
What Microsoft Defender can tell you about your network


Endpoint detection and response (EDR) is typically not something that smaller firms have. Defender for Business makes it easier to deploy EDR in a reasonable fashion and in an affordable package. At $3 per user per month, it takes the place of the traditional antivirus solution you may have deployed in your office. You can onboard workstations using a script, Intune or Group Policy. If you are looking for a means to better investigate security issues in your firm, this may be a solution you want to review and consider. Defender for Business is designed for businesses under 300 users. Larger businesses can choose Defender for Endpoint and then opt for P1 or P2 licensing depending on their needs.

As with any threat detection tool, quick assessment of alerts is important. That often depends on how well you know your network. I know that Microsoft Defender for Business provides more protection to my firm, but it also shows how much I don’t understand about my vendors and how they code. It showcases how much more I need to know to understand what’s going on in my network.

Although I don’t handle the security of a large enterprise, I’ve been exposed enough to the threats and risks to large enterprises to understand that the difference between large firms and small firms is often just quantity, scale and budget. It’s sometimes easier for a small firm to make dramatic shifts to more secure solutions, whereas a large enterprise has legacy programs and software in place and can’t make the migration as easily.

I’m just as mandated to report breaches both by the industry I’m in and the state I do business in. My weakness is often that I don’t have the informational resources that a large enterprise has. I have gone to forensic courses and trained enough on the Windows registry to understand computer systems, but even with that information I often have to investigate what’s going on in my network based on my direct knowledge of my systems. The fact that I know what exactly I did helps me understand the alerts and information I get from Defender for Business.

Assessing Defender security alerts

The security alerts that I receive from my systems are, well, often triggered by my actions. I’m the one who installs and trials software in my network, so I’ll receive alerts when I’ve done something in my network that Defender for Business sees as suspicious. I might download and use forensic tools that are flagged as potentially malicious or my workstation is flagged with suspect software.

So, it was interesting the other day when I received a “Suspicious process injection observed” alert from Defender for Business. This is where knowledge of what I did on the machine comes in handy and showcases why you need to question what exactly the user did on their workstation when you are investigating the alerts.

In this case, I installed software that I wanted to test. One of the functions of the software is to provide better ways to handle and sort files and images. In doing so it injected itself into File Explorer.

[Screenshot: bradley defender1 (Susan Bradley)]

That action was flagged as a defense evasion incident, as shown above. At first, I looked at the warning and wondered what malicious file I had downloaded. It hadn’t triggered a virus alert, just a warning of an unusual incident. Then Defender for Business showed exactly what the software did to install itself on my system. It used a file named “FileCenterInjector64.exe” to install the software into the browsers installed on my machine as well as File Explorer. The actions taken by the installer triggered the suspicious process injection alert on the system.

[Screenshot: bradley defender2 (Susan Bradley)]

Traditional forensic tools often capture a moment in time. Typically, you have to dig into log files, registry files and other static artifact evidence and attempt to make an informed decision about what went on with the system. This static review requires knowing which artifacts software leaves behind and what they look like in order to determine what happened on the system.

Defender for Business/Defender for Endpoint captures the actions and records them in a portal for later review. In this case, the software I installed made adjustments to files and locations, so its behavior was suspicious. In looking at the location that the files were installed and the date that the event occurred, I realized what software had triggered the alert.

This shows how investigations have to combine the evidence you see from the tools with the information you know about the system. Ensuring that end users install only approved and vetted software allows you to fully understand what is going on with your workstations. Defender will automatically trigger investigations when it sees unusual activity, but you can also trigger an investigation manually.
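The correlation step described above, matching the date of the alert against what was installed on the workstation, is easy to script. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the standard Windows Uninstall registry keys (whose `InstallDate` values are `yyyyMMdd` strings when present) and lists software installed within a window around the alert time. The sample entries are constructed so the filtering function runs offline on any platform; the registry helper only works on a Windows host.

```powershell
# Added example (not from the article): list installed software whose recorded
# install date falls inside a window around a Defender alert, so the alert can be
# matched to a known, intentional install. The sample entries below are constructed.

function Find-InstallsNearAlert {
    param(
        [Parameter(Mandatory)] [datetime]$AlertTime,
        [int]$WindowDays = 2,
        # Objects with DisplayName, Publisher, InstallDate (yyyyMMdd) and InstallLocation,
        # i.e. the shape of the Uninstall registry entries.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$Entries
    )
    $from = $AlertTime.Date.AddDays(-$WindowDays)
    $to   = $AlertTime.Date.AddDays($WindowDays)
    foreach ($e in $Entries) {
        $raw = [string]$e.InstallDate
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }   # many installers omit the date
        $d = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($raw, 'yyyyMMdd',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$d)
        if (-not $ok) { continue }                              # non-standard date string; skip
        if ($d -ge $from -and $d -le $to) {
            [pscustomobject]@{
                DisplayName     = $e.DisplayName
                Publisher       = $e.Publisher
                InstallDate     = $d.ToString('yyyy-MM-dd')
                InstallLocation = $e.InstallLocation
            }
        }
    }
}

function Get-InstalledSoftwareFromRegistry {
    # Windows only: 64-bit, 32-bit and per-user Uninstall keys.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, Publisher, InstallDate, InstallLocation
}

# Constructed sample standing in for registry output.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Example File Manager'; Publisher = 'Example Vendor'
                       InstallDate = '20220914'; InstallLocation = 'C:\Program Files\ExampleFM\' }
    [pscustomobject]@{ DisplayName = 'Old Utility'; Publisher = 'Other Vendor'
                       InstallDate = '20210103'; InstallLocation = '' }
    [pscustomobject]@{ DisplayName = 'Driver Package'; Publisher = 'OEM'
                       InstallDate = $null; InstallLocation = $null }
)

# Constructed alert time; only 'Example File Manager' falls inside the +/-2 day window.
Find-InstallsNearAlert -AlertTime (Get-Date '2022-09-15T10:30:00') -Entries $sample | Format-Table -AutoSize

# On the affected Windows workstation, using the alert's timestamp from the portal:
# Find-InstallsNearAlert -AlertTime $alertTime -Entries (Get-InstalledSoftwareFromRegistry)
```

The install location returned here is what you compare against the file path shown in the Defender alert; a match between the two, and a user who confirms the install, is usually enough to close the alert as expected behaviour.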

Flagging suspicious inbox forwarding rules

Defender for Business/Endpoint automatically looks for the typical ways that attackers will come after a user. For example, when I set up an email forwarding rule on a shared mailbox, Defender sent an alert on the process.

[Screenshot: bradley defender3 (Susan Bradley)]

Attackers might compromise a mailbox and then set up email forwarding rules to send finance-related emails directly to the attacker rather than to the impacted user. In business email compromise attacks, a forwarding rule allows the attacker to perform actions with a third-party bank or financial institution without alerting the impacted business. This has occurred so often that Microsoft now provides a default rule that disallows all email forwarding. Setting up a rule to forward email triggers a Defender alert so you can investigate and verify that the forwarding rule was intentional.
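The alert above tells you that a forwarding rule was created; confirming that no other mailbox already has one is a separate check. The following PowerShell is an added example, not code from the article or from Microsoft: it walks objects in the shape returned by the Exchange Online `Get-InboxRule` and `Get-Mailbox` cmdlets and flags any forward, redirect or mailbox-level `ForwardingSmtpAddress` whose destination domain is not one of the tenant's accepted domains. The property names are the real cmdlet properties; the sample rules and mailboxes are constructed so the logic runs offline, and the live-tenant lines at the end are commented out.

```powershell
# Added example (not from the article): flag inbox rules and mailbox-level
# forwarding that send mail to domains the tenant does not own. Object shapes
# follow Get-InboxRule / Get-Mailbox; the sample data below is constructed.

function Test-ExternalAddress {
    param([string]$Address, [string[]]$AcceptedDomains)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # Rule recipients look like "Display Name [SMTP:user@domain]"; the mailbox
    # ForwardingSmtpAddress property looks like "smtp:user@domain".
    if ($Address -match '(?i)smtp:([^\]\s]+)') { $Address = $Matches[1] }
    if ($Address -notmatch '@') { return $false }          # not an SMTP address; skip
    $domain = ($Address -split '@')[-1].ToLowerInvariant()
    return -not ($AcceptedDomains -contains $domain)
}

function Find-SuspiciousForwarding {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$InboxRules,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$Mailboxes,
        [Parameter(Mandatory)] [string[]]$AcceptedDomains
    )
    $domains = $AcceptedDomains | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($rule in $InboxRules) {
        # All three actions move a copy of the message out of the mailbox.
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = @($targets | Where-Object { Test-ExternalAddress $_ $domains })
        if ($external.Count -gt 0) {
            [pscustomobject]@{
                Mailbox       = $rule.MailboxOwnerId
                Source        = 'InboxRule'
                Name          = $rule.Name
                Target        = ($external -join '; ')
                Enabled       = [bool]$rule.Enabled
                # Forward-then-delete keeps the mailbox owner from ever seeing the traffic.
                HidesFromUser = [bool]$rule.DeleteMessage
            }
        }
    }
    foreach ($mbx in $Mailboxes) {
        if (Test-ExternalAddress $mbx.ForwardingSmtpAddress $domains) {
            [pscustomobject]@{
                Mailbox       = $mbx.UserPrincipalName
                Source        = 'MailboxProperty'
                Name          = 'ForwardingSmtpAddress'
                Target        = $mbx.ForwardingSmtpAddress
                Enabled       = $true
                # When DeliverToMailboxAndForward is false, only the forwarded copy exists.
                HidesFromUser = -not [bool]$mbx.DeliverToMailboxAndForward
            }
        }
    }
}

# Constructed sample data in the shape of Get-InboxRule and Get-Mailbox output.
$accepted = @('example.com')
$rules = @(
    [pscustomobject]@{ MailboxOwnerId = 'ap@example.com'; Name = 'Archive invoices'; Enabled = $true
                       ForwardTo = @('AP Archive [SMTP:ap-archive@example.com]')
                       ForwardAsAttachmentTo = @(); RedirectTo = @(); DeleteMessage = $false }
    [pscustomobject]@{ MailboxOwnerId = 'cfo@example.com'; Name = '.'; Enabled = $true
                       ForwardTo = @('Payments [SMTP:payments@outside.example]')
                       ForwardAsAttachmentTo = @(); RedirectTo = @(); DeleteMessage = $true }
)
$mailboxes = @(
    [pscustomobject]@{ UserPrincipalName = 'shared@example.com'
                       ForwardingSmtpAddress = 'smtp:ops@outside.example'; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ UserPrincipalName = 'ap@example.com'
                       ForwardingSmtpAddress = $null; DeliverToMailboxAndForward = $false }
)

# Expected: the cfo rule (external target, deletes after forwarding) and the shared mailbox.
Find-SuspiciousForwarding -InboxRules $rules -Mailboxes $mailboxes -AcceptedDomains $accepted | Format-Table -AutoSize

# Against a live tenant, after Connect-ExchangeOnline from the ExchangeOnlineManagement module:
# $accepted  = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }
# $mailboxes = Get-Mailbox -ResultSize Unlimited
# $rules     = $mailboxes | ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName }
# Find-SuspiciousForwarding -InboxRules $rules -Mailboxes $mailboxes -AcceptedDomains $accepted
```

A rule named with a single character such as `.` and combined with `DeleteMessage` is the pattern worth treating as a finding even when the target is internal; the `HidesFromUser` column is there so that case stands out in the table.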

Copyright © 2022 IDG Communications, Inc.
