Microsoft Defender XDR Blog

Detecting browser anomalies to disrupt attacks early

Bharat_Vaghela
Sep 18, 2024

Detecting browser anomalies is crucial for identifying and stopping cyber threats early: monitoring for unexpected browser activity can catch an intrusion before it becomes a data breach. Browser anomaly detections spot unusual session activity and stop attackers from impersonating legitimate users. In Adversary-in-the-Middle (AiTM) attacks, they help identify the unauthorized interception of a session cookie, which an attacker can replay to act as the user without knowing the password or completing MFA. By responding swiftly to these early signals, organizations can contain potential security incidents before they escalate. Microsoft Defender XDR offers a variety of detections that identify browser anomalies and disrupt attacks automatically.

Microsoft Defender XDR's automatic attack disruption stops in-progress attacks and minimizes their impact on organizational assets by isolating compromised assets, giving security teams more time to fully remediate incidents. By disrupting attacks early, it helps prevent the spread of threats and reduces wider consequences such as financial costs and lost productivity.

This blog post shows how browser anomalies and malicious sign-in traits are used to trigger attack disruption at the earliest stages, before attackers achieve their objectives.

Browser-related information, such as the user-agent string, identifies the type of browser a client is using, its version, and the operating system. Detecting anomalies in browser usage can play a critical role in identifying malicious activity. For example, if a user's account is unexpectedly accessed from a different browser or a distant geographical location, the account may have been compromised. Monitoring changes in browser usage is also essential for detecting session hijacking, where an attacker takes control of a user session after the user has authenticated: because the attacker replays the stolen session cookie from their own machine, the session typically continues from a different browser, operating system, or IP address than the one that established it. Session hijacking opens critical attack paths such as multi-stage AiTM phishing, Business Email Compromise (BEC), and persistence through the creation of OAuth applications. Maintaining the integrity of a session requires consistency in the user's attributes, including the browser; any sudden change in these attributes can signal a potential security threat. Keep in mind that the user-agent string is supplied by the client and is trivial to spoof, so a matching user-agent never proves a session is legitimate; it is the mismatch that carries signal.

Identifying threats via browser anomalies demands careful analysis of the patterns and discrepancies in browser-related information, such as the user-agent string, across a user's sign-in events. A discrepancy in browser-related information alone rarely provides enough context to call something an anomaly: a browser update, a new device, or a VPN can all change these values legitimately. Efficient detection therefore correlates browser-related information with additional behavioral and environmental data. Microsoft Defender XDR employs several such techniques, using robust signals from Microsoft Entra to bolster confidence.

Here is the systematic approach used to detect browser anomalies:

  • Data collection – Gather data from user sign-in activities, focusing on browser-related information such as the user-agent string, operating system, browser cookie, session ID, IP address, and location.
  • Baseline establishment – Build a baseline profile of expected behavior for users or groups by analyzing historical data to identify normal patterns of browser usage, location, and IP address, then flag deviations from that baseline using heuristic analysis.
  • Real-time monitoring and anomaly detection – Microsoft Entra ID Protection continuously monitors for anomalies before, during, and after sign-in sessions in real time using UEBA and machine-learning algorithms. Strengthen your posture by implementing risk-based Conditional Access policies that integrate with Defender XDR, so that risks such as browser switching, an unusual browser or user-agent, and geographical inconsistencies are assessed proactively.
  • Correlating threat intelligence – Enhance detection by analyzing past attack patterns and monitoring the infrastructure of known threat actors, focusing on user-agent strings linked to known threats or observed in previous real attacks.

Using these high-confidence signals from Entra ID, Defender XDR provides multiple detectors that identify browser anomalies with high confidence. These detectors are enabled for automatic attack disruption, which disables the compromised user account in both Active Directory and Entra ID to prevent the attack from progressing.

Below is a list of detections that automatically disrupt attacks based on browser anomalies.

Detection: User signed in from suspicious browser and location
Description: This XDR detection triggers on a successful sign-in from a suspicious browser and location.

Detection: User compromised through session cookie hijack
Description: This detection triggers on malicious sign-in activity involving multiple browsers or unusual browser switching within the same session. Read more about session hijacking and how to prevent, detect, and respond to cloud token theft.

Detection: BEC-related authentication
Description: This detection triggers when the presence of a threat actor is confirmed from previous attack patterns and a malicious user-agent, combined with a browser anomaly raised by real-time sign-in risk.
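To make the four-step approach and the three detections above concrete, here is an added example, not Microsoft's detection code and not part of the original post, that runs the same logic over a handful of constructed sign-in records: build a per-user baseline from history, then flag a sign-in whose browser family and country are both unseen, a session ID that is continued by a different browser/OS than the one that established it, and a user-agent on a threat-intelligence watchlist. The record fields (ts, user, session_id, user_agent, ip, country), the UA_WATCHLIST entries, and the coarse browser and OS classification are assumptions made for the illustration, not the Entra ID or Defender XDR schema; the real detectors additionally use Entra ID Protection risk signals that this toy does not have.

```python
import re
from collections import defaultdict
from typing import NamedTuple


class SignIn(NamedTuple):
    """One sign-in record. Field names are assumptions for this example."""
    ts: int           # constructed epoch seconds, used only for ordering
    user: str
    session_id: str   # identifier bound to the session cookie
    user_agent: str
    ip: str
    country: str


# Constructed user-agent strings used by the sample records.
UA_EDGE_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0")
UA_CHROME_LINUX = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36")
UA_FIREFOX_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 14.6; rv:130.0) "
                  "Gecko/20100101 Firefox/130.0")
UA_SCRIPT = "python-requests/2.32.3"

# Step 4 input: placeholder watchlist standing in for user-agents that your
# threat intelligence has tied to earlier attacks (assumption, not a real feed).
UA_WATCHLIST = ("python-requests/",)


def browser_family(ua: str) -> str:
    """Coarse browser family. Order matters: Edge also advertises Chrome and
    Safari, and Chrome also advertises Safari."""
    for token, name in (("Edg/", "Edge"), ("Firefox/", "Firefox"),
                        ("Chrome/", "Chrome"), ("Safari/", "Safari")):
        if token in ua:
            return name
    return "Other"


def os_family(ua: str) -> str:
    """Coarse OS family. iOS is tested before macOS because iPhone/iPad
    user-agents also contain 'like Mac OS X'."""
    for pattern, name in ((r"Windows NT", "Windows"), (r"iPhone|iPad", "iOS"),
                          (r"Mac OS X", "macOS"), (r"Android", "Android"),
                          (r"Linux", "Linux")):
        if re.search(pattern, ua):
            return name
    return "Other"


def build_baseline(history):
    """Step 2: per-user sets of seen browsers, OSes and countries, plus the
    (browser, OS) fingerprint that first established each session."""
    profile = defaultdict(lambda: {"browsers": set(), "oses": set(), "countries": set()})
    sessions = {}
    for e in sorted(history, key=lambda e: e.ts):
        fp = (browser_family(e.user_agent), os_family(e.user_agent))
        profile[e.user]["browsers"].add(fp[0])
        profile[e.user]["oses"].add(fp[1])
        profile[e.user]["countries"].add(e.country)
        sessions.setdefault(e.session_id, fp)
    return profile, sessions


def detect(events, profile, sessions, ua_watchlist):
    """Steps 3 and 4: evaluate new sign-ins against the baseline and the
    watchlist. Returns (detection name, user, session_id) tuples in time order."""
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        fp = (browser_family(e.user_agent), os_family(e.user_agent))
        p = profile.get(e.user)  # None for a user with no history
        # Unseen browser family AND unseen country together. Either one alone
        # (a browser upgrade, a business trip) is too weak to act on.
        if p and fp[0] not in p["browsers"] and e.country not in p["countries"]:
            alerts.append(("User signed in from suspicious browser and location",
                           e.user, e.session_id))
        # The same session cookie presented by a different browser/OS than the
        # one that established the session: the cookie is being replayed.
        if sessions.setdefault(e.session_id, fp) != fp:
            alerts.append(("User compromised through session cookie hijack",
                           e.user, e.session_id))
        # User-agent previously tied to attacks.
        if any(bad in e.user_agent for bad in ua_watchlist):
            alerts.append(("BEC-related authentication", e.user, e.session_id))
    return alerts


def run_example():
    """Constructed data: alice normally uses Edge on Windows from the US."""
    history = [
        SignIn(1000, "alice@contoso.com", "s1", UA_EDGE_WIN, "203.0.113.10", "US"),
        SignIn(1500, "alice@contoso.com", "s2", UA_EDGE_WIN, "203.0.113.10", "US"),
    ]
    new_events = [
        # New browser from a new country, fresh session.
        SignIn(2000, "alice@contoso.com", "s3", UA_FIREFOX_MAC, "198.51.100.7", "NL"),
        # Session s2 (established by Edge/Windows) now continued by Chrome/Linux.
        SignIn(2100, "alice@contoso.com", "s2", UA_CHROME_LINUX, "198.51.100.9", "US"),
        # Scripted client on the watchlist, user with no baseline.
        SignIn(2200, "bob@contoso.com", "s9", UA_SCRIPT, "198.51.100.11", "US"),
        # Benign: same browser, same country, same session.
        SignIn(2300, "alice@contoso.com", "s1", UA_EDGE_WIN, "203.0.113.10", "US"),
    ]
    profile, sessions = build_baseline(history)
    return detect(new_events, profile, sessions, UA_WATCHLIST)


if __name__ == "__main__":
    for name, user, sid in run_example():
        print(f"{name}: {user} (session {sid})")
```

Running it raises three alerts (Firefox/macOS from NL, session s2 continued by Chrome/Linux, and bob's scripted client) and nothing for alice's benign re-sign-in. The point worth carrying into real rules is in the first check: it requires two independent deviations before it fires, which is the cheapest form of the correlation the post describes. The second check is the one that survives a spoofed user-agent badly, since an attacker who copies the victim's user-agent into their AiTM proxy will match the fingerprint; that is why the product pairs it with IP, location, and Entra risk signals rather than relying on the browser string alone.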

 

Below is a real-world example of how these detectors will stop attack progression by performing early disruption.

Figure 1. Disrupt attack progression at earliest based on browser anomaly detections

 

The Business Email Compromise (BEC) attack began with a malicious sign-in to Office Home that carried a browser anomaly, which led to further account compromises and a phishing campaign. Defender XDR disrupted the attack early in the kill chain, based on prevalent signals and anomaly detections, and stopped its progression without SOC intervention.

 

Microsoft's XDR Effectively Contains Attacks, Thwarting Attacker Objectives

Figure 2. An example of a contained incident by user disruption, with attack disruption tag

 

SOC teams keep full control: they can configure automatic attack disruption and easily revert any of its actions from the security portal.

 

Get started

  1. Make sure your organization fulfills the Microsoft Defender XDR prerequisites.
  2. Connect Microsoft Defender for Cloud Apps.
  3. Deploy Microsoft Entra ID Protection.
  4. Deploy Microsoft Defender for Endpoint. A free trial is available here.
  5. Deploy Microsoft Defender for Identity.

Adversary-in-the-middle (AiTM) supported by automatic attack disruption

 

Updated Sep 18, 2024
Version 1.0