Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Mastering Microsoft 365 Defender
Mastering Microsoft 365 Defender

Mastering Microsoft 365 Defender: Implement Microsoft Defender for Endpoint, Identity, Cloud Apps, and Office 365 and respond to threats

Arrow left icon
Profile Icon Ru Campbell Profile Icon Hedberg
Arrow right icon
₱1427.99 ₱2040.99
Full star icon Full star icon Full star icon Full star icon Full star icon 5 (31 Ratings)
eBook Jul 2023 572 pages 1st Edition
eBook
₱1427.99 ₱2040.99
Paperback
₱2551.99
Subscription
Free Trial
Arrow left icon
Profile Icon Ru Campbell Profile Icon Hedberg
Arrow right icon
₱1427.99 ₱2040.99
Full star icon Full star icon Full star icon Full star icon Full star icon 5 (31 Ratings)
eBook Jul 2023 572 pages 1st Edition
eBook
₱1427.99 ₱2040.99
Paperback
₱2551.99
Subscription
Free Trial
eBook
₱1427.99 ₱2040.99
Paperback
₱2551.99
Subscription
Free Trial

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Billing Address

Table of content icon View table of contents Preview book icon Preview Book

Mastering Microsoft 365 Defender

Microsoft and Modern Cybersecurity Threats

It’s useful to understand the state of cybersecurity as a backdrop when beginning or continuing any journey with Microsoft 365 Defender, which this book will help you master as a defender. The threats that organizations face continue to change across all industries and scales. The threats are considerably different from those experienced as long ago as the beginning of Windows’ mass adoption by the workplace, or even 5 or 10 years ago, far into IT maturity in many organizations. Nowadays, attackers’ budgets, capabilities, and demands outstrip those of a time when a conventional anti-virus and gateway firewall was all you had to consider.

Now we live in an era where the workforce has left the confines of the office or VPN; where data has jumped from your data center to someone else’s; and where hybrid identities unleash access to organizations’ apps anywhere, on any device, including that one constant across eras: email.

In this chapter, we’re going to cover the following topics:

  • The cybersecurity threat landscape
  • The cyber kill chain and MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
  • Microsoft and Zero Trust

What you learn in this chapter will paint the background of modern threats facing organizations’ IT, including the cyber-attack kill chain that Microsoft 365 Defender can be used to protect against and respond to.

It is impossible to avoid the elephant in the room: Microsoft security software.

Just as threats have changed, so has the biggest dog in the yard (and, incidentally, the company that created the yard where many of those security problems occur). Microsoft invests billions of dollars per year into security services, research, and development. The Defender of Windows XP and Vista is not the Defender of this era. We’ll conclude the chapter with what this translates to in terms of winning back your trust in the Defender brand and, no pun intended, the Zero Trust strategy that Microsoft advocates.

The cybersecurity threat landscape

Barely a week goes by that we don’t see media coverage of a security breach at a household name, business, or institution. In their announcements and disclosures confirming such breaches, necessitated either by legal obligations or media pressure, victims invariably refer to the attack as a cyber incident. This obscures the true nature of what has happened and why.

In this section, we will explain the trends defenders face against attackers and dive into the facts and figures behind them.

Microsoft publishes its Digital Defense Report annually. The findings and statistics of the 2021 release make grim reading for defenders: Ransomware actors with budgets over $1 million for zero-day research or purchase. Continued commoditization of cybercrime, with marketplaces selling compromised devices and credentials for less than $1. This resulted in reportedly 72 billion endpoint, identity, and email threats blocked across Microsoft’s services.

Million-dollar budgets are a shock to many. Attackers with considerable levels of resources and the ability to succeed are referred to as Advanced Persistent Threats (APTs). They might be state-associated or criminal enterprises. With the rise of cryptocurrency and ransomware to receive extortion payments using it, there are big budgets due to big returns. Exact global figures are hard to ascertain, but in the United States, the Financial Crimes Enforcement Network (FinCEN) published that in the first half of 2021 alone, there was approximately $590 million reported in “ransomware-related” suspicious activity reports; a 41% increase on the entire preceding year.

How many other “industries” could cite such growth during a year most notable for the pandemic’s lockdown-induced economic difficulties? Of course, not all attacks are ransomware. Data compromise in general continues, with the likes of Magecart payment card theft being observed over two million times in a year, according to RiskIQ’s Magecart: The State of a Growing Threat (2019).

