Threat Response Strategy
Cloud Access Security Broker
Cloud App Security
This course will explore best practices and fundamentals using Microsoft 365’s Secure Score as a primary barometer to measure protection and readiness as well as timely and effective responses to threat incidents. After completing lessons and watching video demos, students should be equipped with the knowledge and skills to protect themselves and their organizations.
- Evaluate and manage Microsoft Office 365 tenant security using Secure Score
- Manage incident investigation
- Review and manage Microsoft 365 security alerts
- General cybersecurity enthusiasts who want to stay current with best practices
- People studying for the Microsoft MS-101 exam
- Cyber security professionals/administrators responsible for the safety of an organization
- Basic understanding of Office/Microsoft 365
- Basic understanding of computer networking
- General knowledge of different threat types
In this video, we'll be going over our threat response strategy. Microsoft has restructured and updated some of their dashboards. Here, I'm in the older legacy dashboard, the Office 365 Security & Compliance Center located at protection.office.com. You can see they've made an announcement that the Microsoft 365 security center, compliance center, and Exchange admin center will gradually replace this Office 365 Security & Compliance Center, the page that I'm currently on now. So, even if you navigate from this dashboard, you will be re-directed to one of the new ones.
So, for example, if I click 'Alerts' and click 'Alert policies', you'll notice that my URL changes to security.microsoft.com, which is the newer Microsoft 365 Security Center. And from here if you click 'Home', the dashboard should look familiar with your Secure Score summary. For this video, we'll focus on Policies & Rules. So, clicking 'Policies & Rules' on the left pane. And from here, let's click 'Alert policy'. This brings us to a screen of existing alert policies ranging from Low, Medium, to High severity and also some that are categorized as simply Informational.
Clicking on a policy enables us to edit and view some of the parameters. Clicking 'Edit policy' allows us to either turn on or off email notifications and edit the people who receive them. We can also set a limit to how many times per day a notification gets sent. Let's close and exit out of here. Now, let's take a look at creating our own alert policy. Just click 'New alert policy' up here and enter a name and description of your alert policy. Best practice is to make it as simple and obvious as possible. So, in this case, I'll put in, let's say Malware Detection.
We'll select the Severity for this as 'High' and under Category, we'll select 'Threat management.' Clicking 'Next.' Our next step is to choose an activity and or condition to trigger the alert. This is where we can choose Detected malware in a file, but before I click that, just note that there are many different activities that you can choose from, and in general these are sorted from most common at the top of the list to least commonly used at the bottom of the list. Once again for this policy, we're selecting 'Detected malware and file'. We can add a condition if we wanted to get more granular with the IP address, a certain user, file names or extensions. In this case, I'm going to leave it general, so I'm not going to add any conditions. When asked how do you want the alert to be triggered,
we check off every time an activity matches the rule and click 'Next.' Next step is to decide whether to send email notifications. So, in this case I'm going to leave it on and alert myself. There's also no daily notification limit here. You can choose to be notified as little as one time per day or as many as 200 times per day, or in this case, no limit. Clicking 'Next'. Review our settings. I'm happy with everything that I see here. I'm happy with everything that I see here. And I can choose to either turn the policy on right away or keep it off and I will turn it on later. In this case, I'd like to turn it on right away and click 'Finish'. And as you can see, the malware detection is now at the top of the list with the status turned on as selected.
To make any changes, simply click the policy and click 'Edit.' Also notice that a warning message appears, in this case, saying that auditing is not enabled for your tenant. So, these policies may not work. It's just that in this test environment, auditing is currently not enabled. If this pops up for you, simply click 'Audit' and click 'Start recording user and admin activity'. Okay, so now let's move on to incident management and threat response. What happens when a threat is detected? Traditionally, it's common practice to manage security for, let's say, the domain level and endpoint level separately from applications like email or cloud drive. What's great about Microsoft Defender is that it consolidates and automates many of these processes that were previously handled separately all into one place.
So, here I'm back at security.microsoft.com, on the home screen. The first thing we want to take a look at is the Incidents & alerts dashboard. Expanding Incidents & alerts and clicking 'Incidents'. I can collapse this navigation. And we can see that Incidents is under this shield icon. Now, in my test environment we don't really have any incidents to work off of. So, I'll be referring to some screenshots by Microsoft for this segment of the video. For more detail on the illustrations I'm about to use, just visit the link below at the bottom of your screen and there will also be a URL link in the transcript of this video.
Okay, so here we have a screenshot of the incident screen from Microsoft's website. This is pretty much your central location for all alerts on attacks. You'll notice that each incident has an associated level of severity along with the category. You're also given a detection sources column for further context on the incident itself. To start an investigation, you can see we're ready to click an incident right here. And clicking an incident brings us to the summary page. This tab gives you the scope and context to help you quickly understand what you're dealing with. For example, it shows you that out of 47 total alerts, two are still active. It also references that very commonly used MITRE ATTACK paradigm.
