Microsoft launched today a new service that provides Microsoft Defender Advanced Threat Protection (ATP) customers a straightforward way of communicating with its real-world threat analysts during a security incident. The Experts on Demand feature is now available to everyone as part of the Microsoft Threat Experts threat hunting service.
The Microsoft Threat Experts offering was unveiled in February of this year as a Microsoft 365 feature. That service was meant to to detect threats and help customers ask for advice from a threat expert through a button in Windows Defender ATP. With the new feature, security departments within an organization can consult a threat analyst when they receive alerts about serious attacks such as a dangerous kernel device, for example.
The new feature can be accessed from the Microsoft Defender Security Center app in the Actions drop down menu. Through this service, Microsoft's security analysts can provide security operations teams with guidance and insights to "understand, prevent, and respond to complex threats in their environments."
The targeted attack notifications feature, another Microsoft Threat Experts capability, is designed to notify organizations about critical threats against their networks in a timely manner. This notification includes information on the timeline, scope of breach, and the methods of intrusion.
Dustin Duran, Principal Group Manager at Microsoft Defender ATP Research, described in a blog post how the new ATP endpoint protection capabilities helped one of its customers spot a malicious file in a single machine and found indications of a new campaign from an advanced adversary that targeted it. Then, the organization's security team consulted with Microsoft Threat Experts, which, in turn, validated the security team's findings. Finally, it was found that the "initial malware infection was the result of a weak security control" which granted users unrestricted administrator privilege.