{"id":20569,"date":"2022-11-09T08:00:52","date_gmt":"2022-11-09T16:00:52","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/11\/09\/news-14302\/"},"modified":"2022-11-09T08:00:52","modified_gmt":"2022-11-09T16:00:52","slug":"news-14302","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/11\/09\/news-14302\/","title":{"rendered":"Microsoft Defender Experts for Hunting demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&#038;CK\u00ae Evaluations for Managed Services"},"content":{"rendered":"<p><strong>Credit to Author: Christine Barrett| Date: Wed, 09 Nov 2022 15:00:00 +0000<\/strong><\/p>\n<p><strong><a href=\"https:\/\/www.microsoft.com\/security\/business\/services\/microsoft-defender-experts-hunting\">Microsoft Defender Experts for Hunting<\/a><\/strong>, our newest managed threat hunting service, delivered industry-leading results during the inaugural <a href=\"https:\/\/attackevals.mitre-engenuity.org\/managed-services\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE Engenuity ATT&amp;CK\u00ae Evaluations for Managed Services<\/a>. <\/p>\n<p>We provided a seamless, comprehensive, and rapid response to the simulated attack using expert-led threat hunting and an industry-leading extended detection and response (XDR) platform\u2014<a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-365-defender\">Microsoft 365 Defender<\/a>. 
This evaluation showcased our service&#8217;s strength in the following areas:<\/p>\n<ul>\n<li>In-depth visibility and analytics across all stages of the attack chain.<\/li>\n<li>Comprehensive managed hunting.<\/li>\n<li>Seamless alert prioritization and consolidation into notifications for the security operations center (SOC).<\/li>\n<li>Tailored hunting guidance and advanced hunting queries (AHQ) to optimize investigations.<\/li>\n<li>Frequently updated and customized recommendations for rapid containment and remediation.<\/li>\n<li>Threat actor attribution with tactics, techniques, and procedures (TTP) context.<\/li>\n<li>Technology powered by a team of expert hunters and a customer-centric approach.<\/li>\n<li>Commitment to managed extended detection and response (MXDR) partners running on Microsoft 365 Defender. <\/li>\n<\/ul>\n<h2>In-depth visibility and analytics across all stages of the attack chain<\/h2>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1516\" height=\"550\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_1_MITRE.jpg\" alt=\"Diagram representing a snake of how we represented the MITRE attack and our coverage.\" class=\"wp-image-124680\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_1_MITRE.jpg 1516w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_1_MITRE-300x109.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_1_MITRE-1024x372.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_1_MITRE-768x279.jpg 768w\" sizes=\"auto, (max-width: 1516px) 100vw, 1516px\" \/><\/figure>\n<p><em>Figure 1. Microsoft Defender Experts for Hunting coverage. 
Fully reported\u2014including initial access, execution, persistence, credential access, lateral movement, and collection\u2014reflects 100 percent acceptance of evidence submission. Majority reported\u2014including defense evasion, discovery, exfiltration, and command and control\u2014reflects some gaps in evidence acceptance.<\/em><\/p>\n<h2>Comprehensive managed hunting<\/h2>\n<p>The <strong>Microsoft Defender Experts for Hunting<\/strong> team identified all threats and provided a cohesive attack timeline with remediation guidance.<\/p>\n<p>From the early stages of the intrusion, our hunters alerted the customer that a malicious archive masquerading as marketing materials was potentially part of a targeted attack. After a user opened the archive, a threat actor, which we attributed with high confidence to EUROPIUM, gained access to the environment.<\/p>\n<p>Over the next few days, the threat actor used this foothold to steal credentials, move laterally in the network, deploy a web shell on an Exchange Server, and escalate privileges in the domain. The threat actor ultimately used their access to target sensitive data on an SQL server. 
Based on available telemetry, we reported that the threat actor staged sensitive data and may have successfully exfiltrated the data through email using a <a href=\"https:\/\/attack.mitre.org\/software\/S0495\/\" target=\"_blank\" rel=\"noreferrer noopener\">malicious RDAT utility<\/a>.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"1901\" height=\"1032\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_2-V2.jpg\" alt=\"Bar chart showing results of Microsoft against all other vendors participating in this evaluation.\" class=\"wp-image-124713\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_2-V2.jpg 1901w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_2-V2-300x163.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_2-V2-1024x556.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_2-V2-768x417.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_2-V2-1536x834.jpg 1536w\" sizes=\"auto, (max-width: 1901px) 100vw, 1901px\" \/><\/figure>\n<p><em>Figure 2. Microsoft results compared to all other vendors out of 76 total techniques.<\/em><\/p>\n<p>Microsoft threat hunters discovered and investigated all of the essential and impactful TTPs used in this evaluation.<\/p>\n<h2>Seamless alert prioritization and consolidation into notifications for the SOC<\/h2>\n<p>From initial malware execution to data theft, Microsoft 365 Defender seamlessly detected and correlated alerts from all stages of the attack chain into two overarching incidents that provided end-to-end attack stories (see Figure 3). 
