It’s useful to understand the state of cybersecurity as a backdrop when beginning or continuing any journey with Microsoft 365 Defender, which this book will help you master as a defender. The threats that organizations face continue to change across all industries and scales. The threats are considerably different from those experienced as long ago as the beginning of Windows’ mass adoption by the workplace, or even 5 or 10 years ago, far into IT maturity in many organizations. Nowadays, attackers’ budgets, capabilities, and demands outstrip those of a time when a conventional anti-virus and gateway firewall was all you had to consider.
Now we live in an era where the workforce has left the confines of the office or VPN; where data has jumped from your data center to someone else’s; and where hybrid identities unleash access to organizations’ apps anywhere, on any device, including that one constant across eras: email.
In this chapter, we’re going to cover the following topics:
What you learn in this chapter will paint the background of modern threats facing organizations’ IT, including the cyber-attack kill chain that Microsoft 365 Defender can be used to protect against and respond to.
It is impossible to avoid the elephant in the room: Microsoft security software.
Just as threats have changed, so has the biggest dog in the yard (and, incidentally, the company that created the yard where many of those security problems occur). Microsoft invests billions of dollars per year into security services, research, and development. The Defender of Windows XP and Vista is not the Defender of this era. We’ll conclude the chapter with what this translates to in terms of winning back your trust in the Defender brand and, no pun intended, the Zero Trust strategy that Microsoft advocates.
Barely a week goes by that we don’t see media coverage of a security breach at a household name, business, or institution. In their announcements and disclosures confirming such breaches, necessitated either by legal obligations or media pressure, victims invariably refer to the attack as a cyber incident. This obscures the true nature of what has happened and why.
In this section, we will explain the trends defenders face against attackers and dive into the facts and figures behind them.
Microsoft publishes its Digital Defense Report annually. The findings and statistics of the 2021 release make grim reading for defenders:
Ransomware actors with budgets over $1 million for zero-day research or purchase.
Continued commoditization of cybercrime, with marketplaces selling compromised devices and credentials for less than $1.
Across Microsoft’s services, this translated into a reported 72 billion endpoint, identity, and email threats blocked.
Million-dollar budgets are a shock to many. Attackers with considerable levels of resources and the ability to succeed are referred to as Advanced Persistent Threats (APTs). They might be state-associated or criminal enterprises. With the rise of cryptocurrency and ransomware to receive extortion payments using it, there are big budgets due to big returns. Exact global figures are hard to ascertain, but in the United States, the Financial Crimes Enforcement Network (FinCEN) published that in the first half of 2021 alone, there was approximately $590 million reported in “ransomware-related” suspicious activity reports; a 41% increase on the entire preceding year.
How many other “industries” could cite such growth during a year most notable for the pandemic’s lockdown-induced economic difficulties? Of course, not all attacks are ransomware. Data compromise in general continues, with the likes of Magecart payment card theft being observed over two million times in a year, according to RiskIQ’s Magecart: The State of a Growing Threat (2019).
What services and infrastructure are these well-funded, highly motivated attackers compromising? Unsurprisingly, Windows tops the list of endpoints. Datto’s Global State of the Channel Ransomware Report (2021) reported that 91% of ransomware attacks targeted Windows-based clients. The attacks don’t stop at endpoints, though. The same report continues to note that a majority of the MSPs surveyed have also seen attacks in the cloud/software as a service, with 64% claiming attacks in Microsoft 365 and more than half reporting the same for Dropbox. From this report, we can also gain insights into how the attackers begin a breach; the root cause. Over half come from phishing emails, and one-fifth come from open Remote Desktop Protocol (RDP) access. Phishing emails largely gather user credentials and are then used for entry to attack systems or execute malicious attachments. Respondents to Proofpoint’s State of the Phish (2021) said that over half of successful phishing attacks resulted in a credential compromise. Verizon’s Data Breach Investigations Report (2021) advises that 23% of malware arrives on a system by email, continuing the trend of emails as an attack tool.
The prevalence of both open RDP access and phishing attacks is not particularly revelatory: any IT veteran will be familiar with the need to secure RDP and email. What many might not be familiar with, until it’s too late, is what happens next. We will explore this, in additional detail, in The cyber kill chain and MITRE ATT&CK section.
When it comes to responding to such threats, we see organizations struggling, particularly as they scale up. IBM Security’s Cost of a Data Breach Report (2021) notes an average of 212 days for breach identification and a further 75 for containment. Over 9 months! Even in organizations with incident response teams and capabilities, the average cost of a data breach is high, at over $3 million.
We know more organizations are trying to tackle these challenges by investing in such teams and cybersecurity resources. IDG’s State of the CIO (2022) reported that cybersecurity was the main driver of increased IT budgets. The report confirmed this comes from the top: a CEO’s top ask of CIOs is to improve the overall risk position by improving cybersecurity.
These stark numbers confirm the reality of the task defenders face. In the next section, we’ll look at how attacks typically play out and how you can start to build defenses against them. We will do this by reviewing popular cybersecurity frameworks.
In this section, we’ll explore two frameworks that are regularly referenced in cybersecurity and Microsoft 365 Defender literature: the cyber kill chain and MITRE ATT&CK. Each of these is useful in its own way for understanding how modern threat actors operate in enterprise-scale attacks and how you can defend against them. You’ll get real-world examples of the malware and threat actors. The components, lessons, and language of each framework will become recurring themes of this book and any defender’s daily toolkit.
A cyber kill chain is a general approach toward breaking a cybersecurity attack down into stages. The term appears to have been first used by Jeffrey Carr in Russia/Georgia Cyber War: Findings and Analysis (2008). However, since then, it has been a registered trademark of Lockheed Martin, which developed it into a seven-stage framework as part of its Intelligence Driven Defense methodology.
In this section, we’ll explore the cyber kill chain model at each stage and gain an understanding of why the approach can be useful in defending against – and further our understanding of – the kind of threats described earlier in this chapter. You’ll find practical examples of how each stage translates to real-world threats and incidents.
Would this really be a cybersecurity book without the obligatory Sun Tzu-derived quote of know your enemy?
Indeed, this is what reconnaissance is all about for attackers: knowing you. Attackers might begin with general scans of potential targets using internet-opened ports, or they might begin their observations about you, the victim, in a targeted fashion; particularly if you are a high-risk organization and/or in a high-risk industry.
In this phase of the cyber kill chain, attackers gather public data passively or actively (by touching your environment). To do so, they will employ open source intelligence (OSINT) tools such as Shodan, which is a search engine used to find internet-connected resources. The types of data an attacker looks for during reconnaissance include the following:
onedrive_user_enum (to see whether an account has a OneDrive for Business license/repository associated with it). In the age of the cloud, these can often be run by attackers without the target having any idea, as only the public cloud provider maintains such logs and may or may not act upon them.
Through reconnaissance, the attacker hopes to find a weakness. Once it has been identified, they procure, develop, or weaponize resources to take advantage of that weakness. At this stage, the weapons have not yet been used, but the attacker generally knows what they’ll use to, at the very least, try and start their campaign. Here, the bad actor is creating the foundations of the attack.
This can take on many forms, including the following:
The weapon has been prepared, and during this stage, the victim receives it – or, hopefully, the defenses intercept it! Like weaponization, at this stage, the attacker has not necessarily detonated their attack, which comes next. Consider the following examples to help you understand exactly what is meant by delivery:
If the previous steps did not see any active exploitation of the victim’s environment, this stage does. Vulnerabilities, be they in software, hardware, or people, are now leveraged by the attacker to gain access as execution begins. Examples to help describe what this stage might include are listed as follows:
An attacker will want to maintain access to compromised assets; this is also called gaining persistence. To do so, they’ll likely have to install malware and might utilize features of the OS to leverage it, keep it running, and enable a back door.
Examples of the installation stage of an attack are listed as follows:
By this stage, tools and malware have been deployed, and the attacker will proceed to use those as a command channel for continuing their attack over the network. They will be “phoning home” between your environment and theirs.
Let’s look at some examples to understand precisely what is meant by the command and control (C2) stage:
The final stage sees our adversary use all the advantages and access they have hitherto accumulated for the execution of their objectives. They are in a position to accomplish their goals, whatever they are, that is, espionage, data exfiltration, ransomware execution, supply chain infiltration, and more:
Don’t consider the cyber kill chain linear. That is, attacks don’t always start at the first stage and then cleanly and obviously move sequentially through stages until they reach the last. For example, the installation stage is common when faced with ransomware gangs or APTs. However, many sensitive data theft attacks do not need to deploy persistence software; with credential compromise against exposed databases, often no malware deployment is necessary. Similarly, the stages are not particularly easy to differentiate: lines blur.
Approach each stage with the following list of thoughts and questions in mind, and you'll be able to use what you learn throughout this book to help protect your environment:
MITRE ATT&CK dives far deeper into technical techniques than the cyber kill chain. If we consider the cyber kill chain a decentralized, high-level approach to tackling cybersecurity, we can consider ATT&CK a centralized, low-level knowledge base (KB) of attacker methodology. Starting in 2013, MITRE made this KB universally available, at no cost, at attack.mitre.org. This online resource provides hundreds of referenced examples of techniques and groups using them.
To give you a sense of its scale, ATT&CK’s Matrix for Enterprise, which encompasses common enterprise platforms such as Windows, macOS, Office 365, and Google Workspace, has 14 top-level tactics and over 200 techniques, not to mention the sub-techniques!
Microsoft 365 Defender heavily leverages the MITRE ATT&CK framework in its incident response capabilities, so that operators can report on, or quickly become aware of, any potential threats in those terms. Therefore, it’s an important topic to familiarize yourself with as you try to master Microsoft 365 Defender.
To get you started, let’s take a look at those top-level tactics. Each top-level tactic has an ID prefixed with TA, and each technique has an ID prefixed with T. Sub-techniques append a technique with another ID. For example, T1566.002 is the Spearphishing Link sub-technique of the Phishing technique:
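As an added example (not code from the book, Microsoft, or MITRE), the following parses the three ID shapes just described and then rolls a constructed list of alert technique tags up to their parent techniques, so that T1566.001 and T1566.002 both count towards T1566; the sample tags and the `rollup_by_technique` helper are constructed for illustration.

```python
import re
from collections import Counter

# The three ATT&CK ID shapes described above: tactic (TA + 4 digits),
# technique (T + 4 digits), sub-technique (technique + "." + 3 digits).
_TACTIC = re.compile(r"^TA\d{4}$")
_TECHNIQUE = re.compile(r"^T\d{4}$")
_SUBTECHNIQUE = re.compile(r"^T\d{4}\.\d{3}$")


def parse_attack_id(value: str) -> dict:
    """Classify an ATT&CK ID and, for a sub-technique, expose its parent technique.

    Returns {"id", "kind" ('tactic' | 'technique' | 'sub-technique'), "parent"}.
    Raises ValueError for anything that is not one of the three shapes.
    """
    value = value.strip().upper()
    if _TACTIC.match(value):
        return {"id": value, "kind": "tactic", "parent": None}
    if _TECHNIQUE.match(value):
        return {"id": value, "kind": "technique", "parent": None}
    if _SUBTECHNIQUE.match(value):
        return {"id": value, "kind": "sub-technique", "parent": value.split(".")[0]}
    raise ValueError(f"not an ATT&CK tactic/technique ID: {value!r}")


def rollup_by_technique(tags):
    """Count alert tags per parent technique (constructed helper, not a Defender API).

    Tactic IDs are skipped because a tactic is the 'why', not a concrete technique;
    malformed tags are collected and returned rather than silently dropped.
    """
    counts = Counter()
    malformed = []
    for tag in tags:
        try:
            parsed = parse_attack_id(tag)
        except ValueError:
            malformed.append(tag)
            continue
        if parsed["kind"] == "tactic":
            continue
        counts[parsed["parent"] or parsed["id"]] += 1
    return counts, malformed


# Constructed sample: technique tags as they might be attached to alerts, not real incident data.
SAMPLE_TAGS = ["T1566.002", "T1566.001", "t1566", "TA0001", "T1021.001", "T1021", "T15X6", "T1566.002"]

if __name__ == "__main__":
    counts, bad = rollup_by_technique(SAMPLE_TAGS)
    for technique, n in counts.most_common():
        print(f"{technique}: {n}")
    print("malformed tags:", bad)
```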
Now you’re aware of what the MITRE ATT&CK framework is and the tactics and techniques that it encompasses. The MITRE ATT&CK framework is referenced consistently throughout Microsoft 365 Defender, so you’ll see it again in this book and in your use of the service.
Next, we’ll explore Microsoft’s role in the cybersecurity world.
In the concluding section of this first chapter, I want to tackle the elephant in the room and a question I help my customers with constantly: can Microsoft be taken seriously as a cybersecurity company?
We will answer this question while also exploring Microsoft’s guiding principle for security in the cloud age: Zero Trust. The Zero Trust model will supplement the frameworks you learned about in the last section to round off your understanding of Microsoft’s and the industry’s language and terminology.
In this section, we will separate the marketing and jargon from reality, review Microsoft’s credibility as a cyber security provider, and explain precisely what Zero Trust means.
Let’s start with some numbers. Following a number of tech industry titans meeting with the White House regarding securing American cyberinfrastructure in 2021, Microsoft pledged investment efforts of $20 billion over the next 5 years. That’s a lot of money and, for some context, is double the investment that Google announced for the same purpose.
One of the ways Microsoft improves its security offerings is by acquiring promising companies that can integrate with Microsoft platforms such as Azure and Microsoft 365. This is how we start to see the origins of Microsoft 365 Defender.
Microsoft Defender Antivirus’s roots can be traced back to the mid-2003 acquisition of Gecad’s RAV and the 2004 acquisition of GIANT Company Software. Although Windows Defender would then start as an optional anti-spyware tool, it would go on to also provide built-in anti-malware and more (as you’ll learn).
The 2014 acquisition of Aorato led to Advanced Threat Analytics for on-premises Active Directory security, which was later superseded by Defender for Identity. This was followed by 2015’s Adallom purchase, which introduced the concept of a cloud access security broker (CASB), named today as Defender for Cloud Apps. We also see Secure Islands join Microsoft that same year, laying the foundations of Azure Information Protection. One of the most powerful features of Microsoft 365 Defender, automated investigation and response, originates from Microsoft’s 2017 purchase of Hexadite. The list continues, with the most recent examples including CyberX (becoming Defender for IoT), RiskIQ, and CloudKnox.
When we consider the sheer scale at which Microsoft operates, we can see some of the unique advantages they have. Windows and Active Directory – and, increasingly, Azure and Microsoft 365 – are omnipresent in enterprise IT. Windows itself goes beyond just enterprise IT and is used by millions for their home PCs, too. For example, Azure AD reportedly handles over 18 billion sign-in transactions each day, and Windows 10 is used on over 1.3 billion devices. Using this vast dataset, the Microsoft Intelligent Security Graph becomes enriched with contextual telemetry, feeding the cloud-delivered protective capabilities of Microsoft’s security products.
Microsoft does have some reputational problems to overcome as a business that takes security seriously. Earlier versions of Windows, which really had no significant security measures, tarnished the image of the OS and, therefore, business. The perception became that only third-party vendors could be trusted with securing Microsoft environments.
However, times have changed, and not just recently. Each iteration of Windows sees significant security improvements. For example, Windows Vista introduced User Account Control (UAC) to remove a convention of elevated rights for standard user activities. In the server world, Windows Server 2016 introduced Windows Defender built-in, and services such as (Remote) Credential Guard and Device Guard to protect against identity and untrusted code attacks.
The security investments Microsoft continues to make, as described earlier, represent why many organizations are now fully investing in Microsoft services for security. As we proceed through this book, you’ll start to see some of the real benefits of this in the form of unified response capabilities due to shared platforms and access to that massive dataset for a rapidly evolving security context.
It is impossible to avoid the term Zero Trust when discussing Microsoft security solutions. Although not an original creation of Microsoft, the model is at the front and center of its marketing and technical messaging. Unfortunately, as with many well-intentioned security principles, you will see Zero Trust being misunderstood or, at worst, hijacked. In this section, the buzz will be separated from the reality, so you will be able to understand exactly how Zero Trust should be approached and used to secure your environment.
The term was first coined by John Kindervag (Forrester, 2010) from an idea that can be traced back to the 2004 Jericho Forum, which looked at the problem of the network perimeter becoming insufficient as a security boundary. By this, we mean that you cannot simply approach the idea of a castle and moat (network and firewall) and believe everything within the boundaries of the moat (firewall) is trusted or safe. Instead, we need to go as far down the layers as possible, analyzing as many signals as possible, at the lowest level possible, before any trust can be applied.
The increase in big data, cloud services, and processing power makes Zero Trust possible. You need a well-resourced system capable of analyzing vast signal data and applying machine learning (ML) to create context and, therefore, identify threats and risks.
Microsoft distills Zero Trust down to three guiding principles:
As we progress through this book, you will learn how Microsoft 365 Defender and its integrations with other security services serve these principles. For example, by onboarding devices to Microsoft Defender for Endpoint, risk scores can be attached that can be included when assessing access to Azure AD resources. This example’s additional layer of protection means that a username and password, or even a username, password, and multi-factor authentication, are not enough: you must also be on a device that is not compromised.
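As an added illustration (not code from the book or from Microsoft), the following simulates that layered decision: a sign-in is evaluated against a policy that requires MFA and an onboarded device whose risk is at or below a threshold, so a correct password plus MFA on a compromised device is still refused. The `SignInRequest` and `AccessPolicy` types, the risk level names, and the sample requests are constructed for this example; the real decision is made by Azure AD Conditional Access using the risk signal from Defender for Endpoint.

```python
from dataclasses import dataclass
from typing import Tuple

# Device risk levels in ascending order of severity (hypothetical ordering for this example).
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignInRequest:
    user: str
    password_ok: bool
    mfa_ok: bool
    device_onboarded: bool   # device reports to Defender for Endpoint
    device_risk: str         # risk level reported for an onboarded device; ignored otherwise


@dataclass(frozen=True)
class AccessPolicy:
    require_mfa: bool
    max_device_risk: str     # highest device risk level still allowed
    require_onboarded: bool  # without a device signal there is nothing to trust


def evaluate(request: SignInRequest, policy: AccessPolicy) -> Tuple[bool, str]:
    """Return (granted, reason). Every signal must pass; the first failing one is reported."""
    if not request.password_ok:
        return False, "credential check failed"
    if policy.require_mfa and not request.mfa_ok:
        return False, "MFA required"
    if not request.device_onboarded:
        # Edge case: no telemetry at all. A missing signal must not count in the device's favour.
        if policy.require_onboarded:
            return False, "device not onboarded: no risk signal available"
        return True, "granted (device signal not required)"
    if RISK_ORDER[request.device_risk] > RISK_ORDER[policy.max_device_risk]:
        return False, f"device risk {request.device_risk} exceeds allowed {policy.max_device_risk}"
    return True, "granted"


# Constructed policy for a sensitive app: MFA plus a healthy, onboarded device.
SENSITIVE_APP = AccessPolicy(require_mfa=True, max_device_risk="low", require_onboarded=True)

if __name__ == "__main__":
    cases = [
        SignInRequest("alice", True, True, True, "none"),
        SignInRequest("bob", True, True, True, "high"),     # valid password and MFA, compromised device
        SignInRequest("carol", True, True, False, "none"),  # no device telemetry at all
        SignInRequest("dan", True, False, True, "none"),    # device fine, MFA not completed
    ]
    for case in cases:
        granted, reason = evaluate(case, SENSITIVE_APP)
        print(f"{case.user}: {'ALLOW' if granted else 'DENY'} ({reason})")
```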
Now that you’re aware of what Zero Trust is, what isn’t Zero Trust?
Earlier, Zero Trust was explained as a response to the increasing difficulty and complexity of perimeterization in cybersecurity. This has become particularly important in the world of remote and hybrid work, including on non-organizational, unmanaged devices. This does not translate to no need for perimeters. Keep in mind the saying don’t throw the baby out with the bathwater, and don’t start decommissioning your existing network segmentation capabilities. Instead, look at where you can add additional signals for decisions to authorize access.
Additionally, you cannot implement security software that contributes to Zero Trust and label the tool itself Zero Trust. Microsoft Defender for Endpoint, Azure AD Conditional Access, and other Microsoft security services are not Zero Trust, but their combined and well-architected implementation will put you on the path to Zero Trust.
In this chapter, we explored the state of cybersecurity. As someone who is deploying, operating, and responding to incidents with Microsoft 365 Defender, it’s important to know what threats exist and the frameworks the industry uses to manage them. The question of Microsoft’s commitment to security was also answered, with an overview of the Zero Trust approach that the business advocates. You learned about the cyber kill chain, its various stages, and its relationship to the MITRE ATT&CK framework. Additionally, you will now be able to articulate what Zero Trust is as one of Microsoft’s core security philosophies.
In the next chapter, we’ll take these learnings about the state of play in cybersecurity and discuss how they apply to Microsoft 365 Defender itself. An extended detection and response (XDR) platform, Microsoft 365 Defender is a relatively new breed of protection service. You’ll find out what its capabilities are, with examples of how it can be used throughout the cyber kill chain, across your environment.
You can test your knowledge of the topics covered in this chapter with the following questions. The answers can be found at the end of the book.
Several web resources have been listed for additional information and review on the subjects covered in this chapter: