{"id":18643,"date":"2022-03-31T13:00:34","date_gmt":"2022-03-31T21:00:34","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/03\/31\/news-12376\/"},"modified":"2022-03-31T13:00:34","modified_gmt":"2022-03-31T21:00:34","slug":"news-12376","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/03\/31\/news-12376\/","title":{"rendered":"Microsoft protects against human-operated ransomware across the full attack chain in the 2022 MITRE Engenuity ATT&#038;CK\u00ae Evaluations"},"content":{"rendered":"<p><strong>Credit to Author: Paul Oliveria| Date: Thu, 31 Mar 2022 20:27:12 +0000<\/strong><\/p>\n<p>For the fourth year in a row, the independent MITRE Engenuity&nbsp;Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK\u00ae)&nbsp;Evaluations demonstrated Microsoft\u2019s strong detection and protection capabilities thanks to our multi-platform extended detection and response (XDR) defenses.<\/p>\n<p>The ever-evolving threat landscape continues to deliver adversaries with new techniques, revamped tactics, and more advanced attack capabilities. Such threats demand comprehensive security solutions that provide a holistic view of the attack across endpoints and domains, prevent and block attacks at all stages, and provide security operations (SecOps) with automated tools to remediate complex threats and attackers in the network.<\/p>\n<p>This year\u2019s ATT&amp;CK Evaluations&nbsp;concentrated on advanced threat actors <a href=\"https:\/\/attack.mitre.org\/groups\/G0102\/\">Wizard Spider<\/a> and <a href=\"https:\/\/attack.mitre.org\/groups\/G0034\/\">Sandworm<\/a>. These actors are known for deploying sophisticated <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/05\/human-operated-ransomware-attacks-a-preventable-disaster\/\">human-operated ransomware campaigns<\/a> designed to destabilize infrastructure and institutions. 
The testing included detection benchmarks and protection simulations across platforms, such as Windows and Linux, of more than 100 steps and 66 unique ATT&amp;CK techniques across the attack chain. &nbsp;<\/p>\n<p>We\u2019re proud to report that <a href=\"https:\/\/www.microsoft.com\/microsoft-365\/security\/microsoft-365-defender\">Microsoft 365 Defender<\/a> <strong><em>successfully detected and prevented malicious activity at every major attack stage, <\/em><\/strong>demonstrating<strong> <\/strong>comprehensive technique-level coverage across endpoints and identities. Rich threat intelligence synthesized from trillions of security signals on a daily basis proved key to informing both controls to be implemented in a <a href=\"https:\/\/www.microsoft.com\/security\/business\/zero-trust\">Zero Trust<\/a> approach and threat hunting.&nbsp;<\/p>\n<p>MITRE Engenuity\u2019s ATT&amp;CK Evaluations results emphasized that Microsoft\u2019s success in this simulation was largely due to our:<\/p>\n<ul>\n<li><strong>Industry-leading XDR. <\/strong>Microsoft 365 Defender simplified thousands of alerts into two incidents and a clear timeline spanning identity and endpoint to enable rapid resolution.<\/li>\n<li><strong>Superior EPP and EDR.&nbsp;<\/strong><a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/endpoint-defender\">Microsoft Defender for Endpoint<\/a> both prevented attacks and quickly identified and contained suspicious activities in the pre- and post-ransom phases to stop attacks.<\/li>\n<li><strong>Comprehensive multi-platform protection.<\/strong>&nbsp;Microsoft 365 Defender demonstrated maturity in protecting multi-platform environments. 