Moving over to the right a little bit, you can see the Scope showing the number of impacted devices, users, and mailboxes. And over on the right pane we have some more useful data like tags, Data sensitivity, Device groups, and User groups. Next, let's move on to the Alerts tab up here. Here, you can see other alerts related to this particular incident, including it's Severity, Status, and reason for the link. Going back to what I said earlier about Microsoft Defender, we can see that many of the alerts related to this incident were handled automatically, saving the human admin a little bit of time.
Moving over to the Devices tab. Here, we have a list of impacted devices, including their Risk level and some Tags. Clicking on a device like so will expand the details pane on the right side. Here, you can see a little bit of additional information about the device. Next, we would want to take a look at the Users. Here, we see a list of users associated with this incident. A very convenient feature here is the Investigation priority. This is a guideline to help you prioritize your investigation. Higher number equals higher priority. So, in a case like this, we would want to take a look at Barbara Moreland in Accounting first. Then perhaps the Infrastructure Services Manager.
Moving on over to the affected mailboxes, we can see that Barbara Moreland's mailbox was the only one affected, which if we go back actually kind of makes sense. Eric.Gubbles, although he's a Helpdesk Supervisor, was assigned a lower investigation priority probably because his inbox was not affected whereas Barbara's was. Now, let's take a look at the Investigations tab. Here, we see a list of automated investigations and their statuses. Some are marked as Remediated, others are marked as Partially remediated. And we can see that the Service Source can vary from Microsoft Defender, Advanced Threat Protection, Azure, or Office Advanced Threat Protection. If you click on one of the investigations, here we can see that Microsoft Defender went to work and immediately detected the malware.
Lastly, let's look at the Evidence tab. The first thing you provided is a summary of all the evidence, including Email, User Activities, Files, and Processes. In this particular example of malware being detected, we can see that 45 files have been remediated. And if we want to do a deeper dive, we can click on 'Files' over here, then you can get details on each of the 147 files. You could just click a file and on the details pane, you can see that this particular file was quarantined successfully. That about wraps up incidents and alerts.
Next, let's move on to threat prevention. So, now let's talk about threat prevention. While we've seen that Microsoft does have some great tools to automate remediation if something does slip through the cracks. The best defense against cybersecurity threats is to not have to play defense at all. That is to say, prevent the need for remediation in the first place. And while it's possible for an attacker to attempt to brute-force their way in past the firewall or take advantage of some network vulnerability, it's much more common to see social engineering tactics targeting human error, to deliver malicious content via email disguised as something that would otherwise be familiar and harmless. This is also known as phishing.
So, here we're going to cover a tool that Microsoft provides to help train our users' cybersecurity awareness, so that they can recognize and avoid social engineering tactics altogether. So, here I am on the security home dashboard. Again, that's at security.microsoft.com, and the tool I'm referring to is over here on the left pane called Attack simulation training. Now, before we dive in, there are a couple of prerequisites when it comes to Microsoft attacks simulator. It does come with some specific licensing requirements.
So, moving on over to this tab to compare Microsoft plans, you would need to have the Microsoft 365 E5 plan in order to access this tool. Alternatively, you can opt for the Microsoft Defender for Office 365 Plan 2, which is what we're running right now. Both plans offer access to attack simulation training. Now, if you don't have access to either of these plans, there are some third party options, but we won't be covering those in this particular video.
Let's go back to our main tab, and we're back to our security home screen. And let's move down over and click 'Attack simulation training'. Here, we have the attack simulation dashboard. In this overview tab, it looks a little bit empty because we haven't created any simulations yet. To create our first simulation, we can either click 'Launch a simulation' from the Overview page right here, or we can move on over to the simulations tab. Again, you can see we don't have anything yet, and hit this button to launch a simulation. And we can move over to the 'Payloads' tab. And here we have all sorts of different payloads commonly used in phishing attempts. I'm sure some of these look quite familiar such as the American Express password reset, that's a common one. A blocked Facebook account, and you can see that they are all assigned the type social engineering, which is what we've been talking about.
Now, over to the right-hand side, you can see that the status of all these are ready to go, they're ready to be deployed any time. And the technique used in each one of these payloads is also specified here. So, the American Express password reset is a credential harvest, where they're looking for you to enter your username and password. Whereas the blocked Facebook account contains a link to malware. You can also come over here and create a custom payload, something that is a little bit more in alignment with your organization, and therefore, might be a more challenging, more advanced phishing attempt to train on.
The other thing worth mentioning here, skipping over to 'Settings', is the repeat offender threshold. You can see that by default it is set to 2, which means that if you fail one of these simulations twice, you're going to be flagged as a repeat offender. Now, if you feel that's too harsh, you can increase it, but by default it is set to 2. And you can also enable user training reminders, and Microsoft will remind your users when their training is due, all automatically. Under simulations excluded from reporting, this is more for testing purposes if you don't want it to actually count on your report. But for now because this is a clean environment, we don't have any that fit these criteria.