Microsoft 365&nbsp;Defender\u2019s&nbsp;incident correlation technology&nbsp;helps SOC analysts to counter alert fatigue, and our hunters then enrich these incidents by finding new attacks with the existing deep signals and custom alerting.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"2560\" height=\"516\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_3_MITRE-scaled.jpg\" alt=\"Two Incidents identified and enriched by our Defender Experts for Hunting Team.\" class=\"wp-image-124684\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_3_MITRE-scaled.jpg 2560w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_3_MITRE-300x60.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_3_MITRE-1024x206.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_3_MITRE-768x155.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_3_MITRE-1536x309.jpg 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_3_MITRE-2048x413.jpg 2048w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><\/figure>\n<p><em>Figure 3. Consolidated incidents enriched by Defender Experts for Hunting as illustrated in the above tags.<\/em><\/p>\n<p>Our hunters followed up on automated alerting with Defender Expert notifications (DENs) to provide additional context on the threat activity with an executive summary, threat actor attribution, detailed scope of impact, recommendations, and advanced hunting queries to self-serve investigations and response actions. 
This human enrichment helps the customer prioritize their time and focused actions in the SOC.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"1950\" height=\"967\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_4_MITRE.jpg\" alt=\"Custom advanced hunting queries provided by our Defender Experts for Hunting Team in Microsoft 365 Defender.\" class=\"wp-image-124686\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_4_MITRE.jpg 1950w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_4_MITRE-300x149.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_4_MITRE-1024x508.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_4_MITRE-768x381.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_4_MITRE-1536x762.jpg 1536w\" sizes=\"auto, (max-width: 1950px) 100vw, 1950px\" \/><\/figure>\n<p><em>Figure 4. Beginning of incident executive summary provided by Defender Experts.<\/em><\/p>\n<h2>Tailored hunting guidance and AHQ to optimize investigations<\/h2>\n<p>Within the DENs, our hunters additionally provided tailored hunting guidance and AHQs to enable investigators to hunt for and identify relevant attack activity in each incident. 
Figure 5 shows one example where we directly flagged to the customer that a series of file modification events were consistent with data exfiltration attempts.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"1916\" height=\"803\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_5_MITRE.jpg\" alt=\"Custom advanced hunting queries provided by our Defender Experts for Hunting Team in M365D.\" class=\"wp-image-124688\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_5_MITRE.jpg 1916w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_5_MITRE-300x126.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_5_MITRE-1024x429.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_5_MITRE-768x322.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_5_MITRE-1536x644.jpg 1536w\" sizes=\"auto, (max-width: 1916px) 100vw, 1916px\" \/><\/figure>\n<p><em>Figure 5. Example of running provided AHQs to surface activity of interest.<\/em><\/p>\n<h2>Frequently updated and customized recommendations for containment and remediation<\/h2>\n<p>Throughout the attack, our hunters regularly shared remediation guidance to aid the customer in a rapid response (Figure 6). 
As the incident developed, using the Recommendation Summary, we kept the customer apprised of the scope of the attack and the efforts needed to contain it.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"1917\" height=\"1032\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_6_MITRE.jpg\" alt=\"Recommendations for remediation provided by our Defender Experts for Hunting Team.\" class=\"wp-image-124691\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_6_MITRE.jpg 1917w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_6_MITRE-300x162.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_6_MITRE-1024x551.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_6_MITRE-768x413.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_6_MITRE-1536x827.jpg 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_6_MITRE-389x209.jpg 389w\" sizes=\"auto, (max-width: 1917px) 100vw, 1917px\" \/><\/figure>\n<p><em>Figure 6. Excerpt of custom recommendations in the Microsoft 365 Defender portal.<\/em><\/p>\n<h2>Threat actor attribution with TTP context<\/h2>\n<p>Microsoft Defender Experts for Hunting provided the customer with nation-state attribution based on observed TTPs and behaviors. We identified the activity was consistent with the threat actor EUROPIUM, also known as <a href=\"https:\/\/attack.mitre.org\/groups\/G0049\/\" target=\"_blank\" rel=\"noreferrer noopener\">APT34 and OilRig<\/a>, which Microsoft has observed as far back as 2015. 
