Ever-evolving cloud computing innovations have provided immeasurable benefits to individuals and businesses by publicly making technology available. Unfortunately, cybercriminals exploit this availability using a wide range of digital infrastructure to commit their attacks. With this growing digital landscape, cyber criminals continuously change their tooling's 'what, how, and where' to align with their goals while attempting to stay hidden.
Cyber investigators must be able to quickly and resolutely answer the 'what, how, and where' related to threats, as well as the 'why.' To answer all these questions within the context of the investigation, security teams need a variety of data sources. However, much of the data related to infrastructure is only available for a short period, and its collection requires extensive mechanisms and arduous work.
In this blog, I'll cover how Microsoft Defender Threat Intelligence (MDTI) can help enable a comprehensive threat intelligence strategy for customers using Threat Intelligence Platforms (TIPs) by filling in vital gaps to show a more complete picture of the global threat landscape. I'll showcase a new solution built in partnership with the Admiral Group threat intelligence team.
Understanding Microsoft Defender Threat Intelligence
Microsoft has done the hard work of building extensive data collection mechanisms to aid investigators in answering the various questions associated with different cyber investigations. This data is made available in the MDTI platform. An independent analysis of External Threat Intelligence Service providers by Forrester Wave called out MDTI for its "most expansive source of threat intelligence telemetry."
Microsoft telemetry has multiple uses, including assessing infrastructure on the internet to determine its reputation. Via our deep understanding of the threat landscape developed from collecting and analyzing internet data on a massive scale, Microsoft generates a reputation score for every entity we encounter. For example, specific email domains might have stricter spam filters or security measures in place due to a history of higher spam or phishing activity originating from those domains. Microsoft builds this reputation score from many factors; this is just one of the factors considered.
The telemetry surfaced within MDTI is a deeply connected set of datasets that enables a user to investigate hosts and IP addresses from multiple perspectives to help them understand where infrastructure is, the malicious tools associated with it, what other infrastructure it's connected to, how long it's been online, and more. Other Threat Intelligence features of MDTI include:
Finished Threat Intelligence articles produced by Microsoft Threat Intelligence teams
Sets of Indicators of Compromise (IoCs) that can be used in a variety of ways depending on the use case
Intel profiles on Threat Actor Groups, Threat Tooling, and Vulnerabilities
Introduction to Anomali ThreatStream
Many organizations correlate threat intelligence from multiple sources within a TIP to help better answer the questions raised by investigations. Anomali ThreatStream is a leading TIP that allows organizations to aggregate, enrich, and analyze threat intelligence data from diverse sources. All threat intelligence strategies must consider the different sources of threat intelligence they want to incorporate into a TIP.
TIPs enable security teams to detect, investigate, and mitigate potential risks more efficiently by correlating data from different sources. Integrating MDTI feeds with Anomali ThreatStream unlocks an array of advantages for cybersecurity professionals by opening up a range of datasets. This particular use case focuses on the IoCs and reputation scoring available within MDTI.
Benefits of Sending MDTI content to Anomali ThreatStream
Consolidated Threat Intelligence: Combining Defender Threat Intelligence with other relevant data in Anomali ThreatStream provides a consolidated view of potential threats. This holistic perspective empowers security analysts to make informed decisions and respond rapidly to evolving attacks.
View of the Solution
The key objective of this integration is to provide enrichment into Anomali from MDTI's broad range of datasets. Two common cases include:
Use the IoC feeds provided in MDTI within Anomali to show whether artifacts surfaced in Anomali have suspicious activity associated with them.
Use the reputation score to show whether artifacts have been identified by Microsoft as having a poor or bad reputation.
Value: As mentioned, threat intelligence collection will always have gaps, and there will be differences between providers in what each has seen. If an artifact surfaced within Anomali is in one of the MDTI IoC feeds or has a poor reputation, that shows Microsoft has identified malicious activity associated with the artifact.
Note: IoCs vs Artifacts – Both terms refer to infrastructure such as an IP address, host, or domain. The subtle difference is that an artifact is something observed that is not necessarily associated with malicious activity, whereas an IoC is known to be related to malicious activity: a piece of information or a pattern of activity that may indicate a security incident, such as a cyberattack. These indicators can be IP addresses, file hashes, URLs, or other data that help security professionals identify and respond to threats.
Figure: architecture of the solution
Integration Steps: Sending Defender Threat Intelligence to Anomali ThreatStream
The process of sending MDTI content to Anomali ThreatStream involves the following steps:
1) On your Microsoft Sentinel environment, proceed to the Data Connector tab and look for the Microsoft Defender Threat Intelligence Connector. Proceed to connect the source.
Figure: Enabling the MDTI Data connector in Microsoft Sentinel
Once the data connector is connected, confirm that the MDTI data feeds are being received by pivoting to the Threat Intelligence blade. It should look like this:
Figure: MDTI Indicators on Microsoft Sentinel Threat Intelligence blade
2) To proceed, deploy the Logic App, which is available at the MDTI GitHub link. You can find the Deploy to Azure button on the page. Clicking on it will prompt you to provide certain parameters.
Figure: Logic app deployment
Once you have input the parameters, proceed to review and create. Once this has been done, run the Logic App.
3) Once you run the Logic App, it queries the Log Analytics workspace and filters the MDTI feeds.
Read a brief overview of the Logic App below:
For IP addresses and hosts, the Logic App runs a reputation lookup against MDTI. Depending on your scoring parameter selection, it returns the IoCs above a certain reputation score, which are then sent as a POST request to Anomali ThreatStream:
Figure: View of the Logic App
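To make the filtering step concrete, the following is an added example (not the Logic App from the MDTI GitHub repository) that models the same flow in Python: take rows as a Log Analytics query on the ThreatIntelligenceIndicator table would return them, look up each artifact's MDTI reputation, keep only those at or above the chosen score threshold, and build the body for the POST to ThreatStream. The column names, the reputation result shape, and the ThreatStream payload fields (`objects`, `value`, `itype`, `confidence`) are assumptions for illustration.

```python
import json

# Constructed sample rows, shaped like a ThreatIntelligenceIndicator query result
# from the Sentinel workspace (column names assumed; values are documentation ranges).
SAMPLE_INDICATORS = [
    {"NetworkIP": "198.51.100.23", "DomainName": "", "ThreatType": "Botnet"},
    {"NetworkIP": "203.0.113.7", "DomainName": "", "ThreatType": "Scanner"},
    {"NetworkIP": "", "DomainName": "bad.example.net", "ThreatType": "Phishing"},
    {"NetworkIP": "", "DomainName": "unknown.example.org", "ThreatType": "Malware"},
]

# Constructed stand-in for the MDTI reputation lookup the Logic App performs
# (assumed shape: classification label plus a 0-100 score, higher is worse).
SAMPLE_REPUTATION = {
    "198.51.100.23": {"classification": "malicious", "score": 95},
    "203.0.113.7": {"classification": "neutral", "score": 10},
    "bad.example.net": {"classification": "suspicious", "score": 70},
}


def artifact_of(row):
    """Return the IP or host this row describes, and its ThreatStream itype."""
    if row["NetworkIP"]:
        return row["NetworkIP"], "mal_ip"
    return row["DomainName"], "mal_domain"


def select_for_export(rows, reputation, min_score):
    """Keep only artifacts whose MDTI reputation score meets the threshold.

    Artifacts with no reputation result are skipped rather than exported,
    so a failed lookup never turns into a ThreatStream indicator.
    """
    selected = []
    for row in rows:
        value, itype = artifact_of(row)
        rep = reputation.get(value)
        if rep is None or rep["score"] < min_score:
            continue
        selected.append({
            "value": value,
            "itype": itype,                  # assumed ThreatStream indicator type
            "confidence": rep["score"],      # reuse the reputation score as confidence
            "tags": [rep["classification"], row["ThreatType"]],
        })
    return selected


def build_threatstream_post(selected):
    """JSON body for the POST to the ThreatStream import endpoint (fields assumed)."""
    return json.dumps({"objects": selected})
```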
A successful run of the Logic App and the expected result can be seen below:
Outcome for POST Request in JSON:
Figure: Sample of POST request in JSON:
4) The POST request then sends the indicator to Anomali ThreatStream. Depending on the rules set in Anomali ThreatStream (auto approval or manual approval), the indicator is displayed so that the user can approve it for installation in ThreatStream.
Figure: Indicators received in Anomali ThreatStream
The integration of MDTI into Anomali ThreatStream strengthens an organization's cybersecurity resilience by enriching threat intelligence data and providing a comprehensive view of potential threats to help analysts answer relevant investigation-related questions quickly. By leveraging seamless integration between these powerful platforms, security teams can stay one step ahead of cyber adversaries and ensure a safer digital environment for their organization and customers.