What services and infrastructure are these well-funded, highly motivated attackers compromising? Unsurprisingly, Windows tops the list of endpoints. Datto’s Global State of the Channel Ransomware Report (2021) reported that 91% of ransomware attacks targeted Windows-based clients. The attacks don’t stop at endpoints, though. The same report continues to note that a majority of the MSPs surveyed have also seen attacks in the cloud/software as a service, with 64% claiming attacks in Microsoft 365 and more than half reporting the same for Dropbox. From this report, we can also gain insights into how the attackers begin a breach; the root cause. Over half come from phishing emails, and one-fifth come from open Remote Desktop Protocol (RDP) access. Phishing emails largely gather user credentials and are then used for entry to attack systems or execute malicious attachments. Respondents to Proofpoint’s State of the Phish (2021) said that over half of successful phishing attacks resulted in a credential compromise. Verizon’s Data Breach Investigations Report (2021) advises that 23% of malware arrives on a system by email, continuing the trend of emails as an attack tool.

The prevalence of both open RDP access and phishing attacks is not particularly revelatory: any IT veteran will be familiar with the need to secure RDP and email. What many might not be familiar with, until it’s too late, is what happens next. We will explore this, in additional detail, in The cyber kill chain and MITRE ATT&CK section.

When it comes to responding to such threats, we see organizations struggling, particularly as they scale up. IBM Security’s Cost of a Data Breach Report (2021) notes an average of 212 days for breach identification and a further 75 for containment. Over 9 months! Even in organizations with incident response teams and capabilities, the average cost of a data breach is high, at over $3 million.

We know more organizations are trying to tackle these challenges by investing in such teams and cybersecurity resources. IDG’s State of the CIO (2022) reported that cybersecurity was the main driver of increased IT budgets. The report confirmed this comes from the top: a CEO’s top ask of CIOs is to improve the overall risk position by improving cybersecurity.

These stark numbers confirm the reality of the task defenders faces. In the next section, we’ll look at how attacks typically play out and how you can start to build systems against them. We will do this by reviewing popular cybersecurity frameworks.

The cyber kill chain and MITRE ATT&CK

In this section, we’ll explore two frameworks that are regularly referenced in cybersecurity and Microsoft 365 Defender literature: the cyber kill chain and MITRE ATT&CK. Each of these is useful in its own way for understanding how modern threat actors operate in enterprise-scale attacks and how you can defend against them. You’ll get real-world examples of the malware and threat actors. The components, lessons, and language of each framework will become recurring themes of this book and any defender’s daily toolkit.

Cyber kill chain

A cyber kill chain is a general approach toward breaking a cybersecurity attack down into stages. The term appears to have been first used by Jeffrey Carr in Russia/Georgia Cyber War: Findings and Analysis (2008). However, since then, it has been a registered trademark of Lockheed Martin, which developed it into a seven-stage framework as part of its Intelligence Driven Defense methodology.

In this section, we’ll explore the cyber kill chain model at each stage and gain an understanding of why the approach can be useful in defending against – and further our understanding of – the kind of threats described earlier in this chapter. You’ll find practical examples of how each stage translates to real-world threats and incidents.

Stage 1 – reconnaissance

Would this really be a cybersecurity book without the obligatory Sun Tzu-derived quote of know your enemy?

Indeed, this is what reconnaissance is all about for attackers: knowing you. Attackers might begin with general scans of potential targets using internet-opened ports, or they might begin their observations about you, the victim, in a targeted fashion; particularly if you are a high-risk organization and/or in a high-risk industry.

In this phase of the cyber kill chain, attackers gather public data passively or actively (by touching your environment). To do so, they will employ open source intelligence (OSINT) tools such as Shodan, which is a search engine used to find internet-connected resources. The types of data an attacker looks for during reconnaissance include the following:

  • Potential phishing victims, particularly using data from business-based platforms such as LinkedIn. There are scrapers available, such as the Harvester, that will return all the data they can gather from LinkedIn, Twitter, Bing, Google, and other services. In 2021, LinkedIn was alleged to have been subjected to a massive data scraping incident. The records of, approximately, 700 million users with publicly listed but sensitive data, including email addresses and locations, became available for sale on dark markets.
  • Lists of known accounts within the environment, using scripts and tools such as UhOh365 (to see whether an Office 365 email address is valid) or onedrive_user_enum (to see whether an account has a OneDrive for Business license/repository associated with it). In the age of the cloud, these can often be run by attackers without the target having any idea, as only the public cloud provider maintains such logs and may or may not act upon them.
  • Target applications and services, such as public-facing websites or internet-exposed lines of business applications, that might be susceptible to compromise via weaknesses such as the Log4j vulnerability called Log4Shell. Vulnerabilities are as old as IT itself, but the Log4j vulnerability that was published in 2021 is infamous. Microsoft and others have confirmed widespread scanning for at-risk systems by attackers. What makes Log4Shell so notorious is its mass and cross-platform usage, across thousands of different application vendors. A Cybersecurity and Infrastructure Security Agency (CISA) managed list, at the time of writing, reached almost 400 vendors.
  • Enterprise infrastructure that is open to vulnerabilities or attacks, such as open Windows Servers via RDP. Though useful for those maintaining an infrastructure to gain endpoint access, RDP has a prolific history of vulnerabilities. Many scanners exist to find open ports accepting RDP connections, and they won’t take long to find something. Rapid7’s Remote Desktop Protocol Exposure (2017) report found over 4 million endpoints accepting such connections. For Windows devices, many RDP sessions can be established with only a single factor of authentication, which itself may have been leaked online or otherwise compromised.

