Today's cybersecurity challenges mandate that security teams invest more in high-quality threat intelligence to understand the mechanics of sophisticated attacks led by cybercriminals, nation-state actors, and others. With the introduction of Microsoft Security Copilot, security professionals can use Generative AI to quickly understand the full scope of attacks, anticipate the next steps of an ongoing campaign, and drive an optimal security plan for their organizations – all amid the intense, challenging time during an attack.
This blog post will delve into Security Copilot, focusing on the strategic utilization of Microsoft Defender Threat Intelligence (MDTI), a comprehensive threat intelligence product designed to enhance triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows. It will explore how this integral part of Copilot can be effectively harnessed to facilitate comprehensive understanding, investigation, and maneuvering through threat intelligence.
Improved understanding of the threat landscape
A critical aspect of any security analyst's work is keeping up to date with the latest developments in the threat landscape. Security Copilot allows users to make simple requests known as prompts to learn about threat actors, tools, indicators of compromise (IoCs), and threat intelligence related to their organization's security incidents and alerts.
Prompts can ask almost anything of MDTI's data and content, e.g., “Tell me more about the threat actor Silk Typhoon” or “Write a tailored prompt book (a predefined set of typical follow-up questions) about [security incident] and how to respond to it.” The answers returned from prompts are always up to date with the latest threat intelligence information from MDTI, including IoCs, data from mass collection and analysis, intelligence articles, Intel Profiles (vulnerabilities, threat actors, threat tooling), and guidance. This critical information, delivered instantly and in context, enables different security personas to defend at machine speed and scale.
Below are three important scenarios the MDTI plugin on Microsoft Security Copilot helps teams with:
The reactive approach
Emphasizes investigations, enhancing threat intelligence enrichment and providing additional context for the entities involved in an incident.
The proactive approach
Emphasizes the ability to detect and address threats targeting organizations like yours. It uses threat intelligence to prioritize incidents, trace possible intrusions, and expedite mitigation of misconfigurations and vulnerable software, while simultaneously assessing the organization's exposure and posture against specific threats. This offers actionable insights for investigation and improvement, as well as for mapping attacker infrastructure.
Keeping up with the latest threat intelligence trends
Detecting emerging threats by analyzing articles and trends, and subsequently disseminating relevant threat data.
The following is a sample prompt from Security Copilot asking about a threat actor:
Figure: Leveraging Security Copilot to gain information on a threat actor.
Quickly pivot and focus on relevant threat intelligence
While investigating, IoCs often require context and information about their relation to additional data points. With Security Copilot, this is simplified. Questions like “Show me indicators related to this article” or “What web components are associated with 188.8.131.52” make pivoting and focusing on the threat intelligence relevant to the investigation easy:
Figure: Prompt to show indicators related to an article.
The following is a sample prompt of an investigation spawning from an indicator:
Figure: Short demo of an investigation spawning from an indicator, based on threat intelligence.
Correlating threat intelligence to incidents and alerts
With Security Copilot, additional threat intelligence context for an incident or alert is now at your fingertips with a simple reference to the incident (e.g., “Show me threat intelligence information for incident ID 29088”). From this starting point, you can find additional indicators directly derived from this attack, or even threat intelligence for zero-day attacks that might not have existed at the time of the alert but can now be correlated to an actor:
Figure: Short demo of a prompt related to an incident, leveraging threat intelligence.
How to Enable MDTI in Copilot
It's easy – just go to “Manage plugins” (bottom left in Copilot) and enable “Microsoft Defender Threat Intelligence.” The Microsoft Defender Threat Intelligence plugin is an integral part of the Security Copilot solution offered during its Early Access Program (EAP).
Request for Access
To start taking advantage of the integration of MDTI with Security Copilot, reach out to your sales representative to get more details on early access qualifications.
Learn More about MDTI
Whether you are just kick-starting a threat intelligence program or looking to augment your existing threat intelligence toolset, the MDTI free version can add critical context to your existing security investigations, keep your organization informed on current threats through leading research and intel profiles, provide crucial brand intelligence, and help you to collect powerful threat intelligence associated with your organization or others in your industry. To learn more about how you and your organization can leverage MDTI, watch our overview video and follow our “Become an MDTI Ninja” training path today. Also, find out about other MDTI innovations launching at Microsoft Ignite.