SC-200: Microsoft Defender for Endpoint

Ok, so finally, this is the first blog post on my personal website. The aim is to document all of MY learning for this topic, which can be complete or incomplete, mainly what I am able to figure out.

I am not aiming for perfection; the aim is consistency, so in case anyone is here reading this page, please expect messiness.


Protect against threats with MS Defender for Endpoint

Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect, investigate & respond to advanced threats on their endpoints.

There are a lot of features offered by MS Def for Endpoint (I am just too lazy to write the full name again & again):

  • Endpoint Behavioural Sensors
  • Cloud Security Analytics
  • Threat Intelligence
  • Attack Surface Reduction
    • It is the first line of defense; the aim is to give our assets the least amount of exposure to attack.
  • Next-Generation Protection
    • MS Defender for Antivirus is a built-in antivirus solution that provides next-gen protection for desktops, PCs & servers
    • It's not just a standard antivirus but monitors any suspicious behaviour, which helps with near-instant detection & blocking of threats
  • Endpoint Detection & Response (EDR)
    • Advanced attack detection, which is near real-time & actionable
    • EDR follows a playbook to figure out what actions to take under what circumstances
  • Automated Investigation & Remediation Capability
    • To reduce alert fatigue

Threat & Vulnerability Management

In MS Def. for Endpoint, Threat & Vulnerability Management is a dashboard which helps to detect whether there are any active vulnerabilities or misconfigurations. This information can be acquired without the need for agents or scans.

If we find any issues or vulnerabilities & want to implement the remediations, it can be done directly through the dashboard via MS Intune & MS Endpoint Manager.

We can hunt deeply for threats within the network using KQL (this week I will be digging deeper into KQL. I'm excited & nervous about that).

Deploying MS Defender for Endpoint

Deploying an MS Def for Endpoint environment involves configuring your tenant, onboarding your devices, & configuring the security team's access.

  1. First, we will initialize the Defender for Endpoint environment.
  2. Onboard the initial devices by running the onboarding scripts on the endpoints.
  3. Create device groups & assign the appropriate devices.
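After step 2, a quick way to confirm a Windows device actually onboarded (an added example, not code from the course or from Microsoft's onboarding script): it checks the Sense service, the OnboardingState registry value that the onboarding script sets, and a few Defender Antivirus status fields. It assumes an elevated PowerShell session on the endpoint with the Defender module (Get-MpComputerStatus) available.

```powershell
# Added example: verify MDE onboarding on a Windows endpoint.
# Assumptions: elevated PowerShell; Defender module (Get-MpComputerStatus) present.
function Test-MdeOnboarding {
    # Registry value written once the onboarding script has run: 1 = onboarded
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    # 'Sense' is the Defender for Endpoint (EDR sensor) service
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Defender Antivirus status (the next-gen protection side)
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        OnboardingState    = if ($null -eq $state) { 'not set' } else { $state }
        SenseService       = if ($sense) { $sense.Status } else { 'not installed' }
        AntivirusEnabled   = $mp.AntivirusEnabled
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        AMRunningMode      = $mp.AMRunningMode      # e.g. 'Normal', or 'Passive Mode' when another AV is primary
        TamperProtected    = $mp.IsTamperProtected
        # Both need to hold before the device will report into the portal
        Onboarded          = ($state -eq 1) -and ($sense.Status -eq 'Running')
    }
}

Test-MdeOnboarding | Format-List
```

Run it before creating device groups in step 3; a device with Onboarded = False will not appear in the portal to be assigned.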

Some noteworthy stuff
– We need to be Security Administrator for the tenant
– Make sure to follow the Least Privilege mentality: Global Admin is the highest & should be used in emergencies only
– Also, the data storage locations currently are only US, UK, & EU, which once selected can't be changed later
– The data retention policy is 6 months by default

Additionally, MS Def for Endpoint is available on:

  • Windows: Server & Desktop
  • macOS: MS offers antivirus, EDR & vulnerability management capabilities for the 3 latest versions of macOS only; managed using MS endpoint management & Jamf.
  • Linux: preventative antivirus (aka next-gen antivirus), EDR & vulnerability management capabilities are available for Linux servers; fully CLI experience; can be deployed & configured using Puppet, Ansible or another management tool
  • Android: mobile threat defense solution for Android 6.0+
  • iOS: for iOS 11.0+

Using Role Based Access Control (RBAC) we can create roles & groups to grant appropriate access to the portal.

With this we have precise control over who can access & see what. In other words, we have control over what users can & can't do & access.

  • Now new users/customers will have access to Unified Role Based Access Control (URBAC), which is more of a step up from RBAC:
    • In RBAC each MS security product had its groups & policies individually
    • But in URBAC it's all centralized: from one central place we can control all the users & groups

Implement Windows security enhancements with MS Defender for Endpoint

This helps mainly with reducing the attack surface without negatively affecting users' productivity.

Attack surface reduction is basically hardening the places where a threat is likely to attack in your org's devices & network.

For this purpose we will need MS Defender for Antivirus.

MS Def for Antivirus also provides:

  • network protection
  • controlled folder access, i.e., control over who can & can't access which folder

Enable Attack Surface Reduction rules

These rules target certain software behaviours that are often abused by attackers:

  • Like launching executable files & scripts that attempt to download or run files
  • Running suspicious scripts
  • Application behaviour out of the normal

We can also exclude files & folders from being evaluated; even if a rule finds a behaviour from an excluded file or folder to be suspicious, a trigger won't be generated.

We can exclude files & folders, but can't choose which rules the exclusion applies to.

Audit Mode: we can use audit mode to evaluate how attack surface reduction rules would impact your organization.

Once a rule is triggered a notification is displayed on the device (the notification is customizable); it also appears within the MS Defender portal.

We can enable attack surface reduction from:

  • MS Intune
  • PowerShell
  • MDM
  • MS endpoint configuration management
  • Group Policy

Intune or MS Endpoint Configuration Management is recommended & will overwrite any rules set by GPO or PowerShell.

The attack surface reduction events are located under Applications & Services Logs > Microsoft Windows (in the Windows Event Viewer).
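Putting the audit-mode, exclusion and Event Viewer points above together on one test device (an added example, not code from the course or from Microsoft): it stages two ASR rules in audit mode with the Defender Antivirus cmdlets, adds an exclusion, then pulls the ASR events back out of the Defender operational log. It assumes an elevated session on a device not under an Intune/MECM ASR policy (which would overwrite these settings, as noted above); the exclusion path is made up, and the rule GUIDs are the ones Microsoft documents but should be checked against the current ASR rule reference before use.

```powershell
# Added example: stage ASR rules in audit mode and read back ASR events.
# Assumptions: elevated PowerShell; device not under an Intune/MECM ASR policy.

# ASR rule GUIDs as documented by Microsoft (verify against the current ASR reference)
$Rules = [ordered]@{
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block credential stealing from LSASS'                          = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}

# Audit mode: the rule fires and logs but does not block (use it before switching to Enabled)
foreach ($name in $Rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Rules[$name] `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Write-Host "Audit mode: $name"
}

# An exclusion applies to every ASR rule at once; it cannot be scoped to one rule
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\BuildTools\'   # made-up path

# Read back what is configured (Ids and Actions are parallel arrays)
$p = Get-MpPreference
for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $p.AttackSurfaceReductionRules_Ids[$i], $p.AttackSurfaceReductionRules_Actions[$i]
}

# ASR events live in the Defender operational log: 1121 = rule fired in block mode,
# 1122 = rule fired in audit mode. The message text carries the rule ID and the path.
function Get-AsrEvents([int]$Days = 7) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId = if ($_.Message -match 'ID:\s*\{?([0-9A-Fa-f-]{36})\}?') { $Matches[1] } else { '' }
            Path   = if ($_.Message -match 'Path:\s*(.+?)\s*(\r?\n|$)') { $Matches[1] } else { '' }
        }
    }
}

Get-AsrEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

Audit (1122) events collected this way are what you review before flipping a rule from AuditMode to Enabled; a flood of them for one path usually means that path needs an exclusion rather than the rule being wrong.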

Perform Device Investigation

We can get detailed device info, including forensics.

DEVICES

  • This page shows the list of devices in your network where alerts were generated
  • By default only devices with alerts in the last 30 days are seen
  • Risk Level: reflects the overall risk assessment
  • Exposure Level: reflects the current exposure of the device
    • Exposure levels can be Low, Medium, & High
    • If “no data available”: OS not responding or device stopped responding > 30 days
  • Health Status
    • Active: devices are actively reporting
    • Inactive: stopped sending signals > 7 days
    • Misconfigured: impaired communication or unable to send data
  • Antivirus Status: for Win 10+ devices only

Behavioural Blocking

It helps identify & stop threats based on their behaviour.

Works with MS Def. for Endpoint.

Basically, it helps to detect & prevent anything malicious before or while the malicious activity is being triggered, & to control its foothold.

Detect Devices with Device Discovery

To protect your env. we need to take inventory of the devices in your org. That's where MS Def for Endpoint's device discovery capability comes into play.

Once onboarded/found, we get security recommendations on how to improve these devices' security.

Perform Actions on Devices

We can contain devices & collect forensic data.

Containment actions:

  • Isolate device
  • Restrict app execution
  • Run Antivirus Scans

Investigation actions:

  • Initiate automated investigation
  • Collect investigation package
  • Initiate live response sessions

Also, in device isolation,

  • We have the option of ‘Selective Isolation’, that is, to allow some tools like Outlook & Teams but restrict others.
  • We can restrict a specific app too. If an app is restricted, the user will get a notification of the same.
  • We can also remotely initiate an antivirus scan to help identify & remediate malware.
    • This feature is available on Win 10+
  • We can collect an investigation package from devices,
    • Which can be downloaded in .zip format & contains lots & lots of info, from network connections to reports to directory information
  • We can also remotely interact with a device & run commands from a command line. This is called Live Response
    • It needs Win 10+
    • Can also download files remotely
      • get_file > limit of 3GB
      • fileinfo > limit of 10GB
      • library > limit of 250MB
    • Additional limits,
      • Limit of 10 live response sessions at a time
      • Inactive timeout value is 5 min
      • 1 user, 1 session at a time
      • 1 device, 1 session at a time

Perform evidence & entity investigations

Learn more about the artifacts found & how they relate to other artifacts, alerts & incidents.

We can do deep analysis of a file, just like doing malware analysis & getting info at the same time. Deep analysis can be done for PE files like .exe & .dll.

Once a device is found to be malicious, we can block & quarantine it remotely.

User account investigation is also allowed.

Also, we can investigate an IP address's communication b/w devices & an external IP address that is possibly a C2 server.
At the same time we can investigate a domain, e.g. which users & devices have visited a suspicious domain.

Configure & manage automation

The configuration options allow control over how the automation is applied to devices.