1. The same report notes that Microsoft’s services reportedly blocked 72 billion endpoint, identity, and email threats.

Million-dollar budgets are a shock to many. Attackers with considerable levels of resources and the ability to succeed are referred to as Advanced Persistent Threats (APTs). They might be state-associated or criminal enterprises. With the rise of cryptocurrency and ransomware to receive extortion payments using it, there are big budgets due to big returns. Exact global figures are hard to ascertain, but in the United States, the Financial Crimes Enforcement Network (FinCEN) published that in the first half of 2021 alone, there was approximately $590 million reported in “ransomware-related” suspicious activity reports; a 41% increase on the entire preceding year.

How many other “industries” could cite such growth during a year most notable for the pandemic’s lockdown-induced economic difficulties? Of course, not all attacks are ransomware. Data compromise in general continues, with the likes of Magecart payment card theft being observed over two million times in a year, according to RiskIQ’s Magecart: The State of a Growing Threat (2019).

What services and infrastructure are these well-funded, highly motivated attackers compromising? Unsurprisingly, Windows tops the list of endpoints. Datto’s Global State of the Channel Ransomware Report (2021) reported that 91% of ransomware attacks targeted Windows-based clients. The attacks don’t stop at endpoints, though. The same report continues to note that a majority of the MSPs surveyed have also seen attacks in the cloud/software as a service, with 64% claiming attacks in Microsoft 365 and more than half reporting the same for Dropbox. From this report, we can also gain insights into how the attackers begin a breach; the root cause. Over half come from phishing emails, and one-fifth come from open Remote Desktop Protocol (RDP) access. Phishing emails largely gather user credentials and are then used for entry to attack systems or execute malicious attachments. Respondents to Proofpoint’s State of the Phish (2021) said that over half of successful phishing attacks resulted in a credential compromise. Verizon’s Data Breach Investigations Report (2021) advises that 23% of malware arrives on a system by email, continuing the trend of emails as an attack tool.

The prevalence of both open RDP access and phishing attacks is not particularly revelatory: any IT veteran will be familiar with the need to secure RDP and email. What many might not be familiar with, until it’s too late, is what happens next. We will explore this, in additional detail, in The cyber kill chain and MITRE ATT&CK section.

When it comes to responding to such threats, we see organizations struggling, particularly as they scale up. IBM Security’s Cost of a Data Breach Report (2021) notes an average of 212 days for breach identification and a further 75 for containment. Over 9 months! Even in organizations with incident response teams and capabilities, the average cost of a data breach is high, at over $3 million.

We know more organizations are trying to tackle these challenges by investing in such teams and cybersecurity resources. IDG’s State of the CIO (2022) reported that cybersecurity was the main driver of increased IT budgets. The report confirmed this comes from the top: a CEO’s top ask of CIOs is to improve the overall risk position by improving cybersecurity.

These stark numbers confirm the reality of the task defenders face. In the next section, we’ll look at how attacks typically play out and how you can start to build systems against them. We will do this by reviewing popular cybersecurity frameworks.

The cyber kill chain and MITRE ATT&CK

In this section, we’ll explore two frameworks that are regularly referenced in cybersecurity and Microsoft 365 Defender literature: the cyber kill chain and MITRE ATT&CK. Each of these is useful in its own way for understanding how modern threat actors operate in enterprise-scale attacks and how you can defend against them. You’ll get real-world examples of the malware and threat actors. The components, lessons, and language of each framework will become recurring themes of this book and any defender’s daily toolkit.

Cyber kill chain

A cyber kill chain is a general approach toward breaking a cybersecurity attack down into stages. The term appears to have been first used by Jeffrey Carr in Russia/Georgia Cyber War: Findings and Analysis (2008). However, since then, it has been a registered trademark of Lockheed Martin, which developed it into a seven-stage framework as part of its Intelligence Driven Defense methodology.

In this section, we’ll explore the cyber kill chain model at each stage and gain an understanding of why the approach can be useful in defending against – and further our understanding of – the kind of threats described earlier in this chapter. You’ll find practical examples of how each stage translates to real-world threats and incidents.

Stage 1 – reconnaissance

Would this really be a cybersecurity book without the obligatory Sun Tzu-derived quote of know your enemy?

Indeed, this is what reconnaissance is all about for attackers: knowing you. Attackers might begin with general scans of potential targets using internet-opened ports, or they might begin their observations about you, the victim, in a targeted fashion; particularly if you are a high-risk organization and/or in a high-risk industry.

In this phase of the cyber kill chain, attackers gather public data passively or actively (by touching your environment). To do so, they will employ open source intelligence (OSINT) tools such as Shodan, which is a search engine used to find internet-connected resources. The types of data an attacker looks for during reconnaissance include the following:

  • Potential phishing victims, particularly using data from business-based platforms such as LinkedIn. There are scrapers available, such as theHarvester, that will return all the data they can gather from LinkedIn, Twitter, Bing, Google, and other services. In 2021, LinkedIn was alleged to have been subjected to a massive data scraping incident. The records of approximately 700 million users, with publicly listed but sensitive data including email addresses and locations, became available for sale on dark markets.
  • Lists of known accounts within the environment, using scripts and tools such as UhOh365 (to see whether an Office 365 email address is valid) or onedrive_user_enum (to see whether an account has a OneDrive for Business license/repository associated with it). In the age of the cloud, these can often be run by attackers without the target having any idea, as only the public cloud provider maintains such logs and may or may not act upon them.
  • Target applications and services, such as public-facing websites or internet-exposed lines of business applications, that might be susceptible to compromise via weaknesses such as the Log4j vulnerability called Log4Shell. Vulnerabilities are as old as IT itself, but the Log4j vulnerability that was published in 2021 is infamous. Microsoft and others have confirmed widespread scanning for at-risk systems by attackers. What makes Log4Shell so notorious is its mass and cross-platform usage, across thousands of different application vendors. A Cybersecurity and Infrastructure Security Agency (CISA) managed list, at the time of writing, reached almost 400 vendors.
  • Enterprise infrastructure that is open to vulnerabilities or attacks, such as open Windows Servers via RDP. Though useful for those maintaining an infrastructure to gain endpoint access, RDP has a prolific history of vulnerabilities. Many scanners exist to find open ports accepting RDP connections, and they won’t take long to find something. Rapid7’s Remote Desktop Protocol Exposure (2017) report found over 4 million endpoints accepting such connections. For Windows devices, many RDP sessions can be established with only a single factor of authentication, which itself may have been leaked online or otherwise compromised.

Stage 2 – weaponization

Through reconnaissance, the attacker hopes to find a weakness. Once it has been identified, they procure, develop, or weaponize resources to take advantage of that weakness. At this stage, the weapons have not yet been used, but the attacker generally knows what they’ll use to, at the very least, try and start their campaign. Here, the bad actor is creating the foundations of the attack.

This can take on many forms, including the following:

  • Sending phishing messages to discovered users. Once the attacker knows the contact details of privileged users – or even low-hanging fruit – they might pursue email as a weapon to obtain credentials or convince a user to do something that furthers the campaign. In the context of Microsoft 365, tools such as evilginx2 can, in less protected environments, be used for adversary-in-the-middle (AiTM) attacks, where an attacker-owned domain passes traffic to the real Azure AD sign-in page but captures authentication tokens and cookies that can then be used by them.
  • Thinking of both physical and network security, if during reconnaissance a Wi-Fi network is within reach of an attacker, tools such as Aircrack-ng might be viable options for network access if the wireless system has been insufficiently secured.
  • Malware is an obvious example. What might be less obvious are the methods attackers can take to obfuscate or package these prior to delivery and execution. An interesting case study is Sevagas’s MacroPack tool. MacroPack takes advantage of the fact that Microsoft Office is ubiquitous in the enterprise but is weighed down and exploitable due to a legacy of allowing child processes to spawn through macros. Using the tool, an attacker could generate an Office document that enables execution with an anti-virus bypass. It would then make sense to include this attachment in a phishing email.

Stage 3 – delivery

The weapon has been prepared, and during this stage, the victim receives it – or, hopefully, the defenses intercept it! Like weaponization, at this stage, the attacker has not necessarily detonated their attack, which comes next. Consider the following examples to help you understand exactly what is meant by delivery:

  • Thinking once again of physical security, one example is the delivery of a USB device that, if used, initiates the attack. “Surely that’s just too simple,” I hear you cry. Hear me out. In January 2022, the FBI issued a warning to US organizations that the Fin7 APT group was distributing malicious USB devices via courier services. The devices were enclosed with documentation alleging they contained COVID-19 reference materials or retailer gift cards. Instead, they executed the BadUSB attack that would go on to install malware via PowerShell downloads.
  • Again, we must discuss phishing emails. During this stage, the email is distributed. Attackers continue to evade email protection capabilities, with email security vendors continually fighting back. The Microsoft 365 Defender Threat Intelligence team published findings in 2021 of a campaign that used encryption techniques to bypass their protection mechanisms. From July 2020 to July 2021, the findings revealed the attackers employed 10 different encoding techniques, making each change as protection systems identified and prevented them. Incredibly, the techniques included the repeated use of Morse code, combined with other obfuscation methods.
  • One popular way of distributing malware is via the web. The attacker might control the website and has managed to get users there, or might use something such as a watering hole attack to hit targeted industries and groups. This term originates from poisoning the water source: anyone who drinks the water (uses the website) is potentially poisoned (compromised). In one 2014 example reported by Invincea (since acquired by Sophos), Forbes.com was compromised by APT19, which is also known as Codoso. The actor used a combination of zero-day vulnerabilities in Flash and Internet Explorer.

Stage 4 – exploitation

If the previous steps did not see any active exploitation of the victim’s environment, this stage does. Vulnerabilities, be they in software, hardware, or people, are now leveraged by the attacker to gain access as execution begins. Examples to help describe what this stage might include are listed as follows:

  • Users, who have had phishing emails delivered, proceed to click on links in them or open the weaponized attachment. Cofense’s Annual State of Phishing Report (2021) revealed that links might be slightly more common than attachments.
  • The most media-hyped form of exploitation is the zero-day, with famous examples including Stuxnet (2010) and Sony Pictures (2014). Unlike other vulnerabilities, zero-days do not yet have a patch available. Google’s zero-day In the Wild tracker lists 57 examples of zero-days being detected as the result of an attack in 2021.

Stage 5 – installation

An attacker will want to maintain access to compromised assets; this is also called gaining persistence. To do so, they’ll likely have to install malware and might utilize features of the OS to leverage it, keep it running, and enable a back door.

Examples of the installation stage of an attack are listed as follows:

  • The AppleJeus malware, which steals cryptocurrency from victims, creates a scheduled task that runs as SYSTEM whenever a user logs into the OS. As one of the highest privileged accounts on a Windows device, SYSTEM access is highly desirable for attackers.
  • To evade detection, common enterprise tools might be installed. For example, LogMeIn, the remote desktop access tool frequently used by IT support teams, has been used by the espionage group Thrip. The group, and many others, also make use of living off the land (lolbin) approaches. Built-in OS tools such as PowerShell, BITSAdmin, and certutil might raise fewer eyebrows if they show up in telemetry than third-party binaries that are installed later. These tools might also benefit from being signed by a trusted publisher.

Stage 6 – command and control (C2)

By this stage, tools and malware have been deployed, and the attacker will proceed to use those as a command channel for continuing their attack over the network. They will be “phoning home” between your environment and theirs.

Let’s look at some examples to understand precisely what is meant by the command and control (C2) stage:

  • Arguably, Cobalt Strike is the most well-known C2 framework. The service is intended for legitimate use by red teams but is often used by attackers who have unauthorized versions of it, including one instance of using a legitimate business to disguise their purchase. Those attackers include APTs such as Codoso, SeaLotus, Nobelium, and Wicked Panda. Beacons are deployed to victim endpoints, establishing connectivity to a team server, which the attacker then operates with the Cobalt Strike client.
  • Mature environments will likely monitor inbound and outbound network traffic, with abnormalities being identified or prevented. Therefore, the use of web protocols is common, as HTTP(S) is less likely to be subjected to proactive controls or be flagged in comparison to rarer protocols. The Octopus trojan has been used to spy on users and steal their data. Its communication with the C2 server was achieved using GET and POST requests over HTTP.
  • Common ports aren’t always used. Described by Europol as the world’s most dangerous malware, Emotet has gone through several iterations. Although it has connected to C2s using standard HTTP(S) ports, it has also been known to use ports such as 20, 7080, 8443, and 50000.
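The two detection angles this list raises, traffic to uncommon ports and the regular “phoning home” of a beacon, can be checked against connection telemetry without any vendor tooling. The following is an added example, not code from the book or from Microsoft: it parses a constructed outbound-connection log (RFC 5737 documentation addresses, invented timestamps), flags destinations on the non-standard ports the chapter attributes to Emotet, and flags any source/destination pair whose connection intervals are almost constant, which is how a periodic beacon looks in netflow data. The log format, the 10% jitter threshold, and the minimum of four connections are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Ports the chapter attributes to Emotet C2 in addition to standard HTTP(S) ports.
UNUSUAL_C2_PORTS = {20, 7080, 8443, 50000}

# Constructed outbound connection records: "<timestamp> <src> <dst> <dport>".
# Destinations use RFC 5737 documentation ranges; this is sample data, not real traffic.
SAMPLE_LOG = """\
2023-05-01T09:00:00Z 10.0.0.5 203.0.113.10 443
2023-05-01T09:00:02Z 10.0.0.7 203.0.113.20 80
2023-05-01T09:05:00Z 10.0.0.5 203.0.113.10 443
2023-05-01T09:10:01Z 10.0.0.5 203.0.113.10 443
2023-05-01T09:15:00Z 10.0.0.5 203.0.113.10 443
2023-05-01T09:20:00Z 10.0.0.5 203.0.113.10 443
2023-05-01T09:03:00Z 10.0.0.9 203.0.113.30 7080
2023-05-01T09:11:00Z 10.0.0.7 203.0.113.40 443
2023-05-01T09:42:00Z 10.0.0.7 203.0.113.40 443
2023-05-01T10:07:00Z 10.0.0.7 203.0.113.40 443
2023-05-01T10:12:00Z 10.0.0.7 203.0.113.40 443
"""


def parse_log(text):
    """Turn the assumed whitespace-separated format into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return records


def unusual_port_hits(records):
    """Return every (src, dst, dport) whose destination port is on the watchlist."""
    return [(src, dst, dport) for _, src, dst, dport in records if dport in UNUSUAL_C2_PORTS]


def beacon_candidates(records, min_connections=4, max_jitter=0.10):
    """Flag (src, dst, dport) pairs whose inter-connection gaps are near-constant.

    Jitter is the coefficient of variation of the gaps (population std dev / mean);
    a human browsing a site produces ragged gaps, a sleep-based beacon does not.
    Returns (pair, mean_gap_seconds, jitter) for each candidate.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in records:
        by_pair[(src, dst, dport)].append(ts)

    findings = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few observations to judge periodicity
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append((pair, round(avg), round(jitter, 3)))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in unusual_port_hits(recs):
        print("unusual port:", hit)
    for pair, gap, jitter in beacon_candidates(recs):
        print(f"possible beacon: {pair} every ~{gap}s (jitter {jitter})")
```

On the sample data, the workstation 10.0.0.5 talks to 203.0.113.10:443 every five minutes with a second of drift and is flagged, while 10.0.0.7’s irregular visits to 203.0.113.40 are not; the single 7080 connection from 10.0.0.9 is reported on the port watchlist alone. In production the same logic needs an allowlist for legitimate periodic traffic (update checks, monitoring agents), which is exactly why the chapter notes that HTTP(S) C2 is hard to separate from normal traffic.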

Stage 7 – actions on objectives

The final stage sees our adversary use all the advantages and access they have hitherto accumulated for the execution of their objectives. They are in a position to accomplish their goals, whatever they may be: espionage, data exfiltration, ransomware execution, supply chain infiltration, and more:

  • HIDDEN COBRA, also known as Lazarus Group and Guardians of Peace, has been linked to the infamous attack on Sony Pictures in 2014. The group, politically associated and motivated, exfiltrated sensitive data such as email and feature films and employed destructive techniques in the compromised environment.
  • The Colonial Pipeline system, which supplies the Eastern United States, faced a crippling ransomware attack in 2021, with the group DarkSide identified as the attackers. Claiming to be apolitical and purely financially motivated, the group received 75 bitcoins in ransom, though most of these were recovered within one month.

Application of the cyber kill chain

Don’t consider the cyber kill chain linear. That is, attacks don’t always start at the first stage and then cleanly and obviously move sequentially through stages until they reach the last. For example, the installation stage is common when faced with ransomware gangs or APTs. However, many sensitive data theft attacks do not need to deploy persistence software; with credential compromise against exposed databases, often no malware deployment is necessary. Similarly, the stages are not particularly easy to differentiate: lines blur.

Approach each stage with the following list of thoughts and questions in mind, and you'll be able to use what you learn throughout this book to help protect your environment:

  • What is my organization currently doing to proactively defend against this?
  • What capabilities do I currently have to respond to this?
  • What defenses are being managed to stop escalation from this stage to the next?
  • What are the assets, services, and inventory I need to prioritize against this?

MITRE ATT&CK

MITRE ATT&CK dives far deeper into technical techniques than the cyber kill chain. If we consider the cyber kill chain a decentralized, high-level approach to tackling cybersecurity, we can consider ATT&CK a centralized, low-level knowledge base (KB) of attacker methodology. Starting in 2013, MITRE made this KB universally available, at no cost, at attack.mitre.org. This online resource provides hundreds of referenced examples of techniques and groups using them.

To give you a sense of its scale, ATT&CK’s Matrix for Enterprise, which encompasses common enterprise platforms such as Windows, macOS, Office 365, and Google Workspace, has 14 top-level tactics and over 200 techniques, not to mention the sub-techniques!

Microsoft 365 Defender heavily leverages the MITRE ATT&CK framework in its incident response capabilities, so that operators can report on, and quickly become aware of, any potential threats. Therefore, it’s an important topic to familiarize yourself with as you try to master Microsoft 365 Defender.

To get you started, let’s take a look at those top-level tactics. Each top-level tactic has an ID prefixed with TA, and each technique has an ID prefixed with T. Sub-techniques append a technique with another ID. For example, T1566.002 is the Spearphishing Link sub-technique of the Phishing technique:

  • TA0043 Reconnaissance: You’ve already learned about this as part of the cyber kill chain. This is the tactic that represents techniques related to information gathering about the victim, including T1598 Phishing for Information and T1594 Search Victim-Owned Websites.
  • TA0042 Resource Development: Attackers need resources to achieve their objectives. Botnets require masses of victim infrastructure, and general infiltration will need either exploits or credentials. This tactic covers the acquisition of such resources, using techniques such as T1583 Acquire Infrastructure and T1586 Compromise Accounts.
  • TA0001 Initial Access: How do attackers get their foot in the door? Lots of ways! There are currently nine documented techniques for this tactic, including T1200 Hardware Additions and T1195 Supply Chain Compromise.
  • TA0002 Execution: This refers to execution in the computing sense, that is, executing malware. But how does that malware get executed? This tactic lists techniques for that execution, be they automated or manual, such as T1053 Scheduled Task/Job and T1204 User Execution.
  • TA0003 Persistence: How do attackers remain in the environment after compromise? Often, this is one of the first things a successful, long-term attack tries to achieve: persistence. There might be ways involving coding and programs, or it might be a case of simply adding another user, as covered in techniques such as T1037 Boot or Logon Initialization Scripts and T1136 Create Account.
  • TA0004 Privilege Escalation: Defenders must put far greater controls around elevated privileges (that is, admin rights) than standard privileges. This is because elevated privileges allow far more control over the environment: deletion, access to control other rights, and more. This tactic includes techniques attackers use to “jump up” from lower privileged rights to higher privileged rights, in several ways, such as T1484 Domain Policy Modification and T1068 Exploitation for Privilege Escalation.
  • TA0005 Defense Evasion: Attackers want to remain as quiet, hidden, and uninterrupted as possible. Defenders want the opposite: stop attackers from doing what they shouldn’t and create as much noise as possible. The tactic of defense evasion encompasses a massive 40 techniques to get past our defenses, including T1222 File and Directory Permissions Modification and T1562 Impair Defenses.
  • TA0006 Credential Access: Why break down the door when you can just grab the keys? Credentials protect account access, and accounts control what a user can and can’t do. By compromising the credentials, attackers gain access in a way that is often less detectable, due to potentially less need for malware and actions that can fly under the radar. This could be achieved by techniques such as T1003 OS Credential Dumping and T1111 Two-Factor Authentication Interception.
  • TA0007 Discovery: As we established in our review of reconnaissance, knowledge is power. Discovery is a tactic used by attackers to further their understanding of your environment. There are currently 29 documented techniques for this due to the sheer diversity and vastness of resources and services that exist in the modern enterprise. For example, techniques that could be used include T1069 Permission Groups Discovery and T1007 System Service Discovery.
  • TA0008 Lateral Movement: Like Spider-Man swinging from one surface to the next, attackers use the lateral movement tactic to continue their journey across your environment: springing from one resource to the next. Insecure Windows domain-joined devices are particularly vulnerable to a plethora of lateral movement techniques, due to their trust relationships and credential management, with notable examples being T1563 Remote Service Session Hijacking and T1550 Use Alternate Authentication Material.
  • TA0009 Collection: This tactic groups the techniques used to gather information that helps the attacker achieve their objectives, such as T1114 Email Collection and T1056 Input Capture.
  • TA0011 Command and Control: You learned about C2 as part of the cyber kill chain, and MITRE ATT&CK also includes it as a tactic. C2 techniques are used by attackers to communicate with the resources they have compromised, and they might do so using examples such as T1071 Application Layer Protocol and T1573 Encrypted Channel.
  • TA0010 Exfiltration: This is closely associated with TA0009 Collection. Here, we have techniques for the theft of data, be it over the network or physically, with automatic processes or manual intervention, as demonstrated in examples such as T1020 Automated Exfiltration and T1567 Exfiltration Over Web Service.
  • TA0040 Impact: The Impact tactic refers to interfering with or destroying services, such as in the Sony attack (2014), but also controlling and changing processes, including destructive tactics to clean up traces of their malicious activities. Notable techniques here are T1486 Data Encrypted for Impact and T1565 Data Manipulation.
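Because Microsoft 365 Defender labels alerts with these identifiers, a defender ends up parsing and grouping them constantly, and the ID scheme just described (TA for tactics, T for techniques, a dotted suffix for sub-techniques) is regular enough to validate mechanically. The following is an added example, not code from the book, Microsoft, or MITRE: it parses and classifies an ATT&CK identifier, resolves it to a tactic using a lookup table built only from the techniques this chapter lists under each tactic (plus T1566 Phishing, which is an Initial Access technique in the real knowledge base), and summarizes a constructed batch of alerts by tactic so the progression of an intrusion is visible at a glance. The alert records and host names are invented; the table is an excerpt, not the full matrix, and the real knowledge base maps some techniques (T1053, for example) to more than one tactic.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# ID shapes described in the chapter: tactics are "TA" + four digits, techniques
# "T" + four digits, and sub-techniques append ".NNN" to a technique.
_ATTACK_ID = re.compile(r"^(?P<prefix>TA|T)(?P<num>\d{4})(?:\.(?P<sub>\d{3}))?$")

# The 14 Enterprise tactics as listed in the chapter.
TACTICS = {
    "TA0043": "Reconnaissance", "TA0042": "Resource Development",
    "TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
    "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion",
    "TA0006": "Credential Access", "TA0007": "Discovery",
    "TA0008": "Lateral Movement", "TA0009": "Collection",
    "TA0011": "Command and Control", "TA0010": "Exfiltration", "TA0040": "Impact",
}

# Technique -> tactic, restricted to the examples the chapter gives under each
# tactic (T1566 Phishing added as an Initial Access technique). This is an
# excerpt of the knowledge base, not the whole matrix.
TECHNIQUE_TACTIC = {
    "T1598": "TA0043", "T1594": "TA0043",
    "T1583": "TA0042", "T1586": "TA0042",
    "T1200": "TA0001", "T1195": "TA0001", "T1566": "TA0001",
    "T1053": "TA0002", "T1204": "TA0002",
    "T1037": "TA0003", "T1136": "TA0003",
    "T1484": "TA0004", "T1068": "TA0004",
    "T1222": "TA0005", "T1562": "TA0005",
    "T1003": "TA0006", "T1111": "TA0006",
    "T1069": "TA0007", "T1007": "TA0007",
    "T1563": "TA0008", "T1550": "TA0008",
    "T1114": "TA0009", "T1056": "TA0009",
    "T1071": "TA0011", "T1573": "TA0011",
    "T1020": "TA0010", "T1567": "TA0010",
    "T1486": "TA0040", "T1565": "TA0040",
}


@dataclass(frozen=True)
class AttackId:
    raw: str
    kind: str                  # "tactic", "technique" or "sub-technique"
    technique: Optional[str]   # parent technique for (sub-)techniques, else None


def parse_attack_id(value: str) -> AttackId:
    """Validate an identifier's shape and classify it; raises ValueError otherwise."""
    text = value.strip().upper()
    match = _ATTACK_ID.match(text)
    if match is None:
        raise ValueError(f"not an ATT&CK identifier: {value!r}")
    if match.group("prefix") == "TA":
        if match.group("sub") is not None:
            raise ValueError(f"tactics do not have sub-techniques: {value!r}")
        return AttackId(text, "tactic", None)
    technique = "T" + match.group("num")
    kind = "technique" if match.group("sub") is None else "sub-technique"
    return AttackId(text, kind, technique)


def is_valid_attack_id(value: str) -> bool:
    try:
        parse_attack_id(value)
        return True
    except ValueError:
        return False


def tactic_of(value: str) -> Optional[str]:
    """Resolve any identifier to a tactic ID via the excerpt table (None if unmapped)."""
    parsed = parse_attack_id(value)
    if parsed.kind == "tactic":
        return parsed.raw if parsed.raw in TACTICS else None
    return TECHNIQUE_TACTIC.get(parsed.technique)


def tactic_coverage(alerts):
    """Count alerts per tactic name. Alerts are dicts with an 'attack_id' key;
    IDs the table does not know are reported under 'unmapped' rather than dropped."""
    counts = Counter()
    for alert in alerts:
        tactic = tactic_of(alert["attack_id"])
        counts[TACTICS[tactic] if tactic else "unmapped"] += 1
    return dict(counts)


# Constructed alert batch (hypothetical hosts), in the order an intrusion might unfold.
SAMPLE_ALERTS = [
    {"host": "ws-101", "attack_id": "T1566.002"},  # spearphishing link
    {"host": "ws-101", "attack_id": "T1204"},      # user execution
    {"host": "ws-101", "attack_id": "T1003"},      # OS credential dumping
    {"host": "srv-02", "attack_id": "T1550"},      # use alternate authentication material
    {"host": "srv-02", "attack_id": "T1071"},      # application layer protocol (C2)
    {"host": "srv-02", "attack_id": "T1486"},      # data encrypted for impact
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        parsed = parse_attack_id(alert["attack_id"])
        print(alert["host"], parsed.raw, parsed.kind, TACTICS.get(tactic_of(parsed.raw), "unmapped"))
    print(tactic_coverage(SAMPLE_ALERTS))
```

The sample batch resolves to one alert in each of Initial Access, Execution, Credential Access, Lateral Movement, Command and Control, and Impact, which reads as the kill chain of the previous section expressed in ATT&CK terms. Keeping unmapped IDs visible instead of silently discarding them matters in practice: a technique missing from your lookup table is a gap in your coverage, not noise.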

Now you’re aware of what the MITRE ATT&CK framework is and the tactics and techniques that it encompasses. The MITRE ATT&CK framework is referenced consistently throughout Microsoft 365 Defender, so you’ll see it again in this book and in your use of the service.

Next, we’ll explore Microsoft’s role in the cybersecurity world.

Microsoft and Zero Trust

In the concluding section of this first chapter, I want to tackle the elephant in the room and a question I help my customers with constantly: can Microsoft be taken seriously as a cybersecurity company?

We will answer this question by also exploring Microsoft’s guiding principle to security in the cloud age: Zero Trust. The Zero Trust model will supplement the frameworks you learned about in the last section to round off your understanding of Microsoft and the industry’s language and terminology.

In this section, we will separate the marketing and jargon from reality, review Microsoft’s credibility as a cyber security provider, and explain precisely what Zero Trust means.

Microsoft as a security company

Let’s start with some numbers. Following a number of tech industry titans meeting with the White House regarding securing American cyberinfrastructure in 2021, Microsoft pledged investment efforts of $20 billion over the next 5 years. That’s a lot of money and, for some context, is double the investment that Google announced for the same purpose.

One of the ways Microsoft improves its security offerings is by acquiring promising companies that can integrate with Microsoft platforms such as Azure and Microsoft 365. This is how we start to see the origins of Microsoft 365 Defender.

Microsoft Defender Antivirus’s roots can be traced back to the mid-2003 acquisition of Gecad’s RAV and the 2004 acquisition of GIANT Company Software. Although Windows Defender would then start as an optional anti-spyware tool, it would go on to also provide built-in anti-malware and more (as you’ll learn).

The 2014 acquisition of Aorato led to Advanced Threat Analytics for on-premises Active Directory security, which was later superseded by Defender for Identity. This was followed by 2015’s Adallom purchase, which introduced the concept of a cloud access security broker (CASB), named today as Defender for Cloud Apps. We also see Secure Islands join Microsoft that same year, laying the foundations of Azure Information Protection. One of the most powerful features of Microsoft 365 Defender, automated investigation and response, originates from Microsoft’s 2017 purchase of Hexadite. The list continues, with the most recent examples including CyberX (becoming Defender for IoT), RiskIQ, and CloudKnox.

When we consider the sheer scale at which Microsoft operates, we can see some of the unique advantages they have. Windows and Active Directory – and, increasingly, Azure and Microsoft 365 – are omnipresent in enterprise IT. Windows itself goes beyond just enterprise IT and is used by millions for their home PCs, too. For example, Azure AD reportedly handles over 18 billion sign-in transactions each day, and Windows 10 is used on over 1.3 billion devices. Using this vast dataset, the Microsoft Intelligent Security Graph becomes enriched with contextual telemetry, feeding the cloud-delivered protective capabilities of Microsoft’s security products.

Microsoft does have some reputational problems to overcome as a business that takes security seriously. Earlier versions of Windows, which really had no significant security measures, tarnished the image of the OS and, therefore, business. The perception became that only third-party vendors could be trusted with securing Microsoft environments.

However, times have changed, and not just recently. Each iteration of Windows sees significant security improvements. For example, Windows Vista introduced User Account Control (UAC) to remove the convention of elevated rights for standard user activities. In the server world, Windows Server 2016 introduced a built-in Windows Defender, along with services such as (Remote) Credential Guard and Device Guard to protect against identity and untrusted code attacks.

The security investments Microsoft continues to make, as described earlier, represent why many organizations are now fully investing in Microsoft services for security. As we proceed through this book, you’ll start to see some of the real benefits of this in the form of unified response capabilities due to shared platforms and access to that massive dataset for a rapidly evolving security context.

Zero Trust

It is impossible to avoid the term Zero Trust when discussing Microsoft security solutions. Although not an original creation of Microsoft, the model is at the front and center of its marketing and technical messaging. Unfortunately, as with many well-intentioned security principles, you will see Zero Trust being misunderstood or, at worst, hijacked. In this section, the buzz will be separated from the reality, so you will be able to understand exactly how Zero Trust should be approached and used to secure your environment.

The term was first coined by John Kindervag (Forrester, 2010) from an idea that can be traced back to the 2004 Jericho Forum, which looked at the problem of the perimeter becoming insufficient as a security boundary. By this, we mean that you cannot simply approach security as a castle and moat (network and firewall) and believe everything within the boundary of the moat (firewall) is trusted or safe. Instead, we need to go as far down the layers as possible, analyzing as many signals as possible, at the lowest level possible, before any trust is applied.

The increase in big data, cloud services, and processing power makes Zero Trust possible. You need a well-resourced system capable of analyzing vast signal data and applying machine learning (ML) to create context and, therefore, identify threats and risks.

Microsoft distills Zero Trust down to three guiding principles:

  • Verify explicitly: Make decisions about allowing access based on all data you have available. Effectively, default to denying access and leverage multiple layers of policy and data to allow access. No matter the source, authenticate and authorize all types of actions.
  • Use least privileged access: Minimize access and administrator rights. Effectively, default to as few permissions as possible, held for as little time as possible, to get the job done.
  • Assume breach: Attackers will get in somewhere at some point, so have layered defenses to stop them moving. Effectively, leverage defense-in-depth and detection strategies so that unauthorized access to one resource doesn’t open access to all resources.

As we progress through this book, you will learn how Microsoft 365 Defender and its integrations with other security services serve these principles. For example, by onboarding devices to Microsoft Defender for Endpoint, risk scores can be attached that can be included when assessing access to Azure AD resources. This example’s additional layer of protection means that a username and password, or even a username, password, and multi-factor authentication, are not enough: you must also be on a device that is not compromised.
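To make the "verify explicitly" principle and the device-risk example above concrete, here is a small access evaluator written for this edit (it is not Microsoft's code and does not use any product API). It models a Conditional Access style decision as default deny: every signal layer is checked, the reasons for denial are collected for the audit trail, and a device with no risk signal (not onboarded) is treated as untrusted rather than assumed clean. The risk scale, field names, threshold and sample requests are all constructed assumptions for the demo.

```python
"""Toy Zero Trust access evaluator (constructed example, not Microsoft code).

Models the "verify explicitly" principle: access is denied by default and
granted only when every signal layer passes, including a device-risk signal
of the kind Defender for Endpoint can feed into Azure AD Conditional Access.
The risk levels, field names and thresholds are assumptions for the demo,
not the real product's schema.
"""
from dataclasses import dataclass, field
from enum import Enum


class DeviceRisk(Enum):
    """Ordered device risk levels (assumed scale for the example)."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class AccessRequest:
    user: str
    resource: str
    password_ok: bool          # primary credential verified
    mfa_ok: bool               # second factor satisfied
    device_onboarded: bool     # device is known to the endpoint product
    device_risk: DeviceRisk    # latest risk signal for that device


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def evaluate(req: AccessRequest, max_risk: DeviceRisk = DeviceRisk.LOW) -> Decision:
    """Default deny: collect every failing layer, allow only when none fail.

    All layers are checked rather than short-circuiting so the audit trail
    explains the whole decision, not just the first failure.
    """
    reasons: list[str] = []
    if not req.password_ok:
        reasons.append("primary authentication failed")
    if not req.mfa_ok:
        reasons.append("multi-factor authentication not satisfied")
    if not req.device_onboarded:
        # Absence of a risk signal is not evidence of health: treat the
        # unknown device as untrusted instead of assuming it is clean.
        reasons.append("device not onboarded; no risk signal available")
    elif req.device_risk.value > max_risk.value:
        reasons.append(
            f"device risk {req.device_risk.name} exceeds allowed {max_risk.name}"
        )
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample requests: same user and credentials, different device state.
SAMPLE_REQUESTS = {
    "healthy_device": AccessRequest(
        "alice@example.com", "SharePoint", True, True, True, DeviceRisk.NONE
    ),
    "high_risk_device": AccessRequest(
        "alice@example.com", "SharePoint", True, True, True, DeviceRisk.HIGH
    ),
    "unmanaged_device": AccessRequest(
        "alice@example.com", "SharePoint", True, True, False, DeviceRisk.NONE
    ),
    "no_mfa": AccessRequest(
        "alice@example.com", "SharePoint", True, False, True, DeviceRisk.NONE
    ),
}


def run_samples() -> dict[str, Decision]:
    """Evaluate every constructed request and return the decisions by name."""
    return {name: evaluate(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{name:18} {verdict:5} {'; '.join(decision.reasons)}")
```

The `high_risk_device` request is the case the paragraph describes: password and MFA both succeed, yet access is denied because the device signal fails. Raising `max_risk` relaxes the policy for a given resource, which is how a practitioner would tier requirements between, say, a public intranet page and an administrative portal.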

Now that you’re aware of what Zero Trust is, what isn’t Zero Trust?

Earlier, Zero Trust was explained as a response to the increasing difficulty and complexity of perimeterization in cybersecurity. This has become particularly important in the world of remote and hybrid work, including on non-organizational, unmanaged devices. This does not translate to no need for perimeters. Keep in mind the saying don’t throw the baby out with the bathwater, and don’t start decommissioning your existing network segmentation capabilities. Instead, look at where you can add additional signals to the decisions that authorize access.

Additionally, you cannot implement security software that contributes to Zero Trust and label the tool itself Zero Trust. Microsoft Defender for Endpoint, Azure AD Conditional Access, and other Microsoft security services are not Zero Trust, but their combined and well-architected implementation will put you on the path to Zero Trust.

Summary

In this chapter, we explored the state of cybersecurity. As someone who is deploying, operating, and responding to incidents with Microsoft 365 Defender, it’s important to know what threats exist and the frameworks the industry uses to manage them. The question of Microsoft’s commitment to security was also answered, with an overview of the Zero Trust approach that the business advocates. You learned about the cyber kill chain, its various stages, and its relationship to the MITRE ATT&CK framework. Additionally, you will now be able to articulate what Zero Trust is as one of Microsoft’s core security philosophies.

In the next chapter, we’ll take these learnings about the state of play in cybersecurity and discuss how they apply to Microsoft 365 Defender itself. An extended detection and response (XDR) platform, Microsoft 365 Defender is a relatively new breed of protection service. You’ll find out what its capabilities are, with examples of how it can be used throughout the cyber kill chain, across your environment.

Questions

You can test your knowledge of the topics covered in this chapter with the following questions. The answers can be found at the end of the book.

  1. Which of these techniques is an example of the privilege escalation tactic?
    1. Domain policy modification
    2. Use of an alternate authentication method
    3. Email collection
    4. Phishing for information
  2. Which of the following is not a principle of Microsoft’s Zero Trust guidance?
    1. Use least privileged access
    2. Assume breach
    3. Decommission network perimeters
    4. Verify explicitly
  3. Which of the following refers to an approach attackers can use to avoid installing their own malware and, instead, leverage built-in capabilities?
    1. lolcat
    2. lolbin
    3. lolsys
    4. lolwin
  4. According to a 2021 IBM Security report, how many days, on average, did it take for a cybersecurity breach to be identified?
    1. 31
    2. 90
    3. 182
    4. 212
  5. What are the risks of Remote Desktop Protocol (RDP) being exposed over the internet? Choose all that apply.
    1. Credentials might have leaked online.
    2. RDP is inherently an insecure protocol.
    3. Authentication might be protected with only a single factor of authentication.
    4. CredSSP does not support encrypting credentials over the internet.

Further reading

Several web resources have been listed for additional information and review on the subjects covered in this chapter:


Key benefits

  • Help in understanding Microsoft 365 Defender and how it is crucial for security operations
  • Implementation of the proactive security defense capabilities of Microsoft Defender for Endpoint, Identity, Office 365, and Cloud Apps so that attacks can be stopped before they start
  • A guide to hunting and responding to threats using M365D’s extended detection and response capabilities

Description

This book will help you get up and running with Microsoft 365 Defender and help you use the whole suite effectively. You’ll start with a quick overview of cybersecurity risks that modern organizations face, such as ransomware and APT attacks, how Microsoft is making massive investments in security today, and gain an understanding of how to deploy Microsoft Defender for Endpoint by diving deep into configurations and their architecture. As you progress, you’ll learn how to configure Microsoft Defender Antivirus, and onboard and manage macOS, Android, and Linux MDE devices for effective solutions. You’ll also learn how to deploy Microsoft Defender for Identity and explore its different deployment methods that can protect your hybrid identity platform, as well as how to configure Microsoft Defender for Office 365 and Cloud Apps, and manage KQL queries for advanced hunting with ease. Toward the end, you’ll find out how M365D can be integrated with Sentinel and how to use APIs for incident response. By the end of this book, you will have a deep understanding of Microsoft 365 Defender, and how to protect and respond to security threats.

What you will learn

  • Understand the threat landscape for enterprises
  • Effectively implement endpoint security
  • Manage identity and access management using Microsoft 365 Defender
  • Protect the productivity suite with Microsoft Defender for Office 365
  • Hunt for threats using Microsoft 365 Defender


Table of Contents

33 Chapters
Preface
Part 1: Cyber Threats and Microsoft 365 Defender
Chapter 1: Microsoft and Modern Cybersecurity Threats
Chapter 2: Microsoft 365 Defender: The Big Picture
Part 2: Microsoft Defender for Endpoint
Chapter 3: The Fundamentals of Microsoft Defender for Endpoint
Chapter 4: Onboarding Windows Clients and Servers
Chapter 5: Getting Started with Microsoft Defender Antivirus for Windows
Chapter 6: Advanced Microsoft Defender Antivirus for Windows
Chapter 7: Managing Attack Surface Reduction for Windows
Chapter 8: Managing Additional Capabilities for Windows
Chapter 9: Onboarding and Managing macOS
Chapter 10: Onboarding and Managing Linux Servers
Chapter 11: Onboarding and Managing iOS and Android
Part 3: Microsoft Defender for Identity
Chapter 12: Deploying Microsoft Defender for Identity
Chapter 13: Managing Defender for Identity
Part 4: Microsoft Defender for Office 365
Chapter 14: Deploying Exchange Online Protection
Chapter 15: Deploying Defender for Office 365
Part 5: Microsoft Defender for Cloud Apps
Chapter 16: Implementing and Managing Microsoft Defender for Cloud Apps
Part 6: Proactive Security and Incident Response
Chapter 17: Maintaining Security Hygiene and Threat Awareness
Chapter 18: Extended Detection and Response with Microsoft 365 Defender
Chapter 19: Advanced Hunting with KQL
Chapter 20: Microsoft Sentinel Integration
Chapter 21: Understanding Microsoft 365 Defender APIs
Part 7: Glossary and Answers
Chapter 22: Glossary
Chapter 23: Answers
Index
Other Books You May Enjoy

Customer reviews

Rating: 5 out of 5 (2 ratings)
5 star 100%
4 star 0%
3 star 0%
2 star 0%
1 star 0%

Feb 21, 2024, 5 stars (Feefo verified review)
Interesting publications, written at the right technical level and, above all, clearly.

Feb 5, 2024, 5 stars (Feefo verified review)
