Detecting & Analysing Threats


July 6, 2023
Microsoft Australia

The faster you act in a security incident, the faster you can resolve and remediate it. That’s why having a plan in advance is so important. We are here to help you get yours in a strong place.

What are the signs of an attack?

Sometimes an attack will be obvious because that’s what the attacker wants. For example, a ransomware attacker will almost always let you know they have control of your system to get you to pay up. However, even when a cyber-attack is less obvious, it will have left a trail of events before you find out: the initial entry, the accounts used, the hosts touched, the tools dropped. Reconstructing that chain is what lets you lock the attacker out for good rather than just cleaning up the one symptom you noticed, and it shows you which weakness to close so your system is not left open to the same attack again.

Common ways into a network:

The most common ways attackers get into a network are:

  1. Phishing emails. The attacker uses email to steal someone’s credentials or to get malware running on the user’s computer. From that foothold they move laterally across the network to reach your valued information.
  2. Compromised remote access. The attacker signs in remotely through a legitimate channel such as a VPN, remote desktop gateway or cloud console, typically using stolen, reused or weak credentials on an account without multi-factor authentication.
  3. Technical vulnerabilities. The attacker exploits unpatched, publicly disclosed vulnerabilities in internet-facing systems, and is quickest to act once exploit code is publicly available.

How to be on the lookout for attackers

Unfortunately, there’s no one tool or technique to detect an incident. You need good visibility across all areas of your network combined with good threat intelligence to build up your defence.

As a starting point:

  • Look for suspicious activity around user accounts (failed sign-in bursts followed by a success, sign-ins from new locations, new mailbox rules, privilege changes), on servers and at every network entry point.
  • Check what your identity and security platforms have already flagged, for example Azure Active Directory (AAD) sign-in and audit logs, Identity Protection risk detections and your Extended Detection and Response (XDR) incidents.
  • Look at your backups. Can you see any unusual activity? Files missing? Changes made? Attackers typically delete or encrypt backups and shadow copies before deploying ransomware so that you cannot recover without paying.
  • Inspect traffic and transaction logs from network appliances, your firewalls and your proxies for unusual destinations, volumes or protocols.
  • Look for device-level events. For example, you might see detections from your AV or EDR solution, or unexpected new scheduled tasks and services on endpoints.

Attackers work to maintain persistence in the network, which is why remediating the one thing you found (reimaging a single host, resetting a single password) might not be enough on its own. You need to be sure you’ve evicted the attacker permanently.

That means knowing:

  • How the attacker got into the network and how they kept their access.
  • How long they’ve been inside the network: hours, days or weeks.
  • Which accounts they’ve compromised.
  • What backdoors they’ve implanted.
  • Whether sensitive information was accessed and taken.

If you don’t have the answers, you can’t know if you’ve succeeded in booting them for good.
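The following script is an added example, not code from the original post or from Microsoft. It shows, over a constructed sample log (not real telemetry), the kind of checks described above for user accounts, backups and device-level events, and then uses the resulting alerts to answer the eviction questions just listed: earliest sign of compromise, dwell time, compromised accounts, backdoors and backup tampering. The log line format, the field names, the alert thresholds and the command-line signatures are all assumptions chosen for the example; real sign-in and endpoint telemetry would need its own parser.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): sign-in events and endpoint command
# lines in an assumed '<ts> <kind> k=v k="v with spaces"' format, timestamps in UTC.
SAMPLE_LOG = r"""
2023-06-26T09:12:04Z signin user=alice ip=198.51.100.7 country=AU result=success
2023-06-26T17:40:11Z signin user=alice ip=198.51.100.7 country=AU result=success
2023-06-27T08:03:50Z signin user=bob ip=198.51.100.8 country=AU result=success
2023-06-29T02:14:03Z signin user=alice ip=203.0.113.9 country=NL result=failure
2023-06-29T02:14:09Z signin user=alice ip=203.0.113.9 country=NL result=failure
2023-06-29T02:14:15Z signin user=alice ip=203.0.113.9 country=NL result=failure
2023-06-29T02:14:21Z signin user=alice ip=203.0.113.9 country=NL result=failure
2023-06-29T02:14:27Z signin user=alice ip=203.0.113.9 country=NL result=failure
2023-06-29T02:14:40Z signin user=alice ip=203.0.113.9 country=NL result=success
2023-06-29T02:31:55Z endpoint host=WS01 user=alice cmd="schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon"
2023-06-30T11:20:02Z signin user=bob ip=203.0.113.9 country=NL result=failure
2023-06-30T11:20:08Z signin user=bob ip=203.0.113.9 country=NL result=failure
2023-07-01T03:05:12Z endpoint host=FS01 user=alice cmd="vssadmin delete shadows /all /quiet"
2023-07-01T03:06:00Z endpoint host=FS01 user=alice cmd="wbadmin delete catalog -quiet"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log(text):
    """Parse the assumed key=value line format into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, rest = line.split(" ", 2)
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind, **fields})
    return sorted(events, key=lambda e: e["ts"])

def alert(e, rule, detail):
    return {"ts": e["ts"], "user": e.get("user"), "rule": rule, "detail": detail, "event": e}

def detect_brute_force_success(events, threshold=5, window=timedelta(minutes=10)):
    """A success preceded by >= threshold failures for the same user and IP within window."""
    signins = [e for e in events if e["kind"] == "signin"]
    alerts = []
    for i, e in enumerate(signins):
        if e["result"] != "success":
            continue
        fails = [f for f in signins[:i] if f["user"] == e["user"] and f["ip"] == e["ip"]
                 and f["result"] == "failure" and e["ts"] - f["ts"] <= window]
        if len(fails) >= threshold:
            alerts.append(alert(e, "brute_force_then_success",
                                f"{len(fails)} failures from {e['ip']} before success"))
    return alerts

def detect_new_country(events):
    """A successful sign-in from a country this user has never succeeded from before."""
    seen, alerts = {}, []
    for e in events:
        if e["kind"] != "signin" or e["result"] != "success":
            continue
        known = seen.setdefault(e["user"], set())
        if known and e["country"] not in known:
            alerts.append(alert(e, "new_country", f"first success from {e['country']}, baseline {sorted(known)}"))
        known.add(e["country"])
    return alerts

# Assumed command-line signatures for persistence and for backup/shadow-copy destruction
# ahead of ransomware deployment; matched case-insensitively as substrings.
PERSISTENCE_SIGS = ("schtasks /create", "sc create", "new-inboxrule")
BACKUP_TAMPER_SIGS = ("vssadmin delete shadows", "wbadmin delete catalog",
                      "wmic shadowcopy delete", "recoveryenabled no")

def detect_commands(events, sigs, rule):
    """Endpoint command lines containing any of the given signatures."""
    return [alert(e, rule, e["cmd"]) for e in events
            if e["kind"] == "endpoint" and any(s in e["cmd"].lower() for s in sigs)]

def run_detections(events):
    alerts = (detect_brute_force_success(events) + detect_new_country(events)
              + detect_commands(events, PERSISTENCE_SIGS, "persistence")
              + detect_commands(events, BACKUP_TAMPER_SIGS, "backup_tampering"))
    return sorted(alerts, key=lambda a: (a["ts"], a["rule"]))

def scope_incident(events, alerts, now=None):
    """Answer the eviction questions: when they got in, how long they have been in,
    which accounts, which backdoors, and whether backups were tampered with."""
    if not alerts:
        return None
    now = now or max(e["ts"] for e in events)      # dwell time as of the last log entry
    first = min(a["ts"] for a in alerts)
    attacker_ips = {a["event"]["ip"] for a in alerts if a["event"]["kind"] == "signin"}
    return {
        "initial_access": first,
        "dwell_time": now - first,
        "compromised_accounts": sorted({a["user"] for a in alerts}),
        # accounts the attacker touched from the same IPs, even without a success: pivot on these
        "targeted_from_attacker_ips": sorted({e["user"] for e in events if e.get("ip") in attacker_ips}),
        "persistence": [a["detail"] for a in alerts if a["rule"] == "persistence"],
        "backup_tampering": [a["detail"] for a in alerts if a["rule"] == "backup_tampering"],
    }

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    alerts = run_detections(events)
    for a in alerts:
        print(a["ts"].isoformat(), a["rule"], a["user"], a["detail"])
    for key, value in scope_incident(events, alerts).items():
        print(f"{key}: {value}")
```

On the sample data the script raises five alerts, all on alice: a brute-force-then-success and a new-country sign-in at the same moment, a scheduled-task backdoor seventeen minutes later, and two backup-destruction commands two days after that. The scope summary puts initial access at that first success, gives a dwell time of just over two days as of the last log entry, and lists bob as targeted from the attacker’s IP even though no sign-in succeeded, which is exactly the kind of pivot that turns one alert into a full picture of what was compromised. The thresholds are deliberately simple; in production they would be tuned to your own sign-in baseline.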

Prepare, plan, and then plan some more

Detecting and analysing incidents means managing processes, people, and technology.

We know lots about how attackers operate, their tools and methods. Use the knowledge that’s out there to plan how you’d respond to an incident. Document, test and then refine that plan.

People

Get the right people engaged now, including Senior Executives. If everyone knows their role in advance, you’ll skip the “headless chook period” where everyone is running around trying to work out what to do.

Technology

You need good visibility of what’s happening on as much of your fleet as possible.

How Microsoft’s technology can help detect incidents

Microsoft is committed to empowering security operations analysts and defenders with an integrated toolset and security intelligence.

Extended Detection and Response, or XDR, is an emerging technology in threat protection. By correlating signals from endpoints, identities, email and cloud applications into a single incident view, XDR makes security operations teams more efficient and effective in getting ahead of threats or responding to security incidents.

Detecting and analysing threats early is critical to fast, effective recovery and remediation. The better prepared you are to investigate then reconstruct an incident in detail, the better your response will be.



This post was written by Microsoft Australia