In this blog post, we are going to talk about extending Microsoft Defender for Endpoint detection with Indicators of Compromise (IOC). Mainly, we are going to talk about extending the product’s prevention capabilities with an additional external source of information. What if you want to block a specific IP address or a suspicious file as a result of an attack you were investigating recently?

To do that, we need to feed the Microsoft Defender for Endpoint engine with additional indicators that we know are suspicious and if found, should be blocked, or at least generate alerts. To accomplish this, Microsoft Defender for Endpoint supports what is known as Indicators of Compromise (IOC).

In the cybersecurity world, indicators are activities that lead security teams to believe a security threat or breach could be in progress or that a system has been compromised. There are two main types of indicators: Indicators of Compromise (IOC) and Indicators of Attack (IOA). The two indicators approach detection in different ways.

One way to look at the difference between the two is to understand what question each is trying to answer. Indicators of compromise help answer the question “What happened?”, while indicators of attack help answer “What is happening and why?”.

While we will be focusing on Indicators of Compromise in this blog post, I want to help you understand the difference between Indicators of Compromise and Indicators of Attack. Let’s get started!

Read other parts here:

P1: Microsoft Defender for Endpoint – Architecture

P2: MS Defender for Security Strategy & Role of AI

P3: MS Defender for Endpoint – Threat and Vulnerability Management (TVM)

P4: MS Defender for Endpoint – Attack Surface Reduction ASR

P5: Microsoft Defender Antivirus Internal Mechanics

P6: Microsoft Defender Endpoint Detection & Response (EDR)

Indicators of Compromise IOC

Indicators of Compromise (IOCs) are pieces of forensic data that identify potentially malicious activity in the network or a system, such as data breaches, malware infections, and other security threats. Security teams and investigators usually gather this data after investigating a security incident or a compromised system. This information is then fed to security tools so that they become smarter at detecting suspicious files or activities in the future. Such information can be an MD5 hash, a C2 domain, a malicious IP address, a registry key, a filename, etc.

You can think of IOCs as the breadcrumbs that lead to detecting malicious activities. IOCs are a reactive way of detecting attacks: when you find an IOC, you have already been compromised. However, they are still an important piece of your cyber defense strategy, ensuring as part of your incident response process that an attack does not go on for long before it is stopped.

By carefully monitoring and detecting indicators of compromise, you can detect attacks and act quickly to prevent further damage from occurring, or limit damage by stopping the attack in its earlier stages. They are also important during forensic investigation and can be useful in creating better defenses.

Indicators of Attack IOA

Indicators of attack focus on detecting the intent of what the attacker is trying to accomplish, regardless of the tool or exploit used to perform the attack. They answer the question “What is happening and why?”. If you are hit by a phishing attack and someone clicks on that malicious link, your machine gets infected. Once it is compromised, the attacker will perform a series of activities to move inside your network, maintain persistence across reboots, connect with a command and control center, and leak data. Indicators of attack help you detect and understand the execution of these steps, the intent of the attacker and the outcome of the attack, while indicators of compromise focus on the specific tools used to accomplish the attack.

Microsoft Defender for Endpoint provides advanced detection and investigation capabilities to help you detect many indicators of attack that cover recent techniques that attackers use, such as dynamic script-based attacks, network explorations, and keylogging alerts. It also provides a rich investigation experience as we covered in previous sections. 

To better protect your environment from cyberattacks, a combination of indicators of compromise and indicators of attack should be used to detect threats that evade traditional defenses. Microsoft Defender for Endpoint provides both detection capabilities to better secure your endpoints from emerging threats.


Microsoft Defender for Endpoint IOC

Microsoft Defender for Endpoint gives SecOps teams the ability to set a list of indicators for detection and for blocking (prevention and response). In this section, you will learn how to define and configure indicators in Microsoft Defender for Endpoint.

If you live in New York City or are just visiting, you will see a sign in the metro stations that says “If you see something, say something” as part of a public safety campaign that started after the Sept 11 attacks. The same applies to the Microsoft Defender for Endpoint IOC engine: security teams define what is malicious and ask the Microsoft Defender for Endpoint service to say something (or perform some action) if it sees something (the indicators).

Indicators types

Microsoft Defender ATP allows you to define the following indicators:

  • IP address
  • Hash value
  • Domain name or URL
  • Certificates

For example, you can define a hash value of a malicious file as an indicator and ask Microsoft Defender for Endpoint to block that file once detected on any onboarded endpoint and raise an alert in the Microsoft Defender Security Center for you to investigate.

IOC Detection Sources

Let’s try to understand how Microsoft Defender for Endpoint detects those indicators once they are defined. There are three main detection sources that Microsoft Defender for Endpoint uses:

Cloud detection engine

As you know by now, onboarded endpoints send telemetry to the Microsoft Defender for Endpoint cloud service. Once the data is in the cloud, Microsoft Defender for Endpoint regularly scans the collected data and tries to match the indicators you set. Once a detection is found, action will be taken according to the settings you specified for the IoC. Keep in mind that detection happens in the cloud using telemetry collected from onboarded endpoints.

Microsoft Defender Antivirus (Prevention Engine)

The obvious source of detection is Microsoft Defender Antivirus (the endpoint prevention engine), as it is already scanning files in real time. Keep in mind that for that to happen, you should have Microsoft Defender Antivirus configured as your primary AV. Once a detection is found, Microsoft Defender Antivirus will prevent the file execution (block and remediate) and a corresponding alert will be raised in the Microsoft Defender ATP Security Center. In this case, detection happens at the endpoint level.

AIR Engine

Another source of detection is the Automated Investigation and Remediation (AIR) engine. During an automated investigation, the AIR engine scans files from multiple endpoints and will detect the indicators defined by SecOps teams.

IOC Actions

What will happen if a detection is found? Microsoft Defender for Endpoint supports three actions:

  • Allow
  • Alert only
  • Alert and block

This gives you the chance to test indicators you’ve defined by setting the action to “Alert only” at first, and then changing the action to “Alert and block” later. However, when the action is set to “Allow”, Microsoft Defender will neither detect the file nor block it from being run.

IOC Duration and scope

Apart from defining the action taken once an indicator is found, you can define an expiry date for the indicator and a scope. In this context, a scope is a machine group that you might have defined in the Microsoft Defender ATP Security Center.

How can we extract IOC

Many organizations maintain internal lists of attack indicators such as file data, IP addresses, or URLs. Your internal security team might be investigating a current security incident, searching log files, and analyzing malicious files. The result of such a security incident response process is the identification of the malicious entities that caused the attack to take place. This can be a good source of IOCs, as you can feed that data (IP address, URL or suspicious file hash) to the Microsoft Defender for Endpoint engine to block any occurrence of that suspicious entity across your onboarded endpoints.
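
As an added example (not code from the original post or from Microsoft), the Python code below turns a list of raw incident response findings into indicator definitions that start in “Alert only” mode, with an expiry date and a machine group scope. The JSON field names and the type and action values are assumed from the public Defender for Endpoint indicators API and do not appear in this post; the sample findings and the “Pilot devices” group are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Action names used on this page -> API values (assumed, check against current API docs).
ACTIONS = {"Allow": "Allowed", "Alert only": "Alert", "Alert and block": "AlertAndBlock"}
HASH_TYPES = {32: "FileMd5", 40: "FileSha1", 64: "FileSha256"}  # hex length -> type
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def classify(value):
    """Return the indicator type for a raw IOC string, or None if unrecognised."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "IpAddress"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)]
    if re.match(r"^https?://", v, re.I):
        return "Url"
    return "DomainName" if DOMAIN_RE.match(v) else None

def build_indicators(raw_iocs, action="Alert only", days_valid=30, machine_groups=(), now=None):
    """Build one indicator body per unique, recognised IOC; return (bodies, rejected)."""
    now = now or datetime.now(timezone.utc)
    expiry = (now + timedelta(days=days_valid)).strftime("%Y-%m-%dT%H:%M:%SZ")
    bodies, rejected, seen = [], [], set()
    for raw in raw_iocs:
        value, kind = raw.strip(), classify(raw)
        if kind is None:
            rejected.append(raw)          # keep for manual review, never submit blindly
        elif value.lower() not in seen:   # skip duplicates from overlapping log sources
            seen.add(value.lower())
            bodies.append({
                "indicatorValue": value, "indicatorType": kind,
                "action": ACTIONS[action], "severity": "Medium",
                "title": f"IR finding ({kind})",
                "description": "Added from incident response findings",
                "expirationTime": expiry,                 # indicator expiry date
                "rbacGroupNames": list(machine_groups),   # scope: machine groups
            })
    return bodies, rejected

# Constructed sample findings (documentation IP range, made-up hash and domain).
SAMPLE = ["203.0.113.45", "ab" * 32, "bad.example.com",
          "http://bad.example.com/payload", "203.0.113.45", "not an ioc"]

if __name__ == "__main__":
    print(build_indicators(SAMPLE, machine_groups=["Pilot devices"]))
```

Once the resulting alerts have been reviewed, the same list can be rebuilt with action="Alert and block" to move from testing to prevention.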

Another possible source of IOCs is integration with partner applications and third-party threat intelligence services that maintain a list of IOCs. Microsoft Defender ATP offers the capability to integrate with some partner applications (such as Palo Alto) and third-party threat intelligence services such as Malware Information Sharing Platform integration (MISP).

About this Microsoft Defender for Endpoint Blog Series

Over the years, I have worked with many security and infrastructure services, and I usually don’t find good information on the web on how a product or service works. For me to master a service, I need to learn how it thinks, the internal mechanics, and even how the product group who designed it really thought about different features.

So, I started blogging years back to reflect my understanding and help others find useful information that is not found elsewhere on the internet (at least in one place) and direct from my experience.

This blog series is written after careful consideration and will help you imagine how Defender for Endpoint works from the bottom up. I rarely have time to blog these days, so I might not update the blog on new features. However, the content here will give the information you need to build on top.

CREDITS: Big thanks to my friend and fellow Microsoft MVP and RD, Ahmad Nabil, who helped me put together such content, and the Microsoft 365 Security for IT PRO book family who helped in reviewing and editing this chapter. A newer version of the book is available here with updated content and valuable content about other Microsoft 365 security services. Download the new book here.