Beyond the Endpoint: Detect and Disrupt User Account Attacks
By: Chris Carlson, VP of Product Management
“What’s in a name?” For Shakespeare, it’s the start of a famous soliloquy in a play about blossoming love. For cybersecurity professionals – if that name is a compromised user account leading to administrative privileges – it’s the start of an attack vector that’s been difficult to detect, disrupt, or contain.
Successful attacks against user accounts require approaches different from the ones adversaries have used in campaigns built on traditional malware or vulnerability exploitation. Rooted in social engineering techniques (which require finesse, design, and psychology to pull off), adversaries are improving their skills, and recent breach data confirms this growing attack vector.
According to the Ponemon Institute report Cybersecurity in the Remote Work Era: A Global Risk Report, credential theft and social engineering or phishing are the most frequent attacks organizations have faced. As a metric, 60% of mid-sized businesses (250 – 5,000 employees) that have asked their employees to work remotely experienced a cyberattack. Of those, 56% experienced credential theft and 45% experienced social engineering such as phishing.
Verizon’s 2021 Data Breach Investigations Report shows similar numbers: 61% of all breaches involve credentials, whether stolen via social engineering or obtained by brute force.
As cyber defender teams add security technologies beyond the endpoint to detect attacks against user accounts, the additional volume of alerts (many still being false positives!) places a rapidly growing burden on these teams to investigate each and every alert. Missing even one successful credential attack can lead to data compromise.
Compounding this problem, adversaries have multiple attack vectors to steal, harvest, and misuse user account credentials, which severely limits how fully endpoint-oriented response actions can disrupt active misuse of a stolen credential across authentication sources and cloud applications.
New Critical Start MDR Enhancements
I’m thrilled to describe the new capabilities developed by Critical Start to extend our Managed Detection and Response services to support Microsoft 365 Defender’s detection alerts for user account attacks and credential misuse. These capabilities go beyond the endpoint to detect user attacks against authentication sources and applications, and attempts at credential harvesting.
More importantly, we’ve developed additional direct-action Responses to disrupt user account attacks that hide the complexity and effort involved in responding quickly enough. While other MDR providers may only give recommended actions for the user to take – which puts the burden on the customer to perform the response across multiple Microsoft consoles – Critical Start has natively integrated our web interface and MobileSOC mobile application with Microsoft 365 Defender APIs to create a single interface for performing manual and automated response actions.
As one customer told us, this turns a “2am problem into a 9am problem”, enabling the analyst to disrupt and contain the attack with the click of a button as soon as the attack occurs, and then to assess the scope and restore later.
With these new capabilities, plus our existing support for Microsoft Defender for Endpoint, we give a rich set of detection and response actions across multiple user account attack vectors.
- Attacks Against Cloud Applications: Adversaries that gain access to an organization’s cloud applications find themselves with access to the entire organization’s sensitive data. Critical Start leverages Microsoft Azure Active Directory and Defender for Cloud Apps to detect suspicious login behavior and identify compromised accounts. New manual and automated response actions include disabling a user account, forcing a logout and expiring sessions, and enforcing password changes.
- Brute Force Attacks: When unable to gain access to an organization’s data through stolen or purchased credentials, adversaries will attempt to break in via brute force attacks against weak passwords. When this occurs, Critical Start’s platform automates alert investigation and elevates legitimate threats to the Critical Start SOC analysts for investigation. Response actions leverage the new manual and automated options: disabling a user account, forcing a logout and expiring sessions, and enforcing password changes.
- Credential Harvesting through Email Phishing: Email phishing is one of the leading attack vectors. Critical Start detects multiple steps in credential harvesting attacks from Microsoft Defender for Office alerts, such as confirmed phishing emails and malicious links, and provides courses of response action to disrupt the chain and flag user accounts as potentially compromised.
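As an added illustration (not Critical Start’s code) of the brute force detection and containment decision described above, this Python snippet runs a sliding-window failed-sign-in check over constructed rows shaped like Azure AD sign-in logs and maps the verdict to the response actions named in the post; the threshold, window, and sample rows are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data), shaped like Azure AD sign-in
# log rows: time, user, source IP, result code ("0" = success, "50126" = bad password).
SAMPLE_EVENTS = [
    ("2021-11-02T02:00:01Z", "alice@example.com", "203.0.113.5", "50126"),
    ("2021-11-02T02:00:09Z", "alice@example.com", "203.0.113.5", "50126"),
    ("2021-11-02T02:00:17Z", "alice@example.com", "203.0.113.5", "50126"),
    ("2021-11-02T02:00:25Z", "alice@example.com", "203.0.113.5", "50126"),
    ("2021-11-02T02:00:33Z", "alice@example.com", "203.0.113.5", "50126"),
    ("2021-11-02T02:00:41Z", "alice@example.com", "203.0.113.5", "0"),
    ("2021-11-02T02:01:00Z", "bob@example.com", "198.51.100.7", "50126"),
    ("2021-11-02T02:01:30Z", "bob@example.com", "198.51.100.7", "50126"),
    ("2021-11-02T02:02:00Z", "bob@example.com", "198.51.100.7", "50126"),
    ("2021-11-02T02:02:30Z", "bob@example.com", "198.51.100.7", "50126"),
    ("2021-11-02T02:03:00Z", "bob@example.com", "198.51.100.7", "50126"),
    ("2021-11-02T09:00:00Z", "carol@example.com", "192.0.2.10", "50126"),
    ("2021-11-02T09:00:05Z", "carol@example.com", "192.0.2.10", "0"),
]

FAIL_THRESHOLD = 5             # assumed: failures within WINDOW that count as a burst
WINDOW = timedelta(minutes=10)  # assumed sliding window
ACTIONS = {  # containment actions named in the post, keyed by verdict
    "attempted": ["escalate to SOC analyst"],
    "likely_compromised": ["disable user account", "force logout and expire sessions",
                           "enforce password change"],
}

def detect_account_attacks(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {user: (verdict, actions)}: 'attempted' once failures inside the sliding
    window reach threshold, 'likely_compromised' if a success from the same source IP
    then arrives while those failures are still inside the window."""
    by_user = defaultdict(list)
    for ts, user, ip, code in sorted(events):
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, code))
    findings = {}
    for user, rows in by_user.items():
        recent, burst = [], False   # failures still inside the window, burst seen?
        for ts, ip, code in rows:
            recent = [f for f in recent if ts - f[0] <= window]
            if code != "0":
                recent.append((ts, ip))
                if len(recent) >= threshold:
                    burst = True
                    findings[user] = ("attempted", ACTIONS["attempted"])
            elif burst and any(ip == src for _, src in recent):
                findings[user] = ("likely_compromised", ACTIONS["likely_compromised"])
    return findings
```

A success that arrives only after the failure burst has aged out of the window is not counted as compromise, which is the edge case the same-IP check inside the window is there to handle.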
Empowering Employees and Security Awareness Teams to Defend against Phishing Attacks
One of the best defenses against email phishing attacks is to harness the combined visibility of all employees in your organization. Security Awareness Training programs spend a lot of time, effort, and cost educating employees to identify and report suspicious emails. Simulated phishing exercises are a good start, but ultimately you want to track how your employees are interacting with real-world emails, regardless of the positive or negative verdict.
In this new release, Critical Start integrates with the native Microsoft Outlook “Report Message” button (in the Protection tab) to receive the report, analyze it, validate Microsoft’s own verdict, and produce a final verdict that detects true email phishing attacks.
To close the loop on user-reported emails, Critical Start adds an optional capability for our platform to send an email (configured from your own domain and email address) with a customized subject and body to the user, informing them of the outcome of the investigation, whether a positive or negative verdict. Not only will this feedback encourage users who report messages to continue this good security hygiene, but security awareness teams can also adjust their training to encourage more engagement from those users who may not be participating.
Critical Start customers with Microsoft 365 Defender can now harness more value from their Microsoft security suite investment and extend their defenses to protect against user account attack vectors.
Chris Carlson is the Vice President of Product responsible for product strategy, roadmap, and delivery of the CRITICALSTART Managed Detection and Response solutions. Chris joined Critical Start in November 2021 and brings more than 20 years of product management experience with security SaaS, software, and hardware products spanning Endpoint Detection and Response, vulnerability management, intrusion prevention systems, network traffic processing and analytics, and real-time event processing.
Prior to Critical Start, Chris served as VP of Product for Dragos, the leader in industrial control systems security, and Qualys, the leading vulnerability management and compliance vendor. Chris has also held product leadership and direct product roles at Hexis Cyber (acquired by WatchGuard), Invincea (acquired by Sophos), Agent Logic (acquired by Informatica), and Lucid Security (acquired by TrustWave). Previously, Chris held security consulting and security architecture roles at SAIC, Booz Allen, and UBS.