Azure Backup offers several mechanisms to protect against ransomware

The start of a new year is the perfect time to reassess your security strategy and tactics especially when looking back at the new levels of ransomwares reach and damage in 2017.

Its no secret that ransomware attacks are increasing. In fact, a business is hit with ransomware every 40 seconds. If ransomware does get a hold of your data, you can pay a large amount of money hoping that you will get your data back. The alternative is to not pay anything and begin your recovery process. Whether you pay the ransom or not, your enterprise loses time and resources dealing with the aftermath. Microsoft invests in several ways to help you mitigate the effects of ransomware.

For example, in the Windows 10 Fall Creators Update, Windows Defender Exploit Guard has a feature that prevents unauthorized access to important files. The feature, controlled folder access, works with Windows Defender Advanced Threat Protection. All applications are assessed, which includes any executable file, including .exe, .scr, .dll files and others, and determineif they are malicious or safe. If an application is determined to be malicious or suspicious, it will not be allowed to make any changes to any files in a protected folder. In cases of ransomware, this helps protect files from attempted encryption by the malware. As malware becomes increasingly more sophisticated, older platforms are much more susceptible to ransomware attacks. Windows 10 has several defenses against ransomware that could help in case of a future attack.

One area to reconsider is your current backup policy and the potential outcomes to your business if your backup data is compromised by ransomware.

With Azure Backup, we are changing the ransomware story. You, not ransomware, are in control of your data. Azure Backup gives you three ways you can proactively protect your data in Azure and on-premises from ransomware. The first step is to back up your data. You need to back up virtual machines running in Azure and on-premises virtual machines, physical services, and files to Azure. If your on-premises data is compromised, youll have several copies of your data in Azure. This gives you the flexibly to restore your data back to a specific period in time and keep your business moving forward.

Next, you can set up a six-digit PIN directly from the Azure portal as an additional layer of protection for your Azure Backups. Only users with valid Azure credentials can then create and receive this security PIN required to be entered before any backup operation is performed.

Finally, Azure Backup provides just-in-time notifications to alert you to potential ransomware attacks. If a suspicious activity is attempted with your backups, a notification is immediately sent to you to get involved before ransomware has the chance.

If you are an IT professional, you can get started today by creating a free Azure Backup account. For more information on how Azure Backup protects against ransomware, check out our interactive infographic.

Microsoft is committed to helping you protect against and respond to evolving attacks. To learn more about other Microsoft security solutions, visit https://www.microsoft.com/secure.


  • Kaspersky Security Bulletin 2016

Categories: Uncategorized Tags:

How to disrupt attacks caused by social engineering

This post is authored by Milad Aslaner, Senior Program Manager, Windows & Devices Group.

A decade ago, most cyber-attacks started with a piece of malware or a complex method to directly attack the infrastructure of a company. But this picture has changed and today all it takes is a sophisticated e-mail phishing for an identity.

Figure 1: Trying to identify a loophole in the complex infrastructure

Digitalization is happening and there is no way around it. Its a necessity for all industries and a natural evolutionary step in society. Its not about when or if digital transformation is happening, but how. Our Microsoft security approach is targeted to enable a secure digital transformation. We achieve that by enabling our customers to protect, detect and respond to cybercrime.

The art of social engineering is nothing new itself and was already present in the age where broadband connections didnt even exist. At that time, we used to call these kinds of threat actors not hackers but con men. Frank Abagnale, Senior Consultant at Abagnale & Associates once said In the old days, a con man would be good looking, suave, well dressed, well-spoken and presented themselves really well. Those days are gone because it’s not necessary. The people committing these crimes are doing them from hundreds of miles away.

Threat actor groups such as STRONTIUM are nothing else than a group of modern con men. They follow the same approach as traditional con men, but they do it in the digital world. They prefer this approach because it has become easier to send a sophisticated phishing email than to find a new loophole or vulnerability allowing them to access critical infrastructure directly.

Figure 2: Example of a STRONTIUM phishing email

Keith A. Rhodes, Chief Technologist at the U.S. General Account Office says, There’s always the technical way to break into a network but sometimes it’s easier to go through the people in the company. You just fool them into giving up their own security.”

According to the Verizon data breach investigation report from 2016, 30 percent of phishing emails were opened. It took a recipient an average of only 40 seconds to open the email and an additional 45 seconds to also open the malicious attachment. 89 percent of all phishing emails were sent by organized crime syndicates and 9 percent by state-sponsored threat actors.

Figure 3: Verizon Data Breach Report 2016

The weakest link remains the human. But while some could argue and say the user is to blame, the reality is that many of the targeted phishing emails are so sophisticated that it is impossible for the average user to notice the difference between a malicious and a legitimate email.

Figure 4: Example phishing emails that look legitimate at first look

Preparing a phishing email can take only a few minutes. First, the threat actors crawl social and professional networks and find as much personal information about the victim as possible. This could include organizational charts, sample corporate documents, common email headlines, pictures of the employee badge and more. There are professional tools available that pull much of this information from public or leaked databases. In fact, if needed, the threat actor can purchase the information from the dark web. For example, one million compromised email and passwords can be traded for approximately $25, bank account logins can be traded for $1 per account, and social security numbers cost approximately $3, including birth date verification. Second, the threat actor prepares an e-mail template that will look familiar to the recipient, such as for example a password reset email, and lastly, they will send it to the user.

Social engineering has become a very powerful way for many threat actors and depending on the objective of the threat actors they either leverage computer-based, mobile-based, or human-based social engineering.

Figure 5: Stages of a phishing attack

  • Phase 1: Threat actor targets employee(s) via phishing campaign
  • Phase 2: An employee opens the attack email which allows the threat actor access to load the malicious payload or compromise the user identity
  • Phase 3: The workstation is compromised, threat actor persists malware, threat actor gathers credentials
  • Phase 4: Threat actors use stolen credentials to move laterally and gain unsolicited access and compromise key infrastructure elements
  • Phase 5: Threat actors exfiltrate PII and other sensitive business data

The built-in functionality of Enterprise Mobility + Security, Windows 10, Office 365, and Microsoft Azure enables organizations to disrupt these attacks. Below is a visualization allowing you to quickly understand which functionality helps in which phase:

Today, the entry level for threat actors to launch a cyber-attack is very low, therefore, it is critical that cybersecurity is a CEO matter. Organizations need to move away from We have a firewall, anti-virus, and disk encryption technology so we are secure mentality to a cyber-attacks will happen, therefore we can no longer only focus on building walls but also become able to detect and responds breaches quickly mindset. Assuming breach is key. It doesnt matter how large or in which industry an organization is, every company has data that can be valuable for a threat actor or in some cases even a nation-state.

A consistent approach to information security is critical in today’s world. It includes having the right incident response processes in place, technologies that help protect, detect and respond cyber-attacks and lastly IT and end-user readiness.

For more information about Microsoft security products and solutions, as well as resources to help you with your security strategy, visit https://www.microsoft.com/secure.

Categories: Uncategorized Tags:

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

January 10th, 2018 No comments

Adopting reliable attack methods and techniques borrowed from more evolved threat types, ransomware attained new levels of reach and damage in 2017. The following trends characterize the ransomware narrative in the past year:

  • Three global outbreaks showed the force of ransomware in making real-world impact, affecting corporate networks and bringing down critical services like hospitals, transportation, and traffic systems
  • Three million unique computers encountered ransomware; millions more saw downloader trojans, exploits, emails, websites and other components of the ransomware kill chain
  • New attack vectors, including compromised supply chain, exploits, phishing emails, and documents taking advantage of the DDE feature in Office were used to deliver ransomware
  • More than 120 new ransomware families, plus countless variants of established families and less prevalent ransomware caught by heuristic and generic detections, emerged from a thriving cybercriminal enterprise powered by ransomware-as-a-service

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices. Considering that Windows 10 has a much larger install base than Windows 7, this difference in ransomware encounter rate is significant.

Figure 1. Ransomware encounter rates on Windows 7 and Windows 10 devices. Encounter rate refers to the percentage of computers running the OS version with Microsoft real-time security that blocked or detected ransomware.

The data shows that attackers are targeting Windows 7. Given todays modern threats, older platforms can be infiltrated more easily because these platforms dont have the advanced built-in end-to-end defense stack available on Windows 10. Continuous enhancements further make Windows 10 more resilient to ransomware and other types of attack.

Windows 10: Multi-layer defense against ransomware attacks

The year 2017 saw three global ransomware outbreaks driven by multiple propagation and infection techniques that are not necessarily new but not typically observed in ransomware. While there are technologies available on Windows 7 to mitigate attacks, Windows 10s comprehensive set of platform mitigations and next-generation technologies cover these attack methods. Additionally, Windows 10 S, which is a configuration of Windows 10 thats streamlined for security and performance, locks down devices against ransomware outbreaks and other threats.

In May, WannaCry (Ransom:Win32/WannaCrypt) caused the first global ransomware outbreak. It used EternalBlue, an exploit for a previously fixed SMBv1 vulnerability, to infect computers and spread across networks at speeds never before observed in ransomware.

On Windows 7, Windows AppLocker and antimalware solutions like Microsoft Security Essentials and System Center Endpoint Protection (SCEP) can block the infection process. However, because WannaCry used an exploit to spread and infect devices, networks with vulnerable Windows 7 devices fell victim. The WannaCry outbreak highlighted the importance of keeping platforms and software up-to-date, especially with critical security patches.

Windows 10 was not at risk from the WannaCry attack. Windows 10 has security technologies that can block the WannaCry ransomware and its spreading mechanism. Built-in exploit mitigations on Windows 10 (KASLR, NX HAL, and PAGE POOL), as well as kCFG (control-flow guard for kernel) and HVCI (kernel code-integrity), make Windows 10 much more difficult to exploit.

Figure 2. Windows 7 and Windows 10 platform defenses against WannaCry

In June, Petya (Ransom:Win32/Petya.B) used the same exploit that gave WannaCry its spreading capabilities, and added more propagation and infection methods to give birth to arguably the most complex ransomware in 2017. Petyas initial infection vector was a compromised software supply chain, but the ransomware quickly spread using the EternalBlue and EternalRomance exploits, as well as a module for lateral movement using stolen credentials.

On Windows 7, Windows AppLocker can stop Petya from infecting the device. If a Windows 7 device is fully patched, Petyas exploitation behavior did not work. However, Petya also stole credentials, which it then used to spread across networks. Once running on a Windows 7 device, only an up-to-date antivirus that had protection in place at zero hour could stop Petya from encrypting files or tampering with the master boot record (MBR).

On the other hand, on Windows 10, Petya had more layers of defenses to overcome. Apart from Windows AppLocker, Windows Defender Application Control can block Petyas entry vector (i.e., compromised software updater running an untrusted binary), as well as the propagation techniques that used untrusted DLLs. Windows 10s built-in exploit mitigations can further protect Windows 10 devices from the Petya exploit. Credential Guard can prevent Petya from stealing credentials from local security authority subsystem service (LSASS), helping curb the ransomwares propagation technique. Meanwhile, Windows Defender System Guard (Secure Boot) can stop the MBR modified by Petya from being loaded at boot time, preventing the ransomware from causing damage to the master file table (MFT).

Figure 3. Windows 7 and Windows 10 platform defenses against Petya

In October, another sophisticated ransomware reared its ugly head: Bad Rabbit ransomware (Ransom:Win32/Tibbar.A) infected devices by posing as an Adobe Flash installer available for download on compromised websites. Similar to WannaCry and Petya, Bad Rabbit had spreading capabilities, albeit more traditional: it used a hardcoded list of user names and passwords. Like Petya, it can also render infected devices unbootable, because, in addition to encrypting files, it also encrypted entire disks.

On Windows 7 devices, several security solutions technologies can block the download and installation of the ransomware, but protecting the device from the damaging payload and from infecting other computers in the network can be tricky.

With Windows 10, however, in addition to stronger defense at the infection vector, corporate networks were safer from this damaging threat because several technologies are available to stop or detect Bad Rabbits attempt to spread across networks using exploits or hardcoded user names and passwords.

More importantly, during the Bad Rabbit outbreak, detonation-based machine learning models in Windows Defender AV cloud protection service, with no human intervention, correctly classified the malware 14 minutes after the very first encounter. The said detonation-based ML models are a part of several layers of machine learning and artificial intelligence technologies that evaluate files in order to reach a verdict on suspected malware. Using this layered approach, Windows Defender AV protected Windows 10 devices with cloud protection enabled from Bad Rabbit within minutes of the outbreak.

Figure 4. Windows 7 and Windows 10 platform defenses against Bad Rabbit

As these outbreaks demonstrated, ransomware has indeed become a highly complex threat that can be expected to continue evolving in 2018 and beyond. The multiple layers of next-generation security technologies on Windows 10 are designed to disrupt the attack methods that we have previously seen in highly specialized malware but now also see in ransomware.

Ransomware protection on Windows 10

For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files.

Controlled folder access, however, is but one layer of defense. Ransomware and other threats from the web can be blocked by Microsoft Edge, whose exploit mitigation and sandbox features make it a very secure browser. Microsoft Edge significantly improves web security by using Windows Defender SmartScreens reputation-based blocking of malicious downloads and by opening pages within low-privilege app containers.

Windows Defender Antivirus also continues to enhance defense against threats like ransomware. Its advanced generic and heuristic techniques and layered machine learning models help catch both common and rare ransomware families. Windows Defender AV can detect and block most malware, including never-before-seen ransomware, using generics and heuristics, local ML models, and metadata-based ML models in the cloud. In rare cases that a threat slips past these layers of protection, Windows Defender AV can protect patient zero in real-time using analysis-based ML models, as demonstrated in a real-life case scenario where a customer was protected from a very new Spora ransomware in a matter of seconds. In even rarer cases of inconclusive initial classification, additional automated analysis and ML models can still protect customers within minutes, as what happened during the Bad Rabbit outbreak.

Windows 10 S locks down devices from unauthorized content by working exclusively with apps from the Windows Store and by using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common entry points for ransomware and other threats.

Reducing the attack surface for ransomware and other threats in corporate networks

For enterprises and small businesses, the impact of ransomware is graver. Losing access to files can mean disrupted operations. Big enterprise networks, including critical infrastructures, fell victim to ransomware outbreaks. The modern enterprise network is under constant assault by attackers and needs to be defended on all fronts.

Windows Defender Exploit Guard locks down devices against a wide variety of attack vectors. Its host intrusion prevention capabilities include the following components, which block behaviors commonly used in malware attacks:

  • Attack Surface Reduction (ASR) is a set of controls that blocks common ransomware entry points: Office-, script-, and email-based threats that download and install ransomware; ASR can also protect from emerging exploits like DDEDownloader, which has been used to distribute ransomware
  • Network protection uses Windows Defender SmartScreen to block outbound connections to untrusted hosts, such as when trojan downloaders connect to a malicious server to obtain ransomware payloads
  • Controlled folder access blocks ransomware and other untrusted processes from accessing protected folders and encrypting files in those folders
  • Exploit protection (replacing EMET) provides mitigation against a broad set of exploit techniques that are now being used by ransomware authors

Additionally, the industry-best browser security in Microsoft Edge is enhanced by Windows Defender Application Guard, which brings Azure cloud grade isolation and security segmentation to Windows applications. This hardware isolation-level capability provides one of the highest levels of protection against zero-day exploits, unpatched vulnerabilities, and web-based malware.

For emails, Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers against ransomware attacks that begin with email. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Integrated security for enterprises

Windows Defender Advanced Threat Protection allows SecOps personnel to stop the spread of ransomware through timely detection of ransomware activity in the network. Windows Defender ATPs enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware attack kill-chain, enabling SecOps to promptly investigate and respond to ransomware attacks.

With Windows 10 Fall Creators Update, Windows Defender ATP was expanded to include seamless integration across the entire Windows protection stack, including Windows Defender Exploit Guard, Windows Defender Application Guard, and Windows Defender AV. This integration is designed to provide a single pane of glass for a seamless security management experience.

With all of these security technologies, Microsoft has built the most secure Windows version ever with Windows 10. While the threat landscape will continue to evolve in 2018 and beyond, we dont stop innovating and investing in security solutions that continue to harden Windows 10 against attacks. The twice-per-year feature update release cycle reflects our commitment to innovate and to make it easier to disrupt successful attack techniques with new protection features. Upgrading to Windows 10 not only means decreased risk; it also means access to advanced, multi-layered defense against ransomware and other types of modern attacks.

 

Tanmay Ganacharya (@tanmayg)
Principal Group Manager, Windows Defender Research

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

January 9th, 2018 No comments

Last week the technology industry and many of our customers learned of new vulnerabilities in the hardware chips that power phones, PCs and servers. We (and others in the industry) had learned of this vulnerability under nondisclosure agreement several months ago and immediately began developing engineering mitigations and updating our cloud infrastructure. In this blog, Ill describe the discovered vulnerabilities as clearly as I can, discuss what customers can do to help keep themselves safe, and share what weve learned so far about performance impacts.

What Are the New Vulnerabilities?

On Wednesday, Jan. 3, security researchers publicly detailed three potential vulnerabilities named Meltdown and Spectre. Several blogs have tried to explain these vulnerabilities further a clear description can be found via Stratechery.

On a phone or a PC, this means malicious software could exploit the silicon vulnerability to access information in one software program from another. These attacks extend into browsers where malicious JavaScript deployed through a webpage or advertisement could access information (such as a legal document or financial information) across the system in another running software program or browser tab. In an environment where multiple servers are sharing capabilities (such as exists in some cloud services configurations), these vulnerabilities could mean it is possible for someone to access information in one virtual machine from another.

What Steps Should I Take to Help Protect My System?

Currently three exploits have been demonstrated as technically possible. In partnership with our silicon partners, we have mitigated those through changes to Windows and silicon microcode.

Exploited Vulnerability CVE Exploit
Name
Public Vulnerability Name Windows Changes Silicon Microcode Update ALSO Required on Host
Spectre 2017-5753 Variant 1 Bounds Check Bypass Compiler change; recompiled binaries now part of Windows Updates

Edge & IE11 hardened to prevent exploit from JavaScript

No
Spectre 2017-5715 Variant 2 Branch Target Injection Calling new CPU instructions to eliminate branch speculation in risky situations Yes
Meltdown 2017-5754 Variant 3 Rogue Data Cache Load Isolate kernel and user mode page tables No

 

Because Windows clients interact with untrusted code in many ways, including browsing webpages with advertisements and downloading apps, our recommendation is to protect all systems with Windows Updates and silicon microcode updates.

