Information about SharePoint, Microsoft 365, Azure, Mobility and Productivity from the Computer Information Agency
In this month’s Business Dojo we take a look at create a security offering with Microsoft Sentinel. These are virtual events, hosted using Microsoft Teams, that will provide you with deep dive into a business topic from the Microsoft Cloud.
Costs:
Non CIAOPS Patrons = AU$99 inc GST
Date:
Wednesday December 22nd 0930 – 1100 Sydney AU time
If you are interested in attending please complete the expression of interest application here to be considered for the event:
and you’ll be sent more details.
Microsoft has announced some great improvements to the Microsoft Authenticator passwordless process.
One of these, as you can see above, I have already enabled on my tenant. It allows you to do number matching AND provides you the location from where you are logging in via a map.
To enable this in your tenant visit the link:
Enable additional context in the portal
This is a great enhancement for MFA with Microsoft 365. Simple and easy to use. Great work Microsoft. You can read about the other exciting announcements here:
Several Microsoft Authenticator security features are now available!
I attended a recent IT Professionals User Group meeting that featured yet another presentation by yet another ‘security’ vendor. Maybe I’m missing the point of these types of presentations but I didn’t feel it moved the needle in any meaningful way when it comes to cyber security. I wish I could get that time back I’ll be honest.
I’m finding that continual disappointment a lot if I’m honest. There is lots of talk but very little meaningful action when it comes to cyber security. Most of the focus of cyber security seems to be continually placed solely on how bad things are and this is probably more to aid in selling ‘product’ than it is in really providing real meaningful solutions. That, is a bad thing.
It is unfortunate that the whole ‘cybersecurity’ space is now seen as a revenue opportunity rather than a problem to be solved. Fear is probably the cheapest and easiest method of selling something and I see it in full swing where ever I go these days. There is no doubt that fear gets people’s attention, but fear alone does not solve the problem. Fear is an emotion not an action.
Good cyber security doesn’t need more bells, whistles and bright shiny objects, it needs people to implement and adhere to best practices and star using what they have already. Rarely does adding anything ‘more’ solve a problem because typically, more is simply a way to avoid addressing the actual root cause of the problem and making hard choices that need to be made. It is merely a way to be distracted from doing the ‘hard yards’ that implementing and adhering to best practices requires.
The amount of time, money, blood, sweat, PowerPoint slides and tears I see being utterly wasted on inconsequential approaches to cyber security utterly amazes me. Just when I think it can’t get it any worse, it does. It is no co-incidence, I would suggest, that as this wasted effort increases so to does the actual damage that cyber security incidents realise. Co-incidence? I think not! Why? All talk, no action.
Yes, there is no doubt, by any measure there is an issue. However, there isn’t a need to keep telling me this over and over and over again in the vain hope that I’ll buy some quantity of your magic cyber security snake oil remedy that in all honesty will just complicate things and rarely aid in help solve the problem. Work with what you have access to first, then seek to add more. Security starts with simplicity.
If you haven’t worked it out already, people are the problem when it comes to cyber security. Simple. The methodology and the tools to solve the problem are already available. Yet they largely lie under implemented and under utilised because of the human consequence from the lure from the next bright shiny object peddled by those regurgitating familiar statistics but with different slide decks.
Perhaps it’s just the old world engineer in me, out of touch with greater humanity, and that may be true. However, it doesn’t mean I’m wrong!
Stop trying to buy your way to peak cyber security and start doing the work. It is that simple. And guess what? All the stuff you need to improve cyber security is probably already available to you and is laying around neglected. The missing key ingredient is nothing more than effort expenditure. We’ll never solve the cyber security problem without effort and I think this quote from Edison is quite apt here:
Opportunity is missed by most people because it is dressed in overalls and looks like work
I will never claim that cyber security is easy. What I will however claim, is that there is so you much you can and should be doing but you aren’t. Everyone that is. From the business owner to the IT Professional to the government and beyond, let’s focus on solving the problem rather than simply using it as a topic of conversation or a method of sales conversion. Let your actions speak louder than your words when it comes to cyber security.
A typical tactic after a business email compromise event is the creation of email forwarding rules using any one, or more, of these methods by an attacker:
– Use rules in Outlook Web App to automatically forward messages to another account
– Sweep
It is therefore good practice to regularly check and verify the email forwarding rules inside your Microsoft 365 environment.
