New Microsoft Security Blogs

Title: Monitoring your Logic Apps Playbooks in Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-logic-apps-playbooks-in-azure-sentinel/ba-p/1873211
Overview: In the world of cybersecurity and Security Information and Event Management (SIEM) systems, security orchestration, automation, and response (SOAR) plays a crucial role.


Title: Using Sensitivity Labels in M365 – How to Protect NDA Data from Leaking
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/using-sensitivity-labels-in-m365-how-to-protect-nda-data-from/ba-p/1873986
Overview: Follow along with this video covering a scenario of sales sharing active project development for new products, and understand how both admins and end users can apply labels to prevent these actions before data leaves the company.


Title: Attack simulation training public preview now open to all E3 customers
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/attack-simulation-training-public-preview-now-open-to-all-e3/ba-p/1873169
Overview: At Ignite 2020, we announced the public preview of Attack simulation training in Microsoft Defender for Office 365. Delivered in partnership with Terranova Security, Attack simulation training is a premium feature available to Microsoft Defender for Office 365 P2, Microsoft 365 E5 and Microsoft Security E5 license holders.


Title: Empowering employees to securely work from anywhere with an internet-first model and Zero Trust
URL: https://www.microsoft.com/security/blog/2020/11/11/empowering-employees-to-securely-work-from-anywhere-with-an-internet-first-model-and-zero-trust/
Overview: Like many this year, our Microsoft workforce had to quickly transition to a work-from-home model in response to COVID-19. While nobody could have predicted the world’s current state, it has provided a very real-world test of the investments we have made implementing a Zero Trust security model internally.


Title: The Microsoft Cloud App Security (MCAS) Ninja Training is Here!
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/the-microsoft-cloud-app-security-mcas-ninja-training-is-here/ba-p/1877343
Overview: The Microsoft Cloud App Security (MCAS) Ninja Training is Here!


Title: Microsoft Insider Risk Management & Communication Compliance – New Announcements & Updates
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-insider-risk-management-amp-communication-compliance/ba-p/1877730
Overview: The Microsoft 365 community is excited to announce new capabilities in Microsoft Insider Risk Management & Communication Compliance to help minimize internal risks by enabling you to detect, investigate, capture, and act on malicious and inadvertent activities in your organization.


Title: Microsoft On-Premises DLP Webinar
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-on-premises-dlp-webinar/ba-p/1878047
Overview: The On-Premises DLP webinar provided an overview of an MIP solution for on-premises data at rest, an understanding of on-prem specific challenges, and an implementation methodology, and concluded with a demonstration of the most useful scenarios that can be addressed by the on-premises scanner.


Title: Hunting for Barium using Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-barium-using-azure-sentinel/ba-p/1875913
Overview: Leveraging Indicators of Compromise (IOC) and searching historical data for attack patterns is one of the primary responsibilities of a security monitoring team.


Title: Security Unlocked—a new Podcast on the Technology and People Powering Microsoft Security
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/security-unlocked-a-new-podcast-on-the-technology-and-people/ba-p/1878709
Overview: How are we using machine learning (ML) and artificial intelligence (AI) to improve cybersecurity today? What are the different types of ML algorithms, and how do they differ? Taking it a step further, how do we protect our ML systems? According to the 2020 Microsoft Digital Defense Report, we know adversarial machine learning and attacks on ML systems are part of the future of cybersecurity. Yet, 89 percent of surveyed organizations felt they don’t have the right tools in place to secure their ML systems.


Title: Secure your Calls - Monitoring Microsoft TEAMS CallRecords Activity Logs using Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/secure-your-calls-monitoring-microsoft-teams-callrecords/ba-p/1574600
Overview: Collecting TEAMS CallRecords Activity Data


Title: Best practices for deploying and using the AIP UL scanner
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/best-practices-for-deploying-and-using-the-aip-ul-scanner/ba-p/1878168
Overview: In this article we would like to summarize what we know about the AIP scanner and share lessons learned while helping our enterprise customers deploy the AIP scanner to production, so that you can avoid possible pitfalls and make your implementation of the AIP scanner easier, faster, and more efficient, and get the most out of your investments.


Title: System Management Mode deep dive: How SMM isolation hardens the platform
URL: https://www.microsoft.com/security/blog/2020/11/12/system-management-mode-deep-dive-how-smm-isolation-hardens-the-platform/
Overview: Key to defending the hypervisor, and by extension the rest of the OS, from low-level threats is protecting System Management Mode (SMM), an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor.


Title: Using Azure Data Explorer for long term retention of Azure Sentinel logs
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/using-azure-data-explorer-for-long-term-retention-of-azure/ba-p/1883947
Overview: In this blog post, we will explain how you can use Azure Data Explorer (referred to as ADX from here on) as a secondary log store and when this might be appropriate for your .