For Windows Server, administrators should ensure they have mitigations in place at the physical server level to ensure they can isolate virtualized workloads running on the server. For on-premises servers, this can be done by applying the appropriate microcode update to the physical server, and if you are running using Hyper-V updating it using our recent Windows Update release. If you are running on Azure, you do not need to take any steps to achieve virtualized isolation as we have already applied infrastructure updates to all servers in Azure that ensure your workloads are isolated from other customers running in our cloud. This means that other customers running on Azure cannot attack your VMs or applications using these vulnerabilities.

Windows Server customers, running either on-premises or in the cloud, also need to evaluate whether to apply additional security mitigations within each of their Windows Server VM guest or physical instances. These mitigations are needed when you are running untrusted code within your Windows Server instances (for example, you allow one of your customers to upload a binary or code snippet that you then run within your Windows Server instance) and you want to isolate the application binary or code to ensure it cant access memory within the Windows Server instance that it should not have access to. You do not need to apply these mitigations to isolate your Windows Server VMs from other VMs on a virtualized server, as they are instead only needed to isolate untrusted code running within a specific Windows Server instance.

We currently support 45 editions of Windows. Patches for 41 of them are available now through Windows Update. We expect the remaining editions to be patched soon. We are maintaining a table of editions and update schedule in our Windows customer guidance article.

Silicon microcode is distributed by the silicon vendor to the system OEM, which then decides to release it to customers. Some system OEMs use Windows Update to distribute such microcode, others use their own update systems. We are maintaining a table of system microcode update information here. Surface will be updated through Windows Update starting today.

 

Guidance on how to check and enable or disable these mitigations can be found here:

Performance

One of the questions for all these fixes is the impact they could have on the performance of both PCs and servers. It is important to note that many of the benchmarks published so far do not include both OS and silicon updates. Were performing our own sets of benchmarks and will publish them when complete, but I also want to note that we are simultaneously working on further refining our work to tune performance. In general, our experience is that Variant 1 and Variant 3 mitigations have minimal performance impact, while Variant 2 remediation, including OS and microcode, has a performance impact.

Here is the summary of what we have found so far:

  • With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we dont expect most users to notice a change because these percentages are reflected in milliseconds.
  • With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
  • With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
  • Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.

For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel. We will publish data on benchmark performance in the weeks ahead.

Conclusion

As you can tell, there is a lot to this topic of side-channel attack methods. A new exploit like this requires our entire industry to work together to find the best possible solutions for our customers. The security of the systems our customers depend upon and enjoy is a top priority for us. Were also committed to being as transparent and factual as possible to help our customers make the best possible decisions for their devices and the systems that run organizations around the world. Thats why weve chosen to provide more context and information today and why we released updates and remediations as quickly as we could on Jan. 3. Our commitment to delivering the technology you depend upon, and in optimizing performance where we can, continues around the clock and we will continue to communicate as we learn more.

-Terry

Categories: Uncategorized Tags:

Application fuzzing in the era of Machine Learning and AI

January 3rd, 2018 No comments

Proactively testing software for bugs is not new. The earliest examples date back to the 1950s with the term fuzzing. Fuzzing as we now refer to it is the injection of random inputs and commands into applications. It made its debut quite literally on a dark and stormy night in 1988. Since then, application fuzzing has become a staple of the secure software development lifecycle (SDLC), and according to Gartner*, security testing is growing faster than any other security market, as AST solutions adapt to new development methodologies and increased application complexity.

We believe there is good reason for this. The overall security risk profile of applications has grown in lockstep with accelerated software development and application complexity. Hackers are also aware of the increased vulnerabilities and, as the recent Equifax breach highlights, the application layer is highly targeted. Despite this, the security and development groups within organizations cannot find easy alignment to implement application fuzzing.

While DevOps is transforming the speed at which applications are created, tested, and integrated with IT, that same efficiency hampers the ability to mitigate identified security risks and vulnerabilities, without impacting business priorities. This is exactly the promise that machine learning, artificial intelligence (AI), and the use of deep neural networks (DNN) are expected to deliver on in evolved software vulnerability testing.

Most customers I talk to see AI as a natural next step given that most software testing for bugs and vulnerabilities is either manual or prone to false positives. With practically every security product claiming to be machine learning and AI-enabled, it can be hard to understand which offerings can deliver real value over current approaches.

Adoption of the latest techniques for application security testing doesnt mean CISOs must become experts in machine learning. Companies like Microsoft are using the on-demand storage and computing power of the cloud, combined with experience in software development and data science, to build security vulnerability mitigation tools that embed this expertise in existing systems for developing, testing, and releasing code. It is important, however, to understand your existing environment, application inventory, and testing methodologies to capture tangible savings in cost and time. For many organizations, application testing relies on tools that use business logic and common coding techniques. These are notoriously error-prone and devoid of security expertise. For this latter reason, some firms turn to penetration testing experts and professional services. This can be a costly, manual approach to mitigation that lengthens software shipping cycles.

Use cases

Modern application security testing that is continuous and integrated with DevOps and SecOps can be transformative for business agility and security risk management. Consider these key use cases and whether your organization has embedded application security testing for each:

  • Digital Transformation moving applications to the cloud creates the need to re-establish security controls and monitoring. Fuzzing can uncover errors and missed opportunities to shore up defenses. Automated and integrated fuzzing can further preserve expedited software shipping cycles and business agility.
  • Securing the Supply Chain Open Source Software (OSS) and 3rd party applications are a common vector of attack, as we saw with Petya, so a testing regimen is a core part of a plan to manage 3rd party risk.
  • Risk Detection whether building, maintaining, or refactoring applications on premises, the process and risk profile have become highly dynamic.Organizations need to be proactive to uncover bugs, holes and configuration errors on a continuous basis to meet both internal and regulatory risk management mandates.

Platform leverage

Of course, software development and testing are about more than just tools. The process to communicate risks to all stakeholders, and to act, is where the real benefit materializes. A barrier to effective application security testing is the highly siloed way that testing and remediation are conducted. Development waits for IT and security professionals to implement the changesslowing deployment and time to market. Legacy application security testing is ready for disruption and the built-in approach can deliver long-awaited efficiency in the development and deployment pipeline. Digital transformation, supply chain security, and risk detection all benefit from speed and agility. Lets consider the DevOps and SecOps workflows possible on a Microsoft-based application security testing framework:

  • DevOps Continuous fuzzing built into the DevOps pipeline identifies bugs and feeds them to the continuous integration and deployment environment (i.e. Visual Studio Team Services and Team Foundation Server). Developers and stakeholders are uniformly advised of risky code and provided the option of running additional Azure-based fuzzing techniques. For apps in production that are found to be running risky code, IT pros can mitigate risks by using PowerShell and Group Policy (GPO) to enable the features of Windows Defender Exploit Guard. While the apps continue to run, the attack surface can be reduced, and connection scenarios which increase risk are blocked. This gives teams time to develop and implement mitigations without having to take the applications entirely offline.
  • SecOps – Azure-hosted containers and VMs, as well as on-premise machines, are scanned for risky applications and code including OSS. The results inform Microsofts various desktop, mobile, and server threat protection regimes, including application whitelisting. Endpoints can be scanned for the presence of the risky code and administrators are informed through Azure Security Center. Mitigations can also be deployed to block those applications implicated and enforce conditional access through Azure Active Directory.

Cloud and AI

Machine learning and artificial intelligence are not new, but the relatively recent availability of graphics processing units (GPUs) have brought their potential to mainstream by enabling faster (parallel) processing of large amounts of data. Our recently announced Microsoft Risk Detection (MSRD) service is a showcase of the power of the cloud and AI to evolve fuzz testing. In fact, Microsofts award winning work in a specialized area of AI called constraint solving has been 10 years in the making and was used to produce the worlds first white-box fuzzer.

A key to effective application security testing is the inputs or seeds used to establish code paths and bring about crashes and bug discovery. These inputs can be static and predetermined, or in the case of MSRD, dynamic and mutated by training algorithms to generate relevant variations based on previous runs. While AI and constraint solving are used to tune the reasoning for finding bugs, Azure Resource Manager dynamically scales the required compute up or down creating a fuzzing lab that is right-sized for the customers requirement. The Azure based approach also gives customers choices in running multiple fuzzers, in addition to Microsofts own, so the customer gets value from several different methods of fuzzing.

The future

For Microsoft, application security testing is fundamental to a secure digital transformation. MSRD for Windows and Linux workloads is yet another example of our commitment to building security into every aspect of our platform. While our AI-based application fuzzing is unique, Microsoft Research is already upping the ante with a new project for neural fuzzing. Deep neural networks are an instantiation of machine learning that model the human brain. Their application can improve how MSRD identifies fuzzing locations and the strategies and parameters used. Integration with our security offerings is in the initial phases, and by folding in more capabilities over time we remove the walls between IT, developers, and security, making near real-time risk mitigation a reality. This is the kind of disruption that, as a platform company, Microsoft uniquely brings to application security testing for our customers and serves as further testament for the power of built-in.


* Gartner: Magic Quadrant for Application Security Testing published: 28 February 2017 ID: G00290926

Categories: Uncategorized Tags:

How Microsoft tools and partners support GDPR compliance

This post is authored by Daniel Grabski,Executive Security Advisor, Microsoft Enterprise Cybersecurity Group.

As an Executive Security Advisor for enterprises in Europe and the Middle East, I regularly engage with Chief Information Security Officers (CISOs), Chief Information Officers (CIOs) and Data Protection Officers (DPOs) to discuss their thoughts and concerns regarding the General Data Protection Regulation, or GDPR. In my last post about GDPR, I focused on how GDPR is driving the agenda of CISOs. This post will present resources to address these concerns.

