Microsoft 365 incident response training


In early 2023 I’ll be running an incident response training course for Microsoft 365 environments. Training will be held over four consecutive weeks. Each session will be two (2) hours and run from 9am Sydney time. The dates are:

Wednesday January 11th 2023 – Before an incident. What you need to do to prepare

Wednesday January 18th 2023 – During an incident. What you need to do when an incident occurs

Wednesday January 25th 2023 – After an incident. What needs to be done after an incident has occurred

Wednesday February 1st 2023 – Lab exercises and group best practice discussions

The sessions will be recorded and other materials from the sessions (checklists, etc) will be available to attendees afterwards.

This event will be conducted remotely via Microsoft Teams.

The aim of this training is to help you better prepare for a security incident inside the Microsoft 365 environment. You’ll learn what settings you should enable and what processes you should have in place before an incident occurs. The sessions will also take you through common examples of incidents and help you understand what needs to be done when they occur and how to minimise risk and impact to a business. The sessions will also take you through the post-incident process to build confidence with what information needs to be maintained and how to prevent similar incidents re-occurring. The final session will be a group hands-on lab and discussion so you can put all the skills you have learned to the test.

The price for this event will be:

Gold Enterprise Patron = Free

Gold Patron = $33 inc GST

Silver Patron = $99 inc GST

Bronze Patron = $176 inc GST

Non Patron = $399 inc GST

You can learn more about the CIAOPS Patron community at www.ciaopspatron.com.

I hope that you’ll join me in January for this event as I believe it provides some much needed training in a very important aspect of managing and securing Microsoft 365. If you are serious about security for Microsoft 365, then you need a plan and this training will aim to give you just that plus some experience to boot!

You can register your interest in attending this course here – http://bit.ly/ciaopsroi after which I’ll be in contact with you to arrange payment and get you enrolled.

As always, if you have any questions about this training please email me on – director@ciaops.com.

I hope to see you there.

Enhanced phishing protection in Windows 11 22H2


If you have Windows 11 22H2 and you take a look at your Windows Security settings under App & Browser control, you’ll find some new settings in Reputation-based protection as shown above.

You can read about these here:

Enhanced Phishing Protection in Microsoft Defender SmartScreen

If you want to enable these settings using an Intune Device policy you can do so using the Settings Catalog like so:


Remember, at the moment, you need Windows 11 22H2 to configure this.

Need to Know podcast–Episode 290

I have a few updates from the Microsoft cloud for this episode followed by a discussion about Attack Surface Reduction Rules (ASR) and their importance in reducing your risk.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-290-updates/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2022.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

YouTube edition of this podcast

Microsoft Outlook, your personal organizer, helps you be more productive and in control

Microsoft Digital Defense Report 2022

Investigate incidents more effectively with the new attack story view in Microsoft 365 Defender

Announcing enhanced control for configuring Firewall rules with Windows Defender

What’s New in Microsoft Teams | October 2022

New device control capabilities to manage removable storage media access in Microsoft Intune

Demystifying attack surface reduction rules – Part 1

Demystifying attack surface reduction rules – Part 2

Demystifying attack surface reduction rules – Part 3

Demystifying attack surface reduction rules – Part 4

Enable attack surface reduction rules

Check ASR Rules

Need to Know podcast–Episode 289

I look at a few deep blog posts from Ignite on the new Microsoft Teams and files experiences. I also share the latest information about the Windows 11 22H2 update and then spend some time talking about Conditional Access in this episode.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-289-updates/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2022.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

YouTube version of this podcast

What’s New in Microsoft Teams | Microsoft Ignite 2022

Announcements for files experiences in Microsoft 365 at Microsoft Ignite

Making the everyday easier with new experiences available in Windows 11

Public Preview: Conditional Access filters for apps

Plan for Conditional access

Need to Know podcast–Episode 287

More updates from the Microsoft Cloud prior to Ignite in 2 weeks. Lots around security and the new Windows 11 22H2 update that is rolling out.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-287-updates/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2022.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

YouTube version of podcast

Microsoft Ignite

Forensic artifacts in Office 365 and where to find them

Defend your users from MFA fatigue attacks

Tamper protection will be turned on for all enterprise customers

Malicious OAuth applications used to compromise email servers and spread spam

What’s new in Microsoft Endpoint Manager – 2209 (September) edition

Work safer and smarter with the Windows 11 2022 Update

New Windows 11 security features are designed for hybrid work

Available today: The Windows 11 2022 Update

Phishing Protection in Microsoft Defender SmartScreen

What is smart app control?

Why am I blocked?

Adoption score

Avoid MFA fatigue attacks in Microsoft 365

An MFA fatigue attack is where an attacker constantly attempts to log in as the user, causing an MFA request to appear on the user’s device. If this request is simply to deny or approve, then with enough requests the user eventually approves to make these requests go away. Such an attack recently proved very successful at Uber. You can read more about that incident here:

https://www.uber.com/newsroom/security-update

With MFA in Microsoft 365 and the Microsoft Authenticator app you can avoid this by enabling number matching for push notifications. Here’s how to do it:


Navigate to the Azure portal as an administrator and then to Azure Active Directory. Here, select Security from the menu on the left as shown above.


Here, select Authentication methods as shown above on the left.


Now select Microsoft Authenticator on the right.


Select Configure at the top of the page and ensure all the options listed are Enabled for all users. You may want to exclude any break-glass accounts though.


Back on the Basic tab, as shown above, ensure you have Enable set to Yes and you target all the desired users with Passwordless.


Now, when users are prompted for MFA they will see the above on their devices and need to type the number that is on the screen into their device to approve the login. They will also see the geographic location the request came from and the application requesting it, as shown above.

If you want to check your environment for MFA fatigue attacks you can use this KQL query in Sentinel:

https://github.com/reprise99/Sentinel-Queries/blob/main/Azure%20Active%20Directory/Identity-PotentialMFASpam.kql
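As an added example that is not part of the original post or the linked query, the Python below applies the same detection idea to a handful of constructed sign-in records: it flags users who received many unapproved Authenticator prompts inside a short window and notes whether a successful sign-in followed the burst, which is the pattern worth investigating. The simplified record shape and the 500121 result code are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Azure AD sign-in result code for an MFA challenge that was not satisfied
# (push denied or ignored). An assumption for this example; check your logs.
MFA_NOT_SATISFIED = "500121"
SUCCESS = "0"

def _rec(ts, user, result):
    # Constructed record with a simplified SigninLogs-like shape.
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result}

# Constructed sample data: alice is being spammed with pushes and finally
# approves one; bob has two unrelated failures; carol signs in normally.
SAMPLE_SIGNINS = [
    _rec("2022-10-03T09:00:05Z", "alice@contoso.example", MFA_NOT_SATISFIED),
    _rec("2022-10-03T09:01:10Z", "alice@contoso.example", MFA_NOT_SATISFIED),
    _rec("2022-10-03T09:02:30Z", "alice@contoso.example", MFA_NOT_SATISFIED),
    _rec("2022-10-03T09:03:45Z", "alice@contoso.example", MFA_NOT_SATISFIED),
    _rec("2022-10-03T09:05:00Z", "alice@contoso.example", MFA_NOT_SATISFIED),
    _rec("2022-10-03T09:07:20Z", "alice@contoso.example", MFA_NOT_SATISFIED),
    _rec("2022-10-03T09:08:00Z", "alice@contoso.example", SUCCESS),
    _rec("2022-10-03T08:15:00Z", "bob@contoso.example", MFA_NOT_SATISFIED),
    _rec("2022-10-03T08:55:00Z", "bob@contoso.example", MFA_NOT_SATISFIED),
    _rec("2022-10-03T09:10:00Z", "carol@contoso.example", SUCCESS),
]

def find_mfa_fatigue(records, threshold=5, window_minutes=10):
    """Flag users with >= threshold unapproved MFA prompts in any sliding window,
    and note whether a success followed the burst (the user finally tapped Approve)."""
    window = timedelta(minutes=window_minutes)
    denied, approved = defaultdict(list), defaultdict(list)
    for rec in records:
        if rec["result"] == MFA_NOT_SATISFIED:
            denied[rec["user"]].append(rec["time"])
        elif rec["result"] == SUCCESS:
            approved[rec["user"]].append(rec["time"])
    flagged = {}
    for user, times in denied.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):       # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            gave_in = any(t >= times[-1] for t in approved[user])
            flagged[user] = {"unapproved_in_window": best, "approved_after_burst": gave_in}
    return flagged
```

A burst followed by an approval is the case to treat as a likely compromised session; a burst with no approval still warrants a password reset and a check of where the prompts originated.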

Online security is something that requires constant adjustment as the bad actors adapt to the protection methods put in place. Number matching in Microsoft 365 is quick and easy to set up using the Microsoft Authenticator and the recommended approach you should take to avoid MFA fatigue attacks.

Microsoft Defender Threat Intelligence portal


Microsoft has a new security portal at:

https://ti.defender.microsoft.com

which comes from their recent RiskIQ acquisition. In essence it is a place that you can search for security intelligence and information around all sorts of indicators.


If I for example search for an IP address that showed up in my Microsoft Sentinel as a known bad IP I see the above results.

If you look closely, you’ll see the ‘good’ stuff requires a subscription. How much is a subscription I hear you ask? Well, make sure you are sitting down before you proceed because it is:


Yup, that is US$4,1667.70 per month! Wow!


That said, the free or ‘community’ version does provide a lot of valuable information and I would recommend that you add the site to your list of tools when threat hunting. Personally, I would have liked to have seen a pay as you go (PAYG) option provisioned out of Azure, as things such as Sentinel are. Hopefully, the price will come down or at least there may eventually be a tier that smaller businesses can live with. But for now, have a look and use the features provided for free as there are many. You can learn more from the documentation here:

What is Microsoft Defender Threat Intelligence (Defender TI)?