Part 3: Threat Intelligence

How to use threat intelligence feeds in Microsoft XDR to enhance your organization's threat detection capabilities. 

This is the third blog post in the series, and in it I will show how to work with threat intelligence feeds in Microsoft XDR. I will describe what threat intelligence means and how it helps in protecting against sophisticated and ongoing threats, and I will demonstrate how to combine external and internal threat intelligence sources with Microsoft XDR to add context and perspective to the alerts and incidents you face. 

 

Agenda: 

- Introduction 

- What is threat intelligence and why it matters 

- How Microsoft XDR leverages threat intelligence 

- How to access and use threat intelligence feeds in Microsoft XDR 

- My Recommendations 

- Conclusion 

 

Introduction 

Cyber threats are constantly evolving and becoming more sophisticated, posing a serious challenge for security teams in protecting their organizations. To stay ahead of the attackers, security teams need to have timely and relevant information about the latest threats, their tactics, techniques, and procedures (TTPs), and the indicators of compromise (IOCs) associated with them. This information is known as threat intelligence, and it can help security teams improve their visibility, detection, and response capabilities. 

What is threat intelligence and why it matters 

Threat intelligence is the process of collecting, analyzing, and disseminating information about current and emerging cyber threats, with the aim of helping security teams make informed decisions and take appropriate actions. Threat intelligence can provide insights into various aspects of the threat landscape, such as: 

- Who are the threat actors behind the attacks, what are their motivations, and what are their capabilities? 

- What are the common attack vectors, vulnerabilities, and malware used by the threat actors, and how can they be detected and mitigated? 

- What are the IOCs that can help identify malicious activities and artifacts in the network, such as IP addresses, domains, URLs, file hashes, and signatures? 

- What are the TTPs that can help understand the behavior and modus operandi of the threat actors, such as reconnaissance, exploitation, lateral movement, persistence, exfiltration, and evasion? 

Threat intelligence helps you improve your security posture and resilience by enabling you to: 

- Prioritize the most critical and relevant threats to your organization and industry and allocate resources accordingly. 

- Enhance your threat detection capabilities by enriching your security tools and systems with contextual and actionable intelligence. 

- Accelerate your threat response and remediation processes by providing guidance and recommendations based on best practices and lessons learned. 

- Proactively hunt for threats and identify gaps and weaknesses in your defenses and implement preventive measures to reduce the attack surface and improve security hygiene. 


How Microsoft XDR leverages threat intelligence 

Microsoft XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications. Microsoft XDR leverages threat intelligence from multiple sources: 

- Microsoft Threat Protection Intelligence Team, which is composed of expert security researchers, analysts, and engineers who monitor and analyze the threat landscape and produce high-quality threat analytics reports, threat intelligence indicators, and custom detection rules. 

- Microsoft Intelligent Security Graph, which is a cloud-based platform that collects and processes billions of signals from diverse sources across Microsoft and external partners and applies advanced analytics and machine learning to generate threat intelligence insights and actions. 

- Third-party threat intelligence providers, such as AlienVault OTX, Anomali, CrowdStrike, DomainTools, MISP, Recorded Future, ThreatConnect, and others, who offer curated and specialized threat intelligence feeds and services that can be integrated with Microsoft XDR. 


How to access and use threat intelligence feeds in Microsoft XDR 

Threat analytics dashboard: This is a central place to view and manage threat analytics reports, which provide in-depth analysis and guidance on active and emerging threats, such as ransomware campaigns, phishing attacks, zero-day exploits, and nation-state actors. You can access the threat analytics dashboard from the Home page or the Threat analytics page in the Microsoft Defender portal. You can also filter the reports by category, severity, status, and tag. For each report, you can see the summary, details, scope, detection, and remediation sections, as well as related incidents, alerts, and indicators. You can also take actions such as adding tags, changing status, creating incidents, and applying custom detections. 



Understand the analyst report 

The analyst report aims to give useful information for decision-making. The sections of the report may differ, but they usually cover the topics explained below. 

Executive summary  

Summary of the threat, including its first appearance, its goals, significant incidents, main victims, and unique tools and methods. You can use this information to better evaluate how to rank the threat according to your sector, geographic area, and network. 

Analysis 

Technical details of the threat, such as how an attack works and what new methods or targets attackers might use. 

MITRE ATT&CK techniques observed 

How the techniques observed relate to the MITRE ATT&CK framework. 

Mitigations  

Recommendations that can prevent or lessen the impact of the threat. This section also lists mitigations that aren't tracked dynamically as part of the threat analytics report. 

Detection details 

Microsoft security solutions can detect and expose specific and generic activity or elements related to the threat. 

Advanced hunting  

Advanced hunting queries that can proactively find plausible threat activity. Many queries are provided to support detections, especially for finding components or behaviors that are potentially malicious but can't be assessed as malicious dynamically. 

References  

The report includes Microsoft and external publications that analysts consulted while producing the report. Microsoft researchers verify the data used in the threat analytics content. The report clearly marks information from open, third-party sources. 

Change log 

The time the report was published and when significant changes were made to the report. 

Apply additional mitigations 

The Exposure & mitigations tab shows graphs and tables of the status of security updates and secure configurations that are tracked by threat analytics. The analyst report also talks about mitigations that are not tracked dynamically. Here are some examples of important mitigations that do not have dynamic tracking: 

- Block emails with .lnk attachments or other suspicious file types 

- Randomize local administrator passwords 

- Educate end users about phishing email and other threat vectors 

- Turn on specific attack surface reduction rules 

The Exposure & mitigations tab helps you evaluate your security risk from a threat, but these recommendations help you do more to enhance your security. Follow the analyst report's advice on how to reduce your risk as much as you can. 

Understand how each threat can be detected 

The report also shows the findings from Microsoft Defender Antivirus and EDR features. 

Antivirus detections 

These are detections from devices with Microsoft Defender Antivirus enabled. Devices that are also onboarded to Microsoft Defender for Endpoint generate alerts when these detections happen, and those alerts show up on the graphs in the report. 

The report also lists generic detections that can spot many kinds of threats beyond the components or actions specific to the tracked threat. The charts don't include these generic detections. 

Endpoint detection and response (EDR) alerts 

Devices that use Microsoft Defender for Endpoint can raise EDR alerts. These alerts usually depend on security signals that the Microsoft Defender for Endpoint sensor and other endpoint capabilities (such as antivirus, network protection, and tamper protection) collect as powerful signal sources. 

Some EDR alerts are meant to warn about suspicious behavior that may not be related to the monitored threat. When this happens, the report clearly marks the alert as "generic", and it doesn't affect any of the charts in the report. 

Email-related detections and mitigations 

Microsoft Defender for Office 365 provides email-related data and actions in analyst reports, along with the endpoint data that Microsoft Defender for Endpoint already offers. 

This data shows you whether the threat described in the analyst report tried to target your organization, even if the email was blocked before reaching the inbox or was sent to the junk mail folder. 

Find subtle threat artifacts using advanced hunting 

Detecting threats automatically can help you identify and stop them, but some attacks are more subtle and need more investigation. Some attack behaviors can also be normal, so detecting them dynamically can cause operational noise or false alarms. 

Advanced hunting lets you use a query interface based on Kusto Query Language to find subtle signs of threat activity easily. It also helps you bring up contextual information and check whether signs are linked to a threat. 

Advanced hunting queries in the analyst reports have been checked by Microsoft analysts and are ready for you to run in the advanced hunting query editor. You can also make custom detection rules from the queries that generate alerts for future matches. 
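To make this concrete, here is an added example query of my own (not one of the queries shipped in Microsoft's analyst reports) that matches a small, constructed indicator list against device network and file events, drops indicators past an assumed expiry date, and keeps `Timestamp`, `DeviceId` and `ReportId` so it can be saved as a custom detection rule. The indicator values, feed names and `ExpiresOn` column are placeholders and assumptions.

```kql
// Added example: match a constructed IOC list against endpoint telemetry.
// Placeholder indicators only; swap in values from a report or feed.
let lookback = 7d;
let Iocs = datatable(IndicatorType:string, Indicator:string, Source:string, ExpiresOn:datetime)
[
    "domain", "placeholder-c2.invalid",          "third-party-feed",        datetime(2099-01-01),
    "ip",     "203.0.113.10",                    "third-party-feed",        datetime(2099-01-01),
    "sha256", "replace-with-sha256-from-report", "threat-analytics-report", datetime(2099-01-01)
]
// Freshness check: indicators past their expiry are ignored rather than matched.
| where ExpiresOn > now();
let DomainIocs = Iocs | where IndicatorType == "domain" | project Indicator, Source;
let IpIocs     = Iocs | where IndicatorType == "ip"     | project Indicator, Source;
let HashIocs   = Iocs | where IndicatorType == "sha256" | project Indicator, Source;
// Domain hits: RemoteUrl holds the FQDN or URL the process connected to.
let DomainHits = DeviceNetworkEvents
| where Timestamp > ago(lookback) and isnotempty(RemoteUrl)
| extend Indicator = tolower(RemoteUrl)
| join kind=inner DomainIocs on Indicator
| project Timestamp, DeviceId, DeviceName, ReportId, Indicator, Source,
          Context = strcat(InitiatingProcessFileName, " -> ", RemoteUrl);
// IP hits: exact match on the remote address.
let IpHits = DeviceNetworkEvents
| where Timestamp > ago(lookback) and isnotempty(RemoteIP)
| extend Indicator = RemoteIP
| join kind=inner IpIocs on Indicator
| project Timestamp, DeviceId, DeviceName, ReportId, Indicator, Source,
          Context = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", RemotePort);
// File hits: SHA256 of files created, modified or renamed on the device.
let FileHits = DeviceFileEvents
| where Timestamp > ago(lookback) and isnotempty(SHA256)
| extend Indicator = tolower(SHA256)
| join kind=inner HashIocs on Indicator
| project Timestamp, DeviceId, DeviceName, ReportId, Indicator, Source,
          Context = strcat(FolderPath, @"\", FileName);
// Timestamp, DeviceId and ReportId are kept so the query can become a custom detection rule.
union DomainHits, IpHits, FileHits
| order by Timestamp desc
```

Each hit carries the feed it came from, which makes it easy to see which source is producing noisy or stale indicators when you review them.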

Impacted Assets 

Use the Impacted Assets tab in the threat analytics reports to view a list of devices that have been affected by the threat or may be vulnerable to it. 

You can filter the list by device name, risk level, exposure status, operating system, or tags. You can also sort the list by any of these columns. 

Click on a device name to open the device page, where you can see more details about the device, its activities, alerts, and vulnerabilities. You can also take response actions on the device, such as isolate, collect investigation package, or run antivirus scan. 

You can export the list of impacted assets to a CSV file for further analysis or reporting. You can also use the advanced hunting query editor to run custom queries on the impacted assets data. 

 

Recommended Actions 

In the recommended actions section, you will find the same recommended actions that you know from Secure Score. However, these are only the ones that pertain to this risk. 

   

My recommendations 

To make the most out of threat intelligence feeds in Microsoft XDR, here are some best practices and tips to follow: 

- Review the threat analytics reports regularly and apply the recommended actions to mitigate the risks and protect your organization from the latest threats. 

- Customize the threat analytics reports according to your needs and preferences, such as adding tags, changing status, creating incidents, and applying custom detections. 

- Monitor the threat intelligence indicators and verify their accuracy, relevance, and freshness, and update or remove them as needed. 

- Create custom detection rules based on the threat intelligence indicators or the advanced hunting queries that match your use cases and scenarios, and test and validate them before enabling them. 

- Integrate third-party threat intelligence feeds with Microsoft XDR to enrich your threat detection capabilities with additional sources of intelligence and insights. 

- Use the advanced hunting feature to proactively hunt for threats and anomalies in your environment, using the threat intelligence data from Microsoft XDR and other sources. 

- Monitor and analyze the alerts and incidents generated by the threat intelligence feeds in Microsoft XDR and use the rich contextual information and automated investigation tools to quickly triage and respond to them. 

- Learn from the best practices and recommendations provided by the threat intelligence experts and analysts in Microsoft XDR and apply them to your environment to enhance your security configuration and policies. 

- Share and collaborate with other security teams and partners using the threat intelligence data from Microsoft XDR and leverage the collective knowledge and experience of the security community to improve your defense strategies and tactics. 

Conclusion 

Microsoft XDR is a game-changer for threat detection and response. It provides a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response. By using threat intelligence feeds in Microsoft XDR, security teams can achieve better visibility, efficiency, and effectiveness in detecting sophisticated attacks and protecting their organizations from them.  

One of the key benefits of using threat intelligence feeds in Microsoft XDR is that they enable security teams to adopt a proactive and preventive approach to threat detection and response. Rather than waiting for alerts or incidents to occur, security teams can use threat intelligence data to identify potential threats, vulnerabilities, and attack vectors in their environment, and take action to mitigate or eliminate them before they cause damage. This way, security teams can reduce the attack surface, improve the security posture, and enhance the resilience of their organization against current and emerging threats. With Microsoft XDR, security teams can leverage the power of threat intelligence to stay ahead of adversaries and protect their organization from sophisticated attacks. 