Some common questions are How can Microsoft help our customers to be compliant with GDPR? and, Does Microsoft have tools and services to support the GDPR journey? Another is, How can I engage current investments in Microsoft technology to address GDPR requirements?

To help answer these, I will address the following:

  • GDPR benchmark assessment tool
  • Microsoft partners & GDPR
  • Microsoft Compliance Manager
  • New features in Azure Information Protection

Tools for CISOs

There are tools available that can ease kick-off activities for CISOs, CIOs, and DPOs. These tools can help them better understand their GDPR compliance, including which areas are most important to be improved.

  • To begin, Microsoft offers a free GDPR benchmark assessment tool which is available online to any business or organization.The assessment questions are designed to assist our customers to identify technologies and steps that can be implemented to simplify GDPR compliance efforts. It is also a tool allowing increased visibility and understanding of features available in Microsoft technologies that may already be available in existing infrastructures. The tool can reveal what already exists and what is not addressed to support each GDPR journey. As an outcome of the assessment, a full report is sentan example of which is shown here.

Image 1: GDPR benchmarking tool

As an example, see below the mapping to the first question in the Assessment. This is based on how Microsoft technology can support requirements about collection, storage, and usage of personal data; it is necessary to first identify the personal data currently held.

  • Azure Data Catalog provides a service in which many common data sources can be registered, tagged, and searched for personal data. Azure Search allows our customers to locate data across user-defined indexes. It is also possible to search for user accounts in Azure Active Directory. For example, CISOs can use the Azure Data Catalog portal to remove preview data from registered data assets and delete data assets from the catalog:

Image 2: Azure Data Catalogue

  • Dynamics 365 provides multiple methods to search for personal data within records such as Advanced Find, Quick Find, Relevance Search, and Filters. These functions each enable the identification of personal data.
  • Office 365 includes powerful tools to identify personal data across Exchange Online, SharePoint Online, OneDrive for Business, and Skype for Business environments. Content Search allows queries for personal data using relevant keywords, file properties, or built-in templates. Advanced eDiscovery identifies relevant data faster, and with better precision, than traditional keyword searches by finding near-duplicate files, reconstructing email threads, and identifying key themes and data relationships. Image 3 illustrates the common workflow for managing and using eDiscovery cases in the Security & Compliance Center and Advanced eDiscovery.

Image 3: Security & Compliance Center and Advanced eDiscovery

  • Windows 10 and Windows Server 2016 have tools to locate personal data, including PowerShell, which can find data housed in local and connected storage, as well as search for files and items by file name, properties, and full-text contents for some common file and data types.

A sample outcome, based on one of the questions regarding GDPR requirements, as shown in Image 4.

Image 4: example of the GDPR requirements mapped with features in the Microsoft platform

Resources for CISOs

Microsofts approach to GDPR relies heavily on working together with partners. Therefore, we built a broader version of the GDPR benchmarking tool available to customers through the extensive Microsoft Partner Network. The tool provides an in-depth analysis of an organizations readiness and offers actionable guidance on how to prepare for compliance, including how Microsoft products and features can help simplify the journey.

The Microsoft GDPR Detailed Assessmentis intended to be used by Microsoft partners who are assisting customers to assess where they are on their journey to GDPR readiness. The GDPR Detailed Assessment is accompanied by supporting materials to assist our partners in facilitating customer assessments.

In a nutshell, the GDPR Detailed Assessment is a three-step process where Microsoft partners engage with customers to assess their overall GDPR maturity. Image 5 below presents a high-level overview of the steps.

Image 5

The duration for the partner engagement is expected to last 3-4 weeks, while the total effort is estimated to be 10 to 20 hours, depending on the complexity of the organization and the number of participants as you can see below.

Image 6: Duration of the engagement

The Microsoft GDPR Detailed Assessment is intended for use by Microsoft partners to assess their customers overall GDPR maturity. It is not offered as a GDPR compliance attestation. Customers are responsible to ensure their own GDPR compliance and are advised to consult their legal and compliance teams for guidance. This tool is intended to highlight resources that can be used by partners to support a customers journey towards GDPR compliance.

We are all aware that achieving organizational compliance may be challenging. It is hard to stay up-to-date with all the regulations that matter to organizations and to define and implement controls with limited in-house capability.

To address these challenges, Microsoft announced a new compliance solution to help organizations meet data protection and regulatory standards more easily when using Microsoft cloud services Compliance Manager. The preview program, available today, addresses compliance management challenges and:

  • Enables real-time risk assessment on Microsoft cloud services
  • Provides actionable insights to improve data protection capabilities
  • Simplifies compliance processes through built-in control management and audit-ready reporting tools

Image 7 shows a dashboard summary illustrating a compliance posture against the data protection regulatory requirements that matter when using Microsoft cloud services. The dashboard summarizes Microsofts and your performance on control implementation on various data protection standards and regulations, including GDPR, ISO 27001, and ISO 27018.

Image 7: Compliance Manager dashboard

Having a holistic view is just the beginning. Use the rich insights available in Compliance Manager to go deeper to understand what should be done and improved. Each Microsoft-managed control illuminates the implementation and testing details, test date, and results. The tool provides recommended actions with step-by-step guidance. It aides better understanding of how to use the Microsoft cloud features to efficiently implement the controls managed by your organization. Image 8 shows an example of the insight provided by the tool.

Image 8: Information to help you improve your data protection capabilities

During the recentMicrosoft Ignite conference, Microsoft announced Azure Information Protection scanner. The feature is now available in public preview. This will help to manage and protect significant on-premise data and help prepare our customers and partners for regulations such as GDPR.

We released Azure Information Protection (AIP) to provide the ability to define a data classification taxonomy and apply those business rules to emails and documents. This feature is critical to protecting the data correctly throughout the lifecycle, regardless of where it is stored or shared.

We receive a lot of questions about how Microsoft can help to discover, label, and protect existing files to ensure all sensitive information is appropriately managed. The AIP scanner can:

  • Discover sensitive data that is stored in existing repositories when planning data-migration projects to cloud storage, to ensure toxic data remains in place.
  • Locate data that includes personal data and learn where it is stored to meet regulatory and compliance needs
  • Leverage existing metadata that was applied to files using other solutions

I encourage you to enroll for the preview version of Azure Information Protection scanner and to continue to grow your knowledge about how Microsoft is addressing GDPR and general security with these helpful resources:


About the author:

Daniel Grabski is a 20-year veteran of the IT industry, currently serving as an Executive Security Advisor for organizations in Europe, the Middle East, and Africa with Microsoft Enterprise Cybersecurity Group. In this role he focuses on enterprises, partners, public sector customers and critical infrastructure stakeholders delivering strategic security expertise, advising on cybersecurity solutions and services needed to build and maintain secure and resilient ICT infrastructure.

Categories: Uncategorized Tags:

How public-private partnerships can combat cyber adversaries

December 13th, 2017 No comments

For several years now, policymakers and practitioners from governments, CERTs, and the security industry have been speaking about the importance of public-private partnerships as an essential part of combating cyber threats. It is impossible to attend a security conference without a keynote presenter talking about it. In fact, these conferences increasingly include sessions or entire tracks dedicated to the topic. During the three conferences Ive attended since Junetwo US Department of Defense symposia, and NATOs annual Information Symposium in Belgium, the message has been consistent: public-private information-sharing is crucial to combat cyber adversaries and protect users and systems.

Unfortunately, we stink at it. Information-sharing is the Charlie Brown football of cyber: we keep running toward it only to fall flat on our backs as attackers continually pursue us. Just wait til next year. Its become easier to talk about the need to improve information-sharing than to actually make it work, and its now the technology industrys convenient crutch. Why? Because no one owns it, so no one is accountable. I suspect we each have our own definition of what information-sharing means, and of what success looks like. Without a sharp vision, can we really expect it to happen?

So, what can be done?

First, some good news: the security industry wants to do this–to partner with governments and CERTs. So, when we talk about it at conferences, or when a humble security advisor in Redmond blogs about it, its because we are committed to finding a solution. Microsoft recently hosted BlueHat, where hundreds of malware hunters, threat analysts, reverse engineers, and product developers from the industry put aside competitive priorities to exchange ideas and build partnerships. In my ten years with Microsoft, Ive directly participated in and led information-sharing initiatives that we established for the very purpose of advancing information assurance and protecting cyberspace. In fact, in 2013, Microsoft created a single legal and programmatic framework to address this issue, the Government Security Program.

For the partnership to work, it is important to understand and anticipate the requirements and needs of government agencies. For example, we need to consider cyber threat information, YARA rules, attacker campaign details, IP address, host, network traffic, and the like.

What can governments and CERTs do to better partner with industry?