In addition to Windows, Microsoft Defender for Endpoint\u2019s behavioral and machine learning models blocked and detected every major step on Linux for the second year in a row.<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"340\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/03\/fig1-mitre-engenuity-attck-evaluation-results.png\" alt=\"Decorative image illustrating Microsoft 365 Defender's staples for protecting against ransomware.\" class=\"wp-image-110316\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/03\/fig1-mitre-engenuity-attck-evaluation-results.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/03\/fig1-mitre-engenuity-attck-evaluation-results-300x128.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/03\/fig1-mitre-engenuity-attck-evaluation-results-768x326.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 1. MITRE Engenuity\u2019s ATT&amp;CK Evaluation results demonstrated that Microsoft 365 Defender protects against ransomware with industry-leading XDR, EPP and EDR, and multi-platform protection.<\/figcaption><\/figure>\n<h2>Microsoft defends against human-operated ransomware with industry-leading XDR<\/h2>\n<p>One of the most prominent dangers in today\u2019s threat landscape is human-operated ransomware campaigns, which leverage the playbook of advanced nation-state actors: a threat actor actively targets one or more organizations using techniques custom-built for the target network. These campaigns also often involve encryption and exfiltration of high-value data, making it critical for security solutions to address the threat quickly and aggressively. 
If successful, human-operated ransomware attacks can cause catastrophic and visible disruption to organizations, their customers, and the rest of their communities. Protecting against these attacks requires a holistic security strategy that can resist a persistent attacker, including the ability to isolate and contain the threat to prevent widespread damage.<\/p>\n<p>As demonstrated in the evaluation, Microsoft 365 Defender protected against these sophisticated attacks with:<\/p>\n<ul>\n<li>Prevention at the earliest stages of the attack to stop further attacker activity without hindering productivity<\/li>\n<li>Diverse signal capture from devices and identities, with device-to-identity and identity-to-device signal correlation<\/li>\n<li>Coverage across device assets, including Windows, Linux, Mac, iOS, and Android<\/li>\n<li>Excellent pre-ransom and ransom protection, covering both automated remediation of persistent threats and complete eviction of the attacker from the network<\/li>\n<\/ul>\n<h2>Integrated identity threat protection proves critical<\/h2>\n<p>With human-operated ransomware, threat actors are constantly advancing their techniques. This year\u2019s test included domain trust discovery activity, pass-the-hash, pass-the-ticket, and stealing credentials through Kerberoasting. Microsoft supports billions of identity authentications per day, and Microsoft 365 Defender has deep integration with both on-premises and cloud identities; by fusing endpoint and identity data, it enables a level of detection and visibility that far exceeds what is possible with endpoint data alone. 
Microsoft 365 Defender protects hundreds of millions of customer identities today, and the integration of identity threats into the events timeline was instrumental in detections during evaluation.<\/p>\n<h2>Aggregating alerts into prioritized incidents streamlined the investigation experience<\/h2>\n<p>Microsoft 365 Defender streamlined the investigation experience by correlating more than a thousand alerts into significant incidents and identified complex, seemingly unrelated links between attacker activities across various domains. Time to remediate is critical in a ransomware attack, and Microsoft 365 Defender\u2019s <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender\/incident-queue?view=o365-worldwide\">incidents page<\/a> simplifies the SecOps experience by providing essential context on active alerts, key devices, and impacted users. It also allows defenders to enable both automatic and manual remediations that offer insightful and actionable alerts, rather than filtering through unrelated events that can add strain on resources, particularly during an existing attack. EDR further enables analysts to approach investigations through multiple vectors, providing detailed behavioral telemetry that includes process information, network activities, kernel and memory manager deep optics, registry and file system changes, and user login activities to determine the start and scale of an attack.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"405\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/03\/fig2-microsoft-365-defender-incidents-page.png\" alt=\"Screenshot of Microsoft 365 Defender UI where the top section shows a notification about a multi-stage incident. 
