Overwhelmed by overchoice at RSA Conference 2018

April 25th, 2018

As over 500 companies vied for mindshare at this year's RSA Conference – a cacophony of vendors pitching thousands of products from brightly colored booths – it reminded me of how challenging it was to separate signal from noise when I was managing global networks. And the rapid growth of vendors and solutions in the past few years makes me wonder how overwhelming the choice must seem for CISOs today.

This challenge extends well beyond the show floor of RSA. Security Operations Center (SOC) analysts parse through thousands, or even millions, of alerts per day, working as quickly as possible to investigate them and determine which ones represent real threats. Enterprises need tools that can help them identify and contain threats quickly, but the SOC analyst's dilemma of too many alerts is echoed on the show floor: there are just too many vendor and solution choices to pick from. This phenomenon, known as overchoice, leads to paralysis, obstructing our ability to make confident choices and seek timely guidance. Psychologists have long studied this construct and found that, along with paralysis, the presence of too many options can even push people into decisions that work against their best interests.

As more than 50,000 RSA attendees worked their way across the conference center floor, I watched as they encountered an endless array of ever-changing acronyms, software, and hardware to address problems they probably didn't even know they had. In the quest to create and name the next generation of most innovative solutions, new categories and acronyms abound, from SIM to SEM to SOAR, and AV to EPP to EDR. Unfortunately, these new solutions can come so fast that the features may blur into buzzword bingo for attendees. With IoT and the intelligent edge, there are new security scenarios for enterprises to solve for. With that come new categories of security, and new offerings flood the market. Enterprise professionals are left fighting an uphill battle across a foggy landscape.

There is a way to address all this complexity. It starts with you and your enterprise. As the person who knows your enterprise best, you are positioned to drive the decision-making process based on real-world scenarios and everyday learnings.

Vendors often try to identify problems, solve them, and hope someone needs the solutions. But every enterprise is unique, and not all threats are prioritized evenly across the board. If CISOs can assess enterprise-wide learnings and lean on the vendors to interpret and understand real-world issues, a more coherent strategy and product should emerge.

Of course, it's not always easy for enterprise CISOs to understand and prioritize their needs. If this is the case in your enterprise, third-party consultants can help assess your current security posture and forge an action plan for optimization. Once a plan is created, the buyer should drive the process and avoid unnecessary distractions that lead to evaluating dozens of options and trying to understand where the puzzle pieces fit together. Once CISOs understand and have prioritized their needs, they can also lean on the vendor to help interpret and understand the enterprise's defined needs.

To better facilitate this approach, first ask, "What is the business problem I'm trying to solve?" For example: retail organizations may want to enhance their online store to include customer intelligence to provide a better customer experience. What type of privacy security will be required to do this? Will there be compliance requirements to do this? If general themes emerge rather than more nuanced security gaps, CISOs can use a known framework, like the NIST Cybersecurity Framework. It's a useful tool for managing cybersecurity outcomes, and it covers all the verticals of cybersecurity, making it easier to adopt and join with other frameworks you might also need to incorporate in your security program.

Once you have a solid grasp of the enterprise security requirements, start to look for solutions that specifically meet those needs. Once the business problems are identified and the research into solutions begins, you'll bump into those pervasive acronyms again. Don't get sucked in – resist the urge to solve for every potential problem vendors are trying to solve for. Focus on the vendors whose solutions specifically address your enterprise's problems and meet your requirements. Ask your peers for their own firsthand experience. Ask them which solutions have or haven't worked for them. You can even ask vendors for references to speak with.

Once promising vendor solutions emerge, confirm that the solution will solve your enterprise's problem. Get proof that it will – which doesn't necessarily equate to knowing every single mathematical detail about the algorithms used in a solution's ML engine or reviewing each line of code. But it does mean seeing the solution in action. Demo and test-drive it, preferably in your own environment. This approach is about the buyer driving the process and staying engaged. Like most things related to our safety and security, the more engagement, the better the outcome.

These are active times in cybersecurity. The great news is that a lot of innovative, smart, and motivated companies are working hard to build intelligent solutions to thwart cyberattacks. But we're all at risk of paralysis from overchoice. Stay on target by focusing on your business problems and needs, and demand that vendors cut through the buzz to focus on proving they can deliver results. See what Microsoft presented and our latest security innovations at the RSA Conference.


Securing the modern workplace with Microsoft 365 threat protection – part 1

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

The roots of Microsoft 365 threat protection

Over the next few weeks, we'll introduce you to Microsoft 365's threat protection services and demonstrate how Microsoft 365 threat protection leverages strength of signal, integration, machine learning, and AI to help secure the modern workplace from a ransomware attack. Previously, we showcased how Office 365 helps mitigate modern phishing attacks. Microsoft 365 threat protection goes even further, providing robust protection, detection, and response capabilities across an organization's entire attack surface. For those not aware, Microsoft 365 was introduced at last year's Microsoft Inspire conference to provide an intelligent, integrated, and secure solution for the modern workplace, combining the benefits of Microsoft's flagship Windows, Office 365, and Enterprise Mobility Suite (EMS) platforms. Figure 1 shows the services which are part of Microsoft 365 threat protection and jointly help secure the modern workplace so organizations can initiate and drive their digital transformation.

Figure 1. The Microsoft 365 threat protection security services

Microsoft is committed to a security first mindset

Microsoft has always been securing products and platforms to protect our customers who rely on our software and cloud services. Our security focus is essential to meet the demands of the 24/7 business cycle and helps ensure our customers rarely experience downtime from a security event. Microsoft invests $1B+ annually on security, employs 3500+ security professionals, and has built several strong ecosystem partnerships. As the modern workplace grows in complexity, Microsoft continues building and enhancing its security capabilities to help our customers stay ahead of modern threats. Microsoft itself is one of the world's largest enterprises and uses the same security products to protect our organization that we offer our customers.

The Microsoft Intelligent Security Graph

For our teams at Microsoft (both in operations and development), security really begins with the Microsoft Intelligent Security Graph. It is the platform that powers Microsoft security products and services by using advanced analytics to link threat intelligence and security signals from Microsoft and partners to identify and mitigate cyberthreats. Intelligence in the Intelligent Security Graph comes from consumer and commercial services that Microsoft operates on a global scale, such as Windows, Office 365, and Azure, as shown in figure 2. At Microsoft, we have massive depth and breadth of intelligence. Across our global services, each month we scan 400 billion email messages for phishing and malware, process 450 billion authentications, execute more than 18 billion web page scans, scan more than 1.2 billion devices for threats, perform nearly 2.6 billion unique file scans, and cover more than 200 cloud services. Importantly, this data always goes through strict privacy and compliance boundaries before being used for security.

Figure 2. Microsoft's global threat intelligence is one of the largest in the industry

Signal from the graph is analyzed using a combination of Microsoft's industry-leading artificial intelligence and machine learning capabilities, coupled with the expertise of security researchers, analysts, hunters, and engineers across the company, to quickly identify attacks and emerging trends so that we can evolve the immediate detections and capabilities of Microsoft 365. All our security capabilities leverage the graph, including the threat protection services comprised of Windows Defender Advanced Threat Protection (WDATP), Office 365 Advanced Threat Protection (ATP), Office 365 Threat Intelligence, Microsoft Cloud App Security, Azure Security Center, and the newly launched Azure Advanced Threat Protection (Azure ATP).

These threat protection services also share threat signal with each other through the graph, and this signal sharing enables each service to leverage threat data not only from the threats blocked by that service but also from threats across the entire threat landscape. While this post uses the example of a sophisticated ransomware attack, customers who leverage the entire Microsoft 365 threat protection stack will have near real-time protection from many types of new and unknown threats (e.g. 0-days, advanced phishing, advanced malware, etc.) for their device ecosystem, Office 365 ecosystem, and cloud, on-premises, or hybrid infrastructures by leveraging the Intelligent Security Graph.

Microsoft 365 threat protection

The modern workplace is exposed to the rapid evolution of cyber threats, from individual threats, to sophisticated organizational breaches, to rapid cyberattacks. With the growing complexity of the modern workplace, the attack surface has rapidly expanded, to a point where no single service can adequately protect an organization. To address this, we focused on developing different services that specialize in the main threat vectors and then integrating them together via the Intelligent Security Graph. The modern workplace is composed of employee identities, enterprise applications and data, devices, and infrastructure. Microsoft 365 threat protection helps mitigate advanced threats from each of these potential threat vectors, providing an end-to-end, holistic solution that secures an organization's entire attack surface, enabling:

  • Protection against advanced threats such as 0-days, targeted phishing, ransomware, and others
  • Detection of when a breach has occurred, who has been breached, and what data has been compromised
  • Response to remediate an attack and return the organization to a no-threat state
  • Education of end users on how to react or respond to different types of threats

While most security solutions do not include an educational component, we have seen that many of our customers now help educate their end users on how to react and behave in the event of a cyberattack. To help address this important aspect of security, we now offer tools that can help educate end users. While the majority of attacks are still initiated via email, 2017's most destructive attacks, NotPetya and WannaCry, were not email based. One of the benefits of Microsoft 365 threat protection is seamless integration that enables rapid transfer of information across platforms and services to help ensure all attack surfaces are quickly secured no matter where a threat originates. Over the next few weeks, we will cover Microsoft 365 and how to enable (1) Protection, (2) Detection, and (3) Response and Education. Next week, we'll demonstrate how Microsoft 365 threat protection helps organizations protect an enterprise from a ransomware attack.


Teaming up in the war on tech support scams

(Editor's note: Erik Wahlstrom spoke about the far-reaching impact of tech support scams and the need for industry-wide cooperation in his RSA Conference 2018 talk "Tech Scams: It's Time to Release the Hounds.")

Social engineering attacks like tech support scams are so common because they're so effective. Cybercriminals want to bilk users' money. They can spend a great deal of time and energy attacking the security of a device: brute-force passwords, develop custom and sophisticated malware, and hunt down vulnerabilities to exploit. Or they can save themselves the trouble and convince users to freely give up access to their devices and sensitive information.

Microsoft has built the most secure version of its platform in Windows 10. Core OS technologies like virtualization-based security, kernel-based mitigations, and the Windows Defender ATP stack of security defenses make it much more difficult for exploits, malware, and other threats to infect devices. Every day, machine learning and artificial intelligence in Windows Defender ATP protect millions of devices from malware outbreaks and cyberattacks. In many cases, customers may not even know they were protected. Windows 10 S, a special configuration of Windows 10, takes this even further by only running apps from the Microsoft Store, effectively preventing the vast majority of attacks.

Protect yourself from tech support scams

  • Note that Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to fix your computer.
  • Remember, Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you.
  • Don't call the number in pop-ups. Microsoft's error and warning messages never include a phone number.

The Windows 10 security stack greatly increases the cost for attackers. Many cybercriminals instead choose to target the humans in front of the PCs. It can sometimes be easier to convince users to willingly share their passwords, account info, or to install hazardous apps onto their device than to develop malware and steal info unnoticed.

Scammers continue to capitalize on the proven effectiveness of social engineering to perpetrate tech support scams. These scams are designed to trick users into believing their devices are compromised or broken. They do this to scare or coerce victims into purchasing unnecessary support services.

To help protect customers from scammers, we continue to enhance antivirus, email, URL blocking, and browser security solutions. However, given the scale and complexity of tech support scams, how can the security industry at large work together to deal a major blow to this enduring threat?

Still a growing global problem

In 2017, Microsoft Customer Support Services received 153,000 reports from customers who encountered or fell victim to tech support scams, a 24% growth from the previous year. These reports came from 183 countries, indicating a global problem.

Approximately 15% of these customers lost money in the scam, costing them on average between $200 and $400. In some cases, victims pay a lot more. In December 2017, Microsoft received a report of a scammer emptying a bank account of 89,000 during a tech support scam in the Netherlands.

Tech support scams reported to Microsoft

In a 2016 survey sponsored by Microsoft, two in three respondents reported experiencing some form of tech support scam in the previous 12 months, with nearly one in ten losing money.

However, as with many social engineering attacks, it's tricky to put an absolute number to the problem. The figures above represent reports to Microsoft. The problem is much bigger, given that tech support scams target customers of various other devices, platforms, and software.

An organized cybercriminal enterprise

Tech support scams come in several forms, but they share a common attack plan.

Scammers initiate these social engineering attacks in many ways, including:

  • Scam websites that use various tactics including browser dialog traps, fake antivirus detecting fake threats, and fake full-screen error messages. Scammers lead potential victims to these websites through ads, search results, typosquatting and other fraudulent mechanisms.
  • Email campaigns that use phishing-like techniques to trick recipients into clicking URLs or opening malicious attachments
  • Malware thats installed on computers to make system changes and display fake error messages
  • Unsolicited phone calls (also known as cold calls), which are telemarketing calls from scammers that pretend to be from a vendors support team

The complete attack chain shows that these attacks lead to the same goal of getting customers in contact with a call center. Once connected, a fake technician (an experienced scammer) convinces the victim of a problem with their device. They often scare victims with urgent problems requiring immediate action. They instruct victims to install remote administration tools (RATs), which provide the scammers access to and control over the device.

tech support scams attack chain

From this point on, scammers can make changes to the device or point out common non-critical errors, and present these as problems. For example, scammers are known to use Event Viewer to show errors or netstat to show connections to foreign IP addresses. The scammers then attempt to make the sale. With control of the device, scammers can make a compelling case about errors in the device and pressure the victim to pay.

An industry-wide problem requires industry-wide action

The tech support scam problem is far-reaching. Its impact spans various platforms, devices, software, and services. Examples include:

  • Tech support scams targeting specific platforms like Windows, macOS, iOS, and Android
  • Tech support scam websites that imply a formal relationship or some sort of approval by well-known vendors
  • Fake malware detection from programs or websites that mimic various antivirus solutions
  • Customized tech support scams that tailor messages and techniques based on geography, OS, browser, or ISP

As in many forms of social engineering attacks, customer education is key. There are tell-tale signs: normal error and warning messages should not have phone numbers, most vendors dont make unsolicited phone calls to fix a device, etc. To help protect and educate Microsoft customers, we have published blogs, websites, videos, and social media campaigns on the latest tech support scam trends and tactics. We have also empowered customers to report tech support scams.

Beyond customer education, the scale and complexity of tech support scams require cooperation and broad partnerships across the industry. The Microsoft Digital Crimes Unit (DCU) works with law enforcement and other agencies to crack down on scammers.

We have further built partnerships across the ecosystem to make a significant dent on this issue:

  • Web hosting providers, which can take down verified tech support scam websites
  • Telecom networks, which can block tech support scam phone numbers
  • Browser developers, who can continuously thwart tech support scam tactics and block tech support scam websites
  • Antivirus solutions, which can detect tech support scam malware
  • Financial networks, which can help protect customers from fraudulent transactions
  • Law enforcement agencies, who can go after the crooks

We seek to continue expanding and enriching these partnerships. While we continue to help protect customers through a hardened platform and increasingly better security solutions, we believe it's high time for the industry to come together and put an end to the tech support scam problem. Together, we can make our customers' lives easier and safer.

Erik Wahlstrom
Windows Defender Research Project Manager


Introducing Windows Defender System Guard runtime attestation

At Microsoft, we want users to be in control of their devices, including knowing the security health of these devices. If important security features should fail, users should be aware. Windows Defender System Guard runtime attestation, a new Windows platform security technology, fills this need.

In Windows 10 Fall Creators Update, we reorganized all system integrity features into Windows Defender System Guard. This move allowed us to continually make significant innovations in platform security. Windows Defender System Guard runtime attestation, which is built into the core Windows operating system, will soon be delivered in all editions of Windows. Windows Defender System Guard runtime attestation, like Credential Guard, takes advantage of the same hardware-rooted security technologies in virtualization-based security (VBS) to mitigate attacks in software.

Security technologies are targeted by exploits that attempt to run in the same domain of trust. For example, privileged processes are designed to provide a certain degree of isolation (at least in respect to code and data) from regular user-mode processes. The NT kernel determines whether a process is protected based on certain values held in the executive process object. Tampering with these values via a kernel exploit or with a driver (e.g., Mimikatz) can effectively disable process protection. Moving the security decision related to tampering to a separate domain of trust increases complexity for attackers.

Runtime attestation can help in many scenarios, including:

  • Providing supplementary signals for endpoint detection and response (EDR) and antivirus vendors (including full integration with the Windows Defender Advanced Threat Protection stack)
  • Detecting artifacts of kernel tampering, rootkits, and exploits
  • Protected game anti-cheat scenarios (for example, detection of process-protection bypasses that can lead to game-state modification)
  • Sensitive transactions (banking apps, trading platforms)
  • Conditional access (enabling and enhancing device security-based access policies)

With the next update to Windows 10, we are implementing the first phase of Windows Defender System Guard runtime attestation, laying the groundwork for future innovation in this area. This includes developing new OS features to support efforts to move towards a future where violations of security promises are observable and effectively communicated in the event of a full system compromise, such as through a kernel-level exploit.

Attestation and establishing trust

To introduce Windows Defender System Guard runtime attestation on a technical level, it's best to begin at the most visible layer: a client API that will eventually be exposed to a relying party. (Note: We share details of the general design as it's currently architected; the final implementation may differ.)

We are working towards providing an API that relying parties can use to attest to the state of the device at a point in time. The API returns a runtime report that details the claims that Windows Defender System Guard runtime attestation makes about the security posture of the system. These claims include assertions, which are runtime measurements of sensitive system properties.

For the runtime report to have any significant meaning, it must be generated in a fashion that provides reasonable resistance against tampering. This gives rise to the following basic component requirements:

  1. Runtime report generation must be isolated from an attacker
  2. This isolation must be attestable
  3. The runtime report must be cryptographically signed in a manner that is irreproducible outside the isolated environment

Enter VBS enclaves. We're not going to describe these enclaves in depth here, but it's prudent to give some context. On a device with virtual secure mode (VSM) enabled, virtualization extensions of the underlying Instruction Set Architecture (ISA) are employed to logically divide the system into two (theoretically, more) separate worlds: the normal world running the NT kernel that we're all familiar with, and a separate secure world running a Secure Kernel (SK). We call these two logical levels of separation Virtual Trust Levels (VTLs), in this case NT being VTL-0 and SK being VTL-1.

VBS enclaves enable what can be thought of as a siloed part of a normal-world VTL-0 user-mode process. All code and data in this silo live in VTL-1. Transactions in and out of an enclave are done via a well-defined API backed by VSL calls (the mechanism that NT and SK use to communicate). The result of this intricacy is that, as of Windows Fall Creators Update (1709), it is possible to execute code and hold data within an enclave such that the entire VTL-0 normal world, both user mode and kernel mode, cannot directly act upon the siloed code and data while they are executing and held within the enclave (in VTL-1).

From the VBS enclave, the runtime attestation component can observe and attest to a set of security properties contained in a report. For example, an app could ask Windows Defender System Guard to measure the security of the system from the hardware-backed enclave and return a report. The details in this report can be used by the app to decide whether it performs a sensitive financial transaction or displays personal information.

VBS enclaves can also expose an enclave attestation report signed by a VBS-specific signing key. If Windows Defender System Guard can obtain proof that the host system is running with VSM active, it can use this proof together with a signed session report to ensure that the particular enclave is running.

As for the signature of the runtime report itself, an asymmetric public-private key pair is generated within the enclave. The public key is signed by the Windows Defender System Guard attestation service backend to create a session certificate. In addition, the Windows Defender System Guard attestation service backend produces a signed session report containing details about the machine. These details include boot security properties, such as whether the machine booted with Secure Boot enabled, to ensure that the core operating system has not been jailbroken or tampered with. Finally, runtime reports are signed locally by the paired private key, which never leaves the enclave. The runtime and session reports can be verified by relying parties with little effort: verify the report signatures against the session certificate, then ensure that the certificate is validly signed and rooted in the relevant Microsoft CA.

Establishing the trust necessary to guarantee that the runtime report is authentic, therefore, requires the following:

  • Attesting to the boot state of the machine: the OS, hypervisor, and Secure Kernel (SK) binaries must be signed by Microsoft and configured according to a secure policy
  • Binding trust between the TPM and the health of the hypervisor to allow trust in the Measured Boot Log
  • Extracting the VSM IDKs from the Measured Boot Log and using these to verify the VBS enclave signature
  • Backend verification of the above and signing of the public component of an ephemeral key-pair generated within the enclave with a trusted CA to issue a session certificate
  • Signing of the runtime report with the ephemeral private key
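The chain just described, modelled end to end as an added example (not Microsoft's code): the enclave generates an ephemeral key pair, the backend signs its public half into a session certificate, the enclave signs the runtime report with the private half, and the relying party verifies the report signature against the session certificate and then chains that certificate to the trusted root. Because the real API, report format and key types are not published, the ECDSA P-256 keys, the JSON report body and the self-signed stand-in CA are assumptions, and the two negative cases (a report rewritten in VTL-0 transit, a certificate from an untrusted root) show what the verification rejects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedReport is what crosses the untrusted VTL-0 transport to the relying party.
type SignedReport struct {
	Report      []byte // runtime report body (assumed JSON; the real format is not published)
	Signature   []byte // ECDSA/SHA-256 signature by the enclave's ephemeral private key
	SessionCert []byte // DER session certificate: enclave public key signed by the backend CA
}

func check(err error) {
	if err != nil {
		panic(err) // setup failures are not part of the protocol being shown
	}
}

// newCA stands in for the attestation service backend's issuing CA (constructed, self-signed).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issueSessionCert is the backend step: sign the public half of the enclave's ephemeral key pair.
func issueSessionCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, enclavePub *ecdsa.PublicKey) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "System Guard session"},
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, enclavePub, caKey)
	check(err)
	return der
}

// enclaveSignReport is the enclave step; the private key never leaves it.
func enclaveSignReport(priv *ecdsa.PrivateKey, sessionCert, report []byte) SignedReport {
	digest := sha256.Sum256(report)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	check(err)
	return SignedReport{Report: report, Signature: sig, SessionCert: sessionCert}
}

// verifyReport is the relying-party step: chain the session certificate to the trusted root, then
// check the report signature against the public key in that certificate.
func verifyReport(b SignedReport, roots *x509.CertPool) ([]byte, error) {
	cert, err := x509.ParseCertificate(b.SessionCert)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("session certificate not rooted in a trusted CA: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(b.Report)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
		return nil, fmt.Errorf("runtime report signature does not verify against the session certificate")
	}
	return b.Report, nil // only now may the relying party act on the report's claims
}

// Demo runs the exchange with a constructed report and reports whether both negative cases were rejected.
func Demo() (accepted string, tamperedRejected, wrongRootRejected bool) {
	ca, caKey := newCA("Attestation Service Root (constructed)")
	enclaveKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // generated inside the enclave
	check(err)
	sessionCert := issueSessionCert(ca, caKey, &enclaveKey.PublicKey)
	genuine := []byte(`{"securityLevel":3,"assertions":["hvci-enforced","kernel-debugging-disabled"]}`)
	bundle := enclaveSignReport(enclaveKey, sessionCert, genuine)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	report, err := verifyReport(bundle, roots)
	check(err)
	// VTL-0 code that rewrites the report in transit cannot re-sign it with the enclave's key.
	tampered := SignedReport{Report: []byte(`{"securityLevel":5,"assertions":[]}`), Signature: bundle.Signature, SessionCert: bundle.SessionCert}
	_, tamperErr := verifyReport(tampered, roots)
	// A relying party that trusts a different root must reject the session certificate.
	otherCA, _ := newCA("Unrelated CA (constructed)")
	otherRoots := x509.NewCertPool()
	otherRoots.AddCert(otherCA)
	_, rootErr := verifyReport(bundle, otherRoots)
	return string(report), tamperErr != nil, rootErr != nil
}

func main() { fmt.Println(Demo()) }
```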

Networking calls between the enclave and the Windows Defender System Guard attestation service are made from VTL-0. However, the design of the attestation protocol ensures that it is resilient against tampering even over untrusted transport mechanisms.

Numerous underlying technologies are required before the chain of trust described above can be sufficiently established. To inform a relying party to the level of trust in the runtime report that they can expect on any particular configuration, a security level is assigned to each Windows Defender System Guard attestation service-signed session report. The security level reflects the underlying technologies enabled on the platform and attributes a level of trust based on the capabilities of the platform. We are mapping the enablement of various security technologies to security levels, and we will share this when the API is published for third-party use. The highest level of trust is likely to require the following features, at the very least:

  • VBS-capable hardware + OEM configuration
  • Dynamic root-of-trust measurements at boot
  • Secure boot to verify hypervisor, NT, SK images
  • Secure policy ensuring:

    • Hypervisor-protected code integrity (HVCI)-enforced kernel mode code integrity (KMCI)
    • Test-signing is disabled
    • Kernel debugging is disabled


Now that we have explained the trusted report component, let us discuss the contents of the runtime report.

The security level exposed in the session report is an important and interesting metric in and of itself. However, Windows Defender System Guard can provide much more, specifically with respect to runtime measurement of system security posture.

We call this runtime measurement component the assertion engine. The idea is to continually measure and assert system integrity at runtime, with the security level attesting to security posture at boot.

Some caveats:

  • The assertion engine was designed with the ideal system configuration in mind (i.e., a system configuration with the highest security level)

    • Business needs require Windows Defender System Guard runtime attestation to function on systems even with the lowest security level; Windows Defender System Guard runtime attestation makes no guarantees in this scenario and can act as a signal for other security products on non-locked down editions of Windows

  • When running the ideal configuration, non-ROP kernel-mode code execution is difficult due to hypervisor-protected code integrity (HVCI)-enforced kernel mode code integrity (KMCI); in this scenario:

    • Data corruption attacks are more likely
    • It can be assumed that it’s difficult to tamper with any required kernel-mode agents in non-racing scenarios
    • The runtime assertions are therefore targeted at attacks that can reasonably be performed under the most restrictive attack conditions

  • We are working within the limitations of (current) operating system design

    • We have a deep partnership with other teams in Microsoft and we work in tandem to improve System Guard runtime attestation and core kernel security features. In the current version of the OS, we rely on NT kernel thread management and the Secure Kernel primitives provided to us.

Windows Defender System Guard runtime attestation architecture

High-level overview of Windows Defender System Guard runtime attestation architecture

Architecturally, the solution is collectively referred to as the Windows Defender System Guard runtime monitor and consists of the following client-side components:

  • The VTL-1 assertion engine itself
  • A VTL-0 kernel-mode agent
  • A VTL-0 process we call the broker to host the assertion engine

To rapidly respond to threats, we opted for a dynamic scripting approach that will allow us to frequently release updates going forward. We chose an open-source library that met our requirements for maturity, footprint, and performance. This scripting component forms the core of the assertion engine that executes in VTL-1 (if available).

Running arbitrary logic in this engine wouldn't be very useful if it couldn't interact with the system in any way. For the engine to perform useful work, we provide native helpers in the form of assists. These assists are executed in VTL-0 either by the broker service or by a kernel-mode agent.

In the next update to Windows, assertion logic is delivered in-band (within the signed engine DLL itself). At some point in the future, these scripts will be delivered out-of-band. This is a core part of the design. It enables us to immediately respond to security events (for example, the discovery of new attack invariants) without the need for delivering a component update via servicing. Apps and services can take advantage of this attestation technology to ensure that the system is free from tampering and that critical processes are running as expected. This hardware-rooted proof-of-health can then be used to identify compromised machines or gate access to critical cloud services. Runtime attestation serves as a platform for a wide variety of advanced security applications.
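The gating flow described above, seen from the relying party's side, as an added example (this is not code from the original post or from Windows Defender System Guard). It models a service that asks for a fresh proof of health and refuses access unless the report is signed, fresh, bound to the nonce it issued, at a high enough security level, and free of failed assertions. The report layout, the ordering of security levels, the assertion names and the HMAC stand-in for the hardware-rooted signature are all assumptions:

```python
"""Relying-party check of a runtime attestation report.

Added example; not code from the original post or from Windows Defender
System Guard. The report layout, the security-level ordering, the assertion
names and the HMAC stand-in for the real hardware-rooted signature are
assumptions made for illustration.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Stand-in for the signing key; in the real design the report is produced
# inside VTL-1, not with a secret shared with the verifier.
ATTESTATION_KEY = b"example-only-attestation-key"

# Assumed ordering. The post only says that the lowest level carries no
# guarantees and is at most a signal for other security products.
SECURITY_LEVELS = {"lowest": 0, "hvci": 1, "locked-down": 2}


def issue_nonce() -> str:
    """Relying party mints a fresh nonce so a captured report cannot be replayed."""
    return secrets.token_hex(16)


def sign_report(report: dict, key: bytes = ATTESTATION_KEY) -> dict:
    """Attestation side (simulated): canonicalise the report and MAC it."""
    body = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"report": body.decode(), "mac": mac}


def verify_report(signed: dict, expected_nonce: str, min_level: str,
                  max_age_s: int = 300, now: Optional[float] = None,
                  key: bytes = ATTESTATION_KEY) -> Tuple[bool, str]:
    """Return (accepted, reason). No field is trusted before the MAC checks out."""
    body = signed["report"].encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, signed["mac"]):
        return False, "bad signature"            # modified after it was issued
    report = json.loads(body)
    if not hmac.compare_digest(str(report.get("nonce", "")), expected_nonce):
        return False, "nonce mismatch"           # replayed or stale report
    now = time.time() if now is None else now
    if now - float(report.get("issued_at", 0)) > max_age_s:
        return False, "report too old"           # keep the window short: changes can be transient
    level = SECURITY_LEVELS.get(report.get("security_level"), -1)
    if level < SECURITY_LEVELS[min_level]:
        # Below the required level the report is a signal, not a proof;
        # do not gate access on it.
        return False, f"security level below {min_level}"
    failed = sorted(name for name, ok in report.get("assertions", {}).items() if not ok)
    if failed:
        return False, "failed assertions: " + ", ".join(failed)
    return True, "ok"


def demo() -> Tuple[bool, str]:
    """Constructed round trip: nonce out, report back, verdict returned."""
    nonce = issue_nonce()
    report = {"nonce": nonce, "issued_at": time.time(),
              "security_level": "locked-down",
              "assertions": {"kernel_agent_intact": True, "broker_untampered": True}}
    return verify_report(sign_report(report), nonce, min_level="hvci")
```

The order of checks matters: the signature is verified over the raw bytes before anything is parsed, the nonce comparison is constant-time, and the age window is deliberately short because the post notes that malicious changes may be transient. A report from the lowest security level is rejected for gating purposes, which matches the post's statement that no guarantees are made there.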

We believe that we can significantly raise the bar for security on locked-down platforms with modern hardware and appropriate security policies. In a world where direct privileged code-execution is difficult, we think that attacks will increasingly leverage data corruption. Transient changes are also a challenge in the current model. However, future innovations will make achieving persistence harder, making transient malicious changes more difficult. The idea is to continually elevate defense across the entire Windows 10 security stack, thereby pushing attackers into a corner where system changes affecting security posture are detectable. One can think of runtime attestation as being more about detecting minute symptoms that can indicate an attack rather than looking for flashing signals.

We are very excited about this technology because of its potential for making significant leaps in platform security. There's a lot more about Windows Defender System Guard runtime attestation that we did not cover in this blog, for example the detailed design itself and where we see this technology going. Stay tuned.



David Kaplan (@depletionmode), Windows Defender ATP Research Team
Adam Zabrocki (@Adam_pi3), Windows Offensive Security Research Team
Rafael Goncalves, Enterprise & Security



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Connect to the Intelligent Security Graph using a new API

Most organizations deal with high volumes of security data and have dozens of security solutions in their enterprise, making the task of integrating various products and services daunting and complex. The cost, time, and resources necessary to connect systems, enable correlation of alerts, and provide access to contextual data are extremely high. These challenges hinder organizations' ability to move quickly when detecting and remediating threats in a world of fast-moving, disruptive attacks.

By connecting security data and systems, we can gain an advantage over today's adversaries. At Microsoft, our security products are powered by the Intelligent Security Graph, which synthesizes massive amounts of threat intelligence and security signals from across Microsoft products, services, and partners using advanced analytics to identify and mitigate cyberthreats. This week at the RSA conference, we announced the public preview of a Security API that empowers customers and partners to build on the Intelligent Security Graph. By connecting security solutions and integrating with existing workflows, alerts and contextual information from multiple solutions can be easily consolidated and correlated to inform threat detection, and actions can be taken to streamline incident response. The unified API will make these connections easier by providing a standard interface and uniform schema to integrate and correlate security alerts from multiple sources, enrich investigations with contextual data, and automate security operations for greater efficiency.

The Security API is part of the Microsoft Graph, which is a unified REST API for integrating data and intelligence from Microsoft products and services. Using Microsoft Graph, developers can rapidly build solutions that authenticate once and use a single API call to access or act on security insights from multiple security solutions. Additional value is uncovered when you explore the other Microsoft Graph entities (Office 365, Azure Active Directory, Intune, and more) to tie business context with your security insights.

This public preview supports API access to alerts from Azure Security Center and Azure Active Directory Identity Protection, with Intune and Azure Information Protection coming soon. We are also announcing support for high-volume streaming of alerts to a SIEM through Security API integration with Azure Monitor. This will enable seamless ingestion of alerts from multiple sources directly into a SIEM. Over the coming months, we'll add many more Microsoft and partner security solution integrations as data providers. We will also add new capabilities that unlock new security context through Security Inventory and allow actions that automate security operations through the same Security API.

Enabling ecosystem partners

The Security API opens up new possibilities for integration partners to build with the Intelligent Security Graph. Partners can not only consume security insights from the Graph but they can allow their alerts, context, and automation to be enabled in the Graph at peer level with integrated Microsoft products. By forming a connected, extended ecosystem of security technologies, Microsoft and partners can deliver better protections for our customers. Some partners have already onboarded to the Security APIs and many other integrations are in progress:


Anomali integrates with the Security API to correlate alerts from Microsoft Graph with threat intelligence, providing earlier detection and response to cyber threats.

The Security Graph API allows us to receive not only actionable alert information but allows security analysts to pivot and enrich alerts with asset and user information. Colby DeRodeff, Co-founder and Chief Strategy Officer of Anomali


Palo Alto Networks can enrich alerts from Microsoft Graph Security with threat intelligence speeding up detection and prevention of cyberattacks for our shared customers.

The adoption of public clouds is accelerating, but so is the threat level to the applications and data inside organizations. Todays announcement of the Microsoft Graph Security API sets the stage for expanding the built-in security features we can offer our joint customers and to help organizations safely embrace the cloud. Andy Horwitz, Vice President, Business and Corporate Development, Palo Alto Networks


PwC uses alerts and context from Microsoft Graph in its Secure Terrain solution to deliver improved visibility and protection.

The integration with Secure Terrain offers users a streamlined way to investigate Microsoft Graph alerts in the context of the broader enterprise and perform threat hunting investigations. Christopher Morris, Principal at PricewaterhouseCoopers

Building intelligent security applications

Customers, managed service providers, and technology partners, can leverage the Security APIs to build and integrate a variety of applications. Some examples include:

  • Custom security dashboards. Surface rich alerts in your custom Security Operations Center dashboards: streamline alerts and add contextual information about related entities
  • Security operations tools. Manage alerts in your ticketing, security, or IT management system: keep alert status and assignments in sync, automate common tasks
  • Threat protection solutions. Correlate alerts and contextual information for improved detections, and take action on threats: block an IP on a firewall or run an AV scan
  • Other applications. Add security functionality to non-security applications: HR, financial, and healthcare apps
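The alert consolidation, correlation, and status-sync use cases listed above, as an added example (this is not code from the original post or from Microsoft). It works against the alert resource fields the Graph Security API documents (id, title, severity, status, assignedTo, hostStates, userStates, vendorInformation), builds the list request with an OData filter, correlates alerts from different providers on the user they name, and prepares the PATCH body that keeps an alert's status and assignee in sync with a ticketing system. The response data is constructed so the functions run offline; the bearer token and hostnames are placeholders:

```python
"""Consuming and updating Microsoft Graph Security API alerts.

Added example; not code from the original post or from Microsoft. It relies on
the documented alert resource fields and a constructed sample response, so it
runs offline. The request builder shows the call that would be made; the token
is a placeholder.
"""
import json
from collections import Counter, defaultdict
from urllib.parse import urlencode

ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"

# Constructed sample in the shape of a GET .../security/alerts response:
# two providers reporting on the same user, plus one already-resolved alert.
SAMPLE_RESPONSE = json.loads("""{
  "value": [
    {"id": "a1", "title": "Suspicious PowerShell command line", "severity": "high",
     "status": "newAlert", "assignedTo": null, "createdDateTime": "2018-04-17T10:00:00Z",
     "hostStates": [{"fqdn": "wks-12.corp.example", "privateIpAddress": "10.1.2.12"}],
     "userStates": [{"userPrincipalName": "alice@corp.example"}],
     "vendorInformation": {"provider": "Windows Defender ATP", "vendor": "Microsoft"}},
    {"id": "a2", "title": "Atypical travel", "severity": "medium",
     "status": "newAlert", "assignedTo": null, "createdDateTime": "2018-04-17T10:05:00Z",
     "hostStates": [],
     "userStates": [{"userPrincipalName": "alice@corp.example"}],
     "vendorInformation": {"provider": "Azure AD Identity Protection", "vendor": "Microsoft"}},
    {"id": "a3", "title": "Malware detected", "severity": "low",
     "status": "resolved", "assignedTo": "bob@corp.example", "createdDateTime": "2018-04-16T09:00:00Z",
     "hostStates": [{"fqdn": "srv-01.corp.example", "privateIpAddress": "10.1.5.1"}],
     "userStates": [],
     "vendorInformation": {"provider": "Windows Defender ATP", "vendor": "Microsoft"}}
  ]
}""")


def list_alerts_request(token, severity=None, top=50):
    """Build (url, headers) for a GET of new alerts, optionally filtered by severity."""
    filters = ["status eq 'newAlert'"]
    if severity:
        filters.append(f"severity eq '{severity}'")
    query = urlencode({"$filter": " and ".join(filters), "$top": top})
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return f"{ALERTS_URL}?{query}", headers


def severity_counts(response):
    """Dashboard roll-up: how many alerts at each severity."""
    return dict(Counter(a["severity"] for a in response["value"]))


def correlate_by_user(response):
    """Map each user principal name to the (alert id, provider) pairs naming it."""
    by_user = defaultdict(list)
    for alert in response["value"]:
        for user in alert.get("userStates", []):
            by_user[user["userPrincipalName"]].append(
                (alert["id"], alert["vendorInformation"]["provider"]))
    return dict(by_user)


def multi_provider_users(response):
    """Users flagged by more than one provider: the cross-product correlation
    that a single-vendor console would not show."""
    return sorted(user for user, hits in correlate_by_user(response).items()
                  if len({provider for _, provider in hits}) > 1)


def build_status_update(alert, status, assigned_to):
    """Body for PATCH .../security/alerts/{id}. The API requires the alert's
    vendorInformation (provider and vendor) to be echoed back in every update,
    so it is copied from the alert rather than hard-coded."""
    return {"status": status, "assignedTo": assigned_to,
            "vendorInformation": alert["vendorInformation"]}
```

To run it live, issue the GET with the returned URL and headers, pass the decoded JSON to the functions above, and send `build_status_update(...)` as the body of a PATCH to the alert's URL when the ticket changes hands. Filtering server-side on `status` keeps resolved alerts out of the SOC view, and the provider-based correlation is what turns two medium signals about one user into a single higher-priority case.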

Get started today:

Join us at the Microsoft booth, N3501 in the north expo hall, at RSA Conference 2018 in San Francisco. You'll get the chance to speak to experts and see how our partners are using the API.

To learn more and get started today with using the Microsoft Graph Security API, check out the following resources:


Tapping the intelligent cloud to make security better and easier

April 16th, 2018

There has been a distinct shift in my conversations with customers over the last year. Most have gone from asking "can we still keep our assets secure as we adopt cloud services?" to declaring "we are adopting cloud services in order to improve our security posture." The driving factor is generally a realization that a cloud services provider can invest more in security, do the job better, and just make life simpler for overburdened enterprise IT and SecOps teams. This idea of making sound security practices easier to implement is a big part of our strategy. Today we're announcing several new technologies and programs that build on our unique cloud and intelligence capabilities to make it easier for enterprises to secure their assets from the cloud to the edge.

The first step in protecting people and data from today's dynamic threat landscape is accepting reality. It's time for us as an industry to recognize that the cloud holds so much promise for helping us solve security problems that we should consider the use of cloud-based intelligence a security imperative, not just for workloads deployed in the cloud, but also for improving the security of endpoints.

We recently released the 23rd edition of our Security Intelligence Report. The trends it uncovers help us see why the cloud is becoming a security imperative. Threats are increasingly automated and destructive. No one organization can amass the resources and intelligence to defend against these fast-moving threats. We have to tap into the power of the cloud, and of artificial intelligence, in order to muster the defenses required.

One of the most powerful examples of cloud-based artificial intelligence accelerating Microsoft's own security innovation is the Microsoft Intelligent Security Graph. Our Intelligent Security Graph uses advanced analytics to link threat intelligence and security signals from Microsoft and partners, and continues to increase in variety and volume of signal. For example, we see the threat landscape through the lens of the 18 billion web pages that Bing scans, the 400 billion emails that are analyzed for spam and malware, and the 5 billion distinct malicious threats that Windows Defender ATP protects our customers against each month.

Artificial intelligence gets better as it is trained with more signal from more diverse sources. Today, we are announcing the preview of a new unified security API in the Microsoft Graph, which allows our technology partners to easily integrate with Microsoft solutions and tap into the power of the Intelligent Security Graph.

The Intelligent Security Graph comes to life through our platform investments, where it connects our security solutions to improve protection, detection, and response. Microsoft invests more than $1 billion in cybersecurity R&D annually, to build new security innovations into Windows, Azure, and Microsoft 365. Today we are announcing new capabilities to help our customers improve their protection against threats and, when attacked, detect and respond more quickly. We are working with partners across the industry to better integrate solutions for our customers.

Improving protection

A fundamental concern for many IT teams is the struggle to know the true security posture of the organization: are all the necessary controls in place? Have all updates been applied? Is everything configured correctly? More importantly, it's hard to know what the next steps should be to improve security. Today we are announcing the availability of Microsoft Secure Score, which gives the IT administrator a combined view of security readiness across a broad swath of the digital estate, from Office 365 services to endpoint devices.

To get around properly configured protection, attackers often focus on deceiving end users with phishing and social engineering techniques. We have made a number of advances in our Office 365 ATP anti-phishing protection recently, and now we are adding Attack Simulator for Office 365 Threat Intelligence in Microsoft 365, so IT teams can train users to guard against phishing.

Information is the beating heart of any company, and the target of most attacks. It’s also a regulatory focus, especially with the new EU GDPR enforcement date rapidly approaching. In February, we announced a set of Microsoft 365 updates to help our customers manage compliance and protect information. As we near the GDPR enforcement date, today we are announcing several new tools and capabilities that help you respond to GDPR obligations with the Microsoft Cloud. Read more about them later today on the Office 365 blog.

Speeding up detection and response

Of course, no protection strategy can be 100% effective. Savvy customers are improving their detection and response capabilities to prepare for the inevitable breach. The Conditional Access capability built into Microsoft 365 has helped many of our customers dramatically improve their protection for tens of millions of employees, by assessing the risk of each request for access to a system, an application, or data, in real time. That risk level informs how much access is granted, according to policy set by IT.

We are extending Conditional Access to factor in post-breach response. New conditions based on continual assessment of endpoint health, not just a one-time check of configuration, enable our customers to restrict or deny access to resources if the device from which the request originates has been compromised by an attack. This new capability is in preview and will be generally available in the next Windows 10 update. Rapid detection and recovery remain out of reach for many of our customers because the specialized skills required to hunt down and eliminate adversaries are in high demand but short supply. To help IT focus its strained resources on the most important issues, we are announcing the general availability of automated remediation as part of Windows Defender ATP in the next Windows 10 update. With this new capability, Windows Defender ATP can automatically apply common remediations, freeing up the experts to work on more difficult recovery tasks.

Our work on detection and response extends to Microsoft Azure as well. As our customers embrace the cloud, Azure Security Center is a key tool that helps them simplify hybrid cloud security and keep pace with ever-evolving threats. Several new capabilities will be available with Security Center this week that help to identify and mitigate vulnerabilities proactively and detect new threats quickly. With the integration of Windows Defender ATP in preview, customers can get all the benefits of advanced threat protection for Windows servers in Azure Security Center.

Working across the industry

Customers who use Microsoft 365 have been taking advantage of increasingly robust tools to protect Office documents and e-mails wherever they go inside and outside the organization. Today we are extending these capabilities to our technology partners with the release of the Azure Information Protection SDK.

The benefits we can all gain from applying cloud intelligence to security problems are tremendous, but can only be fully realized if we work together across the industry. Nearly every customer I speak to has a dozen or more different security solutions in place. Each of those solutions plays a critical role in protecting the organization, and each has valuable contextual information that would help make the others more effective at protecting customers. Today we are announcing the Microsoft Intelligent Security Association, a group of technology providers who have integrated their solutions with Microsoft products to provide customers better protection, detection, and response. Anomali, Check Point, Forcepoint, Palo Alto Networks, and Ziften are among the solution providers working with us. Together, we can bring more signals from more sources to bear, which helps our customers detect and respond to threats faster.

We also continue to work with a broad coalition of technology partners in the FIDO Alliance to address one of the most fundamental issues in security today: Identity and access management. Our analysis indicates that cloud-based user account attacks are up more than 300% over the past year. Passwords are the weakest link, and they are a source of frustration for users. Today we are announcing an important step in our work to lead the industry toward a future without passwords: support for the FIDO 2.0 standard in the next Windows 10 update. Millions of Windows 10 users already have the ability to sign in to Windows without a password using Windows Hello making authentication stronger and easier. With FIDO 2.0 support, users can take that same password-free authentication experience to any Windows 10 device managed by their organization.

The evolution of the intelligent edge

At Microsoft, we believe the intelligent cloud and intelligent edge will shape the next phase of innovation. The rise of Internet of Things deployments amplifies security challenges, because many devices lack the tools to manage updates or detect and respond to attacks. Building on research done by Microsoft AI and Research, and on decades of Microsoft experience and expertise in silicon, software, and cloud security, today we are announcing the preview of Azure Sphere. Azure Sphere extends our reach to the outer regions of the intelligent edge, enabling us to serve and secure an entirely new category of devices — the billions of MCU powered devices that are built and deployed each year.

It's an exciting time to be working in security. We are joining forces with other security solution providers and using the cloud to our customers' advantage. Together, we can turn the tide against attackers. We are at the RSA Conference this week, and looking forward to discussing these new capabilities with you. Visit Microsoft.com/RSA to learn where you can find us.



Microsoft to deliver new products and strategies for security innovation at 2018 RSA Conference

At the 2018 RSA Conference, our senior leaders will dissect modern cyber defense strategies, and reveal new products to detect and block cyber attacks when they happen. Our objective is to arm business, government and consumers with deeply integrated intelligence and threat protection capabilities across platforms and products. To this end, we have much to share, joining tech giants and top security leaders and pioneers to expand the frontlines of cyber defense.

The theme of this year's RSA Conference is "Now Matters," a nod to the pressure and urgency to protect governments, economies, and the nearly half of the world's population that connects to the Internet. Microsoft President Brad Smith keynotes a valuable session, "The Price of Cyber Warfare," detailing the new reality that emerged for people and infrastructure from the WannaCry and NotPetya attacks.

In addition to the keynote, several of our senior leaders will host the following industry leading sessions:

Within these sessions, we will preview our new products and strategies, dive into IoT, and explore commercial scenarios that touch the gig economy.

Join us at booth 3501 in the North Expo, which will be stocked with rich content and product experts to help answer your questions, including anything from our recently released Microsoft Security Intelligence Report. The booth schedule is also loaded with engaging demo stations showcasing identity and access management, information protection, threat protection, security management, GDPR and compliance solutions, and the Intelligent Security Graph. We're also holding a variety of presentations on key topics in our booth, such as:

  • Windows Defender ATP Unified platform for endpoint security
  • Anti-phish Technologies to Protect Your Office 365 Environment
  • Our Journey to a World without Passwords with Windows Hello
  • Secure IaaS Deployments Using Microsoft Azure Security Center
  • Simplify Compliance with Compliance Manager

Stop by our booth 3501 in the North Expo any time to view these demos and presentations, or visit Microsoft.com/rsa to help plan your conference schedule. Be sure to check back on the Microsoft Secure blog to get more information on the Microsoft announcements as they take place and for post-RSA content.


Join Microsoft for a security in a day workshop

Let’s talk about an integrated security experience. Many of our customers are in various stages of cybersecurity maturity:


  • Firefighting
  • No formal security program


  • Point solutions/tools for basic controls
  • Pockets of expertise


  • Aligned to frameworks
  • Documented controls
  • Begins to integrate signals for faster response


  • Intelligence driven response and recovery
  • Organization wide emphasis
  • C-suite sponsorship


  • Continuous improvement through innovation
  • Aims to be predictive
  • Trusted intel sharing

But what is the goal at the end of the day as you move up the maturity model? Some people may say “to be secure.” The problem with that is there is no checkbox for “you are secure.” So, the question customers must ask themselves is, am I secure enough? If you look at the security model and say, no, I’m not mature enough, I’m not predictive enough – how can I improve that? Then there is almost a limitless number of investments you can make into security. But how do you know where to invest and what is the real strategy behind those investments?

One of the frameworks you can take up is to switch the question from the defender's dilemma into the attacker's dilemma and ruin the attacker's economic model. There are a few components you can put together to drive that outcome.

Break the known attack playbook

To decide where to make the investments, you can try to be predictive and see what some of the known attack playbooks (e.g. phishing, ransomware) are in use and break them down. Take a look at the opportunities to disrupt those plays. Can you identify what that play is and how to disrupt it? Different plays require different options so that you can proactively take the time to raise the cost to the attacker.

Agile response & recovery

If the attacker gets past the first line of defense, have a next line of defense that's ready. Assume breach as an approach to thinking like the attacker. Start by proactively identifying the targeted asset: what is the threat to your company? What are the attack vectors your company is most vulnerable to? What are the trends you are seeing? You can then start to answer how to set up your response and recovery against those playbooks in an intelligent and holistic way.

Eliminate other attack vectors

This can be done gradually over time, or you can pivot very quickly towards future attacks. The better you get at the first two pieces, the more components you have in play to complete the puzzle here. Nobody really knows what those other attack vectors may be, but being very solid in breaking the known attack playbook and in agile response and recovery will help set you up for success, because similar components may be used.

Where do I start?

We have a series of Security in a Day Workshops in April and June (schedule for June coming soon) at our local Microsoft Technology Centers where you can spend the day digging into different risk profiles and learn how to strategize your move up the maturity model. Our Microsoft Security partners will cover the why, the how, and strategies to dig into the attack profiles and how to mitigate those risks so that you can build your integrated security experience. Find a local event near you or click on the link down below:

Chicago April 11th, 2018
Reston April 11th, 2018
New York April 12th, 2018
Bellevue April 12th, 2018
Philadelphia, April 17th, 2018
San Francisco, April 18th, 2018
Irvine, April 26th, 2018


Investing in the right innovation

April 10th, 2018

RSA is around the corner, which means tens of thousands of people will descend on Moscone Center in San Francisco, CA. Hundreds of innovative young companies will look for customers, props, and capital (especially at the Early Stage Expo!). Venture capitalists will look for opportunities to invest and find the next $1B IPO. Larger companies may well search for IP to complement larger platforms. CISOs will show up looking for solutions to today's problems, with an eye toward tomorrow's, and ask two key questions: What in this expo hall will help me better protect my company? And, what can I take OUT of my portfolio in exchange?

Considering this, I contacted several VC and tech sector colleagues to test an assertion in my most recent blog, which stated that perhaps the kind of innovation we're likely to see at RSA can offer too much of a good thing when it comes to CISOs' priorities. Is the market ready for all this innovation? Are there enough dollars available? Is the innovation meeting CISOs' real needs?

Looking at the exhibitor list, and searching by core topic, it's going to be exciting, yet challenging, to determine which companies are truly innovating and competitive in these crowded marketplaces. A quick look also tells us where most of the attention is, and where it isn't. The Analytics, Intelligence and Response, and Machine Learning categories turn up hundreds of companies, as expected given all the financial support into, and buzz around, these fields. We should expect to see many claims of best-in-class cyber defense products. However, I suspect there is growing skepticism about vendors' claims to have the best ML/AI-driven 0-day finder. I encourage vendors to be prepared to articulate the true capabilities of the ML and AI engines that drive your solutions: By what standards can we evaluate the strength of algorithms and engines? Can they scale, integrate into, and play nice with a customer's existing toolset? No doubt, ML and AI will continue to improve and become more central to security, but early innovations here have probably created what one contact called a "swarm effect" that has promoted the rise of duplicative technologies. Vendors should also be aware there are probably too many companies chasing too few CISO dollars, and there is bound to be consolidation. On the investor side, I suspect ML/AI fatigue is setting in. A few VCs have said they're pretty much done putting money into this area until it shakes out.

Perhaps CISOs can nudge the security and investor communities into using ML and AI to develop more foundational preventative solutions. These might include more secure-by-design hardware and software architectures, self-aware and self-healing systems, and smart-configuration and smart-patching solutions. One CTO colleague relayed that he's seen excellent presentations and proposals on self-healing computational models and systems, but unfortunately few VC-funded companies are moving beyond research into development and commercialization, partly because so much attention is on APT-hunting shiny objects. Until the community is incentivized to move into these areas, the current "assume breach" detect-and-respond model will dominate how cybersecurity is practiced and commercialized.

As another example, look at blockchain and cryptocurrency, two leading-edge investment areas. Is commensurate work being done to update the underlying cryptographic algorithms and protocols, some of which date back to 1982? Quantum-resilient crypto and homomorphic encryption technologies are areas that probably haven't received the level of financial support they deserve, outside of DARPA or other government programs.

Getting back to CISOs' priorities, the consistent theme was how to make the best use of people and existing tools:

  • Training: This CBT/CET Gartner market will reach $7.2B by 2019. We know that we're facing a shortage of up to 2M qualified cyber professionals. Unfortunately, this year's conference doesn't seem to reflect the market opportunity or interest in addressing such core challenges. I queried the Human Element and Professional Development topics in the RSA exhibitor list and turned up only 57 and 19 companies, respectively, with booth presence this year. I hope at least their booths are crowded and that they succeed. We need more innovation in people. Machines will have to do more and more of the work, but in the end, people deploy, monitor, and interact with the technology that is protecting their systems. We must be more innovative in how we train people and encourage others to join the field. The better we can train personnel to more effectively monitor and improve the performance of their cyber systems, the more we can create a virtuous loop in which trained people continuously optimize the abilities of the machines that will be required to handle more of the configuration, deployment, monitoring, detection, and remediation workloads.
  • ROI: We need to invest more in tools that help CISOs use their existing tools better. One VC colleague pointed to a recent investment his firm made in a company whose solution measures the effectiveness of third-party security tool implementation. Whos watching the watchers? IMHO, a very clever example of the type of virtuous cyber loop we could create. Another VC contact uses the analogy of the industry delivering too many cyber drugs to treat the same symptoms; what his firm wants to see is investment in more doctors and nurses to more effectively administer the treatment, get to root cause, and save the patient.

I support many public sector CISO teams in the US and Europe. What do I think they'll be looking for at RSA? With an eye on ML/AI innovation, I think they'll be just as interested in tools that offer improvements to the messy hygiene work of security: automated and self-learning configuration, inventory analysis and update management tools, and anything that helps their people improve how they manage their responsibilities. Given uncertain budgeting and the continual need to maintain and adhere to compliance mandates, they'll also look for solutions that help improve and speed up the path to staying as green as possible on a scorecard. Perhaps the excitement around advanced sciences and big data will dominate the RSA agenda, but I expect and encourage CISOs to push innovators for solutions that get to the core of their day-to-day challenges.

If you're an investor, or if you're an innovator looking for what could be next year's breakout opportunity, think about investing in the people who will deliver on your goals.


Security baselines should underpin efforts to manage cybersecurity risk across sectors

This post is authored by Angela McKay, Director of Cybersecurity Policy, and Amanda Craig, Senior Cybersecurity Strategist, CELA.

Organizations are leveraging technology to transform their operations, products, and services, and governments are increasingly focusing on how to enable such dynamic change while also managing risks to their critical infrastructure, economies, and societies. Across sectors and regions, they're developing, updating, and gathering feedback on cybersecurity policies and legislation, aiming to build resiliency into their nations' approaches to digital transformation.

Industry and governments must collaborate to build a more resilient ecosystem. In sharing lessons learned from operating across diverse environments, global companies can accelerate efforts to protect global infrastructure and technology. Similarly, by leveraging lessons learned through not only their own experiences but also those of industry, governments can ensure their efforts to enhance resiliency are both practicable and effective. This mutual collaboration through public-private partnerships can help to drive meaningful outcomes, which will continue to be critical to improving collective cybersecurity defense and responding to evolving threats.

On March 27, 2018, Microsoft demonstrated its commitment to this mission by joining with five other companies to launch the Coalition to Reduce Cyber Risk (CR2), a global, cross-sector group that will partner with governments to advance cyber risk management. Collaboration with leaders from other sectors and regions will highlight how cybersecurity impacts the global, interdependent economy. It will also provide unique insights as CR2 contributes to governments' efforts.

Today, we are further pursuing this mission by publishing a whitepaper on the role of security baselines, a set of foundational activities through which organizations can advance cyber risk management. We advocate for baselines that engage executives and embed flexibility, enabling organizations' security capabilities and investments to evolve with rapidly changing threats. We also advocate for baselines that are applicable across sectors and regions.

Cross-sector, globally relevant security baselines are increasingly essential because they address the reality that interdependencies between sectors and regions are significant and growing, fuelled by regional and global economic integration and by the horizontal growth of technology across previously unrelated vertical sectors. Today's cybersecurity threats, risk mitigations, and infrastructure operations are unlikely to be confined to just one sector or region, creating a need for interoperability across sectoral approaches and jurisdictions.

There are some existing examples of cross-sector, globally relevant security baselines that engage executives and embed flexibility in risk management. In particular, the recently published ISO/IEC 27103 is relevant across sectors and geographies, based on risk management principles, and grounded in a flexible approach. Specifically, it integrates an outcomes-focused approach with controls-based ISO/IEC references that are supported globally and used by different sectors.

Governments that are cognizant of sectoral and geographic interdependencies while developing or updating security baselines could make progress in managing risk while supporting growth within their domestic infrastructure and economy. In addition, governments that engage technology providers, business leaders, critical infrastructure operators, and civil society organizations while developing or updating baselines will have more seamless implementation of cybersecurity policies.

Through CR2 and in direct engagements, we look forward to the opportunity to continue to partner with governments, others in industry, and other stakeholders to build or update security baselines. In our experience, around the world, cybersecurity policies built through partnerships are likely to operate more consistently and predictably, not only helping cybersecurity but also giving businesses, innovators, and citizens the confidence they need to make the most of technology and innovation.


Announcing: new British Standard for cyber risk and resilience

April 4th, 2018

Technology is an integral part of the fabric of everyday life. There is almost no organization that does not rely on digital services in some way in order to survive. The opportunity that technology provides also brings with it more vulnerabilities and threats as organizations and data become more connected and available. This trend results in a common gap found in the decision-making process at large organizations. Often information security and cybersecurity have been viewed as a function of IT and therefore, the information security departments have been managed outside of normal business decision-making processes. This is an approach we no longer have the luxury of indulging.

Organizations need a holistic approach to implementing digital transformation projects that safeguards their security. This involves focusing on both the opportunity and the threat of any change. To do this effectively, the accountability for cyber risk and resilience needs to sit firmly with executive management and the governing body. However, a skills gap exists at this level, with many governing body members having started their careers before the internet era. Even when willing to adopt responsibility for building a cyber resilient organization, senior executives are often confused by the technical language that risk management and cybersecurity professionals speak. They may also encourage cybersecurity professionals to speak directly to the board. Therefore, we also need to equip board members with the tools to ask the right questions and ensure the correct levels of risk to build cyber resilient organizations.

That is why, nearly two years ago, the BSI Risk Management Committee started working to develop new guidance aimed at helping executive leadership better understand and manage the technology risks to their organizations. I was asked to lead a group of government executives, regulators, professional bodies and technical experts with a goal of directly addressing the realities and challenges of managing cyber risk in a digital world. This goal led us to draft the new British Standard BS31111. The standard aims to provide guidance to enterprise organizations regarding cyber risk and resilience, and to address the gap in IT decision making.

The standard includes:

  1. Parameters to build concrete guidelines into governing bodies
  2. Identification of areas of focus an organization should have in order to build a cyber resilient enterprise
  3. Assessment questions management can ask to challenge the organization regarding how it is building cyber resilience into the business

Cyber risk and resilience needs to be driven from the top of the organization to ensure that the right culture is set across all business decision making. Executive management must ensure that there is a clear risk and resilience strategy set across the organization, as well as ensuring that there is a strong management structure in place that details the responsibilities and expectations of everyone to maintain security. As Microsoft's own CEO Satya Nadella has said, "Cybersecurity is like going to the gym. You can't get better by watching others, you've got to get there every day." Satya's comments underline the reasoning behind this standard, emphasizing the need to build cyber resilience into day-to-day operations and not treat it as a standalone project or program.

Engaging with risk management and cyber resilience principles can be complicated and it is easy to get bogged down by technical jargon. To help, we created a visual (figure 1) intended to illustrate the areas required to develop cyber resilience and the key responsibilities of the board.

Source: BS31111:2018, Figure 1

Key tenets:

  • The responsibility of any Board of Directors is to clearly set the direction of business activity. They ultimately sign off on major decisions and investments and need to ensure that activity is sustainable for the business.
  • Executive management and the governing body are mostly responsible for the roof and foundation, with oversight on the activity of the pillars. Any building is only as good as its foundation and the same is true for building cyber resilience.

The importance of culture for security

Without a strong culture of security, it is easy for decisions to be made that expose an organization. Many of the major breaches witnessed in recent years can be traced back to a lack of ownership and leadership regarding the need for strong cybersecurity measures across the organization, along with ill-informed investment decisions. The executive management and members of the board need to clearly focus on the benefits of any digital investment AND the level of security outcomes required to support that investment. Hopefully, the new British Standard BS31111 will provide best practice aims and expectations for the responsibility and accountability of boards and executive leadership to drive change.

The publication of the standard is only the first step. It will be important to promote the need for every organization to safeguard their enterprise and their customers, more than we do today. Many boards and governing bodies are becoming more cyber aware and understanding their need to build cyber risk into their decision making. This publication aims to enable leadership teams and boards to build awareness and decision-making protocols across the organization.

In my short tenure with Microsoft, I have already witnessed a strong internal security culture, focused on building resilient and secure cloud platforms. I look forward to working with my customers to help them develop their own cyber resilient foundations and cultures, ensuring that Microsoft's capabilities support them in that endeavor.

Siân serves as Executive Security Advisor for the UK at Microsoft and has worked in the Information Security industry for over 20 years. Siân is a highly requested public speaker and has regularly been on national radio and television, including the BBC and Sky News, talking about security issues. Siân was appointed an MBE by the Queen in the New Year Honours List for 2018 for services to Cyber Security.


Hunting down Dofoil with Windows Defender ATP

Dofoil is a sophisticated threat that attempted to install coin miner malware on hundreds of thousands of computers in March 2018. In previous blog posts we detailed how behavior monitoring and machine learning in Windows Defender AV protected customers from a massive Dofoil outbreak that we traced back to a software update poisoning campaign several weeks prior. Notably, customers of Windows 10 S, a special Windows 10 configuration that provides streamlined Microsoft-verified security, were not affected by the Dofoil outbreak.

In this blog post, we will expound on Dofoil's anti-debugging and anti-analysis tactics, and demonstrate how the rich detection libraries of Windows Defender Advanced Threat Protection and Windows Defender Exploit Guard can help during investigation.

We found that Dofoil was designed to be elusive to analysis. It checks its environment and stops running in virtual machine environments. It also checks for various analysis tools and kills them right away. This can make malware analysis and assessment challenging.

The following diagram shows the multi-stage malware execution process, which includes checks for traits of analysis environments during some stages.

Figure 1. Dofoil multi-stage shellcode and payload execution flow

The table below describes the purpose of each stage. Each of the first five stages uses one or more techniques that can deter dynamic or static malware analysis.

  1. Obfuscated wrapper code: anti-heuristics
  2. Bootstrap module: performs self-process hollowing to load the next module
  3. Anti-debugging module: performs anti-debugging operations
  4. Trojan downloader module: performs system environment checks; performs anti-VM operations; injects itself into explorer.exe through process hollowing
  5. Trojan downloader module in explorer.exe: contacts the C&C server to download the trojan and runs it using the process hollowing technique
  6. Payload downloader module in explorer.exe: contacts the C&C server to download the main payload
  7. Trojan module: steals credentials from various application settings and sends the stolen info to the C&C server over an HTTP channel
  8. CoinMiner.D: mines digital currencies

Table 1. Dofoil's multi-stage modules

Initial stages

The first three stages (i.e., obfuscated wrapper code, bootstrap module, anti-debugging module) use the following techniques to avoid analysis and identification.

  • Benign code insertion: inserts a huge benign code block to confuse heuristics and manual inspection
  • Anti-emulation: enumerates an arbitrary registry key (HKEY_CLASSES_ROOT\Interface\{3050F557-98B5-11CF-BB82-00AA00BDCE0B}) and compares the data with an expected value (DispHTMLCurrentStyle) to check whether the malware runs inside an emulator
  • Self-process hollowing: uses the process hollowing technique on the current process, making analysis extra difficult due to the altered code mapping
  • Debugger checks: checks for debuggers and modifies code to crash. This adds an additional layer of confusion for researchers, who are bound to investigate the cause of the crashes. It checks the PEB.BeingDebugged and PEB.NtGlobalFlag fields in the PEB structure. For example, PEB.BeingDebugged is set to 1 and PEB.NtGlobalFlag is set to FLG_HEAP_ENABLE_TAIL_CHECK|FLG_HEAP_ENABLE_FREE_CHECK|FLG_HEAP_VALIDATE_PARAMETERS when a debugger is attached to the process.

Table 2. Anti-analysis techniques

The first stage contains some benign-looking code before the actual malicious code. This can give the executable a harmless appearance. It can also make emulation of the code difficult, because emulating the various API calls that rarely appear in malware code can be challenging.

The first-stage code also performs a registry key enumeration to make sure it has the expected value. When all checks are passed, it decodes the second-stage shellcode and runs it in the allocated memory. This shellcode un-maps the original main module's memory, and then decodes the third-stage shellcode into that memory; this is known as a self-process hollowing technique.

Figure 2. Self-modification based on PEB.BeingDebugged value

Windows Defender ATP's process tree can help with investigation by exposing these anti-debugging techniques.

Figure 3. Windows Defender ATP process tree showing anti-debugging techniques

Trojan downloader module

The trojan downloader module performs various environment checks, including virtual environment and analysis tool checks, before downloading the payload.

  • Check module name: checks if the main executable name contains the string "sample"
  • Check volume serial: checks if the current volume serial number is 0xCD1A40 or 0x70144646
  • Check modules: checks for the presence of DLLs related to debuggers
  • Check disk-related registry keys: checks the value of the registry key HKLM\System\CurrentControlSet\Services\Disk\Enum against well-known disk name patterns for virtual machines (qemu, virtual, vmware, xen, ffffcce24)
  • Process check: checks running processes and kills those with process names associated with analysis tools (procexp.exe, procexp64.exe, procmon.exe, procmon64.exe, tcpview.exe, wireshark.exe, processhacker.exe, ollydbg.exe, idaq.exe, x32dbg.exe)
  • Windows class name check: checks the current Windows class names and exits when some well-known names are found (Autoruns, PROCEXPL, PROCMON_WINDOW_CLASS, TCPViewClass, ProcessHacker, OllyDbg, WinDbgFrameClass)

Table 3. Anti-analysis techniques of Dofoil's trojan downloader module

The list of target process names and Windows class names exists in custom checksum form. The checksum algorithm looks like the following:

Figure 4. Shift and XOR custom checksum algorithm

The purpose of this checksum is to prevent malware researchers from quickly figuring out what analysis tools it detects, making analysis more time-consuming.

  String               Checksum
  Autoruns             0x0E5C1C5D
  TCPViewClass         0x1D4F5C43
  ProcessHacker        0x571A415E
  OllyDbg              0x4108161D
  WinDbgFrameClass     0x054E1905
  procexp.exe          0x19195C02
  procexp64.exe        0x1C0E041D
  procmon.exe          0x06185D0B
  procmon64.exe        0x1D07120A
  tcpview.exe          0x060B5118
  wireshark.exe        0x550E1E0D
  processhacker.exe    0x51565C47
  ollydbg.exe          0x04114C14
  x32dbg.exe           0x5F4E5C04
  idaq.exe             0x14585A12

Table 4. String checksum table used for process names and Windows class names

Process hollowing

Dofoil heavily uses the process hollowing technique. Its main target for process hollowing is explorer.exe. The Dofoil shellcode launches a new instance of explorer.exe, allocates shellcode in a heap region, and then modifies the entry point code to jump into the shellcode. This way, the malware avoids using the CreateRemoteThread API but still achieves code injection.

Figure 5. Modification of explorer.exe entry point code

Windows Defender ATP can detect the process hollowing behavior with advanced memory signals. The following process tree shows that the malware injects itself into explorer.exe using the process hollowing technique.

Figure 6. Windows Defender ATP alert process tree showing the first process hollowing

When the shellcode downloads another layer of payload, it spawns another explorer.exe to inject the payload into using process hollowing. Windows Defender ATP can save analysis time in these cases by pinpointing the malicious actions, eliminating the need to guess what these newly spawned Windows system processes are doing.

Figure 7. Windows Defender ATP alert process tree showing the second process hollowing
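The ancestry pattern in Figures 6 and 7 (a user-launched sample starting explorer.exe, which then starts another explorer.exe) can be turned into a hunting heuristic over process-creation telemetry. The following is an added example, not code from the original post or from Windows Defender ATP itself: it walks each explorer.exe's parent chain and flags any instance with an ancestor outside a small trusted set. The trusted-ancestor set, the event shape, and the process names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hypothetical, minimal shape of a process-creation event (not the ATP schema).
@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str  # image file name, lower-case, without path

# Images that legitimately sit above explorer.exe in a desktop logon chain.
# Assumption: a starting point for this example, not an exhaustive list;
# tune it to what your own telemetry shows before using it for alerting.
TRUSTED_ANCESTORS = frozenset({"winlogon.exe", "userinit.exe", "explorer.exe"})

# Constructed sample telemetry: a normal logon chain, a dropper double-clicked
# from the real desktop shell, and the two hollowed explorer.exe instances the
# post describes. "dropper_sample.exe" is a placeholder name, not an indicator.
SAMPLE_EVENTS = [
    ProcessEvent(500, 400, "winlogon.exe"),
    ProcessEvent(600, 500, "userinit.exe"),
    ProcessEvent(700, 600, "explorer.exe"),        # the real desktop shell
    ProcessEvent(800, 700, "dropper_sample.exe"),  # first-stage sample
    ProcessEvent(900, 800, "explorer.exe"),        # first hollowed explorer.exe (Figure 6)
    ProcessEvent(1000, 900, "explorer.exe"),       # second hollowed explorer.exe (Figure 7)
]


def ancestry(pid: int, by_pid: Dict[int, ProcessEvent], limit: int = 32) -> List[ProcessEvent]:
    """Return the parent chain of pid, nearest parent first.

    Stops when the parent is not in the telemetry, when a pid repeats (PID
    reuse can otherwise produce a loop), or after `limit` hops."""
    chain: List[ProcessEvent] = []
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < limit:
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid in seen:
            break
        chain.append(parent)
        seen.add(parent.pid)
        cur = parent
    return chain


def suspicious_explorer_instances(events: Iterable[ProcessEvent]) -> Dict[str, str]:
    """Flag every explorer.exe whose ancestry contains an image outside
    TRUSTED_ANCESTORS. Returns {pid: "child(pid) <- ... <- offender(pid)"}.

    Both hollowed instances are reported: the second one is caught because the
    walk continues through the first (trusted-looking) explorer.exe."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, str] = {}
    for event in by_pid.values():
        if event.image != "explorer.exe":
            continue
        chain = ancestry(event.pid, by_pid)
        offender = next((a for a in chain if a.image not in TRUSTED_ANCESTORS), None)
        if offender is None:
            continue  # e.g. winlogon -> userinit -> explorer: normal logon
        path = [event] + chain[: chain.index(offender) + 1]
        findings[event.pid] = " <- ".join(f"{p.image}({p.pid})" for p in path)
    return findings


if __name__ == "__main__":
    for pid, path in sorted(suspicious_explorer_instances(SAMPLE_EVENTS).items()):
        print(f"explorer.exe pid {pid} has an untrusted ancestor: {path}")
```

A legitimate explorer.exe started from a shell or script will also be reported, so treat the output as an investigation lead (mirroring the audit-before-enforce advice for Exploit Guard) rather than a verdict.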

The process hollowing behavior can be detected through Exploit protection in Windows Defender Exploit Guard. This can be done by enabling the Export Address Filter (EAF) mitigation against explorer.exe. The detection happens when the shellcode goes through the export addresses of the modules to find the export address of the LoadLibraryA and GetProcAddress functions.

Figure 8. Export Address Filter (EAF) event exposed in Event viewer

Windows Defender Exploit Guard events are also exposed in the Windows Defender ATP portal:

Figure 9. Windows Defender ATP view of the Windows Defender Exploit Guard event

Adding Windows Defender Exploit Guard EAF audit/block policy to common system processes like explorer.exe, cmd.exe, or verclsid.exe can be useful in finding and blocking process hollowing or process injection techniques commonly used by malware. This policy can impact third-party apps that may behave like shellcode, so we recommend testing Windows Defender Exploit Guard with audit mode enabled before enforcement.

Command-and-control (C&C) and NameCoin domains

Dofoil's C&C connection is very cautious. The trojan code first tries to connect to well-known web pages to verify that the malware has a proper, real Internet connection rather than the simulated connectivity of a test environment. After it makes sure it has a real Internet connection, the malware makes HTTP connections to the actual C&C servers.

Figure 10. Access to known servers to confirm Internet connectivity

The malware uses NameCoin domain name servers. NameCoin is a decentralized name server system that provides extra privacy backed by blockchain technology. Except for the fact that the DNS client needs to use specific sets of NameCoin DNS servers, the overall operation is very similar to a normal DNS query. Because NameCoin uses blockchain technology, you can query the history of the domain name changes through blocks.

Figure 11. Malicious hostname DNS entry changes over time (https://namecha.in/name/d/vrubl)

Windows Defender ATP can provide visibility into the malware's network activities. The following alert process tree shows the malware's .bit domain resolution activity and, after that, the connections to the resolved C&C servers. You can also view other activities from the executable, for example, its connections to other servers using SMTP ports.

Figure 12. Windows Defender ATP alert process tree showing C&C server connection through NameCoin server name resolution

The Windows Defender ATP advanced hunting feature, which is currently in preview, can be used to hunt down more malware samples that possibly abuse NameCoin servers. For example, the following query will let you view recent connections observed in the network. This can lead to extra insights on other threats that use the same NameCoin servers.

Figure 13. Advanced hunting for other threats using the same NameCoin servers

The purpose of using NameCoin is to prevent easy sinkholing of the domains. Because there is no central authority over NameCoin domain name records, it is not possible for the authorities to change a domain record. Also, malware abusing NameCoin servers uses massive numbers of NameCoin DNS servers to make a full shutdown of those servers very difficult.
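Two pivots follow from this section: a .bit lookup is never answered by an ordinary corporate resolver, so any such query is worth a look, and the NameCoin servers a sample used can reveal other processes talking to the same servers (the idea behind the advanced hunting query above). The following added example, not code from the original post and not a Windows Defender ATP query, runs both pivots over constructed DNS-query events attributed to their initiating process; the log format, the approved resolver, and the TEST-NET resolver addresses are assumptions and not real indicators.

```python
import re
from typing import Dict, List, NamedTuple, Set


class DnsEvent(NamedTuple):
    time: str
    process: str   # initiating process, as a process tree attributes it
    query: str     # queried host name
    resolver: str  # DNS server the query was sent to


# Constructed sample telemetry: "time process query resolver", whitespace
# separated. 10.0.0.53 stands for the organisation's own resolver; the
# TEST-NET addresses stand for NameCoin DNS servers the sample picked.
SAMPLE_LOG = """\
2018-03-07T10:01:02Z explorer.exe     update.example.com   10.0.0.53
2018-03-07T10:01:05Z explorer.exe     www.example.com      10.0.0.53
2018-03-07T10:01:09Z explorer.exe     cc-one.bit           198.51.100.7
2018-03-07T10:01:10Z explorer.exe     cc-one.bit           203.0.113.21
2018-03-07T10:02:30Z outlook.exe      mail.example.com     10.0.0.53
2018-03-07T10:03:11Z explorer.exe     cc-two.bit           198.51.100.7
2018-03-07T10:05:00Z other_sample.exe cc-three.bit         198.51.100.7
"""

# Resolvers the organisation actually configures (assumption for the example).
APPROVED_RESOLVERS: Set[str] = {"10.0.0.53"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text: str) -> List[DnsEvent]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events: List[DnsEvent] = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(DnsEvent(*match.groups()))
    return events


def is_namecoin_name(name: str) -> bool:
    """True for names under the .bit pseudo-TLD that NameCoin serves
    (a trailing dot and mixed case are tolerated)."""
    return name.lower().rstrip(".").endswith(".bit")


def hunt_namecoin(events: List[DnsEvent], approved: Set[str]) -> Dict[str, object]:
    """Return the two hunting pivots:
    - "bit_queries": every .bit lookup, in log order
    - "unapproved_resolvers": resolver -> set of processes that used it, for
      resolvers outside the approved set, so other samples that talk to the
      same NameCoin servers surface alongside the one under investigation."""
    bit_queries = [e for e in events if is_namecoin_name(e.query)]
    users_by_resolver: Dict[str, Set[str]] = {}
    for e in events:
        if e.resolver not in approved:
            users_by_resolver.setdefault(e.resolver, set()).add(e.process)
    return {"bit_queries": bit_queries, "unapproved_resolvers": users_by_resolver}


if __name__ == "__main__":
    result = hunt_namecoin(parse_dns_log(SAMPLE_LOG), APPROVED_RESOLVERS)
    for e in result["bit_queries"]:
        print(f".bit lookup: {e.process} -> {e.query} via {e.resolver}")
    for resolver, procs in sorted(result["unapproved_resolvers"].items()):
        print(f"unapproved resolver {resolver} used by {sorted(procs)}")
```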


Dofoil is a very evasive malware. It has various system environment checks and tests Internet connectivity to make sure it runs on real machines, not in analysis environments or virtual machines. This can make the analysis time-consuming and can mislead malware analysis systems.

In attacks like the Dofoil outbreak, Windows Defender Advanced Threat Protection (Windows Defender ATP) can help network defenders analyze the timeline from the victim machine and get rich information on process execution flow, C&C connections, and process hollowing activities. Windows Defender ATP can be used as an analysis platform with fine-tuned visibility into system activities when set up in a lab environment. This can save time and resources during malware investigation.

In addition, Windows Defender Exploit Guard can be useful in finding malicious shellcodes that traverse export address tables. Windows Defender Exploit Guard can be an excellent tool for finding and blocking malware and exploit activities.

Windows Defender Exploit Guard events are surfaced in the Windows Defender ATP portal, which integrates protections from other Microsoft solutions, including Windows Defender AV and Windows Defender Application Guard. This integrated security management experience makes Windows Defender ATP a comprehensive solution for detecting and responding to a wide range of malicious activities across the network.

Windows 10 S, a special configuration of Windows 10, locks down devices against Dofoil and other attacks by working exclusively with apps from the Microsoft Store and using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common malware entry points.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.



Matt Oh, Stefan Sellmer, Jonathan Bar Or, Mark Wodrich
Windows Defender ATP Research






Take these steps to stay safe from counterfeit software and fraudulent subscriptions

This post is authored by Matt Lundy, Assistant General Counsel, Microsoft.

Software piracy and fraudulent subscriptions are serious, industry-wide problems affecting consumers and organizations around the world.

In 2016, 39 percent of all software installed on computers was not properly licensed, according to a survey conducted by BSA and The Software Alliance. And each year, tens of thousands of people report to Microsoft that they bought software that they later learned was counterfeit.

What can appear to be a too-good-to-be-true deal for a reputable software program can in fact be a counterfeit copy or a fraudulent subscription. In many cases, such illegitimate software downloads may also be riddled with malware including computer viruses, Trojan horses, spyware, or even botware, designed to damage your computer, destroy your data, compromise your security, or steal your identity. And in the world of cloud computing, where many applications are often delivered as a subscription service, consumers could be unwittingly sending payments to cybercriminals, unaware that cybercriminals selling fraudulent subscriptions will not provide needed administrative support.

Curbing the proliferation of software piracy

Cybercriminals are always looking for ways to trick consumers, and the outcome can be costly. According to a report released by the Ponemon Institute in 2017, the average cost of cybercrime globally climbed to $11.7M per organization, a staggering 62 percent increase over the last five years. And a recent Juniper Research report, Cybercrime & the Internet of Threats 2017, states that "the estimated cost to the global economy as a result of cybercrime is projected to be $8 trillion by 2022."

How do cybercriminals deceive consumers? There are many ways. One common technique is to set up a fake website that falsely claims the software subscriptions or copies offered for sale on the site are legitimate. Sophisticated cybercriminals go to great lengths to make their websites look authentic to trick consumers into buying fraudulent subscriptions or counterfeit software.

For decades, through partnerships with industry, governments, and other agencies, Microsoft has been working to fight software counterfeiting and to protect consumers from the dangers posed by this and other types of cybercrime. Today, Microsoft's Digital Crimes Unit (DCU), a unique group of cybercrime-fighting investigators, analysts, and lawyers, works globally to detect and prevent fraud targeting our customers. Our priority is to protect our customers and help create a secure experience for everyone. One of the key ways we do this is to work with law enforcement and other organizations to bring the perpetrators of cybercrime to justice.

In addition to the innovative technology and legal strategies that the Microsoft DCU uses to combat counterfeit products and fraudulent subscriptions globally, the company also aims to raise awareness of this issue among consumers and help protect them from the risks associated with counterfeit software and fraudulent subscriptions.

Protect yourself from software piracy and fraud

While software companies and law enforcement are working to curb cybercriminals' ability to counterfeit and sell software and services, consumers can help protect themselves by remaining vigilant and only purchasing through legitimate sources. In addition, if you do come across illegitimate sources or you discover you have inadvertently purchased suspect counterfeit Microsoft software, report your experiences to Microsoft.

Here are a few useful Microsoft resources to help you protect yourself from inadvertently purchasing counterfeit software or fraudulent software subscriptions as well as resources in case you think you may have done so:



Working towards a more diverse future in security

March 28th, 2018

Last year I embarked on an exercise to examine diversity in cybersecurity. As one full year has passed, I decided to revisit this topic and the ongoing challenges of recruiting AND retaining diverse talent in the cybersecurity field. This past year saw the #MeToo movement in the spotlight, and while women's issues were brought to the forefront, there are still opportunities to improve. I want to share new learnings based on my experiences this year and as an update to my earlier post, How to solve the diversity problem in security.

Two personal interactions that are top of mind reinforced my belief there is much work to be done. If you follow me on Twitter (@ajohnsocyber) I commented on both at the time they occurred. In one instance, I was interviewing a candidate for a role in my organization. We were discussing MFA, and he felt the need to stop me, educate and inform me of the error of my thinking. I don't claim to be a subject matter expert about all topics related to cybersecurity, no one could be, but I know a fair bit about MFA. His dismissive tone and attitude certainly did not set the right tone of an interview. The second incident occurred whilst I was presenting to a large group of customers. A male colleague interrupted me to say, "What she meant to say was..." Actually, what I meant to say was exactly what I said, but thank you for that moment of classic mansplaining. You see, no matter your rank, role, position or expertise, there are still those who choose to minimize your knowledge, expertise or experience. While I cannot definitively say these two incidents occurred because I am a woman, I can tell you the candidate feedback from male interviewees was not the same, and the man in question did not interrupt male speakers at the same event where he interrupted me.

So, as I revisit this blog post for 2018, I also want to highlight some really positive events of the past 12 months. Microsoft believes in diversity 365 days a year, and we demonstrate it with solid actions. I am inspired not only by the women leaders in our organization, but also by our strong male allies who advocate for recruiting and promoting diverse talent. We simply cannot accomplish this work without the support of male allies. I am fortunate, at Microsoft, to actively and frequently work with a large group of well-known security professionals including many talented women. I look forward to meeting and working with many more who are surely part of this company now or who will be compelled to join. We continue to invest in talent that challenges the way we think, talent that changes the organization, talent that truly embraces the "learn it all, not know it all" culture our CEO Satya Nadella has built.

So, whilst as an industry we have a long road ahead of us to fully embrace diversity, we have planted the seeds. In my thirty years in tech, I have never felt the energy or seen this level of commitment and passion toward inclusion. I am proud to be part of the solution and fully committed to helping steer the ship.


Filling the gaps in international law is essential to making cyberspace a safer place

March 27th, 2018

A month ago, on the sidelines of the Munich Security Conference, Microsoft organized an expert workshop to discuss gaps in international law as it applies to cyberspace. We were fortunate enough to bring together twenty leading stakeholders, including international legal experts, United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE) delegates, diplomats, and non-governmental organizations (NGOs). Together, we looked at the current situation in cybersecurity norms and international law, and we discussed possible paths forward. What emerged was a significant consensus on both the need to restructure cybersecurity discussions globally and the necessity of implementing the 2015 UNGGE report.

Gaps in international law were the focus for discussion and, although there were several areas of concern that were identified on the basis of recent cyberattacks, the most significant challenge was seen as being structural: the lack of an international organization or other venue for addressing the cyber threat landscape of today and tomorrow.

The challenge of the cyber threat landscape is not simply that it is always evolving, nor that it is continually extending its reach into the day-to-day existence of citizens, businesses, and governments. The greatest challenge is that when it comes to dealing with cyber threats the world currently lacks:

  • A place where victims of nation-state or state-sponsored cyberattacks are able to go to get help after an incident has occurred;
  • A standing body or registry that enables ongoing learning about the known threats to people and infrastructure, as well as their corresponding responses;
  • A common basis for judging not just if international law has been violated but how;
  • A consistent basis for the use of international law in prevention of cyberattacks and for enforcement of law following such attacks.

In other words, the world lacks a common space for finding out the facts about cyberattacks, for learning from others, for interpreting laws and for agreeing who did what to whom. That last point, the attribution of responsibility for cyberattacks, fundamentally underpins the concept of applying international law to cyberspace: if we cannot know who is responsible for a cyberattack we cannot hold them to account.

It may be unrealistic to expect a single silver-bullet organization for all aspects of the problem. Nonetheless, many at the workshop and, indeed, across the Munich Security Conference agreed in broad terms that not having some kind of international, non-governmental platform focused on cyberspace (enabling best practice, exchanging information, examining the forensics around attacks) will undermine future efforts to protect civilians in cyberspace.

Certainly, there are other things that also need to be done to protect civilians and civilian infrastructure from cyberattack by states. Rolling out the norms of state behavior proposed by the 2015 UNGGE is one such thing, because it will help governments manage the realpolitik of holding each other to account. The recent case of Sergei Skripal shows that even when there is a will to act, the options for constraining a sovereign state are comparatively limited. Even an incremental improvement in state behavior in cyberspace through applying the 2015 UNGGE suggestions would therefore be a positive step. After all, today states are choosing not to invoke international law following cyberattacks, perhaps because there is uncertainty about those laws or perhaps because there is a belief that doing so will neither prevent future attacks nor result in any kind of remediation.

The workshop was a very valuable opportunity for Microsoft, and for me personally. By bringing governments, civil society, technical experts and business people together, it fostered exactly the kind of multi-stakeholder discussion that the future of cyberspace depends upon. The outputs of that discussion, especially the general view that a non-governmental international organization is needed, are something that my colleagues and I will certainly look to build on in the coming months. Furthermore, I am hopeful that such an organization will emerge, with time, and that there will be a genuine interest and impetus amongst the public and private sectors to use it. If they do so, they will help to make international law stronger in cyberspace, even in the face of state-sponsored cyberattacks. If that happens then the world will have taken an important step towards making cyberspace a safer and more stable place.

Categories: Uncategorized Tags:

Why Windows Defender Antivirus is the most deployed in the enterprise

Statistics about the success and sophistication of malware can be daunting, and the following figure is no different: approximately 96% of all malware is polymorphic, meaning that it is seen by only a single user and device before it is replaced with yet another variant. This is because in most cases malware is caught nearly as fast as it is created, so malware authors continually evolve their code to try to stay ahead. Data like this hammers home how important it is to have security solutions in place that are as agile and innovative as the attacks.

The type of security solution needed has a complex job: It must protect users from hundreds of thousands of new threats every day and then it must learn and grow to stay ahead of the next wave of attacks. The solution cannot just react to the latest threats; it must be able to predict and prevent malware infections.

Over the last year, we've talked about how we're investing in new innovations to address this challenging threat landscape, what we've delivered, and how it will change the dynamics. Today, I want to share the results of our new antivirus capabilities in Windows Defender Advanced Threat Protection (ATP), results that will directly benefit the work you are doing.

Currently, our antivirus capabilities on Windows 10 are repeatedly earning top scores on independent tests, often outperforming the competition. This performance is the result of a complete redesign of our security solution.

What's more, this same technology is available for our Windows 7 customers as well, so that they can remain secure during their transition to Windows 10.

It started back in 2015

We've been working to make our antivirus capabilities increasingly effective, and in 2015 our results in two major independent tests (AV-Comparatives and AV-TEST) began to improve dramatically. As you can see in the chart below, beginning in March 2015 our scores on AV-TEST began to rise rapidly, and over the course of the next five months we moved from scores averaging 85% on their Prevalence Test to (or near) 100%. Since then, we've maintained those scores consistently. Our scores on AV-Comparatives showed a very similar spike, trajectory, and results.

In December 2017, we reached another milestone on AV-TEST, where we achieved a perfect score across both the Prevalence and Real-World based tests. Previously we had only scored a perfect 100% on one of the two tests for a given month. The following chart from the AV-TEST site shows our scores from November and December 2017 on Windows 7. These same scores are also applicable to Windows 10, which shares the same technology (and more).

For AV-Comparatives, we recently achieved another important quality milestone: For five consecutive months we detected all malware samples. Our previous best was four consecutive months. The AV-Comparatives chart below shows our February 2018 results where we scored a perfect 100% block rate.

While independent antivirus tests are one indicator of a security solution's capabilities and protections, it's important to understand that they are only one part of a complete quality assessment.

For example, in the case of Windows Defender ATP (which integrates our antivirus capabilities and the whole Windows security stack), our customers have a much larger set of protection features, none of which are factored into the tests. These features provide additional layers of protection that help prevent malware from getting onto devices in the first place. These features include the following:

If organizations like AV-Comparatives and AV-TEST performed complete security stack tests (that is, tests against the complete endpoint protection solution), the results would often tell a very different story. For example, in November we scored 98.9% on the Real-World test because of a single missed file; we would have scored 100% if either Windows Defender Application Guard or Windows Defender Application Control had been enabled.

How did we achieve these results?

The short answer is that we completely redesigned our antivirus solution for both Windows 7 and Windows 10 from the ground up.

To do this, we moved away from a static, signature-based engine that couldn't scale because it depended on constant input from researchers. We've now moved to a model that uses predictive technologies, machine learning, applied science, and artificial intelligence to detect and stop malware at first sight. We described the use of these technologies in our recent posts on Emotet and BadRabbit, as well as on the recent Dofoil outbreak. These are the types of approaches that can be very successful against the ongoing avalanche of malware threats.

Because of these changes, our antivirus solution can now block malware using local and cloud-based machine learning models, combined with behavior, heuristic, and generic-based detections on the client. We can block nearly all of it at first sight and in milliseconds!

This is incredible.

We've also designed our antivirus solution to work in both online and offline scenarios. When connected to the cloud, it's fed real-time intelligence from the Intelligent Security Graph. For offline scenarios, the latest dynamic intelligence from the Graph is provisioned to the endpoint regularly throughout the day.

We've also built our solution to defend against the new wave of attacks that use fileless techniques, such as Petya and WannaCry. To read more about how we protect against these attacks, check out the blog post Now you see me: Exposing fileless malware.

What this means to you

Each of these milestones is great, but the thing that makes us the most excited here at Microsoft is very simple: Customer adoption.

Right now, we are seeing big growth in enterprise environments across all of our platforms:

  • 18% of Windows 7 and Windows 8 devices are using our antivirus solution
  • Over 50% of Windows 10 devices are using our antivirus solution

These are awesome numbers and proof that customers trust Windows security. What we are seeing is that as organizations move to Windows 10 they are also moving to our antivirus as their preferred solution. With our antivirus solution in use on more than 50 percent of the Windows 10 PCs deployed in commercial organizations, it is now the most commonly used antivirus solution in commercial organizations on that platform. This usage spans commercial customers of all sizes, from small and medium-sized businesses to the largest enterprise organizations.

Over the past couple of months I've shared this data with multiple customers, and often I'm asked why we've seen such a positive increase. The answer is simple:

  1. Our antivirus capabilities are a fantastic solution! The test results above really speak for themselves. With five months of top scores that beat some of our biggest competitors, you can be confident that our solution can protect you from the most advanced threats.
  2. Our solution is both easier and operationally cheaper to maintain than others. Most enterprise customers use Config Manager for PC management of Windows 7 and Windows 10 security features, including antivirus. With Windows 10, the antivirus capabilities are built directly into the operating system and there's nothing to deploy. Windows 7 didn't include antivirus capabilities by default, but they can be deployed and configured in Config Manager. Now organizations do not have to maintain two infrastructures, one for PC management and another for antivirus. Several years ago, our Microsoft IT department retired the separate global infrastructure that was used to manage Microsoft's antivirus solution, and now you can too! With our solution there's less to maintain and secure.
  3. Our solution enables IT to be more agile. On Windows 10 there's no agent; security is built into the platform. When a new update of Windows 10 is released, you don't need to wait for a third party to certify and support it; instead, you have full support and compatibility on day one. This means that new releases of Windows and all the latest security technologies can be deployed faster. This allows you to get current, stay current, and be more secure.
  4. Our solution offers a better user experience. It's designed to work behind the scenes in a way that is unobtrusive to end users and minimizes power consumption. This means longer battery life, and everyone wants more battery life!

While weve made excellent progress with our antivirus solution, Im even more excited about the protection and management capabilities we will deliver to our customers in the near future. In the meantime, one of the best ways to evaluate our antivirus capabilities is when you run it with Windows Defender ATP. With Windows Defender ATP, the power of the Windows security stack provides preventative protection, detects attacks and zero-day exploits, and gives you centralized management for your end-to-end security lifecycle.

Sign up to try Windows Defender ATP for yourself!


Accelerate your security deployment with FastTrack for Microsoft 365

This blog is part of a series that responds to common questions we receive from customers about Microsoft 365 Security and Enterprise Mobility + Security. In this series you'll find context, answers, and guidance for deployment and for driving adoption within your organization. In part one of this series, we outlined Tips for getting started on your security deployment.

Microsoft has a service designed specifically to help you deploy and drive adoption of Microsoft Security across your organization: FastTrack for Microsoft 365.

FastTrack is included with your subscription and gives you access to Microsoft engineers and managers in 13 different languages to support your deployments. With more than 40,000 new customers deployed, FastTrack has experience and best practices that can really help make your deployment smoother, as our customer success stories attest. FastTrack follows a proven and highly recommended model, comprised of stages for envisioning, deploying and driving adoption, that can be applied at any point of your deployment journey.

FastTrack also has a track record of success with customers:

  • 38 percent reduction in time to onboard
  • 3.5x increase in active usage
  • 67 percent increase in satisfaction

We saw what Microsoft was putting into Intune and saw that it could protect our data while helping us remain productive, and that it would grow with our future needs. And the other thing was the magnitude of positive experience and support from the FastTrack Center.
– Willem Bagchus: Messaging and Collaboration Specialist, United Bank


We’re thrilled with what we are hearing from customers and learning through FastTrack. Here’s a sampling of some of the best practices FastTrack has developed for driving a successful deployment of Microsoft Security:

  1. Take time at the outset to envision your success: Know your goals and key scenarios you want to enable, familiarize yourself with the products, map key stakeholders, and influencers, tackle quick wins, build a communications plan, and remember the end user.
  2. Deploy and realize your vision thoughtfully: Test and pilot thoroughly, have a migration strategy, and get experts to help with the tough questions.
  3. Drive adoption across your organization with great communications: Hold launch events, provide trainings, encourage ongoing engagement and thoroughly communicate the changes (and how users can get started) through assets like an FAQ, posters, brown bags, etc.

Of course, there are far too many tips, nuances, and best practices to list here; you'll get far more when you reach out to the FastTrack team directly.

To recap, Microsoft 365 Security, including Office 365, Windows 10 and EMS, is a critical part of your organizational security strategy and FastTrack for Microsoft 365 provides the optimum deployment and adoption support. Get started on your journey today with a request for assistance from the FastTrack security page.

Categories: Uncategorized Tags:

Microsoft Security Intelligence Report volume 23 is now available

As security incidents and events keep making headlines, Microsoft is committed to helping our customers and the rest of the security community to make sense of the risks and offer recommendations. Old and new malware continues to get propagated through massive botnets, attackers are increasing focus on easier attack methods such as phishing, and ransomware attacks have evolved to be more rapid and destructive. The latest Microsoft Security Intelligence Report, which is now available for download at www.microsoft.com/sir, dives deep into each of these key themes and offers insight into additional threat intelligence.

The report, which is based on Microsoft's analysis of on-premises systems and cloud services, focuses on threat trends since February 2017. Anonymized data for the report comes from consumer and commercial on-premises systems and cloud services that Microsoft operates on a global scale, such as Windows, Bing, Office 365, and Azure. At Microsoft, we have massive depth and breadth of intelligence. Across these services, each month we scan 400 billion email messages for phishing and malware, process 450 billion authentications, execute more than 18 billion web page scans, and scan more than 1.2 billion devices for threats.

Here are three key themes from the report:

Botnets continue to impact millions of computers globally.
In November 2017, as part of a public/private global partnership, Microsoft disrupted the command-and-control infrastructure of one of the largest malware operations in the world, the Gamarue botnet. Microsoft analyzed over 44,000 malware samples, which uncovered the botnet's sprawling infrastructure, and discovered that Gamarue distributed over 80 different malware families. The top three malware classes distributed by the Gamarue botnet were ransomware, trojans, and backdoors. The disruption resulted in a 30% drop in infected devices in just a three-month period.

Easy-mark methods like phishing are commonly used by cybercriminals.
As software vendors incorporate stronger security measures into their products, it is becoming more expensive for attackers to successfully penetrate software. By contrast, it is easier and less costly to trick a user into clicking a malicious link or opening a phishing email. In 2017 we saw low-hanging-fruit methods such as phishing being used to trick users into handing over credentials and other sensitive information. In fact, phishing was the top threat vector for Office 365-based threats during the second half of 2017. Other low-hanging fruit for attackers are poorly secured cloud apps: in our research, we found that 79% of SaaS storage apps and 86% of SaaS collaboration apps do not encrypt data both at rest and in transit.

Ransomware remains a force to be reckoned with.
Money is ultimately what drives cybercriminals, so extorting cryptocurrency and other payments by threatening potential victims with the loss of their data remains an attractive strategy. During 2017, three global ransomware outbreaks, WannaCrypt, Petya/NotPetya, and BadRabbit, affected corporate networks and impacted hospitals, transportation, and traffic systems. We found that the region with the greatest number of ransomware encounters was Asia. The ransomware attacks observed last year were very destructive and moved at an incredibly rapid pace. Because of their automated propagation techniques, they infected computers faster than any human could respond, and they left most victims without access to their files indefinitely.

A key insight in the report is that these threats are interrelated. For example, ransomware was one of the most prominent types of malware distributed by the Gamarue botnet. Another example is that cybercriminals are attempting to take advantage of legitimate platform features to attach a ‘weaponized’ document (for example, a Microsoft Office document) containing ransomware in a phishing email.

What can be done in the enterprise? Following standard information security practices, such as keeping software and security solutions up-to-date, is important. The proliferation of low-cost attack methods such as social engineering is a reminder of the importance of security awareness training for employees to keep them apprised of latest phishing techniques. The report covers more detailed recommendations.

Research and engineering teams from Windows Defender, Office, Azure, Bing, the Microsoft Digital Crimes Unit, and others generously contributed their findings and insights to this Security Intelligence Report. You can download it today at www.microsoft.com/sir.

Finally, tune into our webcast on April 10, 2018 at 10am PDT, Microsoft Security Intelligence Report Volume 23: Breaking Botnets and Wrestling Ransomware, where we'll do a deep dive on the insights from the Security Intelligence Report and discuss recommendations on how to protect your organization. Register today.

For our perspectives on additional trending threats and topics, check out the Microsoft Secure Blog, and the Microsoft Security site to learn about Microsoft’s enterprise cybersecurity solutions.

Categories: Uncategorized Tags:

Sharing research and discoveries at PWN2OWN

The annual PWN2OWN exploit contest at the CanSecWest conference in Vancouver, British Columbia, Canada, brings together some of the top security talent from across the globe in a friendly competition. For the participants, these events are a platform to demonstrate world-class skills and vie for significant cash prizes. For companies like Microsoft, where we have a large number of teams focused on security, contests like this provide an additional avenue for external input from researchers. It is this community collaboration that led us to partner with Trend Micro/ZDI to sponsor this year's contest.

Microsoft regularly leverages input from the community using programs such as bug bounties and the BlueHat prize in a relentless pursuit to improve the security of our products and expand our understanding of the latest threats.

Exploit contests are great opportunities because they allow Microsoft engineers to exchange ideas face-to-face with the community, including intricate details such as attack approaches, techniques used, and opportunities for improvement against similar attacks. While bug bounty programs focus on vulnerabilities, contests like PWN2OWN focus on exploit chains, which are typically only seen in real attacks. The opportunity to understand exploits without impact to customers is invaluable, and Microsoft has used it to drive security innovations into the platform and into products like Microsoft Edge. Microsoft sponsored several competition targets running the latest Windows Insider preview builds on Microsoft Surface devices to direct the community's attention to some of our most important areas. None of the competition targets running the latest Windows Insider preview were successfully exploited by contestants.

To demonstrate the effectiveness of this partnership, Microsoft provided an overview of some of the mitigations influenced by the offensive security research community in a recent Black Hat presentation.

These innovations include:

  • Windows Defender Application Guard, which uses virtualization-based security to protect against kernel-based sandbox attacks
  • Control Flow Guard (CFG) and Microsoft Edge's JIT and code integrity protection, which mitigate many of the common techniques leveraged in past competitions
  • Microsoft Edges improved sandbox, which reduces previous attack surface by 90%

We believe this engagement with researchers has resulted in durable, real-world protection for customers. As an example, Microsoft Edge has still not been impacted by a zero-day exploit in the wild. In addition, this years PWN2OWN entries were not able to escape the Windows Defender Application Guard isolation protection.

Engaging with the research community and creating platforms for transparent information sharing across the wider defender community is a key part of Microsofts strategy to keep customers safe. We will continue to push for deeper collaboration through future events and programs.

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Categories: cybersecurity, Windows, Windows 10 Tags:

Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak

On March 7, we reported that a massive Dofoil campaign attempted to install malicious cryptocurrency miners on hundreds of thousands of computers. Windows Defender Antivirus, with its behavior monitoring, machine learning technologies, and layered approach to security, detected and blocked the attack within milliseconds. Windows 10 S, a special configuration of Windows 10 providing Microsoft-verified security, was not vulnerable to this attack.

Immediately upon discovering the attack, we looked into the source of the huge volume of infection attempts. Traditionally, Dofoil (also known as Smoke Loader) is distributed in multiple ways, including spam email and exploit kits. In the outbreak, which began on March 6, a pattern stood out: most of the malicious files were written by a process called mediaget.exe.

This process belongs to MediaGet, a BitTorrent client that we classify as a potentially unwanted application (PUA). MediaGet is often used by people looking to download programs or media from websites with a dubious reputation. Downloading through peer-to-peer file-sharing apps like this can increase the risk of downloading malware.

During the outbreak, however, Dofoil didn't seem to be coming from torrent downloads, and we didn't see similar patterns in other file-sharing apps. The process mediaget.exe always wrote the Dofoil samples to the %TEMP% folder using the file name my.dat. The most common source of infection was the file %LOCALAPPDATA%\MediaGet2\mediaget.exe (SHA-1: 3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c).

Tracing the infection timeline

Our continued investigation on the Dofoil outbreak revealed that the March 6 campaign was a carefully planned attack with initial groundwork dating back to mid-February. To set the stage for the outbreak, attackers performed an update poisoning campaign that installed a trojanized version of MediaGet on computers. The following timeline shows the major events related to the Dofoil outbreak.

Figure 1. MediaGet-related malware outbreak timeline (all dates in UTC).

MediaGet update poisoning

The update poisoning campaign that eventually led to the outbreak is described in the following diagram. A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability.

Figure 2. Update poisoning flow

The malicious update process is recorded by Windows Defender ATP. The following alert process tree shows the original mediaget.exe dropping the poisoned signed update.exe.

Figure 3. Windows Defender ATP detection of malicious update process

Poisoned update.exe

The dropped update.exe is an InnoSetup self-extracting package that embeds a trojanized mediaget.exe. When run, it drops that unsigned, trojanized version of mediaget.exe onto the machine.

Figure 4. Certificate information of the poisoned update.exe

Update.exe is signed by a third-party developer company that has no connection to MediaGet and was probably itself a victim of this plot; it was code-signed with that unrelated certificate simply to pass the signature check that the original mediaget.exe performs on a downloaded update. The security-relevant point is what that check does and does not verify. The update code checks that the downloaded file carries a valid code signature and, if it does, that the file's hash matches a value retrieved from a hash server in the mediaget.com infrastructure. It does not verify who signed the file, so any validly signed binary satisfies the first test, and the hash it is compared against comes from the same infrastructure that serves the update. The figure below shows the code snippet that checks for a valid signature on the downloaded update.exe.

Figure 5. mediaget.exe update code
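The following is an added example, not MediaGet's code and not taken from the figure above: it writes the update-acceptance check as a policy function so that the weak variant ("is the file validly signed?") and a hardened variant ("is it validly signed by the publisher this client was built to trust?") can be run on the same inputs. The signature records are assumed to come from a platform verifier such as WinVerifyTrust or Get-AuthenticodeSignature and are constructed inline here; the signer subjects are those from the IOC table on this page, the thumbprint for update.exe is the one reported on this page, and the MediaGet publisher thumbprint is a hypothetical placeholder. The file bytes are stand-ins, and the hash server is modelled as returning the hash of whatever file it is asked about, because the page does not say how the hash check was passed.

```python
"""Added example (not MediaGet's code): update-acceptance policies compared.

Signature details are assumed to come from a platform verifier such as
WinVerifyTrust / Get-AuthenticodeSignature; records here are constructed.
"""
import hashlib
from typing import Callable, Dict, NamedTuple


class SignatureInfo(NamedTuple):
    status: str             # e.g. "Valid", "NotSigned", "HashMismatch"
    signer_subject: str     # subject of the leaf (signing) certificate
    signer_thumbprint: str  # SHA-1 thumbprint of that certificate, hex


# Hypothetical placeholder for the publisher certificate a client would embed
# at build time.  The page does not give MediaGet's real thumbprint.
PUBLISHER_THUMBPRINT = "00112233445566778899AABBCCDDEEFF00112233"
TRUSTED_THUMBPRINTS = frozenset({PUBLISHER_THUMBPRINT})

# Thumbprint reported on this page for the certificate that signed update.exe.
UPDATE_EXE_THUMBPRINT = "5022EFCA9E0A9022AB0CA6031A78F66528848568"


def weak_accept(sig: SignatureInfo, data: bytes, server_hash: str) -> bool:
    """Reproduces the check described above: any valid signature passes,
    then the file hash must equal the value fetched from the hash server."""
    return sig.status == "Valid" and hashlib.sha256(data).hexdigest() == server_hash


def pinned_accept(sig: SignatureInfo, data: bytes, server_hash: str) -> bool:
    """Hardened: the signature must be valid AND made by the expected publisher."""
    if sig.status != "Valid":
        return False
    if sig.signer_thumbprint.upper() not in TRUSTED_THUMBPRINTS:
        return False  # validly signed, but by somebody else: reject
    return hashlib.sha256(data).hexdigest() == server_hash


# Constructed candidates.  Signer subjects are the ones in the IOC table on
# this page; the file bytes are stand-ins, not the real binaries.
CANDIDATES: Dict[str, tuple] = {
    "genuine": (SignatureInfo("Valid", "GLOBAL MICROTRADING PTE. LTD.", PUBLISHER_THUMBPRINT),
                b"stand-in for a genuine mediaget update"),
    "poisoned": (SignatureInfo("Valid", "DEVELTEC SERVICES SA DE CV", UPDATE_EXE_THUMBPRINT),
                 b"stand-in for the trojanized update.exe"),
    "unsigned": (SignatureInfo("NotSigned", "", ""),
                 b"stand-in for an unsigned blob"),
}


def evaluate(policy: Callable[[SignatureInfo, bytes, str], bool]) -> Dict[str, bool]:
    """Run one policy over every candidate.  The hash server is modelled as
    returning the hash of whatever file is being served (the page says the
    value came from mediaget.com infrastructure), so it adds no independent
    evidence about who produced the file."""
    results = {}
    for name, (sig, data) in CANDIDATES.items():
        served_hash = hashlib.sha256(data).hexdigest()
        results[name] = policy(sig, data, served_hash)
    return results


if __name__ == "__main__":
    print("signed-by-anyone:", evaluate(weak_accept))
    print("pinned signer:   ", evaluate(pinned_accept))
```

Under the weak policy the poisoned update is accepted because its signature is perfectly valid; under the pinned policy it is rejected because the signer is not the expected publisher. In practice, pinning a single leaf thumbprint breaks at certificate renewal, so clients usually pin the subject together with the issuer chain or the public-key hash, keep a small allow-list with an expiry, and have the update manifest or hash signed with a key that is not held on the download host.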

Trojanized mediaget.exe

The trojanized mediaget.exe file, detected by Windows Defender AV as Trojan:Win32/Modimer.A, has the same functionality as the original one, but it is not signed and it carries additional backdoor functionality. This malicious binary has 98% similarity to the original, clean MediaGet binary. The following PE information shows the different PDB information and file path left in the executable.

Figure 6. PDB path comparison of signed and trojanized executable

When the malware starts, it builds a list of command-and-control (C&C) servers.

Figure 7. C&C server list

One notable detail about the embedded C&C list is that .bit is not an ICANN-sanctioned TLD; it is served by the NameCoin infrastructure. NameCoin is a distributed naming system built on a blockchain, and it provides domains that are registered anonymously. Since .bit domains can't be resolved by ordinary DNS servers, the malware embeds a list of 71 IPv4 addresses of DNS servers that resolve NameCoin names.

The malware then uses these NameCoin servers to perform DNS lookups of the .bit domains. From that point the names sit in the machine's DNS cache, and future lookups are answered from the cache without the NameCoin DNS servers having to be specified again, which also makes the client's DNS cache a useful artifact when investigating an affected host.
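The resolution pattern just described (a process asking resolvers of its own choosing for names under a TLD that ordinary DNS cannot serve) is something a SOC can look for in DNS client telemetry. Below is an added detection pass, not part of the original analysis: it parses DNS client log lines, flags .bit lookups, queries sent to resolvers outside the organisation's approved set, and lookups of known C&C hosts, then summarises the hits per machine. The log line format and the approved-resolver list are assumptions; the sample lines are constructed. goshan.online is the C&C host named later on this page; the .bit name in the sample is a placeholder, not a real indicator.

```python
"""Added example (not from the original analysis): DNS telemetry detection
for the NameCoin/.bit resolution pattern described above.  Log format,
resolver allow-list and sample lines are constructed assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class DnsEvent(NamedTuple):
    ts: str
    host: str
    image: str
    qname: str
    resolver: str


# Assumed line format: "<ts> host=<name> image=<process> qname=<fqdn> resolver=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+) "
    r"qname=(?P<qname>\S+) resolver=(?P<resolver>\S+)$"
)

# Assumption: the organisation's own resolvers.  A query to anything else means
# the process picked a resolver itself, which is exactly how the .bit lookups
# described above have to work.
APPROVED_RESOLVERS: Set[str] = {"10.0.0.53", "10.0.1.53"}
C2_WATCHLIST: Set[str] = {"goshan.online"}  # C&C host named on this page


def parse_line(line: str) -> Optional[DnsEvent]:
    m = LINE_RE.match(line.strip())
    return DnsEvent(**m.groupdict()) if m else None


def rules_for(ev: DnsEvent) -> List[str]:
    hits = []
    name = ev.qname.lower().rstrip(".")
    if name.endswith(".bit"):
        hits.append("namecoin_tld")          # cannot resolve via ordinary DNS
    if ev.resolver not in APPROVED_RESOLVERS:
        hits.append("unapproved_resolver")   # process-chosen resolver
    if any(name == d or name.endswith("." + d) for d in C2_WATCHLIST):
        hits.append("known_c2")
    return hits


def detect(lines) -> List[Tuple[str, DnsEvent]]:
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip it rather than crash the pipeline
        for rule in rules_for(ev):
            findings.append((rule, ev))
    return findings


def summarize(findings) -> Dict[str, Dict[str, Set[str]]]:
    """Per host: which rules fired and which process images were involved."""
    out = defaultdict(lambda: {"rules": set(), "images": set()})
    for rule, ev in findings:
        out[ev.host]["rules"].add(rule)
        out[ev.host]["images"].add(ev.image)
    return dict(out)


SAMPLE_LOG = [  # constructed sample telemetry
    "2018-03-06T08:12:01Z host=WS-042 image=mediaget.exe qname=placeholder-c2.bit resolver=203.0.113.7",
    "2018-03-06T08:12:02Z host=WS-042 image=mediaget.exe qname=goshan.online resolver=10.0.0.53",
    "2018-03-06T08:13:10Z host=WS-017 image=chrome.exe qname=www.microsoft.com resolver=10.0.0.53",
    "2018-03-06T08:14:44Z host=WS-099 image=nslookup.exe qname=intranet.example.com resolver=8.8.8.8",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, info in sorted(summarize(detect(SAMPLE_LOG)).items()):
        print(host, sorted(info["rules"]), sorted(info["images"]))
```

A host on which a single image trips both namecoin_tld and unapproved_resolver is the combination described above and deserves immediate triage; unapproved_resolver on its own (WS-099 in the sample) is lower confidence and is better used as a pivot. Because later lookups are served from the local cache, the DNS client cache of a suspect machine should be collected as well; it will show the .bit names even if the resolver traffic itself was not logged.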

The first contact to the C&C server starts one hour after the program starts.

Figure 8. C&C connection start timer

The malware picks one of the four C&C servers at random and resolves the address using NameCoin if its a .bit domain. It uses HTTP for command-and-control communication.

Figure 9. C&C server connection

The backdoor code collects system information and sends it to the C&C server in a POST request.

Figure 10. System information

The C&C server sends back various commands to the client. The following response shows the HASH, IDLE, and OK commands. The IDLE command makes the process wait a certain time, indicated in seconds (for example, 7200 seconds = 2 hours), before contacting C&C server again.

Figure 11. C&C commands

One of the backdoor commands is a RUN command that retrieves a URL from the C&C server command string. The malware then downloads a file from the URL, saves it as %TEMP%\my.dat, and runs it.

Figure 12. RUN command processing code

This RUN command was used for the distribution of the Dofoil malware starting March 1 and for the malware outbreak on March 6. The Windows Defender ATP alert process tree shows the malicious mediaget.exe communicating with goshan.online, one of the identified C&C servers. It then drops and runs my.dat (Dofoil), which eventually leads to the CoinMiner component.

Figure 13. Dofoil, CoinMiner download and execution flow

Figure 14. Windows Defender ATP alert process tree

The malware campaign used Dofoil to deliver CoinMiner, which attempted to use the victims computer resources to mine cryptocurrencies for the attackers. The Dofoil variant used in the attack showed advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Windows Defender ATP can detect these behaviors across the infection chain.

Figure 15. Windows Defender ATP detection for Dofoil's process hollowing behavior

We have shared details we uncovered in our investigation with MediaGets developers to aid in their analysis of the incident.

We have shared details of the malicious use of the code-signing certificate that signed update.exe (thumbprint: 5022EFCA9E0A9022AB0CA6031A78F66528848568) with the certificate owner.

Real-time defense against malware outbreaks

The Dofoil outbreak on March 6, which was built on prior groundwork, exemplifies the kind of multi-stage malware attacks that are fast becoming commonplace. Commodity cybercrime threats are adopting sophisticated methods that are traditionally associated with more advanced cyberattacks. Windows Defender Advanced Threat Protection (Windows Defender ATP) provides the suite of next-gen defenses that protect customers against a wide range of attacks in real time.

Windows Defender AV enterprise customers who have enabled the potentially unwanted application (PUA) protection feature were protected from the trojanized MediaGet software that was identified as the infection source of the March 6 outbreak.

Windows Defender AV protected customers from the Dofoil outbreak at the onset. Behavior-based detection technologies flagged Dofoils unusual persistence mechanism and immediately sent a signal to the cloud protection service, where multiple machine learning models blocked most instances at first sight.

In our in-depth analysis of the outbreak, we also demonstrated that the rich detection libraries in Windows Defender ATP flagged Dofoils malicious behaviors throughout the entire infection process. These behaviors include code injection, evasion methods, and dropping a coin mining component. Security operations can use Windows Defender ATP to detect and respond to outbreaks. Windows Defender ATP also integrates protections from Windows Defender AV, Windows Defender Exploit Guard, and Windows Defender Application Guard, providing a seamless security management experience.

For enhanced security against Dofoil and others similar coin miners, Microsoft recommends Windows 10 S. Windows 10 S exclusively runs apps from the Microsoft Store, effectively blocking malware and applications from unverified sources. Windows 10 S users were not affected by this Dofoil campaign.

Windows Defender Research

Indicators of compromise (IOCs)

File name | SHA-1 | Description | Signer | Signing date | Detection name
mediaget.exe | 1038d32974969a1cc7a79c3fc7b7a5ab8d14fd3e | Official mediaget.exe executable | GLOBAL MICROTRADING PTE. LTD. | 10/27/2017 2:04 PM | PUA:Win32/MediaGet
mediaget.exe | 4f31a397a0f2d8ba25fdfd76e0dfc6a0b30dabd5 | Official mediaget.exe executable | GLOBAL MICROTRADING PTE. LTD. | 10/18/2017 4:24 PM | PUA:Win32/MediaGet
update.exe | 513a1624b47a4bca15f2f32457153482bedda640 | Trojanized updater executable | DEVELTEC SERVICES SA DE CV | N/A | Trojan:Win32/Modimer.A
mediaget.exe | 3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c | Trojanized mediaget.exe executable | Not signed | N/A | Trojan:Win32/Modimer.A
my.dat | d84d6ec10694f76c56f6b7367ab56ea1f743d284 | Dropped malicious executable (Dofoil) | Not signed | N/A | TrojanDownloader:Win32/Dofoil.AB
wuauclt.exe | 88eba5d205d85c39ced484a3aa7241302fd815e3 | Dropped CoinMiner | Not signed | N/A | Trojan:Win32/CoinMiner.D
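The following is an added hunting script, not part of the original analysis: it walks a directory tree, hashes every regular file with SHA-1 and matches the digests against the indicators in the table above, and separately checks the two on-disk locations the analysis names (%LOCALAPPDATA%\MediaGet2\mediaget.exe and %TEMP%\my.dat). Matching is by content hash rather than by file name, because the dropped miner reused the name of the Windows Update client, wuauclt.exe, so a name-based search would both miss renamed copies and flag the legitimate binary. The demo tree, the stand-in file contents (and therefore their hashes) and the environment mapping are constructed; the real samples cannot be reproduced here, so the demo extends the indicator set with the hashes of the planted files.

```python
"""Added example (not from the page): offline IOC sweep for the Dofoil/
MediaGet indicators listed above.  Demo tree and file contents are
constructed stand-ins, not the real samples."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Mapping, NamedTuple, Tuple

# SHA-1 -> (file name seen in the campaign, detection name), from the IOC table.
IOCS: Dict[str, Tuple[str, str]] = {
    "1038d32974969a1cc7a79c3fc7b7a5ab8d14fd3e": ("mediaget.exe", "PUA:Win32/MediaGet"),
    "4f31a397a0f2d8ba25fdfd76e0dfc6a0b30dabd5": ("mediaget.exe", "PUA:Win32/MediaGet"),
    "513a1624b47a4bca15f2f32457153482bedda640": ("update.exe", "Trojan:Win32/Modimer.A"),
    "3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c": ("mediaget.exe", "Trojan:Win32/Modimer.A"),
    "d84d6ec10694f76c56f6b7367ab56ea1f743d284": ("my.dat", "TrojanDownloader:Win32/Dofoil.AB"),
    "88eba5d205d85c39ced484a3aa7241302fd815e3": ("wuauclt.exe", "Trojan:Win32/CoinMiner.D"),
}

# (environment variable, relative path) pairs named in the analysis above.
SUSPECT_PATHS: List[Tuple[str, str]] = [
    ("LOCALAPPDATA", "MediaGet2/mediaget.exe"),
    ("TEMP", "my.dat"),
]


class Finding(NamedTuple):
    path: str
    sha1: str
    expected_name: str
    detection: str
    name_matches: bool  # False means the sample was renamed on disk


def sha1_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, iocs: Mapping[str, Tuple[str, str]]) -> List[Finding]:
    """Hash every regular file under root and report content-hash matches."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        digest = sha1_of(p)
        hit = iocs.get(digest)
        if hit:
            expected_name, detection = hit
            findings.append(Finding(str(p), digest, expected_name, detection,
                                    p.name.lower() == expected_name.lower()))
    return findings


def triage_paths(env: Mapping[str, str]) -> List[Path]:
    """Return the suspect locations that exist, given an environment mapping
    (pass os.environ on a live host; a constructed mapping in the demo)."""
    present = []
    for var, rel in SUSPECT_PATHS:
        base = env.get(var)
        if base and (Path(base) / rel).is_file():
            present.append(Path(base) / rel)
    return present


def run_demo() -> dict:
    """Constructed scenario: plant harmless stand-in files in a temp tree and
    add their hashes to a copy of IOCS so the match logic can be exercised."""
    root = Path(tempfile.mkdtemp(prefix="dofoil_sweep_"))
    localappdata = root / "AppData" / "Local"
    temp = root / "Temp"
    (localappdata / "MediaGet2").mkdir(parents=True)
    temp.mkdir()
    trojan = localappdata / "MediaGet2" / "mediaget.exe"
    trojan.write_bytes(b"CONSTRUCTED stand-in for trojanized mediaget.exe\n")
    miner = temp / "svchost.exe"  # 'known' miner bytes under yet another borrowed name
    miner.write_bytes(b"CONSTRUCTED stand-in for the dropped CoinMiner\n")
    (root / "notes.txt").write_bytes(b"nothing to see here\n")

    demo_iocs = dict(IOCS)
    demo_iocs[sha1_of(trojan)] = ("mediaget.exe", "Trojan:Win32/Modimer.A")
    demo_iocs[sha1_of(miner)] = ("wuauclt.exe", "Trojan:Win32/CoinMiner.D")

    findings = sweep(root, demo_iocs)
    env = {"LOCALAPPDATA": str(localappdata), "TEMP": str(temp)}
    return {
        "detections": sorted(f.detection for f in findings),
        "renamed": sorted(Path(f.path).name for f in findings if not f.name_matches),
        "suspect_paths_present": [p.relative_to(root).as_posix() for p in triage_paths(env)],
        "real_ioc_hits": len(sweep(root, IOCS)),  # stand-ins never match the real hashes
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Against a real host, point sweep() at a mounted disk image or an exported profile directory and pass os.environ to triage_paths(); a Finding with name_matches set to False is the interesting case, since it means a known sample is present under a name the IOC table does not list.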

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.