  • Be flexible, especially on the terms. Communicate. Prioritize. In my experience, the mean-time-to-signature for a government to negotiate an info-sharing agreement with Microsoft is between six months and THREE YEARS.
  • Prioritize information sharing. If this is already a priority, close the gap. I fear governments attorneys are not sufficiently aware of how important the agreements are to their constituents. The information-sharing agreements may well be non-traditional agreements, but if information-sharing is truly a priority, lets standardize and expedite the agreements. Start by reading the 6 Nov Department of Homeland Security OIG report, DHS Can Improve Cyber Threat Information-Sharing document.
  • Develop and share with industry partners a plan to show how government agencies will consume and use our data. Let industry help government and CERTs improve our collective ROI. Before asking for data, lets ensure it will be impactful.
  • Develop KPIs to measure whether an information-sharing initiative is making a difference, quantitative or qualitative. In industry, we could do a better job at this, as we generally assume that were providing information for the right reason. However, I frequently question whether our efforts make a real difference. Whether we look for mean-time-to-detection improvements or other metrics, this is an area for improvement.
  • Commit to feedback. Public-private information-sharing implies two-way communication. Understand that more companies are making feedback a criterion to justify continuing investment in these not-for-profit engagements. Feedback helps us justify up the chain the efficacy of efforts that we know are important. It also improves two-way trust and contributes to a virtuous cycle of more and closer information-sharing. At Microsoft, we require structured feedback as the price of entry for a few of our programs.
  • Balance interests in understanding todays and tomorrows threats with an equal commitment to lock down what is currently owned.(My favorite) Information-sharing usually includes going after threat actors and understanding whats coming next. Thats important, but in an assume compromise environment, we need to continue to hammer on the basics:

    • Patch.If an integrator or on-site provider indicates patching and upgrading will break an application, and if that is used as an excuse not to patch, that is a problem. Authoritative third-parties such as US-CERT, SANS, and others recommend a 48- to 72-hour patch cycle. Review www.microsoft.com/secure to learn more.

      • Review www.microsoft.com/sdl to learn more about tackling this issue even earlier in the IT development cycle, and how to have important conversations with contractors, subcontractors,and ISVs in the software and services supply chain.

    • Reduce administrative privilege. This is especially important for contractor or vendor accounts. Up to 90 percent of breaches come from credential compromise. This is largely caused by a lack of, or obsolete, administrative, physical and technical controls to sensitive assets. Basic information-sharing demands that we focus on this. Here is guidance regarding securing access.

Ultimately, we in the industry can better serve governments and CERTs by incentivizing migrations to newer platforms which offer more built-in security; and that are more securely developed. As we think about improving information-sharing, lets be clear that this includes not only sharing technical details about threats and actors but also guidance on making governments fundamentally more secure on newer and more secure technologies.

 

Categories: Uncategorized Tags:

4053440 – Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields – Version: 2.0

Revision Note: V2.0 (December 12, 2017): Microsoft has released an update for all supported editions of Microsoft Word that allows users to set the functionality of the DDE protocol based on their environment. For more information and to download the update, see ADV170021.
Summary: Microsoft is releasing this security advisory to provide information regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange (DDE) fields.

Categories: Uncategorized Tags:

4056318 – Guidance for securing AD DS account used by Azure AD Connect for directory synchronization – Version: 1.0

Revision Note: V1.0 (December 12, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information regarding security settings for the AD DS (Active Directory Domain Services) account used by Azure AD Connect for directory synchronization. This advisory also provides guidance on what on-premises AD administrators can do to ensure that the account is properly secured.

Categories: Uncategorized Tags:

4053440 – Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields – Version: 2.0

Revision Note: V2.0 (December 12, 2017): Microsoft has released an update for all supported editions of Microsoft Word that allows users to set the functionality of the DDE protocol based on their environment. For more information and to download the update, see ADV170021.
Summary: Microsoft is releasing this security advisory to provide information regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange (DDE) fields.

Categories: Uncategorized Tags:

4056318 – Guidance for securing AD DS account used by Azure AD Connect for directory synchronization – Version: 1.0

Revision Note: V1.0 (December 12, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information regarding security settings for the AD DS (Active Directory Domain Services) account used by Azure AD Connect for directory synchronization. This advisory also provides guidance on what on-premises AD administrators can do to ensure that the account is properly secured.

Categories: Uncategorized Tags:

Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks

November 21st, 2017 No comments

The Office 365 Threat Research team has seen an uptick in the use of Office exploits in attacks across various industry sectors in recent months. In this blog, we will review several of these exploits, including a group of Office moniker exploits that attackers have used in targeted as well as crimeware attacks. We will also describe the payloads associated with these exploits andhighlight our research into a particularly sophisticated piece of malware. Finally, we will demonstrate how Office 365 Advanced Threat Protection, Windows Defender Advanced Threat Protection, and Windows Defender Exploit Guard protect customers from these exploits.

Exploit attacks in Fall 2017

The discovery and public availability of a few Office exploits in the last six months led to these exploits gaining popularity among crimeware and targeted attackers alike. While crimeware attackers stick to payloads like ransomware and info stealers to attain financial gain or information theft, more sophisticated attackers clearly distinguish themselves by using advanced and multi-stage implants.

The Office 365 Threat Research team has been closely monitoring these attacks. The Microsoft Threat Intelligence Center (MSTIC) backs up our threat research with premium threat intelligence services that we use to correlate and track attacks and the threat actors behind them.

CVE-2017-0199

CVE-2017-0199 is a remote code execution (RCE) vulnerability in Microsoft Office allows a remote attacker to take control of a vulnerable machine if the user chooses to ignore protected view warning message. The vulnerability, which is a logic bug in the URL moniker that executes the HTA content using the htafile OLE object, was fixed in April 2017 security updates.

Figure 1. CVE-2017-0199 exploit code

Ever since FireEye blogged about the vulnerability, we have identified numerous attacks using this exploit. The original exploit was used in limited targeted attacks, but soon after, commodity crimeware started picking them up from the publicly available exploit generator toolkits. As shown in Figure 2, the creator and lastModifiedBy attributes help identify the use of such toolkits in generating exploit documents.

Figure 2. Exploit kit identifier

A slight variation of this exploit, this time in script moniker, was also released. When activated, this exploit can launch scriptlets (which consist of HTML code and script) hosted on a remote server. A proof-of-concept (PoC) made publicly available used a Microsoft PowerPoint Slideshow (PPSX) file to activate the script moniker and execute a remote code, as shown in Figure 3.

Figure 3. PPSX activation for script moniker

CVE-2017-8570

The July 2017 security update from Microsoft included a fix for another variation of the CVE-2017-0199 exploit, CVE-2017-8570, which was discovered in URL moniker that, similar to HTA files, can launch scriptlets hosted on a remote server. Even though the vulnerability was not exploited as zero-day, the public availability of exploit toolkit created a wave of malicious PPSX attachments.

CVE-2017-8759

In September 2017, FireEye discovered another exploit used in targeted attacks. The CVE-2017-8759 exploit takes advantage of a code injection vulnerability in .Net Framework while parsing WSDL definition using SOAP moniker. The vulnerability was fixed in the September 2017 security update. The original exploit used an HTA file similar to CVE-2017-0199 to execute the attacker code in vulnerable machines. This exploit piqued our interest because it delivered one of the most complex and multiple VM-layered malware, FinFisher, whose techniques we discuss in the succeeding section.

The CVE-2017-8759 exploit soon got ported to PPSX file. Figure 4 below shows an example of the exploit.

Figure 4. CVE-2017-8759 exploit

CVE-2017-11826

Finally, onSeptember 28,2017, Qihoo 360 identified an RTF file in targeted attacks that exploited a memory corruption vulnerability in Microsoft Office. The vulnerability exists in the way Office parses objects within nested Office tags and was fixed in the October 2017 security update. The forced address space layout randomization (ASLR) prevented the exploit from running in Office 2013 and above. Figure 5 shows the nested tags from the original exploit that led to the bug.

Figure 5. CVE-2017-11826 exploit

Payloads

Except for the memory, corruption exploit CVE-2017-11826, the exploits discussed in this blog pull the malware payload from remote locations, which could make it difficult for antivirus and sandboxes to reliably detect these exploits. Additionally, the public availability of scripts that generate exploit templates could make it challenging for incident responders.

As cited above, these exploits were used in both commodity and targeted attacks. Attackers attempt to bypass AV engine defenses using different obfuscation techniques. Here are some of the obfuscation techniques used in attacks that we recently analyzed:

  • Attackers used HLFL as element type in the malicious RTF attachment. This element is not supported in RTF official specification but serves as an effective obfuscation for static detections.

  • Similarly, we have seen attackers using ATNREF and MEQARR elements in malicious RTF attachments.

In most of the attacks we analyzed, the exploits used PowerShell to download and execute malware payloads, which are usually crimeware samples like ransomware or info stealers.

Figure 6. PowerShell payload from the HTA file

However, every now and then, we stumble upon an interesting piece of malware that particularly catches our attention. One such malware is Wingbird, also known as FinFisher, which was used in one of the targeted attacks using the CVE-2017-8759 exploit.

WingBird (also known as FinFisher)

Wingbird is an advanced piece of malware that shares characteristics with a government-grade commercial surveillance software, FinFisher. The activity group NEODYMIUM is known to use this malware in their attack campaigns.

The group behind WingBird has proven to be highly capable of using zero-day exploits in their attacks, as mentioned in our previous blog post on CVE-2017-8759. So far, we have seen the group use the exploits below in campaigns. These are mostly in line with the findings of Kaspersky Labs, which they documented in a blog:

  • CVE-2015-5119 (Adobe Flash)
  • CVE-2016-4117 (Adobe Flash)
  • CVE-2017-8759 (Microsoft Office)
  • CVE-2017-11292 (Adobe Flash)

The interesting part of this malware is the use of spaghetti code, multiple virtual machines, and lots of anti-debug and anti-analysis techniques. Due to the complexity of the threat, it could take analysts some time to completely unravel its functionality. Heres a summary of interesting tidbits, which we will expand in an upcoming detailed report on Wingbird.