Stage 2 – weaponization

Through reconnaissance, the attacker hopes to find a weakness. Once it has been identified, they procure, develop, or weaponize resources to take advantage of that weakness. At this stage, the weapons have not yet been used, but the attacker generally knows what they’ll use to, at the very least, try and start their campaign. Here, the bad actor is creating the foundations of the attack.

This can take on many forms, including the following:

  • Sending phishing messages to discovered users. Once the attacker knows the contact details of privileged users – or even low-hanging fruit – they might pursue email as a weapon to obtain credentials or convince a user to do something that furthers the campaign. In the context of Microsoft 365, tools such as evilginx2 can, in less protected environments, be used for adversary-in-the-middle (AiTM) attacks, where an attacker-owned domain passes traffic to the real Azure AD sign-in page but captures authentication tokens and cookies that can then be used by them.
  • Thinking of both physical and network security, if during reconnaissance a Wi-Fi network is within reach of an attacker, tools such as Aircrack-ng might be viable options for network access if the wireless system has been insufficiently secured.
  • Malware is an obvious example. What might be less obvious are the methods attackers can take to obfuscate or package these prior to delivery and execution. An interesting case study is Sevagas’s MacroPack tool. MacroPack takes advantage of the fact that Microsoft Office is ubiquitous in the enterprise but is weighed down and exploitable due to a legacy of allowing child processes to spawn through macros. Using the tool, an attacker could generate an Office document that enables execution with an anti-virus bypass. It would then make sense to include this attachment in a phishing email.

Stage 3 – delivery

The weapon has been prepared, and during this stage, the victim receives it – or, hopefully, the defenses intercept it! Like weaponization, at this stage, the attacker has not necessarily detonated their attack, which comes next. Consider the following examples to help you understand exactly what is meant by delivery:

  • Thinking once again of physical security, one example is the delivery of a USB device that, if used, initiates the attack. “Surely that’s just too simple,” I hear you cry. Hear me out. In January 2022, the FBI issued a warning to US organizations that the Fin7 APT group was distributing malicious USB devices via courier services. The devices were enclosed with documentation alleging they contained COVID-19 reference materials or retailer gift cards. Instead, they executed the BadUSB attack that would go on to install malware via PowerShell downloads.
  • Again, we must discuss phishing emails. During this stage, the email is distributed. Attackers continue to evade email protection capabilities, with email security vendors continually fighting back. The Microsoft 365 Defender Threat Intelligence team published findings in 2021 of a campaign that used encryption techniques to bypass their protection mechanisms. From July 2020 to July 2021, the findings revealed the attackers employed 10 different encoding techniques, making each change as protection systems identified and prevented them. Incredibly, the techniques included the repeated use of morse code, combined with other obfuscation methods.
  • One popular way of distributing malware is via the web. The attacker might control the website and has managed to get users there, or might use something such as a watering hole attack to hit targeted industries and groups. This term originates from poisoning the water source: anyone who drinks the water (uses the website) is potentially poisoned (compromised). In one 2014 example reported by Invicea (since acquired by Sophos), Forbes.com was compromised by APT19, which is also known as Codoso. The actor used a combination of zero-day vulnerabilities in Flash and Internet Explorer.

Stage 4 – exploitation

If the previous steps did not see any active exploitation of the victim’s environment, this stage does. Vulnerabilities, be they in software, hardware, or people, are now leveraged by the attacker to gain access as execution begins. Examples to help describe what this stage might include are listed as follows:

  • Users, who have had phishing emails delivered, proceed to click on links in them or open the weaponized attachment. Cofense’s Annual State of Phishing Report (2021) revealed that links might be slightly more common than attachments.
  • The most media-hyped form of exploitation is the zero-day, with famous examples including Stuxnet (2010) and Sony Pictures (2014). Unlike other vulnerabilities, zero-days do not yet have a patch available. Google’s zero-day In the Wild tracker lists 57 examples of zero-days being detected as the result of an attack in 2021.

Stage 5 – installation

An attacker will want to maintain access to compromised assets; this is also called gaining persistence. To do so, they’ll likely have to install malware and might utilize features of the OS to leverage it, keep it running, and enable a back door.

Examples of the installation stage of an attack are listed as follows:

  • The AppleJeus malware, which steals cryptocurrency from victims, creates a scheduled task that runs as SYSTEM whenever a user logs into the OS. As one of the highest privileged account on a Windows device, SYSTEM access is highly desirable for attackers.
  • To evade detection, common enterprise tools might be installed. For example, LogMeIn, the remote desktop access tool frequently used by IT support teams, has been used by the espionage group Thrip. The group, and many others, also make use of living off the land (lolbin) approaches. Built-in OS tools such as PowerShell, BITSAdmin, and certutil might raise fewer eyebrows if they show up in telemetry than third-party binaries that are installed later. These tools might also benefit from being signed by a trusted publisher.

