{"id":24720,"date":"2024-06-19T19:00:44","date_gmt":"2024-06-20T03:00:44","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/06\/19\/news-18450\/"},"modified":"2024-06-19T19:00:44","modified_gmt":"2024-06-20T03:00:44","slug":"news-18450","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/06\/19\/news-18450\/","title":{"rendered":"Microsoft Defender Experts for XDR recognized in the latest MITRE Engenuity ATT&#038;CK\u00ae Evaluation for Managed Services"},"content":{"rendered":"<p><strong>Credit to Author: Ryan Kivett| Date: Tue, 18 Jun 2024 13:00:00 +0000<\/strong><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/business\/services\/microsoft-defender-experts-xdr\">Microsoft Defender Experts for XDR<\/a> demonstrated excellent managed extended detection and response (MXDR) by unifying our human-driven services and <a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-xdr\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Defender XDR<\/a> in the <a href=\"https:\/\/attackevals.mitre-engenuity.org\/managed-services\/menupass-blackcat\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE Engenuity ATT&amp;CK\u00ae Evaluations: Managed Services menuPass + ALPHV BlackCat<\/a>.\u00a0\u00a0\u00a0<\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/dex-xdr-overview\" target=\"_blank\" rel=\"noreferrer noopener\">Defender Experts for XDR<\/a> offers a range of capabilities:&nbsp;<\/p>\n<ul>\n<li><strong>Managed detection and response<\/strong>: Let our expert analysts manage your Microsoft Defender XDR incident queue and handle triage, investigation, and response on your behalf.&nbsp;&nbsp;<\/li>\n<li><strong>Proactive threat hunting<\/strong>: Extend your team\u2019s threat hunting capabilities and prioritize significant threats with <a href=\"https:\/\/www.microsoft.com\/security\/business\/services\/microsoft-defender-experts-hunting\" target=\"_blank\" 
rel=\"noreferrer noopener\">Defender Experts for Hunting<\/a> built in.<\/li>\n<li><strong>Live dashboards and reports<\/strong>: Get a transparent view of our operations conducted on your behalf, along with a noise-free, actionable view of prioritized incidents and detailed analytics.<\/li>\n<li><strong>Proactive check-ins<\/strong>: Benefit from remote, periodic check-ins with your named service delivery manager (SDM) team to guide your MXDR experience and improve your security posture.<\/li>\n<li><strong>Fast and seamless onboarding<\/strong>: Get a guided baselining experience to ensure your Microsoft security products are correctly configured.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"cyberattacks-detected-by-defender-experts-for-xdr\">Cyberattacks 
detected by Defender Experts for XDR<\/h2>\n<p>In the first cyberattack, Defender Experts for XDR provided detection, visibility, and coverage under what Microsoft Threat Intelligence tracks as the threat actor <a href=\"https:\/\/security.microsoft.com\/intel-profiles\/e2ce50467bf60953a8838cf5d054caf7f89a0a7611f65e89a67e0142211a1745\" target=\"_blank\" rel=\"noreferrer noopener\">Purple Typhoon<\/a>. From the early steps in the intrusion, our team alerted the customer that 11 systems and 13 accounts were compromised via a malicious Remote Desktop Protocol (RDP) session, leveraging a Dynamic Link Library (DLL) Search Order Hijacking on a legitimate Notepad++ executable. As is common with this threat actor, the next cyberattack established a Quasar RAT backdoor that triggered keylogging, capturing credentials for the domain admin. After the loaders were executed, scheduled tasks were used to move laterally, execute discovery commands on internal network areas, and complete credential dumping.<\/p>\n<p>For the second cyberattack, which used <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/security-compliance-and-identity\/new-blog-post-the-many-lives-of-blackcat-ransomware\/m-p\/3501842\" target=\"_blank\" rel=\"noreferrer noopener\">BlackCat<\/a> ransomware, Defender Experts for XDR detected and provided extensive guidance on investigation and remediation actions. The BlackCat ransomware, also known as <a href=\"https:\/\/www.varonis.com\/blog\/alphv-blackcat-ransomware\" target=\"_blank\" rel=\"noreferrer noopener\">ALPHV<\/a>, is a prevalent cyberthreat and a prime example of the growing <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/\" target=\"_blank\" rel=\"noreferrer noopener\">ransomware-as-a-service (RaaS) gig economy<\/a>. It\u2019s noteworthy due to its unconventional 
programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat&#8217;s arrival and execution vary based on the actors deploying it, the outcome is the same\u2014target data is encrypted, exfiltrated, and used for &#8220;double extortion,&#8221; where attackers threaten to release the stolen data to the public if the ransom isn\u2019t paid. This attack used access broker credentials to perform lateral movement, exfiltrate sensitive data via privileged execution, and execute ransomware encryption malware.<\/p>\n<p>In both cyberattacks, our team provided focused email and in-product guidance to the customer; in a real-world cyberattack, our service and product would also take disruption actions to stop the cyberattack.<\/p>\n<h2 class=\"wp-block-heading\" id=\"comprehensive-threat-hunting-managed-response-and-product-detections\">Comprehensive threat hunting, managed response, and product detections<\/h2>\n<p>With complex cyberattacks, security operations teams need robust guidance on what is happening and how to prioritize remediation efforts. Throughout this evaluation, we provided over 18 incidents, 196 alerts, and enriched product detections with human-driven guidance via email and in-product experiences using <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/managed-detection-and-response-xdr\" target=\"_blank\" rel=\"noreferrer noopener\">Managed responses<\/a>. This includes a detailed investigation summary, indicators of compromise (IOCs), advanced hunting queries (AHQs), and prioritized remediation actions to help contain the cyberthreat. 
Our world-class hunting team focuses on providing an initial response to a cyberattack, then iterates on updates based on new <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/security-101\/what-is-cyber-threat-intelligence\" target=\"_blank\" rel=\"noreferrer noopener\">threat intelligence<\/a> findings and other enrichment.<\/p>\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture1-2.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"539\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture1-2-1024x539.jpg\" alt=\"Incident and alerts are tagged with Defender Experts and detailed analysis provided under view Managed Response.\" class=\"wp-image-134686\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture1-2-1024x539.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture1-2-300x158.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture1-2-768x404.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture1-2-1536x808.jpg 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture1-2-2048x1077.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n<p><em>Figure 1. 
The incident and alerts are tagged with Defender Experts and detailed analysis provided under view Managed response<\/em>.<\/p>\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture2-2.png\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture2-2.webp\" alt=\"Managed response showing details of investigation summary, IOCs, and TTPs.\" class=\"wp-image-134694 webp-format\" style=\"width:400px\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture2-2.webp\"><\/a><\/figure>\n<p><em>Figure 2. Managed response showing details of investigation summary, IOCs, and TTPs<\/em>.<\/p>\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture3.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"396\" height=\"882\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture3.jpg\" alt=\"Managed response focused remediation one-click actions such as blocking indicator, stopping a malicious process, and resetting passwords.\" class=\"wp-image-134688\" style=\"width:400px\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture3.jpg 396w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture3-135x300.jpg 135w\" sizes=\"auto, (max-width: 396px) 100vw, 396px\" \/><\/a><\/figure>\n<p><em>Figure 3. 
Managed response focused remediation one-click actions such as blocking indicator, stopping a malicious process, and resetting passwords<\/em>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"world-class-ai-driven-attack-disruption\">AI-driven attack disruption with Microsoft Defender XDR&nbsp;&nbsp;&nbsp;<\/h2>\n<p>As the second cyberattack leveraged <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/security-compliance-and-identity\/new-blog-post-the-many-lives-of-blackcat-ransomware\/m-p\/3501842\" target=\"_blank\" rel=\"noreferrer noopener\">BlackCat<\/a> ransomware, Microsoft Defender XDR\u2019s <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/automatic-attack-disruption\" target=\"_blank\" rel=\"noreferrer noopener\">attack disruption<\/a> capability automatically contained the threat and then followed up with hunter guidance on additional containment.&nbsp;This capability combines our <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/06\/03\/microsoft-is-named-a-leader-in-the-forrester-wave-for-xdr\/\">industry-leading detection<\/a> with AI-powered enforcement mechanisms to help mitigate cyberthreats early on in the cyberattack chain and contain their advancement. 
Analysts have a powerful tool against human-operated cyberattacks while leaving them in complete control of investigating, remediating, and bringing assets back online.&nbsp;<\/p>\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture4-1.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"539\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture4-1-1024x539.jpg\" alt=\"A summary attack graph,\u00a0managed responses and attack disruption automatically handling this ransomware threat.\" class=\"wp-image-134689\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture4-1-1024x539.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture4-1-300x158.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture4-1-768x404.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture4-1-1536x808.jpg 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture4-1-2048x1078.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n<p><em>Figure 4. A summary attack graph,&nbsp;managed responses and attack disruption automatically handling this ransomware threat<\/em>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"seamless-alert-prioritization-and-consolidation-into-notifications-for-the-soc\">Seamless alert prioritization and consolidation into notifications for the SOC&nbsp;<\/h2>\n<p>We provide prioritization and focus for a typical customer&#8217;s SOC team using tags and incident titles with Defender Experts where we enrich product detections. 
