Blog Post

Microsoft Defender for Endpoint Blog
5 MIN READ

Ignite News: Augment your EDR with deception tactics to catch adversaries early

Evald Markinzon's avatar
Nov 15, 2023

Update: The Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL) is generally available as of 05/23/2024.

 

Endpoints remain critical entryways for adversaries to begin their reconnaissance before moving laterally through an organization. That’s why Endpoint Detection and Response (EDR) solutions have become a critical component in most cyber tool sets and are essential in helping SOC teams detect and respond to these threats early.

 

Today we are excited to announce deception as a built-in capability in Microsoft Defender for Endpoint. Augmenting its powerful EDR capabilities, you can now create an artificial attack surface that entices adversaries to access assets you created just for them, and triggers high-fidelity, early-stage signal when accessed. As a built-in capability, deception is generated and deployed automatically to add a new layer of protection for devices in your organization, while enabling the SOC team to speed up their response.

 

Deception in Defender for Endpoint provides customers with:

  • High confidence detections and automatic disruption of threats – Detects human operated lateral movement in the early stages of a cyber-attack and triggers attack disruption to contain the threat.
  • AI-powered generation of authentic decoys and lures – Defender for Endpoint uses machine learning to autogenerate and deploy authentic decoys and lures into your network that mirror production assets
  • Built into the existing endpoint agent - no additional deployment or management of sensors on your network.
  • Integrated into the XDR SOC experience – for easy, end to end investigation of attacks

 

What is deception?

Deception technologies help create an artificial cyber-attack surface within your network that consists of decoys and lures that look like high value assets to any outside adversary. The goal is to deceive attackers and lead them into accessing assets.

 

Decoys – fake assets that trigger an alert when an attacker engages such as fake users and hosts

Lures – are digital breadcrumbs that lead attackers to decoys and make them look more authentic, such as documents, batch files, and more.

 

Any interaction with them ensures immediate detection because high-fidelity alerts are created for the SOC and correlated into the ongoing incident. Therefore, deception technology strategically complements EDR solutions and can be the deciding factor in how much exposure your company has during a ransomware attack.

 

Image 1: Human operated ransomware attack flow with deception enabled.

 

 

Deception in Defender for Endpoint

Deception is an AI-powered and built-in capability in Defender for Endpoint. With other deception tools operating as siloed solutions that require manual work to generate and deploy, organizations often shy away from them due to the high upfront and maintenance investments required, and their reality of limited resources.

Defender for Endpoint on the other hand now enables organizations to easily enable the automatic generation and deployment of authentic-looking decoys and lures. In addition, and unique to Defender for Endpoint, deception will soon also augment its disruption capabilities to stop ransomware attacks and adversaries even sooner – without any intervention from the SOC.

 

AI-powered decoy and lure generation and simple deployment

Using sophisticated ML models, Defender for Endpoint automatically creates assets that mimic others in your environment and can withstand authenticity checks from adversaries e.g. by aligning with the existing naming convention of your hosts – all in under 5 minutes. Defender for Endpoint then uses its existing endpoint agents to deploy them, so you don’t need any separate sensors in your network. Further, automatic renewal and updates to existing decoys and lures will happen on an ongoing basis to ensure they remain authentic and recent across your network.

 

Embedded into the SOC experience and enhancement for attack disruption

Deployment is one thing, effective use is another. To make this just as easy for SOC teams, deception is deeply integrated into the existing incident and alert experience in the Defender portal. When decoys are accessed, they will generate high confidence detections that trigger an alert via Microsoft Defender for Endpoint. These will be correlated with other alerts relevant to the same incident, just like you’re used to and all common response actions are available.

And soon, deception will also fuel Microsoft Defender XDR’s attack disruption, making it possible to disrupt advanced human operated ransomware attacks even earlier in the attack chain.

 

Image 1: Deception alert within the incident investigation experience in the Defender portal.

 

 

Deception is included for customers with any of the following licenses: Microsoft Defender for Endpoint Plan 2, Microsoft Security E5, Microsoft 365 E5 at no additional cost. This allows a broad set of organizations to immediately benefit from deception and enable it in their environment.

 

 

How to get started

To enable deception in Defender for Endpoint, navigate to Settings -> Endpoints -> Advanced features and enable Deception. Then navigate to “Deception rules” to create and configure new rules for your environment.

 

Image 2: Deception rule creation in the Defender portal.

 

 

Once you create a rules and start the auto-generation of assets, this will take no more than 5 minutes. Defender for endpoint supports the automatic generation of fake users and fake hosts, but also gives you the ability to add custom ones or even edit the system-generated ones at any time. Afterwards you can add custom lures as well, but this is completely optional.

  • Support for fake users and fake hosts
  • Customers can add their own fake users or update system-generated ones
  • Customers can add their own IPs to fake hosts and lead attackers to their honeypots based on Defender for Endpoint-onboarded devices

 

Image 3: Deception rule creation in Defender for Endpoint.

 

Once setup, deception can help your SOC team in their own response and remediation. Within the incident experience you will be able to filter by the “Deception” tag to see a list of all incidents where deception assets where accessed and investigate them more in-depth within the correlated alerts as shown in image 3.

 

 

 

Other Ignite announcements

Windows subsystem for Linux support 

Windows Subsystem for Linux (WSL) is a popular tool that enables developers to engage in business tasks while simultaneously running a containerized Linux environment without the overhead of a virtual machine or dual boot setup.  

While WSL helps streamline productivity and boost performance for developers, the containerized environment can be a blind spot for security teams. To help security teams monitor what is running inside of WSL, we are excited to announce the public preview of a new Microsoft Defender for Endpoint plug-in for WSL. This plug-in allows security teams to continuously monitor for security events in all running WSL distributions, while minimally impacting performance on developer workloads.

Learn more about WSL support for Defender for Endpoint here

 

Security settings management is now GA

The General Availability of simplified security settings management in Defender for Endpoint

Check out the announcement blog for more details.

 

Additional response actions for all platforms are now in GA

To help SOC teams respond to active threats faster and more effectively, we are excited to announce the General Availability of antivirus (AV) scan and device isolation response actions in Defender for Endpoint for macOS and Linux platforms. Security teams can now easily trigger AV scans and isolate compromised devices directly from the action menu on the incident page to speed up their response.

Learn more about AV scan and Device isolation for macOS and Linux.

 

 

More information

Updated May 23, 2024
Version 6.0
  • Brizziechap's avatar
    Brizziechap
    Copper Contributor

    Windows devices that have WDAC - Deception deployment fails..... is there any advice/feedback available on this?

  • Brok3NSpear's avatar
    Brok3NSpear
    Brass Contributor

    Keep getting the error that the action has failed when turning on the default rule for this.

    No changes were made, just enabled it.

    It may be that as this is very new there are teething issues? If not, any pointers to get this up and running?

    Looking in the portal, it just shows as in Progress. 

     



    [Edit]

    This is the same when creating my own rule as well

  • Dear Brok3NSpear,
    Thank you for your feedback! 

    We're sorry that you are having difficulties. Please contact MS support teams and mention that you are having issues with the new MDE Deception feature.
    They will be sure to assist you. 

  • TakashiVV's avatar
    TakashiVV
    Copper Contributor

    if i'm an attacker,i will save stolen datas into the Decoys,and Post those from Decoys to C2..
    if i'm an attacker,i will save malicious codes into the Lures,and make those behave maliciously as a Lure..