Stage 6 – command and control (C2)

By this stage, tools and malware have been deployed, and the attacker will proceed to use those as a command channel for continuing their attack over the network. They will be “phoning home” between your environment and theirs.

Let’s look at some examples to understand precisely what is meant by the command and control (C2) stage:

  • Arguably, Cobalt Strike is the most well-known C2 framework. The service is intended for legitimate use by red teams but is often used by attackers who have unauthorized versions of it, including one instance of using a legitimate business to disguise their purchase. This list includes APTs such as Codoso, SeaLotus, Nobelium, and Wicked Panda. Beacons are deployed to victim endpoints, establishing connectivity to a team server, which the attacker then operates with the Cobalt Strike client.
  • Mature environments will likely monitor inbound and outbound network traffic, with abnormalities being identified or prevented. Therefore, the use of web protocols is common, as HTTP(S) is less likely to be subjected to proactive controls or be flagged in comparison to rarer protocols. The Octopus trojan has been used to spy on users and steal their data. Its communication with the C2 server was achieved using GET and POST requests over HTTP.
  • Common ports aren’t always used. Described by Europol as the world’s most dangerous malware, Emotet has gone through several iterations. Although it has connected to C2s using standard HTTP(S) ports, it has also been known to use ports such as 20, 7080, 8443, and 50000.

Stage 7 – actions on objectives

The final stage sees our adversary use all the advantages and access they have hitherto accumulated for the execution of their objectives. They are in a position to accomplish their goals, whatever they are, that is, espionage, data exfiltration, ransomware execution, supply chain infiltration, and more:

  • HIDDEN COBRA, also known as Lazarus Group and Guardians of Peace, has been linked to the infamous attack on Sony Pictures in 2014. The group, politically associated and motivated, exfiltrated sensitive data such as email and feature films and employed destructive techniques in the compromised environment.
  • The Colonial Pipeline system, which supplies the Eastern United States, faced a crippling ransomware attack in 2021, with the group DarkSide identified as the attackers. Claiming to be apolitical and purely financially motivated, the group received 75 bitcoins in ransom, though most of these were recovered within one month.

Application of the cyber kill chain

Don’t consider the cyber kill chain linear. That is, attacks don’t always start at the first stage and then cleanly and obviously move sequentially through stages until they reach the last. For example, the installation stage is common when faced with ransomware gangs or APTs. However, many sensitive data theft attacks do not need to deploy persistence software; with credential compromise against exposed databases, often no malware deployment is necessary. Similarly, the stages are not particularly easy to differentiate: lines blur.

Approach each stage with the following list of thoughts and questions in mind, and you'll be able to use what you learn throughout this book to help protect your environment:

  • What is my organization currently doing to proactively defend against this?
  • What capabilities do I currently have to respond to this?
  • What defenses are being managed to stop escalation from this stage to the next?
  • What are the assets, services, and inventory I need to prioritize against this?

MITRE ATT&CK

MITRE ATT&CK dives far deeper into technical techniques than the cyber kill chain. If we consider the cyber kill chain a decentralized, high-level approach to tackling cybersecurity, we can consider ATT&CK a centralized, low-level knowledge base (KB) of attacker methodology. Starting in 2013, MITRE made this KB universally available, at no cost, at attack.mitre.org. This online resource provides hundreds of referenced examples of techniques and groups using them.

To give you a sense of its scale, ATT&CK’s Matrix for Enterprise, which encompasses common enterprise platforms such as Windows, macOS, Office 365, and Google Workspaces, has 14 top-level tactics and over 200 techniques, not to mention the sub-techniques!

Microsoft 365 Defender heavily leverages the MITRE ATT&CK framework in its incident response capabilities that operators can report on or quickly become aware of any potential threats. Therefore, it’s an important topic to familiarize yourself with as you try to master Microsoft 365 Defender.

To get you started, let’s take a look at those top-level tactics. Each top-level tactic has an ID prefixed with TA, and each technique has an ID prefixed with T. Sub-techniques append a technique with another ID. For example, T1566.002 is the Spearphishing Link sub-technique of the Phishing technique:

