Swedish Windows Security User Group

As the global crisis around COVID-19 continues, security teams have been forced to adapt to a rapidly evolving security landscape. Schools, businesses, and healthcare organizations are all getting work done from home on a variety of devices and locations, extending the potential security attack surface.

While we continue to help our customers enable secure access to apps in this “new normal,” we’re also thinking about the road ahead and how there are still many organizations who will need to adapt their security model to support work life. This is especially important given that bad actors are using network access solutions like VPN as a trojan horse to deploy ransomware and the number of COVID-19 themed attacks have increased and evolved.

Microsoft and Zscaler have partnered to provide a glimpse into how security will change in a post-COVID-19 world.

Accelerating to Zero Trust

“We’ve seen two years’ worth of digital transformation in two months.”
—Satya Nadella, CEO, Microsoft

With the bulk of end users now working remotely, organizations were forced to consider alternate ways of achieving modern security controls. Legacy network architectures route all remote traffic through a central corporate datacenter are suddenly under enormous strain due to massive demand for remote work and rigid appliance capacity limitations. This creates latency for users, impacting productivity and requires additional appliances that can take 30, 60, or even 90 days just to be shipped out.

To avoid these challenges many organizations were able to enable work from home by transitioning their existing network infrastructure and capabilities with a Zero Trust security framework instead.

The Zero Trust framework empowers organizations to limit access to specific apps and resources only to the authorized users who are allowed to access them. The integrations between Microsoft Azure Active Directory (Azure AD) and Zscaler Private Access embody this framework.

For the companies who already had proof of concept underway for their Zero Trust journey, COVID-19 served as an accelerator, moving up the timelines for adoption. The ability to separate application access from network access, and secure application access based on identity and user context, such as date/time, geolocation, and device posture, was critical for IT’s ability to enable remote work. Cloud delivered technologies such as Azure AD and Zscaler Private Access (ZPA) have helped ensure fast deployment, scalability, and seamless experiences for remote users.

Both Microsoft and Zscaler anticipate that if not already moving toward a Zero Trust model, organizations will accelerate this transition and start to adopt one.

Securing flexible work going forward

While some organizations have had to support remote workers in the past, many are now forced to make the shift from a technical and cultural standpoint. As social distancing restrictions start to loosen, instead of remote everything we’ll begin to see organizations adopt more flexible work arrangements for their employees. Regardless of where employees are, they’ll need to be able to securely access any application, including the mission-critical “crown jewel” apps that may still be using legacy authentication protocols like HTTP or LDAP and on-premises. To simplify the management of protecting access to apps from a now flexible working style, there should be a single policy per user that can be used to provide access to an application, whether they are remote or at the headquarters

Zscaler Private Access and Azure AD help organizations enable single sign-on and enforce Conditional Access policies to ensure authorized users can securely access specifically the apps they need. This includes their mission-critical applications that run on-premises and may have SOC-2 and ISO27001 compliance needs.

Today, the combination of ZPA and Azure AD are already helping organizations adopt flexible work arrangements to ensure seamless and secure access to their applications.

Remote onboarding or offboarding for a distributed workforce

With remote and flexible work arrangements becoming a norm, organizations will need to consider how to best onboard or offboard a distributed workforce and ensure the right access can be granted when employees join, change or leave roles. To minimize disruption, organizations will need to enable and secure Bring Your Own Devices (BYOD) or leverage solutions like Windows Autopilot that can help users set up new devices without any IT involvement.

To ensure employees can access applications on day one, automating the provisioning of user accounts to applications will be critical for productivity. The SCIM 2.0 standard, adopted by both Microsoft and Zscaler, can help automate simple actions, such as creating or updating users, adding users to groups, or deprovisioning users into applications. Azure AD user provisioning can help manage end-to-end identity lifecycle and automate policy-based provisioning and deprovisioning of user accounts for applications. The ZPA + Azure AD SCIM 2.0 configuration guide shows how this works.

Powering security going forward

Security and IT teams are already under strain with this new environment and adding an impending economic downturn into the equation means they’ll need to do more with less. The responsibility of selecting the right technology falls to the security leaders. Together, Microsoft and Zscaler can help deliver secure access to applications and data on all the devices accessing your network, while empowering employees with simpler, more productive experiences. This is the power of cloud and some of the industry’s deepest level of integrations. We look forward to working with on what your security might look like after COVID-19.

Stay safe.

For more information on Microsoft Zero Trust, visit our website: Zero Trust security framework. Learn more about our guidance related to COVID-19 here and bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust and its role in securing the new normal appeared first on Microsoft Security.

Microsoft CEO Satya Nadella recently said, “We have seen two years’ worth of digital transformation in two months.” This is a result of many organizations having to adapt to the new world of document sharing and video conferencing as they become distributed organizations overnight.

At Microsoft, we understand that while the current health crisis we face together has served as this forcing function, some organizations might not have been ready for this new world of remote work, financially or organizationally. Just last summer, a simple lightning strike caused the U.K.’s National Grid to suffer the biggest blackout in decades. It affected homes across the country, shut down traffic signals, and closed some of the busiest train stations in the middle of the Friday evening rush hour. Trains needed to be manually rebooted causing delays and disruptions. And, when malware shut down the cranes and security gates at Maersk shipping terminals, as well as most of the company’s IT network—from the booking site to systems handling cargo manifests, it took two months to rebuild all the software systems, and three months before all cargo in transit was tracked down—with recovery dependent on a single server having been accidentally offline during the attack due to the power being cut off.

Cybersecurity provides the underpinning to operationally resiliency as more organizations adapt to enabling secure remote work options, whether in the short or long term. And, whether natural or manmade, the difference between success or struggle to any type of disruption requires a strategic combination of planning, response, and recovery. To maintain cyber resilience, one should be regularly evaluating their risk threshold and an organization’s ability to operationally execute the processes through a combination of human efforts and technology products and services.

While my advice is often a three-pronged approach of turning on multi-factor authentication (MFA)—100 percent of your employees, 100 percent of the time—using Secure Score to increase an organization’s security posture and having a mature patching program that includes containment and isolation of devices that cannot be patched, we must also understand that not every organization’s cybersecurity team may be as mature as another.

Organizations must now be able to provide their people with the right resources so they are able to securely access data, from anywhere, 100 percent of the time. Every person with corporate network access, including full-time employees, consultants, and contractors, should be regularly trained to develop a cyber-resilient mindset. They shouldn’t just adhere to a set of IT security policies around identity-based access control, but they should also be alerting IT to suspicious events and infections as soon as possible to help minimize time to remediation.

Our new normal means that risks are no longer limited to commonly recognized sources such as cybercriminals, malware, or even targeted attacks. Moving to secure remote work environment, without a resilience plan in place that does not include cyber resilience increases an organization’s risk.

Before COVID, we knew that while a majority of firms have a disaster recovery plan on paper, nearly a quarter never test that, and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

Operational resilience cannot be achieved without a true commitment to, and investment in, cyber resilience. We want to help empower every organization on the planet by continuing to share our learnings to help you reach the state where core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, or even cyber events.

Learn more about our guidance related to COVID-19 here, and bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Operational resilience in a remote work world appeared first on Microsoft Security.

A global threat requires a global response. While the world faces the common threat of COVID-19, defenders are working overtime to protect users all over the globe from cybercriminals using COVID-19 as a lure to mount attacks. As a security intelligence community, we are stronger when we share information that offers a more complete view of attackers’ shifting techniques. This more complete view enables us all to be more proactive in protecting, detecting, and defending against attacks.

At Microsoft, our security products provide built-in protections against these and other threats, and we’ve published detailed guidance to help organizations combat current threats (Responding to COVID-19 together). Our threat experts are sharing examples of malicious lures and we have enabled guided hunting of COVID-themed threats using Azure Sentinel Notebooks. Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack. Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions. Microsoft Threat Protection (MTP) customers are already protected against the threats identified by these indicators across endpoints with Microsoft Defender Advanced Threat Protection (ATP) and email with Office 365 ATP.

In addition, we are publishing these indicators for those not protected by Microsoft Threat Protection to raise awareness of attackers’ shift in techniques, how to spot them, and how to enable your own custom hunting. These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.

This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.

This COVID-specific threat intelligence feed represents a start at sharing some of Microsoft’s COVID-related IOCs. We will continue to explore ways to improve the data over the duration of the crisis. While some threats and actors are still best defended more discreetly, we are committed to greater transparency and taking community feedback on what types of information is most useful to defenders in protecting against COVID-related threats. This is a time-limited feed. We are maintaining this feed through the peak of the outbreak to help organizations focus on recovery.

Protection in Azure Sentinel and Microsoft Threat Protection

Today’s release includes file hash indicators related to email-based attachments identified as malicious and attempting to trick users with COVID-19 or Coronavirus-themed lures. The guidance below provides instructions on how to access and integrate this feed in your own environment.

For Azure Sentinel customers, these indicators can be either be imported directly into Azure Sentinel using a Playbook or accessed directly from queries.

The Azure Sentinel Playbook that Microsoft has authored will continuously monitor and import these indicators directly into your Azure Sentinel ThreatIntelligenceIndicator table. This Playbook will match with your event data and generate security incidents when the built-in threat intelligence analytic templates detect activity associated to these indicators.

These indicators can also be accessed directly from Azure Sentinel queries as follows:

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"));
covidIndicators

A sample detection query is also provided in the Azure Sentinel GitHub. With the table definition above, it is as simple as:

1. Join the indicators against the logs ingested into Azure Sentinel as follows:

covidIndicators
| join ( CommonSecurityLog | where TimeGenerated >= ago(7d)
| where isnotempty(FileHashValue)
) on $left.FileHashValue == $right.FileHash

2. Then, select “New alert rule” to configure Azure Sentinel to raise incidents based on this query returning results.

You should begin to see Alerts in Azure Sentinel for any detections related to these COVID threat indicators.

Microsoft Threat Protection provides protection for the threats associated with these indicators. Attacks with these Covid-19-themed indicators are blocked by Office 365 ATP and Microsoft Defender ATP.

While MTP customers are already protected, they can also make use of these indicators for additional hunting scenarios using the MTP Advanced Hunting capabilities.

Here is a hunting query to see if any process created a file matching a hash on the list.

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join (DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == 'FileCreated'
| take 100) on $left.FileHashValue  == $right.SHA256

This is an Advanced Hunting query in MTP that searches for any recipient of an attachment on the indicator list and sees if any recent anomalous log-ons happened on their machine. While COVID threats are blocked by MTP, users targeted by these threats may be at risk for non-COVID related attacks and MTP is able to join data across device and email to investigate them.

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )    [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"] with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join (  EmailAttachmentInfo  | where Timestamp > ago(1d)
| project NetworkMessageId , SHA256
) on $left.FileHashValue  == $right.SHA256
| join (
EmailEvents
| where Timestamp > ago (1d)
) on NetworkMessageId
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0])
| join (
DeviceLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - TimeEmail) between (0min.. 90min)
| take 10

Connecting an MISP instance to Azure Sentinel

The indicators published on the Azure Sentinel GitHub page can be consumed directly via MISP’s feed functionality. We have published details on doing this at this URL: https://aka.ms/msft-covid19-misp. Please refer to the Azure Sentinel documentation on connecting data from threat intelligence providers.

Using the indicators if you are not an Azure Sentinel or MTP customer

Yes, the Azure Sentinel GitHub is public: https://aka.ms/msft-covid19-Indicators

Examples of phishing campaigns in this threat intelligence

The following is a small sample set of the types of COVID-themed phishing lures using email attachments that will be represented in this feed. Beneath each screenshot are the relevant hashes and metadata.

Figure 1: Spoofing WHO branding with “cure” and “vaccine” messaging with a malicious .gz file.

Name: CURE FOR CORONAVIRUS_pdf.gz

Figure 2: Spoofing Red Cross Safety Tips with malicious .docm file.

Name: COVID-19 SAFETY TIPS.docm

Figure 3: South African banking lure promoting COVID-19 financial relief with malicious .html files.

Name: SBSA-COVID-19-Financial Relief.html

Figure 4: French language spoofed correspondence from the WHO with malicious XLS Macro file.

Name: –-Covid-19 Relief Plan5558-23636sd.htm

If you have questions or feedback on this COVID-19 feed, please email msft-covid19-ti@microsoft.com.

The post Open-sourcing new COVID-19 threat intelligence appeared first on Microsoft Security.

As the volume of remote workers quickly increased over the past two to three months, the IT teams in many companies scrambled to figure out how their infrastructures and technologies would be able to handle the increase in remote connections. Many companies were forced to enhance their capabilities to allow remote workers access to systems and applications from their homes and other locations outside the network perimeter. Companies that couldn’t make changes rapidly enough to increase capacity for remote workers might rely on remote access using the remote desktop protocol, which allows employees to access workstations and systems directly.

Recently, John Matherly (founder of Shodan, the world’s first search engine for internet-connected devices) conducted some research on ports that are accessible on the internet, surfacing some important findings. Notably, there has been an increase in the number of systems accessible via the traditional Remote Desktop Protocol (RDP) port and a well-known “alternative” port used for RDP. A surprising finding from John’s research is the ongoing prevalent usage of RDP and its exposure to the internet.

Although Remote Desktop Services (RDS) can be a fast way to enable remote access for employees, there are a number of security challenges that need to be considered before using this as a remote access strategy. One of these challenges is that attackers continue to target the RDP and service, putting corporate networks, systems, and data at risk (e.g., cybercriminals could exploit the protocol to establish a foothold on the network, install ransomware on systems, or take other malicious actions). In addition, there are challenges with being able to configure security for RDP sufficiently, to restrict a cybercriminal from moving laterally and compromising data.

Security considerations for remote desktop include:

• Direct accessibility of systems on the public internet.
• Vulnerability and patch management of exposed systems.
• Internal lateral movement after initial compromise.
• Multi-factor authentication (MFA).
• Session security.
• Controlling, auditing, and logging remote access.

Some of these considerations can be addressed using Microsoft Remote Desktop Services to act as a gateway to grant access to remote desktop systems. The Microsoft Remote Desktop Services gateway uses Secure Sockets Layer (SSL) to encrypt communications and prevents the system hosting the remote desktop protocol services from being directly exposed to the public internet.

Identify RDP use

To identify whether your company is using the Remote Desktop Protocol, you may perform an audit and review of firewall policies and scan internet-exposed address ranges and cloud services you use, to uncover any exposed systems. Firewall rules may be labeled as “Remote Desktop” or “Terminal Services.” The default port for Remote Desktop Services is TCP 3389, but sometimes an alternate port of TCP 3388 might be used if the default configuration has been changed.

Use this guidance to help secure Remote Desktop Services

Remote Desktop Services can be used for session-based virtualization, virtual desktop infrastructure (VDI), or a combination of these two services. Microsoft RDS can be used to help secure on-premises deployments, cloud deployments, and remote services from various Microsoft partners (e.g., Citrix). Leveraging RDS to connect to on-premises systems enhances security by reducing the exposure of systems directly to the internet. Further guidance on establishing Microsoft RDS can be found in our Remote Desktop Services.

On-premises deployments may still have to consider performance and service accessibility depending on internet connectivity provided through the corporate internet connection, as well as the management and maintenance of systems that remain within the physical network.

Leverage Windows Virtual Desktop

Virtual desktop experiences can be enhanced using Windows Virtual Desktop, delivered on Azure. Establishing an environment in Azure simplifies management and offers the ability to scale the virtual desktop and application virtualization services through cloud computing. Leveraging Windows Virtual Desktop foregoes the performance issues associated with on-premises network connections and takes advantage of built-in security and compliance capabilities provided by Azure.

To get more information about setting up, go to our Windows Virtual Desktop product page.

Microsoft documentation on Windows Virtual Desktop offers a tutorial and how-to guide on enabling your Azure tenant for Windows Virtual Desktop and connecting to the virtual desktop environment securely, once it is established.

Secure remote administrator access

Remote Desktop Services are being used not only by employees for remote access, but also by many system developers and administrators to manage cloud and on-premises systems and applications. Allowing administrative access of server and cloud systems directly through RDP elevates the risk because the accounts used for these purposes usually have higher levels of access across systems and environments, including system administrator access. Microsoft Azure helps system administrators to securely access systems using Network Security Groups and Azure Policies. Azure Security Center further enhances secure remote administration of cloud services by allowing “just in time” (JIT) access for administrators.

Attackers target management ports such as SSH and RDP. JIT access helps reduce attack exposure by locking down inbound traffic to Microsoft Azure VMs (Source: Microsoft).

Azure Security Center JIT access enhances security through the following measures:

• Approval workflow.
• Automatic removal of access.
• Restriction on permitted internet IP address.

For more information, visit Azure Security Center JIT.

Evaluate the risk to your organization

Considerations for selection and implementation of a remote access solution should always consider the security posture and risk appetite of your organization. Leveraging remote desktop services offers great flexibility by enabling remote workers to have an experience like that of working in the office, while offering some separation from threats on the endpoints (i.e., user devices, both managed and unmanaged by the organization). At the same time, those benefits should be weighed against the potential threats to the corporate infrastructure (network, systems, and thereby data). Regardless of the remote access implementation your organization uses, it is imperative that you implement best practices around protecting identities and minimizing attack surface to ensure new risks are not introduced.

The post Security guidance for remote desktop adoption appeared first on Microsoft Security.

As the number of home-based workers has accelerated in the last few weeks, it’s introduced new challenges. You may want to expand the number and types of devices employees can use to access company resources. You need to support a surge in SaaS usage. And it’s important to adjust security policies to enable productivity from home, while keeping sensitive data secure. As you navigate these changes, turn to us for help. Microsoft Defender Advanced Threat Protection (ATP) customers can expect the following:

• Coverage for additional devices without requiring additional licenses.
• Guidance and support services to rapidly expand deployment.
• Proactive and reactive assistance to help security teams identify, respond to, and remediate threats.

Read Secure your remote workforce with Microsoft Defender ATP for details.

The post Microsoft Defender ATP can help you secure your remote workforce appeared first on Microsoft Security.

With the bulk of end users now working remotely, legacy network architectures that route all remote traffic through a central corporate network are suddenly under enormous strain. The result can be poorer performance, productivity, and user experience. Many organizations are now rethinking their network infrastructure design to address these issues, especially for applications like Microsoft Teams and Office 365. At Microsoft, for example, we adopted split tunneling as part of our VPN strategy. Our customers have asked us for guidance on how to manage security in this changing environment.

An architecture that routes all remote traffic back to the corporate network was originally intended to provide the security team with the following:

• Prevention of unauthorized access
• Control of authorized user access
• Network protections such as Intrusion Detection/Prevention (IDS/IPS) and Distributed Denial of Service (DDoS) mitigation
• Data loss prevention (DLP)

In this post, we’ll address alternative ways of achieving modern security controls, so security teams can manage risk in a more direct-to-internet network architecture.

Prevention of unauthorized access

Multi-factor authentication (MFA) helps increase authentication assurance. We recommend requiring it for all users. If you are not ready to deploy to all users, consider entering an emergency pilot for higher risk or more targeted users. Learn more about how to use Azure Active Directory (Azure AD) Conditional Access to enforce MFA. You will also want to block legacy authentication protocols that allow users to bypass MFA requirements.

Control of authorized user access

Ensure only registered devices that comply with your organization’s security policies can access your environment, to reduce the risk that would be posed by resident malware or intruders. Learn more about how to use Azure AD Conditional Access to enforce device health requirements. To further increase your level of assurance, you can evaluate user and sign-on risk to block or restrict risky user access. You may also want to prevent your users from accessing other organizations’ instances of the Office 365 applications. If you do this with Azure AD tenant restrictions, only logon traffic needs to traverse the VPN.

Network protections

Some of the protections that you may have traditionally provided by routing traffic back through your corporate network can now be provided by the cloud apps your users are accessing. Office 365, for example, is globally distributed and designed to allow the customer network to route user requests to the closest Office 365 service entry point. Learn more about Office 365 network connectivity principles. We build resiliency into Office 365 to minimize potential disruption. We protect Office 365 and Azure from network attacks like DDoS on behalf of our customers.

With the above controls in place, you may be ready to route remote users’ traffic directly to Office 365. If you still require a VPN link for access to other applications, you can greatly improve your performance and user experience by implementing split tunneling.

We strongly recommend that you review VPN and VPS infrastructure for updates, as attackers are actively tailoring exploits to take advantage of remote workers. Microsoft Threat Intelligence teams have observed multiple nation state and cybercrime actors targeting unpatched VPN systems for many months. In October 2019, both the National Security Agency and National Cyber Security Centre issued alerts on these attacks. The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Department of Commerce National Institute of Standards and Technology (NIST) have published useful guidance on securing VPN/VPS infrastructure.

DLP

To help you prevent the accidental disclosure of sensitive information, Office 365 has a rich set of built-in tools. You can use the built-in DLP capabilities of Teams and SharePoint to detect inappropriately stored or shared sensitive information. If part of your remote work strategy involves a bring-your-own-device (BYOD) policy, you can use Conditional Access App Control to prevent sensitive data from being downloaded to users’ personal devices.

Malware detection

By default, SharePoint Online automatically scans file uploads for known malware. Enable Exchange Online Protection to scan email messages for malware. If your Office 365 subscription includes Office 365 Advanced Threat Protection (ATP), enable it to provide advanced protection against malware. If your organization uses Microsoft Defender ATP for endpoint protection, remember that each user is licensed for up to five company-managed devices.

Additional resources

• Microsoft FastTrack is available to assist organizations setting up remote work and learning in response to COVID-19.
• Read more general guidance on how CISOs can securely enable remote work on the Microsoft Security blog: Work remotely, stay secure—guidance for CISOs.
• For more on how to configure Azure AD to enable remote work, see Top 5 ways your Azure AD can help you enable remote work.
• To learn more about how to adapt to remote work, visit the Microsoft 365 blog.

The post Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios appeared first on Microsoft Security.