The timeworn adage that “those who don’t learn from history are doomed to repeat it” can certainly be applied to cyber security. Microsoft is hoping to spare enterprises that use its cloud services from repeating history by sharing what it has learned.
If enterprises are going to protect themselves in a threat environment that is constantly changing and evolving, they need a posture management strategy that not only takes in industry standards and best practices from vendors but also learns from recent attacks, according to Israel Cohen, senior product manager for Microsoft 365 Defender.
The software giant is therefore adding a capability to Microsoft 365 Defender that automatically maps techniques that were used in attacks against an organization, and then recommends what security pros can do to bolster their security posture and prevent a similar attack.
“Investigating incidents that affected the organization helps understanding how the adversary got in and what misconfigurations were leveraged during the attack,” Cohen wrote in a blog post this week announcing the general availability of the security posture recommendations. “These learnings enable security analysts to identify which settings should be addressed to close those gaps and prevent the organization from being affected by the same attack again.”
Cloud security posture management is an expanding part of the cyber security environment that could see 14.5 percent annual growth – hitting $15.2 billion by 2031. It’s a proactive cyber security measure at a time when most defenses are still reactive. Most major security vendors offer such capabilities, and the space drew its share of attention at the recent RSA Conference.
Microsoft 365 Defender researches and analyzes miscreants’ techniques and maps them to the enterprise’s security posture, with the information made available in a threat analytics report.
“For each threat, you’ll be able to view a score that reflects the severity of misconfigurations the attacker exploited and the number of affected assets,” Cohen wrote, adding that an enterprise’s security team can “view the list of recommended posture controls directly from the recommended actions tab within the incident or threat analytics page in Microsoft 365 Defender.”
Dovetailing with the proactive security posture move, Microsoft’s Defender Threat Intelligence group this week added more than two dozen new profiles of emerging threat groups – including high-profile ones like Volt Typhoon and Satin Sandstorm – to its ongoing list.
Microsoft maintains a list of Intel Profiles of known threats that enterprise security analysts can use to identify adversaries and put the necessary defenses in place. The information includes the tactics, techniques, and procedures (TTPs) each miscreant uses, indicators of compromise (IOCs), history, and trends, as well as recommended steps organizations can take.
The profiles are updated daily through automated discovery and scanning of the threat landscape, with the data maintained by a team of more than 8,000 experts around the world. Microsoft’s threat intelligence community tracks more than 300 threat groups – including 160 nation-state gangs and more than 50 ransomware operators.
Volt Typhoon is a threat group linked to the Chinese government and identified by Microsoft; it is attacking critical infrastructure firms in the US – including in Guam, a US territory – to disrupt communications with countries and organizations in the Asia-Pacific region. US agencies and their counterparts in Canada, Australia, New Zealand, and the UK late last month issued an advisory [PDF] about the group.
The names in the Intel Profiles reflect Microsoft’s relatively new convention for naming cyber crime groups after weather conditions. So in this case, “Typhoon” means that the group is from China and “Sandstorm” means Iran.
“This new convention brings better clarity to customers and other security researchers already confronted with overwhelming threat intelligence data,” Michael Browning, senior product marketing manager at Microsoft, wrote in a blog post. “In the new taxonomy, threat actor groups are named after weather events, which are universal forces we must all counteract and adapt to – just like cyber threats.”
A threat group by any other name …®