  • TA0043 Reconnaissance: You’ve already learned about this as part of the cyber kill chain. This is the tactic that represents techniques related to information gathering about the victim, including T1598 Phishing for Information and T1594 Search Victim-Owned Websites.
  • TA0042 Resource Development: Attackers need resources to achieve their objectives. Botnets require masses of victim infrastructure, and general infiltration will need either exploits or credentials. This tactic covers the acquisition of such resources, using techniques such as T1583 Acquire Infrastructure and T1586 Compromise Accounts.
  • TA0001 Initial Access: How do attackers get their foot in the door? Lots of ways! There are currently nine documented techniques for this tactic, including T1200 Hardware Additions and T1195 Supply Chain Compromise.
  • TA0002 Execution: This refers to execution in the computing sense, that is, executing malware. But how does that malware get executed? This tactic lists techniques for that execution, be they automated or manual, such as T1053 Scheduled Task/Job and T1204 User Execution.
  • TA0003 Persistence: How do attackers remain in the environment after compromise? Often, this is one of the first things a successful, long-term attack tries to achieve: persistence. There might be ways involving coding and programs, or it might be a case of simply adding another user, as covered in techniques such as T1037 Boot or Logon Initialization Scripts and T1136 Create Account.
  • TA0004 Privilege Escalation: Defenders must put far greater controls around elevated privileges (that is, admin rights) than standard privileges. This is because elevated privileges allow far more control over the environment: deletion, access to control other rights, and more. This tactic includes techniques attackers use to “jump up” from lower privileged rights to higher privileged rights, in several ways, such as T1484 Domain Policy Modification and T1068 Exploitation for Privilege Escalation.
  • TA0005 Defense Evasion: Attackers want to remain as quiet, hidden, and uninterrupted as possible. Defenders want the opposite: stop attackers from doing what they shouldn’t and create as much noise as possible. The tactic of defense evasion encompasses a massive 40 techniques to get past our defenses, including T1222 File and Directory Permissions Modification and T1562 Impair Defenses.
  • TA0006 Credential Access: Why break down the door when you can just grab the keys? Credentials protect account access, and accounts control what a user can and can’t do. By compromising the credentials, attackers gain access in a way that is often less detectable, due to potentially less need for malware and actions that can fly under the radar. This could be achieved by techniques such as T1003 OS Credential Dumping and T1111 Two-Factor Authentication Interception.
  • TA0007 Discovery: As we established in our review of reconnaissance, knowledge is power. Discovery is a tactic used by attackers to further their understanding of your environment. There are currently 29 documented techniques for this due to the sheer diversity and vastness of resources and services that exist in the modern enterprise. For example, techniques that could be used include T1069 Permission Groups Discovery and T1007 System Service Discovery.
  • TA0008 Lateral Movement: Like Spider-Man swinging from one surface to the next, attackers use the lateral movement tactic to continue their journey across your environment: springing from one resource to the next. Insecure Windows domain-joined devices are particularly vulnerable to a plethora of lateral movement techniques, due to their trust relationships and credential management, with notable examples being T1563 Remote Service Session Hijacking and T1550 Use Alternate Authentication Material.
  • TA0009 Collection: These tactic group techniques are used to gather information that helps the attacker achieve their objectives. This includes the steps taken, such as T1114 Email Collection and T1056 Input Capture.
  • TA0011 Command and Control: You learned about C2 as part of the cyber kill chain, and MITRE ATT&CK also includes it as a tactic. C2 techniques are used by attackers to communicate with the resources they have compromised, and they might do so using examples such as T1071 Application Layer Protocol and T1573: Encrypted Channel.
  • TA0010 Exfiltration: This is closely associated with TA0009 Collection. Here, we have techniques for the theft of data, be it over the network or physically, with automatic processes or manual intervention, as demonstrated in examples such as T1020 Automated Exfiltration and TA1567 Exfiltration Over Web Service.
  • TA0040 Impact: The Impact tactic refers to interfering with or destroying services, such as in the Sony attack (2014), but also controlling and changing processes, including destructive tactics to clean up traces of their malicious activities. Notable techniques here are T1486 Data Encrypted for Impact and T1565 Data Manipulation.

Now you’re aware of what the MITRE ATT&CK framework is and the tactics and techniques that it encompasses. The MITRE ATT&CK framework is referenced consistently throughout Microsoft 365 Defender, so you’ll see it again in this book and in your use of the service.

Next, we’ll explore Microsoft’s role in the cybersecurity world.

Microsoft and Zero Trust

In the concluding section of this first chapter, I want to tackle the elephant in the room and a question I help my customers with constantly: can Microsoft be taken seriously as a cybersecurity company?

We will answer this question by also exploring Microsoft’s guiding principle to security in the cloud age: Zero Trust. The Zero Trust model will supplement the frameworks you learned about in the last section to round off your understanding of Microsoft and the industry’s language and terminology.

In this section, we will separate the marketing and jargon from reality, review Microsoft’s credibility as a cyber security provider, and explain precisely what Zero Trust means.

Microsoft as a security company

Let’s start with some numbers. Following a number of tech industry titans meeting with the White House regarding securing American cyberinfrastructure in 2021, Microsoft pledged investment efforts of $20 billion over the next 5 years. That’s a lot of money and, for some context, is double the investment that Google announced for the same purpose.

