This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.
Responding to ransomware in the Modern Workplace
Over the last few weeks, we have shared the roots of Microsoft 365 threat protection and how Microsoft 365 threat protection helps protect against and detect a modern ransomware attack. Today, we conclude our blog series by discussing how Microsoft 365 threat protection can help respond to attacks and also helps educate and raise awareness of threats to end users. In our ransomware scenario, once the threat has been detected, Microsoft 365 also helps respond and remediate with automation playing a key role in making the response more manageable, accurate, and less time consuming for administration. Microsoft 365 threat protection response and remediation services are shown in figure 1 below.
|Ransomware Detection with Microsoft 365|
|Windows Defender Advanced Threat Protection|
|Azure Advanced Threat Protection|
|Microsoft Cloud App Security|
|Azure Security Center|
|Office 365 Advanced Threat Protection|
|Office 365 Threat Intelligence|
Figure 1. Microsoft 365 threat protection helps detect threats to the modern workplace
In our ransomware scenario, Windows Defender Advance Threat Protection (WDATP) alerts security operations teams about suspicious activities such as programs launching self-replicating copies. If the ransomware does manage to infect multiple devices, WDATP automatically investigates alerts, applies artificial intelligence to determine whether a threat is real and then decides what action to take. It then automatically remediates the threat from affected endpoints to stop further damage as shown in figure 2.
Figure 2. WDATP automation mapping the propagation of a threat
WDATP provides manual machine level responses, such as isolating a machine to contain the threat. Further, forensic data is collected to better understand the attack and the attacker. WDATP also includes file level response by quarantining or blocking malicious files. Azure Security Center also leverages automation by helping orchestrate these common security workflows:
- Routing alerts to a ticketing system
- Applying additional security controls
- Gathering additional information
- Asking a user to validate an action
- Blocking a suspicious user account
- Restricting traffic from an IP address
Azure Security Center employs behavioral analytics to uncover patterns and malicious activity to enable proactive policies to be set in place to help prevent impact from future attacks. Response times are also improved with expanded signal from Azure Security Centers 3rd party integrations with firewalls and anti-malware engines. While Azure Security Center enables security operations personnel to respond to threats to the enterprise infrastructure, admins can quickly respond to threats to user identities by creating activity policies with Microsoft Cloud App Security (shown in figure 3) which can take the action of suspending a user account when the predefined conditions are met. In our example, the ransomware propagates using the brute force password technique which requires multiple logins, thus login failures from a unique account are likely and this can be a trigger for Microsoft Cloud App Security to suspend an account. One of the powerful benefits of Microsoft Cloud App Security is that it extends protection beyond the Microsoft ecosystem. Even if login attempts are made from popular enterprise applications that are not Microsoft client apps, Microsoft Cloud App Security enables admins to respond to the anomalous activity.
Figure 3. Microsoft Cloud App Security General Dashboard
In Microsoft 365, threat response and remediation is offered with Office 365 Threat Intelligence. Using the Threat Explorer feature, security analysts and administrators can search for all instances of potentially malicious emails that may contain ransomware. The back-end is designed for efficient threat investigation and remediation. Emails that are part of a ransomware campaign can easily be discovered using a variety of search filters with the Threat Explorer shown in figure 4. The admin can select all the emails that need to be investigated from a specific sender and choose to take immediate action on potentially malicious emails including: move to junk, move to deleted items, soft delete, hard delete, and move to inbox. Choosing the delete action purges the malicious emails from all tenant mailboxes. There is also the option of creating an incident so that a manager must approve the action.
Figure 4. Office 365 Threat Explorer email remediation actions
Educating end users about ransomware in the modern workplace
We discussed cyber education as an important element for protecting organizations. Having end users who are prepared and informed on spotting potential cyber attacks is a powerful manner to preventing attacks from harming an organization. Attack Simulator, shown in figure 5, is a new feature of Office 365 Threat Intelligence currently in public preview. Among several simulations is the Display Name Spear Phishing Attack. Spear phishing is a subset of phishing, aimed at a specific group, individual, or organization and as we discussed before, a method of spreading ransomware. Attack Simulator harnesses signal from Office 365 Threat Intelligence which provides visibility into an organizations most targeted and potentially most vulnerable users and enables admins to launch simulated threats targeting those very same users. This provides the most targeted users with training on recognizing phish emails which include ransomware and provides admins visibility on how those users behave during an attack, enabling optimal policy updates and security protocols.
Figure 5. Attack Simulator UI
Since the attack surface of the modern workplace is complex and broad, Attack Simulator will begin to offer simulated attacks made through other attack vectors as it moves from preview to GA. Attack Simulator will help raise user awareness and effectiveness at spotting attacks from all the common attack vectors.
Microsoft 365 threat protection
Microsoft has heavily invested in helping secure our customers for many years by building security in our products from the ground up. In the last few years, as the level of cybercrime has increased, we have also increased our efforts and focus on developing and continuously updating advanced security solutions to protect customers from a wide variety of threats and types of attack. In this ransomware scenario, you see as an example, our continued focus on security which provides end users ultimate protection from modern threats, while giving administrators a powerful set of tools to help protect, detect, respond and even educate against these threats. Threat protection is only one key aspect of Microsoft 365. Learn more about Microsoft 365 and understand how it can help your organization through its digital transformation journey. Additionally, follow the links below to learn more about the Microsoft 365 threat protections services and experience them by starting a trial.
- Securing the modern workplace with Microsoft 365 threat protection part 1
- Securing the modern workplace with Microsoft 365 threat protection part 2
- Securing the modern workplace with Microsoft 365 threat protection part 3
- Office 365 E5 (includes Exchange Online Protection, Office 365 Advanced Threat Protection, and Office 365 Threat Intelligence)
- Windows Defender Advanced Threat Protection
- Azure Advanced Threat Protection
- Azure Security Center
- Microsoft Cloud App Security
- Azure Active Directory