Let's go back to simulations and let's click 'Launch a simulation'. And the first thing you need to do here is select a technique. You have several to choose from, and it's important to note that each one of these techniques follows the Mitre Framework, which as previously mentioned, is a very common framework when it comes to social engineering. Also notice under each technique is a description. So, you can click this link for a little blurb about credential harvest. For now, I'll click 'X' and I'll leave Credential Harvest selected and hit 'Next'.
Next, we have to put in a simulation name, and I'll simply call this a phish test. Now, in a real production environment, feel free to put as lengthy of a description as you see fit, and we'll hit 'Next'. Now, on the next screen, you need to select a payload. You can see here that you have 87 pre-configured payloads to choose from. Let's go with one that we've been talking about and select American Express password reset. Now, to check out a preview of what this would look like, you can hit 'Send a test', and you can send yourself a test email containing this payload. Just hit 'Confirm' and you can see that a test email was successfully sent.
Now, I've just logged into my Outlook and as you can see, we have an email from American Express. And as you might have expected, it is asking me to click a certain link to reset my password. So, this is a preview of what your users would see. And here we are back at the payload screen where we can click 'Next' if we're satisfied with that preview. Now, here we can select the users to target. You can target all of the users in your organization or just a specific. In this case, I'm going to click 'All' and hit 'Next'.
Now, here we have one of the most important parts of the campaign, and that is the training. Now, it's one thing to have a user fail the simulation, but it's also important to know where they went wrong. Fortunately for us, Microsoft provides some built-in training specifically related to the payload and the simulation that we've selected. Now, if you have your own training courses and modules, feel free to select the second option here. But by default, we can rely on Microsoft to help us. So, I'm going to leave the recommended option checked here. We can also select our training due date, and we have a couple of options. Seven days, 15 days, or 30 days after the simulation ends. So, in this case, I'm going to leave 30 days selected, and that means all users who fail the simulation will need to be trained within 30 days of the simulation ending. So, here, I will click 'Next'.
Here, you can choose the landing page that your users see when they click the link. You can choose to use Microsoft default landing page, or if you have your own, you can enter the URL here. Alternatively, you can also create your own landing page. For now, I'm going to choose the default landing page. We won't add a logo or anything like that, and we can also add payload indicators to help our users out in identifying phishing email. If we click 'Open preview panel', we'll get a sneak peek as to what they see. And it reminds them, hey, it's okay, you're human.
Let's learn from this. And as we scroll down, it offers some help to identify what makes this suspicious to begin with. A very useful tool. And we'll x out and click 'Next'. Now, we can choose when to launch this simulation. We can either schedule it or launch it as soon as we're done creating it here. You can choose how many days to run the simulation for, and in this case, I'm fine with the default of two days. And you can also enable region aware time zone delivery. So, if you have users in multiple different time zones in your organization, you would want your simulation run at the most effective time. In our case, we can leave that unchecked and we can click 'Next'. And we can now review our simulation before we hit 'Submit'. If we're happy with it, we can go ahead and click 'Submit'. And we get confirmation that our simulation has been scheduled for launch.
Switching back over to our email, we can see that we received yet another phishing attempt from American Express. Now, to demonstrate simulation failure and a need for training I'm going to click this link, and here we have the obvious phishing attempt trying to get my email credentials, which I will now provide. And boom, right away, we're notified that we were just phished by our security team. It's okay, you're human. Let's learn from this. And very similar to their preview that we saw before, we are provided some education on how to identify phishing email.
Now we're back in our attack simulation training overview tab where we can see that our phish test simulation is currently in progress. If we click on it, we can see the status of our campaign. Here, you can see that one out of the two users in this campaign were actually compromised, as I just demonstrated. The American Express payload was used and no one has completed the training yet. Over here on the bottom, we do get some recommended improvement actions by Microsoft, and we're also reminded of the impact it has on our secure score. I'll just X out for now. And now we're back in our email inbox, and we can see that we have two new emails from the security and compliance team indicating we have training required.
If we open one of these emails, we have one new training course to complete that should take about three minutes, and I have approximately 30 days to do so. My second email is virtually identical. And the reason we're sent two emails here is because there are actually two trainings to complete. So, if I click 'Go to training', you'll notice there's two trainings to complete. One about web phishing, and one about mass market phishing. So, at this point, we've pretty much gone through everything you would need to know about attack simulator from both the user's perspective and the admin perspective. Hopefully, you found this video helpful. We'll see you in the next one.
Aaron has been in the IT industry for 10 years servicing a variety of industries, from small retail businesses to multi-billion dollar hedge funds. Specializing in workflow optimization, he has helped users at all levels increase their productivity and efficiency ranging from tasks like taking medical offices to paperless, to administering patch management, JIRA, Confluence, and other project management platforms.
Prior to starting his IT career, Aaron was a test prep teacher, helping high school students improve their standardized test scores for college admissions. He joins Cloud Academy to combine his two passions, technology and teaching.