One of the ways Microsoft improves its security offerings is by acquiring promising companies that can integrate with Microsoft platforms such as Azure and Microsoft 365. This is how we start to see the origins of Microsoft 365 Defender.

Microsoft Defender Antivirus’s roots can be traced back to the mid-2003 acquisition of Gecad’s RAV and the 2004 acquisition of GIANT Company Software. Although Windows Defender would then start as an optional anti-spyware tool, it would go on to also provide built-in anti-malware and more (as you’ll learn).

The 2014 acquisition of Aorato led to Advanced Threat Analytics for on-premises Active Directory security, which was later superseded by Defender for Identity. This was followed by 2015’s Adallom purchase, which introduced the concept of a cloud access security broker (CASB), named today as Defender for Cloud Apps. We also see Secure Islands join Microsoft that same year, laying the foundations of Azure Information Protection. One of the most powerful features of Microsoft 365 Defender, automated investigation and response, originates from Microsoft’s 2017 purchase of Hexadite. The list continues, with the most recent examples including CyberX (becoming Defender for IoT), RiskIQ, and CloudKnox.

When we consider the sheer scale at which Microsoft operates, we can see some of the unique advantages they have. Windows and Active Directory – and, increasingly, Azure and Microsoft 365 – are omnipresent in enterprise IT. Windows itself goes beyond just enterprise IT and is used by millions for their home PCs, too. For example, Azure AD reportedly handles over 18 billion login sign-in transactions each day, and Windows 10 is used on over 1.3 billion devices. Using this vast dataset, the Microsoft Intelligence Security Graph becomes enriched with contextual telemetry, feeding the cloud-delivered protective capabilities of Microsoft’s security products.

Microsoft does have some reputational problems to overcome as a business that takes security seriously. Earlier versions of Windows, which really had no significant security measures, tarnished the image of the OS and, therefore, business. The perception became that only third-party vendors could be trusted with securing Microsoft environments.

However, times have changed, and not just recently. Each iteration of Windows sees significant security improvements. For example, Windows Vista introduced User Account Control (UAC) to remove a convention of elevated rights for standard user activities. In the server world, Windows Server 2016 introduced Windows Defender built-in, and services such as (Remote) Credential Guard and Device Guard to protect against identity and untrusted code attacks.

The security investments Microsoft continues to make, as described earlier, represent why many organizations are now fully investing in Microsoft services for security. As we proceed through this book, you’ll start to see some of the real benefits of this in the form of unified response capabilities due to shared platforms and access to that massive dataset for a rapidly evolving security context.

Zero Trust

It is impossible to avoid the term Zero Trust when discussing Microsoft security solutions. Although not an original creation of Microsoft, the model is at the front and center of its marketing and technical messaging. Unfortunately, as with many well-intentioned security principles, you will see Zero Trust being misunderstood or, at worst, hijacked. In this section, the buzz will be separated from the reality, so you will be able to understand exactly how Zero Trust should be approached and used to secure your environment.

The term was first coined by John Kindervag (Forrester, 2010) from an idea that can be traced back to the 2004 Jericho Forum, which looked at the issue of the perimeter as security becoming insufficient. By this, we mean that you cannot simply approach the idea of a castle and moat (network and firewall) and believe everything within the boundaries of the moat (firewall) is trusted or safe. Instead, we need to go as far down the layers as possible, analyzing as many signals as possible, at as lowest level as possible, before any trust can be applied.

The increase in big data, cloud services, and processing power makes Zero Trust possible. You need a well-resourced system capable of analyzing vast signal data and applying machine learning (ML) to create context and, therefore, identify threats and risks.

Microsoft distills Zero Trust down to three guiding principles:

  • Verify explicitly: Make decisions about allowing access based on all data you have available. Effectively, default to denying access and leverage multiple layers of policy and data to allow access. No matter the source, authenticate and authorize all types of actions.
  • Use least privileged access: Minimize access and administrator rights. Effectively, default to as few permissions and little time to them as possible to get the job done.
  • Assume breach: Attackers will get in somewhere at some point, so have layered defenses to stop them moving. Effectively, leverage defense-in-depth and detection strategies so that unauthorized access to one resource doesn’t open access to all resources.

As we progress through this book, you will learn how Microsoft 365 Defender and its integrations with other security services serve these principles. For example, by onboarding devices to Microsoft Defender for Endpoint, risk scores can be attached that can be included when assessing access to Azure AD resources. This example’s additional layer of protection means that a username and password, or even a username, password, and multi-factor authentication, are not enough: you must also be on a device that is not compromised.

Now that you’re aware of what Zero Trust is, what isn’t Zero Trust?

Earlier, Zero Trust was explained as a response to the increasing difficulty and complexity of parameterization in cybersecurity. This has become particularly important in the world of remote and hybrid work, including on non-organizational, unmanaged devices. This does not translate to no need for perimeters. Keep in mind the saying don’t throw the baby out with the bathwater, and don’t start decommissioning your existing network segmentation capabilities. Instead, look at where you can add additional signals for decisions to authorize access.

