Critical Start launches enhanced capabilities for Microsoft 365 Defender to detect user account attacks
Critical Start introduced capabilities around Managed Detection and Response (MDR) services for the Microsoft 365 Defender security suite that protect against phishing, brute force, and cloud application attacks on user credentials.
Other MDR providers offer recommendations, while the Critical Start SOC responds on behalf of the customer to stop user account attacks that are often a precursor to a breach.
These enhanced capabilities allow customers to extend existing defenses and prevent breaches stemming from user account-based attacks. Figures and analysis from the 2021 Verizon Data Breach Investigations Report (DBIR) reveal that “credentials remain one of the most sought-after data types”, continuing a trend noted in previous iterations of the report. Since cyber-criminals are continuing to focus their attacks on credentials that will allow them to stay hidden as they access networks rather than hacking the networks themselves, users need to be able to quickly detect and easily take action to disrupt these attacks.
“By adding threat detection and response capabilities for credential and user account attacks into our MDR platform, Critical Start goes beyond the endpoint to protect against one of the most common attack vectors involved in the majority of breaches,” said Chris Carlson, vice president of product at Critical Start. “This new expansion of capabilities was developed in direct response from customers that MDR providers need to go beyond giving recommendations for action and swiftly respond to stop attacks in progress. Critical Start now grants our customers the ability to improve their organizations’ security postures as well as their overall readiness to face off against credential-based attacks.”
With the combined power of Critical Start’s existing MDR services and the Microsoft security suite, alerts can be brought in from multiple Microsoft systems, including user-reported email phishing attempts, Azure Active Directory identity alerts and alerts triggered by anonymous login IPs to business applications running from Defender for Cloud Apps.
The expanded offering allows for optimized detection and response for different kinds of attacks that could result in users’ account becoming compromised, including in the following use cases:
- Credential harvesting through email phishing: Multiple steps in credential harvesting attacks, such as real phishing emails and malicious links, are detected. Critical Start provides courses of action to disrupt the chain and update potentially compromised user accounts.
- Attacks against cloud applications: Adversaries that gain access to an organization’s cloud applications find themselves with access to the entire organization’s sensitive data. Critical Start’s Zero Trust Analytics Platform (ZTAP) automates investigating alerts from Microsoft 365 Defender suite products and elevates any real threats to the Critical Start SOC analysts for investigation. Critical Start can also provide responses for potentially stolen credentials including disabling an account, forcing a logout and enforcing password changes.
- Brute force attacks: When unable to gain access to an organization’s data through stolen or purchased credentials, adversaries will attempt to break in via brute force attacks with weak passwords. When this occurs, Critical Start’s platform automates investigating alerts from Microsoft 365 Defender suite products and elevates legitimate threats to the Critical Start SOC analysts for investigation. Critical Start can also provide responses for potentially stolen credentials including disabling an account, forcing a logout and enforcing password changes.
- Security awareness training to defend against phishing attacks: Critical Start adds additional email phishing analysis in combination with Microsoft’s native capabilities, further supporting security awareness training by enabling a positive feedback loop informing employees of the outcome of the reported email.