Warning about false updates

Riding on the edge of current events is one of the best ways to catch someone unaware. Having, or hinting at, something that is still unknown can provide enough cover for a malicious entity to confuse a victim into falling for a trap. A common technique is to offer false updates for a program that is new enough that the victim has little expertise with it, taking advantage of their naïveté. There was a glut of issues and vulnerabilities when Zoom had just started out as a popular videoconferencing tool. Microsoft Teams is now getting its fair share of trouble.

Microsoft is warning customers in a non-public security advisory, reported by BleepingComputer, that a malicious ad campaign is evolving and infecting users with ransomware, infostealers, and even Cobalt Strike, to be used in conjunction with the ZeroLogon vulnerability. They call it the FakeUpdate attack. The attack begins with the victim accessing a malicious server and downloading the malware themselves, convinced that they need an update to Microsoft Teams. Microsoft Teams is a widely used business communication platform that combines instant messaging, videoconferencing, file storage, and application integration. The file contained in the supposed update delivers a PowerShell script that carries a host of malware, and that payload has evolved over time: it initially carried only DoppelPaymer ransomware, but then moved on to WastedLocker and the Cobalt Strike threat emulation software. It also installs a genuine copy of Microsoft Teams, so the victim’s Teams software may actually end up updated. Previous FakeUpdate campaigns carried the Predator the Thief infostealer, the Bladabindi (NJRat) backdoor, and the Zloader stealer.

The attackers were able to use Google Ads as a force multiplier by purchasing a search engine ad, which made search results for Microsoft Teams provide a malicious link as one of the top results. Links in ads are already a constant source of suspicion, but it is understandable for less savvy users to go for the convenience without recognizing the risk.

Microsoft itself is advising users to use web browsers that can provide a degree of protection by exerting discretion against malicious websites and to maintain standard strong passwords for local admin privileges. Organizations can also minimize attack surfaces by blocking executable files or blocking JavaScript and VBScript from downloading potentially malicious content.

Sources

https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/

https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/

https://securityaffairs.co/wordpress/110693/malware/fake-microsoft-teams-cobalt-strike.html

Performance Measurement Guide for Information Security


EXTENSION: Call for Comments Extended to December 10th for “Performance Measurement Guide for Information Security”

NIST is extending the public comment period on Special Publication (SP) 800-55 Revision 1, “Performance Measurement Guide for Information Security,” to December 10, 2020. See the Publication Details link for a link to the document and instructions for submitting comments.

Publication Details: https://csrc.nist.gov/publications/detail/sp/800-55/rev-2/draft

NIST Cybersecurity and Privacy Program
NIST Computer Security Division (CSD)
Questions/Comments regarding SP 800-55 Rev. 1 – send email to [email protected]
CSRC Website Questions? Send email to: [email protected]

National Online Informative References (OLIR) Program: NISTIRs 8278 and 8278A Published

NISTIR 8278, National Cybersecurity Online Informative References (OLIR) Program: Program Overview and OLIR Uses, describes the OLIR Program, what OLIRs are, what benefits they provide, how anyone can search and access OLIRs, and how subject matter experts can contribute OLIRs. This report includes:

  • Additional Focal Document Templates
  • Functional enhancements to the OLIR Catalog and Derived Relationships Mapping (DRM) display tool

NISTIR 8278A, National Cybersecurity Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers, replaces NISTIR 8204. The primary focus of NISTIR 8278A is to instruct Developers on how to complete the OLIR Focal Document spreadsheet when submitting an Informative Reference to NIST for inclusion in the OLIR Catalog. This report includes:

  • Requirement guidance to include additional focal document templates introduced in NISTIR 8278.
  • A “Strength of Relationships” section (3.2.11) that includes guidance for populating the magnitude field when evaluating focal and reference document elements. Interested commenters should read the ‘Note to Reviewers’ (page iii) as we seek feedback on this requested feature describing additional detail about the relationship.

Both publications are based on feedback received from early adopters as well as discussions at the December 2019 OLIR workshop.

NISTIR 8278 details: https://csrc.nist.gov/publications/detail/nistir/8278/final

NISTIR 8278A details: https://csrc.nist.gov/publications/detail/nistir/8278a/final

OLIR Workshop (December 2019): https://www.nccoe.nist.gov/events/workshop-cybersecurity-online-informative-references

Classes of Ransomware

Intel 471 recently released a report outlining the most popular, the up-and-coming, and some deep cuts in the ransomware world. They separate the groups into three tiers based on how prevalent and successful they have been. But all of these groups work by specializing and delegating tasks.