Additionally, you cannot implement security software that contributes to Zero Trust and label the tool itself Zero Trust. Microsoft Defender for Endpoint, Azure AD Conditional Access, and other Microsoft security services are not Zero Trust, but their combined and well-architected implementation will put you on the path to Zero Trust.

Summary

In this chapter, we explored the state of cybersecurity. As someone who is deploying, operating, and responding to incidents with Microsoft 365 Defender, it’s important to know what threats exist and the frameworks the industry uses to manage them. The question of Microsoft’s commitment to security was also answered, with an overview of the Zero Trust approach that the business advocates. You learned about the cyber kill chain, its various stages, and its relationship to the MITRE ATT&CK framework. Additionally, you will now be able to articulate what Zero Trust is as one of Microsoft’s core security philosophies.

In the next chapter, we’ll take these learnings about the state of play in cybersecurity and discuss how they apply to Microsoft 365 Defender itself. An extended detection and response (XDR) platform, Microsoft 365 Defender is a relatively new breed of protection service. You’ll find out what its capabilities are, with examples of how it can be used throughout the cyber kill chain, across your environment.

Questions

You can test your knowledge of the topics covered in this chapter with the following questions. The answers can be found at the end of the book.

  1. Which of these techniques is an example of the privilege escalation tactic?
    1. Domain policy modification
    2. Use of an alternate authentication method
    3. Email collection
    4. Phishing for information
  2. Which of the following is not a principle of Microsoft’s Zero Trust guidance?
    1. Use least privileged access
    2. Assume breach
    3. Decommission network perimeters
    4. Verify explicitly
  3. Which of the following refers to an approach attackers can use to avoid installing their own malware and, instead, leverage built-in capabilities?
    1. lolcat
    2. lolbin
    3. lolsys
    4. lolwin
  4. According to a 2021 IBM Security report, how many days, on average, did it take for a cybersecurity breach to be identified?
    1. 31
    2. 90
    3. 182
    4. 212
  5. What are the risks of Remote Desktop Protocol (RDP) being exposed over the internet? Choose all that apply.
    1. Credentials might have leaked online.
    2. RDP is inherently an insecure protocol.
    3. Authentication might be protected with only a single factor of authentication.
    4. CredSSP does not support encrypting credentials over the internet.

Further reading

Several web resources have been listed for additional information and review on the subjects covered in this chapter:

Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • Help in understanding Microsoft 365 Defender and how it is crucial for security operations
  • Implementation of the proactive security defense capabilities of Microsoft Defender for Endpoint, Identity, Office 365, and Cloud Apps so that attacks can be stopped before they start
  • A guide to hunting and responding to threats using M365D’s extended detection and response capabilities

Description

This book will help you get up and running with Microsoft 365 Defender and help you use the whole suite effectively. You’ll start with a quick overview of cybersecurity risks that modern organizations face, such as ransomware and APT attacks, how Microsoft is making massive investments in security today, and gain an understanding of how to deploy Microsoft Defender for Endpoint by diving deep into configurations and their architecture. As you progress, you’ll learn how to configure Microsoft Defender Antivirus, and onboard and manage macOS, Android, and Linux MDE devices for effective solutions. You’ll also learn how to deploy Microsoft Defender for Identity and explore its different deployment methods that can protect your hybrid identity platform, as well as how to configure Microsoft Defender for Office 365 and Cloud Apps, and manage KQL queries for advanced hunting with ease. Toward the end, you’ll find out how M365D can be integrated with Sentinel and how to use APIs for incident response. By the end of this book, you will have a deep understanding of Microsoft 365 Defender, and how to protect and respond to security threats.

Who is this book for?

You’re a security engineer, incident responder, blue teamer, or an IT security professional who wants to deploy and manage Microsoft 365 Defender services and successfully investigate and respond tocyber threats You have a basic understanding of networking, vulnerabilities, operating systems, email, Active Directory, and cloud apps

What you will learn

  • Understand the Threat Landscape for enterprises
  • Effectively implement end-point security
  • Manage identity and access management using Microsoft 365 defender
  • Protect the productivity suite with Microsoft Defender for Office 365
  • Hunting for threats using Microsoft 365 Defender

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Jul 28, 2023
Length: 572 pages
Edition : 1st
Language : English
ISBN-13 : 9781803240749
Category :
Concepts :

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Billing Address

Product Details

Publication date : Jul 28, 2023
Length: 572 pages
Edition : 1st
Language : English
ISBN-13 : 9781803240749
Category :
Concepts :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just ₱5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just ₱5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 7,144.97
Mastering Microsoft 365 Defender
₱2551.99
Azure Security Cookbook
₱2040.99
Microsoft Defender for Endpoint in Depth
₱2551.99
Total 7,144.97 Stars icon

