Defender Experts’ recommendations for impactful security posture management

Introduction

The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents.

 

While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world.

 

Top Configuration Recommendations

Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR.

 

Microsoft Defender for Office

--------------------------------------------------------------------------------------------------------

 

Restrict user ability to release emails from quarantine

The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged.

 

Fortunately, regardless of the quarantine policy applied, users can't release their own messages that were quarantined as malware or high confidence phishing - they can only request their release. But for all other emails detected as phishing, one of the following permissions groups must be applied in order to prevent unrestricted quarantine release.

 

• Limited access permissions group
  • This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender).
• No access permissions group
  • No access is the most restrictive permissions group that can be applied to a quarantine policy. The default quarantine policy AdminOnlyAccessPolicy uses this permissions group. When this is configured, the most that a user could do with a quarantined message is view the email headers.

 

Implementation

Within the Microsoft Defender portal under Quarantine policy, create a new policy leveraging Limited access, No access, or Specific access with the action “Allow recipients to request a message to be released from quarantine.” Then apply this quarantine policy to your anti-phishing, anti-spam, and anti-malware policies.

 

• Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn

• Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn

 

 

Microsoft Defender for Endpoint

-------------------------------------------------------------------------------------------------------

 

Enable tamper protection

Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise.

 

Implementation

Enable tamper protection via the Defender Portal, Intune, or Configuration Manager.

 

• Protect security settings with tamper protection | Microsoft Learn

 

Enable network protection in block mode

Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOs devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections will also be blocked from all other supported browsers (Chrome, Firefox, Brave, and Opera, etc.) and non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, Ips, and URLs.

 

If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization?

 

Implementation

Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager.

 

• Turn on network protection | Microsoft Learn     

 

Block untrusted and unsigned processes that run from USB

This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps, .vbs, .js, etc.) that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread this using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware.

 

Implementation

Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.

 

• Block untrusted and unsigned processes that run from USB | Microsoft Learn

 

Block JavaScript or VBScript from launching downloaded executable content

This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims.

 

Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking.

 

Implementation

Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.

 

• Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn

 

Block Office applications from creating executable content

This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well.

 

Implementation

Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.

 

• Block Office applications from creating executable content | Microsoft Learn

 

Block executable content from email client and webmail        

This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be.

 

Implementation

Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.

 

• Block executable content from email client and webmail | Microsoft Learn

 

 

Microsoft Entra ID

-------------------------------------------------------------------------------------------------------

 

Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID

For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control:

 

• Global administrator
  • The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly.
• Billing administrator
  • The power of the billing admin is less widely known, but it can in fact take over a tenant from anyone, including the global admin! With the power to move subscriptions to an associated billing tenant, the billing admin could transfer subscriptions to a tenant where they hold global admin, giving them complete control.

 

Implementation

Within Entra ID, create a Conditional Access policy that applies to administrative roles requiring MFA on all cloud applications.

 

• Require MFA for administrators with Conditional Access - Microsoft Entra ID | Microsoft Learn

 

Require MFA for self-service password reset (SSPR)

Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR permits four types of authentication methods, which includes email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference.

 

Implementation

Within Entra ID under password reset, set authentication methods to two.

 

• Select authentication methods and registration options - Microsoft Entra ID | Microsoft Learn

 

 

Microsoft Defender for Identity

-------------------------------------------------------------------------------------------------------

 

Set a honeytoken account

A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact.

 

Implementation

Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken.

 

• Entity tags in Microsoft Defender for Identity - Microsoft Defender for Identity | Microsoft Learn

 

Conclusion

Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.

 

If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.