The Wingbird malware goes through many stages of execution and has at least four VMs protecting the malware code. The first few stages are loaders that can probe if it is being run in virtualized or debugged environments. We found at least 12 different checks to evade the malwares execution in these environments. The most effective ones are:

  • Sandbox environment checks

    • Checks if the malware is executed under the root folder of a drive
    • Checks if the malware file is readable from an external source and if execution path contains the MD5 of its own contents

  • Fingerprinting check

    • Checks if the machine GUID, Windows product ID, and system Bios are from well-known sources

  • VM detection

    • Checks if the machine hardware IDs are VmBus in case of HyperV, or VEN_15AD in case of VMware, etc.

  • Debugger detection

    • Detects debugger and tries to kill it using undocumented APIs and information classes (specifically ThreadHideFromDebugger, ProcessDebugPort, ProcessDebugObjectHandle)

The latter stages act as an installation program that drops the following files on the disk and installs the malware based on the startup command received from the previous stage:

  • [randomName].cab –Encrypted configuration file
  • setup.cab – The last PE code section of the setup module; content still unknown
  • d3d9.dll –Malware loader used on system with restricted privileges; the module is protected by a VM
  • aepic.dll (or other name) – Malware loader used on admin privileged systems; executed from (and injected into) a faked service; protected by a VM
  • msvcr90.dll – Malware loader DLL injected into explorer.exe or winlogon.exe process; protected by a VM
  • [randomName].7z – Encrypted network plugin, used to spy the victim network communications
  • wsecedit.rar – Main malware dropped executable, protected by a VM

In the sample we analyzed, the command was 3, which led the malware to create a global event, 0x0A7F1FFAB12BB2, and drop malware components under a folder located in %ProgramData%, or in the %APPDATA% folder. If the malware is running with restricted privileges, the persistence is achieved by setting the RUN key with the value below. The name of the key is taken from the encrypted configuration file.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: “{Random value taken from config file}”
With data: “C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\PROGRAMDATA\AUDITAPP\D3D9.DLL, CONTROL_RUN”

If the startup command is 2, the malware copies explorer.exe in the local installation directory, renames d3d9.dll to uxtheme.dll, and creates a new explorer.exe process that loads the malware DLL in memory using the DLL sideloading technique.

All of Wingbirds plugins are stored in its resource section and provide the malware various capabilities, including stealing sensitive information, spying on internet connection, or even diverting SSL connections.

Given the complex nature of the threat, we will provide more detailed analysis of the Wingbird protection mechanism and capabilities in an upcoming blog post.

Detecting Office exploit attacks with Office 365 ATP and Windows Defender Suite

Microsoft Office 365 Advanced Threat Protection blocks attacks that use these exploits based on the detection of malicious behaviors. Office 365 ATP helps secure mailboxes against email attack by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection. SecOps personnel can see ATP behavioral detections like below in Office 365s Threat Explorer page:

Figure 7. Office 365 ATP detection

Customers using Windows Defender Advanced Threat Protection can also see multiple alerts raised based on the activities performed by the exploit on compromised machines. Windows Defender Advanced ATP is a post-breach solution that alerts SecOps personnel about hostile activity. Windows Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect attacks.

Figure 8. Windows Defender ATP alert

In addition, enterprises can block malicious documents using Windows Defender Exploit Guard, which is part of the defense-in-depth protection in Windows 10 Fall Creators Update. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo!).

Figure 9. Windows Defender Exploit Guard detection

Crimeware and targeted activity groups are always on the lookout for attack vectors to infiltrate systems and networks and deploy different kinds of payloads, from commodity to advanced implants. These attack vectors include Office exploits, which we observed in multiple attack campaigns. The availability of open-source and off-the-shelf exploit builders helps drive this trend.

AtMicrosoft, we dont stop working to protect our customers mailboxes. Our global network of expert research teams continuously monitors the threat landscape for new malware campaigns, exploits, and attack methods. Our end-to-end defense suite includes Office 365 ATP, Windows Defender ATP, and Windows Defender Exploit Guard, among others, which work together to provide a holistic protection for individuals and enterprises.

Categories: cybersecurity Tags:

Minimize cybersecurity risk with Software Asset Management

This post is authored by Patam Chantaruck, General Manager of Worldwide Software Asset Management & Compliance.

By 2021, worldwide cybercrime damage is expected to reach $6 trilliondouble what it cost businesses in 2015. Unapproved apps, unmanaged devices, poor password protection, and other security issues are leaving far too many organizations vulnerable to attack. And as organizations embrace digital transformation, it becomes increasingly urgent for them to increase control over their IT infrastructures and reduce security risks.

The question is: where to start?

Driving greater security through software asset management

Software asset management (SAM) is a set of proven IT practices that unites people, processes, and technology to control and optimize the use of software across an organization. SAM is designed to help you control costs, manage business and legal risks, optimize licensing investments, and align IT investments with business needs.

Effective SAM can identify discrepancies between software licenses owned and deployed, thus providing insights into software usage. These insights are then used to devise upgrade plans for each software release that will optimize license use, ensure worthwhile software investments, save money, reduce security risks associated with software piracy, and promote good corporate governance, including management effectiveness and transparency.

Introducing the Microsoft SAM cybersecurity engagement

At Microsoft, we take SAM a step further with our cybersecurity engagement. This comprehensive analysis of your cybersecurity infrastructureincluding your current software deployment, usage, and licensing datahelps to ensure that you have the right processes in place to minimize cyber-risk. Through this engagement we also provide prescriptive cybersecurity guidance and best practices, freeing your organization to focus on innovation instead of protection.

A Microsoft SAM cybersecurity engagement will help you:

  • Minimize data loss, fraud, and employee downtime
  • Save money combatting cyberattacks and increasing efficiencies
  • Securely manage software assets and promote reliable cybersecurity practices
  • Build a resilient IT infrastructure that can quickly respond to threats
  • Ensure that you have a secure and effective defense against attacks

What IDC has to say about SAM

IDC has identified SAM as a key component to securing infrastructure and battling cyberattacks and predicts that an increasing number of organizations will rely on SAM practices to reduce risks. Below is a direct quote from The Business Value of Software Asset Management:

Cyberattacks often take advantage of the high vulnerability of end-of-life (EOL) IT systems and/or software that have ceased to receive product updates and security patches from vendor sources. Understanding risk impact is challenging when there is limited or no understanding of where the assets reside and precisely how the assets support the business. To that end, SAM initiatives enable organizations to quickly discover how many devices and applications are in the environment, along with their location and their warranty status, which can significantly reduce unnecessary cost, waste, and cybersecurity risks. Establishing a comprehensive asset management program provides a common source of record, which enables IT to carry out more timely security patches and identify security threats sooner as well as better respond to software audits. Therefore, asset management should be viewed holistically as an essential component of an effective IT infrastructure, service, and cybersecurity management program.

How SAM helped a sugar manufacturer reduce security risks

Here is one example of how Microsoft SAM for cybersecurity is helping customers around the world.

Ranking as the fourth largest sugar manufacturer in the world, Mitr Phol Group wanted to achieve effective SAM and reduce security risks. They moved away from decentralized IT systems to a more consolidated structure, centralizing the organizations software deployments and management. To further increase the value of their established SAM processes, they became the first company in Thailand to conduct SAM for cybersecurity. As a result, they were able to identify and remediate system vulnerabilities and mitigate security risks and threat impacts while protecting their sensitive data.

SAM should be a key part of your security strategy. And Microsoft can help. To learn more, visit www.microsoft.com/sam to hear how other customers are benefiting. Find a SAM partner near you to help you establish Software Asset Management practice.

Categories: Uncategorized Tags:

#AVGater vulnerability does not affect Windows Defender Antivirus, MSE, or SCEP

On November 10, 2017, a vulnerability called #AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file.

Windows Defender Antivirus and other Microsoft antimalware products, including System Center Endpoint Protection (SCEP) and Microsoft Security Essentials (MSE), are not affected by this vulnerability.

This vulnerability can be exploited to restore files that have been detected and quarantined by an antivirus product. To exploit this, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder.

This is a relatively old attack vector. By design, Microsoft antimalware products, including Windows Defender Antivirus, have never been affected by this vulnerability because it does not permit applications launched by user-level accounts to restore files from quarantine. This is part of the built-in protections against this and other known user-account permissions vulnerabilities.

Read more about Windows Defender Antivirus and the rest of our Windows Defender protection products at the following links:

 

*Edited 11/17/2017 to include other Microsoft antimalware products

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Detecting reflective DLL loading with Windows Defender ATP

November 13th, 2017 No comments

Today’s attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In recent blogs we described how attackers use basic cross-process migration or advanced techniques like atom bombing and process hollowing to avoid detection.

Reflective Dynamic-Link Library (DLL) loading, which can load a DLL into a process memory without using the Windows loader, is another method used by attackers.

In-memory DLL loading was first described in 2004 by Skape and JT, who illustrated how one can patch the Windows loader to load DLLs from memory instead of from disk. In 2008, Stephen Fewer of Harmony Security introduced the reflective DLL loading process that loads a DLL into a process without being registered with the process. Modern attacks now use this technique to avoid detection.

Reflective DLL loading isnt trivialit requires writing the DLL into memory and then resolving its imports and/or relocating it. To reflectively load DLLs, one needs to author ones own custom loader.