Table of Contents

32 Chapters
Part 1: Cyber Threats and Microsoft 365 Defender Chevron down icon Chevron up icon
Chapter 1: Microsoft and Modern Cybersecurity Threats Chevron down icon Chevron up icon
Chapter 2: Microsoft 365 Defender: The Big Picture Chevron down icon Chevron up icon
Part 2: Microsoft Defender for Endpoint Chevron down icon Chevron up icon
Chapter 3: The Fundamentals of Microsoft Defender for Endpoint Chevron down icon Chevron up icon
Chapter 4: Onboarding Windows Clients and Servers Chevron down icon Chevron up icon
Chapter 5: Getting Started with Microsoft Defender Antivirus for Windows Chevron down icon Chevron up icon
Chapter 6: Advanced Microsoft Defender Antivirus for Windows Chevron down icon Chevron up icon
Chapter 7: Managing Attack Surface Reduction for Windows Chevron down icon Chevron up icon
Chapter 8: Managing Additional Capabilities for Windows Chevron down icon Chevron up icon
Chapter 9: Onboarding and Managing macOS Chevron down icon Chevron up icon
Chapter 10: Onboarding and Managing Linux Servers Chevron down icon Chevron up icon
Chapter 11: Onboarding and Managing iOS and Android Chevron down icon Chevron up icon
Part 3: Microsoft Defender for Identity Chevron down icon Chevron up icon
Chapter 12: Deploying Microsoft Defender for Identity Chevron down icon Chevron up icon
Chapter 13: Managing Defender for Identity Chevron down icon Chevron up icon
Part 4: Microsoft Defender for Office 365 Chevron down icon Chevron up icon
Chapter 14: Deploying Exchange Online Protection Chevron down icon Chevron up icon
Chapter 15: Deploying Defender for Office 365 Chevron down icon Chevron up icon
Part 5: Microsoft Defender for Cloud Apps Chevron down icon Chevron up icon
Chapter 16: Implementing and Managing Microsoft Defender for Cloud Apps Chevron down icon Chevron up icon
Part 6: Proactive Security and Incident Response Chevron down icon Chevron up icon
Chapter 17: Maintaining Security Hygiene and Threat Awareness Chevron down icon Chevron up icon
Chapter 18: Extended Detection and Response with Microsoft 365 Defender Chevron down icon Chevron up icon
Chapter 19: Advanced Hunting with KQL Chevron down icon Chevron up icon
Chapter 20: Microsoft Sentinel Integration Chevron down icon Chevron up icon
Chapter 21: Understanding Microsoft 365 Defender APIs Chevron down icon Chevron up icon
Part 7: Glossary and Answers Chevron down icon Chevron up icon
Chapter 22: Glossary Chevron down icon Chevron up icon
Chapter 23: Answers Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Full star icon 5
(31 Ratings)
5 star 100%
4 star 0%
3 star 0%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




N/A Feb 21, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Pubblicazioni interessanti scritti con il giusto livello tecnico ma soprattutto chiaro.
Feefo Verified review Feefo
N/A Feb 05, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Feefo Verified review Feefo
Michael Crane Jul 30, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
When the authors state that it excludes fluff, they mean it. This book is truly amazing. New or seasoned, engineers, architects or sales folks must make this a read. I work on every platform what the book covers and it is the most accurate best practice to book I’ve read thus far. Make this a mandatory read for you and your teams, it gets you going out the gate!
Amazon Verified review Amazon
Shail Nov 05, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Disclaimer wanted to learn the different products within the MS 365 suite of tools and luckily got one evaluation copy, too.This book organically moves from the Cyber Kill Chain and MITRE framework to the MS 365 offerings. There is one chapter that has the summary of all the tools from MS 365 and then each tool has its own separate chapter, too.Overall, a great book for both technical and people at the leadership level who want to learn the different products within MS 365.
Amazon Verified review Amazon
Brandon Lachterman Aug 01, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Whether you're new to this product or need to fill some gaps, this book is worth the buy. Very informative and well written.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

How do I buy and download an eBook? Chevron down icon Chevron up icon

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the ebook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else
How can I make a purchase on your website? Chevron down icon Chevron up icon

If you want to purchase a video course, eBook or Bundle (Print+eBook) please follow below steps:

  1. Register on our website using your email address and the password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title. 
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Cart, or PayPal)
Where can I access support around an eBook? Chevron down icon Chevron up icon
  • If you experience a problem with using or installing Adobe Reader, the contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us
What eBook formats do Packt support? Chevron down icon Chevron up icon

Our eBooks are currently available in a variety of formats such as PDF and ePubs. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks? Chevron down icon Chevron up icon
  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower price than print
  • They save resources and space
What is an eBook? Chevron down icon Chevron up icon

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply login to your account and click on the link in Your Download Area. We recommend you saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.