The summary page provides visualizations of active alerts and lists of impacted devices and users.\" class=\"wp-image-110319\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/03\/fig2-microsoft-365-defender-incidents-page.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/03\/fig2-microsoft-365-defender-incidents-page-300x152.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/03\/fig2-microsoft-365-defender-incidents-page-768x389.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 2. Microsoft 365 Defender\u2019s incidents page correlating all the devices, users, alerts, and evidence&nbsp;that&nbsp;describe&nbsp;the attack simulated by MITRE&nbsp;Engenuity.&nbsp;&nbsp;<\/figcaption><\/figure>\n<h2>Microsoft 365 Defender delivers mature multi-platform protection<\/h2>\n<p>The attack scenario mimicked a threat actor\u2019s ability to target heterogeneous environments and spread across platform ecosystems. We\u2019re proud to state that Microsoft 365 Defender\u2019s security capabilities provided superior detection and protection and complete Linux coverage for the second consecutive year.<\/p>\n<p>Microsoft 365 Defender offers comprehensive capabilities across the popular desktop and mobile operating systems, such as Linux, Mac, Windows, iOS, and Android. These capabilities include next-generation antivirus, EDR, and behavioral and heuristic coverage across numerous versions of Linux. 
Microsoft has invested heavily in protecting non-Windows platforms in the last four years and, today, offers the extensive capabilities organizations need to protect their networks.&nbsp;<\/p>\n<h2>Microsoft takes a customer-centered approach to tests<\/h2>\n<p>The evolving threat landscape demands security solutions with wide-ranging capabilities, and we\u2019re dedicated to helping defenders combat such threats through our industry-leading, cross-domain Microsoft Defender products. Microsoft\u2019s philosophy in this evaluation is to empathize with our customers, so we configured the product as we would expect customers to. For example, we didn\u2019t perform any real-time detection tuning that might have increased the product\u2019s sensitivity to find more signals, as that would have created an untenable number of false positives in a real-world customer environment.<\/p>\n<p>We thank MITRE Engenuity for the opportunity to contribute to and participate in this year\u2019s evaluation.<\/p>\n<h2>Learn more<\/h2>\n<p>For more information about human-operated ransomware and how to protect your organization from it, refer to the following articles:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/security\/compass\/human-operated-ransomware\">Human-operated ransomware<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/security\/compass\/protect-against-ransomware\">Rapidly protect against ransomware and extortion<\/a><\/li>\n<\/ul>\n<p>Take advantage of Microsoft\u2019s unrivaled threat optics and proven capabilities. 
Learn more about&nbsp;<a href=\"https:\/\/www.microsoft.com\/microsoft-365\/security\/microsoft-365-defender\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft 365&nbsp;Defender<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/endpoint-defender\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Defender for Endpoint<\/a>, and sign up for a trial today.<\/p>\n<p>To learn more about Microsoft Security solutions,&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/business\/solutions\">visit our website.<\/a>&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us at&nbsp;<a href=\"https:\/\/twitter.com\/@MSFTSecurity\">@MSFTSecurity<\/a>&nbsp;for the latest news and updates on cybersecurity.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/03\/31\/microsoft-protects-against-human-operated-ransomware-across-the-full-attack-chain-in-the-2022-mitre-engenuity-attck-evaluations\/\">Microsoft protects against human-operated ransomware across the full attack chain in the 2022 MITRE Engenuity ATT&#038;CK\u00ae Evaluations<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Paul Oliveria| Date: Thu, 31 Mar 2022 20:27:12 +0000<\/strong><\/p>\n<p>For the fourth year in a row, the independent MITRE Engenuity ATT&#038;CK\u00ae Evaluations demonstrated that threats are no match for Microsoft\u2019s multi-platform extended 
detection and response (XDR) defense capabilities.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/03\/31\/microsoft-protects-against-human-operated-ransomware-across-the-full-attack-chain-in-the-2022-mitre-engenuity-attck-evaluations\/\">Microsoft protects against human-operated ransomware across the full attack chain in the 2022 MITRE Engenuity ATT&#038;CK\u00ae Evaluations<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[4500,22453,25567,25568],"class_list":["post-18643","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-cybersecurity","tag-microsoft-security-intelligence","tag-mitre-attck","tag-mitre-engenuity"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18643"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18643\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18643"},{"ta
xonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}