Microsoft Security Saturday – 10/2/2021

A guide to combatting human-operated ransomware: Part 2
This blog is part two of a two-part series focused on how Microsoft DART helps customers with human-operated ransomware. For more guidance on human-operated ransomware and how to defend against these extortion-based attacks, refer to our human-operated ransomware docs page.

FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor
Microsoft continues to work with partners and customers to track and expand our knowledge of the threat actor we refer to as NOBELIUM, the actor behind the SUNBURST backdoor, TEARDROP malware, and related components. As we stated before, we suspect that NOBELIUM can draw from significant operational resources often showcased in their campaigns, including custom-built malware and tools.

How nation-state attackers like NOBELIUM are changing cybersecurity
This is the first post in a four-part series on the NOBELIUM nation-state cyberattack. Microsoft started telling the industry about this extremely advanced cyberattack in December 2020. The NOBELIUM blog series—which mirrors Microsoft’s four-part video series “Decoding NOBELIUM”—will pull the curtain back on the world of threat detection and showcase insights from cybersecurity professionals on the front lines, both Microsoft defenders and other industry experts.

Defend against zero-day exploits with Microsoft Defender Application Guard
Isolation is fully embedded into Microsoft Windows' chip-to-cloud security posture, enabling applications to run in state-of-the-art virtualization technology such as Microsoft Defender Application Guard (Application Guard), which significantly reduces the blast radius of a compatible application that becomes compromised.

General Availability of Azure Sentinel Threat Intelligence in Public and Azure Government cloud
Today we are announcing the general availability (GA) of Azure Sentinel Threat Intelligence in the Public cloud and in the Azure Government cloud within 30 days from today.

Monitoring Azure Sentinel Analytical Rules – Push Health Notifications
Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for the SOC to triage and investigate, and respond to threats with automated tracking and remediation processes.

Querying WHOIS/Registration Data Access Protocol (RDAP) with Azure Sentinel and Azure Functions
Azure Sentinel offers several tools we can use to automate tasks. One method is Playbooks, which are based on Azure Logic Apps and provide an outstanding way to create a visual flow for an automation process. We could have used one here (in fact, in v1 of this solution I did exactly that); however, there is another method we can use as well: Azure Functions.

The Azure Sentinel Anomalies Simulator
We are pleased to announce the “Unusual Mass Downgrade AIP Label” anomaly simulator, the first in a series of simulators for Azure Sentinel Anomalies. This simulator will populate the table in Azure Sentinel monitored by the relevant anomaly rule with simulated data.

Streamline your DDoS management with new Azure Firewall Manager capabilities
Azure Firewall Manager is a security management service that provides a central security policy for cloud-based security perimeters. Through Azure Firewall Manager, customers can automatically deploy a firewall to a virtual network or secured virtual hub.

CloudKnox acquisition: what’s available now and what’s coming soon
It’s been a couple of months since we announced the acquisition of CloudKnox Security, and our teams have been hard at work integrating the CloudKnox technology. I am thrilled to see the excitement and the interest this news has generated. Many of you have reached out with questions, so I’ll share an update on our progress and answer some of these questions.

Microsoft Cloud App Security (MCAS) Ninja Training | September 2021
MCAS has hundreds of amazing videos available, and it can sometimes be overwhelming to determine where to start and how to progress through the different levels. We’ve gone through all of these and created this repository of training materials, all in one central location! Please let us know what you think in the comments.

Become a Microsoft 365 Advanced eDiscovery NINJA
In this blog post, we share the top resources for eDiscovery users to become masters of the Advanced eDiscovery solution in Microsoft 365! After each level, we offer you a knowledge check based on the training material you have just completed. The goal of the knowledge checks is to help ensure understanding of the key concepts that were covered.

Attack Simulation Training: Service Availability in New Regions
Attack Simulation Training is an intelligent phishing risk-reduction tool that measures behavior change and automates the design and deployment of an integrated security awareness training program across an organization. It became generally available at the start of the year and is now available in additional regions. As we continue to expand the regional availability of Attack Simulation Training, it is currently available in NAM, APC, EUR, IND, CAN, AUS, FRA, GBR, JPN, KOR, BRA, LAM, and CHE.