I have created a free PowerShell script exactly for this purpose, which you can find here:
Office365/o365-exo-fwd-chk.ps1 at master · directorcia/Office365 · GitHub
and the video:
https://www.youtube.com/watch?v=Oqk_yd6U3bk&t=16s
will provide a walk through of its execution.
This is an update to the last update about Defender products here:
To start off with there are products that are considered ‘Window Defender’ products, although I see the Windows and Microsoft brand intermingled regularly. Here is a list of specific ‘Windows Defender’ products, typically tied to Windows 10 devices, and typically only available with Windows 10 Enterprise but not always:
Windows Defender Application Control – WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients.
Windows Defender Firewall – By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.
Windows Defender Exploit Guard – Automatically applies a number of exploit mitigation techniques to operating system processes and apps.
The four components of Windows Defender Exploit Guard are:
Windows Defender Credential Guard – Uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Windows Defender System Guard – Reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It’s designed to make these security guarantees:
In contrast, here are the ‘Microsoft Defender’ products many of which have been re-branded lately:
Microsoft 365 Defender – (over arching service which includes other Defender services) is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Microsoft Defender for Office 365 – (previously Office 365 ATP) Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
Microsoft Defender for Identity – (previously Azure ATP) Cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Defender for Cloud – (previously Azure Defender) Provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more. It includes:
Microsoft Defender for Endpoint – (previously Defender ATP) an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats especially on user devices like desktops, laptops and mobiles.
There is a Microsoft for Defender P1 and P2 plan. information on the comparison of the two plans can be found here – Compare Microsoft Defender for Endpoint Plan 1 (preview) to Plan 2.
Microsoft Defender for Business – A new endpoint security solution that’s coming soon in preview. Microsoft Defender for Business is specially built to bring enterprise-grade endpoint security to businesses with up to 300 employees, in a solution that is easy-to-use and cost-effective. See Introducing Microsoft Defender for Business for more information.
Microsoft Defender Smart screen – Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
Microsoft Defender Antivirus – Brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your organization.
Microsoft Defender Application Guard – helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.
Microsoft Defender Security Center – is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.
Microsoft Defender Browser Protection – a non Microsoft browser extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.
Microsoft Defender for Cloud Apps – (previously Microsoft Cloud App Security) is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.
So, as you can see, there are quite a lot of ‘Defender’ products out there from Microsoft.
For now, just be careful to investigate what is actually meant when it says ‘Defender’ in the Microsoft space!
This post is part of a series focused on Windows Defender Application Control (WDAC). The previous article can be found here:
Unfortunately, from this point forward, I can find no ‘official’ definition of the syntax of the WDAC XML file anywhere. Thus, I have done my best to try and decipher the file. However, please keep in mind, this is simply the determination that I can make looking at the file.
What I’ll focus on in this post is the FileRules block. This block is defined in the XML with the following boundaries:
<FileRules>
</FileRules>
The documentation I found about FileRules specifically is here:
Windows Defender Application Control file rule levels
which says:
File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies.
Between these headers can be the following definitions:
1. Generic Files
This would typically appear as:
<FileAttrib ID=”ID_FILEATTRIB_F_1_0_1″ FriendlyName=”Microsoft Teams” ProductName=”MICROSOFT TEAMS” />
2. Allow Files
This would typically appears as:
<Allow ID=”ID_ALLOW_A_1B_ONEDRIVE_1_1″ FriendlyName=”C:\Users\user\AppData\Local\Microsoft\OneDrive\21.119.0613.0001\ErrorPage.js Hash Sha1″ Hash=”25D362DEE9A4B04ACDFD0ABBAB7A415AA494DC98″ />
3. Deny files
<Deny ID=”ID_DENY_BASH” FriendlyName=”bash.exe” FileName=”bash.exe” MinimumFileVersion=”65535.65535.65535.65535″/>
Each of these definitions starts off with a ‘ID’ field either: FileAttrib ID, Allow ID or Deny ID. Next, comes a variable that will be used later to refer to the specifics of that file definition. Here those are: ID_FILEATTRIB_F_1_0_1, ID_ALLOW_A_1B_ONEDRIVE_1_1 and ID_DENY_BASH. From what I can determine, these IDs can be any text.
