Matching Microsoft Security Tools With the Cyber Kill Chain

Author: Aleksandr Kuznetcov, Ph.D., CISM, CISSP
Date Published: 17 August 2022

Among the many security tools and products Microsoft provides, there are a number of mechanisms that are built into the operating systems and enterprise software. Yet, in practice, cybersecurity specialists are often unable to use these tools to the fullest or even to prioritize their use. The cyber kill chain model1 is a way of systematizing the use of security tools and mechanisms in an in-house enterprise environment to disrupt a cyberattack as quickly as possible.

Cybersecurity Toolbox

The scope of an in-house enterprise IT environment includes technologies such as:

  • Active Directory Domain Services (AD DS)—On-premises
  • Server operating systems—Windows Server 2016 and higher
  • Client operating systems—Windows 10
  • Email servers—Exchange Server 2016 and higher

Of note, a cloud environment requires the use of different Microsoft materials.2, 3, 4

Microsoft security tools and built-in mechanisms can be categorized into two groups. The first group includes passive (detection) tools that can discover and issue notifications about suspicious activities or cybersecurity incidents. The second group comprises active tools that can prevent or block intrusions, reduce a cyberthreat surface area, correct actions or objects (e.g., isolate, move), or compensate (e.g., complicate access conditions, require additional actions). The results of matching the tools to the cyber kill chain steps are shown in figure 1.

Most of the security tools can be managed by Group Policy (one of the main management tools for the Microsoft domain environment) or PowerShell cmdlets (a command-line shell,5 scripting language and configuration management framework) and can be used by Microsoft Sentinel,6 Microsoft Endpoint Manager7 and Microsoft Advanced Threat Analytics.8 The top three activities to enable are:

  1. Credentials protection functionality because it is key to IT infrastructure
  2. Windows Defender functionality (especially if it is the single antivirus/host firewall/endpoint detection and response tool for hosts) because it is a core security tool
  3. Logging because of its ability for timely detection and further response
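As an added illustration of these three priorities (example code written for this edition, not from the article or from Microsoft), the following read-only PowerShell audit reports whether credential protection, Windows Defender and logging are in the state the list recommends on a Windows 10 or Windows Server 2016+ host. The cmdlets, WMI class and registry paths are Microsoft's documented ones; the function names, the `$MinSecurityLogBytes` threshold and the English-locale `auditpol` parsing are assumptions.

```powershell
# Added example: read-only baseline check of the three priorities above.
# Run from an elevated PowerShell session; nothing here changes configuration.
# Threshold below is a constructed assumption; replace with your own baseline.
$MinSecurityLogBytes = 1GB

function Get-CredentialProtectionStatus {
    # Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    # LSA runs as a protected process (PPL) when RunAsPPL = 1.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
        LsaProtectionEnabled   = ($lsa.RunAsPPL -eq 1)
    }
}

function Get-DefenderStatus {
    $mp   = Get-MpComputerStatus
    $pref = Get-MpPreference
    $fw   = Get-NetFirewallProfile
    [pscustomobject]@{
        AntivirusEnabled        = $mp.AntivirusEnabled
        RealTimeProtection      = $mp.RealTimeProtectionEnabled
        TamperProtection        = $mp.IsTamperProtected
        SignatureAgeDays        = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated).Days
        # EnableNetworkProtection: 0 = off, 1 = block, 2 = audit.
        NetworkProtectionBlock  = ($pref.EnableNetworkProtection -eq 1)
        AsrRulesConfigured      = @($pref.AttackSurfaceReductionRules_Ids).Count
        FirewallProfilesEnabled = (($fw | Where-Object { $_.Enabled -eq 'True' }).Name) -join ','
    }
}

function Get-LoggingStatus {
    $sec = Get-WinEvent -ListLog 'Security'
    $ps  = Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational'
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                            -Name 'EnableScriptBlockLogging' -ErrorAction SilentlyContinue
    # auditpol indents subcategory lines by two spaces; the "No Auditing" text
    # is the English-locale string (assumption: adjust for other locales).
    $auditLines = auditpol /get /category:* 2>$null | Where-Object { $_ -match '^\s{2,}\S' }
    $enabled    = @($auditLines | Where-Object { $_ -notmatch 'No Auditing' }).Count
    [pscustomobject]@{
        SecurityLogEnabled        = $sec.IsEnabled
        SecurityLogMaxBytes       = $sec.MaximumSizeInBytes
        SecurityLogSizeAdequate   = ($sec.MaximumSizeInBytes -ge $MinSecurityLogBytes)
        PowerShellLogEnabled      = $ps.IsEnabled
        ScriptBlockLoggingEnabled = ($sbl.EnableScriptBlockLogging -eq 1)
        AuditSubcategoriesEnabled = $enabled
        AuditSubcategoriesTotal   = @($auditLines).Count
    }
}

function Get-KillChainBaseline {
    # One object per host; suitable for export to a SIEM or a compliance report.
    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        CredentialProtection = Get-CredentialProtectionStatus
        WindowsDefender      = Get-DefenderStatus
        Logging              = Get-LoggingStatus
    }
}

Get-KillChainBaseline | ConvertTo-Json -Depth 3
```

Any field reporting `False`, a zero count, or a signature age of several days points at one of the three priorities not being fully enabled, which is the gap to close through Group Policy before tuning the remaining tools in figure 1.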

Of course, this list of tools and mechanisms can be expanded and modified. Each specific IT infrastructure requires testing and audit modes for proposed security tools and mechanisms, taking into account business risk and tasks.

Recovery Capacity

In some circumstances, it is not possible to identify and contain a cybersecurity incident in a timely manner, and damage is done (e.g., data or systems are compromised). It is essential to have a backup plan for such cases.

In general, there are two options:

  1. Restore security tool settings to their defaults (reset to the vendor's out-of-the-box configuration).
  2. Recover gold images (a current, known-good backup copy) using native backup features or external backup systems.

After completing these steps, reconfiguration should be performed, taking into account vulnerabilities exploited by the cybersecurity incident.

Conclusion

There are different mechanisms and tools built into operating systems and enterprise software. Using the cyber kill chain model allows practitioners to prioritize the most important ones for their organization based on time and budget resources. The competent and timely application of these tools allows organizations to protect their data and system performance. There is no silver bullet; organizations must check and tune every mechanism and tool in their IT infrastructure, taking into account business risk and tasks, and their support and maintenance capabilities.

Endnotes

1 Hutchins, E.; M. Cloppert; R. Amin; Intelligence Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin Corporation, USA, January 2011, https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
2 Elyashar, G.; “Protect Your Google Cloud Workloads With Microsoft Defender for Cloud,” Microsoft Defender for Cloud Blog, 23 February 2022, https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/protect-your-google-cloud-workloads-with-microsoft-defender-for/ba-p/3073360
3 Soseman, M.; “Cyber Kill Chain and Microsoft Security Products,” YouTube, 8 June 2020, https://www.youtube.com/watch?v=6bEteZQIFM8
4 Trull, J.; “Disrupting the Kill Chain,” Microsoft Security, 28 November 2016, https://www.microsoft.com/security/blog/2016/11/28/disrupting-the-kill-chain/
5 Microsoft, “What is PowerShell?” 16 February 2022, https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.2
6 Microsoft, “What Is Microsoft Sentinel?” 21 December 2021, https://docs.microsoft.com/en-us/azure/sentinel/overview
7 Microsoft, “Microsoft Endpoint Manager,” https://docs.microsoft.com/en-us/azure/sentinel/overview
8 Microsoft, “What Is Advanced Threat Analytics?” 23 November 2021, https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata

Aleksandr Kuznetcov, Ph.D., CISM, CISSP, is the architecture team leader of RT-Solar. He has more than 15 years of experience in information security within Asia, the Commonwealth of Independent States and Russia, including security information and event management (SIEM) and security operations center (SOC) responsibilities. He is a subject matter expert and manager of hundreds of projects and the author of dozens of published works, and he has given many presentations on his areas of expertise.