Detecting Nobelium Activity with Microsoft Cloud Security Tools
Work with Microsoft and the community to prepare.
The recent Nobelium email phishing campaign has been in the news a lot lately because of the threat that it poses to organizations world over. A single user clicking on the malicious link could result in a sophisticated breach where C2 servers take control of devices in your environment.
In this blog, we will go over what organizations using Microsoft cloud security products can do to prepare for Nobelium phishing email campaigns. We will also discuss what the implementation would look like if you were to attempt to add these controls to your existing detections.
Use Defender for Endpoint and Office 365
Defender for Endpoint and Office 365 have both been updated to detect many of the common signs of a Nobelium email campaign. Defender for Office 365 is constantly being updated to detect the latest types of phishing emails and Defender for Endpoint is being updated constantly to detect the most recent infiltration tactics on your endpoints.
Follow Threat Analytics Recommended Configurations
Threat analytics is one of the features included with Microsoft 365 Defender that gives users insights into the latest threats that Microsoft security researchers have been identifying. By selecting a threat like Nobelium, you will get to see detailed information and specific recommendations for how to prepare your environment for that threat.
Enable Built-In Microsoft Sentinel Analytic Rules
Microsoft Sentinel is constantly getting new analytics that detect the most recent threats that Microsoft customers are facing. There are 4 analytic rules available that do both pre-incident detections and look for the most recent IOCs associated with Nobelium.
Use Community Detections
The cybersecurity community is full of passionate people that constantly create useful security features like detections and response options. Sources like SOC prime have many Nobelium detection options that the security researchers may have missed. If you would like to convert the analytics to something that can be used in Microsoft cloud security products see our blog on adding 3rd party analytics.
Keep an Updated List of IOCs
Having an updated list of IOCs is especially important for the recent Nobelium incidents because the types of approaches are constantly changing. Microsoft cloud security tools are maintaining an updated list of IOCs and Microsoft made a public list of IOCs in their security blog that you can use to update your organization’s IOC lists.
Have Security Researchers Learn from Other Incidents
If your organization is large enough to justify having a security researcher on staff or if you have a security team member that is especially passionate, you can have them monitor recent Nobelium incidents to see if there is anything you can learn from them. If another organization got hit there is a sizable chance you could use what they have discovered to improve your organization’s resilience in the face of a Nobelium incident.
We will continue to share best practices and lessons learned in future posts on detecting and managing ongoing threats in customer environments. It is always concerning when new threats surface, but fortunately there is a robust security infrastructure to help with incident management.
In closing, consider these three questions when preparing for incidents like Nobelium in your organization:
- Do we have detections available that can identify newer incident types like Nobelium?
- Are there procedures in place that we can use to respond to an incident like this?
- How can we leverage the resources available online to help with our incident management?