EUROPIUM is a well-resourced actor capable of multiple types of attacks\u2014from spear phishing and social engineering to remote exploitation of internet-facing devices.<\/p>\n<p>We leveraged this attribution to provide valuable incident context, such as potential intrusion goals and relevant TTP, to the customer.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"1917\" height=\"904\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_7_MITRE.jpg\" alt=\"Nation state attribution of this attack by Defender Experts for Hunting Team.\" class=\"wp-image-124693\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_7_MITRE.jpg 1917w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_7_MITRE-300x141.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_7_MITRE-1024x483.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_7_MITRE-768x362.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure_7_MITRE-1536x724.jpg 1536w\" sizes=\"auto, (max-width: 1917px) 100vw, 1917px\" \/><\/figure>\n<p><em>Figure 7. Incident attribution in Microsoft 365 Defender portal.<\/em><\/p>\n<h2>Technology powered by a team of expert hunters<\/h2>\n<p>The Microsoft philosophy in this evaluation was to represent product truth and real-world service delivery for our customers. We participated in the evaluation using our Defender Experts for Hunting team and product capabilities and configurations that we expect customers to use. As you review evaluation results, you should consider additional aspects including depth and durability of protection, completeness of signals, actionable insights, and the quality of what our hunters provided to enrich both the incidents and component alerts. 
All of these factors are critical in delivering a world-class hunting service to protect real customer production environments.<\/p>\n<h2>Commitment to MXDR partners running on Microsoft 365 Defender<\/h2>\n<p>Microsoft supported several of our verified MXDR partners in this evaluation. Our collaborative efforts reinforce our commitment to our partners\u2019 success in building managed services to meet growing demand and support our joint customers. <\/p>\n<p>We thank <a href=\"https:\/\/mitre-engenuity.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE Engenuity<\/a> for the opportunity to contribute to and participate in this year\u2019s evaluation.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"343\" height=\"356\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Picture10.png\" alt=\"The MITRE Engenuity ATT&amp;CK Evaluations Managed Services OilRig 2022 participant badge.\" class=\"wp-image-124547\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Picture10.png 343w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Picture10-289x300.png 289w\" sizes=\"auto, (max-width: 343px) 100vw, 343px\" \/><\/figure>\n<p>Read more about the <a href=\"https:\/\/attackevals.mitre-engenuity.org\/managed-services\/managed-services\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE Managed Services Evaluations<\/a>.<\/p>\n<h2>Learn more<\/h2>\n<p>Learn more about&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/business\/services\/microsoft-defender-experts-hunting\">Microsoft Defender Experts for Hunting<\/a>.<\/p>\n<p>To learn more about Microsoft Security solutions,&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/business\/solutions\">visit our&nbsp;website<\/a>.&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\">Security blog<\/a>&nbsp;to keep up 
with our expert coverage on security matters. Also, follow us at&nbsp;<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@MSFTSecurity<\/a>&nbsp;for the latest news and updates on cybersecurity.<\/p>\n<div style=\"height:27px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n<p>\u00a9 November 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/09\/microsoft-defender-experts-for-hunting-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations-for-managed-services\/\">Microsoft Defender Experts for Hunting demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&#038;CK\u00ae Evaluations for Managed Services<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Christine Barrett| Date: Wed, 09 Nov 2022 15:00:00 +0000<\/strong><\/p>\n<p>Microsoft Defender Experts for Hunting, our newest managed threat hunting service, delivered top-class results during the inaugural MITRE Engenuity ATT&#038;CK\u00ae Evaluations for Managed Services. 
Defender Experts for Hunting provided a seamless, comprehensive, and rapid response to the simulated attack using expert-led threat hunting and an industry-leading platform\u2014Microsoft 365 Defender.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/09\/microsoft-defender-experts-for-hunting-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations-for-managed-services\/\">Microsoft Defender Experts for Hunting demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&#038;CK\u00ae Evaluations for Managed Services<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[4500,27209],"class_list":["post-20569","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-cybersecurity","tag-microsoft-security-experts"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20569","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20569"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20569\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20569
"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20569"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}