Our last article reviewed how Microsoft Defender can be used for a Cloud based deployment in Azure.  In this article, we examine how it can be used for identity purposes, which is very much a hot button topic today.

What Is Microsoft Defender?

Defender for Identity used to be called Azure Advanced Threat Protection, or Azure ATP.  Rather than depending upon other network security tools, it allows you to configure Azure Active Directory to provide warnings and alerts about any malicious activity that is transpiring in your Cloud environment.  In a way, it can be considered a SIEM, but much more powerful.  For example, it has the following characteristics:

  • It supports the DevSecOps team if your organization has one.
  • It makes use of learning-based analytics to monitor and analyze all kinds of network behavior across the lines of communications.
  • It provides for a much greater level of protection for your user groups and profiles that you create in Active Directory.
  • It makes use of the so-called “Kill Chain” to track down and mitigate any threat variants which are inbound.
  • Unlike most other tools, it also provides recommendations, in clear and concise terms, as to how to track suspicious behavior that should be triaged.

How It Uses Behavior Analytics

Microsoft Defender makes use of built-in AI and ML platforms to analyze the flow of information and data across your network infrastructure.  It pays very careful attention to all of the rights, privileges, and permissions that have been assigned to each and every employee in your company.  From here, a baseline is created, based on what is deemed to be a normal level of activity.

It also provides insights into any Insider Attacks that could be originating in the internal environment of your company.  Another strategic advantage that Microsoft Defender has is that it keeps an eye on any domain controllers that you have implemented in your business.  This makes it possible to keep an eye on each and every wireless device, whether it is BYOD (Bring Your Own Device) or company issued.

Reduction In The Attack Surface

Misconfigurations in a Cloud based environment are still a persistent problem.  The primary reason for this is that many organizations still rely upon the default settings, when instead the environment must be configured to your own security requirements.  To help out with this, Defender even provides a list of recommendations as to how you should move away from the default settings, based on an examination of what kinds of assets you already have in your Cloud environment.

It also possesses another unique feature called “Lateral Movement Paths”.  Many Cyberattackers now move in this kind of fashion across your IT infrastructure, so now you can get a visualization as to where they have been and observe any projected paths of movement for the future.  It can even give you a snapshot view as to where the Cyberattacker could be lurking at the present time, thus giving your IT Security team extra ammunition to evict them.  Finally, most communications today are encrypted automatically, without a second thought given to it.  But of course, you may have an employee who has accidentally disabled encryption and is instead sending data in cleartext.  Microsoft Defender keeps close tabs on this, and alerts you if this situation actually happens.
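To make the Lateral Movement Paths feature concrete, here is an added example (not the article's or Defender's own code) that re-creates a simplified path calculation over constructed sample data.  It models the two relationships such paths are built from, local admin rights on a host and accounts with an active logon session on it, and reports the shortest path from a compromised account to a sensitive one, plus every account from which a sensitive account is reachable; the host and account names are invented for illustration.

```python
from collections import deque

# Constructed sample data (not from the article): the accounts with local
# admin rights on each host, and the accounts with a logon session on it.
# Defender for Identity derives its Lateral Movement Paths from these two
# relationships; this is a simplified re-creation, not the product's code.
LOCAL_ADMINS = {
    "WS-01": {"alice", "helpdesk"},
    "WS-02": {"bob", "helpdesk"},
    "SRV-FILE": {"bob", "svc_backup"},
    "SRV-SQL": {"svc_backup"},
}
LOGGED_ON = {
    "WS-01": {"alice"},
    "WS-02": {"bob"},
    "SRV-FILE": {"svc_backup"},
    "SRV-SQL": {"da_admin"},
}
SENSITIVE = {"da_admin"}  # e.g. members of Domain Admins

def lateral_movement_path(start, admins=LOCAL_ADMINS, sessions=LOGGED_ON,
                          sensitive=SENSITIVE):
    """Shortest account -> host -> account path from a compromised account
    to any sensitive account, or None. A local admin on a host can harvest
    the credential material of every account with a session on that host,
    which is what makes each hop possible."""
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        account, path = queue.popleft()
        for host, host_admins in admins.items():
            if account not in host_admins:
                continue
            for exposed in sorted(sessions.get(host, ())):
                if exposed in seen:
                    continue
                hop = path + [host, exposed]
                if exposed in sensitive:
                    return hop
                seen.add(exposed)
                queue.append((exposed, hop))
    return None

def accounts_exposing_sensitive(admins=LOCAL_ADMINS, sessions=LOGGED_ON,
                                sensitive=SENSITIVE):
    """Non-sensitive accounts from which a sensitive account is reachable:
    the ones whose admin rights or sessions a defender should review first."""
    everyone = set().union(*admins.values(), *sessions.values())
    return sorted(a for a in everyone - sensitive
                  if lateral_movement_path(a, admins, sessions, sensitive))
```

Removing a single edge, such as the stale session of `da_admin` on SRV-SQL or the backup account's admin rights there, breaks every path in this data set, which is the kind of remediation the visualization is meant to point you at.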

The Kill Chain

As mentioned earlier in this article, Microsoft Defender makes use of what is known as the Kill Chain.  Here is the process of how it actually uses it:

  1. The Reconnaissance Phase:

This is where the Cyberattacker scopes your environment, both externally and internally.  They are typically looking for the following items:

  • Username/password combinations.
  • The profiles and groups a certain employee belongs to in the Active Directory.
  • Any IP addresses assigned to the wireless devices and shared resources the employee might be using.

Defender for Identity can locate a Cyberattacker who is engaged in any or all of the above activities.

  2. Detecting lateral movements:

Defender for Identity can detect even the remotest chance that a lateral movement by the Cyberattacker is happening, including movement carried out with the following sophisticated techniques:

  • Pass the ticket;
  • Pass the hash;
  • Overpass the hash.

  3. Domain Dominance:

Remote Code Execution (RCE) is a big problem today.  This is where the Cyberattacker installs a malicious payload in your Cloud deployment and controls it from very far away, perhaps even from a different country.  Defender for Identity has now become advanced enough that it can detect this kind of threat and literally “kill it” in real time, automatically, before any further damage is caused.

Overall, this article has looked at some of the key features of Defender For Identity.  If you have any questions, please contact us today.