Microsoft Office 365—Do you have a false sense of cloud security?

August 11th, 2020 No comments

Through difficult times, some adversaries will find opportunities, and COVID-19 has proven to be a ripe opportunity for them to target a new, expanding, remote workforce. While these threats morph and evolve, Microsoft’s Detection and Response Team (DART) finds ways to endure and help organizations become more resilient.

Cloud environments are continuously being put to the test during this challenging period. DART has seen various security configurations in our customers’ cloud tenants. The one commonality: administrators flip the switch on a few security tasks without genuinely understanding the process and procedures needed to ensure everything works as designed and consequently create gaps in defenses and opportunities for attackers to circumvent security controls. When it comes to defense-in-depth, these controls must work in concert with one another.

Three measures you should employ to improve the security of your cloud environment

This post describes three security measures you should employ for your Azure AD/Office 365 environment when first setting up a new tenant, or when tightening the reins on a well-established tenant.

  1. Create an emergency Global Administrator account.
  2. Enable Multi-factor Authentication (MFA).
  3. Block legacy authentication.

1. Create an emergency Global Administrator account

An emergency Global Administrator account, also known as a “Break Glass Account”, is critical to the overall security posture of your tenant, and it prevents you from being accidentally locked out of your Azure Active Directory (Azure AD). Think about the consequences of your administrators getting locked out; you cannot sign in, activate users, assign licenses, or validate the actions happening in your tenant. Emergency access accounts are highly privileged and not assigned to specific users. These accounts must be excluded from your current security controls, and must have compensatory controls. These controls might include the following:

  • Only allowing the “Break Glass Account” to log in from a particular IP address range.
  • Implementing detection controls like enhanced alerting and/or monitoring the use of these accounts.

Use of emergency access accounts should be limited to true emergencies, when standard administrative accounts cannot be used. For detailed information, please see https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access.

2. Enable Multi-Factor Authentication (MFA)

Enabling MFA seems straightforward, right? Sadly, even today, it isn’t. You enable the Conditional Access policy that requires MFA, but for the sake of convenience you permit exclusions to these policies, such as not requiring MFA for the Global Administrators or any of the other O365 workload (Exchange, SharePoint, OneDrive) Administrators, and you continue to allow Basic/Legacy Authentication. As a result, you now host an ineffective policy that puts your organization at tremendous risk. For detailed information, please see https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa.

Real-World Scenario—A large company enabled MFA for all global administrators. Unbeknownst to the rest of the team, a user modified the policy to exclude a global administrator account. This user’s act put the company at considerable risk; the account was eventually compromised using a trivial Password Spray attack. It is bad enough when a standard user with no elevated privileges is compromised; Global Administrator accounts have access to all of Azure AD and Office 365, so when this account was affected, the organization’s entire tenant was compromised. Monitoring and alerting for the implementation of persistence mechanisms, such as the creation of a new mailbox forwarding rule, would also have triggered a security alert and a full incident response investigation of the modified tenant. This incident could also have been easily avoided by merely monitoring and alerting for the creation of Global Administrator accounts and any changes to these accounts. The threat actor leveraged all these techniques to gain and maintain access to the organization’s tenant and to achieve their mission objective of data exposure and exfiltration.
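The scenario above names three events that should have raised an alert: a Conditional Access policy edit, a new Global Administrator, and a mailbox forwarding rule. As an added example (not code from the DART post), the detection logic below runs those three rules over a constructed sample of audit records; the record shape is a simplified version of Azure AD audit log and Exchange Online unified audit log exports, and every name, address and value in the sample is made up.

```python
"""Detect the three gaps from the scenario in a constructed audit log sample."""

GLOBAL_ADMIN_ROLE = "Global Administrator"
CA_POLICY_ACTIVITIES = {"Update conditional access policy", "Delete conditional access policy"}
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Inbox rule parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

# Constructed sample: Azure AD entries use activityDisplayName/initiatedBy/targetResources,
# Exchange Online entries use Operation/UserId/Parameters (simplified from real exports).
SAMPLE_AUDIT = [
    {"source": "AzureAD", "activityDisplayName": "Update conditional access policy",
     "initiatedBy": "dave@contoso.example",
     "targetResources": [{"displayName": "Require MFA for admins", "type": "Policy"}]},
    {"source": "AzureAD", "activityDisplayName": "Add member to role",
     "initiatedBy": "dave@contoso.example",
     "targetResources": [{"displayName": "eve@contoso.example", "type": "User",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": '"Global Administrator"'}]}]},
    {"source": "AzureAD", "activityDisplayName": "Add member to role",
     "initiatedBy": "dave@contoso.example",
     "targetResources": [{"displayName": "frank@contoso.example", "type": "User",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": '"Helpdesk Administrator"'}]}]},
    {"source": "ExchangeOnline", "Operation": "New-InboxRule", "UserId": "eve@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "collector@external-mailbox.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"source": "ExchangeOnline", "Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]


def _role_name(target):
    """Pull the role display name out of a target's modifiedProperties.
    Real exports JSON-encode newValue (quotes included), so strip them."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == "Role.DisplayName":
            return str(prop.get("newValue", "")).strip('"')
    return None


def detect(records):
    """Return one alert dict per matching record, in record order."""
    alerts = []
    for rec in records:
        if rec.get("source") == "AzureAD":
            activity = rec["activityDisplayName"]
            if activity in CA_POLICY_ACTIVITIES:
                alerts.append({"rule": "conditional_access_policy_changed", "severity": "high",
                               "actor": rec["initiatedBy"],
                               "target": rec["targetResources"][0]["displayName"]})
            elif activity == "Add member to role":
                for target in rec["targetResources"]:
                    if target.get("type") == "User" and _role_name(target) == GLOBAL_ADMIN_ROLE:
                        alerts.append({"rule": "global_admin_added", "severity": "high",
                                       "actor": rec["initiatedBy"],
                                       "target": target["displayName"]})
        elif rec.get("source") == "ExchangeOnline" and rec.get("Operation") in INBOX_RULE_OPS:
            params = {p["Name"]: p["Value"] for p in rec["Parameters"]}
            hits = sorted(FORWARDING_PARAMS & params.keys())
            if hits:
                alerts.append({"rule": "mailbox_forwarding_rule", "severity": "high",
                               "actor": rec["UserId"],
                               "target": ", ".join(params[h] for h in hits)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT):
        print(f'[{alert["severity"]}] {alert["rule"]}: {alert["actor"]} -> {alert["target"]}')
```

The Helpdesk Administrator addition and the move-to-folder rule deliberately produce no alert, so the rules fire on the privileged and forwarding cases only.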

3. Block Legacy Authentication

Legacy authentication refers to protocols that use basic authentication, such as Exchange Web Services (EWS), POP, SMTP, IMAP, and MAPI. These protocols cannot enforce any type of second-factor authentication (e.g., MFA), which makes them a popular entry point for bad actors. As such, for MFA to be useful, you also need to block legacy authentication.

There are still risks once you’ve disabled legacy authentication and enabled MFA. From an operational standpoint, understanding the implications of disabling legacy authentication is critical. You could disrupt essential workflows and break access for applications not written to support modern authentication (including dated Outlook clients).

So, what can you do? Identify which users and applications are currently using legacy authentication in your tenant via Azure AD Sign-in logs. Configure exclusions for applications that cannot be modified to support modern authentication. Also, ensure you configure the policies granularly for more robust security configurations, such as only allowing specific users and a particular IP range to use legacy authentication. This way, you can make access to legacy authentication more stringent where you must use it, and you can block legacy authentication in other scenarios. Configure your conditional access policy to be in a report-only mode to ensure you understand what will happen when you flip on the policy. For more information, please see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication.
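The steps above (find who still uses legacy authentication, scope exclusions to specific users and an IP range, and run the policy in report-only mode first) can be rehearsed offline. This added example, which is not code from the DART post, does that over a constructed sample of sign-in log records; the field names follow the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, clientAppUsed, ipAddress), the clientAppUsed strings are a subset of the values Azure AD reports, and the users, addresses and IP range are made up.

```python
"""Report-only evaluation of a 'block legacy authentication' policy over sample sign-ins."""
import ipaddress
from collections import Counter, defaultdict

# clientAppUsed values Azure AD reports for basic-auth protocols (subset; check your export).
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3",
    "Authenticated SMTP", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Other clients",
}

# Constructed sign-in sample in the shape of an Azure AD sign-in log export.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.77"},
    {"userPrincipalName": "scanner-svc@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "203.0.113.25"},
    {"userPrincipalName": "scanner-svc@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "198.51.100.9"},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync", "ipAddress": "203.0.113.40"},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.40"},
]


def legacy_auth_usage(signins):
    """Step 1: which users still sign in over legacy protocols, and with what.
    Returns {userPrincipalName: Counter({clientAppUsed: count})} for legacy sign-ins only."""
    usage = defaultdict(Counter)
    for s in signins:
        if s["clientAppUsed"] in LEGACY_CLIENT_APPS:
            usage[s["userPrincipalName"]][s["clientAppUsed"]] += 1
    return dict(usage)


def evaluate_block_policy(signins, excluded_users=(), allowed_ip_ranges=()):
    """Step 2: report-only evaluation of a block policy with granular exclusions.
    A legacy sign-in is allowed only when the user is excluded AND the source IP is
    inside an allowed range; any other legacy sign-in would be blocked. Modern-auth
    sign-ins are out of scope for this policy. Returns the records with a verdict."""
    nets = [ipaddress.ip_network(r) for r in allowed_ip_ranges]
    excluded = set(excluded_users)
    verdicts = []
    for s in signins:
        if s["clientAppUsed"] not in LEGACY_CLIENT_APPS:
            verdict = "not_in_scope"
        else:
            ip = ipaddress.ip_address(s["ipAddress"])
            in_range = any(ip in net for net in nets)
            verdict = "allowed" if (s["userPrincipalName"] in excluded and in_range) else "would_block"
        verdicts.append({**s, "verdict": verdict})
    return verdicts


def summarize(verdicts):
    """Count verdicts, i.e. what report-only mode would show before the policy is enforced."""
    return Counter(v["verdict"] for v in verdicts)


if __name__ == "__main__":
    for user, apps in legacy_auth_usage(SAMPLE_SIGNINS).items():
        print(user, dict(apps))
    results = evaluate_block_policy(SAMPLE_SIGNINS,
                                    excluded_users=["scanner-svc@contoso.example"],
                                    allowed_ip_ranges=["203.0.113.0/24"])
    for r in results:
        print(r["verdict"], r["userPrincipalName"], r["clientAppUsed"], r["ipAddress"])
    print(dict(summarize(results)))
```

Note that the excluded service account is still blocked when it signs in from outside the allowed range, which is the "more stringent where you must use it" behaviour the text describes.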

Bricks laid, next: the mortar

There is a multitude of adversary tactics and techniques for the infiltration of a cloud environment. Based on DART’s observations from the frontlines, implementing these three security controls will help ensure the front and back doors to your organization’s cloud environment remain locked. DART recommends assessing these vulnerability points regularly so that when a real threat strikes, your defense-in-depth approach of technical controls, detection-in-depth, and monitoring and alerts will prepare your staff to jump into action quickly.

In an upcoming blog post, we’ll dive into what we like to call the “Easy Button” approach to security defaults. These pre-configured security settings help defend your organization against frequent identity-related attacks, such as password spray, replay, and phishing, and provide additional mortar towards the security foundation of your cloud environment.

Want to learn more about DART (Detection and Response Team)? Read our past blog posts here.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Office 365—Do you have a false sense of cloud security? appeared first on Microsoft Security.

How to organize your security team: The evolution of cybersecurity roles and responsibilities

August 6th, 2020 No comments

Digital transformation, cloud computing, and a sophisticated threat landscape are forcing everyone to rethink the functions of each role on their security teams, from Chief Information Security Officers (CISOs) to practitioners.

With billions of people around the globe working from home, changes to the daily practice of cybersecurity are accelerating. Organizations are shifting from defending a traditional network perimeter (keeping business assets in a safe place) to more effective zero trust strategies (protect users, data, and business assets where they are). This transformation brings technology changes and also opens up questions of what people’s roles and responsibilities will look like in this new world.

At the same time, continuous delivery models are requiring security teams to engage more closely during business planning and application development to effectively manage cyber risks (vs. the traditional ‘arms-length’ security approaches). This requires security professionals to better understand the business context and to collaborate more closely with stakeholders outside of security.

In this new world, traditional job descriptions and security tools won’t set your team up for success. Leaders must create role clarity in this transformation to help their teams navigate uncertainty. This will reduce distractions and stress, as well as help people focus on the important tasks that make the whole team shine.

While each organization and each person will have a unique journey, we have seen common patterns for successfully transforming roles and responsibilities. To help security leaders and practitioners plan for this transformation, Microsoft has defined common security functions, how they are evolving, and key relationships. In this blog, we’ll provide a summary of our recommendations to help you get started.

Security roles must evolve to confront today’s challenges

Security functions represent the human portion of a cybersecurity system. They are the tasks and duties that members of your team perform to help secure the organization. Depending on your company size and culture, individuals may be responsible for a single function or multiple functions; in some cases, multiple people might be assigned to a single function as a team.

High performing security teams understand their individual roles, but also see themselves as a larger team working together to defend against adversaries (see Figure 1). The following functions represent a fully populated enterprise security team, which may be aspirational for some organizations. Organizations often need to prioritize where to invest first based on their risk profile, available resources, and needs.

Figure 1: Each function works as part of a whole security team within the organization, which is part of a larger security community defending against the same adversaries.

Policy and standards

This team develops, approves, and publishes security policy and standards to guide security decisions within the organization and inspire change. This team must take into account cloud platforms, DevOps processes and tools, and relevant regulations, among other factors. Read more about security policy and standards function.

Security operations center (SOC)

A security operations center (SOC) detects, responds to, and remediates active attacks on enterprise assets. SOCs are currently undergoing significant change, including an elevation of the function to business risk management, changes in the types of metrics tracked, new technologies, and a greater emphasis on threat hunting. Read more about the SOC function.

Security architecture

Security architecture translates the organization’s business and assurance goals into a security vision, providing documentation and diagrams to guide technical security decisions. A modern architecture function needs to consider continuous delivery, identity-centric security solutions for cloud assets, cloud-based security solutions, and more. Read more about the security architecture function.

Security compliance management

The objective of cloud security compliance management is to ensure that the organization is compliant with regulatory requirements and internal policies. As you modernize this function, consider the role that cloud providers play in compliance status, how you link compliance to risk management, and cloud-based compliance tools. Read more about the security compliance management function.

People security

People security protects the organization from inadvertent human mistakes and malicious insider actions. The cloud and changing threat landscape require this function to consider how to effectively engage employees in security, organizational culture change, and identification of insider threats. Read more about the people security function.

Application security and DevSecOps

The objective of application security and DevSecOps is to integrate security assurances into development processes and custom line of business applications.

Cloud services and APIs have enabled a faster delivery cadence and influenced the creation of the DevOps team model, driving a number of changes. The biggest change we see is the integration of security into the development process, which requires culture and process adjustments as each specialty adopts the best of the other’s culture. This function must also adopt an agile mindset and stay up to date on new tools and technologies. Read more about the application security and DevSecOps function.

Data security

The main objective for a data security team is to provide security protections and monitoring for sensitive enterprise data in any format or location. New regulations and data loss prevention models are influencing the evolution of this function, and the sheer volume of data being stored on numerous devices and cloud services has also had a significant impact. Read more about the data security function.

Infrastructure and endpoint security

The infrastructure and endpoint security function is responsible for security protection to the data center infrastructure, network components, and user endpoint devices. Software-defined datacenters and other cloud technologies are helping solve longstanding data center security challenges, and cloud services are transforming the security of user endpoint devices. Read more about the infrastructure and endpoint security function.

Identity and keys

The main objective of a security team working on identity management is to provide authentication and authorization of humans, services, devices, and applications. Key and certificate management provides secure distribution and access to key material for cryptographic operations (which often support similar outcomes as identity management).

One of the big changes is that identity and key/certificate management disciplines are coming closer together as they both provide assurances on the identity of entities and enable secure communications. This function also plays a significant role in modernizing security by establishing an identity-based perimeter that is a keystone of a zero-trust access control strategy. Read more about the identity and keys function.

Threat intelligence

Security threat intelligence provides context and actionable insights on active attacks and potential threats to empower organizational leaders and security teams to make better (data-driven) decisions. Threat intelligence usually grows from a technical scope into servicing the larger organization with strategic, tactical, and operational (technical) threat intelligence. Read more about the threat intelligence function.

Posture management

Posture management builds on existing functions like vulnerability management and focuses on continuously monitoring and improving the security posture of the organization. Posture management is typically one of the largest changes because it supports decisions in many other functions using information that only recently became available because of the heavy instrumentation of cloud technology. This function includes zero-trust based access controls, real-time risk scoring, threat and vulnerability management, and threat modeling, among others. Read more about the posture management function.

Incident preparation

The primary objective for the incident preparation function is to build process maturity and muscle memory for responding to major incidents throughout the organization, including security teams, executive leadership, and many others outside of security. These practice exercises have become powerful tools to ensure stakeholders are informed and familiar with their role in a major security incident. Read more about the incident preparation function.

Looking forward

In the beginning of the journey, clarity is critical to shine a light on the path forward and the journey ahead. As you walk the path, healthy doses of empathy and continuous learning are key to maintaining forward momentum. Organizations should invest in both formal training and supporting self-directed exploration to ensure people get the knowledge they need and have the confidence to take the risks required to transform.

In addition to the cloud security functions guidance, Microsoft has also invested in training and documentation to help with your journey—see the CISO Workshop, Microsoft Security Best Practices, recommendations for defining a security strategy, and the security documentation site.

The post How to organize your security team: The evolution of cybersecurity roles and responsibilities appeared first on Microsoft Security.

Zero Trust: From security option to business imperative overnight

August 6th, 2020 No comments

Not long ago when I spoke with customers about Zero Trust, our conversations focused on discussing the principles, defining scope, or sharing our own IT organization’s journey. Zero Trust was something interesting to learn about, and most organizations were very much in the exploratory phase. As COVID-19 forced organizations across the world to send their workforce home, organizations rapidly focused on Zero Trust approaches to alleviate challenges of enabling and securing remote work. Using Zero Trust to secure users, data, and devices (wherever they may be) has changed from optional to a business imperative overnight.

Companies found that traditional security models required bringing users and data to ‘safe’ network places, which doesn’t scale and doesn’t provide the needed visibility. Employees are getting their work done any way they can– using personal devices, sharing data through new services, and collaborating outside the confines of traditional protections of the corporate network. Earlier adopters of Zero Trust approaches were able to adapt quickly, but many others instantly faced an expanded attack surface area and new security challenges they were not fully prepared for.

At Microsoft, we have been helping customers navigate these challenges by sharing our learnings and building controls, tools, and practices to enable daily application of Zero Trust principles. We have been focusing on providing organization quick wins that close critical gaps today and laying a strong foundation of Zero Trust expertise and technology to build on in the future.

Today and in my presentation at Blackhat 2020, I’d like to share some insights we’ve learned through this journey to help you with yours:

1. Start with strong authentication

Many customers I meet with share that trying to figure out where to start their Zero Trust journey is a major challenge. I always recommend starting with multi-factor authentication (MFA). Verifying a user’s identity with strong authentication before granting them access to corporate resources is the most effective step to quickly improve security. Our studies have shown that accounts secured with MFA are 99.9% less likely to be compromised. Strong authentication not only strengthens your overall security posture and minimizes risk, it lays a strong foundation to build on—such as securely connecting employees to apps with single sign-on (SSO) experiences, controlling access to resources with adaptive access policies, and more.

2. Endpoint visibility is critical and getting more challenging

In a Zero Trust security model, we want to have visibility into any and all endpoints accessing the corporate network so we can only allow healthy and compliant devices to access corporate resources. Device security posture and compliance should be used in your access policies to restrict access from vulnerable and compromised devices. This not only helps strengthen security and minimize risk, but also enables you to improve your employees’ productivity by supporting more device types and experiences. In a recent Microsoft study, more than 50% of organizations reported seeing a greater variety of endpoint platforms because of supporting remote work.

3. Apps and data are primary attack surfaces

With employees increasingly accessing corporate data on new devices and collaborating in new ways, most security teams are seeing that their application and data security tools aren’t giving them the visibility and control they need. This de facto expansion of the enterprise attack surface makes it critical to discover the cloud apps in use, assess them for risk, and apply policy controls to ensure that data isn’t leaking through these applications. Finally, make sure the sensitive data in these apps is protected wherever it travels or lives by automatically classifying, labeling, and applying protection to files.

4. Integrated solutions are more critical than ever

CISOs reported in a recent Microsoft study that Threat Protection is now a higher priority for them. With an increasing attack surface area and velocity, integrated threat protection solutions can now share signals across detection, prevention, investigation, and response. While most organizations already use threat protection tools, most of those tools don’t share signals or support end-to-end workflows. Because most attacks involve multiple users, endpoints, apps, data, and networks, it’s imperative for tools to work together to deliver a streamlined experience and end-to-end automation. Look for opportunities to integrate your threat protection solutions to remove manual tasks, process friction, and the morale issues they generate.

5. Zero Trust improves end-user experience

Security leaders are often challenged to balance security and a more streamlined end-user experience. Fortunately, Zero Trust enables both at the same time because security is built around the users and business assets, rather than the other way around. Instead of users signing in multiple times, dealing with VPN bandwidth constraints, and working only from corporate devices, Zero Trust enables users to access their content and apps from virtually any device and location securely.

To listen to my presentation on Zero Trust at Blackhat, register here. Check out the Microsoft Zero Trust Maturity Model vision paper (click to download) detailing the core principles of Zero Trust, and our maturity model, which breaks down the top-level requirements across each of the six foundational elements.

We’re also publishing deployment guides for each of the foundational elements. Read the latest guides for Identities, Devices, and Networking. Look out for additional guides in the Microsoft Security blog.

Learn more about Zero Trust and Microsoft Security.

The post Zero Trust: From security option to business imperative overnight appeared first on Microsoft Security.

Afternoon Cyber Tea: Revisiting social engineering: The human threat to cybersecurity

August 5th, 2020 No comments

Most of us know ‘Improv’ through film, theatre, music or even live comedy. It may surprise you to learn that the skills required for improvisational performance art can also make you a good hacker. In cybersecurity, while quite a bit of focus is on the technology that our adversaries use, we must not forget that most cybersecurity attacks start with a non-technical, social engineering campaign—and they can be incredibly sophisticated. It is how attackers were able to pivot quickly and leverage COVID-themed lures to wreak havoc during the onset of the global pandemic. To dig into how social attacks like these are executed, and why they work time and again, I spoke with Rachel Tobac on a recent episode of Afternoon Cyber Tea with Ann Johnson.

Rachel Tobac is the CEO of SocialProof Security and a white-hat hacker who advises organizations on how to harden their defenses against social engineering. Her study of neuroscience and Improv has given her deep insight into how bad actors use social psychology to convince people to break policy. I really appreciate how she is able to break down the steps in a typical social engineering campaign to illustrate how people get tricked.

In our conversation, we also talked about why not all social engineering campaigns feel “phishy.” Hackers are so good at doing research and building rapport that the interaction often feels legitimate to their targets. However, there are techniques you can use, like multi-factor authentication and two-factor communication, to reduce your risk. We also discussed emerging threats, like deep fake videos, attacks on critical infrastructure, and how social engineering techniques could be used against driverless cars. To learn why you should take social engineering seriously and how to protect your organization, listen to Afternoon Cyber Tea with Ann Johnson: Revisiting social engineering: The human threat to cybersecurity on Apple Podcasts or Podcast One.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, Internet of Things (IoT), and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts — You can also download the episode by clicking the Episode Website link.
  • Podcast One — Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page — Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To find out more information on Microsoft Security Solutions visit our website. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Revisiting social engineering: The human threat to cybersecurity appeared first on Microsoft Security.

Associate Microsoft and Pradeo to manage and secure Android Enterprise mobile devices

August 5th, 2020 No comments

Want to learn more about how Android Enterprise works with existing mobility management and security solutions? This article explains how Android Enterprise fits into a standard mobile ecosystem made up of the Microsoft Endpoint Manager solution and Pradeo Security Mobile Threat Defense.

Android Enterprise arrived like a call to action in the era of mobility. Even though it has its roots in Android 5.0 (Lollipop), launched in 2014, it now comes as a mandatory feature on all Android 10 devices when they are managed with an Enterprise Mobility Management solution.

Android Enterprise integrates smoothly into Microsoft Endpoint Manager to extend its capabilities, and complements Pradeo Security Mobile Threat Defense to ensure full real-time protection.

To get a clear understanding of what to expect from Android Enterprise, we will first detail its DNA and then extend to how it fits into the rest of the mobile landscape.

The homogenization of management capabilities as Android Enterprise DNA

To interact with devices, Unified Endpoint Management (UEM) solutions used to rely on manufacturers’ APIs implemented on top of the Android system, which brought a lot of inconsistency from one device to another. To reduce the hassle, Google created a native bundle of APIs enabled for all Android devices, regardless of the manufacturer. This homogenization of management across devices comes with two key benefits: the creation of a containerized work/personal profile on the device, and a managed Google Play store with work-approved applications.

Let’s dive a bit more into the different setup modes of work and personal profiles.

An image for the different setup modes of work and personal profiles.

The first mode from left to right, called “BYOD” (Bring Your Own Device), refers to devices personally owned by employees but also used in a corporate context. The core principle in this configuration is that the device is not managed by the company, and a containerized area is created for work activities (files, applications…). Therefore, the personal environment controls the device and the company only has control over the work profile.

The second, hybrid mode takes the opposite view to the BYOD configuration. Here, the work profile controls the whole device and the work/life separation lies in a personal sub-area. This configuration is usually known as COPE, standing for Corporate Owned, Personally Enabled.

In both COPE and BYOD modes, the separation consists of isolating work and personal files, applications, and resources (messages, contacts, call logs…).

The Corporate Owned Business Only (COBO) configuration depicts a device fully managed by the company and strictly intended for work. Thus, there is no dedicated area for personal activities and the enterprise has a complete view of the device.

Lastly, kiosk-managed devices, also referred to as COSU (Corporate Owned/Single Use), follow the COBO configuration, with the work profile locked down to allow only a targeted usage.

With these four types of configuration, organizations are free to have more or less control over the user’s device. With an ever-growing BYOD landscape, companies can decide to let employees work on their personal devices while still having control over the work profile.

Ultimately, this containerization capability, already available in UEMs for some time, simplifies and unifies Android management but doesn’t really add a structural security piece. At the same time, the managed Google Play store mirrors the legacy mobile application management functionality delivered by UEMs.

Therefore, when implementing Microsoft Endpoint Manager, administrators will have to determine in which mode they will manage their corporate fleet. To add a layer of security on top of the Android Enterprise/Microsoft Endpoint Manager combination, they will have to pair it with a security layer like Pradeo Security Mobile Threat Defense.

Additional security awareness

Setting up a work/life separation as a data privacy measure adds an extra level of security, but it should not be considered a security gate. The exposure of corporate data through the various setup modes needs extra consideration.

Network and device criteria apply to the entire device: a man-in-the-middle threat or a root/jailbreak exploit will affect the work profile in the same way. Looking at applications, validating the security level of applications prior to their distribution to the work area is a must-have, but the assessment of applications already on the device must not be forgotten. By downloading an application from the store on either the work or the personal profile, corporate data are exposed to malware (screen loggers, keyloggers…) and to intrusive or leaky applications (e.g. exfiltrating contacts…) that could reach from one profile to the other.

In sum, the same security posture must be adopted to protect Android Enterprise mobile devices as for any other device.

Associate Microsoft and Pradeo to manage and secure Android Enterprise mobile devices

Pradeo and Microsoft’s long-standing partnership aims at bringing security on top of device management and fully applies in an Android Enterprise environment. The collaboration between the companies covers the two following use cases:

  • Agentless application vetting: the Pradeo Security solution plugs directly into Microsoft Endpoint Manager (including Microsoft Intune) to retrieve the list of applications installed across the fleet and assess the security level of devices.
  • On-device security: the installation of the Pradeo Security agent on devices provides 360° security coverage and real-time remediation.

Android Enterprise represents a core add-on to the Android framework, homogenizing the management of devices across manufacturers and formalizing the undeniable hybrid work/personal usage. While Android Enterprise capabilities lay out the path of device administration, they do not provide corporate-tailored security, and this is the pitfall to avoid when implementing it. Like any other device (Android, iOS), Android Enterprise devices must fall under the company security policy and benefit from real-time threat defense to ensure the protection of corporate data. Microsoft and Pradeo combine their capabilities to provide a thorough and dynamic security posture to Microsoft Endpoint Manager users and protect all the devices of the mobile fleet.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Associate Microsoft and Pradeo to manage and secure Android Enterprise mobile devices appeared first on Microsoft Security.

Congratulations to the MSRC’s 2020 Most Valuable Security Researchers

August 5th, 2020 No comments

Today we announce our Most Valuable Security Researchers for 2020! The MSRC Researcher Recognition program is an integral aspect of recognizing the ongoing partnerships with our community of talented security researchers who report through Coordinated Vulnerability Disclosure (CVD). These recognitions run throughout specific periods of the year and provide regular opportunities to recognize those who …

Congratulations to the MSRC’s 2020 Most Valuable Security Researchers Read More »

The post Congratulations to the MSRC’s 2020 Most Valuable Security Researchers appeared first on Microsoft Security Response Center.

Security baseline (FINAL): Windows 10 and Windows Server, version 2004

August 4th, 2020 No comments

We are pleased to announce the final release of the security configuration baseline settings for Windows 10 and Windows Server version 2004.

Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize and implement as appropriate. If you have questions or issues, please let us know via the Security Baseline Community.

This Windows 10 feature update brings very few new policy settings, which we list in the accompanying documentation. Only one new policy meets the criteria for inclusion in the security baseline (described below), and we are removing one setting from the baseline. There are two additional policies we are not including in the baseline because of compatibility concerns, but which you may want to consider for your organization.

LDAP Channel Binding Requirements (Policy updated)

In the Windows Server version 1809 Domain Controller baseline we created and enabled a new custom MS Security Guide setting called Extended Protection for LDAP Authentication (Domain Controllers only), based on the values provided here. This setting is now provided as part of Windows and no longer requires a custom ADMX. An announcement was made in March of this year, and now all supported Active Directory domain controllers can configure this policy. The value will remain the same in our baseline, but the setting has moved to the new location, and we are deprecating our custom setting. The new setting location is: Security Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements.

Note: this new policy requires the March 10, 2020 security update. (We assume that, as security-conscious baseline users, you are patching!) Details of that patch are here.

Microsoft Defender Antivirus File Hash (Worth considering)

Microsoft Defender Antivirus continues to enable new features to better protect consumers and enterprises alike. As part of this journey, Windows has a new setting to compute file hashes for every executable file that is scanned, if a hash wasn’t previously computed. You can find this new setting here: Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature.

You should consider using this feature to improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (MDATP). This new feature forces the engine to compute the full file hash for all executable files that are scanned. This can have a performance cost, which we minimize by only generating hashes on first sight. The scenarios where you may want to test more thoroughly for performance include devices where you frequently create new executable content (for example, developers’ machines) or where you install or update applications extremely frequently.

Because this setting is less helpful for customers who are not using MDATP, we have not added it to the baseline, but we felt it was potentially impactful enough to call out. If you choose to enable this setting, we recommend throttling the deployment to ensure you measure the impact on your users’ machines.

Account Password Length (Worth considering)

In the Windows 10 1903 security baselines we announced the removal of the account password expiration policy. We continue to invest in improving this experience. With Windows 10 2004, two new security settings have been added for password policies: ‘Minimum password length audit’ and ‘Relax minimum password length limits’. These new settings can be found under Account Policies\Password Policy.

Previously, you could not require passwords/phrases greater than 14 characters. Now you can! Being able to require a length of more than 14 characters (maximum of 128) can help better secure your environment until you can fully implement a multi-factor authentication strategy. Our vision remains unchanged in achieving a password-less future, but we also recognize that this takes time to fully implement across both your users and your existing applications and systems.

You should be cautious with this new setting because it can potentially cause compatibility issues with existing systems and processes. That’s why we introduced the ‘Minimum password length audit’ setting, so you can see what will happen if you increase your password/phrase length. With auditing you can set your limit anywhere between 1 and 128. Three new events are also created as part of this setting and will be logged as new SAM events in the System event log: one event for awareness, one for configuration, and one for error.

This setting will not be added to the baseline, as the minimum password length should be audited before broad enforcement due to the risk of application compatibility issues. However, we urge organizations to consider these two settings. Additional details about these new settings will be found here, once the new article gets published in the coming days.

(NOTE: As of today the link is not yet live; we are actively working to ensure it gets posted soon!)

As a reminder, length alone is not always the best predictor of password strength, so we strongly recommend considering solutions such as the on-premises Azure Active Directory Password Protection, which does sub-string matching using a dictionary of known weak terms and rejects passwords that don’t meet a certain score.

Turn on Behavior Monitoring (Policy removed)

In keeping with our principles for baseline inclusion, we have found that the following setting does not need to be enforced: there is no UI path to the setting, you must use a privileged account to make the change, and lastly we do not feel a misinformed admin would change this setting. Based on these principles we are removing Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring.

Tooling updates

Finally, we do have some enhancements for LGPO and Policy Analyzer coming very shortly after this release! We will go into more detail on these enhancements in a future blog post!

Baseline criteria

We follow a streamlined and efficient approach to baseline definition when compared with the baselines we published before Windows 10. The foundation of that approach is essentially:

  • The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.
  • A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks it mitigates.
  • A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:
    • If a non-administrator can set an insecure state, enforce the default.
    • If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.

For further illustration, see the “Why aren’t we enforcing more defaults?” section in this blog post.

As always, please let us know your thoughts by commenting on this post.
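To see where a machine stands on the settings discussed in this post, here is an added PowerShell check; it is not part of the post or of the Security Compliance Toolkit. It reads the registry values behind each policy and reports their state; the registry locations, the Get-MpPreference property names and the event provider name are this example's own assumptions to verify against the baseline documentation, since the post gives only the Group Policy paths.

```powershell
# Added example, not from the baseline post. Registry locations below are an
# assumed mapping of the Group Policy paths named in the post; verify them
# against the baseline documentation before relying on this report.

$Checks = @(
    @{ Setting = 'Domain controller: LDAP server channel binding token requirements'
       Note    = 'In baseline (policy updated); domain controllers only'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name    = 'LdapEnforceChannelBinding'
       Meaning = @{ 0 = 'Never'; 1 = 'When supported'; 2 = 'Always' }
       Weak    = @(0) },
    @{ Setting = 'Enable file hash computation feature'
       Note    = 'Worth considering (MDATP custom indicators); test performance first'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
       Name    = 'EnableFileHashComputation'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Weak    = @() },
    @{ Setting = 'Minimum password length audit'
       Note    = 'Worth considering; audit before enforcing a longer minimum'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'
       Name    = 'MinimumPasswordLengthAudit'
       Meaning = @{}          # value is the audited length (1-128)
       Weak    = @() },
    @{ Setting = 'Relax minimum password length limits'
       Note    = 'Worth considering; allows a minimum above 14 (up to 128)'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'
       Name    = 'RelaxMinimumPasswordLengthLimits'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Weak    = @() },
    @{ Setting = 'Turn on behavior monitoring'
       Note    = 'Removed from baseline; OS default is on'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
       Name    = 'DisableBehaviorMonitoring'
       Meaning = @{ 0 = 'Behavior monitoring on'; 1 = 'Behavior monitoring off' }
       Weak    = @(1) }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-BaselineReport {
    foreach ($c in $Checks) {
        $current = Get-RegistryDword -Path $c.Path -Name $c.Name
        if ($null -eq $current) {
            $meaning = 'not configured (OS default applies)'
            $status  = 'Not configured'
        } else {
            $meaning = if ($c.Meaning.ContainsKey($current)) { $c.Meaning[$current] } else { "value $current" }
            # 'Review' marks the weak value the post warns about (e.g. LDAP 'Never').
            $status  = if ($c.Weak -contains $current) { 'Review' } else { 'Configured' }
        }
        [pscustomobject]@{
            Setting  = $c.Setting
            Registry = '{0}\{1}' -f $c.Path, $c.Name
            Current  = $meaning
            Status   = $status
            Note     = $c.Note
        }
    }
}

function Get-DefenderEngineState {
    # Effective engine state from the Defender module, whether set by policy or
    # locally. Assumes the Defender cmdlets exist and expose these two properties.
    if (-not (Get-Command Get-MpPreference -ErrorAction SilentlyContinue)) { return $null }
    $pref = Get-MpPreference
    [pscustomobject]@{
        FileHashComputation = [bool]$pref.EnableFileHashComputation
        BehaviorMonitoring  = -not $pref.DisableBehaviorMonitoring
    }
}

function Get-PasswordLengthAuditEvents {
    param([int]$MaxEvents = 20)
    # The post says the three audit events are SAM events in the System log;
    # the provider name here is an assumption.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Directory-Services-SAM' } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-BaselineReport | Format-Table -AutoSize -Wrap
Get-DefenderEngineState
Get-PasswordLengthAuditEvents -MaxEvents 5 | Format-List
```

Run it on a domain controller for the LDAP row and on a workstation for the Defender rows; a 'Not configured' LDAP row on a DC means the new policy location has not been applied yet.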

CISO Stressbusters: Post #4: 4 tips for running a highly effective security operation

August 4th, 2020 No comments

Rebecca Wynn, Global CISO & Chief Privacy Officer (CISO) of (24)7.ai, shares her advice for relieving stress in today’s CISO Stressbuster post.

In many organizations, the CISO is held accountable for security breaches, yet they don’t have control over all the decisions and systems that affect cyber risk. They need to continuously prove that they are making the company safer while persuading others to change behaviors.

Building a security culture can be stressful, but it helps if people know they can count on you. As a senior information and security risk officer who has served as a CISO at several technology companies, I’ve learned that one way to increase influence is to get things done. Running a tight ship helps you prove value and gain allies. In the fourth blog in the CISO Stressbuster series, I’ve outlined four tips that will help you build a highly effective security organization.

1. Cultivate your team

The most important part of your security operation is your people. A strong team that works well together will help you deliver on your goals and prove the value of cybersecurity to the board. To ensure your team has the right skills for your organization, start by identifying your strengths and weaknesses. For example, you may need people with more experience in cloud or automation technologies. It’s also essential to think about diversity. People with different backgrounds help you avoid group-think and generate new ideas.

Training and apprenticeship programs are a great way to build skills within your existing staff. When done well, you can encourage a continuous learning culture that keeps people engaged. This is incredibly valuable because it isn’t just CISOs who are stressed. Our teams are also under a lot of pressure. Helping them grow and acquire new skills can reduce burnout.

You won’t be able to fulfill all your needs with training, and it can be challenging to find senior people with specialized backgrounds. When you do need to fill a new position, be intentional about which skills are required and which can be trained. Expand your criteria to include people with non-traditional backgrounds who can offer new insights. To encourage participation from everyone, build an inclusive culture.

2. Be a good fiduciary with your budget

Whether you work at a huge enterprise or a startup, there will always be a limit to your budget. Make smart investments to stretch those dollars farther. A great example is software and cloud services. There are many great security products available, but if they don’t work well with your current solutions, you may not get as much value out of them. Find ways to expand the usage of existing products. Make sure new tools align with your long-term strategy and that teams are well trained. Audit your technology regularly and stop paying for services that no longer meet your needs.

Strategic staffing decisions can also help you do more with your budget. For highly specialized skills or irregular tasks, it can sometimes be more efficient to outsource. On the other hand, you may need to invest in your own team to prepare for a changing business climate, such as hiring analysts with cloud expertise.

Demonstrating a proven track record of managing your budget well builds trust with the board and other executives. This gives you more credibility when you ask for increases in the future.

3. Measure metrics that matter

Your goal as a CISO is to improve the security of the company by effectively managing cybersecurity risk. To evaluate how well you are doing, you need to track the right metrics. The number of tickets opened and closed each month won’t tell you much, but the context of those tickets can.

Set up reporting that will help you measure how well your team and tools are protecting the organization. Some possible examples include:

  • Time to remediate (TTR) an incident allows you to track how long attackers have access to your resources.
  • Number of users with privileged access will help you keep the number of people who can access sensitive information as low as possible.
  • Number of systems with vulnerabilities can help you ensure they are regularly patched.
  • Number of unidentified devices on the network.
  • Number of staff who have completed security awareness training.

4. Adapt your communication for your audience

Making things happen as a CISO requires that you influence others. Whether that is encouraging different behavior from your team, persuading the board to approve a budget increase, or convincing other business leaders to take security seriously, communication is key.

Effective communication starts with good relationships. When I first join a company, I immediately work on building partnerships with other business leaders. If they have issues with the security team, I work on getting those ironed out. This paves the way for me to have conversations about how we can work together to improve security.

As you work with colleagues to make progress on security objectives, it helps to be agile. Listen during meetings to try to understand what’s working and what’s not. Flex your language depending on who’s in the room. When people understand how they will benefit from security, they are more likely to get on board.

Looking ahead

Safeguarding your company against cyber threats is rewarding work, but it also comes with a lot of pressure. To help you manage the stress, the CISO Stressbusters blog series will feature advice from CISOs from a variety of different companies and industries. Stay tuned for the next CISO Stressbuster post for more advice from others in the trenches.

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to Diana Kelley on LinkedIn if you’re interested in being interviewed for one of our upcoming posts.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post CISO Stressbusters: Post #4: 4 tips for running a highly effective security operation appeared first on Microsoft Security.

Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards

August 4th, 2020 No comments

Security researchers are a vital component of the cybersecurity ecosystem that safeguards every facet of digital life and commerce. The researchers who devote time to uncovering and reporting security issues before adversaries can exploit them have earned our collective respect and gratitude. The security landscape is constantly changing with emerging technology and new threats. By …

Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards Read More »

The post Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards appeared first on Microsoft Security Response Center.

Microsoft Joins Open Source Security Foundation

August 3rd, 2020 No comments

Microsoft has invested in the security of open-source software for many years and today I’m excited to share that Microsoft is joining industry partners to create the Open Source Security Foundation (OpenSSF), a new cross-industry collaboration hosted at the Linux Foundation. The OpenSSF brings together work from the Linux Foundation-initiated Core Infrastructure Initiative (CII), the GitHub-initiated Open Source Security Coalition (OSSC), and other open-source security efforts to improve the security of open-source software by building a broader community, targeted initiatives, and best practices. Microsoft is proud to be a founding member alongside GitHub, Google, IBM, JPMC, NCC Group, OWASP Foundation, and Red Hat.

Open-source software is core to nearly every company’s technology strategy and securing it is an essential part of securing the supply chain for all, including our own. With the ubiquity of open source software, attackers are currently exploiting vulnerabilities across a wide range of critical services and infrastructure, including utilities, medical equipment, transportation, government systems, traditional software, cloud services, hardware, and IoT.

Open-source software is inherently community-driven and, as such, there is no central authority responsible for quality and maintenance. Because source code can be copied and cloned, versioning and dependencies are particularly complex. Open-source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware. Given the complexity and communal nature of open-source software, building better security must also be a community-driven process.

Microsoft has been involved in several open-source security initiatives over the years and we are looking forward to bringing these together under the umbrella of the OpenSSF. For example, we have been actively working with OSSC in four primary areas:

Identifying Security Threats to Open Source Projects

Helping developers to better understand the security threats that exist in the open-source software ecosystem and how those threats impact specific open source projects.

Security Tooling

Providing the best security tools for open source developers, making them universally accessible and creating a space where members can collaborate to improve upon existing security tooling and develop new ones to suit the needs of the broader open source community.

Security Best Practices

Providing open-source developers with best practice recommendations, and with an easy way to learn and apply them. Additionally, we have been focused on ensuring best practices to be widely distributed to open source developers and will leverage an effective learning platform to do so.

Vulnerability Disclosure

Creating an open-source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months.

We are looking forward to participating in future OpenSSF efforts including securing critical open source projects (assurance, response), developer identity, and bounty programs for open-source security bugs.

We are excited and honored to be advancing the work with the OSSC into the OpenSSF and we look forward to the many improvements that will be developed as a part of this foundation with the open-source community.

To learn more and to participate, please join us at: https://openssf.org and on GitHub at https://github.com/ossf.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Joins Open Source Security Foundation appeared first on Microsoft Security.

Microsoft Joins Open Source Security Foundation

August 3rd, 2020 No comments

Microsoft has invested in the security of open source software for many years and today I’m excited to share that Microsoft is joining industry partners to create the Open Source Security Foundation (OpenSSF), a new cross-industry collaboration hosted at the Linux Foundation. The OpenSSF brings together work from the Linux Foundation-initiated Core Infrastructure Initiative (CII), …

Microsoft Joins Open Source Security Foundation Read More »

The post Microsoft Joins Open Source Security Foundation appeared first on Microsoft Security Response Center.

Black Hat 2020: See you in the Cloud!

July 30th, 2020 No comments

It hardly feels like summer without the annual trip to Las Vegas for Black Hat USA. With this year’s event being totally cloud based, we won’t have the chance to catch up with security researchers, industry partners, and customers in person, an opportunity we look forward to every year. We’ll still be there though, and …

Black Hat 2020: See you in the Cloud! Read More »

The post Black Hat 2020: See you in the Cloud! appeared first on Microsoft Security Response Center.

Inside Microsoft Threat Protection: Solving cross-domain security incidents through the power of correlation analytics

July 29th, 2020 No comments

In theory, a cyberattack can be disrupted at every phase of the attack chain. In reality, however, defense stack boundaries should overlap in order to be effective. When a threat comes via email, for example, even with good security solutions in place, organizations must assume that the threat may slip past email defenses, reach the target recipient, and further compromise endpoints and identities. While defenses on endpoints and identities could successfully tackle the attack in isolation, coordinating signals across protection components significantly increases the ability of these solutions to block and mitigate.

Microsoft Threat Protection takes this approach and delivers coordinated defense that binds together multiple solutions in the Microsoft 365 security portfolio. Microsoft Threat Protection continuously and seamlessly scours endpoint, email and document, cloud app, and identity activities for suspicious signals. Through deep correlation logic, Microsoft Threat Protection automatically finds links between related signals across domains. It connects related existing alerts and generates additional alerts where suspicious events that could otherwise be missed can be detected. We call these correlated entities incidents.

How Microsoft Threat Protection’s advanced correlation makes SOC analysts’ work easier and more efficient

Microsoft Threat Protection’s incident creation logic combines AI technology and our security experts’ collective domain knowledge, and builds on broad optics to provide comprehensive coverage. These correlations align with the MITRE ATT&CK framework over a unified schema of attack entities, enabling Microsoft Threat Protection to automatically connect the dots between seemingly unrelated signals.

Incidents ensure that elements otherwise spread across various portals and queues are presented in a single coherent view, helping security operations centers (SOC) in important ways. First, they reduce the SOC’s workload: incidents automatically collect and correlate isolated alerts and other related security events, so analysts have fewer, more comprehensive work items in their queue. Second, SOC analysts can analyze related alerts, affected assets, and other evidence together, reducing the need for manual correlation and making it easier and faster to understand the complete attack story and take informed actions.

Attack sprawl illustrated

The level of sophistication of today’s threats, including nation-state level attacks and human-operated ransomware, highlights why coordinated defense is critical in ensuring that organizations are protected.

To illustrate how Microsoft Threat Protection protects against such sophisticated attacks, we asked our security research team to simulate an end-to-end attack chain across multiple domains, based on techniques we observed in actual investigations.

Their attack starts with a spear-phishing email targeting a specific user. The email contains a link that, when clicked, leads to the download of a malicious .lnk file that stages the Meterpreter payload. With their malicious code running on the target device, the attackers perform reconnaissance to understand which users have signed into the device and which other devices these users have access to. For example, in this case, they find the credentials of an IT helpdesk team member. Impersonating this IT helpdesk team member via overpass-the-hash, the attackers are able to move laterally to a second device.

On the second device, they steal the user’s web credentials, which they use to remotely access the user’s cloud apps like OneDrive or SharePoint. This allows the attackers to insert a malicious macro into an existing online Word document, which they then deploy in a lateral phishing attack by distributing links to the malicious document to other users in the organization.

Diagram showing an attack chain involving attack sprawl and techniques like overpass-the-hash

Figure 1. Our attack case scenario showing the initial access through spear-phishing and lateral movement through overpass-the-hash attack

When we ran this attack in our simulation environment, Microsoft Threat Protection was able to track attacker activities as they accessed the target organization, established a foothold, and moved across the network. Then, invoking advanced correlation, Microsoft Threat Protection automatically collected all signals, alerts, and relevant entities into a single comprehensive incident representing the whole attack:

Screenshot of the incidents view in Microsoft security center

Figure 2. Incident showing the full attack chain and affected entities

Initial access: Correlating email, identity, and endpoint signals

Let’s look behind the scenes to understand how Microsoft Threat Protection connects the dots in such an attack.

When the target of the initial spear-phishing email clicks the URL in the email, a malicious .lnk file is downloaded and run on the device. In such a scenario, Office 365 Advanced Threat Protection (ATP) flags both the email and the URL as malicious and raises an alert. Normally, SOC analysts would analyze this alert, extract attacker indicators such as the malicious URL, manually search for all devices where this malicious URL was clicked, then take remediation actions on those devices.

Microsoft Threat Protection automates this process and saves time. The intelligence behind Microsoft Threat Protection correlations combines Office 365 ATP signals, Microsoft Defender ATP events, and Azure Active Directory (Azure AD) identity data to find the relevant malicious URL click activity on affected devices, even before SOC analysts start looking at the alert. The automatic correlation of email, identity, and endpoint signals across on-premises and cloud entities raises the alert “Suspicious URL clicked”. Through this correlation-driven alert, Microsoft Threat Protection helps the SOC expand its understanding of the attack using all relevant pieces of evidence and automates the search for compromised devices.

Screenshot of Microsoft security center showing list of alerts and highlighting the correlation-driven alert "Suspicious URL clicked"

Figure 3. Microsoft Threat Protection correlation-driven alert “Suspicious URL clicked”

Lateral movement: Correlating overpass-the-hash attack on one device and suspicious sign-in on another

So we’ve seen how automatic correlation allows Microsoft Threat Protection to uncover attacker activity related to initial access. The same capability exposes the next stages in the attack chain: credential theft and lateral movement.

Diagram showing an attack chain and showing correlation of cross-domain signals

Figure 4. Attack scenario showing alerts raised by correlation of cross-domain signals

In the next stage, the attackers use the overpass-the-hash method, a well-known impersonation technique. They control one device in the network where a domain user, like the IT helpdesk team member, is currently signed in. They then harvest NTLM credentials stored on the device to obtain a Kerberos ticket on the user’s behalf. The Kerberos ticket is a valid ticket that’s encrypted with the credentials of the domain user, allowing the attackers to pretend to be that user and access all resources that the user can access. Once attackers obtain credentials for a user with high privileges, they use the stolen credentials to sign in to other devices and move laterally.

In such cases, Azure ATP raises an alert on the suspicious Kerberos ticket, pointing to a potential overpass-the-hash attack. What would SOC analysts do at this point when investigating an overpass-the-hash alert? They would probably start enumerating all the users who signed in to the compromised device. They would also enumerate all other sign-ins for these users and further activities propagating to other devices in the network, all while mentally building an attack graph.

Saving precious time and eliminating manual work, Microsoft Threat Protection determines that the lateral movement activity is related to the earlier initial access. As a result, Microsoft Threat Protection correlates this activity, as well as users and devices involved, into the same incident, exposing other related activities and surfacing them as additional alerts in the same incident.

Screenshot of Microsoft security center showing list of alerts and highlighting the correlation-driven alert "Successful logon using potentially stolen credentials"

Figure 5. Correlating the overpass-the-hash alert

Microsoft Threat Protection also finds related sign-in events following the overpass-the-hash attack to trace the footprint of the impersonated user and surfaces alerts for malicious sign-ins made by the attacker. This allows Microsoft Threat Protection to elevate a series of raw sign-in events (which, when considered on their own, may lack context for detection) to alerts. The correlation-driven alert “Successful logon using potentially stolen credentials” instantly flags the compromised endpoints and pinpoints the start of the malicious activity in the timeline.
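To make the correlation mechanics described in the initial-access and lateral-movement sections concrete, here is an added example (not Microsoft Threat Protection's code) that stitches constructed alerts from the email, identity, and endpoint domains into incidents by the entities they share, and derives a “Suspicious URL clicked” style alert when an email verdict meets an endpoint click on the same URL. Alert ids, device names, users, and URLs are all constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Entity = Tuple[str, str]  # (kind, value), e.g. ("device", "WS-0417")


@dataclass
class Alert:
    alert_id: str
    source: str  # "email", "identity", "endpoint" or "correlation"
    title: str
    entities: Set[Entity] = field(default_factory=set)


# Constructed endpoint telemetry (not real data): URL clicks seen on devices.
URL_CLICKS = [
    {"device": "WS-0417", "user": "alice@corp.example", "url": "http://bad.example/lnk"},
    {"device": "WS-0022", "user": "bob@corp.example", "url": "http://ok.example/news"},
]


def derive_url_click_alerts(alerts: List[Alert], clicks) -> List[Alert]:
    """Cross-domain step: an email alert carrying a malicious URL plus an
    endpoint click on that same URL yields a 'Suspicious URL clicked' alert
    that binds the URL to the clicking device and user."""
    derived = []
    for a in alerts:
        if a.source != "email":
            continue
        bad_urls = {v for k, v in a.entities if k == "url"}
        for c in clicks:
            if c["url"] in bad_urls:
                derived.append(Alert(
                    alert_id=f"derived-{a.alert_id}-{c['device']}",
                    source="correlation",
                    title="Suspicious URL clicked",
                    entities={("url", c["url"]), ("device", c["device"]), ("user", c["user"])},
                ))
    return derived


def build_incidents(alerts: List[Alert]) -> List[List[str]]:
    """Union-find over alerts: two alerts land in the same incident when they
    share any entity (transitively). Returns sorted lists of alert ids."""
    parent = {a.alert_id: a.alert_id for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(x, y):
        rx, ry = find(x), find(y)
        if rx != ry:
            parent[ry] = rx

    first_seen = {}  # entity -> alert id that first carried it
    for a in alerts:
        for e in a.entities:
            if e in first_seen:
                union(first_seen[e], a.alert_id)
            else:
                first_seen[e] = a.alert_id

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a.alert_id)].append(a.alert_id)
    return sorted(sorted(g) for g in groups.values())


def run_scenario() -> List[List[str]]:
    """The post's chain as constructed alerts: email verdict, Kerberos ticket
    alert on the first device, stolen-credential sign-in on a second device,
    plus one unrelated alert that must stay in its own incident."""
    alerts = [
        Alert("A1", "email", "Malicious URL in email",
              {("url", "http://bad.example/lnk"), ("user", "alice@corp.example")}),
        Alert("A2", "identity", "Suspicious Kerberos ticket (overpass-the-hash)",
              {("device", "WS-0417"), ("user", "helpdesk@corp.example")}),
        Alert("A3", "endpoint", "Successful logon using potentially stolen credentials",
              {("device", "WS-0910"), ("user", "helpdesk@corp.example")}),
        Alert("A4", "endpoint", "Unrelated detection",
              {("device", "WS-0022")}),
    ]
    alerts += derive_url_click_alerts(alerts, URL_CLICKS)
    return build_incidents(alerts)


if __name__ == "__main__":
    for n, inc in enumerate(run_scenario(), 1):
        print(f"incident {n}: {inc}")
```

The email alert and the identity alert share no entity directly; it is the derived click alert (URL from the email, device from the endpoint) that links them, and the helpdesk user then pulls the second device's sign-in alert into the same incident.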

Screenshot of Microsoft security center showing correlation-driven alerts that determine that start of the attack

Figure 6. Correlation-driven alert can help determine the start of the attack

Lateral phishing: Correlating email, cloud, and device data

Using the breadth and depth of information available from the incident, SOC analysts can further expand their investigation. The Go hunt action allows SOC analysts to run an exhaustive, predefined query to hunt for relevant or similar threats and malicious activities from endpoints to the cloud, whether issued from inside the network or outside organizational boundaries.

Screenshot of Microsoft security center showing the Go hunt action

Figure 7. Generating a hunting query with a single click

In this attack scenario, the query that Go hunt auto-generates instantly reveals suspicious OneDrive activity: while the user is operating from Great Britain, somebody from Sweden with the same account name seems to have downloaded a .docx file and replaced it with a similar file with a .doc extension, indicating the insertion of the malicious macro.

Screenshot of Microsoft security center showing results of the Go hunt query, which reveals additional suspicious activity

Figure 8. “Go hunt” on the compromised user reveals suspicious activity

SOCs can further follow the propagation of the replaced file using an additional hunting query that combines email, OneDrive, and device data to find more affected users and devices, allowing SOC analysts to assess if additional compromise occurred and to take remediation actions. In our next blog post, we’ll provide more details about the investigation and hunting aspects of this scenario.
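The OneDrive pattern the Go hunt query surfaced above can also be expressed as hunting logic. The following is an added example (not Microsoft's code and not the query Go hunt generates) that runs over constructed OneDrive audit events and flags a download followed by a re-upload of the same file name with a different extension from a country other than the account's usual one; the event field names are an assumption.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def split_name(name: str) -> Tuple[str, str]:
    """'Q3-plan.docx' -> ('Q3-plan', 'docx'); names without a dot get an empty extension."""
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")


# Constructed OneDrive audit events (not real telemetry).
EVENTS = [
    {"time": "2020-07-20T07:50:00Z", "user": "alice@corp.example", "country": "GB",
     "op": "FileAccessed", "file": "Q3-plan.docx"},
    {"time": "2020-07-20T08:01:00Z", "user": "alice@corp.example", "country": "GB",
     "op": "FileAccessed", "file": "budget.xlsx"},
    {"time": "2020-07-20T08:30:00Z", "user": "alice@corp.example", "country": "GB",
     "op": "FileModified", "file": "Q3-plan.docx"},
    {"time": "2020-07-20T09:12:00Z", "user": "alice@corp.example", "country": "SE",
     "op": "FileDownloaded", "file": "Q3-plan.docx"},
    {"time": "2020-07-20T09:14:00Z", "user": "alice@corp.example", "country": "SE",
     "op": "FileUploaded", "file": "Q3-plan.doc"},
    {"time": "2020-07-20T10:00:00Z", "user": "bob@corp.example", "country": "GB",
     "op": "FileDownloaded", "file": "notes.docx"},
    {"time": "2020-07-20T10:05:00Z", "user": "bob@corp.example", "country": "GB",
     "op": "FileUploaded", "file": "notes.docx"},
]


def usual_country(events, user: str) -> str:
    """The account's most frequent country across all of its events."""
    counts = Counter(e["country"] for e in events if e["user"] == user)
    return counts.most_common(1)[0][0]


def find_replaced_files(events, window_minutes: int = 60) -> List[Dict[str, str]]:
    """Flag an upload that re-uses the stem of a file the same account downloaded
    within the window but carries a different extension, when the upload comes
    from a country other than the account's usual one."""
    ordered = sorted(events, key=lambda e: e["time"])
    findings = []
    for idx, up in enumerate(ordered):
        if up["op"] != "FileUploaded":
            continue
        up_stem, up_ext = split_name(up["file"])
        up_time = parse_time(up["time"])
        for dl in reversed(ordered[:idx]):  # walk back in time from the upload
            if dl["user"] != up["user"] or dl["op"] != "FileDownloaded":
                continue
            if (up_time - parse_time(dl["time"])).total_seconds() > window_minutes * 60:
                break  # everything before this download is older still
            dl_stem, dl_ext = split_name(dl["file"])
            if dl_stem == up_stem and dl_ext != up_ext:
                usual = usual_country(events, up["user"])
                if up["country"] != usual:
                    findings.append({"user": up["user"], "downloaded": dl["file"],
                                     "uploaded": up["file"], "from_country": up["country"],
                                     "usual_country": usual})
                break  # the nearest matching download decides this upload
    return findings


if __name__ == "__main__":
    for f in find_replaced_files(EVENTS):
        print(f)
```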

Conclusion: Connecting the dots and enriching incidents with more signals that tell the story

In this blog we demonstrated Microsoft Threat Protection’s unique ability to correlate signals across email and docs, devices, identities, and cloud apps, and present attack evidence in a unified form. Incidents significantly improve SOC efficiency by eliminating the need to use different portals and manually finding and connecting events, as well as enabling investigation and comprehensive response to attacks. The incident view shows alerts, affected entities, and related activities from across Microsoft 365 security solutions in a unified view.

Automatic correlations enrich incidents by consolidating relevant events and raising new alerts on malicious activities that couldn’t be flagged by any individual product on its own. These correlations paint a seamless attack story across perimeters by building an attack graph that SOC analysts can follow, starting with the earliest initial access.

Diagram showing automatic correlation of signals and alerts across domains

Figure 9. Automatic correlation across domains

Microsoft Threat Protection harnesses the power of Microsoft 365 security products to deliver unparalleled coordinated defense that detects, correlates, blocks, remediates, and prevents attacks across an organization’s Microsoft 365 environment. Existing Microsoft 365 licenses provide access to Microsoft Threat Protection features in Microsoft 365 security center without additional cost. To start using Microsoft Threat Protection, go to security.microsoft.com.

Learn how Microsoft Threat Protection can help your organization to stop attacks with coordinated defense. Read these blog posts in the Inside Microsoft Threat Protection series:


Stefan Sellmer, Tali Ash, Tal Maor

Microsoft Threat Protection Team


The post Inside Microsoft Threat Protection: Solving cross-domain security incidents through the power of correlation analytics appeared first on Microsoft Security.

Empower your analysts to reduce burnout in your security operations center

July 28th, 2020

Effective cybersecurity starts with a skilled and empowered team. In a world with more remote workers and an evolving threat landscape, you need creative problem solvers defending your organization. Unfortunately, many traditional security organizations operate in a way that discourages growth, leading to burnout and high turnover.

Sixty-six percent of IT professionals say they have considered finding a new job with less stress. Fifty-one percent are even willing to take a pay cut. And the average tenure of a cybersecurity analyst is only one to three years. Even if stressed employees don’t quit, they may become cynical or lose focus, putting your organization at risk. Given the huge talent shortage—estimated between one and three million cybersecurity professionals—it’s critical to understand some of the factors that lead to burnout, so you can grow and retain your team. In this blog, I’ll provide insights into what drives burnout and walk through recommendations for using automation, training, and metrics to build a more effective security organization.

Burnout in the security operations center

Burnout starts with a vicious cycle. Because management has a limited budget, they staff many of their positions with entry-level roles. Security organizations are inherently risk-averse, so managers are reticent to give low-skilled roles decision-making authority. Security professionals in such an environment have few opportunities to use creative problem-solving skills, limiting the opportunity for them to grow their skills. If their skills don’t grow, they don’t advance and neither does the organization.

This cycle was documented in 2015, when USENIX studied burnout in a security operations center (SOC). By embedding an anthropologically trained computer science graduate in a SOC for 6 months, researchers identified four key areas that interact with each other to contribute to job satisfaction:

  • Skills: To effectively do their job, people need to know how to use security tools where they work. They also need to understand the security landscape and how it is changing.
  • Empowerment: Autonomy plays a major role in boosting morale.
  • Creativity: People often confront challenges that they haven’t seen before or that don’t map onto the SOC playbook. To uncover novel approaches they need to think outside the box, but creativity suffers when there is a lack of variation in operational tasks.
  • Growth: Growth is when a security analyst gains intellectual capacity. There is a strong connection between creativity and growth.

Image of the Human Capital Cycle

Graphic from A Human Capital Model for Mitigating Security Analyst Burnout, USENIX Association, 2015.

To combat the vicious cycle of burnout, you need to create a positive connection between these four areas and turn it into a virtuous cycle. Strategic investments in growth, automation, and metrics can make a real difference without requiring you to rewrite roles. Many of these recommendations have been implemented in the Microsoft SOC, resulting in a high-performing culture. I also believe you can expand these learnings to your entire security organization, who may also be dealing with stress related to remote work and COVID-19.

Create a continuous learning culture

Managers are understandably wary about giving too much decision-making authority to junior employees with limited skills, but if you give them no opportunities to try new ideas they won’t improve. Look for lower-risk opportunities for Tier One analysts to think outside set procedures. They may periodically make mistakes, but if you foster a culture of continuous learning and a growth mindset they will gain new skills from the experience.

To advance skills on your team, it’s also important to invest in training. The threat landscape changes so rapidly that even your most senior analysts will need to dedicate time to stay up to date. The Microsoft SOC focuses its training on the following competencies:

  • Technical tools/capabilities.
  • Our organization (mission and assets being protected).
  • Attackers (motivations, tools, techniques, habits, etc.).

Not all training should be formal. Most managers hire junior employees with the hope that they will learn on the job, but you need to create an environment that facilitates that. An apprenticeship model provides growth opportunities for both junior and senior members of your team.

Support operational efficiency with automation

At Microsoft, we believe the best use of artificial intelligence and automation is to support humans—not replace them. In the SOC, technology can reduce repetitive tasks so that people can focus on more complex threats and analysis. This allows defenders to use human intelligence to proactively hunt for adversaries that got past the first line of defense. Your organization will be more secure, and analysts can engage in interesting challenges.

Solutions like Microsoft Threat Protection can reduce some of the tedium involved in correlating threats across domains. Microsoft Threat Protection orchestrates across emails, endpoints, identity, and applications to automatically block attacks or prioritize incidents for analysts to pursue.

Azure Sentinel, a cloud-native SIEM, uses machine learning algorithms to reduce alert fatigue. Azure Sentinel can help identify complex, multi-stage attacks by using a probabilistic kill chain to combine low fidelity signals into a few actionable alerts.

It isn’t enough to apply machine learning to today’s monotonous challenges. Engage your team in active reflection and continuous improvement so they can finetune automation, playbooks, and other operations as circumstances change.

Track metrics that encourage growth

Every good SOC needs to track its progress to prove its value to the organization, make necessary improvements, and build the case for budgets. But don’t let your metrics become just another checklist. Measure data that is motivational to analysts and reflects the successes of the SOC. It’s also important to allocate the tracking of metrics to the right team members. For example, managers rather than analysts should be responsible for mapping metrics to budgets.

The Microsoft SOC tracks the following metrics:

Time to acknowledgment: For any alert that has a track record of 90 percent true positive, Microsoft tracks how long between when an alert starts “blinking” and when an analyst starts the investigation.

Time to remediate: Microsoft tracks how long it takes to remediate an incident, so we can determine if we are reducing the time that attackers have access to our environment.

Incidents remediated manually and via automation: To evaluate the effectiveness of our automation technology and to ensure we are appropriately staffed, we track how many incidents we remediate via automation versus manual effort.

Escalations between tiers: We also track issues that are remediated through tiers to accurately capture the amount of work that is happening at each tier. For example, if an incident gets escalated from Tier One to Tier Two, we don’t want to fully attribute the work to Tier Two or we may end up understaffing Tier One.
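The four metrics above are easy to get subtly wrong (counting low-fidelity alerts in acknowledgment time, or crediting escalated work to the last tier only). As an added example, not Microsoft SOC code, here they are computed over constructed incident records; the record layout and field names are assumptions, the 90 percent true-positive filter and the per-tier attribution follow the post.

```python
from collections import Counter
from datetime import datetime
from statistics import median
from typing import Dict, Optional


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def minutes_between(start: str, end: str) -> float:
    return (parse_time(end) - parse_time(start)).total_seconds() / 60


# Constructed incident records (not real SOC data). 'alert_tp_rate' is the
# historical true-positive rate of the alert type that opened the incident;
# 'tiers' lists every tier that worked the incident, in order.
INCIDENTS = [
    {"id": "INC-1", "alert_tp_rate": 0.95, "fired": "2020-07-20T09:00:00Z",
     "acked": "2020-07-20T09:05:00Z", "remediated": "2020-07-20T10:00:00Z",
     "remediated_by": "manual", "tiers": ["T1", "T2"]},
    {"id": "INC-2", "alert_tp_rate": 0.60, "fired": "2020-07-20T09:10:00Z",
     "acked": "2020-07-20T09:40:00Z", "remediated": "2020-07-20T09:50:00Z",
     "remediated_by": "manual", "tiers": ["T1"]},
    {"id": "INC-3", "alert_tp_rate": 0.92, "fired": "2020-07-20T09:20:00Z",
     "acked": "2020-07-20T09:21:00Z", "remediated": "2020-07-20T09:25:00Z",
     "remediated_by": "automation", "tiers": []},
    {"id": "INC-4", "alert_tp_rate": 0.98, "fired": "2020-07-20T11:00:00Z",
     "acked": "2020-07-20T11:09:00Z", "remediated": "2020-07-20T12:30:00Z",
     "remediated_by": "manual", "tiers": ["T1", "T2", "T3"]},
]


def time_to_acknowledge(incidents, min_tp_rate: float = 0.9) -> Optional[float]:
    """Median minutes from the alert starting to 'blink' to an analyst starting
    work, over alert types with a track record of at least 90 percent true
    positives; lower-fidelity alerts are left out so they do not distort it."""
    vals = [minutes_between(i["fired"], i["acked"])
            for i in incidents if i["alert_tp_rate"] >= min_tp_rate]
    return median(vals) if vals else None


def time_to_remediate(incidents) -> float:
    """Median minutes from the first alert to remediation."""
    return median(minutes_between(i["fired"], i["remediated"]) for i in incidents)


def remediation_split(incidents) -> Dict[str, int]:
    """How many incidents were closed by automation versus manual effort."""
    return dict(Counter(i["remediated_by"] for i in incidents))


def work_per_tier(incidents) -> Dict[str, int]:
    """Credit every tier that touched an incident, so an escalation from Tier
    One to Tier Two counts as work for both rather than for Tier Two alone."""
    counts: Counter = Counter()
    for i in incidents:
        counts.update(set(i["tiers"]))
    return dict(counts)


if __name__ == "__main__":
    print("time to acknowledge (min):", time_to_acknowledge(INCIDENTS))
    print("time to remediate (min):", time_to_remediate(INCIDENTS))
    print("remediation split:", remediation_split(INCIDENTS))
    print("work per tier:", work_per_tier(INCIDENTS))
```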

As organizations continue to confront the COVID-19 pandemic and eventually move beyond it, many security teams will be asked to do more with less. A continuous learning culture that uses automation and metrics to encourage growth will help you build a creative, problem-solving culture that is able to master new skills.

Read more about Microsoft Threat Protection.

Find out about Azure Sentinel.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Guiding principles of our identity strategy: staying ahead of evolving customer needs

July 27th, 2020

Last June, when I shared the 5 principles driving a customer-obsessed identity strategy at Microsoft, many of you had embraced the idea of a boundaryless environment, but relatively few had implemented it in practice. A global pandemic made remote access essential and forced many of you to accelerate your digital transformation plans.

The new reality requires not only supporting secure remote productivity and collaboration, but also other remote operations, such as onboarding, offboarding, and training employees. And this reality will continue for the near future. According to our most recent Work Life Index, 71 percent of employees and managers (Information Workers) reported a desire to continue working from home at least part-time post-pandemic.

Your experiences and insights have helped shape the investments we’re making in our identity services for the coming year and beyond. Today, I’m sharing with you the updated set of guiding principles we’re following to deliver a secure and scalable identity solution that’s seamless for your end-users.

Secure adaptive access

An identity system that is secure from the ground up continues to drive our product investments. In a recent survey of over 500 security executives, achieving a high level of protection without impeding user productivity was rated the number one challenge. Using risk-based Conditional Access policies in Azure AD, you can protect sensitive data with minimal friction to your end-users. This combines the power of Identity Protection with Conditional Access to only prompt users when the sign-in is considered risky. 

To enhance identity security, we’re investing in compromise prevention technologies such as security defaults, attack blocking, and password protection, as well as reputation and anti-abuse systems. Security mechanisms like end-user notifications and in-line interrupts can help everyone defend themselves from malicious actors. Every day, our data scientists and investigators evaluate the threat and log data to gather real-world insights, so they can adjust our machine learning algorithms to recognize and protect our customers from the latest threats.   

Our product and ecosystem investments are guided by embracing Zero Trust security strategy as our worldview. We build Azure AD on the principles of Zero Trust to make implementing this model across your entire digital estate achievable at scale. 

Seamless user experiences

When your employees need to get things done, delivering a great user experience is essential. Employees who interact directly with customers, patients, and citizens need tools that are simple to learn and use. Because an easy, fast sign-in experience can make all the difference for your users—and your Help Desk—we’re continuing our investments in Firstline Worker scenarios to address the challenges they face, for example, by providing seamless handoffs of shared mobile devices and enhancing tools and workflows for managers. 

We’ve seen more interest than ever in minimizing the use of passwords and eliminating them completely. We continue our commitment to identity standards that help scale the technology and make it more useful and accessible for everyone. We’re also developing easy-to-use self-service options for end-users, such as managing security information, requesting access to apps and groups, and getting automatic recommendations for approved applications based on what peers are using most.  

Your customers, business partners, and suppliers also deserve a great, consumer-grade sign-in and collaboration experience. With the External Identities feature in Azure AD, we are investing in making it easier for organizations and developers to secure, manage, and build apps that connect with different users outside your organization.  

We’re also looking ahead to technologies that respect everyone’s privacy, such as decentralized identity systems and verifiable credentials, that can verify information about an individual without requiring another username and password. Verifiable credentials are based on open standards from W3C and leverage the OIDC protocol, so you will be able to incorporate them into your existing systems. 

Unified identity management

It’s hard to scale and manage security when you have overlapping products from multiple vendors that need to work together. You have a portfolio of on-premises and cloud-based applications that you need to manage and provide secure access to your users. We are simplifying these experiences in Azure AD, making it easier to manage all your applications for all your users in a single place. We’re also consolidating our APIs into Microsoft Graph to unify programmatic access to and management of data across workloads in Microsoft 365, including Azure AD. 

By embracing open standards, we can help you more easily manage and secure your hybrid environment. We’re working with partners like Box and Workday to further deepen our product integrations and streamline identity processes. Azure AD is pre-integrated with thousands of SaaS applications, with more to come, so you can provide users one set of credentials for secure access to any application. We are continuing to extend capabilities in Azure AD so that you can migrate access for all your applications to be managed in the cloud.

Simplified identity governance

While having the ability to control access requests, approvals, and privileges in a timely and efficient manner is key, traditional identity governance and privileged access management solutions can be cumbersome and inflexible. This is true particularly now that these workflows are more often done remotely than in person. Providing every user access to the apps and files they need should be as simple as defining access packages and group assignments upfront. Onboarding and offboarding employees then become easy with an automated solution connected to your HR system. 

We want to help more companies adopt these scenarios and incorporate our machine learning technology in Azure AD to provide better recommendations and alerts in response to unusual behavior or too many unnecessary privileges. Our goal is for these capabilities to span both employee and external identity scenarios, built in the cloud for maximum benefit. This will help strengthen your overall security, efficiency, and compliance.  

The last several months have been a whirlwind for all of us. We’re in it with you, committed to helping you on your digital transformation journey. Whatever happens, you can be sure that we’ll continue to listen to your feedback and input, so we can evolve our engineering priorities and principles to help you stay ahead and prepare for what comes next. Thank you for your continued trust!   

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Updates to the Windows Insider Preview Bounty Program

July 24th, 2020

Partnering with the research community is an important part of Microsoft’s holistic approach to defending against security threats. Bounty programs are one part of this partnership, designed to encourage and reward vulnerability research focused on the highest impact to customer security. The Windows Insider Preview (WIP) Bounty Program is a key program for Microsoft and …


Afternoon Cyber Tea: Peak, Plateau, or Plummet? Cyber security trends that are here to stay and how to detect and recover from ransomware attacks

July 23rd, 2020

The rapidity of change in the cyberthreat landscape can be daunting for today’s cyber defense teams. Just as they perfect the ability to block one attack method, adversaries change their approach. Tools like artificial intelligence and machine learning allow us to pivot quickly, however, knowing what cyber trends are real and which are hype can be the difference between success or struggle. To help you figure where to focus your resources, Kevin Beaumont joined me on Afternoon Cyber Tea.

Kevin is a thought leader on incident detection and response. His experience running Security Operations Centers (SOC) has given him great insight into both the tactics used by attackers and how to create effective cyber teams. While our discussion took place before he joined Microsoft, his insights remain of great value as we look at how current cyber trends will evolve past the pandemic.

In this episode, he shares his cyber experience on everything from the role ransomware plays in the monetization of cybercrime, to which attack vectors may Peak, Plateau, or Plummet, and which trends are here to stay.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, Internet of Things (IoT), and other emerging tech. As we work on how to help empower every person and organization on the planet achieve more, we must look at how we combine our security learnings with examining how today’s cybersecurity investments will shape our industry and impact tomorrow’s cybersecurity reality.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts—You can also download the episode by clicking the Episode Website link.
  • Podcast One—Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page—Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.


Seeing the big picture: Deep learning-based fusion of behavior signals for threat detection

July 23rd, 2020

The application of deep learning and other machine learning methods to threat detection on endpoints, email and docs, apps, and identities drives a significant piece of the coordinated defense delivered by Microsoft Threat Protection. Within each domain as well as across domains, machine learning plays a critical role in analyzing and correlating massive amounts of data to detect increasingly evasive threats and build a complete picture of attacks.

On endpoints, Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) detects malware and malicious activities using various types of signals that span endpoint and network behaviors. Signals are aggregated and processed by heuristics and machine learning models in the cloud. In many cases, the detection of a particular type of behavior, such as registry modification or a PowerShell command, by a single heuristic or machine learning model is sufficient to create an alert.

Detecting more sophisticated threats and malicious behaviors considers a broader view and is significantly enhanced by fusion of signals occurring at different times. For example, an isolated event of file creation is generally not a very good indication of malicious activity, but when augmented with an observation that a scheduled task is created with the same dropped file, and combined with other signals, the file creation event becomes a significant indicator of malicious activity. To build a layer for these kinds of abstractions, Microsoft researchers instrumented new types of signals that aggregate individual signals and create behavior-based detections that can expose more advanced malicious behavior.

In this blog, we describe an application of deep learning, a category of machine learning algorithms, to the fusion of various behavior detections into a decision-making model. Since its deployment, this deep learning model has contributed to the detection of many sophisticated attacks and malware campaigns. As an example, the model uncovered a new variant of the Bondat worm that attempts to turn affected machines into zombies for a botnet. Bondat is known for using its network of zombie machines to hack websites or even perform cryptocurrency mining. This new version spreads using USB devices and then, once on a machine, achieves fileless persistence. We share more technical details about this attack in later sections, but first we describe the detection technology that caught it.

Powerful, high-precision classification model for wide-ranging data

Identifying and detecting malicious activities within massive amounts of data processed by Microsoft Defender ATP require smart automation methods and AI. Machine learning classifiers digest large volumes of historical data and apply automatically extracted insights to score each new data point as malicious or benign. Machine learning-based models may look at, for example, registry activity and produce a probability score, which indicates the probability of the registry write being associated with malicious activity. To tie everything together, behaviors are structured into virtual process trees, and all signals associated with each process tree are aggregated and used for detecting malicious activity.

With virtual process trees and signals of different types associated with these trees, there are still large amounts of data and noisy signals to sift through. Since each signal occurs in the context of a process tree, it’s necessary to fuse these signals in the chronological order of execution within the process tree. Data ordered this way requires a powerful model to classify malicious vs. benign trees.

Our solution comprises several deep learning building blocks such as Convolutional Neural Networks (CNNs) and Long Short-Term Memory Recurrent Neural Networks (LSTM-RNN). The neural network can take behavior signals that occur chronologically in the process tree and treat each batch of signals as a sequence of events. These sequences can be collected and classified by the neural network with high precision and detection coverage.

Behavior-based and machine learning-based signals

Microsoft Defender ATP researchers instrument a wide range of behavior-based signals. For example, a signal can be for creating an entry in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

An executable path written as a value under this key is launched automatically whenever a user signs in, so the entry survives reboots. This gives the program persistence on the machine and hence can be considered an indicator of compromise (IoC). Nevertheless, this IoC is generally not enough on its own to generate a detection, because legitimate programs also use this mechanism.

Another example of behavior-based signal is service start activity. A program that starts a service through the command line using legitimate tools like net.exe is not considered a suspicious activity. However, starting a service created earlier by the same process tree to obtain persistence is an IoC.

On the other hand, machine learning-based models look at and produce signals on different pivots of a possible attack vector. For example, a machine learning model trained on historical data to discern between benign and malicious command lines will produce a score for each processed command line.

Consider the following command line:

 cmd /c taskkill /f /im someprocess.exe

This line shows taskkill.exe being invoked by cmd.exe to forcibly terminate a process with a particular image name. While the command itself is not necessarily malicious, the machine learning model may recognize suspicious patterns in the name of the process being terminated (for example, a security product) and produce a maliciousness probability, which is aggregated with the other signals in the process tree. The result is a sequence of events, over a given time window, for each virtual process tree.

The next step is to use a machine learning model to classify this sequence of events.

Data modeling

The sequences of events described in the previous sections can be represented in several different ways to then be fed into machine learning models.

The first and simple way is to construct a “dictionary” of all possible events, and to assign a unique identifier (index) to each event in the dictionary. This way, a sequence of events is represented by a vector, where each slot constitutes the number of occurrences (or other related measure) for an event type in the sequence.

For example, if all possible events in the system are X,Y, and Z, a sequence of events “X,Z,X,X” is represented by the vector [3, 0, 1], implying that it contains three events of type X, no events of type Y, and a single event of type Z. This representation scheme, widely known as “bag-of-words”,  is suitable for traditional machine learning models and has been used for a long time by machine learning practitioners. A limitation of the bag-of-words representation is that any information about the order of events in the sequence is lost.

The second representation scheme is chronological. Figure 1 shows a typical process tree: Process A raises an event X at time t1, Process B raises an event Z at time t2, D raises X at time t3, and E raises X at time t4. Now the entire ordered sequence “X,Z,X,X” (or [1,3,1,1], with X, Y, and Z replaced by their dictionary indices 1, 2, and 3) is given to the machine learning model.

Diagram showing process tree

Figure 1. Sample process tree

In threat detection, the order of occurrence of different events is important information for the accurate detection of malicious activity. Therefore, it’s desirable to employ a representation scheme that preserves the order of events, as well as machine learning models that are capable of consuming such ordered data. This capability can be found in the deep learning models described in the next section.
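The two representations above, as an added example that is not part of the original post or of Microsoft Defender ATP's code. It reproduces the post's X,Y,Z example and then applies the same functions to a constructed event dictionary (the signal names, the process tree and the fixed input length are assumptions) to show the point the post makes: two trees with the same multiset of events get identical bag-of-words vectors but different chronological sequences.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed event dictionary (assumed signal names, not the real Defender ATP
# signal catalog). Index 0 is reserved for padding, so real events start at 1.
EVENT_DICTIONARY: Dict[str, int] = {
    "file_create": 1,
    "registry_run_key_write": 2,
    "service_create": 3,
    "service_start": 4,
    "suspicious_cmdline": 5,
    "network_connect": 6,
}
PAD = 0


@dataclass(frozen=True)
class Signal:
    """One behavior signal raised by a process in a virtual process tree."""
    process: str   # e.g. "A", "B" as in the post's Figure 1
    event: str     # key into the event dictionary
    time: float    # timestamp used for chronological ordering


def signals_from_names(names: List[str], process: str = "A") -> List[Signal]:
    """Constructed helper: turn an ordered list of event names into signals
    with increasing timestamps."""
    return [Signal(process, name, float(t)) for t, name in enumerate(names)]


def bag_of_words(signals: List[Signal], dictionary: Dict[str, int]) -> List[int]:
    """Count each event type; slot i-1 holds the count for dictionary index i.
    The order of events is lost here, which is the limitation the post notes."""
    counts = Counter(dictionary[s.event] for s in signals)
    return [counts.get(i, 0) for i in range(1, len(dictionary) + 1)]


def chronological(signals: List[Signal], dictionary: Dict[str, int]) -> List[int]:
    """Order-preserving representation: dictionary indices sorted by time."""
    return [dictionary[s.event] for s in sorted(signals, key=lambda s: s.time)]


def pad_or_truncate(seq: List[int], length: int) -> List[int]:
    """Fixed-length model input. Assumption: when a tree produces more signals
    than `length`, keep the most recent ones (the post does not say which end
    is dropped)."""
    seq = seq[-length:]
    return seq + [PAD] * (length - len(seq))


def model_input(signals: List[Signal], dictionary: Dict[str, int], length: int = 8) -> List[int]:
    """The integer sequence an embedding layer would consume."""
    return pad_or_truncate(chronological(signals, dictionary), length)


# The post's own example: dictionary X, Y, Z and the sequence "X,Z,X,X".
XYZ = {"X": 1, "Y": 2, "Z": 3}
XZXX = signals_from_names(["X", "Z", "X", "X"])

# Two constructed trees with the same multiset of events. The first drops a file,
# registers it under a Run key and then creates and starts a service; the second
# raises the same events in reverse order.
PERSIST = signals_from_names(
    ["file_create", "registry_run_key_write", "service_create", "service_start"])
REVERSED = signals_from_names(
    ["service_start", "service_create", "registry_run_key_write", "file_create"])

if __name__ == "__main__":
    print(bag_of_words(XZXX, XYZ))       # [3, 0, 1]
    print(chronological(XZXX, XYZ))      # [1, 3, 1, 1]
    # Same bag-of-words vector for both trees, different ordered sequences.
    print(bag_of_words(PERSIST, EVENT_DICTIONARY) == bag_of_words(REVERSED, EVENT_DICTIONARY))  # True
    print(model_input(PERSIST, EVENT_DICTIONARY))   # [1, 2, 3, 4, 0, 0, 0, 0]
    print(model_input(REVERSED, EVENT_DICTIONARY))  # [4, 3, 2, 1, 0, 0, 0, 0]
```

The padded integer sequence is what an embedding layer receives; the bag-of-words vector would feed a traditional classifier that cannot tell the persistence order from its reverse.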

Deep CNN-BiLSTM

Deep learning has shown great promise in sequential tasks in natural language processing like sentiment analysis and speech recognition. Microsoft Defender ATP uses deep learning for detecting various attacker techniques, including malicious PowerShell.

For the classification of signal sequences, we use a Deep Neural Network that combines two types of building blocks (layers): Convolutional Neural Networks (CNN) and Bidirectional Long Short-Term Memory Recurrent Neural Networks (BiLSTM-RNN).

CNNs are used in many tasks relating to spatial inputs such as images, audio, and natural language. A key property of CNNs is the ability to compress a wide-field view of the input into high-level features.  When using CNNs in image classification, high-level features mean parts of or entire objects that the network can recognize. In our use case, we want to model long sequences of signals within the process tree to create high-level and localized features for the next layer of the network. These features could represent sequences of signals that appear together within the data, for example, create and run a file, or save a file and create a registry entry to run the file the next time the machine starts. Features created by the CNN layers are easier to digest for the ensuing LSTM layer because of this compression and featurization.

LSTM layers are known for their results in sentence classification, translation, speech recognition, sentiment analysis, and other sequence modeling tasks. A bidirectional LSTM combines two LSTM layers that process the sequence in opposite directions, so each position sees both the signals before it and the signals after it.

Stacking the two types of layers, CNN feeding into LSTM, has proven very effective and can classify long sequences of hundreds of items or more. The final model is a combination of several layers: one embedding layer, two CNN layers, and a single BiLSTM layer. The input to this model is a sequence of hundreds of integers representing the signals associated with a single process tree during a unit of time. Figure 2 shows the architecture of our model.

Diagram showing layers of the CNN BiLSTM model

Figure 2. CNN-BiLSTM model

Since the number of possible signals in the system is very high, input sequences are passed through an embedding layer that compresses high-dimensional inputs into low-dimensional vectors that can be processed by the network. In addition, similar signals get a similar vector in lower dimensional space, which helps with the final classification.

Initial layers of the network create increasingly high-level features, and the final layer performs sequence classification. The output of the final layer is a score between 0 and 1 that indicates the probability of the sequence of signals being malicious. This score is used in combination with other models to predict if the process tree is malicious.

Catching real-world threats

Microsoft Defender ATP’s endpoint detection and response capabilities use this Deep CNN-BiLSTM model to catch and raise alerts on real-world threats. As mentioned, one notable attack that this model uncovered is a new variant of the Bondat worm, which was seen propagating in several organizations through USB devices.

Diagram showing the Bondat attack chain

Figure 3. Bondat malware attack chain

Even with an arguably inefficient propagation method, the malware could persist in an organization as users continue to use infected USB devices. For example, the malware was observed in hundreds of machines in one organization. Although we detected the attack during the infection period, it continued spreading until all malicious USB drives were collected. Figure 4 shows the infection timeline.

Column chart showing daily encounters of the Bondat malware in one organization

Figure 4. Timeline of encounters within a single organization within a period of 5 months showing reinfection through USB devices

The attack drops a JavaScript payload, which it runs directly in memory using wscript.exe. The JavaScript payload uses a randomly generated filename as a way to evade detections. However, Antimalware Scan Interface (AMSI) exposes malicious script behaviors.

To spread via USB devices, the malware uses WMI to enumerate the machine’s disks with the query “SELECT * FROM Win32_DiskDrive”. When it finds a match for “/usb” (see Figure 5), it copies the JavaScript payload to the USB device and creates a batch file in the device’s root folder. That batch file contains the execution command for the payload. As part of its social engineering technique to trick users into running the malware from the removable device, it creates a LNK file on the USB device pointing to the batch file.

Screenshot of malware code showing infection technique

Figure 5. Infection technique

The malware terminates processes related to antivirus software or debugging tools. For Microsoft Defender ATP customers, tamper protection prevents the malware from doing this. Notably, after terminating a process, the malware pops up a window that imitates a Windows error message to make it appear like the process crashed (See figure 6).

Screenshot of malware code showing infection technique

Figure 6. Evasion technique

The malware communicates with a remote command-and-control (C2) server through an MSXML HTTP client. Each request is encrypted with RC4 using a randomly generated key, which is sent within the “PHPSESSID” cookie value so that the attackers can decrypt the payload in the POST body.

Every request sends information about the machine and its state along with the output of the previously executed command. The response is saved to disk and then parsed to extract commands embedded within an HTML comment tag. The first five characters of that payload are used as the key to decrypt the rest, and the resulting commands are executed using the eval() method. Figures 7 and 8 show the C2 communication and the HTML comment eval technique.

Once the command is parsed and evaluated by the JavaScript engine, any code can be executed on an affected machine, for example, download other payloads, steal sensitive info, and exfiltrate stolen data. For this Bondat campaign, the malware runs coin mining or coordinated distributed denial of service (DDoS) attacks.

Figure 7. C2 communication

Figure 8. Eval technique (parsing commands from html comment)
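The C2 exchange described above, reconstructed as an added example; this is not Bondat’s code and not from the original post. Both sides are shown so an analyst holding a captured request or response can recover the plaintext. Assumptions beyond the text: the key and ciphertext are hex encoded, the comment payload is a five-character ASCII key followed by hex ciphertext, and the beacon content and command strings are constructed. The decoder deliberately returns the command for inspection rather than evaluating it.

```python
import re
import secrets
from typing import Dict, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling plus PRGA). Symmetric: encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_beacon(beacon_text: str, key: Optional[bytes] = None) -> Tuple[Dict[str, str], str]:
    """Bot side: encrypt the beacon (machine info plus last command output) with
    a random RC4 key and ship the key in the PHPSESSID cookie.
    Assumption: hex encoding for both the key and the POST body."""
    key = key or secrets.token_bytes(8)
    headers = {"Cookie": f"PHPSESSID={key.hex()}"}
    body = rc4(key, beacon_text.encode()).hex()
    return headers, body


def decrypt_request(headers: Dict[str, str], body_hex: str) -> str:
    """Analyst side: the key travels in the cookie, so a captured request is
    fully decryptable without any server-side secret."""
    m = re.search(r"PHPSESSID=([0-9a-fA-F]+)", headers.get("Cookie", ""))
    if not m:
        raise ValueError("no PHPSESSID cookie in request")
    key = bytes.fromhex(m.group(1))
    return rc4(key, bytes.fromhex(body_hex)).decode("utf-8", errors="replace")


COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def build_response(command: str, key5: str = "k3yAB") -> str:
    """C2 side: hide the command in an HTML comment; the first five characters
    of the comment payload are the RC4 key for the remainder (assumed hex)."""
    if len(key5) != 5:
        raise ValueError("key must be exactly five characters")
    enc = rc4(key5.encode(), command.encode()).hex()
    return f"<html><body>ok<!--{key5}{enc}--></body></html>"


def extract_command(html: str) -> str:
    """Analyst side: pull the comment, split key and ciphertext, decrypt.
    Never eval() the result; return it so it can be read and triaged."""
    m = COMMENT_RE.search(html)
    if not m:
        raise ValueError("no HTML comment payload in response")
    payload = m.group(1)
    key, enc = payload[:5], payload[5:]
    return rc4(key.encode(), bytes.fromhex(enc)).decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed traffic: a beacon from a bot and a command from the C2.
    headers, body = build_beacon("host=WS01;user=alice;out=ok")
    print(headers, body)
    print(decrypt_request(headers, body))          # host=WS01;user=alice;out=ok
    html = build_response("run-miner")
    print(html)
    print(extract_command(html))                   # run-miner
```

Because the key rides in the cookie, a proxy log or packet capture that preserves request headers is enough to decrypt the bot’s beacons; the response side needs only the comment text, which is why the “first five characters” detail matters for triage.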

The malware’s activities triggered several signals throughout the attack chain. The deep learning model inspected these signals and the sequence with which they occurred, and determined that the process tree was malicious, raising an alert:

  1. Persistence – The malware copies itself into the Startup folder and drops a .lnk file pointing to the malware copy that opens when the computer starts
  2. Renaming a known operating system tool – The malware renames exe into a random filename
  3. Dropping a file with the same filename as legitimate tools – The malware impersonates legitimate system tools by dropping a file with a similar name to a known tool.
  4. Suspicious command line – The malware tries to delete itself from previous location using a command line executed by a process spawned by exe
  5. Suspicious script content – Obfuscated JavaScript payload used to hide the attacker’s intentions
  6. Suspicious network communication – The malware connects to the domain legitville[.]com

Conclusion

Modeling a process tree, given different signals that happen at different times, is a complex task. It requires powerful models that can remember long sequences and still be able to generalize well enough to churn out high-quality detections. The Deep CNN-BiLSTM model we discussed in this blog is a powerful technology that helps Microsoft Defender ATP achieve this task. Today, this deep learning-based solution contributes to Microsoft Defender ATP’s capability to detect evolving threats like Bondat.

Microsoft Defender ATP raises alerts for these deep learning-driven detections, enabling security operations teams to respond to attacks using Microsoft Defender ATP’s other capabilities, like threat and vulnerability management, attack surface reduction, next-generation protection, automated investigation and response, and Microsoft Threat Experts. Notably, these alerts inform behavioral blocking and containment capabilities, which add another layer of protection by blocking threats if they somehow manage to start running on machines.

The impact of deep learning-based protections on endpoints accrues to the broader Microsoft Threat Protection (MTP), which combines endpoint signals with threat data from email and documents, identities, and apps to provide cross-domain visibility. MTP harnesses the Microsoft 365 security products to deliver coordinated defense that detects, blocks, remediates, and prevents attacks across an organization’s Microsoft 365 environment. Through machine learning and AI technologies like the deep learning model we discussed in this blog, MTP automatically analyzes cross-domain data to build a complete picture of each attack, eliminating the need for security operations centers (SOCs) to manually build and track the end-to-end attack chain and relevant details. MTP correlates and consolidates attack evidence into incidents, so SOCs can save time and focus on critical tasks like expanding investigations and proactive threat hunting.


Arie Agranonik, Shay Kels, Guy Arazi

Microsoft Defender ATP Research Team



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Threat Protection and Microsoft Defender ATP tech communities.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post Seeing the big picture: Deep learning-based fusion of behavior signals for threat detection appeared first on Microsoft Security.

Preventing data loss and mitigating risk in today’s remote work environment

July 21st, 2020 No comments

The shift to remote work over the past few months has increased the need for organizations to re-evaluate their security and risk management practices. With employees accessing corporate data at times on home computers or sharing and collaborating in new ways, organizations could be at greater risk for data leak or other risks.

To help companies with the visibility they need and better protect their data, we are announcing several new capabilities across Microsoft 365 and Azure, including:

  • New Microsoft Endpoint Data Loss Prevention solution in public preview.
  • New features in public preview for Insider Risk Management and Communication Compliance in Microsoft 365.
  • New third-party data connectors in Microsoft Azure Sentinel.
  • New Double Key Encryption for Microsoft 365 in public preview.

Read on to get more information about all these new security and compliance features rolling out starting today.

Announcing Microsoft Endpoint Data Loss Prevention (DLP)

Having the right data protection and governance approach is critical to not only addressing regulatory compliance and privacy, but also to mitigating data leak and risk. Microsoft Information Protection helps you to identify your data and ensure you have the right data classification in place to properly protect and govern that data, which enables you to apply data loss prevention (DLP) to enforce policies against that data. Data Loss Prevention solutions help prevent data leaks and provide context-based policy enforcement for data at rest, in use, and in motion on-premises and in the cloud. Microsoft 365 already includes built-in data loss prevention capabilities in Microsoft Teams, SharePoint, Exchange, and OneDrive, as well as for third-party cloud apps with Microsoft Cloud App Security.

Today we are excited to announce that we are now extending data loss prevention to the endpoint with the public preview of the new Microsoft Endpoint Data Loss Prevention (DLP). Endpoint DLP builds on the labeling and classification in Microsoft Information Protection and extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on endpoints.

Built into Windows 10, Microsoft Edge, and the Office apps, Endpoint DLP provides data-centric protection for sensitive information without the need for an additional agent, enabling you to prevent risky or inappropriate sharing, transfer, or use of sensitive data in accordance with your organization’s policies. For example, organizations can now prevent copying sensitive content to USB drives or print sensitive documents.  The sensitive content labeling integration ensures consistency across all data types and reduces false positive and false negatives within DLP. Microsoft Edge works with Endpoint DLP to extend visibility and control into third-party cloud apps and services. Also, because Endpoint DLP builds on the existing DLP capabilities in Microsoft 365, you immediately get insights when sensitive data is accessed and shared directly from the Activity Explorer in the Microsoft 365 compliance center.

An image showing how you can manage your data loss prevention policies across Microsoft 365 from one location – the Microsoft 365 compliance center.

Figure 1: You can manage your data loss prevention policies across Microsoft 365 from one location – the Microsoft 365 compliance center.

The Microsoft 365 Compliance Center also now provides a single, integrated console to manage DLP policies across Microsoft 365, including endpoints.  The public preview of Endpoint DLP will begin rolling out today. For more information, check out the Tech Community blog.

New features to help you to address insider risk and code of conduct violations

Remote work, while keeping employees healthy during this time, also increases the distractions end users face, such as shared home workspaces and remote learning for children. According to the CERT Division of the Software Engineering Institute (SEI), user distraction is the cause of many accidental and non-malicious insider incidents. The current environment has also significantly increased stressors such as potential job loss or safety concerns, creating the potential for more inadvertent or malicious leaks.

Today we are pleased to announce the public preview of several new features that further enhance the rich set of detection and remediation capabilities available in Insider Risk Management and Communication Compliance in Microsoft 365.

Insider Risk Management

While broad visibility into signals from end-user activities, actions, and communications is important, the quality of those signals also matters when it comes to effectively identifying risk. In this release, we are significantly expanding the quality of signals that Insider Risk Management reasons over to intelligently flag potentially risky behavior. New categories include expanded Windows 10 signals (e.g., files copied to a USB drive or transferred to a network share), integration with Microsoft Defender ATP for endpoint security signals, more native signals from across Microsoft 365 (including Microsoft Teams, SharePoint, and Exchange), and enhancements to our native HR connector.

We are also introducing new security policy violation and data leak policy templates to help you to get started quickly and identify an even broader variety of risks.

Finally, we are also increasing integration to help you take more action on the risks you identify. For example, integration with ServiceNow’s solution lets Insider Risk Management case managers directly create ServiceNow tickets for incident managers. In addition, we are onboarding Insider Risk Management alerts to the Office 365 Management Activity API, which carries information such as alert severity and status (active, investigating, resolved, dismissed). These alerts can then be consumed by security information and event management (SIEM) systems like Azure Sentinel to take further actions such as disabling user access or linking back to Insider Risk Management for further investigation.

For more information on these new features, check out the Tech Community blog.

Communication Compliance

As we embraced the shift to remote work, the volume of communications sent over collaboration platforms has reached an all-time high. Diversity, equity, and inclusion are now center stage. These new scenarios not only heighten a company’s risk exposure from insiders, but also highlight the need to support employees in these challenging times.

Communication Compliance in Microsoft 365 helps organizations to intelligently detect regulatory compliance and code of conduct violations within an organization’s communications, such as workplace threats and harassment, and take quick remediation efforts on policy violations.

Starting to roll out today, Communication Compliance will introduce enhanced insights to make the review process simpler and less time consuming, through intelligent pattern detection to prioritize alerts of repeat offenders, through a global feedback loop to improve our detection algorithms, and through rich reporting capabilities. New features also include additional third-party connectors to extend the capabilities to sources like Bloomberg Message data, ICE Chat data, and more. Additionally, the solution will see improved remediation actions through Microsoft Teams integration, such as the ability to remove messages from the Teams channel.

You can find more information about these new features in the Tech Community blog.

New partner connectors in Microsoft Azure Sentinel

Microsoft Azure Sentinel is a security information and event management (SIEM) solution that can help you collect security data across your entire hybrid organization from devices, users, apps, servers, and any cloud. Using these data sources you can build a more complete picture of the threats your organization faces, conduct deep threat hunts across your environment, and use automation and orchestration in the cloud to free up your security analysts to focus on their highest-value tasks.

Today we are announcing several new third-party connectors across Azure Sentinel to simplify getting security insights across many leading solutions and partners, including networks, firewalls, endpoint protection, and vulnerability management.

These connectors, which offer sample queries and dashboards, will help collect security data easily and provide security insights immediately.

An image of new partner connectors provide greater visibility into external threats.

Figure 2: New partner connectors provide greater visibility into external threats.

Some of the new partner connectors include Symantec, Qualys, and Perimeter 81. You can see the full list of new connectors and learn more in our Tech Community blog.

Introducing Double Key Encryption for Microsoft 365

In today’s environment, the success of any organization depends on its ability to drive productivity through information sharing while maintaining data privacy and regulatory compliance. Regulations, particularly in the financial services sector, often contain specialized requirements for certain data that specify that the organization must control its own encryption key. Typically, a very small percentage of a customer’s data falls into this category, but it is important for our customers to handle that specific data correctly.

To address that regulatory and unique need for some organizations, today we are pleased to announce the public preview of Double Key Encryption for Microsoft 365, which allows you to protect your most confidential data while maintaining full control of your encryption key. Double Key Encryption for Microsoft 365 uses two keys to protect your data, with one key in your control and the second in Microsoft’s control. To view the data, one must have access to both keys. Since Microsoft can access only one key, your data and key are unavailable to Microsoft, helping to ensure the privacy and security of your data.

With Double Key Encryption for Microsoft 365, you not only hold your own key, but this capability also helps you to address many regulatory compliance requirements, easily deploy the reference implementation, and enjoy a consistent labeling experience across your data estate. For more information, check out the Tech Community blog.

Get started today

Endpoint Data Loss Prevention, Insider Risk Management, Communication Compliance, and Double Key Encryption are rolling out in public preview starting today and are a part of Microsoft 365 E5. If you don’t have Microsoft 365 E5, you can get started with a trial today.

In addition, to learn more about the rest of the Microsoft 365 product updates being announced today, check out the Microsoft 365 blog from Jared Spataro.

You can also learn more about how you can modernize your SIEM with Azure Sentinel. 

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Preventing data loss and mitigating risk in today’s remote work environment appeared first on Microsoft Security.