Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations

Credit to Author: Katie McCafferty | Date: Wed, 06 Apr 2022 01:30:07 +0000

For the fourth consecutive year, Microsoft 365 Defender demonstrated its industry-leading protection in MITRE Engenuity’s independent ATT&CK® Enterprise Evaluations. The results showcase the value of an integrated XDR-based defense that unifies device and identity protection with a Zero Trust approach:

  • Complete visibility and analytics to all stages of the attack chain
  • 100% protection, blocking all stages in early steps
  • Each attack generated a single comprehensive incident for the SOC
  • Differentiated XDR capabilities with integrated identity protection
  • Protection for Linux across all attack stages
  • Deep integrated Windows device sensors
  • Leading with product truth and a customer-centric approach

The Microsoft 365 Defender XDR solution displayed top-class coverage by surfacing to the security operations center (SOC) a single comprehensive incident for each of the simulated attacks. Each incident presented detailed suspicious device and identity activities together with unparalleled coverage of adversary techniques across the entire attack chain. Microsoft 365 Defender also demonstrated 100% protection by blocking both attacks in their early stages.

This is the third year in which Microsoft 365 Defender has showcased the power of the combined XDR suite, demonstrating coverage across devices, identities, and cloud applications.

Demonstrated complete visibility and analytics across all stages of the attack chain

Microsoft 365 Defender demonstrated complete technique-level coverage across all the attack stages of Wizard Spider and Sandworm, leveraging our artificial intelligence-driven adaptive protection.

Figure 1. Microsoft 365 Defender providing full attack chain coverage

Defending against human-operated ransomware requires a defense-in-depth approach that continuously evaluates device, user, network, and organization risk and then leverages these signals to alert on potential threats across the entire attack chain. Detection and visibility enable defenders to evict attackers from the network during the pre-ransom phase, and they minimize the impact of encryption or of extortion through data exfiltration.

Technique-level detection coverage in real time without delays

Human-operated ransomware attacks evolve within minutes, and the time it takes for defenders to respond and prevent attackers from performing destructive actions—such as encrypting devices or exfiltrating information for extortion—is crucial. Organizations need real-time detections with no delays to ensure they can rapidly evict attackers before they have a chance to continue moving laterally through the infrastructure. Microsoft 365 Defender provided technique-level coverage at every attack stage in real time, without any delayed detections.

Figure 2. Microsoft 365 Defender providing technique-level coverage in every attack stage

100% protection coverage, blocking all stages in early steps

Microsoft 365 Defender provided superior coverage and blocked 100% of the attack stages, offering excellent coverage across Windows and Linux platforms. Moreover, its next-generation protection capabilities did so without hindering productivity: no benign activities were blocked and no user consent was required.

Figure 3. Microsoft 365 Defender blocking in all stages

In real-world scenarios, blocking ransomware activities early—that is, in the pre-ransom stage across all platforms and assets—is crucial in protecting customers and mitigating the downstream extortion and disruption impact of the attack.

Each attack generated a single comprehensive incident for the SOC

Unlike many other vendors, which surfaced multiple alerts and multiple incidents, Microsoft 365 Defender surfaced exactly one incident per attack, combining all events across device and identity into a single comprehensive view of each attack.

Microsoft 365 Defender’s unique incident correlation technology is tremendously valuable for SOC analysts dealing with alert fatigue. It significantly improves the efficiency of responding to threats, saving time that would otherwise be spent on manual correlation or on handling individual alerts, and it makes triage and investigation easier and faster by presenting the full attack graph.

Figure 4. Scenario 1: A single incident representing the Wizard Spider simulated attack with the attack sprawl and impacted assets summarized
Figure 5. Scenario 1: Incident graph for an at-a-glance view of the full attack, showing device and identity assets as well as all observed evidence
Figure 6. Scenario 2: A single incident representing the Sandworm simulated attack, with the attack sprawl and impacted assets summarized.
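The correlation described above, reduced to its core idea as an added illustration (this is not Microsoft's correlation engine, and the alerts, entity names and technique ids are constructed): alerts from different sensors are merged into one incident whenever they share an asset, so an identity alert from a domain controller and a device alert from a workstation about the same user land in the same case. Union-find over alert-to-entity links does the grouping.

```python
"""Entity-based alert correlation: alerts that share a device or identity
are merged into one incident, so the SOC sees one case per attack.
Added illustration with constructed data; not Microsoft 365 Defender code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str          # sensor that raised it: "device" or "identity"
    technique: str       # MITRE ATT&CK technique id
    entities: frozenset  # {(kind, value)} e.g. ("device", "ws01")


class _UnionFind:
    """Minimal disjoint-set forest used to link alerts through shared entities."""

    def __init__(self):
        self._parent = {}

    def find(self, x):
        self._parent.setdefault(x, x)
        while self._parent[x] != x:
            self._parent[x] = self._parent[self._parent[x]]  # path halving
            x = self._parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self._parent[rb] = ra


def correlate_alerts(alerts):
    """Return one incident summary per connected group of alerts."""
    uf = _UnionFind()
    for a in alerts:
        node = ("alert", a.alert_id)
        for ent in a.entities:          # link the alert to every entity it names
            uf.union(node, ent)
    groups = {}
    for a in alerts:
        groups.setdefault(uf.find(("alert", a.alert_id)), []).append(a)
    incidents = []
    for members in groups.values():
        members.sort(key=lambda a: a.alert_id)
        ents = set().union(*(a.entities for a in members))
        incidents.append({
            "alerts": [a.alert_id for a in members],
            "sources": sorted({a.source for a in members}),
            "techniques": sorted({a.technique for a in members}),
            "devices": sorted(v for k, v in ents if k == "device"),
            "identities": sorted(v for k, v in ents if k == "user"),
        })
    incidents.sort(key=lambda i: i["alerts"][0])
    return incidents


# Constructed sample: two unrelated attacks observed by device and identity sensors.
SAMPLE_ALERTS = [
    Alert("A1", "device", "T1059.001",
          frozenset({("device", "ws01"), ("user", "corp\\alice")})),
    Alert("A2", "identity", "T1087.002",          # domain account discovery seen on the DC
          frozenset({("user", "corp\\alice"), ("device", "dc01")})),
    Alert("A3", "device", "T1021.002",            # lateral movement ws01 -> srv02
          frozenset({("device", "ws01"), ("device", "srv02")})),
    Alert("A4", "device", "T1486",                # encryption attempt on srv02
          frozenset({("device", "srv02")})),
    Alert("B1", "device", "T1190",                # web server exploit on a Linux host
          frozenset({("device", "lnx-web01"), ("user", "www-data")})),
    Alert("B2", "device", "T1105",                # backdoor download on the same host
          frozenset({("device", "lnx-web01")})),
]


if __name__ == "__main__":
    for n, inc in enumerate(correlate_alerts(SAMPLE_ALERTS), start=1):
        print(f"Incident {n}: alerts={inc['alerts']} devices={inc['devices']} "
              f"identities={inc['identities']} sources={inc['sources']}")
```

Six alerts collapse into two incidents, and the first incident lists both a device source and an identity source, which is the "single comprehensive view" the post describes. In production the linking keys would be broader than raw device and user names (process trees, sessions, network flows), but the grouping rule is the same.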

Unique and durable detections from the integrated Microsoft Defender for Identity

Microsoft 365 Defender’s integrated identity protection capabilities uncover and block identity-related attacks durably, regardless of the specific attacker technique used on a device, making them practically impossible for attackers to evade. Furthermore, building these protections into the identity fabric provides in-depth, context-rich signals that security teams can investigate and respond to effectively. Vendors that rely on endpoint-only signals may be more susceptible to evasion, and their detections typically carry less context.

Here are some examples representing Microsoft 365 Defender’s unique identity protection capabilities in the evaluation:

  • Step 5.A.4 – a query to the Security Account Manager (SAM) database was uncovered using Active Directory signals, with detailed context on the user enumeration activity. This identity-based detection approach prevents attacker evasion and provides rich investigation context for security teams. Some other vendors in the test relied on process creation telemetry to get similar visibility, which lacked context and could be easily bypassed.
Figure 7. SAM database queried to enumerate users detected by the M365 Defender Identity workload, Defender for Identity
  • Step 6.A.2 – resource-access activity on a domain controller was also uncovered using our identity sensors, with details of the exposed service principal name (SPN) and the name of the related compromised resource. Here too, this approach provides the same advantages in detection durability and investigation detail.
Figure 8. Timeline view of resource activity on DC and SPN exposure attack with related compromised resource

Protection for Linux across all attack stages

Microsoft 365 Defender continues to demonstrate excellent protection coverage on all platforms with top-level coverage on Windows and Linux. It covered all Linux-related stages via technique-level analytics, context-rich alerts, and in-depth investigation signals.

Customers face threats from various entry points across devices, and device discovery and lateral movement to identify high-value assets are table stakes for advanced attacks like human-operated ransomware. Therefore, having excellent coverage across all platforms is crucial to protect organizations against attacks.

Figure 9. Microsoft 365 Defender providing technique-level coverage in every Linux attack stage

For example, as seen in Figure 10 below, Defender for Endpoint on a Linux device alerted on suspicious behavior by a web server process. The alert blocked the sensitive file read and prevented further file reads. The attacker then attempted to download and run a backdoor on the device, but that was also blocked behaviorally, preventing subsequent compromise.

Figure 10. Sensitive file read by a web server process detected on Linux device

Unique and durable detections from Windows deep native sensors

While most attack steps on devices can be observed by inspecting process and script activity, relying solely on this type of telemetry is problematic in several respects.

From a detection durability standpoint, attackers can easily avoid detection by obfuscating their activity or pivoting to alternative methods. In terms of detection quality, relying solely on “surface-level” telemetry can produce a higher number of false positives and more overhead for security teams. Finally, this type of telemetry lacks the context needed for effective investigation and response.

Microsoft 365 Defender’s unique platform-native deep device sensors add signal depth that other solutions lack, providing durable, context-rich signals that security teams can use to identify, investigate, and respond to threats. Here are some examples, as seen during the evaluation:

  • Steps 1.A.6 and 19.A.11 were uncovered via enhanced Windows Management Instrumentation (WMI) sensors, providing visibility into evasive attacker activities without relying on process or script execution telemetry.
Figure 11. Process creation via WMI detected natively using WMI sensors, regardless of invocation method
Figure 12. System shutdown via WMI detected natively using WMI sensors, regardless of invocation method
  • Step 3.A.4 was uncovered via COM sensors, providing visibility into the Microsoft Outlook COM interface and detecting an attacker’s search for unsecured passwords in Outlook without relying on process command lines, which attackers can easily evade by using COM interfaces directly.
Figure 13. Detection of attacker’s search for passwords in Outlook using our unique COM interface sensor integration
  • Step 17.A.2 was uncovered via Data Protection API (DPAPI) sensors, providing visibility into credential access—an extremely important activity. Other solutions monitor web browser folders for file access, which is extremely prone to false positives in real-world environments.
Figure 14. Credential access visibility via DPAPI sensor integration
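The durability argument made for the identity sensors (Steps 5.A.4 and 6.A.2 above) and for the WMI sensors (Steps 1.A.6 and 19.A.11) is the same one, so one added example covers both: detection rules anchored on the sensor-level effect (a user-enumeration query recorded at the domain controller, a `Win32_Process.Create` or `Win32_OperatingSystem.Win32Shutdown` method call recorded by a WMI sensor) fire no matter which client produced the activity, while a rule that only matches a process command line fires for one invocation method and misses the rest. The telemetry records, their field names and the rule names are constructed for the illustration; this is not Microsoft's detection logic or event schema, and only the WMI class and method names are real.

```python
"""Durable sensor-level detections vs. a brittle command-line rule, run over
constructed telemetry. Added illustration; field names are assumptions and
not any product's event schema. Win32_Process.Create and
Win32_OperatingSystem.Win32Shutdown are real WMI class/method names."""
from collections import Counter

# Constructed telemetry from a workstation (ws01), a domain controller (dc01)
# and a server (srv02). Event order matters only for the output order.
TELEMETRY = [
    # 1. classic account discovery: visible in the command line
    {"type": "process_create", "device": "ws01", "user": "corp\\alice",
     "image": "net.exe", "cmdline": "net user /domain"},
    # 2. the DC-side effect of event 1: directory sensor sees the SAM enumeration
    {"type": "sam_query", "dc": "dc01", "actor": "corp\\alice",
     "origin_device": "ws01", "operation": "enumerate_users", "count": 412},
    # 3. the same enumeration repeated by a different client; the endpoint
    #    recorded no recognisable command line, the DC still saw the query
    {"type": "sam_query", "dc": "dc01", "actor": "corp\\alice",
     "origin_device": "ws01", "operation": "enumerate_users", "count": 412},
    # 4. benign process activity
    {"type": "process_create", "device": "ws01", "user": "corp\\alice",
     "image": "explorer.exe", "cmdline": "explorer.exe"},
    # 5./6. process creation through WMI from two different callers
    {"type": "wmi_method_call", "device": "srv02", "user": "corp\\alice",
     "class": "Win32_Process", "method": "Create", "caller_image": "wmic.exe"},
    {"type": "wmi_method_call", "device": "srv02", "user": "corp\\alice",
     "class": "Win32_Process", "method": "Create",
     "caller_image": "custom_client.exe"},          # constructed caller name
    # 7. benign WMI use
    {"type": "wmi_method_call", "device": "srv02", "user": "corp\\svc_monitor",
     "class": "Win32_LogicalDisk", "method": "Chkdsk", "caller_image": "agent.exe"},
    # 8. system shutdown through WMI
    {"type": "wmi_method_call", "device": "srv02", "user": "corp\\alice",
     "class": "Win32_OperatingSystem", "method": "Win32Shutdown",
     "caller_image": "custom_client.exe"},
]


def rule_cmdline_account_discovery(ev):
    """Brittle: only fires when the attacker used this exact command line."""
    if ev["type"] == "process_create" and "net user" in ev["cmdline"].lower():
        return {"rule": "cmdline_account_discovery", "device": ev["device"],
                "context": {"cmdline": ev["cmdline"]}}
    return None


def rule_sam_user_enumeration(ev):
    """Durable: fires on the directory-side effect, whatever client caused it,
    and carries the context an analyst needs (actor, DC, volume)."""
    if ev["type"] == "sam_query" and ev["operation"] == "enumerate_users":
        return {"rule": "sam_user_enumeration", "device": ev["origin_device"],
                "context": {"actor": ev["actor"], "dc": ev["dc"],
                            "accounts_enumerated": ev["count"]}}
    return None


def rule_wmi_process_create(ev):
    """Durable: the WMI sensor sees the Create call regardless of caller."""
    if ev["type"] == "wmi_method_call" and (ev["class"], ev["method"]) == ("Win32_Process", "Create"):
        return {"rule": "wmi_process_create", "device": ev["device"],
                "context": {"caller": ev["caller_image"], "user": ev["user"]}}
    return None


def rule_wmi_system_shutdown(ev):
    """Durable: shutdown requested through WMI, independent of invocation method."""
    if ev["type"] == "wmi_method_call" and (ev["class"], ev["method"]) == ("Win32_OperatingSystem", "Win32Shutdown"):
        return {"rule": "wmi_system_shutdown", "device": ev["device"],
                "context": {"caller": ev["caller_image"], "user": ev["user"]}}
    return None


RULES = [rule_cmdline_account_discovery, rule_sam_user_enumeration,
         rule_wmi_process_create, rule_wmi_system_shutdown]


def run_rules(events, rules):
    """Evaluate every rule against every event; return the detections in order."""
    return [hit for ev in events for rule in rules if (hit := rule(ev)) is not None]


def count_by_rule(hits):
    return dict(Counter(h["rule"] for h in hits))


if __name__ == "__main__":
    for hit in run_rules(TELEMETRY, RULES):
        print(f"{hit['rule']:<26} {hit['device']:<6} {hit['context']}")
    print(count_by_rule(run_rules(TELEMETRY, RULES)))
```

Over these eight events the command-line rule fires once and misses the second enumeration entirely, while the SAM-query rule fires for both and reports the actor, the domain controller and how many accounts were enumerated. The two WMI rules fire for each `Win32_Process.Create` and `Win32Shutdown` call whichever caller image issued it, and the benign `Chkdsk` call is ignored. Whatever the real sensor schema looks like, the design lesson holds: key detections on the effect the sensor observes, not on strings an attacker controls.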

A final word: Leading with product truth and a customer-centric approach

As in previous years, Microsoft’s philosophy in this evaluation was to empathize with our customers—the “protection that works for customers in the real world” approach. We participated in the evaluation with the product capabilities and configuration that we expect customers to use.

As you review the evaluation results, you should also consider other important aspects, including depth and durability of protection, completeness of signals and actionable insights, and quality aspects such as device performance impact and false positive rates. All of these are critical to the reliable operation of the solution and translate directly into protection that works in real customer production environments.

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.

The post Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations appeared first on Microsoft Security Blog.