Threat Intelligence and External Attack Surface Management

Earlier this month, Microsoft announced two new products in the Microsoft cloud security stack:

  • Microsoft Defender Threat Intelligence (MDTI).
  • Microsoft Defender External Attack Surface Management (MD EASM).

Both products are part of the larger Microsoft Defender ecosystem. In this article, I discuss each product and its use cases, and share my thoughts on their usefulness after some initial testing.

Threat Intelligence

In August 2021, Microsoft acquired RiskIQ, a company specializing in threat intelligence with an excellent reputation in the wider security industry. The acquisition was interesting because RiskIQ was a well-regarded company, and many security practitioners (including myself) wanted to know how Microsoft would integrate RiskIQ technology into its stack.

We now know that Microsoft is using RiskIQ as the basis for a new product called Microsoft Defender Threat Intelligence (MDTI). This product has two distinct use cases:

  1. Providing information about known attack groups and the indicators (file hashes, IP addresses, and domains) associated with those groups, as well as general information about potential attacks and what to look out for.
  2. Giving administrators access to a large database containing detailed information about threat intelligence indicators (such as IP reputation). Microsoft mentions that this will combine data from both RiskIQ and MSTIC, the Microsoft response team that handles billions of signals each day. The sheer scale of the data available to Microsoft could give MDTI an advantage (think about all the telemetry coming from Windows devices).

While browsing through the product, the information about attack groups is intriguing, as it helps you learn more about current attacks. A recent example is the Confluence vulnerability which affected many organizations. By using the information from MDTI, you can identify the typical signals of an exploitation and focus your detection on these. But this reminds me of Threat Analytics, a feature of Microsoft 365 Defender. While Threat Analytics is part of the larger Microsoft 365 Defender stack, it serves the same purpose as MDTI.

A database of attack indicators, like those offered by Talos or VirusTotal, is useful to have, but after trialing the product I find the current implementation too limited. Most of the IP addresses I tested with MDTI lack basic information and don’t provide the same value as other products. On multiple occasions, I looked up IPs flagged as malicious by VirusTotal only to find that the address’s reputation in MDTI was empty.

From the limited information available at the time of writing, it seems that Microsoft has two tiers for MDTI: a free tier and a premium tier. Only the free tier is available now. I hope that the amount of data will increase and that Microsoft will create a native integration between MDTI and the other products in the Microsoft Security stack, specifically Microsoft Sentinel and Microsoft 365 Defender.

While I had high hopes for this product, as it comes out of a strong acquisition, I am a bit disappointed by the current capabilities and integration. While Microsoft is tight-lipped about the premium tier, a yearly license for MDTI Premium is listed at $45,000 in the Microsoft 365 Admin Center. Only time will tell whether that high price is worth it, as we don’t know which features Microsoft includes in the premium tier. While the MDTI license cost might seem high, it is in line with other security vendors offering comparable features. An important feature for me is native integration with the existing security stack, meaning the product is integrated into the security portal and shares its data natively with other products.

External Attack Surface Management

Microsoft Defender External Attack Surface Management focuses on internet-connected assets and attempts to identify vulnerabilities in them. The product is not limited to Azure resources; it covers all internet-facing resources, even those unknown to the company (also known as shadow IT). It scans the internet based on seed parameters provided by the IT admin, including domains, email addresses, and ASNs (autonomous system numbers).

According to Microsoft’s description, MD EASM should also scan the different components and code within an application. In theory, it should be able to identify whether an asset is vulnerable to Log4J, for example, which surprised the IT Pro community last year and left teams scrambling because they had no inventory telling them where to mitigate the problem.

MD EASM is deployed through the Azure portal but is only available in a limited set of Azure regions. From my testing, the discovery process is cumbersome, slow, and feels underwhelming, but this could be because Microsoft is still rolling out the underlying services.

We now have three ways to identify vulnerabilities within the Microsoft Security stack:

  1. Microsoft Defender Vulnerability Management (MDVM): deeply integrated into the Microsoft Defender for Endpoint (MDE) stack to identify vulnerabilities on desktop and mobile operating systems and on network devices. MDVM uses MDE sensors to collect data and build an inventory of current vulnerabilities.
  2. Microsoft Defender for IoT: a relatively new product (from the CyberX acquisition) focusing on both OT and IoT devices (all network-connected devices, mostly Linux based) that generates alerts for suspicious activity and vulnerabilities.
  3. Microsoft Defender External Attack Surface Management (MD EASM): the newest product in the Security stack, focusing on internet-connected assets.

Although each product has a distinct use case, they all aim to identify vulnerabilities within an environment. MD EASM covers an aspect (going beyond the current operating system support of MDVM) that was previously not covered by another product, but it creates ‘just another portal’. The end goal should be a single pane of glass showing all vulnerabilities across an environment, which is not possible today.

It’s also important to note that MD EASM is licensed per monitored asset. This puts security administrators in control, as they decide what needs to be monitored. Details on pricing can be found in the Azure Pricing Calculator. The current cost is $0.011 per monitored asset per day, which translates to about $0.33 per asset per month.

Looking ahead

Although the new products cover a useful vertical within the Microsoft security stack, I feel that Microsoft released them too soon. They lack proper integration into the current security stack (a single pane of glass and synchronization of data to Microsoft Sentinel and Defender) and are not as feature-rich as anticipated. My expectations were high, because the original products from which these features emerged are highly regarded. Still, I remain hopeful for both products for the same reason: they originate from technology acquired from companies with a solid reputation. Going forward, I will keep a close eye on the updates Microsoft releases for both MD EASM and MDTI.

About the Author

Thijs Lecomte

Thijs is a security consultant from Belgium, working at The Collective, an MSSP with a Microsoft-focused Security Operations Center. His work consists of leading the SOC team and implementing Microsoft Security solutions (such as Microsoft Sentinel and Defender) as a consultant. He is an MVP in the Security category and a regular speaker at events and user groups. His best-known publication is as co-author of the 'Microsoft 365 Security for the IT Pro' ebook.