In addition, a dedicated SDM will conduct periodic touchpoints with customers to share productivity and service metrics, provide insights on any vulnerabilities or changes in their environment, solicit feedback, and make best practices recommendations. Our customers see a reduction in total incident volume over time, improvements in security posture, and overall lower operational overhead. Learn how Defender Experts helps <a href=\"https:\/\/customers.microsoft.com\/story\/1761599991200737574-westminster-microsoft-defender-primary-and-secondary-edu-k-12-en-australia\" target=\"_blank\" rel=\"noreferrer noopener\">Westminster School.<\/a> &nbsp;<\/p>\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture5-1.png\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture5-1.webp\" alt=\"Summary of all incidents and Defender Experts tag to help filter and prioritize for customers.\" class=\"wp-image-134690 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/06\/Picture5-1.webp\"><\/a><\/figure>\n<p><em>Figure 5. Summary of all incidents and Defender Experts tag to help filter and prioritize for customers<\/em>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"commitment-to-microsoft-mxdr-partners\">Commitment to Microsoft MXDR partners&nbsp;<\/h2>\n<p>We continue our commitment to support our partners in our <a href=\"https:\/\/www.microsoft.com\/misapartnercatalog?PartnerClassifications=MicrosoftVerifiedManagedXDRSolution\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft-verified MXDR program<\/a>. 
We know that a single provider can\u2019t meet the unique needs of every organization, so we frequently collaborate with our ecosystem of partners to provide customers the flexibility to choose what works best for them\u2014and to leverage those trusted relationships for the best outcomes and returns on their investment.&nbsp;<\/p>\n<p>We acknowledge that there are areas for discussion and enhancement, but we will take these as a valuable learning opportunity to continuously improve our products and services for the customers we serve. We appreciate our ongoing collaboration with MITRE as the managed services evaluation process evolves with the growing cyberthreat landscape. We thank\u202f<a href=\"https:\/\/mitre-engenuity.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE Engenuity<\/a>\u202ffor the opportunity to contribute to and participate in this year&#8217;s evaluation.&nbsp;<\/p>\n<h2 class=\"wp-block-heading\" id=\"learn-more-about-microsoft-defender-experts-for-xdr\">Learn more&nbsp;about Microsoft Defender Experts for XDR<\/h2>\n<p>To learn more, visit the <a href=\"https:\/\/www.microsoft.com\/security\/business\/services\/microsoft-defender-experts-xdr\">Microsoft Defender Experts for XDR<\/a> web page, read the <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender\/dex-xdr-overview?view=o365-worldwide\" target=\"_blank\" rel=\"noreferrer noopener\">Defender Experts for XDR<\/a> docs page, and subscribe to our ongoing news at the <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-security-experts-blog\/bg-p\/MicrosoftSecurityExperts\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security Experts blog<\/a>.&nbsp;<\/p>\n<p>\u200b\u200bTo learn more about Microsoft Security solutions, visit our <a href=\"https:\/\/www.microsoft.com\/security\" target=\"_blank\" rel=\"noreferrer noopener\">website<\/a>. 
Bookmark the\u202f<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Security blog<\/a>\u202fto keep up with our expert coverage on security matters. Also, follow us on LinkedIn (<a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security<\/a>) and X (<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@MSFTSecurity<\/a>)\u202ffor the latest news and updates on cybersecurity.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<p>\u00a9 June 2024. The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/06\/18\/microsoft-defender-experts-for-xdr-recognized-in-the-latest-mitre-engenuity-attck-evaluation-for-managed-services\/\">Microsoft Defender Experts for XDR recognized in the latest MITRE Engenuity ATT&amp;CK\u00ae Evaluation for Managed Services<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Ryan Kivett| Date: Tue, 18 Jun 2024 13:00:00 +0000<\/strong><\/p>\n<p>Microsoft Defender Experts for XDR delivered excellent results during round 2 of the MITRE Engenuity ATT&#038;CK\u00ae Evaluations for Managed Services menuPass + ALPHV BlackCat.<\/p>\n<p>The post <a 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/06\/18\/microsoft-defender-experts-for-xdr-recognized-in-the-latest-mitre-engenuity-attck-evaluation-for-managed-services\/\">Microsoft Defender Experts for XDR recognized in the latest MITRE Engenuity ATT&amp;CK\u00ae Evaluation for Managed Services<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[],"class_list":["post-24720","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24720","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24720"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24720\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24720"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24720"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24720"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}