However, attackers are still motivated to not use the Windows loader, as most legitimate applications would, for two reasons:

  1. Unlike when using the Windows loader (which is invoked by calling the LoadLibrary function), reflectively loading a DLL doesnt require the DLL to reside on disk. As such, an attacker can exploit a process, map the DLL into memory, and then reflectively load DLL without first saving on the disk.
  2. Because its not saved on the disk, a library that is loaded this way may not be readily visible without forensic analysis (e.g., inspecting whether executable memory has content resembling executable code).

Instrumentation and detection

A crucial aspect of reflectively loading a DLL is to have executable memory available for the DLL code. This can be accomplished by taking existing memory and changing its protection flags or by allocating new executable memory. Memory procured for DLL code is the primary signal we use to identify reflective DLL loading.

In Windows 10 Creators Update, we instrumented function calls related to procuring executable memory, namely VirtualAlloc and VirtualProtect, which generate signals for Windows Defender Advanced Threat Protection (Windows Defender ATP). Based on this instrumentation, weve built a model that detects reflective DLL loading in a broad range of high-risk processes, for example, browsers and productivity software.

The model takes a two-pronged approach, as illustrated in Figure 1:

  1. First, the model learns about the normal allocations of a process. As a simplified example, we observe that a process like Winword.exe allocates page-aligned executable memory of size 4,000 and particular execution characteristics. Only a select few threads within the Winword process allocate memory in this way.
  2. Second, we find that a process associated with malicious activity (e.g., executing a malicious macro or exploit) allocates executable memory that deviates from the normal behavior.

Figure 1. Memory allocations observed by a process running normally vs. allocations observed during malicious activity

This model shows that we can use memory events as the primary signal for detecting reflective DLL loading. In our real model, we incorporate a broad set of other features, such as allocation size, allocation history, thread information, allocation flags, etc. We also consider the fact that application behavior varies greatly because of other factors like plugins, so we add other behavioral signals like network connection behavior to increase the effectiveness of our detection.

Detecting reflective DLL Loading

Lets show how Windows Defender ATP can detect reflective DLL loading used with a common technique in modern threats: social engineering. In this attack, the target victim opens a Microsoft Word document from a file share. The victim is tricked into running a macro like the code shown in Figure 2. (Note: A variety of mechanisms allow customers to mitigate this kind attack at the onset; in addition, several upcoming Office security features further protect from this attack.)

Figure 2. Malicious macro

When the macro code runs, the Microsoft Word process reaches out to the command-and-control (C&C) server specified by the attacker, and receives the content of the DLL to be reflectively loaded. Once the DLL is reflectively loaded, it connects to the C&C and provides command line access to the victim machine.

Note that the DLL is not part of the original document and does not ever touch the disk. Other than the initial document with the small macro snippet, the rest of the attack happens in memory. Memory forensics reveals that there are several larger RWX sections mapped into the Microsoft Word process without a corresponding DLL, as shown in Figure 3. These are the memory sections where the reflectively loaded DLL resides.

Figure 3. Large RWX memory sections in Microsoft Word process upon opening malicious document and executing malicious macro

Windows Defender ATP identifies the memory allocations as abnormal and raises an alert, as shown in Figure 4. As you can see (Figure 4), Windows Defender ATP provides context on the document, along with information on command-and-control communication, which can allow security operations personnel to assess the scope of the attack and start containing the breach.

Figure 4. Example alert on WDATP

Microsoft Office 365 Advanced Threat Protection protects customers against similar attacks dynamic behavior matching. In attacks like this, SecOps personnel would see an Office 365 ATP behavioral detection like that shown in Figure 5 in Office 365s Threat Explorer page.

Figure 5. Example Office 365 ATP detection

Conclusion: Windows Defender ATP uncovers in-memory attacks

Windows 10 continues to strengthen defense capabilities against the full range of modern attacks. In this blog post, we illustrated how Windows Defender ATP detects the reflective DLL loading technique. Security operations personnel can use the alerts in Windows Defender ATP to quickly identify and respond to attacks in corporate networks.

Windows Defender Advanced ATP is a post-breach solution that alerts SecOps personnel about hostile activity. Windows Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect the invariant techniques used in attacks. Enhanced instrumentation and detection capabilities in Windows Defender ATP can better expose covert attacks.

Windows Defender ATP also provides detailed event timelines and other contextual information that SecOps teams can use to understand attacks and quickly respond. The improved functionality in Windows Defender ATP enables them to isolate the victim machine and protect the rest of the network.

For more information about Windows Defender ATP, check out its features and capabilities and read about why a post-breach detection approach is a key component of any enterprise security strategy. Windows Defender ATP is built into the core of Windows 10 Enterprise and can be evaluated free of charge.

 

Christian Seifert

Windows Defender ATP Research

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

A decade inside Microsoft Security

November 9th, 2017 No comments

Ten years ago, I walked onto Microsofts Redmond campus to take a role on a team that partnered with governments and CERTs on cybersecurity. Id just left a meaningful career in US federal government service because I thought it would be fascinating to experience first-hand the security challenges and innovation from the perspective of the IT industry, especially within Microsoft, given its presence around the US federal government. I fully expected to spend a year or two in Microsoft and then resume my federal career with useful IT industry perspectives on security. Two days after I started, Popular Sciences annual Ten worst jobs in science survey came out, and I was surprised to see Microsoft Security Grunt in sixth place. Though the article was tongue-in-cheek, saluting those who take on tough challenges, the fact that we made this ignominious list certainly made me wonder if Id made a huge mistake.

I spent much of my first few years hearing from government and enterprise executives that Microsoft was part of the security problem. Working with so many hard-working engineers, researchers, security architects, threat hunters, and developers trying to tackle these increasingly complex challenges, I disagreed. But, we all recognized that we needed to do more to defend the ecosystem, and to better articulate our efforts. Wed been investing in security well before 2007, notably with the Trustworthy Computing Initiative and Security Development Lifecycle, and we continue to invest heavily in technologies and people – we now employ over 3,500 people in security across the company. I rarely hear anymore that we are perceived as a security liability, but our work isnt done. Ten years later, Im still here, busier than ever, delaying my long-expected return to federal service, helping enterprise CISOs secure their environments, their users, and their data.

Complexity vs. security

Is it possible, however, that our industrys investments in security have created another problem – that of complexity? Have we innovated our way into a more challenging situation? My fellow security advisors at Microsoft have shared customer frustrations over the growing security vendor presence in their environments. While these different technologies may solve specific requirements, in doing so, they create a management headache. Twice this week in Redmond, CISOs from large manufacturers challenged me to help them better understand security capabilities they already owned from Microsoft, but werent aware of. They sought to use this discovery process to identify opportunities to rationalize their security vendor presence. As one CISO said, Just help me simplify all of this.

There is a large ecosystem of very capable and innovative professionals delivering solutions into a vibrant and crowded security marketplace. With all of this IP, how can we best help CISOs use important innovation while reducing complexity in their environments? And, can we help them maximize value from their investments without sacrificing security and performance?

Best-of-suite capabilities

Large enterprises may employ up to 100 vendors technologies to handle different security functions. Different vendors may handle identity and access management, data loss prevention, key management, service management, cloud application security, and so on. Many companies are now turning to machine learning and user behavior technologies. Many claim best of breed or best in class, capabilities and there is impressive innovation in the marketplace. Recognizing this, we have made acquisition a part of Microsofts security strategy – since 2013 weve acquired companies like Aorato, Secure Islands, Adallom, and most recently Hexadite.

Microsofts experience as a large global enterprise is similar to our enterprise customers. Weve been working to rationalize the 100+ different security providers in our infrastructure to help us better manage our external dependencies and more efficiently manage budgets. Weve been moving toward a default policy of Microsoft first security technology where possible in our environment. Doing so helps us standardize on newer and familiar technologies that complement each other.

That said, whether we build or buy, our focus is to deliver an overall best in suite approach to help customers deploy, maintain, monitor, and protect our enterprise products and services as securely as possible. We are investing heavily in the Intelligent Security Graph. It leverages our vast security intelligence, connects and correlates information, and uses advanced analytics to help detect and respond to threats faster. If you are already working with Microsoft to advance your productivity and collaboration needs by deploying Windows 10, Office 365, Azure, or other core enterprise services, you should make better use of these investments and reduce dependency on third-party solutions by taking advantage of built-in monitoring and detection capabilities in these solutions. A best-of-suite approach also lowers the costs and complexity of administering a security program, e.g. making vendor assessments and procurement easier, reducing training and learning curves, and standardizing on common dashboards.

Reducing complexity also requires that we make our security technologies easy to acquire and use. Here are some interesting examples of how our various offerings connect to each other and have built-in capabilities:

  • The Windows Defender Advanced Threat Protection(ATP) offer seamlessly integrates with O365 ATP to provide more visibility into adversary activity against devices and mailboxes, and to give your security teams more control over these resources. Watch this great video to learn more about the services integration. Windows Defender ATP monitors behaviors on a device and sends alerts on suspicious activities. The console provides your security team with the ability to perform one-click actions such as isolating a machine, collecting a forensics package, and stopping and quarantining files. You can then track the kill chain into your O365 environment if a suspicious file on the device arrived via email. Once in O365 ATP, you can quarantine the email, detonate a potentially malicious payload, block the traffic from your environment, and identify other users who may have been targeted.
  • Azure Information Protection provides built-in capabilities to classify and label data, apply rights-management protections (that follows the data object) and gives data owners and admins visibility into, and control over, where that data goes and whether recipients attempt to violate policy.

