Microsoft Defender for Identity
Security tools keep getting smarter, and some would say that Microsoft's responsibility to help protect end users and businesses is becoming ever more vital. The attack or threat vectors (the routes by which attackers reach your systems and data) keep widening, and to counter this Microsoft has consolidated its Defender security tooling into a suite whose components are aligned to specific groups of assets.
Let’s remind ourselves of these groups, and highlight the group this guide addresses:
- Protection at the endpoint level.
  - Delivered via a unified platform for preventative protection, detection, and automated investigation and response.
- Protection at the email and collaboration-tool level.
  - Safeguards against malicious threats delivered through email messages, links and other collaboration tools.
- Protection at the identity level, using signals from on-premises Active Directory Domain Services (AD DS). This is the group this guide addresses.
  - Identify, detect and investigate compromised identities and insider actions.
  - Previously known as Azure Advanced Threat Protection (Azure ATP).
- Protection at the application level.
  - A cross-SaaS solution providing deep visibility, data controls and threat protection across business apps.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection or Azure ATP and has been widely adopted by many companies as their core cloud-based security solution.
The system builds on an organisation's on-premises Active Directory, the directory service that authenticates users and controls their access and permissions to corporate resources. Defender for Identity installs sensors on domain controllers (and optionally on AD FS servers) that capture and analyse network traffic and Windows events, using those signals to identify and investigate advanced threats, compromised identities and malicious insider actions directed at your organisation.
Defender for Identity enables SecOps analysts and security teams to monitor user and asset behaviour closely, learning how the domain is accessed and navigated, in order to provide insight and focus to the operational teams responsible for hybrid cloud and on-premises environments.
It speeds up the investigation of suspicious activity, whether user-led or part of an external advanced attack, by presenting the related events on an easy-to-read timeline. This lets SecOps teams triage potential threats more efficiently and take action to mitigate risk at each stage of the kill chain.
The main features of Microsoft Defender for Identity are:
Monitoring and analysis of behaviours
Network users are usually the unwitting victims of a cyber attack: the attacker's techniques are not recognised by the user, so the attack proceeds "in the clear", in plain sight. The monitoring and analytics in Defender for Identity use sensor data and machine learning to continually profile the behaviour of users and devices on the network and to spot new or inconsistent patterns of use and access, such as a user attempting to reach parts of the network they have never requested before. This per-user behavioural baseline lets Defender for Identity flag anomalies to the SecOps team, or trigger response actions to mitigate the risk.
Through this adaptive, intelligence-led design, a compromised user account or an attacked device is identified quickly so that it can be contained and its access to the network barred, for example by disabling the account in Active Directory or forcing a password reset from the portal. Some of the most damaging cyber attacks are launched from inside the corporate walls by threat actors already authorised to access the environment. Defender for Identity does not distinguish between known users and external threats: its behaviour-based algorithms and self-learning capabilities can identify unusual or suspicious behaviour from any source.
With this type of analysis and defence, Microsoft Defender for Identity (formerly Azure ATP) has been a huge success in protecting organisations' assets.
Reducing the attack surface of user identities
The attack vectors of a cyber attack are no different from those of a physical assault: the weakest point is identified and exploited, and the attack is executed. These weak points are generally a user, an automated access request or a link used as the point of entry, and they are discarded as the attacker traverses the corporate network, finding easier or more valuable footholds until they reach an asset they can steal or exploit.
Defender for Identity gives SecOps and security teams a visual map of Lateral Movement Paths (LMPs), so they can quickly understand exactly how an attacker could move laterally inside the organisation's network to compromise sensitive accounts. It also surfaces behaviours that make such lateral movement easier, such as users and devices that authenticate using clear-text passwords (for example, LDAP simple binds).
Defender for Identity also provides invaluable insight into identity configurations and suggests security best practices. Through its security assessments and user profile analytics, it helps dramatically reduce your organisation's attack surface, making it harder to compromise user credentials and advance an attack.
Protecting the use of Federated Services
Active Directory Federation Services (AD FS) is a Windows Server role that establishes a trust between two security domains. Its primary application is single sign-on: a user authenticated in one domain can be granted access to applications in another, differently secured, domain without authenticating again.
Active Directory is Microsoft's directory and authentication service, controlling who can view, move, modify or delete assets. This makes it key to the security of the whole environment, and therefore a highly prized target for attackers.
AD FS plays an important role in today's infrastructure for authentication in hybrid environments, where cloud and on-premises applications are accessed and updated. Defender for Identity protects AD FS by installing its sensor on the AD FS servers themselves, detecting attacks launched against them and providing visibility into the authentication events they generate for users.
Identify suspicious activities and attacks across the cyber attack kill chain
The term kill chain comes from a military concept that dissects an attack into stages, or a "chain". The traditional chain is target identification, dispatching a force towards the target, the "go, no go" decision to attack, and finally execution of the attack with the intent of destroying the target.
Defenders counter the kill chain by breaking any one of its links: mounting a defensive posture ahead of a strike, or launching a pre-emptive strike of their own to defeat the attacker's intentions.
In the cyber world, attacks are launched against any accessible entity, such as a low-privileged user, and then move laterally until the attacker gains access to valuable assets such as sensitive accounts, domain administrators and highly sensitive data. Defender for Identity identifies these advanced threats at the source throughout the entire cyber-attack kill chain: reconnaissance, such as account enumeration and user or IP address discovery; compromised credentials, such as brute-force attacks on logon details and suspicious group membership changes; lateral movement, such as Pass-the-Hash (PtH) and Pass-the-Ticket; and domain dominance.
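To make the "brute force on logon details" stage concrete, here is an added example (not code from the page or from Microsoft) of the two detection shapes an analyst looks for, run over constructed Windows events modelled on the Kerberos pre-authentication failure audit (Event ID 4771, status 0x18 meaning a wrong password). Defender for Identity derives the equivalent signal from domain controller traffic; this script only shows the logic, and the hosts, accounts, addresses and thresholds are sample values.

```python
"""Brute-force and password-spray detection over Kerberos pre-auth failures.

Added example, not the page's or Microsoft's code. The events below are
constructed to look like Windows Security Event ID 4771 (Kerberos
pre-authentication failed); status 0x18 is KDC_ERR_PREAUTH_FAILED, i.e. a
wrong password. Event ID 4768 is a successful TGT request and is ignored here.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(clock, user, ip, status="0x18", eid=4771):
    """Build one constructed event record (all on a single sample day)."""
    return {"time": datetime.fromisoformat("2024-03-01T" + clock),
            "id": eid, "user": user, "ip": ip, "status": status}


# Constructed sample telemetry, not real data.
EVENTS = (
    [_ev(f"08:00:{s:02d}", "alice", "10.0.0.50") for s in (1, 9, 17, 25, 33, 41)]   # 6 failures in 40 s
    + [_ev(t, u, "10.0.0.77") for t, u in (("08:05:00", "bob"), ("08:05:30", "carol"),
                                           ("08:06:00", "dave"), ("08:06:30", "erin"))]  # 1 failure per account
    + [_ev("08:07:30", "frank", "10.0.0.9")]                                       # a single typo
    + [_ev("08:08:00", "alice", "10.0.0.50", status="0x0", eid=4768)]              # success after the burst
)


def _failures(events):
    """Keep only wrong-password pre-authentication failures."""
    return [e for e in events if e["id"] == 4771 and e["status"] == "0x18"]


def _burst(times, threshold, window):
    """True if some span no longer than `window` contains >= threshold timestamps."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Classic brute force: one source hammering one account."""
    by_pair = defaultdict(list)
    for e in _failures(events):
        by_pair[(e["ip"], e["user"])].append(e["time"])
    return sorted(pair for pair, ts in by_pair.items() if _burst(ts, threshold, window))


def detect_password_spray(events, min_accounts=4, window=timedelta(minutes=10)):
    """Password spray: one source failing against many accounts, a try or two
    each, which stays under per-account lockout thresholds."""
    by_ip = defaultdict(lambda: defaultdict(list))
    for e in _failures(events):
        by_ip[e["ip"]][e["user"]].append(e["time"])
    findings = []
    for ip, users in by_ip.items():
        first_failures = [min(ts) for ts in users.values()]
        if _burst(first_failures, min_accounts, window):
            findings.append((ip, sorted(users)))
    return sorted(findings)


if __name__ == "__main__":
    print("brute force :", detect_brute_force(EVENTS))
    print("spray       :", detect_password_spray(EVENTS))
```

The two rules are deliberately keyed differently: brute force groups by (source, account), spray groups by source and counts distinct accounts, so a spray of one attempt per user never trips the brute-force rule and vice versa. In production the thresholds should be tuned against your own baseline, which is what the behavioural profiling described above does automatically.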
A PtH attack uses the NT hash, the stored mathematical representation of a password, directly as the authenticator: in NTLM authentication the challenge-response is computed from the hash rather than from the plaintext, so an attacker who extracts the hash (for example from a workstation's LSASS memory) can authenticate to services as that user, exactly as the Windows single sign-on (SSO) mechanism does on the user's behalf.
Microsoft Defender for Identity's detections also cover some of the most destructive attacks that can be launched against a corporate network, such as Golden Ticket and DCShadow. In a Golden Ticket attack, an attacker who has obtained the KRBTGT account's password hash forges Kerberos ticket-granting tickets for any user. In a DCShadow attack, an attacker with domain administrator rights registers a rogue domain controller and uses Active Directory replication to push malicious changes (such as altered group membership) into the legitimate domain controllers, gaining persistent control over the corporate network.