Next, is the FriendlyName field, which again can be any text but typically will be the file name, with or without the path. From what I can determine, this is simply a ‘tagging’ field. If the FileName or is not specified this Friendlyname field will be used as the actual file name.
The next field options are used to actually define the individual file on the system. This can be achieved in a number of different ways specified, including by path and file name, hash, file path, publisher and more as detailed here:
Windows Defender Application Control policy – file rule levels
The most common types of definitions I have found are:
– FileName field, which actually refers to the executable file i.e. bash.exe as shown above.
– FilePath field. which refers to the location of the executables i.e. C:\Program Files\*
– ProductName can be used to identify the file in question. I assume this refers to a product that is registered with the operating system.
– Hash which specifies a unique file hash
It appears that you can also use the field MinimumFileversion when specifying the Fieldname and Productname definitions
These file rule definitions will be utilised by later items in the XML configuration, so they must be present if they are going to referred to.
You can use the
and
for drivers
PowerShell command to generate these file rules.
The precedence order of these file rules is defined here:
but is basically, deny, then allow, then the rest.
That’s the best I can work out from the documentation and experimenting. I’m sure there is more information somewhere, and if you do find any, please let me know.
Part 5 – Specifying Signers
Hopefully, you are aware that Microsoft 365 provides users the ability to report a suspected email. I have spoken about this here:
Improved security is a shared responsibility
What you may not be aware of is that these submissions can viewed and action in the Microsoft Security Center:
https://security.microsoft.com
under the Submissions menu option as shown above.
You may also not be aware that there are further actions you can take in here:
You can provide feedback directly to the user about their submission using the Mark as an notify option as shown above.
Doing so will send the user an email, like that shown above, to provide feedback about that submission for the user. Doing provides important reinforcement of users remaining vigilant as well as helping them better identify threats.
You’ll also find actions you can take on that message that will provide feedback directly to Microsoft, as shown above.
Even better, if you go into Policies & rules | Threat Policies | User submissions you are able to customise what is sent to the user, both before and after reporting as shown above.
For more information on these capabilities visit:
Admin review for reported messages
Getting users involved in security is important. Part of that is providing them feedback and recognition of their contribution, no matter how small. Using these capabilities for reported messages, you are able to do that quickly and easily.
There a public threat intelligence feeds available that Azure Sentinel can take advantage of. Think of these as providing information around entities that represent threats such as compromised IP addresses, botnet domains and so on. Typically, these feeds will support the TAXII connector inside Azure Sentinel.
Select the Data connectors option from the Azure Sentinel menu on the left. Next search for TAXII. Finally, select Threat Intelligence as shown above, then the Open connector page in the lower right.
On the right hand side of the page, you see the Configuration area as shown above. Here you’ll require information on the following items:
– API root URL
– Collection ID
– Username
– Password
If you have a look at the bottom of this article:
Connect Azure Sentinel to STIX/TAXII threat intelligence feeds
you’ll find the details for the free Anomali Limo threat feed, which is:
– API root URL = https://limo.anomali.com/api/v1/taxii2/feeds/
– Collection ID = see list in article (i.e. 107, 135, 136, etc)
For the username and password of all these feeds use:
guest
Complete the details for each Collection ID, like what is shown above. When you have completed each feed select the Add button.
The feed will be validated and if successful, an alert will confirm this at the top of the page as shown above.
The entered feed will appear in a list at the bottom of the page. At this point, feed information will start flowing into your environment depending on the Polling Frequency you selected for the feed.
Once the feed has started to import data select the Threat intelligence from the main Sentinel menu as shown above. You should see a range of entries. These entries can now be utilised throughout your Sentinel environment. This is detailed here:
Work with threat indicators in Azure Sentinel
This data is stored in a table called ThreatIntelligenceIndicator as shown above, which can be used directly in hunting queries.
Keep in mind that any threat indicator data incurs an ingestion and data storage cost. However, this is not a great amount and the value they provide is well worth that minor cost. You can track threat indicator costs using workbooks that Sentinel provides. You can add more feeds if you wish and details about what is available can be found at:
Threat intelligence integration in Azure Sentinel
Having additional threat data provides more signal information for Sentinel when it examines your environment. If information from these threat indicators is detected in your environment, then alerts will be generated. For a small ingest and storage cost having these threat indicators flow into your Sentinel environment provided a huge amount of value and increase your security.
CIAOPS 