Newsletter June 2024

Published on: June 2, 2024

Hi,

To begin with I have decided that the bi-weekly newsletter will change to a monthly newsletter. As most of you know, I create my own blogs as well, but the bi-weekly newsletter took me a lot of time. So I had not had enough time for my own blogs and all other things like running, something with work-life balance.

Reviewing about 200 items every two weeks and creating the newsletter takes a lot of time. So I decided to change the interval to a monthly newsletter. Hopefully, I will have more time to write my own blogs again and have a better work-life balance.

Besides that, the community has created a lot of content. For this newsletter, I reviewed about 463 items, I selected 45 community blogs and 5 videos. I also highlighted the following items:

  • Largest ever operation against botnets hits dropper malware ecosystem
  • Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL
  • Microsoft will require MFA for all Azure users
  • SC-400 study guide

Thank you for subscribing and reading the EndpointCave security newsletter.

I feel honored that you have joined me on this journey! My goal is to deliver valuable security content directly to you and your inbox.

But I need your help as well, do you have any valuable content that needs to be shared with the community? Did you create a security blog post or did you find a security-related news item that needs to be mentioned in my upcoming newsletters?

Please send me a message. You can contact me on X (Twitter) or LinkedIn.

Enjoy

Highlights

Largest ever operation against botnets hits dropper malware ecosystem

Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including, IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem. The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software. Following the action days, eight fugitives linked to these criminal activities, wanted by Germany, will be added to Europe’s Most Wanted list on 30 May 2024. The individuals are wanted for their involvement in serious cybercrime activities.

More information about operation endgame can be found here

Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL

The purpose of this repository is to share KQL queries that can be used by anyone and are understandable. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of those activities can be made detectable through the logs. These queries include Detection Rules, Hunting Queries and Visualisations. Anyone is free to use the queries.

More information about this repo can be found here

Microsoft will require MFA for all Azure users

  • Scope: All users signing into Azure portal, CLI, PowerShell, or Terraform to administer Azure resources are within the scope of this enforcement.
  • Impact on end users: Students, guest users and other end-users will only be affected if they are signing into Azure portal, CLI, PowerShell or Terraform to administer Azure resources. This enforcement policy does not extend to apps, websites or services hosted on Azure. The authentication policy for those will still be controlled by the app, website or service owners.
  • Exclusions: Service principals, managed identities, workload identities and similar token-based accounts used for automation are excluded. Microsoft is still gathering customer input for certain scenarios such as break-glass accounts and other special recovery processes.
  • MFA Methods: All supported MFA methods are available for you to use.
  • Exceptions: While there will be no opt-out, an exception process will be provided for cases where no workaround is available. Details for the exception process will be shared via official notifications.
  • Timeline: Beginning July 2024, a gradual rollout of this enforcement for portal only will commence. Once we have completed the rollout for portal, a similar gradual rollout will start for CLI, PowerShell and Terraform. We understand the impact this enforcement could have on automated scripts using user identities and thus are prioritizing enforcement for Azure portal to provide additional time to adapt if needed.
  • Communication: Microsoft will send detailed information and timelines through official emails and notifications with advanced notice to ensure customers are well informed and prepared. The purpose of this blog post was to generate awareness about this upcoming change and help you prepare for transition to multi factor authentication.

More information about this update can be found here

SC-400 study guide

Harri Jaakkonen has created an SC-400 study guide with 17 sections all very well explained. So if you want to start with Purview this is your go-to guide.

More information about this study guide can be found here

Security topics to watch

KQL Cafe | Session 23 | Guest: Henning Rauch | April 2024

In this video, Henning Rauch, Nikolaus Pohle, Alex Verboon, and Gianni Castaldi will talk about KQL. If you are working or want to learn KQL this is your favorite channel on YouTube. KQL cafe is a community to make the world a better place with KQL.

Click here to view the video on YouTube

You should be aware of these default settings!!

In your tenant, there are several configuration settings which makes you wonder why anyone would put them as default. Per-Torben Sørensen made a quick video where he shows some of the settings he thinks are very important that you are aware of. This is of course not a complete list and he doesn’t claim that these settings should always be modified. But they should be reviewed and considered changed.

The video goes through some settings:

  • Entra ID User settings
  • Entra ID Guest user settings
  • Entra ID Group settings
  • Entra ID Device settings
  • Microsoft Teams meeting policy

Click here to view the video on YouTube

PASSKEYS – What they are, why we want them and how to use them!

In this video, John Savill will explore what passkeys are, what is attractive about them for organizations and users, and then how to enable their use along with the user experience.

Looking for content on a particular topic? Search the channel. If he has something it will be there!

Click here to view the video on YouTube

How to Set Up Microsoft Entra ID Protection

In this video, Microsoft will learn how to deploy Microsoft Entra ID Protection by configuring risk-based policies (user risk and sign-in risk) in your organization. You will also learn best practices on how to gradually roll out these policies and MFA registration in your organization.

Click here to view the video on YouTube

External Authentication Methods (Public Preview)

In this video, Rio Hindle will delve into the world of External Authentication Methods (EAM) and how they streamline Multifactor Authentication (MFA) for Microsoft Entra ID users.

External Authentication Methods offer users the flexibility to select an external provider to fulfill MFA requirements, ensuring enhanced security without compromising convenience. Whether it’s meeting MFA requirements from Conditional Access policies, Identity Protection sign-in risk policies, or Privileged Identity Management, EAM provides a robust solution.

Click here to view the video on YouTube

Selected security blogs

This is the end of this newsletter. Thank you for reading the Endpoint Security newsletter, I hope you have found valuable content that you can use.

Do you have any feedback? Please feel free to share your thoughts and suggestions with me for future editions. Any valuable content of blogs that I need to monitor or share.  Please send me a message. You can contact me on X (Twitter) or LinkedIn.

Kind Regards,

René Laas – MVP
EndpointCave

Subscribe or follow me

DON’T MISS A BEAT

Receive the monthly newsletter directly in your mailbox

Followon XSubscribeto RSS Feed

Latest blog posts