Tag Archives: hunting

Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise – Microsoft Security

Microsoft Threat Experts is the managed threat hunting service within Microsoft Defender Advanced Threat Protection (ATP) that includes two capabilities: targeted attack notifications and experts on demand.

Today, we are extremely excited to share that experts on demand is now generally available and gives customers direct access to real-life Microsoft threat analysts to help with their security investigations.

With experts on demand, Microsoft Defender ATP customers can engage directly with Microsoft security analysts to get guidance and insights needed to better understand, prevent, and respond to complex threats in their environments. This capability was shaped through partnership with multiple customers across various verticals by investigating and helping mitigate real-world attacks. From deep investigation of machines that customers had a security concern about, to threat intelligence questions related to anticipated adversaries, experts on demand extends and supports security operations teams.

The other Microsoft Threat Experts capability, targeted attack notifications, delivers alerts that are tailored to organizations and provides as much information as can be quickly delivered to bring attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion. Together, the two capabilities make Microsoft Threat Experts a comprehensive managed threat hunting solution that provides an additional layer of expertise and optics for security operations teams.

Experts on the case

By design, the Microsoft Threat Experts service has as many use cases as there are unique organizations with unique security scenarios and requirements. One particular case showed how an alert in Microsoft Defender ATP led to informed customer response, aided by a targeted attack notification that progressed to an experts on demand inquiry, resulting in the customer fully remediating the incident and improving their security posture.

In this case, Microsoft Defender ATP endpoint protection capabilities recognized a new malicious file in a single machine within an organization. The organization’s security operations center (SOC) promptly investigated the alert and developed the suspicion it may indicate a new campaign from an advanced adversary specifically targeting them.

Microsoft Threat Experts, who are constantly hunting on behalf of this customer, had independently spotted and investigated the malicious behaviors associated with the attack. With knowledge about the adversaries behind the attack and their motivation, Microsoft Threat Experts sent the organization a bespoke targeted attack notification, which provided additional information and context, including the fact that the file was related to an app that was targeted in a documented cyberattack.

To create a fully informed path to mitigation, experts pointed to information about the scope of compromise, relevant indicators of compromise, and a timeline of observed events, which showed that the file executed on the affected machine and proceeded to drop additional files. One of these files attempted to connect to a command-and-control server, which could have given the attackers direct access to the organization’s network and sensitive data. Microsoft Threat Experts recommended full investigation of the compromised machine, as well as the rest of the network for related indicators of attack.

Based on the targeted attack notification, the organization opened an experts on demand investigation, which allowed the SOC to have a line of communication and consultation with Microsoft Threat Experts. Microsoft Threat Experts were able to immediately confirm the attacker attribution the SOC had suspected. Using Microsoft Defender ATP’s rich optics and capabilities, coupled with intelligence on the threat actor, experts on demand validated that there were no signs of second-stage malware or further compromise within the organization. Since, over time, Microsoft Threat Experts had developed an understanding of this organization’s security posture, they were able to share that the initial malware infection was the result of a weak security control: allowing users to exercise unrestricted local administrator privilege.

Experts on demand in the current cybersecurity climate

On a daily basis, organizations have to fend off an onslaught of increasingly sophisticated attacks that present unique security challenges: supply chain attacks, highly targeted campaigns, and hands-on-keyboard attacks. With Microsoft Threat Experts, customers can work with Microsoft to augment their security operations capabilities and increase confidence in investigating and responding to security incidents.

Now that experts on demand is generally available, Microsoft Defender ATP customers have an even richer way of tapping into Microsoft’s security experts and gaining access to the skills, experience, and intelligence necessary to face adversaries.

Experts on demand provides insights into attacks, technical guidance on next steps, and advice on risk and protection. Experts can be engaged directly from within the Windows Defender Security Center, so they are part of the existing security operations experience.

We are happy to bring experts on demand within reach of all Microsoft Defender ATP customers. Start your 90-day free trial via the Microsoft Defender Security Center today.