The lowest tier includes the likes of CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, XINOF, and Zeoticus. These groups have had little publicity regarding their attacks, but their marketing exists and persists, so it stands to reason that they are functional and operating. The main deviation from the other groups is that they don’t publish the data of victims who refuse to pay the ransom, and that there is little information about their supposed victims.

The next tier includes the rising stars of the Ransomware as a Service (RaaS) world: Avaddon, Conti, Clop, DarkSide, Pysa/Mespinoza, Ragnar, Ranzy, SunCrypt, and Thanos. These are the names to keep an eye on. They have had successful confirmed attacks and run their own blogs for the “expose and shame” tactic, which embarrasses victims who don’t pay the ransom and lends credibility to their threats against future victims.

The final group includes the heaviest hitters, with whom all our readers should be familiar. This rogues’ gallery includes DoppelPaymer, Egregor/Maze, Netwalker, REvil, and Ryuk. DoppelPaymer runs the Dopple Leaks blog and was behind the first death attributed to malware. Egregor/Maze had announced their retirement from the cybercrime scene, but have an impressive record in their attacks on Barnes & Noble, Crytek, and Ubisoft. Netwalker began in September of 2019 and follows an efficient pattern of spear phishing their targets to establish a foothold and following it up with a fileless attack that undermines Windows 7 and up. They also have an “individual mode” which locks a single device and offers only the key to that device, as opposed to their “network mode” which encrypts an entire network and offers options for individual keys or a master key to use with their decryption tool. REvil has been seen leveraging the popular BlueGate vulnerability and working with other groups to help gain access to networks for infection. By separating the tasks, they have seen profits increase from the tens of thousands per target to the millions. Lastly, the Ryuk ransomware has been seen in conjunction with TrickBot, Emotet, and, most recently, BazarLoader. Ryuk has been seen working with up to three teams: one to direct spam campaigns to infect victims, a team to spread the attack through corporate networks, and a last team to deploy the ransomware and conduct negotiations.

Criminals working together is always a concern as the age-old adage says, “Teamwork makes the dream work”. Keeping up to date and aware of the various groups is critical to maintaining vigilance against their tactics.

Sources:

https://www.bleepingcomputer.com/news/security/dozens-of-ransomware-gangs-partner-with-hackers-to-extort-victims/

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer

New Android malware marks the latest evolution of mobile ransomware

Attackers are persistent and motivated to continuously evolve – and no platform is immune. That is why Microsoft has been working to extend its industry-leading endpoint protection capabilities beyond Windows. The addition of mobile threat defense into these capabilities means that Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection) now delivers protection on all major platforms.

Microsoft’s mobile threat defense capabilities further enrich the visibility that organizations have on threats in their networks, as well as provide more tools to detect and respond to threats across domains and across platforms. Like all of Microsoft’s security solutions, these new capabilities are likewise backed by a global network of threat researchers and security experts whose deep understanding of the threat landscape guide the continuous innovation of security features and ensure that customers are protected from ever-evolving threats.

For example, we found a particularly sophisticated piece of Android ransomware with novel techniques and behavior, exemplifying the rapid evolution of mobile threats that we have also observed on other platforms. The mobile ransomware is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop. This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures, including masquerading as popular apps, cracked games, or video players. The new variant caught our attention because it’s an advanced malware with unmistakably malicious characteristics and behavior, and yet it manages to evade many available protections, registering a low detection rate against security solutions.

As with most Android ransomware, this new threat doesn’t actually block access to files by encrypting them. Instead, it blocks access to devices by displaying a screen that appears over every other window, such that the user can’t do anything else. The said screen is the ransom note, which contains threats and instructions to pay the ransom.

What’s innovative about this ransomware is how it displays its ransom note. In this blog, we’ll detail the innovative ways in which this ransomware surfaces its ransom note using Android features we haven’t seen leveraged by malware before, as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note.

To read the full article on the Microsoft Security Blog, go to https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/

Microsoft Digital Defense Report 2020: Cyber Threat Sophistication on the Rise

For years I have talked about the security white papers and docs that discuss what’s happening in the world of IT and security. Here is a new report: Cyber Threat Sophistication on the Rise.

Today, Microsoft is releasing a new annual report, called the Digital Defense Report, covering cybersecurity trends from the past year. This report makes it clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets. For example, nation-state actors are engaging in new reconnaissance techniques that increase their chances of compromising high-value targets, criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services, and attackers have developed new ways to scour the internet for systems vulnerable to ransomware.

In addition to attacks becoming more sophisticated, threat actors are showing clear preferences for certain techniques, with notable shifts towards credential harvesting and ransomware, as well as an increasing focus on Internet of Things (IoT) devices. Among the most significant statistics on these trends:

  • In 2019 we blocked over 13 billion malicious and suspicious mails, out of which more than 1 billion were URLs set up for the explicit purpose of launching a phishing credential attack.
  • Ransomware is the most common reason behind our incident response engagements from October 2019 through July 2020.
  • The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and Virtual Private Network (VPN) exploits.
  • IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.

Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace; that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies, and, especially, enabling multi-factor authentication (MFA).  Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.

To read the full blog and download the Digital Defense Report visit the Microsoft On-the-issues Blog.

Content from Microsoft

New York Metro Joint Cyber-Security Conference

I will be teaching at the New York Metro Joint Cyber-Security Conference (NYMJCSC.ORG).

This conference offers two days of security content provided by the following groups.

Organizational Partners:

  • InfraGard Members Alliance – New York Metro Chapter
  • Information Systems Audit and Control Association (ISACA) – New Jersey Chapter
  • Information Systems Audit and Control Association (ISACA) – Greater Hartford CT Chapter
  • High Technology Crime Investigation Association (HTCIA) – New York City Metro Chapter
  • Internet Society (ISOC) – New York Chapter
  • Information Systems Security Association (ISSA) – New York Chapter

Community Partners:

  • (ISC)2 – New Jersey Chapter
  • Information Systems Audit and Control Association (ISACA) – New York Metro Chapter
  • Cloud Security Alliance (CSA) – New York Metro Chapter
  • Association of Certified Fraud Examiners (ACFE) – New Jersey Chapter
  • Association of Continuity Professionals (ACP) – New York City Metro Chapter

Please look at this link; I believe you will find some great content at a very reasonable price.

The link is NYMJCSC.ORG

Latest Microsoft Security blog posts

Title: Find your unscanned and overexposed shares on-premises with an on-premises scanner
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/find-your-unscanned-and-overexposed-shares-on-premises-with-an/ba-p/1744783
Overview: Microsoft Information Protection is a built-in, intelligent, unified, and extensible solution to protect sensitive data across your enterprise – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. Microsoft Information Protection provides a unified set of capabilities to know your data, protect your data, and prevent data loss across cloud services, devices, and on-premises file shares.


Title: Microsoft Information Protection and Compliance Resources
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-information-protection-and-compliance-resources/ba-p/1184950
Overview: The Microsoft Information Protection and Compliance Customer Experience (CXE) team works with Microsoft’s largest enterprise customers to provide guidance and advisory services to help them deploy our information protection and compliance solutions.


Title: Why integrated phishing-attack training is reshaping cybersecurity—Microsoft Security
URL: https://www.microsoft.com/security/blog/2020/10/05/why-integrated-phishing-attack-training-is-reshaping-cybersecurity-microsoft-security/
Overview: Phishing is still one of the most significant risk vectors facing enterprises today. Innovative email security technology like Microsoft Defender for Office 365 stops a majority of phishing attacks before they hit user inboxes, but no technology in the world can prevent 100 percent of phishing attacks from hitting user inboxes. At that point in…


Title: Azure Sentinel To-Go (Part2): Integrating a Basic Windows Lab 🧪 via ARM Templates 🚀
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-to-go-part2-integrating-a-basic-windows-lab-via/ba-p/1742165
Overview: Most of the time when we think about the basics of a detection research lab, it is an environment with Windows endpoints, audit policies configured, a log shipper, a server to centralize security event logs and an interface to query, correlate and visualize the data collected.


Title: 3 ways Microsoft helps build cyber safety awareness for all
URL: https://www.microsoft.com/security/blog/2020/10/05/3-ways-microsoft-helps-build-cyber-safety-awareness-for-all/
Overview: Learn how Microsoft is helping secure your online life through user
education, cybersecurity workshops, and continued diversity in hiring.


Title: Migrating from Exchange Transport Rules to Unified DLP – The complete playbook
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/migrating-from-exchange-transport-rules-to-unified-dlp-the/ba-p/1749723
Overview: This document provides an overview of how enterprise customers can migrate their existing Exchange Transport Rules to the Unified DLP portal. It walks through the different stages of migration and shows the effectiveness of the unified DLP portal as a single place to define all aspects of your DLP strategy. In summary, this playbook will help you to:

  • Understand the migration process.
  • Understand the unified console and interface.
  • Develop a strategy for the migration.
  • Ensure a smooth migration process.
  • Find resources to support the migration process.


Python for Beginners a free resource from Microsoft

Probably the largest hurdle when learning any new programming language is simply knowing where to get started. This is why we, Chris and Susan, decided to create this series about Python for Beginners!


Even though we won’t cover everything there is to know about Python in the course, we want to make sure we give you the foundation on programming in Python, starting from common everyday code and scenarios. At the end of the course, you’ll be able to go and learn on your own, for example with docs, tutorials, or books.

This is all on youtube.com. Go to this LINK