Posted August 22, 2023

Organizations need processes and tools such as Microsoft Defender External Attack Surface Management (MDEASM) to identify and manage the points in a software system or network infrastructure that could be targeted by attackers. These points, often referred to as "attack vectors", are vulnerabilities or weaknesses that an attacker could exploit to gain unauthorized access, compromise systems, or steal sensitive data. The external attack surface specifically refers to the components and interfaces of a system that are exposed to the outside world, such as public-facing applications, network services, APIs, and other entry points: the points an attacker reaches first when trying to breach the system from outside the organization's perimeter.

In this blog I will cover how Microsoft Security can help identify threats by checking the assets discovered by Microsoft Defender External Attack Surface Management against the Microsoft Defender Threat Intelligence feeds.

Prerequisites:
- Microsoft Defender External Attack Surface Management workspace
- Microsoft Defender External Attack Surface Management API access and a registered client app
- Azure Logic Apps
- Microsoft Defender Threat Intelligence API access and a registered client app

What is Microsoft Defender Threat Intelligence

Microsoft Defender Threat Intelligence (MDTI) is a service offered by Microsoft that focuses on collecting, analyzing, and disseminating information related to cybersecurity threats. It covers a wide range of threat data, including indicators of compromise (IoCs) and the tactics, techniques, and procedures used by cybercriminals and threat actors. MDTI leverages advanced detection techniques to identify emerging threats and vulnerabilities, including the analysis of telemetry from various Microsoft products and services, which allows the detection of patterns and anomalies that might indicate potential threats.
The service also provides threat intelligence feeds that offer near real-time updates on malicious domains, IP addresses, URLs, and file hashes. These feeds let organizations integrate threat intelligence directly into their security solutions for automated protection.

Benefits of integrating Defender External Attack Surface Management data with Defender Threat Intelligence

Understanding your potential weaknesses is important, and MDEASM highlights them. However, teams are already stretched by resource constraints, so how do you prioritize? What if you prioritize the wrong vulnerabilities and get breached? The MDEASM insights help, but more context always enables better-informed decisions. This is where the MDTI integration and automation come in: use MDTI to tell you whether any of the assets across your attack surface are linked to threat actors, leveraging the "most expansive source of threat intelligence telemetry" (Forrester Wave).

Use Case

The key objective of this integration is to send an email alert whenever MDTI holds information that calls for immediate prioritization: the asset needs attention in MDEASM and possibly further investigation to confirm there has been no breach. The integration performs the following checks.

Take all domains discovered in MDEASM and check them against the MDTI articles. New research may have been published in which domains on your attack surface are mentioned.

Extract the keywords from each of the domains in MDEASM and check them against the same MDTI articles endpoint. Your specific domains may not be called out, but there could be research suggesting that your organization is on a target list.

Take the same domains and keywords and check them against the MDTI Intel Profiles. If a domain or keyword is associated with a known threat actor, that too should be treated as high priority.
Finally, check the domains against the transparent reputation score in MDTI. If one of your own domains carries a score, your organization may already have been targeted, or the asset may be causing reputational damage (for example because it is being abused or has been compromised) that should be rectified urgently.

How to get started with the MDTI integration

Go to the GitHub repository for MDEASM to install the solution in your Azure subscription: MDEASM-Solutions/Automation/MDTI-MDEASM-Integration at main · Azure/MDEASM-Solutions

To proceed, deploy the Logic App that is available at the MDEASM GitHub link in the previous step. The page carries a "Deploy to Azure" button; clicking it prompts you for certain parameters.

(Screenshot: Add credentials to run the project)

After you click the button, Azure loads in the browser and you will need to authenticate. You are then redirected to the deployment form shown in the screenshot. Enter the credentials and parameters it asks for and click "Review + Create". The Logic App should now run on the schedule set in its settings.

(Screenshot: Overview of the Logic App)

Call to action

Proceed to the MDEASM GitHub page and deploy the Azure Logic App to install the solution.

Conclusion

The integration of Microsoft Defender External Attack Surface Management with Microsoft Defender Threat Intelligence helps organizations understand and prioritize vulnerabilities on their attack surface. There is so much intelligence available that it can become difficult to set the right priorities: with all this information, how do you know which data is relevant now? The MDEASM/MDTI integration gives insight into real threats against an organization or its vertical, ensuring that assets which are being targeted are prioritized with immediate effect.
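The four checks from the Use Case section (domains against articles, domain keywords against articles, domains against Intel Profiles, domains against the reputation score), modelled as an offline triage routine. This is an added example, not code from the Azure/MDEASM-Solutions repository or the Logic App it deploys: the real integration queries the MDEASM and MDTI APIs, whereas here every data source (articles, intel profiles, reputation scores, and the discovered domain list) is a constructed in-memory sample, and the severity ordering and the reputation threshold are assumptions chosen for illustration.

```python
"""Offline model of the MDEASM -> MDTI triage logic (added example)."""
import re
from dataclasses import dataclass

# Labels that carry no organisational meaning and should not become keywords.
GENERIC_LABELS = {"com", "net", "org", "io", "co", "uk", "de", "www", "mail",
                  "api", "dev", "test", "cdn", "staging", "prod"}

# Constructed sample records standing in for MDTI responses (hypothetical).
ARTICLES = [
    {"id": "A-1", "title": "Phishing kit impersonates retail payment portals",
     "text": "Lures referenced Contoso and Fabrikam customers; the kit was hosted "
             "on pay-contoso-login.example.",
     "indicators": {"pay-contoso-login.example"}},
    {"id": "A-2", "title": "Credential-stuffing wave against SaaS logins",
     "text": "No specific brands were named in this campaign.",
     "indicators": set()},
]
INTEL_PROFILES = [{"name": "SAMPLE-ACTOR-7", "indicators": {"cdn.contoso.com"}}]
REPUTATION = {  # (classification, score 0-100, higher = worse); assumed shape
    "cdn.contoso.com": ("malicious", 88),
    "shop.contoso.com": ("suspicious", 45),
    "docs.fabrikam.com": ("neutral", 0),
}
REPUTATION_THRESHOLD = 40  # assumption: alert at "suspicious" and above

# Constructed stand-in for the MDEASM asset inventory.
SAMPLE_DOMAINS = ["cdn.contoso.com", "shop.contoso.com",
                  "docs.fabrikam.com", "www.tailwind.com"]


@dataclass(frozen=True)
class Finding:
    domain: str
    severity: str   # critical > high > medium
    source: str     # which MDTI data set produced the hit
    detail: str


def extract_keywords(domain: str) -> set[str]:
    """'portal-payments.contoso.co.uk' -> {'portal', 'payments', 'contoso'}."""
    words = set()
    for label in domain.lower().strip(".").split("."):
        if label in GENERIC_LABELS:
            continue
        for part in re.split(r"[-_]", label):
            if len(part) >= 3 and not part.isdigit():
                words.add(part)
    return words


def triage(domains: list[str]) -> list[Finding]:
    """Run the four checks over every discovered domain, worst findings first."""
    findings: list[Finding] = []
    for domain in domains:
        d = domain.lower()
        # Check 3: domain tied to a known actor profile -> highest priority.
        for profile in INTEL_PROFILES:
            if d in profile["indicators"]:
                findings.append(Finding(d, "critical", "intel-profile", profile["name"]))
        # Check 1: domain listed as an indicator in published research.
        for art in ARTICLES:
            if d in art["indicators"]:
                findings.append(Finding(d, "high", "article", art["id"]))
        # Check 4: reputation score at or above the threshold.
        cls, score = REPUTATION.get(d, ("unknown", 0))
        if score >= REPUTATION_THRESHOLD:
            findings.append(Finding(d, "high", "reputation", f"{cls}:{score}"))
        # Check 2: organisation keyword mentioned in article text (target list).
        for kw in sorted(extract_keywords(d)):
            pattern = re.compile(rf"\b{re.escape(kw)}\b", re.IGNORECASE)
            for art in ARTICLES:
                if pattern.search(art["title"]) or pattern.search(art["text"]):
                    findings.append(Finding(d, "medium", "article-keyword",
                                            f"{kw}@{art['id']}"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.domain))


def format_alert(findings: list[Finding]) -> str:
    """Body of the alert e-mail; an empty string means nothing to send."""
    return "\n".join(f"{f.severity.upper():8} {f.domain:20} {f.source}: {f.detail}"
                     for f in findings)


if __name__ == "__main__":
    print(format_alert(triage(SAMPLE_DOMAINS)))
```

Keyword extraction is deliberately conservative (generic labels are dropped and short fragments ignored) because every keyword hit costs analyst time; in practice the generic-label list should be tuned to the naming conventions MDEASM discovers for your organization. Exact indicator hits in an Intel Profile outrank everything else, since those are the assets the post says to treat as high priority.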