How MDTI Helps Power Security Copilot

Today's cybersecurity challenges mandate that security teams invest more in high-quality to understand the mechanics of sophisticated attacks led by cybercriminals, nation-state actors, and others. With the introduction of Microsoft Security Copilot, security professionals can use Generative to quickly understand the full scope of attacks, anticipate the next steps of an ongoing campaign, and drive an optimal security plan for their organizations – all amid the intense, challenging time during an attack. 

This blog post will delve into Security Copilot, focusing on the strategic utilization of Microsoft Defender (MDTI), a comprehensive product designed to enhance triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows. It will explore how this integral part of Copilot can be effectively harnessed to facilitate comprehensive understanding, investigation, and maneuvering through threat intelligence. 

Improved understanding of the threat landscape 

A critical aspect of any security analyst's work is keeping up to date with the latest developments in the threat landscape. Security Copilot allows users to make simple requests known as prompts to learn about threat actors, tools, indicators of compromise (IoCs), and threat intelligence related to their organization's security incidents and alerts.

Prompts can ask almost anything of MDTI's data and content, e.g., “Tell me more about the Threat actor Silk Typhoon” or “Write a tailored prompt book (a predefined set of typical follow-up questions) about [security incident] and respond to it. The answers returned from prompts are always up to date with the latest threat intelligence information from MDTI, including IoCs, data from mass collection and analysis, intelligence articles, Intel Profiles (vulnerabilities, threat actors, threat tooling], and guidance. This critical information, delivered instantly and in context, adds to the ability to enable different Security Personas to defend at machine speed and scale. 

Below, are three important scenarios the MDTI plugin on Microsoft Security Copilot helps teams with:

Approach Context
The Reactive approach  Emphasizes investigations and enhancing threat intelligence enrichment and additional context for the entities involved in the incident.
The Proactive approach  Emphasizing the ability to detect and address threats targeting organizations like mine. It uses threat intelligence to prioritize incidents, trace possible intrusions, and expedite mitigation of misconfigurations and vulnerable software, while simultaneously assessing the organization's impact and posture against specific threats. This will offer actionable insights for investigation and enhancement, as well as mapping attacker infrastructure.
Keeping up with the latest threat intelligence Trends Detecting emerging threats by analyzing articles and trends, and subsequently disseminating relevant threat data.

The following is a sample prompt from Security Copilot asking about a threat actor:

leveraging securoty copilot.png

Figure: Leveraging Security Copilot to gain information on a threat Actor.

Quickly pivot and focus on relevant threat intelligence

While investigating, IoCs often require context and information about their relation to additional data points. With Security Copilot, this is simplified. Questions like “Show me indicators related to this article” or “What web components are associated with 185.82.217.3” make pivoting and focusing on the threat intelligence relevant to the investigation easy:

summarizethreatintels1.gif

Figure: Prompt leading to Show indicators related to an article

The following is a sample prompt of an investigation spawning from an indicator:

Spawningfromindicator.gifFigure: short demo of an investigation spawning from an indicator based on Threat intelligence

Correlating threat Intelligence to incidents and alerts

With Security Copilot, getting this additional context is now at your fingertips with a simple reference to the incident (e.g., “Show me threat intelligence information for incident ID 29088”). From this starting point, you can now find additional indicators directly derived from this attack or even threat intelligence for zero-day attacks, which might not have existed at the time of the alert but can now be correlated to an actor:

incidentthreatintel.gif

 Figure: Short Demo of prompt related to an incident and leveraging threat intelligence

How to Enable MDTI in Copilot 

It's easy – just go to “manage plugins” (bottom left in Copilot) and enable “Microsoft Defender Threat Intelligence.” The Microsoft Defender Threat Intelligence Plugin is integral to the Security Copilot Solution offered during its Early Access Program (EAP).

Request for Access 

To start taking advantage of the integration of MDTI with Security Copilot, reach out to your sales representative to get more details on early access qualifications.

Sign up here to receive updates on Security Copilot and the use of in security. 

Learn More about MDTI

Whether you are just kick-starting a threat intelligence program or looking to augment your existing threat intelligence toolset, the MDTI free version can add critical context to your existing security investigations, keep your organization informed on current threats through leading research and intel profiles, provide crucial brand intelligence, and help you to collect powerful threat intelligence associated with your organization or others in your industry. To learn more about how you and your organization can leverage MDTI, watch our overview video and follow our “Become an MDTI Ninja” training path today. Also, find out about other MDTI innovations launching at Microsoft Ignite

 

This article was originally published by Microsoft's Defender Threat Intelligence Blog. You can find the original article here.