What Microsoft Defender can tell users about the network
- 19 May, 2022 06:45
Endpoint detection and response (EDR) is typically not something that smaller firms have. Defender for Business makes it easier to deploy EDR in a reasonable fashion and in an affordable package.
At US$3 per user per month, it takes the place of a traditional anti-virus solution that a user may have deployed in the office. Customers can on-board workstations using a script, Intune or Group Policy.
If they are looking for a means to better investigate security issues in their firm this may be a solution they want to review and consider. Defender for Business is designed for businesses under 300 users. Larger businesses can choose Defender for Endpoint and then opt for P1 or P2 licensing depending on their needs.
As with any threat detection tool, quick assessment of alerts is important. That often depends on how well users know their network. I know that Microsoft Defender for Business provides more protection to my firm, but it also shows how much I don’t understand about my vendors and how they code. It showcases how much more I need to know to understand what’s going on in my network.
Although I don’t handle the security of a large enterprise, I’ve been exposed enough to the threats and risks to large enterprises to understand that the difference between large firms and small firms are often just quantity, scale and budget.
It’s sometimes easier for a small firm to make dramatic shifts to more secure solutions, whereas a large enterprise has legacy programs and software in place and can’t make the migration as easily.
I’m just as mandated to report breaches both by the industry I’m in and the state I do business in. My weakness is often that I don’t have the informational resources that a large enterprise has.
I have gone to forensic courses and trained enough on the Windows registry to understand computer systems, but even with that information I often have to investigate what’s going on in my network based on my direct knowledge of my systems. The fact that I know what exactly I did helps me understand the alerts and information I get from Defender for Business.
Assessing Defender security alerts
The security alerts that I receive from my systems are, well, often triggered by my actions. I’m the one who installs and trials software in my network, so I’ll receive alerts when I’ve done something in my network that Defender for Business sees as suspicious. I might download and use forensic tools that are flagged as potentially malicious or my workstation is flagged with suspect software.
So, it was interesting the other day when I received a “suspicious process injection observed” alert from Defender for Business. This is where knowledge of what I did on the machine comes in handy and showcases why users need to question what exactly the user did on their workstation when they are investigating the alerts.
In this case, I installed software that I wanted to test. One of the functions of the software is to provide better ways to handle and sort files and images. In doing so it injected itself into File Explorer.
That action was flagged as a defence evasion incident. At first, I looked at the warning and wondered what malicious file I had downloaded. It hadn’t triggered a virus alert, just a warning of an unusual incident.
Then Defender for Business showed exactly what the software did to install itself on my system. It used a file named “FileCenterInjector64.exe” to install the software into the browsers installed on my machine as well as File Explorer. The actions taken by the installer triggered the suspicious process injection alert on the system.
Traditional forensic tools often capture a moment in time. Typically, users have to dig into log files, registry files and other static artifact evidence and attempt to make an informed decision of what went on with the system. This static review of the system often takes education about what the files will leave behind and what it looks like to determine what happened on the system.
Defender for Business/Defender for Endpoint captures the actions and records them in a portal for later review. In this case, the software I installed made adjustments to files and locations, so its behaviour was suspicious. In looking at the location that the files were installed and the date that the event occurred, I realised what software had triggered the alert.
This shows how investigations have to combine the evidence they see from the tools with the information they know about the system. Ensuring that users install only approved and vetted software allows customers to fully understand what is going on with their workstations. Defender will automatically trigger investigations when it sees unusual activity, but they can also manually trigger the investigation.
Flagging suspicious inbox forwarding rules
Defender for Business/Endpoint automatically looks for the typical ways that attackers will come after a user. For example, when I set up an email forwarding rule on a shared mailbox, Defender sent an alert on the process.
Attackers might compromise a mailbox and then set up email forwarding rules to send whatever financial related emails to the attacker directly rather than to the impacted user.
In the case of business email compromise attacks, setting a forwarding email will allow the attacker to perform actions with a third-party bank or financial institution and then not alert the impacted business.
This has occurred so often that Microsoft now makes a default rule to disallow all email forwarding. Setting up a rule to forward email triggers a Defender alert for users to investigate and verify the forwarding rule was intentional.