Thousands of companies around the world are innovating, competing, and partnering to defeat adversaries and to secure the computing ecosystem. No single company can do it all. But by making it as convenient as possible for you to acquire and deploy technologies that integrate, communicate and complement each other, we believe we can offer a best-of-suite benefit to help secure users, devices, apps, data, and infrastructure. Visit https://www.microsoft.com/secure to learn about our solutions and reach out to your local Microsoft representative to learn more about compelling security technologies that you may already own. For additional information, and to stay on top of our investments in security, bookmark this Microsoft Secure blog.


Mark McIntyre, CISSP, is an Executive Security Advisor (ESA) in the Microsoft Enterprise and Cybersecurity Group. Mark works with global public sector and commercial enterprises, helping them transform their businesses while protecting data and assets by moving securely to the Cloud. As an ESA, Mark supports CISOs and their teams with cybersecurity reviews and planning. He also helps them understand Microsofts perspectives on the evolving cyber threat landscape and how Microsoft defends its enterprise, employees and users around the world.

Categories: Uncategorized Tags:

4053440 – Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields – Version: 1.0

Revision Note: V1.0 (November 8, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange (DDE) fields.

Categories: Uncategorized Tags:

4053440 – Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields – Version: 1.0

Revision Note: V1.0 (November 8, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange (DDE) fields.

Categories: Uncategorized Tags:

Defending against ransomware using system design

This post is authored by Michael Melone, Principal Cybersecurity Consultant, Enterprise Cybersecurity Group.

Earlier this year, the world experienced a new and highly-destructive type of ransomware. The novel aspects of WannaCry and Petya were not skills as ransomware, but the combination of commonplace ransomware tactics paired with worm capability to improve propagation.

WannaCry achieved its saturation primarily through exploiting a discovered and patched vulnerability in a common Windows service. The vulnerability (MS17-010) impacted the Windows Server service which enables communication between computers using the SMB protocol. Machines infected by WannaCry propagate by connecting to a nearby unpatched machine, performing the exploit, and executing the malware. Execution of the exploit did not require authentication, thus enabling infection of any unpatched machine.

Petya took this worming functionality one step further and additionally introduced credential theft and impersonation as a form of worming capability. These techniques target single sign-on technologies, such as traditional domain membership. This added capability specifically targeted enterprise environments and enabled the malware to use a single unpatched endpoint to springboard into the network, then used active sessions on the machine to infect other machines regardless of patch level. To an enterprise, a single unpatched endpoint paired with poor credential hygiene could be used to enable propagation throughout the enterprise.

Most impersonation and credential theft attacks are possible only when malware obtains local administrator or equivalent authorization to the operating system. For Petya, this would mean successful exploitation of MS17-010, or running under the context of a user with local administrator authorization.

Measuring the value of a user account

To a hacker, an infected or stolen identity is measurable in two ways: the breadth of computers that trust and grant authorization to the account and the level of authorization granted upon successful authentication. Since encryption can be performed by any user account, ransomware benefits most when it infects an account which can convey write authorization to a large amount of data.

In most cases (thus far), the data sought out by ransomware has been either local files or those accessible over a network attached share data which can be accessed by the malware using out-of-the-box operating system interfaces. As such, data encrypted by most ransomware includes files in the users profile, home directory, or on shared directories where the user has access and write authorization.

In the case of WannaCry, the identity used by the ransomware was SYSTEM an effectively unrestricted account from an authorization perspective. Running as SYSTEM, WannaCry had authorization to encrypt any file on the infected machine.

Petyas encryption mechanism required the ability to overwrite the boot sector of the hard drive to invoke its encryption mechanism. The malware then creates a scheduled task to restart the machine at least 10 minutes later to perform the encryption. The offline encryption mechanism prevented destruction of network files by Petya.

Infected machines and worms

Pivoting our focus to the worm aspect of these ransomware variants, the value of an infected host to a hacker is measurable in two ways: the quantity of newly accessible targets resulting from infection and the data which now becomes available because of the infection. Malware with worming capability focuses on widespread propagation, thus machines which can access new targets are highly valuable.

To both WannaCry and Petya, a newly infected system offered a means to access previously inaccessible machines. For WannaCry, any potential new targets needed to be vulnerable to MS17-010. Vulnerability gave both malware variants SYSTEM-level authority, thus enabling successful execution of their payload.

Additionally, in the case of Petya, any machine having reusable credentials in memory furthered its ability to propagate. Petya searches for active sessions on an infected machine and tries to use the session to infect machines which may not have been vulnerable to MS17-010. As a result, a single vulnerable endpoint may expose a reusable administrative credential usable to infect potential targets which grant that credential a necessary level of authorization.

Codifying the vulnerability

To defend against a ransomware application with worm capability we need to target the following areas:

  • Ransomware

    • Reduce the authorization level of users relative to the operating system of an infected machine
    • Perform backups or versioning of files to prevent loss of data due to encryption, deletion, or corruption
    • Limit authorization to delete or tamper with the data backups

  • Worms

    • Reduce the ability for an infected host to access a potential infection target
    • Reduce the number of remotely exploitable vulnerabilities that provide remote code execution
    • Reduce exposure of reusable credentials relative to the likelihood of a host to compromise

Resolving Concerns through design

Many of the risks associated with ransomware and worm malware can be alleviated through systems design. Referring to our now codified list of vulnerabilities, we know that our solution must:

  • Limit the number (and value) of potential targets that an infected machine can contact
  • Limit exposure of reusable credentials that grant administrative authorization to potential victim machines
  • Prevent infected identities from damaging or destroying data
  • Limit unnecessary risk exposure to servers housing data

Windows 10, BYOD, and Azure AD Join

Windows 10 offers a new management model that differs significantly from traditional domain joined machines. Azure Active Directory joined machines can still convey identity to organizational resources; however, the machine itself does not trust domain credentials. This design prevents reusable accounts from exposure to workstations, thus protecting the confidentiality of the credential. Additionally, this limits the impact of a compromised domain account since Azure AD joined machines will not trust the identity.

Another benefit of Windows 10 with Azure AD is the ability to move workstations outside of the firewall, thus reducing the number of potential targets once infection occurs. Moving endpoints outside the firewall reduces the impact of any workstation threat by reducing the benefits normally gained by compromising a machine within the corporate firewall. As a result, this design exposes fewer server ports to potentially compromised endpoints, thus limiting the attack surface and reducing the likelihood of worm propagation.

Moving workstations outside of the firewall offers added security for the workstation as well. Migrating to a BYOD architecture can enable a more stringent client firewall policy, which in turn reduces the number of services exposed to other hosts, and thus improves the machines defense against worms and other inbound attacks.

Additionally, most organizations use many laptops which often connect from untrusted locations outside the firewall. While outside of the firewall, these machines can connect to untrusted sources, become infected, then bring the infection inside the firewall next time it is able to connect to the internal network. This causes confusion when trying to identify the initial infection during an incident response, and potentially exposes the internal network to unnecessary risk.

Consider migration file shares to OneDrive or Office365

Migrating data from traditional file shares into a solution such as SharePoint or OneDrive can limit the impact of a ransomware attack. Data stored in these technologies can enforce version control, thus potentially simplifying recovery. To further protect this data, limit the number of SharePoint users who had administrative authority to the site to prevent emptying of the recycle bin.

Ensure resilient backups

When an attack occurs, it is crucial to ensure ransomware cannot destroy data backups. Although convenient, online data backups may be subject to destruction during an attack. Depending on design, an online backup solution may trust a stolen reusable single sign-on credential to enable deletion or encryption of backup data. If this occurs, backups may be rendered unusable during the attack.

To prevent against this, consider Azure Cloud Backup a secure off-site backup solution. Azure Cloud Backup is managed through the Azure Portal which can be configured to require separate authentication, to include multi-factor authentication. Volumes used to store backup data reside in Azure and cannot be initialized or overwritten using on-premises domain credentials.

Closing

Windows 10 and BYOD architecture offers significant defense against a variety of cyberattacks, to include worms and ransomware. This article covers only some of the protections that Windows 10 offers against credential theft, bootkits, rootkits, and other malware techniques employed by this class of highly destructive malware.

To better defend your organization against future malware outbreaks:

Categories: Uncategorized Tags:

Learn from leading cybersecurity experts

More than 170K technology and business leaders from across the world depend on Microsofts Modern Workplace monthly webcast to shed new light on business challenges related to technology. Over the past four years, Modern Workplace has had the worlds leading experts share their advice on technology topics, such as security, including CISOs, Chief Privacy Officers, Cyber Intelligence Advisors, and Chief Digital Officers. Just in the past year, Modern Workplace security episodes included:

These episodes include more than just security checklists and basicsthey go into depth around the decisions business leaders are faced with every day. In the episode on data privacy, Hillery Nye, Chief Privacy Officer at Glympse, explained how the startup company made a very conscious decision to not collect data that it could have easily gathered from its real-time location sharing app. The company collects customer data and uses it for very specific purposes, but it never stores or sells that data. The company may have given up some opportunities to monetize its customer data, but Nye feels that the company gains even more by being a responsible corporate citizen and establishing a reputation for privacy. She discussed how a companys brand is affected by its privacy policies, and how businesses can better align their privacy policies with business strategy for long term success.

The Modern Workplace series has been nominated for four regional Emmy awards because of its creative presentation of diverse perspectives and insights. To learn more about how technology can help drive your business, check out the Modern Workplace episodes on-demand today!

Categories: Uncategorized Tags: