Archive

Archive for June, 2020

The psychology of social engineering—the “soft” side of cybercrime

June 30th, 2020 No comments

Forty-eight percent of people will exchange their password for a piece of chocolate,[1] 91 percent of cyberattacks begin with a simple phish,[2] and two out of three people have experienced a tech support scam in the past 12 months.[3] What do all of these have in common? They make use of social engineering: when an attacker preys on our human nature in order to defraud. Also in common, these small, very human actions have led to billions of dollars of loss to global business.

People are by nature social. Our decision making is highly influenced by others. We are also overloaded with information and look to shortcuts to save time. This is why social engineering is so effective. In this blog, I’ll share the psychology behind Cialdini’s Six Principles of Persuasion to show how they help lure employees and customers into social engineering hacks. And I’ll provide some tips for using those principles to create a social engineering resistant culture.

Dr. Robert Cialdini is Regents’ Professor Emeritus of Psychology and Marketing at Arizona State University and founder of Influence at Work. He has spent his entire career studying what makes people say “Yes” to requests. From that research he developed Six Principles of Persuasion: Reciprocity, Scarcity, Authority, Consistency, Liking, and Consensus. So let’s take a look at how each of these principles is used in social engineering campaigns and how you can turn them around for good.

Reciprocity

People are inclined to be fair. In fact, receiving a gift triggers a neurological response in the areas of the brain associated with decision-making. If my friend buys me lunch on Friday, I will feel obliged to buy her lunch the next time we go out. Social psychologists have shown that if people receive a holiday card from a stranger, 20 percent will send one back.[4] And providing a mint at the end of a meal can increase tipping by 18-21 percent.

How reciprocity is used in phishing: You can see evidence of the Principle of Reciprocity in phishing campaigns and other scams. For example, an attacker may send an email that includes a free coupon and then ask the user to sign up for an account.

Leveraging reciprocity to reduce phishing: According to Dr. Cialdini, the lesson of “the Principle of Reciprocity is to be the first to give...” Many organizations pay for lunch to get people to come to trainings, but you may also consider giving away gift certificates for coffee or a fun T-shirt. If the gift is personal and unexpected, it’s even more effective. After you give, ask people to commit to your security principles. Many will feel compelled to do so.

Scarcity

Why do so many travel websites tell you when there are only a few remaining flights or rooms? The Principle of Scarcity. It’s human nature to place a higher value on something that is in limited supply. In one experiment, college students judged cookies more appealing if there were fewer in the jar.[5] Even more appealing? When an abundant supply of cookies was later reduced to scarcity.

How scarcity is used in phishing: Attackers take advantage of our desire for things that seem scarce by putting time limits on offers in emails. Or, in another common tactic, they tell people that their account will deactivate in 24 hours if they don’t click on a link to get it resolved.

Leveraging scarcity to reduce phishing: You can leverage scarcity to engage people in security behaviors too. For example, consider giving a prize to the first 100 people who enable multi-factor authentication.

Authority

People tend to follow the lead of credible experts. Doctors (think Dr. Fauci), teachers, bosses, and political leaders, among others, have huge sway over people’s actions and behaviors. If you’ve heard of the Milgram study,[6] you may be familiar with this concept. In that study an experimenter convinced volunteers to deliver increasingly more severe shocks to a “learner” who didn’t answer questions correctly. Fortunately, the learner was an actor who pretended to feel pain, when in reality there were no shocks delivered. However, it does show you how powerful the Principle of Authority is.

How authority is used in phishing: Using authority figures to trick users is very common and quite effective. Bad actors spoof the Chief Executive Officer (CEO) to demand that the Chief Financial Officer (CFO) wire money quickly in some spear phishing campaigns. When combined with urgency, people are often afraid to say no to their boss.

Leveraging authority to reduce phishing: You can use people’s natural trust of authority figures in your security program. For example, have senior managers make a statement about how important security is.

Consistency

Most people value integrity. We admire honesty and reliability in others, and we try to practice it in our own lives. This is what drives the Principle of Consistency. People are motivated to remain consistent with prior statements or actions. If I tell you that I value the outdoors, I won’t want to be caught throwing litter in a park. One study found that if you ask people to commit to environmentally friendly behavior when they check into a hotel, they will be 25 percent more likely to reuse their towel.[7]

How consistency is used in phishing: Scammers take advantage of people’s desire to be consistent by asking for something small in an initial email and then asking for more later.

Leveraging consistency to reduce phishing: One way to employ the Principle of Consistency in your security program is to ask staff to commit to security. Even more powerful? Have them do it in writing.

Liking

It probably won’t surprise you to learn that people are more likely to say yes to someone they like. If a friend asks for help, I want to say yes, but it’s easier to say no to stranger. But even a stranger can be persuasive if they are perceived as nice. In the raffle experiment, people were more likely to buy raffle tickets if the person selling the tickets brought them a soda, and less likely if the person only bought themselves a soda.[8]

How liking is used in phishing: When bad actors spoof or hack an individual’s email account and then send a phishing email to that person’s contacts, they are using the Principle of Liking. They are hoping that one of the hacking victim’s friends won’t spend much time scrutinizing the email content and will just act because the like the “sender.”

Leveraging liking to reduce phishing: To be more persuasive with your staff, cultivate an “internal consulting” mindset. Be friendly and build relationships, so that people want to say yes when you ask them to change their behavior.

Consensus

When people are uncertain, they look to others to help them formulate an opinion. Even when they are confident of their beliefs, consensus opinions can be very persuasive. This can be seen in the light dot experiment. In this study, individuals were asked how much a (stationary) dot of light was moving. It appeared to move due to autokinetic effect. Days later, the subjects were divided into groups. Despite very different earlier estimates, responses “normalized” to the broader group. If brought back to provide an individual estimate, individuals continued to provide the group estimate.[9]

How consensus is used in phishing: Adversaries exploit cultural trends. For example, when there is a natural disaster, there are often several illegitimate organizations posing as a charity to elicit donations.

Leveraging consensus to reduce phishing: Highlight positive security behaviors among other employees or report favorable statistics that indicate most people are complying with a security policy.

The more complex life becomes, the more likely humans will rely on cognitive shortcuts to make decisions. Educate your employees on how the Cialdini’s Six Principles of Persuasion can be used to trick them. Try implementing the principles in your own communication and training programs to improve compliance. Over time, you can build a culture that is less likely to fall for social engineering campaigns.

Watch “The psychology of social engineering: the soft side of cybercrime” presentation at InfoSec World v2020.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter.

[1] Trick with treat – Reciprocity increases the willingness to communicate personal data, Happ, Melzer, Steffgen, https://dl.acm.org/citation.cfm?id=2950731
[2] 2016 Enterprise Phishing Susceptibility and Resiliency Report, https://phishme.com/enterprise-phishing-susceptibility-report
[3] Microsoft Global Survey on Tech Support Scams, https://mscorpmedia.azureedge.net/mscorpmedia/2016/10/Microsoft_Infographic_final.pdf
[4] Kunz, Phillip R; Woolcott, Michael (1976-09-01). “Season’s greetings: From my status to yours.” Social Science Research. 5 (3): 269–278
[5] Worchel, Stephen; Lee, Jerry; Adewole, Akanbi (1975). “Effects of supply and demand on ratings of object value.” Journal of Personality and Social Psychology. 32 (5): 906–914.
[6] Milgram, Stanley (1963). “Behavioral Study of Obedience.” Journal of Abnormal and Social Psychology. 67(4): 371–8.
[7] Commitment and Behavior Change: Evidence from the Field Katie Baca-Motes, Amber Brown, Ayelet Gneezy, Elizabeth A. Keenan, Leif D. Nelson Journal of Consumer Research, Volume 39, Issue 5, 1 February 2013, Pages 1070–1084
[8] Regan, Dennis T. (1971-11-01). “Effects of a favor and liking on compliance.” Journal of Experimental Social Psychology. 7 (6): 627–639.
[9] Sherif, M (1935). “A study of some social factors in perception.” Archives of Psychology. 27: 187.

The post The psychology of social engineering—the “soft” side of cybercrime appeared first on Microsoft Security.

Best security, compliance, and privacy practices for the rapid deployment of publicly facing Microsoft Power Apps intake forms

June 29th, 2020 No comments

With the dawn of the COVID-19 pandemic, state and federal agencies around the globe were looking at ways to modernize data intake for social services recipients. The government of a country of about 40 million citizens reached out to Microsoft and asked us to assist in this endeavor. Going paperless eliminates waiting in line at an agency office, and lowers the chance of COVID-19 transmission. The ability to make requests or apply for federal or local assistance online makes the process safer and more efficient, as once data is collected citizens should start receiving funds more accurately and quickly.

Security is a major concern of not only major governments but of other entities using Microsoft Power App intake forms. Organizations and agencies needed to be certain that Microsoft Power App intake forms could not be used to collect data from large, sensitive databases containing personal information like names, addresses, Social Security or national security identification numbers, telephone numbers, or bank account information for direct deposit. If internet-facing forms collect personal information, and are not securely implemented, bad actors can use those forms to cleverly gain access to millions—if not billions—of personal records.

We authored this white paper specifically for those agencies and organizations who are transforming data intake to partially or 100-percent paperless. Microsoft wants to ensure that customers are implementing our technologies with the most secure approach possible, and adhering to compliance with all data privacy laws. Microsoft is also making recommendations in the white paper regarding the best way to implement the NIST Cybersecurity Framework in order to identify, protect, detect, respond, and recover from cybersecurity attacks.

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Best security, compliance, and privacy practices for the rapid deployment of publicly facing Microsoft Power Apps intake forms appeared first on Microsoft Security.

Lessons learned from the Microsoft SOC—Part 3d: Zen and the art of threat hunting

June 25th, 2020 No comments

An image of a black male developer at work in an Enterprise office workspace.

Threat hunting is a powerful way for the SOC to reduce organizational risk, but it’s commonly portrayed and seen as a complex and mysterious art form for deep experts only, which can be counterproductive. In this and the next blog we will shed light on this important function and recommend simple ways to get immediate and meaningful value out of threat hunting.

This is the seventh blog in the Lessons learned from the Microsoft SOC series designed to share our approach and experience from the front lines of our security operations center (SOC) protecting Microsoft, and our Detection and Response Team (DART) helping our customers with their incidents. For a visual depiction of our SOC philosophy, download our Minutes Matter poster.

Before we dive in, let’s clarify the definition of “threat hunting.”  There are various disciplines and processes that contribute to the successful proactive discovery of threat actor operations. For example, our Hunting Team works with threat intelligence to help shape and guide their efforts, but our threat intelligence teams are not “threat hunters.”  When we use the term “threat hunting,” we are talking about the process of experienced analysts proactively and iteratively searching through the environment to find attacker operations that have evaded other detections.

Hunting is a complement to reactive processes, alerts, and detections, and enables you to proactively get ahead of attackers. What sets hunting apart from reactive activities is the proactive nature of it, where hunters spend extended focus time thinking through issues, identifying trends and patterns, and getting a bigger picture perspective.

A successful hunting program is not purely proactive however as it requires continuously balancing attention between reactive efforts and proactive efforts. Threat hunters will still need to maintain a connection to the reactive side to keep their skills sharp and fresh and keep attuned to trends in the alert queue. They will also need to jump in to help with major incidents at a moment’s notice to help put out the fire. The amount of time available for proactive activities will depend heavily on whether or not you have a full-time or part-time hunting mission.

Our SOC approaches threat hunting by applying our analysts to different types of threat hunting tasks:

1. Proactive adversary research and threat hunting

This is what most of our threat hunters spend the majority of their time doing. The team searches through a variety of sources including alerts, external indicators of compromise and other sources. The team primarily works to build and refine structured hypotheses of what the attackers may do based on threat intelligence (TI), unusual observations in the environment, and their own experience. In practice, this type of threat hunting includes:

  • Proactive search through the data (queries or manual review).
  • Proactive development of hypotheses based on TI and other sources.

2. Red and purple teaming

Some of our threat hunters work with red teams who simulate attacks and others who conduct authorized penetration testing against our environment. This is a rotating duty for our threat hunters and typically involves purple teaming, where both red and blue teams work to do their jobs and learn from each other. Each activity is followed up by fully transparent reviews that capture lessons learned which are shared throughout the SOC, with product engineering teams, and with other security teams in the company.

3. Incidents and escalations

Proactive hunters aren’t sequestered somewhere away from the watch floor. They are co-located with reactive analysts; they frequently check in with each other, share what they are working on, share interesting findings/observations, and generally maintain situational awareness of current operations. Threat hunters aren’t necessarily assigned to this task full time; they may simply remain flexible and jump in to help when needed.

These are not isolated functions— the members of these teams work in the same facility and frequently check in with each other, share what they are working on, and share interesting findings/observations.

What makes a good threat hunter?

While any high performing analyst has good technical skills, a threat hunter must be able to see past technical data and tools to attackers’ actions, motivations, and ideas. They need to have a “fingertip feel” (sometimes referred to as Fingerspitzengefühl), which is a natural sense of what is normal and abnormal in security data and the environment. Threat hunters can recognize when an alert (or cluster of alerts/logs) seem different or out of place.

One way to think about the qualities that make up a good threat hunter is to look at the Three F’s.

Functionality

This is technical knowledge and competency of investigating and remediating incidents. Security analysts (including threat hunters) should be proficient with the security tools, general flow of investigation and remediation, and the types technologies commonly deployed in enterprise environments.

Familiarity

This is “know thyself” and “know thy enemy” and includes familiarity with your organization’s specific environment and familiarity with attacker tactics, techniques, and procedures (TTPs). Attacker familiarity starts with understanding common adversary behaviors and then grows into a deeper sense of specific adversaries (including technologies, processes, playbooks, business priorities and mission, industry, and typical threat patterns). Familiarity also includes the relationships threat hunters develop with the people in your organization, and their roles/responsibilities. Familiarity with your organization is highly valued for analysts on investigation teams, and critical for effective threat hunting.

Flexibility

Flexibility is a highly valued attribute of any analyst role, but it is absolutely required for a threat hunter. Flexibility is a mindset of being adaptable in what you may do every day and how you do it. This manifests in how you understand problems, process information, and pursue solutions. This mindset comes from within each person and is reflected in almost everything they do.

Where any threat analyst (or threat hunter) can take a particular alert or event and run it into the ground, a good threat hunter will take a step back and look at a collection of data, alerts or events. Threat hunters must be inquisitive and unrelentingly curious about things—to the point that it bugs them if they don’t have a clear understanding of something. Instead of just answering a question, threat hunters are constantly trying to ask better questions of the data, coming up with creative new angles to answer them, and seeing what new questions they raise. Threat hunting also requires humility, to be able to quickly admit your mistakes so you can rapidly re-enter learning mode.

Threat hunting tooling

Threat hunting naturally pulls in a wide variety of tools, but our team has grown to prefer a few of the Microsoft tools whose design they have influenced.

  • Advanced hunting in Microsoft Threat Protection (MTP) tends to be the go-to tool for anything related to endpoints, identities, email, Azure resources, and SaaS applications.
  • Our teams also use Azure Sentinel, Jupyter notebooks, and custom analytics to hunt across broad datasets like application and network data, as well as diving deeper into identity, endpoint, Office 365, and other log data.

Our threat hunting teams across Microsoft contribute queries, playbooks, workbooks, and notebooks to the Azure Sentinel Community, including specific hunting queries that your teams can adapt and use.

Conclusion

We have discussed the art of threat hunting, different approaches to it, and what makes a good threat hunter. In the next entry, we dive deeper into how to build and refine a threat hunting program. If you are looking for more information on the SOC and other cybersecurity topics, check out previous entries in the series (Part 1 | Part 2a | Part 2b | Part 3a | Part 3b| Part 3c), Mark’s List, and our new security documentation site. Be sure to bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Lessons learned from the Microsoft SOC—Part 3d: Zen and the art of threat hunting appeared first on Microsoft Security.

Feeling fatigued? Cloud-based SIEM relieves security team burnout

June 24th, 2020 No comments

Most CISOs and CSOs are worried that a growing volume of alerts is causing burnout among their teams, according to new research from IDG. You can learn about additional challenges to security operations teams by reading the IDG report SIEM Shift: How the Cloud is Transforming Security Operations.

In terms of SIEM-related challenges, 42 percent of respondents cited alert fatigue, second only to capacity issues (45 percent). Perhaps more worrisome is the fallout from dealing with voluminous alerts, including longer response times, more requests for additional staffing, and missed threats.

“There are admittedly a lot of dead ends that are being chased,” said the senior principal architect from a financial services firm. “You don’t want to ignore things by clicking them off and I’ve seen that people do that.”

Yet, there’s also evidence that companies with cloud-based SIEM solutions like Azure Sentinel, a cloud-native SIEM that leverages artificial intelligence (AI) and threat intelligence based on decades of Microsoft security experience, are less likely to feel these pains than their on-premises counterparts.

The effects of alert fatigue on IT staff

An image of the effects of alert fatigue on IT staff.
In fact, the CISO of an electronics company cited improved alert management as among the primary motivations for shifting to cloud-based SIEM.

“Common drivers were lack of internal knowledge, overall data volumes, and the need to have correlated, aggregated alerts that boil up to what are the most important things we should be looking at,” he said. “Simply said, we needed a single pane of glass.”

Higher levels of intelligence

Aggregation and correlation with a cloud SIEM solution allow organizations to become more proactive with their security strategies.

“We gained a lot [in terms of] the event aggregation, consolidation, and risk rating of events,” said the CISO, adding that threat correlation enabled a whole new level of SOC intelligence so they could get ahead of triage work.

Another way of putting it: “Aggregated intelligence,” according to the head of architecture, security, and privacy for a digital services provider. He suggests companies can only gain deep analysis of threats and vulnerabilities with the cloud.

“You need the cloud version because the vast amount of data that is required is only available, stored, and processed in the cloud,” he said. “If it’s onsite, you can hit the most targeted use cases, but you cannot have that aggregated intelligence that will help you prevent really big, incremental strategic attacks.”

Furthermore, SIEM solutions born in the cloud take advantage of native integrations to speed these correlations. In addition, they often use automation and AI and machine learning technology to power real-time threat detection, protection, and response—reducing alert fatigue and freeing up security teams for more strategic work.

“Babysitting an on-prem SIEM and addressing the myriad of alerts that it generates is a very tactical issue,” said Bob Bragdon, Senior Vice President and Publisher, CSO.

“One of the challenges that security organizations face is getting actionable intelligence out of all their security investments,” Bragdon said. “With a move to a cloud-based SIEM, enterprises can redirect resources that were invested to support an on-prem SIEM to other more strategic or higher-priority tasks.”

Learn about other areas where on-premises and cloud-based SIEM like Azure Sentinel measure up by reading the IDG report SIEM Shift: How the Cloud is Transforming Security Operations.

An image of a report titled "SIEM Shift: How the Cloud is Transforming Security Operations.

For more information about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Feeling fatigued? Cloud-based SIEM relieves security team burnout appeared first on Microsoft Security.

Feeling fatigued? Cloud-based SIEM relieves security team burnout

June 24th, 2020 No comments

Most CISOs and CSOs are worried that a growing volume of alerts is causing burnout among their teams, according to new research from IDG. You can learn about additional challenges to security operations teams by reading the IDG report SIEM Shift: How the Cloud is Transforming Security Operations.

In terms of SIEM-related challenges, 42 percent of respondents cited alert fatigue, second only to capacity issues (45 percent). Perhaps more worrisome is the fallout from dealing with voluminous alerts, including longer response times, more requests for additional staffing, and missed threats.

“There are admittedly a lot of dead ends that are being chased,” said the senior principal architect from a financial services firm. “You don’t want to ignore things by clicking them off and I’ve seen that people do that.”

Yet, there’s also evidence that companies with cloud-based SIEM solutions like Azure Sentinel, a cloud-native SIEM that leverages artificial intelligence (AI) and threat intelligence based on decades of Microsoft security experience, are less likely to feel these pains than their on-premises counterparts.

The effects of alert fatigue on IT staff

An image of the effects of alert fatigue on IT staff.
In fact, the CISO of an electronics company cited improved alert management as among the primary motivations for shifting to cloud-based SIEM.

“Common drivers were lack of internal knowledge, overall data volumes, and the need to have correlated, aggregated alerts that boil up to what are the most important things we should be looking at,” he said. “Simply said, we needed a single pane of glass.”

Higher levels of intelligence

Aggregation and correlation with a cloud SIEM solution allow organizations to become more proactive with their security strategies.

“We gained a lot [in terms of] the event aggregation, consolidation, and risk rating of events,” said the CISO, adding that threat correlation enabled a whole new level of SOC intelligence so they could get ahead of triage work.

Another way of putting it: “Aggregated intelligence,” according to the head of architecture, security, and privacy for a digital services provider. He suggests companies can only gain deep analysis of threats and vulnerabilities with the cloud.

“You need the cloud version because the vast amount of data that is required is only available, stored, and processed in the cloud,” he said. “If it’s onsite, you can hit the most targeted use cases, but you cannot have that aggregated intelligence that will help you prevent really big, incremental strategic attacks.”

Furthermore, SIEM solutions born in the cloud take advantage of native integrations to speed these correlations. In addition, they often use automation and AI and machine learning technology to power real-time threat detection, protection, and response—reducing alert fatigue and freeing up security teams for more strategic work.

“Babysitting an on-prem SIEM and addressing the myriad of alerts that it generates is a very tactical issue,” said Bob Bragdon, Senior Vice President and Publisher, CSO.

“One of the challenges that security organizations face is getting actionable intelligence out of all their security investments,” Bragdon said. “With a move to a cloud-based SIEM, enterprises can redirect resources that were invested to support an on-prem SIEM to other more strategic or higher-priority tasks.”

Learn about other areas where on-premises and cloud-based SIEM like Azure Sentinel measure up by reading the IDG report SIEM Shift: How the Cloud is Transforming Security Operations.

An image of a report titled "SIEM Shift: How the Cloud is Transforming Security Operations.

For more information about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Feeling fatigued? Cloud-based SIEM relieves security team burnout appeared first on Microsoft Security.

Defending Exchange servers under attack

June 24th, 2020 No comments

Securing Exchange servers is one of the most important things defenders can do to limit organizational exposure to attacks. Any threat or vulnerability impacting Exchange servers should be treated with the highest priority because these servers contain critical business data, as well as highly privileged accounts that attackers attempt to compromise to gain admin rights to the server and, consequently, complete control of the network.

If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance. This is exacerbated by the fact that Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions. Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.

There are two primary ways in which Exchange servers are compromised. The first and more common scenario is attackers launching social engineering or drive-by download attacks targeting endpoints, where they steal credentials and move laterally to other endpoints in a progressive dump-escalate-move method until they gain access to an Exchange server.

The second scenario is where attackers exploit a remote code execution vulnerability affecting the underlying Internet Information Service (IIS) component of a target Exchange server. This is an attacker’s dream: directly landing on a server and, if the server has misconfigured access levels, gain system privileges.

The first scenario is more common, but we’re seeing a rise in attacks of the second variety; specifically, attacks that exploit Exchange vulnerabilities like CVE-2020-0688. The security update that fixes this vulnerability has been available for several months, but, notably, to this day, attackers find vulnerable servers to target.

In many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web accessible paths on the server. As we discussed in a previous blog, web shells allow attackers to steal data or perform malicious actions for further compromise.

Behavior-based detection and blocking of malicious activities on Exchange servers

Adversaries like using web shells, which are relatively small pieces of malicious code written in common programming languages, because these can be easily modified to evade traditional file-based protections. A more durable approach to detecting web shell activity involves profiling process activities originating from external-facing Exchange applications.

Behavior-based blocking and containment capabilities in Microsoft Defender ATP, which use engines that specialize in detecting threats by analyzing behavior, surface suspicious and malicious activities on Exchange servers. These detection engines are powered by cloud-based machine learning classifiers that are trained by expert-driven profiling of legitimate vs. suspicious activities in Exchange servers.

In April, multiple Exchange-specific behavior-based detections picked up unusual activity. The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells. Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain. Common services, for example Outlook on the web  (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC; formerly known as the  Exchange Control Panel or ECP), executing net.exe, cmd.exe, and other known living-off-the-land binaries (LOLBins) like mshta.exe is very suspicious and should be further investigated.

Figure 1. Behavior-based detections of attacker activity on Exchange servers

In this blog, we’ll share our investigation of the Exchange attacks in early April, covering multiple campaigns occurring at the same time. The data and techniques from this analysis make up an anatomy of Exchange server attacks. Notably, the attacks used multiple fileless techniques, adding another layer of complexity to detecting and resolving these threats, and demonstrating how behavior-based detections are key to protecting organizations.

Figure 2. Anatomy of an Exchange server attack

Initial access: Web shell deployment

Attackers started interacting with target Exchange servers through web shells they had deployed. Any path accessible over the internet is a potential target for web shell deployment, but in these attacks, the most common client access paths were:

  • %ProgramFiles%\Microsoft\Exchange Server\<version>\ClientAccess
  • %ProgramFiles%\Microsoft\Exchange Server\<version>\FrontEnd

The ClientAccess and FrontEnd directories provide various client access services such as Outlook on the web, EAC, and AutoDiscover, to name a few. These IIS virtual directories are automatically configured during server installation and provide authentication and proxy services for internal and external client connections.

These directories should be monitored for any new file creation. While file creation events alone cannot be treated as suspicious, correlating such events with the responsible process results in more reliable signals. Common services like OWA or ECP dropping .aspx or .ashx files in any of the said directories is highly suspicious.

In our investigation, most of these attacks used the China Chopper web shell. The attackers tried to blend the web shell script file with other .aspx files present on the system by using common file names. In many cases, hijacked servers used the ‘echo’ command to write the web shell. In other cases, certutil.exe or powershell.exe were used. Here are some examples of the China Chopper codes that were dropped in these attacks:

We also observed the attackers switching web shells or introducing two or more for various purposes. In one case, the attackers created an .ashx version of a popular, publicly available .aspx web shell, which exposes minimum functionality:

Figure 3. Microsoft Defender ATP alert for web shell

Reconnaissance

After web shell deployment, attackers typically ran an initial set of exploratory commands like whoami, ping, and net user. In most cases, the hijacked application pool services were running with system privileges, giving attackers the highest privilege.

Attackers enumerated all local groups and members on the domain to identify targets. Interestingly, in some campaigns, attackers used open-source user group enumerating tools like lg.exe instead of the built-in net.exe. Attackers also used the EternalBlue exploit and nbtstat scanner to identify vulnerable machines on the network.

Next, the attackers ran built-in Exchange Management Shell cmdlets to gain more information about the exchange environment. Attackers used these cmdlets to perform the following:

  • List all Exchange admin center virtual directories in client access services on all Mailbox servers in the network
  • Get a summary list of all the Exchange servers in the network
  • Get information on mailboxes, such as size and number of items, along with role assignments and permissions.

Figure 4. Microsoft Defender ATP alert showing process tree for anomalous account lookups

Persistence

On misconfigured servers where they have gained the highest privileges, attackers were able to add a new user account on the server. This gave the attackers the ability to access the server without the need to deploy any remote access tools.

The attackers then added the newly created account to high-privilege groups like Administrators, Remote Desktop Users, and Enterprise Admins, practically making the attackers a domain admin with unrestricted access to any users or group in the organization.

Figure 5. Microsoft Defender ATP alert showing process tree for addition of local admin using Net commands

Credential access

Exchange servers contain the most sensitive users and groups in an organization. Gaining credentials to these accounts could virtually give attackers domain admin privileges.

In our investigation, the attackers first dumped user hashes by saving the Security Account Manager (SAM) database from the registry.

Next, the attackers used the ProcDump tool to dump the Local Security Authority Subsystem Service (LSASS) memory. The dumps were later archived and uploaded to a remote location.

In some campaigns, attackers dropped Mimikatz and tried to dump hashes from the server.

Figure 6. Microsoft Defender ATP alert on detection of Mimikatz

In environments where Mimiktaz was blocked, attackers dropped a modified version with hardcoded implementation to avoid detection. Attackers also added a wrapper written in the Go programming language to make the binary more than 5 MB. The binary used the open-source MemoryModule library to load the binary using reflective DLL injection. Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence.

The attackers also enabled ‘wdigest’ registry settings, which forced the system to use WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user’s plaintext password in memory. This change allowed the attacker to steal the actual password, not just the hash.

Another example of stealthy execution that attackers implemented was creating a wrapper binary for ProcDump and Mimikatz. When run, the tool dropped and executed the ProcDump binary to dump the LSASS memory. The memory dump was loaded inside the same binary and parsed to extract passwords, another example of reflective DLL injection where the Mimikatz binary was present only in memory.

With attacker-controlled accounts now part of Domain Admins group, the attackers performed a technique called DCSYNC attack, which abuses the Active Directory replication capability to request account information, such as the NTLM hashes of all the users’ passwords in the organization. This technique is extremely stealthy because it can be performed without running a single command on the actual domain controller.

Lateral movement

In these attacks, the attackers used several known methods to move laterally:

  • The attackers heavily abused WMI for executing tools on remote systems.

  • The attackers also used other techniques such as creating service or schedule task on remote systems.

  • In some cases, the attackers simply run commands on remote systems using PsExec.

Exchange Management Shell abuse

The Exchange Management Shell is the PowerShell interface for administrators to manage the Exchange server. As such, it exposes many critical Exchange PowerShell cmdlets to allow admins to perform various maintenance tasks, such as assigning roles and permissions, and migration, including importing and exporting mailboxes. These cmdlets are available only on Exchange servers in the Exchange Management Shell or through remote PowerShell connections to the Exchange server.

To understand suspicious invocation of the Exchange Management Shell, we need to go one step back in the process chain and analyze the responsible process. As mentioned, common application pools MSExchangeOWAAppPool or MSExchangeECPAppPool accessing the shell should be considered suspicious.

In our investigation, attackers leveraged these admin cmdlets to perform critical tasks such as exporting mailboxes or running arbitrary scripts. Attackers used different ways to load and run PowerShell cmdlets through the Exchange Management Shell.

In certain cases, attackers created a PowerShell wrapper around the commands to effectively hide behind legitimate PowerShell activity.

These cmdlets allowed the attackers to perform the following:

  • Search received email

In our investigations, attackers were primarily interested in received emails. They searched for message delivery information filtered by the event ‘Received’. The search time frame showed the attackers were initially interested in the entire log history. Later, a similar command was run with a trimmed timeline of one year.

  • Export mailbox

Attackers exported mailboxes through these four steps:

    1. Granted ApplicationImpersnation role to the attacker-controlled account. This effectively allowed the supplied account to access all mailboxes in the organization.
    2. Granted ‘Mailbox Import Export’ role to the attacker-controlled account. This role is required to be added before attempting mailbox export.
    3. Exported the mailbox with filter “Received -gt ‘01/01/2020 0:00:00’”.
    4. Removed the mailbox export request to avoid raising suspicion.

Tampering with security tools

As part of lateral movement, the attackers attempted to disable Microsoft Defender Antivirus. Attackers also disabled archive scanning to bypass detection of tools and data compressed in .zip files, as well as created exclusion for .dat extension. The attackers tried to disable automatic updates to avoid any detection by new intelligence updates. For Microsoft Defender ATP customers, tamper protection prevents such malicious and unauthorized changes to security settings.

Remote access

The next step for attackers was to create a network architecture using port forwarding tools like plink.exe, a command line connection tool like ssh. Using these tools allowed attackers to bypass network restrictions and remotely access machines through Remote Desktop Protocol (RDP). This is a very stealthy technique: attackers reused dumped credentials to access the machines through encrypted tunneling software, eliminating the need to deploy backdoors, which may have a high chance of getting detected.

Exfiltration

Finally, dumped data was compressed using the utility tool rar.exe. The compressed data mostly comprised of the extracted .pst files, along with memory dumps.

Improving defenses against Exchange server compromise

As these attacks show, Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive, fileless techniques. For example, at every stage in the attack chain above, the attackers abused existing tools (LOLBins) and scripts to accomplish various tasks. Even in cases where non-system binaries were introduced, they were either legitimate and signed, like plink.exe, or just a proxy for the malicious binary, for example, the modified Mimikatz where the actual malicious payload never touched the disk.

Keeping these servers safe from these advanced attacks is of utmost importance. Here are steps that organizations can take to ensure they don’t fall victim to Exchange server compromise.

  1. Apply the latest security updates

Identify and remediate vulnerabilities or misconfigurations in Exchange servers. Deploy the latest security updates, especially for server components like Exchange, as soon as they become available. Specifically, check that the patches for CVE-2020-0688 is in place. Use threat and vulnerability management to audit these servers regularly for vulnerabilities, misconfigurations, and suspicious activity.

  1. Keep antivirus and other protections enabled

It’s critical to protect Exchange servers with antivirus software and other security solutions like firewall protection and MFA. Turn on cloud-delivered protection and automatic sample submission to use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. Use attack surface reduction rules to automatically block behaviors like credential theft and suspicious use of PsExec and WMI. Turn on tamper protection features to prevent attackers from stopping security services.

If you are worried that these security controls will affect performance or disrupt operations, engage with IT pros to help determine the true impact of these settings. Security teams and IT pros should collaborate on applying mitigations and appropriate settings.

  1. Review sensitive roles and groups

Review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Attackers add accounts to these groups to gain foothold on a server. Regularly review these groups for suspicious additions or removal. To identify Exchange-specific anomalies, review the list of users in sensitive roles such as mailbox import export and Organization Management using the Get-ManagementRoleAssignment cmdlet in Exchange PowerShell.

  1. Restrict access

Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords and Enable MFA. Use tools like LAPS.

Place access control list (ACL) restrictions on ECP and other virtual directories in IIS. Don’t expose the ECP directory to the web if it isn’t necessary and to anyone in the company who doesn’t need to access it. Apply similar restrictions to other application pools.

  1. Prioritize alerts

Pay attention to and immediately investigate alerts indicating suspicious activities on Exchange servers. Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Common application pools like ‘MSExchangeOWAAppPool’ or ‘MSExchangeECPAppPool’ are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as net.exe, cmd.exe, and mshta.exe originating from these pools or w3wp.exe in general.

Behavior-based blocking and containment capabilities in Microsoft Defender Advanced Threat Protection stop many of the malicious activities we described in this blog. Behavior-based blocking and containment stops advanced attacks in their tracks by detecting and halting malicious processes and behaviors.

 

 

Figure 7. Microsoft Defender ATP alerts on blocked behaviors

In addition, Microsoft Defender ATP’s endpoint detection and response (EDR) sensors provide visibility into other suspicious and malicious activities on Exchange servers, which are raised as alerts. The new alert page presents data in an investigation-driven approach meant to empower SecOps teams to easily investigate and take actions.

Figure 8. Microsoft Defender ATP alert and process tree

If these alerts are immediately prioritized, security operations teams can better mitigate attacks and prevent further damage. Beyond resolving these alerts in the shortest possible time, however, organizations should focus on investigating the end-to-end attack chain and trace the vulnerability, misconfiguration, or other weakness in the infrastructure that allowed the attack to occur.

Microsoft Defender ATP is a component of the broader Microsoft Threat Protection (MTP), which provides comprehensive visibility into advanced attacks by combining the capabilities of Office 365 ATP, Azure ATP, Microsoft Cloud App Security, and Microsoft Defender ATP. Through the incidents view, MTP provides a consolidated picture of related attack evidence that shows the complete attack story, empowering SecOps teams to thoroughly investigate attacks.

In addition, MTP’s visibility into malicious artifacts and behavior empowers security operations teams to proactively hunt for threats on Exchange servers. For example, MTP can be connected to Azure Sentinel to enable web shell threat hunting.

Through built-in intelligence and automation, Microsoft Threat Protection coordinates protection, detection, and response across endpoints, identity, data, and apps. Learn more.

 

Hardik Suri

Microsoft Defender ATP Research Team

 

MITRE ATT&CK techniques

Initial access

Execution

Persistence

Privilege escalation

Defense evasion

Credential access

Discovery

Lateral movement

Collection

Command and control

Exfiltration

 

The post Defending Exchange servers under attack appeared first on Microsoft Security.

CISO Stressbusters: Post #2: 4 tips for getting the first 6 months right as a new CISO

June 23rd, 2020 No comments

In your first six months in a new Chief Information Security Officer (CISO) role, you will often be tasked with building a security program. For some of us this is the most exciting part of the job, but it can also be stressful. You’re probably working under a deadline. Plus, it can be difficult to affect change while you’re learning the corporate culture.

In my role as CISO at Mainstay Technologies, I run a team that is responsible for security for each of our clients. I’ve learned a lot about what it takes to create a security program that’s sustainable in different organization types, sizes and industries. In this post, the second in the CISO Stressbusters series, I’ve distilled my learnings into four tips that you can apply to your own organization.

1. What makes your organization tick?

An effective security program requires participation from people across the organization. If you understand what drives decision-making and behavior, it will help you develop a scalable and sustainable plan that will be implemented and accepted into your culture. Talk with and interview team members at all levels of the organization and across departments to understand the shared values that drive the company. Identify how the organization collaborates, how decisions are made, and what your company’s risk tolerance is.

2. Do you know where all your data is? Are you sure?

Before you can implement a new program, you need to understand your current state and the gap that exists between where you are today and standards that must be met. You may need to lower real-world risk, satisfy compliance demands, or likely, both.

Start by identifying data privacy laws that you must comply with (i.e., California Privacy Protect Act or Massachusetts 201 CMR 17) and compliance frameworks that you may be contractually obligated to adhere to (i.e., DFARS NIST 800-171 or CMMC) or select a standard you will align yourself to (i.e., the NIST Cybersecurity Framework). The data that you are trying to protect must be at the core of a discovery effort. Are you protecting classified information, controlled unclassified information, patient health information, personally identifiable information, etc.? Classify it, then identify how it flows and where it lives. Then build defensive layers to protect it.

A risk assessment should be completed that includes your compliance gap analysis as well as a detailed analysis of internal and external threats and vulnerabilities (technical and organizational). This will also help to generate your risk profile: Risk equals probability multiplied by impact.

It’s also helpful to gather tangible evidence when conducting your assessment. Vulnerability, account control, and role-based access reports should all be standard. During your interviews you may hear about very organized data flows. Run a data discovery scan to see what type of data is actually being stored in which locations. Do you know how well trained your staff is? Think about integrating a red team exercise or include physical security tests. Or consider starting with something basic like phishing tests.

When Mainstay engages with a new client, we interview stakeholders to understand how they manage and protect data, and then we verify. When the assessment is complete, we move into mitigation and remediation strategies. This includes developing plans to close technical, administrative, and physical gaps. If you don’t have written information security policies and a system security plan, this should be evident in your assessment and will be part of your remediation strategy. If you don’t know who is in your building or connected to your network, physical controls, and network access controls should be implemented. We often find that data controls aren’t nearly as strong as people think, so when it comes to assessment the best approach is trust but verify.

Microsoft Defender Advanced Threat Protection (ATP) is a great technical example of software that can help you identify and manage threats and vulnerabilities in your environment.

3. Mind the gap

A thorough risk assessment gives you the data you need to start building your information security program. From there, highlight your gaps and build a remediation roadmap with milestones.  Your security posture should increase each step of the way. Work towards a continuous monitoring strategy. Define where you would like your security program to be in six months vs. two years, align with your stakeholders, and build momentum. Prioritize quick wins that you can close out now to help reduce risk immediately.

4. Map everything to the “Why”

Upfront legwork to understand the corporate culture will pay off when it’s time to establish new security policies and training. You will need to embed operational change throughout the organization. To do so requires company buy-in and participation.

Educate executives and business leaders on risk management. Show them how the changes you are recommending will improve ROI. Develop a cross-discipline governance team that reports on cybersecurity risk management at the leadership level. Conduct regular training and check ins to make sure processes are being followed. By distributing the responsibility, you will alleviate the pressure on you and your team, and it will help you build a security culture. A win-win!

Looking ahead

The job of a CISO is stressful. Don’t do it alone. Ally with people in your organization who share your values and can help you achieve your goals. Connect with CISOs from other companies who can commiserate and share advice. And stay tuned for the next CISO Stressbuster post for more advice from other CISOs and security professionals in the trenches.

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to Diana Kelley on LinkedIn if you’re interested in being interviewed for one of our upcoming posts on CISO insights and stressbusters.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post CISO Stressbusters: Post #2: 4 tips for getting the first 6 months right as a new CISO appeared first on Microsoft Security.

Microsoft continues to extend security for all with mobile protection for Android

June 23rd, 2020 No comments

Just a year ago, we shared our first steps on a journey to enable our customers to protect endpoints running a variety of platforms with our announcement of Microsoft Defender ATP for Mac. Knowing that each of our customers have unique environments and unique needs and are looking for more unification in their security solutions, we communicated our commitment to build security solutions from Microsoft, not just for Microsoft. Since then, we’ve announced capabilities for Linux servers, and at RSA, and we offered you a sneak peek into our mobile threat defense investments.

Today, I’m proud to announce the public preview of Microsoft Defender ATP for Android.

Protecting mobile devices from evolving threats, phishing attacks, unwanted apps

As more business is getting done on mobile devices, the lines blur between work and personal life. The threats here are unique. For example, one of the biggest and fastest growing threats on mobile is phishing attacks, majority of which happen outside of email, such as via phishing sites, messaging apps, games, and other applications, and are tricky to spot on smaller form factors. Other common mobile threats include malicious applications that users are lured into downloading, as well as increased risk introduced by rooted devices that may allow unnecessary escalated privileges and the installation of unauthorized applications.

In this rapidly evolving world of mobile threats, Microsoft is taking a holistic approach to tackling these challenges and to securing enterprises and their data with our new mobile threat defense capabilities. We’re leveraging our unique visibility into the threat landscape and the vast signal, intelligence, and security expertise we have from across domains, such as our expertise in phishing and email, our endpoint threat research on malware and attacker techniques, and our focus on identity and zero trust to bring protection capabilities to mobile. Our integrated approach to security enables us to provide more complete coverage. Leveraging these capabilities, Microsoft Defender ATP for Android will help to protect our customers and their users by delivering:

  • Protection from phishing and access to risky domains and URLs through web protection capabilities that will block unsafe sites accessed through SMS/text, WhatsApp, email, browsers, and other apps. We’re using the same Microsoft Defender SmartScreen services that are on Windows to quickly detect malicious sites which means that a decision to block a suspicious site will apply across all devices in the enterprise.
  • Proactive scanning of malicious applications, files, and potentially unwanted applications (PUA) that users may download to their mobile devices. Our capabilities and investments in cloud-powered protection and intelligence on application reputation allow us to quickly detect sophisticated malware and apps that that may display undesirable behavior.
  • Adding layers of protection to help prevent and limit the impact of breaches in an organization. By leveraging tight integration with Microsoft Endpoint Manager and Conditional Access, mobile devices that have been compromised with malicious apps or malware are considered high risk and are blocked from accessing corporate resources.
  • A unified security experience through Microsoft Defender Security Center where defenders can see alerts and easily get the additional context they need to quickly assess and respond to threats across Windows, Mac, Linux, and now mobile devices.

There’s more to share on how these capabilities work and how to get started on the blog in the Microsoft Defender ATP tech community.

In the coming months we will be releasing additional capabilities on Android and you will hear more from us about our investments in mobile threat defense for iOS devices as well.

I’m also thrilled to share that our initial release of Microsoft Defender ATP for Linux is now generally available. Customers have asked us to broaden our selection of platforms natively supported by Microsoft Defender ATP, and today we’re excited to officially start our journey with Linux. This release marks an important moment for all Microsoft Defender ATP customers when Microsoft Defender ATP becomes a truly unified solution to secure the full spectrum of desktop and server platforms that are common across enterprise environments: Windows, macOS, and Linux.

We are committed to helping organizations secure their unique and heterogenous environments and we have so much more in store for you this year. We’re excited for you to join us in our journey as we continue to deliver the industry’s best in integrated threat protection solutions.

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 

-Rob

The post Microsoft continues to extend security for all with mobile protection for Android appeared first on Microsoft Security.

Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments

June 22nd, 2020 No comments

Today, we’re excited to announce that Microsoft has acquired CyberX, a comprehensive, network-based IoT security platform with continuous threat monitoring and sophisticated analytics that addresses IoT security in a holistic way across the enterprise. CyberX will complement the existing Azure IoT security capabilities, and extends to existing devices including those used in industrial IoT, operational technology, and infrastructure scenarios.

To learn more, head over to the official Microsoft blog.

The post Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments appeared first on Microsoft Security.

Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments

June 22nd, 2020 No comments

Today, we’re excited to announce that Microsoft has acquired CyberX, a comprehensive, network-based IoT security platform with continuous threat monitoring and sophisticated analytics that addresses IoT security in a holistic way across the enterprise. CyberX will complement the existing Azure IoT security capabilities, and extends to existing devices including those used in industrial IoT, operational technology, and infrastructure scenarios.

To learn more, head over to the official Microsoft blog.

The post Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments appeared first on Microsoft Security.

Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments

June 22nd, 2020 No comments

Today, we’re excited to announce that Microsoft has acquired CyberX, a comprehensive, network-based IoT security platform with continuous threat monitoring and sophisticated analytics that addresses IoT security in a holistic way across the enterprise. CyberX will complement the existing Azure IoT security capabilities, and extends to existing devices including those used in industrial IoT, operational technology, and infrastructure scenarios.

To learn more, head over to the official Microsoft blog.

The post Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments appeared first on Microsoft Security.

Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments

June 22nd, 2020 No comments

Today, we’re excited to announce that Microsoft has acquired CyberX, a comprehensive, network-based IoT security platform with continuous threat monitoring and sophisticated analytics that addresses IoT security in a holistic way across the enterprise. CyberX will complement the existing Azure IoT security capabilities, and extends to existing devices including those used in industrial IoT, operational technology, and infrastructure scenarios.

To learn more, head over to the official Microsoft blog.

The post Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments appeared first on Microsoft Security.

Modernizing the security operations center to better secure a remote workforce

June 22nd, 2020 No comments

The response to COVID-19 has required many security operations centers (SOCs) to rethink how they protect their organizations. With so many employees working remotely, IT groups are routing more traffic directly to cloud apps, rather than through the network. In this model, traditional network security controls aren’t enough. Endpoint signals and identity-based security matter more than ever.

Even under the best circumstances, managing and working in an SOC is stressful—and these aren’t normal times! We know you’re under a lot of pressure, with less visibility and concerns over balancing user productivity without compromising security. But we also know many of the changes companies have made to support remote work during this crisis will remain in place once the virus is gone—some have already announced more flexible and permanent remote work policies. In light of this new reality, the SOC will also need to adjust. In this blog, we’ve outlined some principles of the modern SOC which can guide that transition. You can also hear us discuss these concepts by viewing a replay of the 2020 Microsoft Virtual Security and Compliance Summit.

It’s a multi-cloud world

Odds are good your organization doesn’t use just one cloud. You may manage much of your infrastructure on Microsoft Azure, but you also probably use Amazon Web Services (AWS) or Google Cloud Platform (GCP) too. And when we say cloud, we don’t just mean infrastructure as a service (IaaS). We also mean development work on a platform as a service (PaaS) and software-as-a-service (SaaS) apps hosted in a cloud—although it’s not always clear which cloud it’s hosted on. Without visibility across all platforms where business information is stored and transacted, you don’t have a full view of your corporate security program and risk profile.

Although the major cloud service providers offer tools that let you monitor their environment extensively, you need a holistic view to correlate threats and assess how one threat may impact another resource. Solutions like Microsoft Cloud App Security give you tools to detect cloud apps and monitor and protect them, while Azure Sentinel collects and analyzes data across on-premises and in multiple clouds.

Visibility into all connected devices

As more employees use cloud apps and mobile devices for work, the traditional network security perimeter has lost relevance. This puts greater emphasis on endpoint monitoring and protection. But it goes beyond employee devices. There has been an explosion of the internet of things (IoT) across industries. The industrial internet of things (IIoT) and industrial control systems (ICS) provide yet another opportunity for bad actors to infiltrate your environment. Security platforms like Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can help you prevent, detect, investigate, and respond to threats across all your endpoints. And Microsoft Defender ATP integrates with Microsoft Threat Protection to give you visibility across devices, identity, cloud apps, data, and infrastructure.

Humans and machine learning working together

Part of what makes this job so challenging is the sheer number of endpoints and environments that need to be monitored. Each of those entities produces thousands of alerts—not all of which are legitimate threats. If you are using several security tools that aren’t well integrated, correlating signals across your entire environment is tough. To find the real threats, you may spend hours combing through false positives. Alert fatigue is inevitable, making it easy to miss true issues.

In the modern SOC, artificial intelligence (AI) and machine learning (ML) will be deployed to help people focus on the right problems. If you’re worried that AI and ML will automate you out of a job, “help people” was the most important part of the previous sentence. We believe people are (and will continue to be) a necessary part of cyber defense work. AI and ML are simply not equipped to do the complex problem solving that people do. What AI and ML can do is reduce the noise, so that people can focus on responding to more complex threats and trying to uncover what the humans behind attacks are planning next.

In solutions like Azure Sentinel, AI and ML reason over massive amounts of data to better detect behavior that indicates compromise. Using probabilistic models, such as Markov Chain Monte Carlo simulations, Azure Sentinel takes low fidelity alerts and combines them into fewer actionable high-fidelity alerts, increasing the true positive rate to reduce analyst alert fatigue.

Gamification of security training

The core mission of the SOC is to identify compromise rapidly and respond to incidents. In the middle of an attack, minutes matter, so it’s critical that you respond quickly and intelligently. But these are also the moments when adrenaline runs high, and people panic. You may not make the best decisions in a state of high alert. To provide structure during an incident, it helps to have a plan.

A playbook includes a set of processes and steps for various triggers. Written playbooks provide you a reference in the heat of the moment. You can also automate playbooks using the security orchestration, automation, and response (SOAR) capabilities in solutions like Azure Sentinel.

Practicing your plan can help build muscle memory. In tabletop exercises, teams talk though how they would respond to specific scenarios in a low stress environment. When an actual attack occurs, they draw on these exercises to inform decision making.

To better engage participants, many SOCs are gamifying their training sessions. Capture the flag contests divide groups into a red team (the attackers) and a blue team (the defenders) and challenges them to defend (or capture) a computer system. Microsoft’s OneHunt brings together security professionals across the Microsoft organization to conduct a weeklong red team vs. blue team simulation. At the Ignite World Tour, Into the Breach was one of the most popular events. In this game, participants defended a system from an AI-generated attack using Azure Sentinel and Microsoft Threat Protection solutions. Activities like these let teams practice in a fast-moving situation that replicates the experience of a real attack, without the high stakes.

Learn more

It’s been a tough few months for technology teams supporting a rapid migration to remote work. As you begin to modernize your SOC for our new reality, the following resources may help:

For more information about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to Diana on LinkedIn or Twitter.

The post Modernizing the security operations center to better secure a remote workforce appeared first on Microsoft Security.

Barracuda and Microsoft: Securing applications in public cloud

June 18th, 2020 No comments

This blog was written by a MISA partner. To learn more about MISA, visit our website.

Barracuda Cloud Application Protection (CAP) platform features integrations with Microsoft Azure Active Directory (Azure AD) and Azure Security Center. A component of CAP, Barracuda WAF-as-a-Service is built on Microsoft Azure and provides advanced WAF capabilities in an easy to deploy and manage solution.

In our last blog, I spoke about how Barracuda and Microsoft are working together to remove barriers to faster public cloud adoption. The post focused on remote access, networks, and secure connectivity to public cloud. The topic of this blog post is to share some thoughts on how web applications in public cloud are secured. 

Accelerating digital transformation

As I mentioned last time, digital transformation is fundamentally changing today’s enterprises, making digital assets—data and applications—key to doing business. Organizations are increasingly competing based on their digital agility, and of course web applications are central to how digital businesses operate today.

In order to develop and update applications faster, organizations are deploying DevOps processes and agile methodologies, and they are moving their infrastructure to the cloud. However, while applications are developed and deployed faster than ever, secure coding practices have not kept pace, resulting in a constantly growing number of open vulnerabilities that can be exploited.

At the same time, the threat environment is continuously evolving and becoming more challenging. Hackers are getting more sophisticated; they are now professional criminals or even nation states. In addition to manual hacking attacks, bots and botnets are increasingly used to attack enterprise infrastructures through web applications. These automated exploits are often executed as Distributed Denial of Service (or DDoS) attacks, at both network and application layer. And of course, malware is constantly getting more advanced. The growth in the number of unprotected application vulnerabilities, coupled with the increase in hacking and malware, has resulted in a perfect storm of data breaches. So, application security is a key requirement for successful digital transformation. A recent Microsoft Build 2020 blog post focused on how Microsoft is helping developers build more secure applications.

Is the latest health crisis going to slow down the digital transformation process? In fact, it appears the opposite is occurring—it is acting as a catalyst. In the last blog, we discussed how the sudden increase in remote work is accelerating the network evolution. In addition, similar changes are occurring in the applications landscape.

As people stay at home due to government orders, they are increasingly transacting online. Brick-and-mortar stores are closed, and to stay in business retailers and other businesses are shifting all their operations online.

Leveraging public cloud for web applications

Such rapid scaling of online operations is difficult and expensive to achieve using traditional datacenters. Fortunately, public cloud providers such as Microsoft Azure provide robust platforms that allow customers to quickly scale up application infrastructure—now things can be completed in days or even hours, instead of weeks or months. And of course, the flexibility that comes with public cloud deployments is especially valuable now, as there is a lot of uncertainty about how long lockdowns will continue and whether online capacity would need to be reduced in the future.

We have seen a significant increase in hacking, DDoS, and bot attacks during the last couple of months, so in addition to scaling up online capacity, it is critically important to ensure security and availability. Using a complete application security platform is the best way to protect applications from all attack vectors, including hacking, DDoS, bots, and even API attacks.

Types and number of online threats in the public cloud.

In the new report, Future shock: the cloud is the new network,1 published in February, Barracuda surveyed 750 IT decision makers responsible for their organizations’ cloud infrastructure. We learned that organizations are well on their way to moving their infrastructure to public cloud, with 45 percent of IT infrastructure already running in the cloud today and rising to an estimated 76 percent in 5 years.

At the same time, the top concern restricting an even faster adoption of public cloud is security, with 70 percent of the respondents indicating that security concerns restrict their organizations’ adoption of public cloud.

If you look at the type of security issues that are the biggest blockers to public cloud adoption, the top two are sophisticated hackers and open vulnerabilities in applications. Also on the list are DDoS attacks and advanced bots/botnets, and from conversations with both customers and analysts since the onset of COVID-19, it appears that both DDoS attacks and bot attacks have spiked up even higher.

Barracuda Cloud Application Protection (CAP) platform is a comprehensive, scalable and easy-to-deploy platform that secures applications wherever they reside.

 

About Barracuda

At Barracuda we strive to make the world a safer place. We believe every business deserves access to cloud-enabled, enterprise-grade security solutions that are easy to buy, deploy, and use. We protect email, networks, data, and applications with innovative solutions that grow and adapt with our customers’ journey. More than 150,000 organizations worldwide trust Barracuda to protect them—in ways they may not even know they are at risk—so they can focus on taking their business to the next level. For more information, visit barracuda.com.

View our integration videos

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


1Future shock: the cloud is the new network, Barracuda, February 2020

The post Barracuda and Microsoft: Securing applications in public cloud appeared first on Microsoft Security.

Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint

June 18th, 2020 No comments

The increasing pervasiveness of cloud services in today’s work environments, accelerated by a crisis that forced companies around the globe to shift to remote work, is significantly changing how defenders must monitor and protect organizations. Corporate data is spread across multiple applications—on-premises and in the cloud—and accessed by users from anywhere using any device. With traditional surfaces expanding and network perimeters disappearing, novel attack scenarios and techniques are introduced.

Every day, we see attackers mount an offensive against target organizations through the cloud and various other attack vectors with the goal of finding the path of least resistance, quickly expanding foothold, and gaining control of valuable information and assets. To help organizations fend off these advanced attacks, Microsoft Threat Protection (MTP) leverages the Microsoft 365 security portfolio to automatically analyze cross-domain threat data, building a complete picture of each attack in a single dashboard. With this breadth and depth of clarity, defenders can focus on critical threats and hunting for sophisticated breaches across endpoints, email, identities and applications.

Among the wide range of actors that Microsoft tracks—from digital crime groups to nation-state activity groups—HOLMIUM is one of the most proficient in using cloud-based attack vectors. Attributed to a Middle East-based group and active since at least 2015, HOLMIUM has been performing espionage and destructive attacks targeting aerospace, defense, chemical, mining, and petrochemical-mining industries. HOLMIUM’s activities and techniques overlap with what other researchers and vendors refer to as APT33, StoneDrill, and Elfin.

HOLMIUM has been observed using various vectors for initial access, including spear-phishing email, sometimes carrying archive attachments that exploit the CVE-2018-20250 vulnerability in WinRAR, and password-spraying. Many of their recent attacks, however, have involved the penetration testing tool Ruler used in tandem with compromised Exchange credentials.

The group used Ruler to configure a specially crafted Outlook Home Page URL to exploit the security bypass vulnerability CVE-2017-11774, which was fixed shortly after it was discovered. Successful exploitation automatically triggered remote code execution of a script when an Outlook client synced with a mailbox and rendered the profile Home Page URL. These scripts, usually VBScript followed by PowerShell, in turn initiated the delivery of various payloads.

In this blog, the first in the Inside Microsoft Threat Protection series, we will show how MTP provides unparalleled end-to-end visibility into the activities of nation-state level attacks like HOLMIUM. In succeeding blog posts in this series, we will shine a spotlight on aspects of the coordinated defense delivered by Microsoft Threat Protection.

Tracing an end-to-end cloud-based HOLMIUM attack

HOLMIUM has likely been running cloud-based attacks with Ruler since 2018, but a notable wave of such attacks was observed in the first half of 2019. These attacks combined the outcome of continuous password spray activities against multiple organizations, followed by successful compromise of Office 365 accounts and the use of Ruler in short sequences to gain control of endpoints. This wave of attacks was the subject of a warning from US Cybercom in July 2019.

These HOLMIUM attacks typically started with intensive password spray against exposed Active Directory Federation Services (ADFS) infrastructure; organizations that were not using multi-factor authentication (MFA) for Office 365 accounts had a higher risk of having accounts compromised through password spray. After successfully identifying a few user and password combinations via password spray, HOLMIUM used virtual private network (VPN) services with IP addresses associated with multiple countries to validate that the compromised accounts also had access to Office 365.

Figure 1. Password spray and compromised account sign-ins by HOLMIUM as detected in Azure Advanced Threat Protection (ATP) and Microsoft Cloud App Security (MCAS)

Armed with a few compromised Office 365 accounts and not blocked by MFA defense, the group launched the next step with Ruler and configured a malicious Home Page URL which, once rendered during a normal email session, resulted in the remote code execution of a PowerShell backdoor through the exploitation of a vulnerability like CVE-2017-11774. The two domains abused by HOLMIUM and observed during this 2019 campaign were “topaudiobook.net” and “customermgmt.net”.

Figure 2. Exploitation of Outlook Home Page feature using Ruler-like tools

Figure 3. Weaponized home page and initial PowerShell payload

This initial foothold allowed HOLMIUM to run their custom PowerShell backdoor (known as POWERTON) directly from an Outlook process and to perform the installation of additional payloads on the endpoint with different persistence mechanisms, such as WMI subscription (T1084) or registry autorun keys (T1060). Once the group has taken control of the endpoint (in addition to the cloud identity), the next phase was hours of exploration of the victim’s network, enumerating user accounts and machines for additional compromise, and lateral movement within the perimeter. HOLMIUM attacks typically took less than a week from initial access via the cloud to obtaining unhampered access and full domain compromise, which then allowed the attackers to stay persistent for long periods of time, sometimes for months on end.

Figure 4. Snippets of HOLMIUM PowerShell backdoor (POWERTON) implementing two different persistence mechanisms: WMI event subscription (T1084) and Registry run keys or Startup folder (T1060)

HOLMIUM attacks as seen and acted upon by Microsoft Threat Protection

HOLMIUM attacks demonstrate how hybrid attacks that span from cloud to endpoints require a wide range of sensors for comprehensive visibility. Enabling organizations to detect attacks like these by correlating events in multiple domains – cloud, identity, endpoints – is the reason why we build products like Microsoft Threat Protection. As we described in our analysis of HOLMIUM attacks, the group compromised identities in the cloud and leveraged cloud APIs to gain code execution or persist. The attackers then used a cloud email configuration to run specially crafted PowerShell on endpoints every time the Outlook process is opened.

During these attacks, many target organizations reacted too late in the attack chain—when the malicious activities started manifesting on endpoints via the PowerShell commands and subsequent lateral movement behavior. The earlier attack stages like cloud events and password spray activities were oftentimes missed or sometimes not linked with activities observed on the endpoint. This resulted in gaps in visibility and, subsequently, incomplete remediation.

While it’s relatively easy to remediate and stop malicious processes and downloaded malware on endpoints using endpoint security solutions, such a conventional approach would mean that the attack is persistent in the cloud, so the endpoint could be immediately compromised again. Remediating identities in the cloud is a different story.

Figure 5. The typical timeline of a HOLMIUM attack kill-chain

In an organization utilizing MTP, multiple expert systems that monitor various aspects of the network would detect and raise alerts on HOLMIUM’s activities. MTP sees the full attack chain across domains beyond simply blocking on endpoints or zapping emails, thus putting organizations in a superior position to fight the threat.

Figure 6. MTP components able to prevent or detect HOLMIUM techniques across the kill chain.

These systems work in unison to prevent attacks or detect, block, and remediate malicious activities. Across affected domains, MTP detects signs of HOLMIUM’s attacks:

  • Azure ATP identifies account enumeration and brute force attacks
  • MCAS detects anomalous Office 365 sign-ins that use potentially compromised credentials or from suspicious locations or networks
  • Microsoft Defender ATP exposes malicious PowerShell executions on endpoints triggered from Outlook Home Page exploitation

Figure 7. Activities detected across affected domains by different MTP expert systems

Traditionally, these detections would each be surfaced in its own portal, alerting on pieces of the attack but requiring the security team to stitch together the full picture. With Microsoft Threat Protection, the pieces of the puzzle are fused automatically through deep threat investigation. MTP generates a combined incident view that shows the end-to-end attack, with all related evidence and affected assets in one view.

Figure 8. The MTP incident brings together in one view the entire end-to-end attack across domain boundaries

Understanding the full attack chain enables MTP to automatically intervene to block the attack and remediate assets holistically across domains. In HOLMIUM attacks, MTP not only stops the PowerShell activity on endpoints but also contains the impact of stolen user accounts by marking them as compromised in Azure AD. This invokes Conditional Access as configured in Azure AD and applies conditions like MFA or limitations on the user account’s permissions to access organizational resources until the account is remediated fully.

Figure 9. Coordinated automatic containment and remediation across email, identity, and endpoints

Security teams can dig deep and expand their investigation into the incident in Microsoft 365 Security Center, where all details and related activities are available in one place. Furthermore, security teams can hunt for more malicious activities and artifacts through advanced hunting, which brings together all the raw data collected across product domains into one unified schema with powerful query constructs.

Figure 10. Hunting for activities across email, identity, endpoint and cloud applications

Finally, when the attack is blocked and all affected assets are remediated, MTP helps organizations identify improvements to their security configuration that would prevent the attacker from returning. The Threat Analytics report provides an exposure view and recommends prevention measures relevant to the threat. For example, the Analytics Report for HOLMIUM recommended, among other things, applying the appropriate security updates to prevent tools like Ruler from operating, as well as completely eliminating this attack vector in the organization.

Figure 11. Threat Analytics provides organizational exposure and recommended mitigations for HOLMIUM 

Microsoft Threat Protection: Stop attacks with automated cross-domain security

HOLMIUM exemplifies the sophistication of today’s cyberattacks, which leverage techniques spanning organizational cloud services and on-prem devices. Organizations must equip themselves with security tools that enable them to see the attack sprawl and respond to these attacks holistically and automatically. Protecting organizations from sophisticated attacks like HOLMIUM is the backbone of MTP.

Microsoft Threat Protection harnesses the power of Microsoft 365 security products and brings them together into an unparalleled coordinated defense that detects, correlates, blocks, remediates, and prevents such attacks across an organization’s Microsoft 365 environment. Existing Microsoft 365 licenses provide access to Microsoft Threat Protection features in Microsoft 365 security center without additional cost. Learn how Microsoft Threat Protection can help your organization to stop attacks with coordinated defense.

 

The post Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint appeared first on Microsoft Security.

Moving to cloud-based SIEM: the cost advantage

June 17th, 2020 No comments

Companies weigh multiple factors in any technology implementation, balancing risks with business needs and IT capabilities. And while the same is true with cloud-based security information and event management (SIEM) solutions, cost overwhelmingly shapes the discussion as well.

For example, according to new IDG research among 300 IT and security leaders, the top outcomes respondents expect by switching to cloud-based SIEM include:

  • Forty percent—lower staffing costs.
  • Forty percent—lower operational expenses (OpEx).
  • Thirty-four percent—lower capital expenses (CapEx).

“If you look at it on the surface, the cloud is more expensive than on-premises. But you have to factor in the soft costs…” said one technology services CIO. In fact, for this CIO and his company, it no longer made sense to continue running traditional on-premises SIEM in his datacenter.

“It was very hard to continue to expand,” he explained. “It wasn’t super cost effective. It was pushing our bandwidth. Managing it internally required skillsets that I wouldn’t need with a cloud-based implementation.”

This blog will summarize some of the key findings in a new IDG report published by Microsoft Azure. You can learn about additional challenges to security operations teams by reading the IDG report: SIEM Shift: How the Cloud is Transforming Security Operations.

Unmasking cost factors

All those soft costs add up. IDG found that cloud-based SIEM users spend, on average, $541,000 per year to support their solution, while on-premises companies are averaging $607,000.

Traditional on-premises SIEM users reported higher costs across the board—including for licensing, maintenance, software, and staffing expenditures. They were also more likely to cite hidden costs associated with supporting their on-premises solutions, including:

  • Staffing/training SIEM analysts.
  • Initial purchase/licensing costs.
  • Integration of data sources.

On the other hand, respondents using cloud-based SIEM solutions are focused on finding further efficiencies. For example, they’re automating operations at nearly double the rate of on-premises users. They’ve discovered that by shifting these tasks to an automated cloud solution, personnel can focus on more strategic initiatives.

Following a transition to cloud-based SIEM, “Nobody lost their job,” said one senior solutions architect for a telecom company. In fact, those workers who originally supported the on-premises solution were retrained and moved into DevOps, he said.

The bottom line

On-premises SIEM users are 11 percent more likely than cloud-based implementers to cite total cost of ownership as an existing challenge, according to IDG. As data volumes continue to grow, managing total cost of ownership (TCO) for traditional SIEM can become unwieldy. Infrastructure expenses will increase, right along with the staffing needs to support the solution.

“When you look at total cost of ownership, the cloud SIEM model becomes very attractive,” said Bob Bragdon, Senior Vice President and Publisher, CSO. “Particularly in terms of not having to build out and maintain a supporting infrastructure. When you can push that to the cloud and move from a CapEx model to an OpEx model, the financial dynamics shift considerably.”

Learn about other areas where on-premises and cloud-based SIEM like Azure Sentinel measure up by reading the IDG report: SIEM Shift: How the Cloud is Transforming Security Operations.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on Twitter: @MSFTSecurity for the latest news and updates on cybersecurity.

The post Moving to cloud-based SIEM: the cost advantage appeared first on Microsoft Security.

UEFI scanner brings Microsoft Defender ATP protection to a new level

June 17th, 2020 No comments

Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is extending its protection capabilities to the firmware level with a new Unified Extensible Firmware Interface (UEFI) scanner.

Hardware and firmware-level attacks have continued to rise in recent years, as modern security solutions made persistence and detection evasion on the operating system more difficult. Attackers compromise the boot flow to achieve low-level malware behavior that’s hard to detect, posing a significant risk to an organization’s security posture.

Windows Defender System Guard helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like hypervisor-level attestation and Secure Launch, also known as Dynamic Root of Trust (DRTM), which are enabled by default in Secured-core PCs. The new UEFI scan engine in Microsoft Defender ATP expands on these protections by making firmware scanning broadly available.

The UEFI scanner is a new component of the built-in antivirus solution on Windows 10 and gives Microsoft Defender ATP the unique ability to scan inside of the firmware filesystem and perform security assessment. It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP.

How the UEFI scanner in Microsoft Defender ATP works

The new UEFI scanner reads the firmware file system at runtime by interacting with the motherboard chipset. To detect threats, it performs dynamic analysis using multiple new solution components that include:

  • UEFI anti-rootkit, which reaches the firmware through Serial Peripheral Interface (SPI)
  • Full filesystem scanner, which analyzes content inside the firmware
  • Detection engine, which identifies exploits and malicious behaviors

Firmware scanning is orchestrated by runtime events like suspicious driver load and through periodic system scans. Detections are reported in Windows Security, under Protection history.

Screenshot of Windows Security notification showing detection of malicious content in non-volatile memory (NVRAM)

Figure 1. Windows Security notification showing detection of malicious content in non-volatile memory (NVRAM)

Microsoft Defender ATP customers will also see these detections raised as alerts in Microsoft Defender Security Center, empowering security operations teams to investigate and respond to firmware attacks and suspicious activities at the firmware level in their environments.

Screenshot of Microsoft Defender ATP alert for detection of malicious code in firmware

Figure 2. Microsoft Defender ATP alert for detection of malicious code in firmware

Security operations teams can also use the advanced hunting capabilities in Microsoft Defender ATP to hunt for these threats:

DeviceEvents
| where ActionType == "AntivirusDetection"
| extend ParsedFields=parse_json(AdditionalFields)
| extend ThreatName=tostring(ParsedFields.ThreatName)
| where ThreatName contains_cs "UEFI"
| project ThreatName=tostring(ParsedFields.ThreatName),
 FileName, SHA1, DeviceName, Timestamp
| limit 100

To detect unknown threats in SPI flash, signals from the UEFI scanner are analyzed to identify anomalies and where they have been executed. Anomalies are reported to the Microsoft Defender Security Center for investigation.

Screenshot of Microsoft Defender ATP alert for possible malware implant in UEFI file system

Figure 3. Microsoft Defender ATP alert for possible malware implant in UEFI file system

These events can likewise be queried through advanced hunting:

DeviceAlertEvents
| where Title has "UEFI"
| summarize Titles=makeset(Title) by DeviceName, DeviceId, bin(Timestamp, 1d)
| limit 100

How we built the UEFI scanner

The Unified Extensible Firmware Interface (UEFI) is a replacement for legacy BIOS. If the chipset is configured correctly (UEFI & chipset configuration itself) and secure boot is enabled, the firmware is reasonably secure. To perform a hardware-based attack, attackers exploit a vulnerable firmware or a misconfigured machine to deploy a rootkit, which allows attackers to gain foothold on the machine.

Figure 4. Expected boot flow vs. compromised boot flow

As figure 4 shows, for devices that are configured correctly, the boot path from power-on to OS initialization is reliable. If secure boot is disabled or if the motherboard chipset is misconfigured, attackers can change the contents of UEFI drivers that are unsigned or tampered with in the firmware. This could allow attackers to take over control of devices and give them the capability to deprivilege the operating system kernel or antivirus to reconfigure the security of the firmware.

Diagram of UEFI platform initalization

Figure 5. UEFI platform initialization

The Serial Peripheral Interface (SPI) flash stores important information. Its structure depends on OEMs design, and commonly includes processor microcode update, Intel Management Engine (ME), and boot image, a UEFI executable. When a computer runs, processors execute the firmware code from SPI flash for a while during UEFI’s SEC phase. Instead of memory, the flash is permanently mapped to x86 reset vector (physical address 0xFFFF_FFF0). However, attackers can interfere with memory access to reset vector by software. They do this by reprogramming the BIOS control register on misconfigured devices, making it even harder for security software to determine exactly what gets executed during boot.

Once an implant is deployed, it’s hard to detect. To catch threats at this level, security solutions at the OS level relies on information from the firmware, but the chain of trust is weakened.

Technically, the firmware is not stored and is not accessible from main memory. As opposed to other software, it’s stored in SPI flash storage, so the new UEFI scanner must follow the hardware protocol provided by hardware manufacturers. To be compatible and be up to date with all platforms, it needs to take into consideration protocol differences.

Diagram of UEFI scanner internals

Figure 6. UEFI scanner internals overview

The UEFI scanner performs dynamic analysis on the firmware it gets from the hardware flash storage. By obtaining the firmware, the scanner is able to parse the firmware, enabling Microsoft Defender ATP to inspect firmware content at runtime.

Comprehensive security levels up with low-level protections

The new UEFI scanner adds to a rich set of Microsoft technologies that integrate to deliver chip-to-cloud security, from a strong hardware root of trust to cloud-powered security solutions at the OS level.

Hardware backed security features like Secure Launch and device attestation help stop firmware attacks. These features, which are enabled by default in Secured-core PCs, seamlessly integrate with Microsoft Defender ATP to provide comprehensive endpoint protection.

With its UEFI scanner, Microsoft Defender ATP gets even richer visibility into threats at the firmware level, where attackers have been increasingly focusing their efforts on. Security operations teams can use this new level of visibility, along with the rich set of detection and response capabilities in Microsoft Defender ATP, to investigate and contain such advanced attacks.

This level of visibility is also available in Microsoft Threat Protection (MTP), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps.

 

 

Kelvin Chan, Shweta Jha, Gowtham Reddy A

Microsoft Defender ATP team

 

 

The post UEFI scanner brings Microsoft Defender ATP protection to a new level appeared first on Microsoft Security.

Exploiting a crisis: How cybercriminals behaved during the outbreak

June 16th, 2020 No comments

In the past several months, seemingly conflicting data has been published about cybercriminals taking advantage of the COVID-19 outbreak to attack consumers and enterprises alike. Big numbers can show shifts in attacker behavior and grab headlines. Cybercriminals did indeed adapt their tactics to match what was going on in the world, and what we saw in the threat environment was parallel to the uptick in COVID-19 headlines and the desire for more information.

If one backtracked to early February, COVID-19 news and themed attacks were relatively scarce. It wasn’t until February 11, when the World Health Organization named the global health emergency as “COVID-19”, that attackers started to actively deploy opportunistic campaigns. The week following that declaration saw these attacks increase eleven-fold. While this was below two percent of overall attacks Microsoft saw each month, it was clear that cybercriminals wanted to exploit the situation: eople around the world were becoming aware of the outbreak and were actively seeking information and solutions to combat it.

Worldwide, we observed COVID-19 themed attacks peak in the first two weeks of March. That coincided with many nations beginning to take action to reduce the spread of the virus and travel restrictions coming into effect. By the end of March, every country in the world had seen at least one COVID-19 themed attack.

Graph showing trend of COVID-19 themed attacks and mapping key events during the outbreak

Figure 1. Trend of COVID-19 themed attacks

The rise in COVID-19 themed attacks closely mirrored the unfolding of the worldwide event. The point of contention was whether these attacks were new or repurposed threats. Looking through Microsoft’s broad threat intelligence on endpoints, email and data, identities, and apps, we concluded that this surge of COVID-19 themed attacks was really a repurposing from known attackers using existing infrastructure and malware with new lures.

In fact, the overall trend of malware detections worldwide (orange line in Figure 2) did not vary significantly during this time. The spike of COVID-19 themed attacks you see above (yellow line in Figure 1) is barely a blip in the total volume of threats we typically see in a month. Malware campaigns, attack infrastructure, and phishing attacks all showed signs of this opportunistic behavior. As we documented previously, these cybercriminals even targeted key industries and individuals working to address the outbreak. These shifts were typical of the global threat landscape, but what was peculiar in this case was how the global nature and universal impact of the crisis made the cybercriminal’s work easier. They preyed on our concern, confusion, and desire for resolution.

Graph showing trend of all attacks versus COVID-19 themed attacks

Figure 2. Trend of overall global attacks vs. COVID-19 themed attacks

After peaking in early March, COVID-19 themed attacks settled into a “new normal”. While these themed attacks are still higher than they were in early February and are likely to continue as long as COVID-19 persists, this pattern of changing lures prove to be outliers, and the vast majority of the threat landscape falls into typical phishing and identity compromise patterns.

Cybercriminals are adaptable and always looking for the best and easiest ways to gain new victims. Commodity malware attacks, in particular, are looking for the biggest risk-versus-reward payouts. The industry sometimes focuses heavily on advanced attacks that exploit zero-day vulnerabilities, but every day the bigger risk for more people is being tricked into running unknown programs or Trojanized documents. Likewise, defenders adapt and drive up the cost of successful attacks. Starting in April, we observed defenders greatly increasing phishing awareness and training for their enterprises, raising the cost and complexity barrier for cybercriminals targeting their employees. These dynamics behave very much like economic models if you turn “sellers” to “cybercriminals” and “customers” to “victims”.

Graph showing trend of COVID-19 themed attacks

Figure 3. Trend of COVID-19 themed attacks

Lures, like news, are always local

Cybercriminals are looking for the easiest point of compromise or entry. One way they do this is by ripping lures from the headlines and tailoring these lures to geographies and locations of their intended victims. This is consistent with the plethora of phishing studies that show highly localized social engineering lures. In enterprise-focused phishing attacks this can look like expected documents arriving and asking the user to take action.

During the COVID-19 outbreak, cybercriminals closely mimicked the local developments of the crisis and the reactions to them. Here we can see the global trend of concern about the outbreak playing out with regional differences. Below we take a deeper look at three countries and how local events landed in relation to observed attacks.

FOCUS: United Kingdom

Attacks targeting the United Kingdom initially followed a trajectory similar to the global data, but spiked early, appearing to be influenced by the news and concerns in the nation. Data shows a first peak approximately at the first confirmed COVID-19 death in the UK, with growth beginning again with the FTSE 100 stock crash on March 9, and then ultimately peaking around the time the United States announced a travel ban to Europe.

Graph showing trend of COVID-19 themed attacks and mapping key events during the outbreak in the UK

Figure 4. Trend of COVID-19 themed attacks in the United Kingdom showing unique encounters (distinct malware files) and total encounters (number of times the files are detected)

In the latter half of March, the United Kingdom increased transparency and information to the public as outbreak protocols were implemented, including the closure of schools. The attacks dropped considerably all the way to April 5, when Queen Elizabeth II made a rare televised address to the nation. The very next day, Prime Minister Boris Johnson, who was hospitalized on April 6 due to COVID-19, was moved to intensive care. Data shows a corresponding increase in attacks until April 12, the day the Prime Minister was discharged from the hospital. The level of themed attacks then plateaued at about 3,500 daily attacks until roughly the end of April. The UK government proclaimed the country had passed the peak of infections and began to restore a new normalcy. Attacks took a notable drop to around 2,000 daily attacks.

Sample phishing email with COVID-19 themed lure

Sample phishing email using COVID-19 themed lure

Figure 5. Sample COVID-19 themed lures in attacks seen in the UK

FOCUS: Republic of Korea

The Republic of Korea was one of the earliest countries hit by COVID-19 and one of the most active in combating the virus. We observed attacks in Korea increase and, like the global trend, peak in early March. However, the spike in attacks for this country is steeper than the worldwide average, coinciding with the earlier arrival of the virus here.

Graph showing trend of COVID-19 themed attacks and key events during the outbreak in South Korea

Figure 6. Trend of COVID-19 themed attacks in the Republic of Korea showing unique encounters (distinct malware files) and total encounters (number of times the files are detected)

Interestingly, themed attacks were minimal at the beginning of February despite the impact of the virus. Cybercriminals did not truly ramp up attacks until the middle of February, closely mapping key events like identifying patients from the Shincheonji religious organization, military base lock downs, and international travel restrictions. While these national news events did not create the attacks, it’s clear cybercriminals saw an opening to compromise more victims.

Increased testing and transparency about the outbreak mapped to a downward trajectory of attacks in the first half of March. Looking forward through the end of May, the trend of themed attacks targeting Korean victims significantly departed from the global trajectory. We observed increasing attacks as the country restored some civic life. Attacks ultimately reached a peak around May 23. Analysis is still ongoing to understand the dynamics that drove this atypical increase.

FOCUS: United States

COVID-19 themed attacks in the United States largely followed the global attack trend. The initial ascent began mid-February after the World Health Organization officially named the virus. Attacks reached first peak at the end of February, coinciding with the first confirmed COVID-19 death in the country, and hit its highest point by mid-March, coinciding with the announced international travel ban. The last half of March saw a significant decrease in themed attacks. Telemetry from April and May shows themed attacks leveling off between 20,000 and 30,000 daily attacks. The same pattern of themed attacks mirroring the development of the outbreak and local concern likely played out at the state level, too.

Graph showing trend of COVID-19 themed attacks and mapping key events during the outbreak in the United States

Figure 7. Trend of COVID-19 themed attacks in the United States showing unique encounters (distinct malware files) and total encounters (number of times the files are detected)

Sample COVID-19 themed lure

Figure 8. Sample COVID-19 themed lures in attacks seen in the US

Conclusions

The COVID-19 outbreak has truly been a global event. Cybercriminals have taken advantage of the crisis to lure new victims using existing malware threats. In examining the telemetry, these attacks appear to be highly correlated to local interest and news.

Overall, COVID-19 themed attacks are just a small percentage of the overall threats the Microsoft has observed over the last four months. There was a global spike of themed attacks cumulating in the first two weeks of March. Based on the overall trend of attacks it appears that the themed attacks were at the cost of other attacks in the threat environment.

These last four months have seen a lot of focus on the outbreak – both virus and cyber. The lessons we draw from Microsoft’s observations are:

  • Cybercriminals adapt their tactics to take advantage of local events that are likely to lure the most victims to their schemes. Those lures change quickly and fluidly while the underlying malware threats remain.
  • Defender investment is best placed in cross-domain signal analysis, update deployment, and user education. These COVID-19 themed attacks show us that the threats our users face are constant on a global scale. Investments that raise the cost of attack or lower the likelihood of success are the optimal path forward.
  • Focus on behaviors of attackers will be more effective than just examining indicators of compromise, which tend to be more signals in time than durable.

To help organizations stay protected from the opportunistic, quickly evolving threats we saw during the outbreak, as well as the much larger total volume of threats, Microsoft Threat Protection (MTP) provides cross-domain visibility. It delivers coordinated defense by orchestrating protection, detection, and response across endpoints, identities, email, and apps.

Organizations should further improve security posture by educating end users about spotting phishing and social engineering attacks and practicing credential hygiene. Organizations can use Microsoft Secure Score to assesses and measure security posture and apply recommended improvement actions, guidance, and control. Using a centralized dashboard in Microsoft 365 security center, organizations can compare their security posture with benchmarks and establish key performance indicators (KPIs).

 

The post Exploiting a crisis: How cybercriminals behaved during the outbreak appeared first on Microsoft Security.

Stay ahead of multi-cloud attacks with Azure Security Center

June 15th, 2020 No comments

The COVID-19 crisis has challenged just about every business on the planet to quickly adapt and transform. With massive workforces now remote, IT administrators and security professionals are under increased pressure to keep these workers connected and productive while combating evolving threats, many of which are taking advantage of the situation.

For example, in the process of monitoring 8 trillion daily signals from a range of Microsoft products, services, and feeds, the Microsoft security team has identified multiple COVID-19-themed email campaigns that deliver the powerful credential-stealing program Agent Tesla.

To learn how to defend against these threats and others, join me and Eric Doerr, General Manager of Microsoft Security Response Center, in our next Azure Security Experts Virtual Events Series, Stay Ahead of Attacks with Azure Security Center, on June 30, 2020, from 10:00 AM to 11:00 AM Pacific Time.

There, we’ll step through three strategies to help you lock down your environment:

  • Protect all cloud resources across cloud-native workloads, virtual machines, data services, containers, and IoT edge devices.
  • Strengthen your overall security posture with enhanced Azure Secure Score.
  • Connect Azure Security Center with Azure Sentinel for proactive hunting and threat mitigation with advanced querying and the power of AI.

You’ll see demos of Secure Score and other Security Center features, while Stuart Gregg, Security Operations Manager at global online fashion retailer ASOS shares how his organization has gained stronger threat protection by pairing these technologies with smarter security management practices.

You’ll have the opportunity to take deep dives into how to use Security Center to achieve hybrid and multi-cloud threat protection for:

  • Servers and virtual machines. Learn how to protect your Linux and Windows virtual machines (VMs) using new Security Center features Just-In-Time VM Access, adaptive network hardening, and adaptive application controls. You’ll learn, too, how Security Center works with Microsoft Defender Advanced Threat Protection for Servers to provide threat detection for endpoint servers.
  • Cloud-native workloads. You’ll learn how Security Center supports containers and provides vulnerability assessment.
  • Data services. Breakthroughs in big data and machine learning make it possible for Security Center to detect anomalous database access and query patterns, SQL injection attacks, and other threats targeting your SQL databases in Azure. Learn, too, about malware reputation screening for Azure Storage and threat protection for Azure Key Vault.

In just one hour, you’ll learn how to implement broad threat protection across all your cloud resources, improve your cloud security posture management, keep up with compliance requirements, and stay ahead of a constantly evolving threat landscape.

Register now >

How do I learn more about Azure security and connect with peers and security experts?

In staying ahead of evolving security threats, it’s helpful to stay connected to other security professionals. Here are several ways to do that:

Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Stay ahead of multi-cloud attacks with Azure Security Center appeared first on Microsoft Security.

Barracuda and Microsoft: Removing security barriers to faster public cloud adoption

June 11th, 2020 No comments

Barracuda’s CloudGen Firewall is tightly integrated with Microsoft Azure Virtual WAN, Azure Active Directory (Azure AD), Azure Security Center, and Azure Sentinel. Integrated into Azure, Barracuda’s networking and security capabilities enable customers’ secure infrastructure migrations and the use of public cloud for additional security solutions such as scalable remote access.

As I write this blog, people in many areas around the world continue to stay home due to lockdowns and shelter-in-place orders, while some countries and states are starting to gradually relax restrictions to get at least some businesses and operations re-opened. These are unprecedented times, and a lot of uncertainty remains. Will most people go back to commuting and working mostly from their offices? Or will the world substantially shift to working from home? How will our recent experiences affect key technology trends such as digital transformation and IT infrastructure migration to public cloud?

Accelerating digital transformation

Digital transformation is fundamentally changing today’s enterprises, making digital assets—data and applications—key to doing business. As more value shifts from physical to digital assets, businesses increasingly compete based on how quickly they can ramp up and manage their digital assets; in effect, they are becoming digital businesses. DevOps processes, agile methodologies, and the move to cloud help enterprises to develop and update their digital assets faster.

By their nature, in order to generate value, digital assets need to be networked and available. These assets need to be protected from threats that are continuously evolving and becoming more challenging. Hackers are getting more sophisticated and malware is constantly getting more advanced. So, security is a critical requirement for successful digital transformation.

In speaking with customers and partners, we at Barracuda are hearing one consistent theme: It appears that the crisis and the resulting changes in work patterns are accelerating digital transformation. In many parts of the world, for example, where working from home has not been common and the infrastructure was not built to support it, IT professionals are evaluating how to enable it. In places where electronic signatures have not yet gone mainstream, there is a strong push for wider acceptance. Industries and geographies relying on brick-and-mortar stores are quickly moving operations online.

Leveraging public cloud for remote access

Public cloud adoption and cloud connectivity are key long-term trends that are getting an additional boost from the latest crisis. As lockdowns and restrictions went into effect, we at Barracuda got a major increase in customer requests for scaling up remote access functionality. IT departments were asked to very quickly ramp up remote access capabilities.

This is one example where public cloud can be quickly leveraged to expand remote access capacity. While an on-premises firewall or VPN gateway may not be sized to provide remote access to the entire employee population now working from home, it may be a complicated and lengthy process to expand that capacity. A quicker option is to stand up a remote access service in public cloud and connect it back to the on-premises firewall. This solution can be acquired from the Microsoft Azure Marketplace on a pay-as-you-go basis, for example, and set up within hours. All remote workers are given a new website to connect, and VPN and security processing are offloaded to the cloud. The entire system can be quickly and easily scaled up when shelter-in-place restrictions go into effect and scaled down when employees go back to working in the office.

Public cloud and SD-WAN

Remote access is, of course, just one example of the fact that traditional network and security infrastructures are inflexible—they cannot effectively accommodate digital transformation requirements. The health crisis just brought this into the spotlight. The move to public cloud is already broadly under way, and networks need to catch up.

Image of a graph show the percentage of IT infrastructure in the public cloud.

In the new report, Future shock: the cloud is the new network,* that was published in February, Barracuda surveyed 750 IT decision makers responsible for their organizations’ cloud infrastructure. We learned that organizations are well on their way to moving their infrastructure to public cloud, with 45 percent of IT infrastructure already running in the cloud today and rising to an estimated 76 percent in five years.

A graph showing “Future shock: the cloud is the new network."

At the same time, companies need to re-evaluate their security strategies as they move to public cloud, with 70 percent of respondents indicating that security concerns restrict their organizations’ adoption of public cloud. And their solution of choice for optimizing and securing access to public cloud is a fully integrated secure SD-WAN, with 56 percent of respondents having already deployed or are in the process of deploying it.

About Barracuda

At Barracuda, we strive to make the world a safer place. We believe every business deserves access to cloud-enabled, enterprise-grade security solutions that are easy to buy, deploy, and use. We protect email, networks, data, and applications with innovative solutions that grow and adapt with our customers’ journey. More than 150,000 organizations worldwide trust Barracuda to protect them—in ways they may not even know they are at risk—so they can focus on taking their business to the next level. For more information, visit barracuda.com.

View our integration videos:

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

*Future shock: the cloud is the new network, Barracuda, February 2020

The post Barracuda and Microsoft: Removing security barriers to faster public cloud adoption appeared first on Microsoft Security.