As hackers get more daring and attacks more sophisticated, organizations need to continuously look at how they can enhance their security protocols. Concerning statistics show that the cost of cybercrime, already well into the trillions, could surpass $23 trillion by 2027.

Faced with the reality that cybercrime is unquestionably on the rise, a proactive approach is now necessary to lessen the risk of attack. One of the best ways to achieve that is by utilizing the indicators that Microsoft Defender for Endpoint has.

By using these, IT admins can preemptively block malicious entities and prevent them from accessing the organization’s resources. With this in mind, the focus for this blog will be to provide you with detailed information concerning indicators.

Explaining Microsoft Defender for Endpoint Indicators

Indicators provide IT administrators with certain data that can help identify individuals with nefarious intentions. This data can enable organizations to pinpoint malicious IP addresses, untrusted certificates, suspicious URLs, and more. Moreover, an organization can then set up its indicators accordingly thereby enabling a proactive approach to dealing with threats.

In Microsoft Defender for Endpoint, the indicators operate by applying specific rules to endpoint devices. These rules will use predetermined criteria to govern whether or not devices allow or block certain types of activity. A good example of this would be blocking all traffic to and from IP addresses that have been determined to be carrying out malicious activities.

Importance of Indicators

Indicators play a major role in improving organizational security by enabling businesses to take a proactive approach and block malicious actors before they can do any damage. And if an incident does occur, indicators will help you to quickly identify threats and implement a swift response. Additionally, using indicators allows you to customize your security to effectively meet the specific needs of your organization.

These tools are invaluable for intercepting attacks. Once it has been determined that an attack is ongoing, the malicious entities can be immediately blocked therefore limiting the impact from affecting the entire organization.

Types of Indicators with Microsoft Defender for Endpoint

In this section, we’re going to look at four types of indicators that Microsoft Defender for Endpoint supports. These indicators are essential for responding to different threats.

IP ADDRESS INDICATORS

This type is used for preventing access to IP addresses suspected of malicious activities. Once a specific IP address has been determined, an action is implemented that blocks all devices within an organization from connecting to that IP address. To do this, you need to navigate to Microsoft 365 Defender portal > Settings > Indicators. Next, you’ll need to add a new indicator and then select IP Address. With this done, you can now set up the action as Block and specify devices affected.

URL AND DOMAIN INDICATORS

These indicators are used to block access to malicious domains and phishing sites. After you’ve specified the URL concerned, you can then implement an action blocking all devices within your organization from connecting to that particular URL. Microsoft Defender for DNS is recommended if you want to have DNS-level protection.

FILE HASH INDICATORS

These will enable you to block access to known malicious files based on their hash (MD5, SHA-1, or SHA-256). You can use Advanced Hunting in Microsoft Defender or third-party threat intelligence sources to get the necessary file hashes.

CERTIFICATE INDICATORS

With this fourth type, you can block executables signed by untrusted certificates.

How to Set Up Microsoft Defender for Endpoint Indicators

The process of setting up indicators is not an overly complicated one. You start by navigating to the Microsoft 365 Defender portal where you need to sign in with your administrator account. Following this, you can then begin creating an indicator.

CREATION PROCESS

• Head over to Settings > Indicators.
• Click on Add Indicator.
• Select the type of indicator required.
• Provide the necessary information:
• Indicator Type: IP Address, URL, File Hash, or Certificate.
• Action: Block or Allow
• Scope: Specify which devices/groups will be affected by the action to be performed.
• Expiration Date: Provide an expiration date for temporary indicators (this is optional).
• Description: For documentation purposes, a description will be required.

COMPLETING THE PROCESS

After you’ve completed the creation process, you can click Create to save the indicator. You’ll also have the capability to monitor the indicator’s impact by taking advantage of Reports and Advanced Hunting. Advanced Hunting offers a powerful, query-based tool that helps you track threats and evaluate how effectively the indicators are working. Hunting works best if you use filters to get more specific results, as well as if you save and reuse queries during the monitoring processes.

Using Indicators Effectively

Like most other apps and services, you can’t set up indicators once and forget about them. You need to constantly review them and update them when necessary so your security remains strong.

As already mentioned, some indicators are temporary and so you need to remember to set expiration dates for these so that you avoid cluttering your environment. Not only that, but you should ensure that indicators are targeting the specific devices or groups they are created for.

Furthermore, IT admins should continuously evaluate the information obtained from Advanced Hunting and reports so that they are always aware of whether or not the indicators are performing to expectations. And then to enhance your security posture even more, you can combine indicators with Conditional Access policies for better results.

Wrap up

The staggering figures that we hear being thrown around when discussing cybercrime are almost beyond belief. But, the reports about cybercrime provide a lot of insights that enable organizations to take the necessary steps to improve their security. Leveraging the indicators available in Microsoft Defender for Endpoint goes a long way in securing your network and reducing the risk of attack. If applied correctly and used as recommended, indicators can be some of the best tools in an organization’s cybersecurity arsenal.