So, you are ready to use Defender Threat Intelligence to uncover threat actors at scale and enhance your security operations. Defender Threat Intelligence can help identify and eliminate modern threats and their infrastructure with dynamic threat intelligence by applying the following capabilities:
To effectively determine the benefits of adopting Defender Threat Intelligence, you should perform a Proof of Concept (PoC). Before enabling Defender Threat Intelligence, you and your team should go through a planning process to determine a series of tasks that must be accomplished in this PoC.
Below, I’ll highlight the planning phases you and your team should undertake.
Based on the scope, you can start determining the requirements for this PoC:
How to measure success is important to establish before starting your PoC because this will help you set the right expectations to gauge whether your PoC was a success or not.
The next “Implementation and Technical Validation” section closely follows our Microsoft Defender Threat Intelligence (MDTI) Ninja Training series. If you aren’t familiar with Defender Threat Intelligence or our legacy RiskIQ PassiveTotal or Illuminate solutions, it is highly encouraged to take the Defender Threat Intelligence Ninja Training and perform the exercises laid out in modules 3 and 6. At the end, if you receive an 80% or higher, you can take the and request a certificate. This is not an official Microsoft certificate. However, it will recognize your efforts in completing the MDTI Ninja Training.
Identify whether an artifact (IP, domain, or host) appears in any threat intelligence articles, what its reputation score is and why, which analyst insights are present, and what detailed internet telemetry exists for it under the Data tab.
Infrastructure chaining is a method by which previously unknown relationships between indicators are brought to the surface. The illustration below shows how starting with one artifact—in this case, a malware sample—leads to identifying more entities that could serve as investigative leads for incident response or threat hunting.
Figure: Infrastructure chaining concept
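To make the chaining idea concrete, here is an added example (not MDTI code) that pivots breadth-first from a seed artifact across a constructed graph of passive-DNS, WHOIS and TLS-certificate style relationships; every artifact, edge and the fan-out threshold below is constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed relationships: (artifact, relation, related artifact). Not real telemetry.
EDGES = [
    ("sample:0123abcd", "contacts", "evil-update.example"),
    ("evil-update.example", "resolves_to", "203.0.113.10"),
    ("203.0.113.10", "hosts", "cdn-sync.example"),
    ("cdn-sync.example", "registrant_email", "reg@mailbox.example"),
    ("reg@mailbox.example", "registered", "portal-login.example"),
    ("evil-update.example", "tls_cert", "sha1:deadbeef"),
    ("sha1:deadbeef", "cert_on", "203.0.113.77"),
    ("cdn-sync.example", "resolves_to", "198.51.100.1"),
]
# Constructed shared-hosting IP with hundreds of unrelated tenants behind it.
EDGES += [("198.51.100.1", "hosts", f"tenant{i}.example") for i in range(200)]

def build_graph(edges):
    """Undirected adjacency list so an analyst can pivot in either direction."""
    graph = defaultdict(set)
    for src, rel, dst in edges:
        graph[src].add((rel, dst))
        graph[dst].add((rel, src))
    return graph

def chain(seed, edges=EDGES, max_depth=5, max_fanout=25):
    """Breadth-first pivot from seed; returns {artifact: (depth, path)}.

    Nodes with more than max_fanout relationships (shared hosting, registrar
    mailboxes, CDN certificates) are recorded but never pivoted through: what
    sits behind them is noise, not a lead.
    """
    graph = build_graph(edges)
    found = {seed: (0, [seed])}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        depth, path = found[node]
        if depth >= max_depth or len(graph[node]) > max_fanout:
            continue
        for rel, nxt in sorted(graph[node]):
            if nxt not in found:
                found[nxt] = (depth + 1, path + [f"-{rel}->", nxt])
                queue.append(nxt)
    return found

def leads(seed, **kw):
    """Domains and IPs reachable from the seed, i.e. candidate hunting leads."""
    return sorted(a for a in chain(seed, **kw) if not a.startswith(("sample:", "sha1:", "reg@")))
```

The max_fanout cut-off is the part worth keeping: raise it and the 200 unrelated tenant hosts behind the shared IP flood the lead list.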
Since analysts usually work in collaboration, sharing work is paramount to ensuring people are not duplicating efforts and that there is a record of actions taken for a given case. Defender Threat Intelligence Projects are a lightweight case-management feature that enables analysts to work together when collecting indicators of compromise related to an investigation. This could be in response to an incident or proactively fingerprinting an actor’s infrastructure targeting their industry or organization.
Figure: Creating a Project in MDTI and adding an artifact to the project
Microsoft Sentinel users can use Defender Threat Intelligence indicators to generate detections within Microsoft Sentinel. You can see how to integrate with Microsoft Sentinel and identify detections here: MDTI Detections in Microsoft Sentinel. The key prerequisite for this PoC scenario is a Sentinel Log Analytics workspace that already ingests the relevant log types (CEF, DNS & Syslog) and has the Microsoft Threat Intelligence analytics rule enabled.
Figure: actions for Microsoft Sentinel and MDTI (IOC and Incident View)
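As an added example (not Microsoft's analytics rule or code from this post), the join that the Microsoft Threat Intelligence analytics rule performs can be sketched in Python: indicators shaped like ThreatIntelligenceIndicator rows are filtered to active, unexpired ones and matched against constructed DNS, CEF and Syslog records. Table and column names mirror Sentinel's; every indicator and log record is constructed.

```python
import re
from datetime import datetime, timezone

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed clock for the example

# Constructed indicators, shaped like ThreatIntelligenceIndicator rows.
INDICATORS = [
    {"DomainName": "evil-update.example", "NetworkIP": None, "Active": True,
     "ExpirationDateTime": "2024-06-01T00:00:00Z", "ConfidenceScore": 90},
    {"DomainName": None, "NetworkIP": "203.0.113.10", "Active": True,
     "ExpirationDateTime": "2024-06-01T00:00:00Z", "ConfidenceScore": 85},
    {"DomainName": "old-phish.example", "NetworkIP": None, "Active": True,
     "ExpirationDateTime": "2024-01-01T00:00:00Z", "ConfidenceScore": 70},  # expired
    {"DomainName": "retired.example", "NetworkIP": None, "Active": False,
     "ExpirationDateTime": "2024-06-01T00:00:00Z", "ConfidenceScore": 70},  # inactive
]
# Constructed records from the three log types the PoC expects.
DNS_EVENTS = [{"ClientIP": "10.0.0.5", "Name": "EVIL-update.example"},
              {"ClientIP": "10.0.0.6", "Name": "old-phish.example"},
              {"ClientIP": "10.0.0.7", "Name": "retired.example"}]
CEF_EVENTS = [{"SourceIP": "10.0.0.5", "DestinationIP": "203.0.113.10"}]
SYSLOG = ["May  1 10:02:11 fw1 kernel: OUT dst=203.0.113.10 proto=TCP dpt=443",
          "May  1 10:02:12 fw1 kernel: OUT dst=192.0.2.9 proto=TCP dpt=80"]

def active_indicators(indicators, now=NOW):
    """Same filter the analytics rule applies: Active and not yet expired."""
    live = {}
    for ind in indicators:
        exp = datetime.fromisoformat(ind["ExpirationDateTime"].replace("Z", "+00:00"))
        if ind["Active"] and exp > now:
            live[(ind["DomainName"] or ind["NetworkIP"]).lower()] = ind
    return live

def match(indicators=INDICATORS, now=NOW):
    """Join each log source on its observable; returns (table, ioc, host, confidence) per hit."""
    live = active_indicators(indicators, now)
    hits = []
    for e in DNS_EVENTS:                       # DnsEvents: join on the queried name
        if e["Name"].lower() in live:
            hits.append(("DnsEvents", e["Name"].lower(), e["ClientIP"]))
    for e in CEF_EVENTS:                       # CommonSecurityLog: join on destination IP
        if e["DestinationIP"] in live:
            hits.append(("CommonSecurityLog", e["DestinationIP"], e["SourceIP"]))
    for line in SYSLOG:                        # Syslog: parse dst= out of free text
        m = re.search(r"\bdst=(\S+)", line)
        if m and m.group(1) in live:
            hits.append(("Syslog", m.group(1), line.split()[3]))
    return [h + (live[h[1]]["ConfidenceScore"],) for h in hits]
```

The expired and inactive rows are the edge case a PoC should verify: they must not raise incidents, and case-insensitive domain matching must still catch the mixed-case DNS query.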
Scenarios to evaluate when integrating with Sentinel.
File Hash and URL Search in MDTI enables researchers, analysts, hunters, and security responders to search for high-quality threat intelligence (verdict and associated metadata) on files and URLs and use this TI in their threat hunting and investigation activities. This capability leverages the threat intelligence that Microsoft produces through static and dynamic analysis of files and URLs inside and outside its ecosystem. It has been missing from MDTI and is one of the most requested customer features.
Common Use-Cases & Scenarios:
1. As an MDTI user, when I encounter a suspicious file I want to search its file hash in MDTI to obtain meaningful TI about this file, so that I can use it in my research, analysis, and hunting activities.
2. As an MDTI user, when I encounter a suspicious URL I want to search the URL in MDTI to obtain meaningful TI about this URL, so that I can use it in my research, analysis, and hunting activities.
1. Detonation TI on URL search
As an MDTI user, I can search by the full associated URL of a suspicious URL/domain, in order to obtain relevant Threat Intelligence (TI) that can be used in my research analysis and hunting activities.
- Identify the full URL you want to investigate and paste it into the search bar of the MDTI Workbench.
Figure: URL added to the search bar of the MDTI Workbench
- Click the search icon; MDTI detonates the URL and returns the results for it.
Figure: detonation analysis results (detonation screenshots, reputation scoring, original URL, last seen)
2. Detonation TI on File Hash search
As an MDTI user, I can search by the file hash of a suspicious file, in order to obtain relevant Threat Intelligence (TI) that can be used in my research analysis and hunting activities.
- Identify the file hash you want to investigate and paste it into the search bar of the MDTI Workbench.
Figure: file hash added to the search bar of the MDTI Workbench
- Click the search icon; MDTI detonates the file and returns the results for that hash.
Figure: detonation analysis results (file hash, reputation, score, last seen, detonation analysis, detonation screenshot, file name)
Intel Profiles are active, finished intelligence on the threats facing you and your organization. Profiles are updated daily as new information is discovered. Intel Profiles are split into two sections, Threat actors and Tools, which give organizations an understanding of the threat actors active on the internet, their observed targets, their methods of attack, and the infrastructure and tooling they have been observed using.
Common Use-Cases & Scenarios for Intel Profiles
Security Operations Center (SOC):
- Identify intel profiles by searching an artifact or keyword
- Triage events raised within their security tooling
- Enrich these events with TI context, including the threat actor
- Save SOC analysts' time
- Evaluate the response(s) and increase their understanding of the threat(s)

Cyber threat intelligence (CTI) analysts:
- Synthesize adversary intelligence and pass it along to their hunting counterparts
- Search for threat activity within their ecosystems using behaviors and IoCs to guide their analyses
- Use a catalog of threat actors to better understand the threat landscape
- Prioritize which actors their team should focus on most
- Use detailed threat actor information as starting points for proactive investigations
- Listing the Threat actors within the Intel profiles
- Narrowing down to a specific Threat actor
- Narrowing down to specific tooling
Identify how the MDTI offering provided value to your organization’s overall business during the PoC.
We hope you found this blog helpful in understanding the value Defender Threat Intelligence (MDTI) can provide. If you have inquiries regarding threat intelligence use cases mentioned or not mentioned in this blog and are not currently working with a Defender Threat Intelligence Technical Specialist or Global Black Belt, please email email@example.com.
We would love to hear any ideas you may have to improve our MDTI platform or where our threat intelligence could be used elsewhere across the Microsoft Security ecosystem or other security 3rd party applications. Feel free to email firstname.lastname@example.org to share that feedback as well. If you are currently working with an MDTI Technical Specialist or Global Black Belt through this PoC, please communicate your requested use cases and/or product feedback to him/her directly.
Please join our Cloud Security Private Community if you’re not a member and follow our MDTI Private & Public Preview events in our MS Defender Threat Intelligence channel. You will not have access to this Teams channel until you are a Cloud Security Private Community member. Users who would like to help influence the direction and strategy of our MDTI product are encouraged to sign up for our Private Preview events. Those participating will earn credit towards the respective Microsoft product badges delivered by Credly.
If you are interested in working with an MDTI Technical Specialist or Global Black Belt, please contact our Sales team by filling out this form.