Learn more about Microsoft Defender ATP’s managed threat hunting service here: Announcing Microsoft Threat Experts.

Author: Microsoft News Center

Threat hunting technology is on the rise, so are threats

More companies are adopting threat hunting functions, according to a recent survey from Crowd Research Partners, but detection of advanced threats remains elusive.

Threat hunting typically involves human security analysts identifying impending incidents or attacks that automated threat detection systems may have missed. The frequency of threats and the potential damage and impact of security incidents continue to outpace the capabilities of security operations centers (SOCs), Crowd Research Partners’ “2018 Threat Hunting Report” found.

Fifty-eight percent of IT security professionals said cyberthreats against their organizations had doubled during the past 12 months; only 8% indicated threats had decreased. SOCs, on average, missed 39% of threats, and 58% of organizations discovered the majority of attacks within one to seven days. The average dwell time for attackers was 30 days.

The top challenges facing SOCs, according to those surveyed, included the following:

  • detection of advanced cyberthreats — hidden, unknown and emerging threats (55%);
  • lack of skilled personnel (43%);
  • lack of confidence in threat detection technologies (36%);
  • too much time wasted on false alerts (35%);
  • slow response time to find or detect advanced threats (31%);
  • outdated SIEM and SOC infrastructure (29%); and
  • lack of proper reporting tools (28%).

To offset some of these challenges, approximately one-third of the organizations surveyed had outsourced threat hunting to a managed security service provider, the report found.

Crowd Research Partners conducted an online survey of more than 461 security and IT professionals in the Information Security Community group on LinkedIn. The survey features respondents from industries such as technology (17%); financial services, banking and insurance (14%); telecommunications (6%); and healthcare (5%). Government cybersecurity professionals represented 20% of those surveyed.

Mix of analysts and tools

According to the survey, 40% of respondents reported that security analysts at their organizations used threat hunting platforms, up 5 percentage points from a similar survey in 2017. Benefits ranged from improved detection of advanced threats to less time spent coordinating events. The indicators of compromise most frequently investigated by security analysts were behavior anomalies (67%), IP addresses (58%), domain names (46%), denied or flagged connections (46%) and file names (32%).

Security operations centers had more analysts hunting in 2018, at 17%, compared with 14% in 2017. More than half, however, have five or fewer analysts in their SOCs dedicated to threat hunting, the report found.

While security operations centers at some organizations are maturing, along with a greater awareness of threat hunting, 33% of those surveyed indicated their SOC had limited capabilities when it came to emerging threats; 28% said their SOC was advanced; 24% reported it was compliant, but behind the curve; and only 15% said their SOC was cutting-edge.

Companies used a variety of tools for threat hunting. The top technologies included the following:

  • next-generation firewalls, intrusion prevention systems and antivirus software (55%);
  • SIEM (50%);
  • antiphishing or other messaging security software (49%);
  • threat intelligence platforms (39%);
  • enrichment and investigation tools (34%); and
  • vulnerability management (32%).

The majority of threat hunting was performed in-house (56%). Some companies used a hybrid of in-house staff and a service provider (22%); others outsourced threat hunting entirely (11%). Meanwhile, 11% of survey respondents reported that their organizations did “no proactive threat hunting.”

Security analysts at 60% of the organizations said they do not currently use threat hunting platforms or techniques. However, six out of 10 organizations indicated plans to build a threat hunting program in the next three years, according to the “2018 Threat Hunting Report,” which is produced in partnership with multiple vendors.

Barriers to adoption ranged from lack of budget (45%) to untrained personnel (7%). The tools desired most often for threat hunting included threat intelligence (69%), user and entity behavior analytics (57%), automatic detection (56%), and machine learning and automated analytics (56%).

Proponents of threat hunting programs point to a further benefit: security teams can take what they find during a hunt and use it to improve automated detection. David Bianco, who served as a technology adviser for Sqrrl Data Inc. before the startup was acquired by Amazon Web Services earlier this year, is one such proponent.