What is Open Hack?
The Microsoft E5 Open Hack challenge is a collaborative, team-based learning experience designed to increase security competence in solving real-world cybersecurity risks using Microsoft Defender Advanced Threat Protection and Microsoft Cloud App Security.
Scenario for the Hack:
A company is dealing with a multi-month intrusion by a presumed state-sponsored attacker; its own IT systems have been compromised and are being used to launch attacks against some of the company's customers.
Their systems were seen being used as jumping-off points for digital fishing expeditions.
Note: Microsoft Office 365 is deployed to all 15,000 employees.
The customer currently manages identities using Azure AD, and asset and patch management via Intune.
Our Objective:
Help Contoso leverage existing or add-on Microsoft security solutions to improve its security posture and achieve the following objectives:
Secure the boundaries of Contoso Electronics so that no further unauthorized access occurs and no data leaks out of the organization.
Hunt for and mitigate any adversary currently present inside the organization so that Contoso Electronics is no longer used as a platform for attacks.
Our Approach:
- Analyse the alerts triggered when MDATP detects anomalous and suspicious activity.
- Identify the devices and users impacted, and take actions such as isolating the device or assigning the incident to the appropriate incident handler.
- Download the payload/evidence for further analysis.
- Suggest steps to remediate the incident and reduce the attack surface.
- Discover shadow apps used in the environment using MCAS and Microsoft Defender for Endpoint, along with their usage patterns and the associated risk.
- Analyse the shadow apps used on organization laptops, whether on the corporate network or a public network.
- Identify the usage patterns and risks associated with the shadow apps, with the option to sanction or unsanction them.
- Identify OAuth apps and revoke their access if required.
- Recommend security checks to prevent data leakage and to block access to corporate resources from unregistered and non-compliant devices.
Proposed Solution:
- Apart from Azure AD and Intune, leverage other M365 solutions for IAM, MDM and MAM, Windows management, UEBA, classification and rights management for files across O365, secure mail, secure endpoints, controlling and safeguarding all channels against data leakage, and providing secure access to cloud apps while preventing data leakage through the cloud.
- Enable native integration and correlation across all platforms, which yields actionable insights.
- Use Secure Score to compare your security posture with peers in the industry, understand the gaps in your security infrastructure, and apply the remediation steps suggested by Microsoft.
- Use the security and compliance dashboards to understand adoption of M365 solutions.
- Use assessment templates, which contain the controls and action data needed to track compliance with regulations, standards, and policies.