Archive for September, 2020

Microsoft Advanced Compliance Solutions in Zero Trust Architecture

September 29th, 2020 No comments

Zero Trust revolves around three key principles:  verify explicitly, use least privileged access, and assume breach.  Microsoft’s Advanced Compliance Solutions are an important part of Zero Trust.

This post applies a Zero Trust lens to protecting an organization’s sensitive data and maintaining compliance with relevant standards. Ultimately, Zero Trust architecture is a modern approach to security that focuses on security and compliance for assets regardless of their physical or network location, which contrasts with classic approaches that attempt to force all assets on a ‘secure’ and compliant network.

A Zero Trust strategy should start with Identity and Access Management.  Microsoft built Azure Active Directory (AAD) to enable rapid Zero Trust adoption:

An image of the workflows and visualizations to manage cases.

Architects focus on applying the Zero Trust principles to protect and monitor six technical pillars of the enterprise including:

  • Identity
  • Devices
  • Applications and APIs
  • Data
  • Infrastructure
  • Networks

In an integrated Microsoft Zero Trust solution, AAD and Microsoft Defender for Identity provide protection, monitoring, and trust insights in the User/Identity Pillar. Microsoft Defender for Endpoints and Intune protect and manage the Device.  Azure Security Center and Azure Sentinel monitor, report and provide automated playbooks to deal with events.

Microsoft’s Advanced Compliance solutions are foundational to Zero Trust as well, particularly when implemented to support Microsoft 365.

Microsoft Information Protection, Insider Risk Management and Microsoft Cloud App Security are all part of a complete Zero Trust architecture.

Advanced Auditing can increase visibility into insiders' or bad actors' activities involving sensitive data such as documents and emails, and it extends the period over which audit data is available for review.

Let’s look closer at these solutions:

  • Microsoft Information Protection: Allows policy enforcement at the document level based on AAD identity.  This protection is resident with the document throughout its lifecycle.  It controls the identities, groups or organizations that can access the document, expires access to the document and controls what authorized users can do with the document e.g. view, print, cut and paste as well as other controls like enforced watermarking.  These controls can be mandatory or can support users with suggested protection.  The policy can be informed by machine learning, standard sensitivity data types (like social security numbers), regular expressions, keywords or exact data match.  When users elect to apply different protection than recommended, their actions are tracked for later review.  Documents can thus be protected throughout their lifecycle, wherever they may travel and to whomever they may be transmitted.

Microsoft Information Protection sensitivity labels are fully integrated with our data loss prevention solution, preventing movement of sensitive information at the boundary of the cloud, between Microsoft and third-party clouds, and at the device endpoint (e.g. laptop).

  • Insider Risk Management: Applies machine learning to the signals available from Microsoft O365 tenant logs, integration with Microsoft Defender Advanced Threat Protection, and a growing number of relevant Microsoft and third-party signals to alert on insiders such as employees or contractors who are misusing their access. Default policies are provided, and enterprises can customize policies to meet their needs, including policies for specific projects or scoped to users deemed to be at high risk. These policies allow you to identify risky activities and mitigate these risks. Current areas of focus for the solution are:
    • Leaks of sensitive data and data spillage
    • Confidentiality violations
    • Intellectual property (IP) theft
    • Fraud
    • Insider trading
    • Regulatory compliance violations

These signals are visualized and actioned by other Microsoft solutions.  Insider Risk Management uses its specialized algorithms and machine learning to correlate signal and expose Insider Risks in context.  It also provides workflows and visualizations to manage cases.

Insider Risk Management is integrated with AAD and acts on signals from Microsoft Information Protection as well as others in the tenant, providing additional security value from the systems already in place.  The alerts generated by the system can be managed with the native case management features or surfaced to Azure Sentinel or third-party systems through the API.

  • Microsoft Cloud App Security: Is a Cloud Access Security Broker that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, granular control over data travel, and sophisticated analytics to identify and combat cyber threats across all Microsoft and third-party cloud services. It controls shadow IT.  It can be used to govern the use of Microsoft and third-party clouds and the sensitive information placed there.

An image of advanced Auditing for M365.

  • Advanced Auditing for M365: Advanced Audit retains all Exchange, SharePoint, and Azure Active Directory audit records for a default of one year.  You can retain audit logs for up to ten years.  Crucial events for investigations, such as whether an attacker has accessed a mail message, whether a sensitive document is re-labelled and many other new log data types are part of this solution.  Investigation playbooks will also shortly be part of this solution.

These Advanced Compliance solutions have native visibility into AAD, the Microsoft Tenant, and into each other.  For example, Insider Risk Management has visibility into Microsoft Information Protection sensitivity labels.  Microsoft Cloud App Security has visibility into and can act on sensitivity labels.

This visibility and machine learning run through the Microsoft Security and Advanced Compliance solutions, making them particularly well suited to a holistic Zero Trust architecture.

The post Microsoft Advanced Compliance Solutions in Zero Trust Architecture appeared first on Microsoft Security.

Microsoft Digital Defense Report 2020: Cyber Threat Sophistication on the Rise

September 29th, 2020 No comments

Today, Microsoft is releasing a new annual report, called the Digital Defense Report, covering cybersecurity trends from the past year. This report makes it clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets. For example, nation-state actors are engaging in new reconnaissance techniques that increase their chances of compromising high-value targets, criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services, and attackers have developed new ways to scour the internet for systems vulnerable to ransomware.

In addition to attacks becoming more sophisticated, threat actors are showing clear preferences for certain techniques, with notable shifts towards credential harvesting and ransomware, as well as an increasing focus on Internet of Things (IoT) devices. Among the most significant statistics on these trends:

  • In 2019 we blocked over 13 billion malicious and suspicious mails, out of which more than 1 billion were URLs set up for the explicit purpose of launching a phishing credential attack.
  • Ransomware is the most common reason behind our incident response engagements from October 2019 through July 2020.
  • The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and Virtual Private Network (VPN) exploits.
  • IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.

Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace; that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies, and, especially, enabling multi-factor authentication (MFA).  Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.

To read the full blog and download the Digital Defense Report visit the Microsoft On-the-issues Blog.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Digital Defense Report 2020: Cyber Threat Sophistication on the Rise appeared first on Microsoft Security.

Microsoft Security—detecting empires in the cloud

September 24th, 2020 No comments

Microsoft consistently tracks the most advanced threat actors and evolving attack techniques. We use these findings to harden our products and platform and share them with the security community to help defenders everywhere better protect the planet.

Recently, the Microsoft Threat Intelligence Center (MSTIC) observed the evolution of attacker techniques by an actor we call GADOLINIUM, which is using cloud services and open source tools to enhance weaponization of its malware payload, to extend command and control all the way to the server, and to evade detection. These attacks were delivered via spear-phishing emails with malicious attachments; they were detected and blocked by Microsoft 365 Defender, formerly Microsoft Threat Protection (MTP), and can also be detected using Azure Sentinel.

As these attacks were detected, Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure. This action helped transparently protect our customers without requiring additional work on their end.

GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods.

Recently, MSTIC has observed newly expanded targeting outside of those sectors to include the Asia Pacific region and other targets in higher education and regional government organizations. As GADOLINIUM has evolved, MSTIC has continued to monitor its activity and work alongside our product security teams to implement customer protections against these attacks.

Historically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.

The following GADOLINIUM technique profile is designed to give security practitioners who may be targeted by this specific actor’s activity insight and information that will help them better protect from these attacks.

2016: Experimenting in the cloud

GADOLINIUM has been experimenting for years with using cloud services to deliver their attacks, to increase both operation speed and scale. The image in Figure 1 is from a GADOLINIUM controlled Microsoft TechNet profile established in 2016. This early use of a TechNet profile’s contact widget involved embedding a very small text link that contained an encoded command for malware to read.

An image of a GADOLINIUM controlled Microsoft TechNet profile established in 2016.

Figure 1: GADOLINIUM controlled TechNet profile with embedded malware link.

2018: Developing attacks in the cloud

In 2018 GADOLINIUM returned to using cloud services, but this time it chose to use GitHub to host commands. The image in Figure 2 shows the commit history of a forked repository that GADOLINIUM controlled. In this repository, the actors updated markdown text to issue new commands to victim computers. MSTIC has worked with our colleagues at GitHub to take down the actor accounts and disrupt GADOLINIUM operations on the GitHub platform.

An image of a GitHub repository controlled by GADOLINIUM.

Figure 2: GitHub repository controlled by GADOLINIUM.

2019-2020: Hiding in plain sight using open source

GADOLINIUM’s evolving techniques
Two of the most recent attack chains, in 2019 and 2020, were delivered by GADOLINIUM using similar tactics and techniques. Below is a summary view of how these attack techniques have evolved, followed by a detailed analysis of each step that security practitioners can use to better understand the threat and what defenses to implement to counter the attacks.

A summary view of how these attack techniques have evolved.

Weaponization
In the last year, Microsoft has observed GADOLINIUM migrate portions of its toolchain to techniques based on open source kits. GADOLINIUM is not alone in this move. MSTIC has noticed a slow trend of several nation-state activity groups migrating to open source tools in recent years. MSTIC assesses this move is an attempt to make discovery and attribution more difficult. The other added benefit of using open-source kits is that development and new feature creation is done by someone else at no cost. However, using open source tools isn’t always a silver bullet for obfuscation and blending into the noise.

Delivery & Exploitation (2019)
In 2019, we discovered GADOLINIUM delivering malicious Access database files to targets. The initial malicious file was an Access 2013 database (.accde format). This dropped a fake Word document that was opened along with an Excel spreadsheet and a file called mm.accdb.core which was subsequently executed. The file mm.accdb.core is a VBA dropper, based on the CactusTorch VBA module, which loads a .NET DLL payload, sets configuration information, and then runs the payload. Office 365 ATP detects and blocks malicious Microsoft Access database attachments in email. A redacted example of the configuration is displayed below.

An image showing the VBA setting config and calling the 'Run' function of the payload.

Figure 3: VBA setting config and calling the “Run” function of the payload

Command and Control (2019)
Having gained access to a victim machine the payload then uses attachments to Outlook Tasks as a mechanism for command and control (C2). It uses a GADOLINIUM-controlled OAuth access token with login.microsoftonline.com and uses it to call the Outlook Task API to check for tasks. The attacker uses attachments to Outlook tasks as a means of sending commands or .NET payloads to execute; at the victim end, the malware adds the output from executing these commands as a further attachment to the Outlook task.

Interestingly, the malware had code compiled in a manner that doesn’t seem to be used in the attacks we saw. In addition to the Outlook Tasks API method described above, the extra code contains two other ways of using Office365 as C2, via either the Outlook Contacts API (get and add contacts) or the OneDrive API (list directory, get and add a file).

Actions on Objective (2019)
GADOLINIUM used several different payloads to achieve its exploitation or intrusion objectives including a range of PowerShell scripts to execute file commands (read/write/list etc.) to enable C2 or perform SMB commands (upload/download/delete etc.) to potentially exfiltrate data.

LazyCat, one of the tools used by GADOLINIUM, includes privilege escalation and credential dumping capability to enable lateral movement across a victim network. Microsoft 365 Defender for Endpoint detects the privilege escalation technique used:

An image of Microsoft Defender ATP alert of detected escalation of privilege attempt.

LazyCat performs credential dumping through usage of the MiniDumpWriteDump Windows API call, also detected by Microsoft 365 Defender for Endpoint:

An image of Microsoft Defender ATP alert of detected credential dumping activity.

Delivery (2020)
In mid-April 2020 GADOLINIUM actors were detected sending spear-phishing emails with malicious attachments. The filenames of these attachments were chosen to appeal to the target’s interest in the COVID-19 pandemic. The PowerPoint file (20200423-sitrep-92-covid-19.ppt), when run, would drop a file, doc1.dotm. Similarly to the 2019 example, Microsoft 365 Defender for Office detects and blocks emails with these malicious PowerPoint and Word attachments.

Command and Control (2020)
The malicious doc1.dotm had two payloads which run in succession.

  • The first payload turns off a type check (DisableActivitySurrogateSelectorTypeCheck) that the second stage needs, as discussed in this blog.
  • The second payload loads an embedded .NET binary which downloads, decrypts and runs a .png file.

The .png is actually PowerShell which downloads and uploads fake .png files using the Microsoft Graph API at https://graph.microsoft.com/v1.0/drive/root:/onlinework/contact/$($ID)_1.png:/content, where $ID is the ID of the malware. The GADOLINIUM PowerShell is a modified version of the open-source PowerShell Empire toolkit.
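As an added hunting example (not code from the Microsoft post or from the actor's tooling), the following Python matches the Graph URL shape described above in web-proxy records and summarizes the download/upload pattern per client and malware ID. The whitespace-separated proxy line format, the sample records and the acceptance of any numeric suffix (not only `_1`) are assumptions made for this example.

```python
"""Hunting helper for the OneDrive-over-Graph C2 path described in the post.

Added example (not code from the Microsoft post or from GADOLINIUM's tooling).
The post describes the malware's PowerShell downloading and uploading fake
.png files via:
    https://graph.microsoft.com/v1.0/drive/root:/onlinework/contact/<ID>_1.png:/content
This module matches that URL shape in web-proxy records and summarizes the
download/upload (GET/PUT) pattern per client and malware ID.

Assumptions: the whitespace-separated proxy line format and the sample
records below are constructed for this example; they are not real telemetry.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

GRAPH_HOST = "graph.microsoft.com"

# Path shape from the post. As a generalization (an assumption, not stated in
# the post) any numeric suffix is accepted, not only the "_1" seen in the post.
C2_PATH_RE = re.compile(
    r"^/v1\.0/drive/root:/onlinework/contact/(?P<id>[^/]+?)_(?P<seq>\d+)\.png:/content$"
)

# Constructed proxy records: "<timestamp> <client-ip> <method> <url> <user-agent>"
SAMPLE_PROXY_LOG = """\
2020-04-23T10:01:02Z 10.0.0.5 GET https://graph.microsoft.com/v1.0/me/messages Mozilla/5.0
2020-04-23T10:01:09Z 10.0.0.7 PUT https://graph.microsoft.com/v1.0/drive/root:/onlinework/contact/1a2b3c_1.png:/content PowerShell/5.1
2020-04-23T10:02:15Z 10.0.0.7 GET https://graph.microsoft.com/v1.0/drive/root:/onlinework/contact/1a2b3c_1.png:/content PowerShell/5.1
2020-04-23T10:03:40Z 10.0.0.9 GET https://graph.microsoft.com/v1.0/drive/root:/Documents/report.png:/content OneDrive/20.0
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    method: str
    malware_id: str
    user_agent: str


def match_c2_url(url: str):
    """Return the malware ID embedded in the URL if it has the C2 shape, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc.lower() != GRAPH_HOST:
        return None
    m = C2_PATH_RE.match(parts.path)
    return m.group("id") if m else None


def parse_proxy_line(line: str):
    """Split one constructed proxy record; returns None for malformed lines."""
    fields = line.strip().split(" ", 4)
    return fields if len(fields) == 5 else None


def find_c2_hits(log_text: str):
    """Scan proxy records and return every request matching the C2 URL shape."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_proxy_line(line)
        if fields is None:
            continue
        timestamp, client, method, url, user_agent = fields
        malware_id = match_c2_url(url)
        if malware_id is not None:
            hits.append(Hit(timestamp, client, method.upper(), malware_id, user_agent))
    return hits


def summarize(hits):
    """Count GET (download) and PUT (upload) requests per (client, malware ID).

    A client showing both directions against the same ID matches the two-way
    exchange the post describes and is a strong triage lead.
    """
    summary = {}
    for h in hits:
        bucket = summary.setdefault((h.client, h.malware_id), {"GET": 0, "PUT": 0, "OTHER": 0})
        bucket[h.method if h.method in ("GET", "PUT") else "OTHER"] += 1
    return summary


if __name__ == "__main__":
    for (client, malware_id), counts in summarize(find_c2_hits(SAMPLE_PROXY_LOG)).items():
        print(f"{client} id={malware_id} downloads={counts['GET']} uploads={counts['PUT']}")
```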

Actions on Objectives (2020)
The GADOLINIUM PowerShell Empire toolkit allows the attacker to load additional modules to victim computers seamlessly via Microsoft Graph API calls. It provides a command and control module that uses the attacker’s Microsoft OneDrive account to execute commands and retrieve results between attacker and victim systems. The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage. From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario, no OAuth permissions consent prompts occur. Later in this blog post, we will provide additional information about how Microsoft proactively prevents attackers from using our cloud infrastructure in these ways.

Command and Control—Server compromise
GADOLINIUM campaigns often involve installing web shells on legitimate web sites for command and control or traffic redirection. Microsoft 365 Defender for Endpoint detects web shells by analyzing web server telemetry such as process creation and file modifications. Microsoft blogged earlier in the year on the use of web shells by multiple groups and how we detect such activities.

An image of Microsoft Defender ATP alerts of suspicious web shell attacks.

Figure 6: Microsoft Defender ATP alerts of suspicious web shell attacks.

Web shell alerts from Microsoft 365 Defender for Endpoint can be explored in Azure Sentinel and enriched with additional information that can give key insights into the attack. MSTIC’s Azure Sentinel team recently published a blog outlining how such insights can be derived by analyzing events from the W3CIISLog.

Microsoft’s proactive steps to defend customers
In addition to detecting many of the individual components of the attacks through Microsoft’s security products and services, such as Microsoft 365 Defender for Endpoint and Microsoft 365 Defender for Office as described above, we also take proactive steps to prevent attackers from using our cloud infrastructure to perpetrate attacks. As a cloud provider, Microsoft is uniquely positioned to disrupt this attacker technique. The PowerShell Empire scenario is a good example of this. During April 2020, the Microsoft Identity Security team suspended 18 Azure Active Directory applications that we determined to be part of GADOLINIUM’s PowerShell Empire infrastructure (Application IDs listed in the IOC section below). Such action is particularly beneficial to customers, as suspending these applications protects all customers transparently without any action being required at their end.

As part of Microsoft’s broader work to foster a secure and trustworthy app ecosystem, we research and develop detection techniques for both known and novel malicious applications. Applications exhibiting malicious behavior are quickly suspended to ensure our customers are protected.

GADOLINIUM will no doubt evolve its tactics in pursuit of its objectives. As those threats target Microsoft customers, we will continue to build detections and implement protections to defend against them. For security practitioners looking to expand their own hunting on GADOLINIUM, we are sharing the below indicators of compromise (IOCs) associated with its activity.

List of related GADOLINIUM indicators

Hashes from malicious document attachments

faebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675
f61212ab1362dffd3fa6258116973fb924068217317d2bc562481b037c806a0a

Actor-owned email addresses


Azure Active Directory App IDs associated with malicious apps


The post Microsoft Security—detecting empires in the cloud appeared first on Microsoft Security.

Microsoft Security—detecting empires in the cloud

September 24th, 2020 No comments

Microsoft consistently tracks the most advanced threat actors and evolving attack techniques. We use these findings to harden our products and platform and share them with the security community to help defenders everywhere better protect the planet.

Recently, the Microsoft Threat Intelligence Center (MSTIC) observed the evolution of attacker techniques by an actor we call GADOLINIUM using cloud services and open source tools to enhance weaponization of their malware payload, attempt to gain command and control all the way to the server, and to obfuscate detection. These attacks were delivered via spear-phishing emails with malicious attachments and detected and blocked by Microsoft 365 Defender, formerly Microsoft Threat Protection (MTP), and able to be detected using Azure Sentinel.

As these attacks were detected, Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure. This action helped transparently protect our customers without requiring additional work on their end.

GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods.

Recently, MSTIC has observed newly expanded targeting outside of those sectors to include the Asia Pacific region and other targets in higher education and regional government organizations. As GADOLINIUM has evolved, MSTIC has continued to monitor its activity and work alongside our product security teams to implement customer protections against these attacks.

Historically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.

The following GADOLINIUM technique profile is designed to give security practitioners who may be targeted by this specific actor’s activity insight and information that will help them better protect from these attacks.

2016: Experimenting in the cloud

GADOLINIUM has been experimenting with using cloud services to deliver their attacks to increase both operation speed and scale for years. The image in Figure 1 is from a GADOLINIUM controlled Microsoft TechNet profile established in 2016. This early use of a TechNet profiles’ contact widget involved embedding a very small text link that contained an encoded command for malware to read.

An image of a GADOLINIUM controlled Microsoft TechNet profile established in 2016.

Figure 1: GADOLINIUM controlled TechNet profile with embedded malware link.

2018: Developing attacks in the cloud

In 2018 GADOLINIUM returned to using Cloud services, but this time it chose to use GitHub to host commands. The image in Figure 2 shows GitHub Commit history on a forked repository GADOLINIUM controlled. In this repository, the actors updated markdown text to issue new commands to victim computers. MSTIC has worked with our colleagues at GitHub to take down the actor accounts and disrupt GADOLINIUM operations on the GitHub platform.

An image of a GitHub repository controlled by GADOLINIUM.

Figure 2: GitHub repository controlled by GADOLINIUM.

2019-2020: Hiding in plain sight using open source

GADOLINIUM’s evolving techniques
Two of the most recent attack chains in 2019 and 2020 were delivered from GADOLINIUM using similar tactics and techniques. Below is a summary view of how these attacks techniques have evolved followed by a detailed analysis of each step that security practitioners can use to better understand the threat and what defenses to implement to counter the attacks.

A summary view of how these attacks techniques have evolved.

Weaponization
In the last year, Microsoft has observed GADOLINIUM migrate portions of its toolchain techniques based on open source kits. GADOLINIUM is not alone in this move. MSTIC has noticed a slow trend of several nation-state activity groups migrating to open source tools in recent years. MSTIC assesses this move is an attempt to make discovery and attribution more difficult. The other added benefit to using open-source types of kits is that the development and new feature creation is done and created by someone else at no cost. However, using open source tools isn’t always a silver bullet for obfuscation and blending into the noise.

Delivery & Exploitation (2019)
In 2019, we discovered GADOLINIUM delivering malicious Access database files to targets. The initial malicious file was an Access 2013 database (.accde format). This dropped a fake Word document that was opened along with an Excel spreadsheet and a file called mm.accdb.core which was subsequently executed. The file mm.accdb.core is a VBA dropper, based on the CactusTorch VBA module, which loads a .NET DLL payload, sets configuration information, and then runs the payload. Office 365 ATP detects and blocks malicious Microsoft Access database attachments in email. A redacted example of the configuration is displayed below.

An image showing the VBA setting config and calling the 'Run' function of the payload.

Figure 3: VBA setting config and calling the “Run” function of the payload

Command and Control (2019)
Having gained access to a victim machine the payload then uses attachments to Outlook Tasks as a mechanism for command and control (C2). It uses a GADOLINIUM-controlled OAuth access token with login.microsoftonline.com and uses it to call the Outlook Task API to check for tasks. The attacker uses attachments to Outlook tasks as a means of sending commands or .NET payloads to execute; at the victim end, the malware adds the output from executing these commands as a further attachment to the Outlook task.

Interestingly, the malware had code compiled in a manner that doesn’t seem to be used in the attacks we saw. In addition to the Outlook Tasks API method described above, the extra code contains two other ways of using Office365 as C2, via either the Outlook Contacts API (get and add contacts) or the OneDrive API (list directory, get and add a file).

Actions on Objective (2019)
GADOLINIUM used several different payloads to achieve its exploitation or intrusion objectives including a range of PowerShell scripts to execute file commands (read/write/list etc.) to enable C2 or perform SMB commands (upload/download/delete etc.) to potentially exfiltrate data.

LazyCat, one of the tools used by GADOLINIUM, includes privilege escalation and credential dumping capability to enable lateral movement across a victim network. Microsoft 365 Defender for Endpoint detects the privilege escalation technique used:

An image ofMicrosoft Defender ATP alert of detected escalation of privilege attempt.

LazyCat performs credential dumping through usage of the MiniDumpWriteDump Windows API call, also detected by Microsoft 365 Defender for Endpoint:

An image of Microsoft Defender ATP alert of detected credential dumping activity.

Delivery (2020)
In mid-April 2020 GADOLINIUM actors were detected sending spear-phishing emails with malicious attachments. The filenames of these attachments were named to appeal to the target’s interest in the COVID-19 pandemic. The PowerPoint file (20200423-sitrep-92-covid-19.ppt), when run, would drop a file, doc1.dotm. Similarly, to the 2019 example, Microsoft 365 Defender for Office detects and blocks emails with these malicious PowerPoint and Word attachments.

Command and Control (2020)
The malicious doc1.dotm had two payloads which run in succession.

  • The first payload turns off a type check DisableActivitySurrogateSelectorTypeCheck  which the second stage needs as discussed in this blog.
  • The second payload loads an embedded .Net binary which downloads, decrypts + runs a .png file.

The .png is actually PowerShell which downloads and uploads fake png files using the Microsoft Graph API to https://graph.microsoft.com/v1.0/drive/root:/onlinework/contact/$($ID)_1.png:/content where $ID is the ID of the malware. The GADOLINIUM PowerShell is a modified version of the open-source PowerShell Empire toolkit.

Actions on Objectives (2020)
The GADOLINIUM PowerShell Empire toolkit allows the attacker to load additional modules to victim computers seamlessly via Microsoft Graph API calls. It provides a command and control module that uses the attacker’s Microsoft OneDrive account to execute commands and retrieve results between attacker and victim systems. The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage. From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario, no OAuth permissions consent prompts occur. Later in this blog post, we will provide additional information about how Microsoft proactively prevents attackers from using our cloud infrastructure in these ways.

Command and Control—Server compromise
GADOLINIUM campaigns often involve installing web shells on legitimate web sites for command and control or traffic redirection. Microsoft 365 Defender for Endpoint detects web shells by analyzing web server telemetry such as process creation and file modifications. Microsoft blogged earlier in the year on the use of web shells by multiple groups and how we detect such activities.

Figure 6: Microsoft Defender ATP alerts of suspicious web shell attacks.

Web shell alerts from Microsoft 365 Defender for Endpoint can be explored in Azure Sentinel and enriched with additional information that can give key insights into the attack. MSTIC’s Azure Sentinel team recently published a blog outlining how such insights can be derived by analyzing events from the W3CIISLog.

Microsoft’s proactive steps to defend customers
In addition to detecting many of the individual components of the attacks through Microsoft’s security products and services such as Microsoft 365 Defender for Endpoint and Microsoft 365 Defender for Office as described above, we also take proactive steps to prevent attackers from using our cloud infrastructure to perpetrate attacks. As a cloud provider, Microsoft is uniquely positioned to disrupt this attacker technique. The PowerShell Empire scenario is a good example of this. During April 2020, the Microsoft Identity Security team suspended 18 Azure Active Directory applications that we determined to be part of GADOLINIUM’s PowerShell Empire infrastructure (Application IDs listed in the IOC section below). Such action is particularly beneficial to customers, as suspending these applications protects all customers transparently without any action being required at their end.

As part of Microsoft’s broader work to foster a secure and trustworthy app ecosystem, we research and develop detection techniques for both known and novel malicious applications. Applications exhibiting malicious behavior are quickly suspended to ensure our customers are protected.

GADOLINIUM will no doubt evolve its tactics in pursuit of its objectives. As those threats target Microsoft customers, we will continue to build detections and implement protections to defend against them. For security practitioners looking to expand their own hunting on GADOLINIUM, we are sharing the below indicators of compromise (IOCs) associated with their activity.

List of related GADOLINIUM indicators

Hashes from malicious document attachments

faebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675
f61212ab1362dffd3fa6258116973fb924068217317d2bc562481b037c806a0a

Actor-owned email addresses


Azure Active Directory App IDs associated with malicious apps


To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Security—detecting empires in the cloud appeared first on Microsoft Security.

Microsoft Security: 6 tips for enabling people-centric cybersecurity with security training

September 24th, 2020 No comments

Everyone knows about phishing scams, and most of us think we’re too smart to take the bait. Our confidence often reaches superhero levels when we’re logged onto a company network. As Chief Security Advisor for Microsoft, and previously at telco Swisscom, it’s my business to understand how well employees adapt security training into their daily routines. Years of experience have taught me there are commonalities in human behavior that cut across all levels of an organization. Above all, people want to trust the company they work for and the communications they receive. It’s our task to help them understand that yes, their employer is looking out for them, but they also need to be vigilant to protect themselves and their company’s private data.

Tip #1: Make it fun. That means creating training modules that people will actually want to watch. Think of your favorite TV shows. There’s a reason you want to binge every episode. You care about the characters, or you’re at least interested in how their dilemmas work out. A good example is the Fox TV show 24; every episode was one hour in an unfolding storyline with high stakes. Your training program doesn’t need life-or-death consequences, but it should give people a reason to watch beyond just checking a box for compliance.

Tip #2: Make it easy. Your end user is your customer, so you need their buy-in. When investigating new security solutions, I ask: “Could you explain how this works to my mother in thirty minutes or less?” If not, it’s probably not a user-friendly solution. Asking people to create a password with 20 characters consisting of random symbols, cases, and numbers (that they shouldn’t write down) is not easy. For a better option, try passwordless authentication options for Azure Active Directory. If your organization has Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities, you can employ Attack Simulator in the Security & Compliance Center to run realistic scenarios. These simulated attacks can help you easily identify vulnerable users before a real attacker comes knocking.

Tip #3: Focus on your highest risk. Nearly one in three security breaches starts with a phishing attack, costing the affected organization an average of USD 1.4 million. Even after security training, employees still click on phishing links at an average rate of 20 to 30 percent. With the rise in people working from home, new forms, such as consent phishing, have cropped up to take advantage of new vulnerabilities. Direct your resources to where the people in your organization can see the risk is real, and you’ll generate positive engagement.

Tip #4: Be transparent about breaches. No organization can claim 100 percent invulnerability. Let people know they are the first line of defense. Communicating with staff when a successful attack occurs will help them remain alert. It’s okay to provide examples as long as you don’t reveal so much information that it’s obvious who clicked on that fake Zoom invitation. Be careful not to treat employees like children. They need to own their own actions, but shaming won’t make your organization safer.

Tip #5: Avoid a compliance only mindset. Yes, that once-a-year cybersecurity training your people dutifully click through meets the organizational requirement. But gaining employee buy-in means doing more than just checking the box. Schedule a refresher course after a breach, even if the victim happens to be another company. Creating a security program that’s fun and engaging will probably cost more, but ask yourself how high the costs from downtime and lost productivity from a major breach would run. Better to invest those funds in protection upfront.

Tip #6: Communicate and educate continuously. Make security news part of your normal staff communications. Talk to your people about the headline-making hacks that target large corporations and government agencies, as well as the smaller identity theft and payment-app scams we all contend with. Talk about supply chain security and the dangers of using unauthorized devices and shadow IT. Cybersecurity threats can feel overwhelming and scary. Communication helps demystify those threats and makes employees feel empowered to protect themselves and their organizations.


Microsoft delivers unified SIEM and XDR to modernize security operations

September 22nd, 2020 No comments

The threat landscape continues to increase in both complexity and the level of sophistication of the attacks we observe. Attackers target the most vulnerable resources in an organization and then traverse laterally to target high-value assets. No longer can you expect to stay safe by protecting individual areas such as email or endpoints. Extended detection and response (XDR) is a new approach defined by industry analysts that is designed to deliver intelligent, automated, and integrated security across domains to help defenders connect seemingly disparate alerts and get ahead of attackers.

At today’s virtual Ignite conference, Microsoft is announcing a unique approach that empowers security professionals to get ahead of today’s complex threat landscape with integrated SIEM and XDR tools from a single vendor so you get the best of both worlds – end-to-end threat visibility across all of your resources; correlated, prioritized alerts based on the deep understanding Microsoft has of specific resources and AI that stitches that signal together; and coordinated action across the organization. With the combination of SIEM and XDR, defenders are now armed with more context and automation than ever and can leverage the time saved to apply their unique expertise within their own environment to proactively hunt and implement threat preventions.

As part of this announcement, we are unifying all XDR technologies under the Microsoft Defender brand. The new Microsoft Defender is the most comprehensive XDR in the market today and prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms. With Microsoft Defender we are both rebranding our existing threat protection portfolio and adding new capabilities, including additional multi-cloud (Google Cloud and AWS) and multi-platform (Windows, Mac, Linux, Android, and iOS) support.

Microsoft Defender is delivered in two tailored experiences, Microsoft 365 Defender for end-user environments and Azure Defender for cloud and hybrid infrastructure.

Microsoft 365 Defender

Microsoft 365 Defender delivers XDR capabilities for identities, endpoints, cloud apps, email and documents. It uses artificial intelligence to reduce the SOC’s work items, and in a recent test we consolidated 1,000 alerts to just 40 high-priority incidents. Built-in self-healing technology fully automates remediation more than 70% of the time, ensuring defenders can focus on other tasks that better leverage their knowledge and expertise.

Today, we are making the following branding changes to unify the Microsoft 365 Defender technologies:

  • Microsoft 365 Defender (previously Microsoft Threat Protection).
  • Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection).
  • Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection).
  • Microsoft Defender for Identity (previously Azure Advanced Threat Protection).

New features within Microsoft 365 Defender will also be available:

  • Mobile threat defense capabilities in Microsoft Defender for Endpoint are extended to iOS (now in preview), and Android support now moves to general availability (GA). As a result, Microsoft now delivers endpoint protection across all major OS platforms. Learn more about the latest in our endpoint security journey.
  • Extension of current macOS support with the addition of threat and vulnerability management. You can learn more here.
  • Priority account protection in Microsoft Defender for Office 365 will help security teams focus on protection from phishing attacks for users who have access to the most critical and privileged information. Customers can customize prioritized account workflows to offer these users an added layer of protection. Learn more here.

An image of the Microsoft 365 Defender dashboard.

Azure Defender

Azure Defender delivers XDR capabilities to protect multi-cloud and hybrid workloads, including virtual machines, databases, containers, IoT, and more. Azure Defender is an evolution of the Azure Security Center threat protection capabilities and is accessed from within Azure Security Center.

Aligned with the Microsoft 365 brand changes, today we are announcing brand changes for these capabilities under Azure Defender, for example:

  • Azure Defender for Servers (previously Azure Security Center Standard Edition).
  • Azure Defender for IoT (previously Azure Security Center for IoT).
  • Azure Defender for SQL (previously Advanced Threat Protection for SQL).

We are also announcing new features that will be available within Azure Defender:

  • To help defenders identify and mitigate unprotected resources we are delivering a new unified experience for Azure Defender that makes it easy to see which resources are protected and which need protection. This updated experience can be accessed here and will be made broadly available later this month.
  • Added protection for SQL servers on-premises and in multi-cloud environments as well as virtual machines in other clouds, and improved protections for containers, including Kubernetes-level policy management and continuous scanning of container images in container registries.
  • Support for operational technology networks with the integration of CyberX into Azure Defender for IoT.

An image of Azure Defender.

Azure Sentinel

The XDR capabilities of Microsoft Defender delivered through Azure Defender and Microsoft 365 Defender provide rich insights and prioritized alerts, but to gain visibility across your entire environment and include data from other security solutions such as firewalls and existing security tools, we connect Microsoft Defender to Azure Sentinel, our cloud-native SIEM.

Azure Sentinel is deeply integrated with Microsoft Defender so you can integrate your XDR data in only a few clicks and combine it with all your security data from across your entire enterprise.

Today, we are announcing new features within Azure Sentinel:

  • The new entity behavior analytics view makes it easier to diagnose compromised accounts or malicious insiders.
  • Simplified management of threat intelligence, including the ability to search, add, and track threat indicators, perform threat intelligence lookups, and create watchlists. To learn more about these in detail, check out the Azure Sentinel blog.

An image of Azure Sentinel.

Modernize your security operations

Some vendors deliver XDR, some deliver SIEM. Microsoft believes that defenders can benefit from using deeply integrated SIEM and XDR for end-to-end visibility and prioritized actionable insights across all your enterprise assets. We are committed to delivering the best-integrated experience with the broadest coverage of resources to help simplify your world.

Thank you for your continued partnership and invaluable input on this journey to deliver the most comprehensive threat protection to our global customers.

Infographic of Microsoft 365 Defender and Azure Defender

YouTube video: Microsoft Defender, Extended Detection and Response (XDR) | Microsoft Ignite 2020

Stay healthy. Stay safe.

-Rob & our entire Microsoft Security Team


Microsoft announces cloud innovation to simplify security, compliance, and identity

September 22nd, 2020 No comments

2020 will be remembered as a year of historic transformation. The pandemic has changed the way businesses operate and people work. One thing that has not changed is our basic human nature and the need to feel safe. Being safe and feeling safe is what allows us to do more, create more, and have trust in the technology that connects us all.

It’s no wonder, then, that cybersecurity is so important right now. Digital security is about people—it’s about empowering defenders to defend and protect employees, data, work, and personal safety. It’s about making people and organizations resilient in an environment of unexpected change, like widespread remote work. Nearly overnight, organizations worldwide have had to enable remote workforces, support rapidly evolving business requirements, and steer to the next normal without knowing what that normal would be.

All of this takes place against a backdrop of advanced threats and adversaries. For example, Microsoft threat intelligence teams recently exposed cyberattacks targeting people and organizations involved in the upcoming U.S. presidential election including unsuccessful attacks on people associated with both presidential campaigns from a variety of foreign activity groups known to Microsoft as Strontium, Zirconium, and Phosphorus.

For those responsible for securing their organization’s digital infrastructure, this has all come on top of what they were already navigating—levels of complexity that often translate into barriers for companies, their people, and the customers they serve. That’s why we’re so passionate about reimagining security, identity, and compliance. We hold a differentiated view among our peers that security should not only encompass all critical aspects of security—including cybersecurity, identity, and compliance – but that these components should be tightly integrated, and built right into the products and platforms that businesses are already using, so that managing safe access, securing data, meeting regulatory requirements and protecting against threats is seamless.

Countless innovative companies like ASOS, CenturyLink, Erie Insurance, Frost Bank, Rabobank, Unilever, Rockefeller Capital Management, Uniper, Komatsu, and The Little Potato Company; and public sector organizations including the US Department of Defense, New Jersey Administrative Office of the Courts, Ashford & St. Peter’s Hospitals (NHS), St. Luke’s, and Durham University are tapping into the Microsoft cloud to help secure their futures. Today we’re delivering a new set of security, compliance, and identity innovations to help all customers simplify and modernize their environments by embracing the reality that the past seven months have likely reshaped the next 10 years of security and digital transformation.

Modern security with a new Microsoft Defender

Poor security posture is often rooted in complexity. Security teams have historically struggled to keep up with threats and signals across a patchwork of poorly integrated solutions that fail to cover the breadth of workloads, clouds, and devices that businesses run on. Fortunately, the cloud has given rise to a new generation of modern security tools that simplify the defender experience by combining signals and automating responses to catch threats that would otherwise go unchecked. The most important emerging tools are Extended Detection and Response (XDR) and cloud-native Security Information & Event Management (SIEM). Most vendors only offer one or the other.

Microsoft offers a unique approach that empowers security professionals with both cloud-native SIEM and XDR tools from a single vendor. This brings a new level of integration that gives defenders the best of both worlds—an end to end visibility across all of their resources and intelligent alerts built with a deep understanding of individual resources, enhanced with human and machine intelligence.

Today we are making the following announcements to simplify the defender experience with modern and integrated capabilities:

  • We are unifying all of our XDR capabilities together and rebranding them as Microsoft Defender, inclusive of Microsoft 365 Defender and Azure Defender.
  • Microsoft Defender offers the broadest resource coverage of any XDR in the industry, spanning identities, endpoints, cloud apps, email and docs, infrastructure, and cloud platforms.
  • Microsoft Defender uses powerful workflows and AI to correlate alerts across attack vectors, provide an end-to-end view of the attack, and automatically heal affected assets.

In addition to bringing our XDR together under Microsoft Defender, we are also announcing new Defender capabilities:

  • Microsoft Defender for Endpoint is now available for all major platforms, with the general availability of protection for Android devices and a preview for iOS.
    An image of Microsoft Defender for Endpoint on an Android device.
  • Azure Defender has a new unified dashboard experience within Azure Security Center that gives you visibility into your alerts and which resources are currently monitored.
  • Azure Defender has new protections for SQL on-premises, Azure Kubernetes, Azure Key Vault, and IoT.
  • Azure Defender for IoT now protects industrial IoT, Operational Technology (OT), and building management systems (BMS) with the integration of CyberX’s agentless capabilities for securing unmanaged devices acquired in June.

Our cross-domain detection and response capabilities from Microsoft Defender are deeply integrated with our cloud-native SIEM, Azure Sentinel, reducing complexity and increasing visibility so that defenders see what matters when it matters.  In Azure Sentinel we are announcing:

  • Improvements to threat intelligence management and new integrations with threat intelligence partners, including the ability to search, add, and track threat indicators, perform TI look-ups, and enrichments as well as creating watchlists for hunting threats—so you can catch more threats, faster.
  • User and entity behavior analytics that help SecOps detect unknown threats and anomalous behavior of compromised users and insider threats. New insights are unlocked with user and entity behavior profiles that leverage machine learning and Microsoft’s security research.
  • To help Microsoft 365 E5 customers modernize faster, we are offering promotional pricing that will save the typical 3,500 seat deployment $1,500 per month—for a limited time, beginning in November 2020.

ASOS, a leading online fashion retailer, is using Azure Sentinel to detect attacks even while their security team is working remotely during the pandemic.

A headshot of Stuart Gregg, Cyber Security Operations Lead, ASOS.

“With everything running through Azure Sentinel, we’ve reduced the time spent on case management and resolution of alerts by approximately 50 percent,” said Stuart Gregg, Cyber Security Operations Lead, ASOS.

In addition to the XDR and SIEM news, we are enhancing security posture management in Azure Security Center with support for multi-cloud.  Now you can see all your Azure, AWS, and GCP security posture in a unified experience within Azure Security Center. Learn more about today’s Azure security announcements here.

Compliance, simplified

Our compliance cloud solutions help customers more easily navigate today’s biggest risks, from managing data or finding insider threats to dealing with legal issues or even addressing standards and regulations. We’ve listened to customers and invested heavily in a set of solutions to help them modernize and keep pace with the evolving and complex compliance and risk management challenges they face.

  • One of our key investment areas is the set of Data Loss Prevention products in Microsoft 365. We recently announced the public preview of Microsoft Endpoint Data Loss Prevention (DLP), which means customers can now identify and protect data on devices. Today, we are announcing the public preview of integration between Microsoft Cloud App Security and Microsoft Information Protection, which extends Microsoft’s data loss prevention (DLP) policy enforcement framework to third-party cloud apps—such as Dropbox, Box, Google Drive, Webex, and more—for a consistent and seamless compliance experience.
  • Customers struggle to keep up with the constantly changing regulations around data protection. To help ease this challenge, we are excited to announce the general availability of Compliance Manager, which helps businesses simplify compliance and reduce risk by translating complex regulatory requirements into specific controls and, through a compliance score, providing a quantifiable measure of compliance.
A headshot of Edward Contreras, CISO, EVP, Frost Bank.

Customers like Frost Bank have found that tracking their compliance score makes compliance easier.

“Compliance is a really interesting field. Typically, you have somebody with a legal background, a risk background, or a security background, but very little technical background. And so trying to translate a regulation so that it fits within a technical environment is very difficult. With Compliance Manager, it actually allowed a lot of the tech talk to be translated for the side, the business side, but it also allowed a lot of the business side to be translated to the tech side. For us, it made the conversation very simple and it made the process almost seamless,” said Edward Contreras, CISO, EVP, Frost Bank.

The power of modern cloud-based identity protection

Nothing has done more to simplify the security challenges of remote work during the pandemic than modern identity solutions and Zero Trust architectures. A July 2020 Microsoft poll found that 94 percent of business leaders have already embarked on a Zero Trust journey. Identity is central to simplifying security today and shaping the next generation of the modern security infrastructure.

Microsoft is pushing the frontier of identity through the introduction of a decentralized model built on open standards to help balance the power between individuals and organizations in ways that enhance digital trust while protecting privacy and reducing the risk of losing personal data.

  • Today we are announcing a decentralized identity pilot together with the MilGears educational program of the US Department of Defense and Trident at AIU, which helps military veterans and service members enroll in higher education and jumpstart their civilian career.

This technology will significantly reduce the time and effort it takes for veterans to verify their service records and transcripts with universities and employers. It will also help veterans maintain control of their information.

In a pilot of decentralized identity, Trident at AIU can quickly and easily verify transcripts presented by MilGears participants.

The simplest way to manage identities and embark on a Zero Trust journey today is with Azure Active Directory (AD)—Microsoft’s cloud identity service, trusted by over 200 thousand organizations. They choose Azure AD for industry-leading security and seamless user experience.

Doug Howell, Director of IT, The Little Potato Company

No company or industry is immune to attack and everyone deserves modern protection. The Little Potato Company is a family-owned business with 400 employees headquartered in Alberta, Canada that uses Conditional Access as a critical component in its Zero Trust security strategy. The Little Potato Company recently saw the value of Zero Trust security firsthand when a user’s credentials were compromised and used to attempt to access corporate data. Luckily, the company had deployed Azure AD and Conditional Access, which quickly identified and blocked the login attempts from multiple locations and an unfamiliar operating system.

What you can do today

Security is a journey, and we believe in progress over perfection. The key is that every step you take in the process makes your organization safer and simpler. In fact, it makes all of us safer as we work together to stop malicious activity from causing harm and to protect data and privacy in a modern, connected world.

Here are four things you can do today to make your organization safer and more resilient:

  1. Use multi-factor authentication. Move toward passwordless.
  2. Have a plan for keeping software up to date and patch, patch, patch!
  3. Get a handle on all devices connecting to your network, from phones and laptops to edge devices, and how you’re detecting potential threats to all of them.
  4. Use benchmarks and insights like Microsoft Secure Score and Compliance Manager to understand your posture and track your progress.

2020 is marking a moment in time that none of us could have imagined; a moment that has amplified the need for a resilient response to unexpected change, and a moment in which digital safety is paramount to productivity and the peace of mind we all need to be at our best. We’re inspired by the way customers are using technology to turn obstacles into innovation, to turn ideas into solutions, and to embrace today’s challenges as an opportunity to build a better, safer world for all. That’s why we at Microsoft are reimagining security, identity, and compliance—to empower all people and organizations to thrive.


Identity at Microsoft Ignite: Rising to the challenges of secure remote access and employee productivity

September 22nd, 2020 No comments

These past months have changed the way we work in so many ways. When businesses and schools went remote overnight, many of you had to adapt quickly to ensure your users could stay productive while working from home. Bad actors are trying to exploit these seismic shifts, making it more important than ever to secure access to your digital estate.

Those of us working in the Identity Division at Microsoft have learned from your resilience as we have tackled these challenges together. In July, I shared the four principles guiding our identity investments. Today on the virtual Microsoft Ignite stage, I’m pleased to announce several Azure Active Directory innovations shaped by what we have learned from working alongside you.

Empower your workforce without sacrificing control

Zero Trust principles are at the core of how we build and invest in identity. We never trust, and we always verify. Zero Trust starts with cloud identity, using real-time risk assessment powering fine-grained access controls. Many of you use Azure AD Conditional Access as your Zero Trust policy engine. Now, with Conditional Access insights in public preview, recommendations that identify gaps in your policies help you stay more protected. For example, a common recommendation is to block legacy authentication by default to protect your accounts from malicious authentication requests.

See the breakdown of sign-ins for each Conditional Access condition.

To help simplify configuration, the Azure AD Conditional Access API is now generally available in Microsoft Graph. You can use PowerShell or another custom scripting to automate and scale policy management.
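As an added example (not code from the post or from Microsoft), the script below uses the Microsoft Graph Conditional Access API just mentioned to check a tenant for the legacy-authentication gap described above and, if nothing covers it, creates a block policy in report-only mode. The access token, policy display name and the sample policies are assumptions constructed for the example.

```python
"""Check for, and create, an Azure AD Conditional Access policy that blocks
legacy authentication via the Microsoft Graph Conditional Access API.

Added example, not code from the original post.  Assumptions: the caller
supplies a Graph access token with Policy.ReadWrite.ConditionalAccess, and
policy objects have the shape of the Graph v1.0 conditionalAccessPolicy
resource.
"""
import json
import urllib.request
from typing import Optional

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# clientAppTypes values Conditional Access uses for legacy authentication:
# Exchange ActiveSync, and "other" clients (IMAP/POP/SMTP basic auth, etc.).
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def legacy_auth_block_policy(display_name: str, enforce: bool = False) -> dict:
    """Build the request body for a policy blocking legacy authentication for
    all users and all cloud apps.  Default is report-only mode, so sign-in
    logs show what would be blocked before the policy is enforced."""
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": sorted(LEGACY_CLIENT_APP_TYPES),
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def blocks_legacy_auth(policy: dict) -> bool:
    """True if a policy (as returned by Graph) blocks every legacy client
    type for all users and all applications."""
    conditions = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    client_types = set(conditions.get("clientAppTypes") or [])
    users = (conditions.get("users") or {}).get("includeUsers") or []
    apps = (conditions.get("applications") or {}).get("includeApplications") or []
    return (
        LEGACY_CLIENT_APP_TYPES <= client_types
        and "All" in users
        and "All" in apps
        and "block" in (grant.get("builtInControls") or [])
    )


def legacy_auth_gap(policies: list) -> dict:
    """Classify a tenant's policies: is legacy auth blocked and enforced,
    only covered by a report-only policy, or not covered at all?"""
    enforced = [p["displayName"] for p in policies
                if blocks_legacy_auth(p) and p.get("state") == "enabled"]
    report_only = [p["displayName"] for p in policies
                   if blocks_legacy_auth(p)
                   and p.get("state") == "enabledForReportingButNotEnforced"]
    return {"covered": bool(enforced), "enforced": enforced, "report_only": report_only}


def graph_request(token: str, method: str = "GET", body: Optional[dict] = None) -> dict:
    """Issue one call against the Conditional Access policies endpoint."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH_POLICIES_URL, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def ensure_legacy_auth_blocked(token: str) -> dict:
    """List existing policies; if none covers legacy auth even in report-only
    mode, create one; return the gap assessment for the operator to review."""
    existing = graph_request(token).get("value", [])
    gap = legacy_auth_gap(existing)
    if not gap["covered"] and not gap["report_only"]:
        graph_request(token, "POST",
                      legacy_auth_block_policy("Block legacy authentication"))
    return gap


# Constructed sample of a Graph listing: one report-only legacy-auth policy
# and one unrelated MFA policy (not real tenant data).
SAMPLE_POLICIES = [
    {
        "displayName": "Block legacy auth (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for admins",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeRoles": ["placeholder-role-id"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    print(json.dumps(legacy_auth_gap(SAMPLE_POLICIES), indent=2))
```

Run against the constructed sample, the gap check reports that legacy authentication is only covered in report-only mode, which is exactly the kind of recommendation Conditional Access insights surfaces.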

Since organizations are engaging with an unprecedented number of external users, we’ve also made sure that Conditional Access works for all of your identities. Conditional Access and Identity Protection for Azure AD B2C, now available in public preview, is included in our unified Azure AD External Identities offer, so you can protect your customers’ accounts from compromise and make it easier for them to engage with your business. We’ve also enhanced our Identity Protection capabilities for all identity types, with updates such as an enhanced real-time risk engine and password spray risk detection.

Enable single sign-on for all employee apps, from any device

A seamless user experience is essential to productivity, especially when employees are collaborating from multiple locations and devices. One of the best ways to keep your users both protected and seamlessly connected to all their applications is by enabling single sign-on (SSO).

Azure AD is making it easier to provide secure and seamless access to applications of all types: to SaaS apps, to custom apps built decades ago, and to new cloud apps that you build. We enhanced Azure AD Application Proxy so that in addition to configuring SSO to legacy on-premises apps, you can connect apps that use header-based authentication, the most popular legacy authentication protocol. This update will be available in October 2020, when it reaches public preview.

Deliver consistent single sign-on experiences to legacy apps.

We’ve continued to expand our ecosystem of secure hybrid access partnerships, adding Kemp, Palo Alto Networks, Cisco AnyConnect, Fortinet, and Strata. Any applications connected to existing networking and app delivery controllers from these partners can now benefit from cloud security powered by Azure AD.

And we’re continually working to make it effortless to manage your favorite SaaS apps. For example, we’ve built deeper integrations with popular applications like Adobe and ServiceNow to ensure efficient lifecycle management. With ServiceNow, IT and hiring managers can automatically provision application access with the Azure AD integration for new hires. And Adobe customers will soon be able to provision accounts using the SCIM standard for the core Adobe Identity Management platform across Adobe Creative Cloud, Adobe Document Cloud, and Adobe Experience Cloud. We’ve also worked with Apple to ensure that client apps connected to Azure AD have a seamless SSO experience on all iOS devices.

As application usage rises in the era of remote work—and with it, application-based compromises—it’s critical to empower end-users to access applications that are secure and trustworthy. At Build, we announced the preview of application consent policies that allow end-users to give applications you trust—such as applications from your organization or from verified publishers—permissions to access data. You can set up the admin consent workflow to give end-users a streamlined way to request admin approval for other applications. And with publisher verification now generally available, app developers can signal to admins and end-users that they have verified their identity using a Microsoft Partner Network account associated with the app registration.

Eliminate friction through future-proofed identity

The pandemic has accelerated digital transformation, bringing additional focus to our investments in the future of identity. At Microsoft, we believe that decentralized identifiers are core to the future of identity systems. We all want to trust that our information will be secure and only shared with our consent, so decentralized identity systems will empower users to own their own identity and the information attached to it. This is a community effort, built on new open standards. The model will easily integrate with your existing identity systems, and it uses an open-source blockchain solution designed so that no single organization owns or controls it—including Microsoft.

This vision is already becoming real. For example, we are partnering with the United States Department of Defense (DOD) to pilot decentralized identity for their MilGears educational program. The MilGears program helps US military veterans and retiring service members enroll in higher education as they transition to civilian careers. Microsoft and the DOD are piloting verifiable credentials, a digital information validation feature, so that MilGears participants can reduce the time it takes to confirm their skills and education from months to days. From the Microsoft Software and Systems Academy and Microsoft global skills initiative to our DOD pilot with MilGears, Microsoft is deeply invested in realizing the potential of this technology to eliminate career barriers for every individual.

Looking forward

2020 is a year we’ll all remember for its intensity and accelerated pace of change. Keeping your users secure, wherever they are, has been our collective priority. No matter how the “new normal” unfolds after this pandemic, identity will remain the heartbeat of all the services your users rely on. As you try out the new features we have announced at Microsoft Ignite, please send us your feedback so we can continue to build advancements that help you keep your employees secure and connected.

See these features in action when I take the Microsoft Ignite stage today by registering for free at Microsoft Ignite and watching my session here starting at 11:30 am PT, with future airings for other regions. Follow Microsoft identity at @AzureAD on Twitter for more news and best practices.

The post Identity at Microsoft Ignite: Rising to the challenges of secure remote access and employee productivity appeared first on Microsoft Security.

Enable secure remote work, address regulations and uncover new risks with Microsoft Compliance

September 22nd, 2020 No comments

As we talk with a broad range of customers in the current environment, we hear some consistent challenges businesses are facing. With so many remote workers, people are creating, sharing, and storing data in new ways, which fosters productivity, but can also introduce new risks. A recent Microsoft poll of Chief Information Security Officers (CISOs) revealed that providing secure remote access to resources, apps, and data is their top concern.

To help companies better protect their data, mitigate risk, and address compliance regulations, especially in this time of flexible work, we are announcing several new capabilities across Microsoft Compliance, including:

  • General availability of Microsoft Compliance Manager to address industry regulations and custom requirements.
  • New connectors and APIs to help you to extend Microsoft compliance capabilities to third-party apps.
  • Ability to protect native and third-party cloud apps through unified data loss prevention (DLP), now extended to Microsoft Cloud App Security (MCAS) in public preview.
  • Expanded security and compliance capabilities built directly into Microsoft Teams.

Read on to learn more about these and additional features beginning to roll out today in Microsoft 365 Compliance. You can also check out what Jeff Teper, Corporate Vice President for Microsoft 365, has to say about Microsoft Compliance.

Addressing the complexity of data regulations with Microsoft Compliance Manager

In addition to the talent shortage and complexity of compliance management, customers also face the need to comply with an increased volume and frequency of regulations, with hundreds of updates a day globally to thousands of industry and regional regulations. Additionally, the complexity of regulations makes it challenging for organizations to know specific actions to take and their impact.

Compliance Manager offers a vast library of assessments for expanded regulatory coverage, built-in automation to detect tenant settings, and step-by-step guidance to help you manage risk. Compliance Manager translates complex regulatory requirements to specific technical controls, and through compliance score, provides a quantifiable measure of risk assessment. Generally available today, Compliance Manager brings together the existing Compliance Manager and Compliance Score solutions in the Microsoft 365 compliance center.

Now, with more than 150 out-of-the-box and scalable assessments in Compliance Manager, you can address industry- and region-specific requirements, while also meeting multiple requirements through a single action.

The flexibility of custom assessments also allows you to extend compliance and risk management beyond Microsoft 365 to meet your specific business needs. For example, if you are currently tracking compliance of your SAP data in an Excel file, you can bring that into Compliance Manager.

You can learn more about Compliance Manager on Tech Community. Check out Frost Bank’s experience with Compliance Manager on the Microsoft Customer site.

Extending compliance capabilities to manage data risk beyond Microsoft 365

To provide greater visibility into your data, wherever it lives, we are making new connectors available that can pull data from other apps into Microsoft Compliance (including Microsoft Information Protection, Insider Risk Management, Communication Compliance, and eDiscovery) to help you to reason over, protect, and govern that data. These new connectors – available in partnership with Globanet and Telemessage – include SMS/text connectors for various telecom operators (e.g., AT&T, Verizon, T-Mobile, etc.), WhatsApp, Zoom, and Slack.

A key ask from our partners and customers is the ability to access Microsoft Compliance solutions and integrate them with existing applications and services that are part of broader compliance, security, and operations (SecOps) ecosystems, including Symantec, McAfee, and Relativity.

To help, we are announcing new APIs, which are part of the broader Microsoft Graph ecosystem:

  • Teams Data Loss Prevention (DLP) API: Allows third-party products to integrate and enable data loss prevention capabilities for Microsoft Teams.
  • eDiscovery API: Allows the automation of Advanced eDiscovery processes, including case creation and the entire legal hold notification workflow to communicate with custodians involved in a case.
  • Teams Export API: Allows the export of Teams Messages (1:1 and group chat) along with attachments (file links and sticker), emojis, GIFs, and user @Mentions. This API supports polling daily Teams messages and allows archiving of deleted messages up to 30 days.

An image showing the Microsoft 365 Compliance ecosystem.

Figure 1: Extending compliance beyond Microsoft 365 — We have partnered with Globanet and Telemessage to deliver ready-to-use connectors. All Microsoft and third-party built connectors are now available in a single catalog.

You can learn more in the Tech Community blog.

Extending unified data loss prevention to Microsoft Cloud App Security (MCAS)

Having the right data protection and governance approach is critical to not only addressing regulatory compliance but also to mitigating risks around data leakage.

Microsoft Information Protection helps you to identify your data and ensure you have the right data classification in place to properly protect and govern that data, which enables you to apply data loss prevention (DLP) to enforce policies against that data. In July, we announced the public preview of Microsoft Endpoint Data Loss Prevention (DLP), which builds on the labeling and classification in Microsoft Information Protection. Endpoint DLP extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on devices by restricting what data apps can access. Endpoint DLP is also natively integrated with the new Microsoft Edge browser, providing additional policy options to restrict the flow of data when accessing web sites.

Today we announce the extension of Microsoft data loss prevention solutions to Microsoft Cloud App Security. This new capability, now in public preview, extends the integration for DLP policy-based content inspection across connected applications such as Dropbox, Box, Google Drive, Webex, OneDrive, SharePoint, and others. This extension of Microsoft data loss prevention solutions to MCAS helps users remain continuously compliant when using popular native and third-party cloud apps and helps to ensure sensitive content is not accidentally or inappropriately shared. MCAS uses the same policy framework and the more than 150 sensitive information types that are common across all Microsoft data loss prevention solutions, to provide a familiar, consistent, and seamless experience.

You can learn more about our unified approach to data loss prevention on Tech Community.

Additional security and compliance features, including Advanced eDiscovery, being added to Microsoft Teams

As Microsoft Teams usage has grown with the shift to remote work, organizations are looking for seamless integration in order to keep their data and employees secure and compliant.

With the volume of business conversations happening now in Microsoft Teams, we are also adding additional security and compliance features, including:

  • Advanced eDiscovery now supports live documents and links shared in Microsoft Teams. Advanced eDiscovery automatically collects documents from a storage location, such as SharePoint or OneDrive, to pull the content into an eDiscovery case. The attachments are collected, reviewed, and exported along with the Teams conversations so customers don’t need to manually find and collect the documents one by one.
  • Auto-apply retention policies for Microsoft Teams meeting recording allow you to retain and delete recordings with in-place governance, which means the retention policies apply wherever the recordings are saved without the need to export elsewhere. When the rollout for this begins in October, we will provide guidance on how you can leverage Keyword Query Languages to create retention policies for Teams meeting recordings.
  • We now include Teams-specific actions in Compliance Manager, which provide guidance around improvement and implementation of actions you can take to help to align with protection regulations and standards.
  • We are also announcing Customer Key support for Teams. Microsoft helps keep Teams data safe by encrypting it while at rest in Microsoft datacenters. Now we are extending this capability to enable customers to add a layer of encryption using their own keys for Teams, similar to Exchange Online, SharePoint Online, and OneDrive.
  • Insider Risk Management now offers native integration with Microsoft Teams to securely coordinate, collaborate, and communicate on a case with relevant stakeholders in the organization. When an Insider Risk Management case is created, a private Microsoft Teams team will also be created and bound to the case for its duration. This Microsoft Teams team will, by default, include insider risk management analysts and investigators, and additional contributors such as HR and Legal can be added as appropriate. With Teams integration, stakeholders can:
    • Use channel conversations to coordinate and track review/response activities.
    • Share, store, and review relevant files and associated evidence.

Additional new capabilities coming to Microsoft Compliance

While I’ve discussed some of the biggest areas of investment for us in Microsoft Compliance, there are many additional new capabilities we’re excited to bring to you today:

  • Microsoft Information Protection now includes more than 150 sensitive data types, improvements to Exact Data Match, the general availability of automatic labeling in Office apps, and more.
  • Microsoft Information Governance and Records Management include new in-place retention and deletion policies for Yammer messages (rolling out now in public preview), as well as integration with the new SharePoint Syntex.
  • Insider Risk Management now integrates with Power Automate, provides a richer investigation experience, and includes expanded signal visibility to badging systems for building security.
  • Communication Compliance now provides enhanced visibility across a variety of communication channels and integration with Power Automate.
  • Advanced eDiscovery now has improved workflows, support for linked content in emails or chat messages, and enhanced collection experience.
  • Advanced Audit now includes two new audit events to help with forensic investigations and the ability to add 10-year audit log retention.

Remote and hybrid work scenarios have demonstrated that there has never been a more important time to invest in security and compliance. Get started today with Microsoft 365. To learn more about Microsoft Compliance and gain more technical training, visit the Virtual Hub today.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Enable secure remote work, address regulations and uncover new risks with Microsoft Compliance appeared first on Microsoft Security.

New and improved Security Update Guide!

September 21st, 2020 No comments

We’re excited to announce a significant update to the Security Update Guide, our one-stop site for information about all security updates provided by Microsoft. This new version will provide a more intuitive user experience to help protect our customers regardless of what Microsoft products or services they use in their environment. We’ve listened to your feedback over the years …

What to Expect When Reporting Vulnerabilities to Microsoft

September 21st, 2020 No comments

At the Microsoft Security Response Center (MSRC), our primary mission is to help protect our customers. One of the ways we do this is by working with security researchers to discover security vulnerabilities in our services and products, and then making sure those that pose a threat to customers get fixed. Many researchers report these …

The post What to Expect When Reporting Vulnerabilities to Microsoft appeared first on Microsoft Security Response Center.

Vectra and Microsoft join forces to step up detection and response

September 21st, 2020 No comments

This blog post is part of the Microsoft Intelligence Security Association (MISA) guest blog series. Click here to learn more about MISA.

Traditional security operations center (SOC) processes typically involve a wide variety of disparate event notification tools that force overworked analysts to battle massive amounts of inbound alerts. This often leads to missed signals and incorrect alert prioritization.

The move to cloud, hybrid environments, and IoT further exacerbates the situation as the attack surface is distributed, boundless, and ever-changing. Perimeter defenses, although necessary, are insufficient.

To address these challenges, SOCs today are focusing on continuous real-time detection and response capabilities that are based on three tightly integrated vantage points and solutions – network detection and response (NDR), endpoint detection and response (EDR), and security information and event management (SIEM).

Gartner calls this approach the SOC visibility triad. It combines the widespread visibility of NDR with the deep process-level insight of EDR, and couples them together with log and security analytics from a variety of sources in the SIEM.

Using these three components in a deeply integrated solution gives security professionals the tools and visibility into modern networking environments and allows them to detect and stop attacks that evade perimeter defenses.

The Cognito® platform from Vectra® delivers high-fidelity NDR by keeping a watchful eye on hidden attacker behaviors in workloads in the cloud and hybrid cloud as well as on-premises enterprise networks.

By combining security research with data science, Vectra AI-derived machine learning algorithms automatically detect and prioritize the highest-risk attacker behaviors in cloud/SaaS and data center workloads as well as user and IoT devices.

As a result, Vectra enables security professionals to reduce the SOC workload, instantly get deep insights and context about every attack, and respond faster to encroaching threats with surgical precision.

An image of the SOC Vectra Triad.

The deep native integrations between Vectra (NDR), Microsoft Defender ATP (EDR) and Microsoft Azure Sentinel (SIEM) make the SOC triad fully operational for customers, enabling them to use tools they are already familiar with.

This SOC triad brings together context from each data source, creating an extraordinary solution that is greater than the sum of its parts.

In addition to enriching Vectra detections with contextual endpoint data from Microsoft Defender ATP, this solution automatically shows attacker detections in the Microsoft Azure Sentinel dashboard, where SOC teams can conduct conclusive investigations.

The SOC visibility triad further helps drive integrated enforcement actions like disabling compromised accounts and isolating hosts that an attacker is using. This allows SOCs to deliver well-coordinated responses, enhance efficiency, and reduce attacker dwell-times.

The Host Lockdown feature from Vectra is a perfect example of this. When a high-risk attack is detected by the Cognito platform, SOC teams can respond quickly and accurately to lockdown Microsoft Defender ATP hosts from the Cognito dashboard.

This can be performed manually with a button-click or configured for automated enforcement that triggers when host threat, certainty, and observed-privilege scores exceed SOC-defined thresholds.

In summary, together with Microsoft Defender ATP, Vectra enables SOC teams to:

  • Combine the Vectra 360-degree aerial view of interactions on cloud and data center workloads with the in-depth ground-level view from Microsoft Defender ATP.
  • Enrich high-fidelity Vectra detections with deep process-level host-context from Microsoft Defender ATP.
  • Take precise and immediate enforcement actions from Vectra closer to the source using Microsoft Defender ATP.

And together with Microsoft Azure Sentinel, Vectra enables SOCs to:

  • Bring Vectra high-certainty behavior-based detections straight to Microsoft Azure Sentinel workbooks for immediate attention.
  • Automate incidents in Microsoft Azure Sentinel based on configurable threat and certainty score thresholds from Vectra.
  • Perform forensic analysis on incidents to identify involved devices, accounts, and attackers.

With these deep integrations between NDR, EDR, and SIEM that Vectra and Microsoft have collaborated on, we are able to realize the SOC visibility triad, ultimately allowing customers to elevate SOC visibility and prevent attackers from establishing footholds across cloud, data center, IoT, and enterprise networks.

For more details, check out the Cognito platform from Vectra and our integration with Microsoft Defender ATP and Microsoft Azure Sentinel.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our web site where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft security solutions, visit the Microsoft security web site. Bookmark the security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Vectra and Microsoft join forces to step up detection and response appeared first on Microsoft Security.

Industry-wide partnership on threat-informed defense improves security for all

September 16th, 2020 No comments

MITRE Engenuity’s Center for Threat-Informed Defense has published a library of detailed plans for emulating the threat actor FIN6 (which Microsoft tracks as TAAL), a collection of threat intelligence, MITRE ATT&CK data, supporting scripts, and utilities designed to enable red teams to emulate the adversary and evaluate defensive capabilities in their environments.

Microsoft, a founding member of MITRE Engenuity’s Center for Threat-Informed Defense, is proud to be part of this industry-wide collaborative project. The Center for Threat-Informed Defense aims to bring together security researchers from across the globe to advance state-of-the-art approaches in cybersecurity.

Through projects like publishing the FIN6 adversary emulation plan, the center supports applied research and advanced development to improve cyber defense at scale. And because the center builds on MITRE ATT&CK, the emulation plan aligns with a framework that security researchers and analysts are already familiar with and use in security operations.

FIN6: Evolving e-crime group

FIN6 is a sophisticated e-crime group, suspected to be of Russian origin, that has been operating since 2015. The financially motivated group is known to target point-of-sale (POS) systems in the retail and hospitality industries using the FrameworkPOS and GratefulPOS malware strains. Recently, the group has expanded its activities to “Magecart” campaigns, in which it inserts malicious scripts into online shopping websites to steal credit card data and other sensitive info.

The group has also been observed utilizing existing Trickbot infections to gain access to target networks, move laterally through RDP brute force, and deploy Ryuk and LockerGoga ransomware payloads in specific locations. In addition, FIN6 has been seen leveraging the malware framework called “Anchor”, which has also been tied to Trickbot activity since 2018, lending credence to the alleged operational link between the two groups.

These campaigns point to the group continuously evolving and broadening its objectives, attack tooling, and partnerships with other e-crime groups to further its financially motivated goals.

Critical, practical emulation plan

The FIN6 emulation plan published by the Center for Threat-Informed Defense assembles threat actor information, individual tactics, techniques, and procedures (TTPs), and emulation plans. It collects threat intelligence that today exists in multiple places into a single resource, saving red teams time and effort in scouring, reading, and digesting information, while also delivering essential emulation information.

Red teams looking to emulate the adversary, no matter their skill level, will find the plan beneficial. In addition to providing an overview of the threat actor, it lists required, publicly available tooling that will help ensure that prerequisites are met for a successful operation.

The emulation plans are organized in phases, which are useful for structuring red team operations to emulate FIN6’s goals and procedures. Tactics, techniques, and procedures (TTPs) implemented in CALDERA and Atomic Red Team style provide signals for all relevant MITRE ATT&CK techniques. This assembly of information takes red teams from minimal knowledge to working emulation in short order.

More advanced teams will likewise find this plan valuable. Even when teams are not limited to publicly available tools and command-line emulation, the TTP emulation plan can save time and be used as basis for implementing more complex and nuanced emulation, or for absorbing these capabilities into custom tooling.

Ultimately, research like the FIN6 emulation plan delivers critical, realistic emulation signals to blue teams faster. Because emulation plans that are usable off the shelf lower the bar to receiving threat emulation signals, they help improve defense capabilities across the board.

Microsoft Threat Protection coverage

The FIN6 emulation plan covers a total of 16 MITRE ATT&CK techniques, many of which are very tricky to detect because they blend into normal network activity, but all 16 are visible to Microsoft Threat Protection. Microsoft Threat Protection, which delivers coordinated cross-domain defense by consolidating threat data across endpoint, email and data, identities, and apps, has demonstrated its industry-leading detection capabilities in the latest MITRE ATT&CK evaluation.

For seven of the techniques utilized by FIN6, Microsoft Threat Protection automatically raises real-time alerts, notifying security operations teams about the presence of the threat actor and its activities in a network. The rest of the FIN6 techniques are recorded by Microsoft Threat Protection as telemetry, which are presented as details within process trees in alerts.

In addition, even with the evasive nature of these techniques, Microsoft Threat Protection stops processes related to three of the techniques on endpoints. It does this through next-generation protection capabilities, as well as the new endpoint detection and response (EDR) in block mode. EDR in block mode transforms EDR detections into blocking and containment of malicious behaviors and artifacts.

All related alerts and signals, as well as other important information like affected entities and remediation status, are consolidated into a single incident view. This correlation of threat data allows security operations teams to determine the full scope of the threat on their environments, prioritize alerts based on severity level, and swiftly remediate affected assets.

As part of Microsoft’s own learning from the emulation plan and the partnership with the Center for Threat-Informed Defense, our researchers are looking into further improving coverage by looking into transforming telemetry into specific detections that raise alerts, where applicable.

Industry collaboration yields stronger protection for the ecosystem

Microsoft Threat Protection’s 100% coverage of the MITRE ATT&CK techniques covered by the FIN6 emulation plan demonstrates Microsoft’s broad visibility into threats, especially sophisticated and persistent ones like FIN6 attacks. By partnering with MITRE Engenuity’s Center for Threat-Informed Defense, we can share our insights and experiences with other members of the Center and with the industry in general, while also learning from other experts.

Microsoft has always been a champion of industry-wide partnerships, because these result in better security for the whole ecosystem. To this end, we will continue to work with MITRE Engenuity for projects like this. We will also continue partnering with MITRE Corporation to build transparent and collaborative testing that benefits all.

Dana Baril, Ivan Macalintal, Kate Farris

Microsoft Threat Protection Research Team

The post Industry-wide partnership on threat-informed defense improves security for all appeared first on Microsoft Security.


Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale

September 15th, 2020

Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape. Earlier this year, we announced that we would replace the existing software testing experience known as Microsoft Security and Risk Detection with an automated, open-source tool as the industry moved toward this model. Today, we’re excited to release this new tool called Project OneFuzz, an extensible fuzz testing framework for Azure. Available through GitHub as an open-source tool, the testing framework used by Microsoft Edge, Windows, and teams across Microsoft is now available to developers around the world.

Fuzz testing is a highly effective method for increasing the security and reliability of native code—it is the gold standard for finding and removing costly, exploitable security flaws. Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software-development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute, and extract information from. That complexity required dedicated security engineering teams to build and operate fuzz testing capabilities, making it very useful but expensive. Enabling developers to perform fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and simultaneously frees security engineering teams to pursue proactive work.

Microsoft’s goal of enabling developers to easily and continuously fuzz test their code prior to release is core to our mission of empowerment. The global release of Project OneFuzz is intended to help harden the platforms and tools that power our daily work and personal lives to make an attacker’s job more difficult.

Recent advancements in the compiler world, open-sourced in LLVM and pioneered by Google, have transformed the security engineering tasks involved in fuzz testing native code. What was once attached—at great expense—can now be baked into continuous build systems through:

  • Crash detection, once attached via tools such as Electric Fence, can be baked in with asan.
  • Coverage tracking, once attached via tools such as iDNA, Dynamo Rio, and Pin can be baked in with sancov.
  • Input harnessing, once accomplished via custom I/O harnesses, can be baked in with libfuzzer’s LLVMFuzzerTestOneInput function prototype.

These advances allow developers to create unit test binaries with a modern fuzzing lab compiled in: highly reliable test invocation, input generation, coverage, and error detection in a single executable. Experimental support for these features is growing in Microsoft’s Visual Studio. Once these test binaries can be built by a compiler, today’s developers are left with the challenge of building them into a CI/CD pipeline and scaling fuzzing workloads in the cloud.
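An added example, not code from Project OneFuzz or from Microsoft, of what such a test binary looks like: a small TLV record parser with the libFuzzer LLVMFuzzerTestOneInput entry point, compiled with clang so that asan and sancov are baked in rather than attached. The record format, the parser, and the file name tlv_fuzz.c are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed wire format for the code under test: a sequence of TLV records,
 * each a 1-byte type, a 2-byte big-endian length, then that many value bytes. */
#define MAX_RECORDS 16

typedef struct {
    uint8_t type;
    uint16_t len;
    const uint8_t *value;   /* points into the caller's input buffer */
} tlv_t;

/* Parse TLV records from data. Returns the number of records parsed, or -1 when
 * the input is malformed (truncated header, length running past the end, or
 * more records than the caller's buffer holds). The two length checks are the
 * kind of guard whose absence an asan-instrumented fuzz run reports as an
 * out-of-bounds read on the first input that trips it. */
int parse_tlv(const uint8_t *data, size_t size, tlv_t *out, size_t max_out)
{
    size_t off = 0, n = 0;
    while (off < size) {
        if (size - off < 3)
            return -1;                        /* truncated header */
        uint8_t type = data[off];
        uint16_t len = (uint16_t)((data[off + 1] << 8) | data[off + 2]);
        off += 3;
        if (len > size - off)
            return -1;                        /* value would run past the input */
        if (n == max_out)
            return -1;                        /* caller's record buffer is full */
        out[n].type = type;
        out[n].len = len;
        out[n].value = data + off;
        n++;
        off += len;
    }
    return (int)n;
}

/* libFuzzer entry point: the fuzzer calls this once per generated input, with
 * sancov coverage steering mutation and asan reporting memory errors.
 * Build: clang -g -O1 -fsanitize=fuzzer,address tlv_fuzz.c -o tlv_fuzz
 * (-fsanitize=fuzzer links libFuzzer's own main, so none is defined here). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    tlv_t recs[MAX_RECORDS];
    int n = parse_tlv(data, size, recs, MAX_RECORDS);
    if (n < 0)
        return 0;                             /* rejected input: nothing to check */
    /* Read every byte of every value so that a bad pointer produced by the
     * parser would be dereferenced where asan can see it. */
    volatile uint8_t sink = 0;
    for (int i = 0; i < n; i++)
        for (size_t j = 0; j < recs[i].len; j++)
            sink ^= recs[i].value[j];
    (void)sink;
    return 0;                                 /* libFuzzer expects 0 */
}
```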

Project OneFuzz has already enabled continuous developer-driven fuzzing of Windows that has allowed Microsoft to proactively harden the Windows platform prior to shipment of the latest OS builds. With a single command line (baked into the build system!) developers can launch fuzz jobs ranging in size from a few virtual machines to thousands of cores. Project OneFuzz enables:

  • Composable fuzzing workflows: Open source allows users to onboard their own fuzzers, swap instrumentation, and manage seed inputs.
  • Built-in ensemble fuzzing: By default, fuzzers work as a team to share strengths, swapping inputs of interest between fuzzing technologies.
  • Programmatic triage and result deduplication: It provides unique flaw cases that always reproduce.
  • On-demand live-debugging of found crashes: It lets you summon a live debugging session on-demand or from your build system.
  • Observable and Debug-able: Transparent design allows introspection into every stage.
  • Fuzz on Windows and Linux OSes: Multi-platform by design. Fuzz using your own OS build, kernel, or nested hypervisor.
  • Crash reporting notification callbacks: Currently supporting Azure DevOps Work Items and Microsoft Teams messages.

Project OneFuzz is available now on GitHub under an MIT license. It is updated by contributions from Microsoft Research & Security Groups across Windows and by more teams as we grow our partnership and expand fuzzing coverage across the company to continuously improve the security of all Microsoft platforms and products. Microsoft will continue to maintain and expand Project OneFuzz, releasing updates to the open-source community as they occur. Contributions from the community are welcomed. Share questions, comments, and feedback with us: fuzzing@microsoft.com

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Microsoft Security: Use baseline default tools to accelerate your security career

September 14th, 2020

I wrote a series of blogs last year on how gamified learning through cyber ranges can create more realistic and impactful cybersecurity learning experiences and help attract tomorrow’s security workforce. With the global talent shortage in this field, we need to work harder to bring people into the field. This blog is for new cyber professionals or perhaps younger aspirants considering getting into cyber. From an employee’s perspective, it can seem daunting to know where to start, especially when you’re entering an organization with established technology investments, priorities, and practices. Having come to this field later in my career than others, I say from experience that we need to do a better job collectively in providing realistic and interesting role-based learning, paths toward the right certifications and endorsements, and more definitive opportunities to advance one’s career.

I’m still a big fan of gamified learning, but if gaming isn’t your thing, then another way to acquire important baseline learning is to look at simpler, more proactive management tools that up-level different tasks and make your work more efficient. Microsoft has recently released two important cloud security posture management tools that can help a newer employee quickly grasp basic yet critically important security concepts AND show immediate value to your employer. They’re intuitive to learn and deserve more attention.  I’m talking about Azure Security Defaults and Microsoft Secure Score (also including Azure Secure Score). While tools like these don’t typically roll off the tongue, and your experience won’t grab you like an immersive gaming UI, their purpose-built capabilities that focus on commonly-accepted cyber hygiene best practices reinforce solid foundational practices that are no less important than SecOps, incident response, or forensics and hunting. Learning how to use these tools can make you a champion and influencer, and we encourage you to learn more below. These capabilities are also built directly into our larger Azure and M365 services, so by using built-in tools, you’ll help your organization maximize its investments in our technologies and help save money and reduce complexity in your environment.

Azure Security Defaults is named for what it does—setting often overlooked defaults. With one click, you automatically enable several foundational security controls that if left unaddressed are convenient and time-tested targets for attackers to go after your organization. One question that I frequently receive is why Microsoft doesn’t simply pre-configure these settings by default and force customers to turn them off. Several large, high-threat customers have asked specifically that we do that. It’s tempting, but until or unless we make such a move, this is a great self-service add-on. As explained in this blog, ASD does the following:

  • Requires all users to register for Azure Multi-Factor Authentication.
  • Requires admins to perform MFA.
  • Blocks legacy authentication protocols.
  • Requires users to perform MFA when necessary.
  • Protects privileged activities to access the Azure Portal.

A recent addition: Microsoft announced on August 12th that ASD is now also available through Azure Security Center. This is an important and beneficial addition in that it adds another opportunity for your IT organization—whether identity and access management, or security operations—to implement the defaults. I’ve noticed on several occasions when briefing or providing a demo on Azure Security Center to a CISO team that a challenge in effectively using this service may come down to organizational issues, specifically, who OWNS it? Is ASC a CISO tool? Regardless of who may own the responsibility, we want to provide the capability upfront.

Microsoft Secure Score is a relatively new feature designed to quantify your security posture based on how you configure your Microsoft resources. What’s cool and impactful about it is that it shows, in a convenient top-down menu, how the approach your organization has taken compares (anonymously) with that of your industry segment’s peers (who in many cases share similar reference architectures), and provides clear recommendations for what you can do to improve your score. From a Microsoft perspective, this is what we’d call all carrot and no stick. Though, as covered above, we provide Azure Security Defaults, customers are still on point to make a proactive decision to implement controls based on their particular work culture, compliance requirements, priorities, and business needs. Take a look at how it works:

This convenient landing page provides an all-up view into the current state of your organization’s security posture, with specific recommendations to improve certain configuration settings based on the art of the possible. In this demo example, if you were to enable every security control at its highest level, your score would be 124, as opposed to the current score of 32, for a percentage of 25.81. Looking to the right of the screen, you get a sense of comparison against peer organizations. You can further break down your score by categories such as identity, data, device, apps, and infrastructure; this in turn gives a security or compliance team the opportunity to collaborate with hands-on teams that control those specific resources and who might be operating in silos, not necessarily focused on the security postures of their counterparts.

An image of Microsoft Secure Score.

Azure Secure Score

You’ll also find Secure Score in the Azure Security Center blade where it provides recommendations front and center, and a color-coded circular graph on important hybrid infrastructure configurations and hygiene.

An image of Secure Score in the Azure Security Center.

Drilling deeper, here we see a variety of recommendations to address specific findings. For example, the top line item is advice to ‘remediate vulnerabilities’, indicating that 35 of 59 resources that ASC is monitoring are in some way not optimized for security.

An image of variety of recommendations to address specific findings.

Going a level further into the ‘secure management ports’ finding, we see a sub-heading list of actions you can take specific to these resources’ settings. Fortunately, in this case, the administrator has addressed previously-discovered findings, leaving just three to-do’s under the third subheading. For added convenience, the red/green color-coding on the far right draws your attention.

An image of the ‘secure management ports’ finding.

Clicking on the third item above shows you a description of what ASC has found, along with remediation steps. You have two options to remediate: more broadly enable and require ‘just in time’ VM access; or, manually enable JIT for each resource. Again, Microsoft wants to incentivize and make it easier for your organization to take more holistic and proactive steps across your resources, such as enabling important settings by default; but we in no way penalize you for the security settings that you implement.

An image of a description of what ASC has found, along with remediation steps.



STRONTIUM: Detecting new patterns in credential harvesting

September 10th, 2020

Microsoft has tied STRONTIUM to a newly uncovered pattern of Office365 credential harvesting activity aimed at US and UK organizations directly involved in political elections. Analysts from Microsoft Threat Intelligence Center (MSTIC) and Microsoft Identity Security have been tracking this new activity since April 2020. Credential harvesting is a known tactic used by STRONTIUM to obtain valid credentials that enable future surveillance or intrusion operations. Subsequent analysis revealed that between September 2019 and June 2020, STRONTIUM launched credential harvesting attacks against tens of thousands of accounts at more than 200 organizations. In the two weeks between August 18 and September 3, the same attacks targeted 6,912 accounts belonging to 28 organizations. None of these accounts were successfully compromised.

Not all the targeted organizations were election-related. However, we felt it important to highlight a potential emerging threat to the 2020 US Presidential Election and future electoral contests in the UK.

Microsoft CVP Customer Security and Trust, Tom Burt provided some additional details on this campaign in his recent On The Issues blog post. The purpose of this post is to provide defenders in any organization, but especially those directly or indirectly affiliated with electoral systems, insight into the technical nature of this activity. By providing these details, we hope to enable better defense against future attacks and share best practices for securing cloud environments against this type of activity.

Tactical Details

STRONTIUM relied heavily upon spear phishing in its credential harvesting efforts leading up to the 2016 US presidential election. In 2016, spear-phishing was the most common tactic for stealing credentials from targeted accounts. This time around, STRONTIUM appears to be taking a different approach, namely, brute-force/password-spray tooling. This shift in tactics, also made by several other nation-state actors, allows them to execute large-scale credential harvesting operations in a more anonymized manner. The tooling STRONTIUM is using routes its authentication attempts through a pool of approximately 1,100 IPs, the majority associated with the Tor anonymizing service. This pool of infrastructure has evolved over time, with an average of approximately 20 IPs added and removed from it per day. STRONTIUM’s tooling alternates its authentication attempts amongst this pool of IPs approximately once per second. Considering the breadth and speed of this technique, it seems likely that STRONTIUM has adapted its tooling to use an anonymizer service to obfuscate its activity, evade tracking, and avoid attribution.

During the two-week period, August 19 – September 3, STRONTIUM’s credential harvesting tooling utilized a daily average of 1,294 IPs associated with 536 netblocks and 273 ASNs. Of these netblocks, some were much more heavily utilized by the tooling than others, both in terms of the total number of authentications attempted from them and the total number of IPs utilized within them. Figure 1 below represents the 5 netblocks from which the highest number of total auth attempts were observed. As highlighted in the table, several of these netblocks had much higher IP utilization rates than the rest. This observed behavior indicates that the underlying anonymization services providing the infrastructure backbone for STRONTIUM auth attempts are, in a sense, over-serving IPs in these specific netblocks.

Figure 1: Highest volume netblocks used in STRONTIUM auth attempts.


The fact that the anonymization service is over-serving specific netblocks gives defenders an opportunity to hunt for activity associated both with this STRONTIUM activity or other malicious tooling that is utilizing the same anonymization service. The following Azure Sentinel query (GitHub link) is designed to identify failed authentication attempts from the three highest-signal, highest-utilization netblocks highlighted above, and group the results by UserAgent.

An image of code.

Microsoft Threat Protection (MTP) also provides a platform for users to identify failed authentication attempts. The following query will give MTP users the ability to hunt and address these threats as well:

An image of code.

MSTIC has observed that the STRONTIUM tooling operates in two modes when targeting accounts: brute-force and password-spray.

In password-spray mode, the tooling attempts username:password combinations in a ‘low-and-slow’ manner. Organizations targeted by the tooling running in this mode typically see approximately four authentication attempts per hour per targeted account over the course of several days or weeks, with nearly every attempt originating from a different IP address.

In brute-force mode, the tooling attempts many username:password combinations very rapidly over a much shorter period. Organizations targeted by the tooling running in this mode typically see over 300 authentication attempts per hour per targeted account over the course of several hours or days.

Tooling Operating Mode | Avg # of Attempts Per Account Per Hour | Avg # of IPs Utilized for Auth Attempts Per Account Per Hour | Avg Length of Attack
Password-Spray         | 4                                      | 4                                                            | Days-Weeks
Brute-Force            | 335                                    | 200                                                          | Hours-Days

Organizations targeted by STRONTIUM using this tooling saw auth attempts against an average of 20% of their total accounts. In some instances, MSTIC assesses the tooling may have discovered these accounts simply by attempting authentications against a large number of possible account names until it found ones that were valid.
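As an added example (not code from the post or from Microsoft), the distinction the table above draws, applied to constructed failed sign-in records: per-account attempt rate and source-IP diversity separate a low-and-slow spray from a brute-force burst. The account names, IP addresses, timestamps and thresholds are all assumptions, labelled in the code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One failed sign-in: targeted account, time (Unix seconds), source IP. A real
 * feed would be the sign-in logs the Sentinel and MTP queries above read. */
typedef struct {
    const char *account;
    long ts;
    const char *ip;
} auth_fail_t;

typedef enum { MODE_NONE, MODE_PASSWORD_SPRAY, MODE_BRUTE_FORCE } tooling_mode_t;

typedef struct {
    int attempts;       /* failed sign-ins seen for the account */
    int distinct_ips;   /* different source IPs among those attempts */
    double hours;       /* span of the activity, floored at one hour */
} account_stats_t;

/* Tally attempts, distinct source IPs and time span for one account. Distinct
 * IPs are counted with an O(n^2) scan so no extra storage is needed. */
account_stats_t summarise_account(const auth_fail_t *ev, size_t n, const char *account)
{
    account_stats_t s = {0, 0, 1.0};
    long first = 0, last = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(ev[i].account, account) != 0)
            continue;
        if (s.attempts == 0) first = last = ev[i].ts;
        if (ev[i].ts < first) first = ev[i].ts;
        if (ev[i].ts > last)  last = ev[i].ts;
        s.attempts++;
        int seen = 0;
        for (size_t j = 0; j < i && !seen; j++)
            seen = strcmp(ev[j].account, account) == 0 && strcmp(ev[j].ip, ev[i].ip) == 0;
        if (!seen) s.distinct_ips++;
    }
    double span = (double)(last - first) / 3600.0;
    if (span > s.hours) s.hours = span;
    return s;
}

/* Thresholds are assumptions taken from the post's table: spray runs at about
 * 4 attempts/hour with nearly every attempt from a new IP; brute force exceeds
 * 300 attempts/hour. Fewer than 8 attempts is treated as ordinary user error. */
tooling_mode_t classify(account_stats_t s)
{
    if (s.attempts < 8) return MODE_NONE;
    double per_hour = s.attempts / s.hours;
    double ip_ratio = (double)s.distinct_ips / s.attempts;
    if (per_hour >= 300.0) return MODE_BRUTE_FORCE;
    if (per_hour >= 1.0 && per_hour < 50.0 && ip_ratio >= 0.8) return MODE_PASSWORD_SPRAY;
    return MODE_NONE;
}

/* Constructed sample telemetry (not real data); source IPs are drawn from the
 * 203.0.113.0/24 documentation range. */
#define MAX_EVENTS 1024
static auth_fail_t g_events[MAX_EVENTS];
static char g_ips[MAX_EVENTS][16];
static size_t g_count;

static void add_fail(const char *account, long ts, int ip_index)
{
    if (g_count >= MAX_EVENTS) return;
    snprintf(g_ips[g_count], sizeof g_ips[g_count], "203.0.113.%d", ip_index % 254 + 1);
    g_events[g_count].account = account;
    g_events[g_count].ts = ts;
    g_events[g_count].ip = g_ips[g_count];
    g_count++;
}

/* alice: 4 attempts/hour for 24 hours, each from a different IP (spray).
 * bob: 700 attempts inside one hour rotating through 200 IPs (brute force).
 * carol: two failures from one IP, the shape of a mistyped password. */
size_t build_sample(void)
{
    g_count = 0;
    long t0 = 1598832000L;   /* 2020-08-31 00:00:00 UTC, an arbitrary anchor */
    for (int i = 0; i < 96; i++)
        add_fail("alice", t0 + i * 900L, i);
    for (int i = 0; i < 700; i++)
        add_fail("bob", t0 + i * 5L, i % 200);
    add_fail("carol", t0 + 60L, 7);
    add_fail("carol", t0 + 120L, 7);
    return g_count;
}

/* Stand-alone run: prints the mode detected for each sample account. */
int main(void)
{
    const char *accounts[] = {"alice", "bob", "carol"};
    build_sample();
    for (int i = 0; i < 3; i++)
        printf("%s: mode %d\n", accounts[i], classify(summarise_account(g_events, g_count, accounts[i])));
    return 0;
}
```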

Guidance: Proactive defense 

There are some very simple steps businesses and targeted individuals can take to significantly improve the security of their accounts and make these types of attacks much more difficult.

1. Enable multi-factor authentication

We have seen clear proof that enabling multi-factor authentication (MFA) across both business and personal email accounts successfully thwarts the majority of credential harvesting attacks. Our colleagues in Azure Active Directory put it more precisely—

“… doing any form of MFA takes you out of reach of most attacks. MFA (using any mechanism) is just too costly to break – unless a highly motivated attacker is after that high-value account or asset.”

However, most enterprise accounts have not implemented this simple protection:

“When we evaluate all the tokens issued with MFA claims, we see that less than 10% of users use MFA per month in our enterprise accounts (and that includes on-premises and third-party MFA). Until MFA is more broadly adopted, there is little reason for attackers to evolve.”

2. Actively monitor failed authentications

When monitoring login activity in your accounts, look for any type of discernible pattern in these failed authentications and track them over time. Password spray is an increasingly common tactic of nation-state actors.

You can also maintain broader visibility into behavioral anomalies like failed login attempts by running detections and monitoring using Microsoft Cloud App Security (MCAS) which monitors user sessions for third-party cloud apps, including G-Suite, AWS, and Salesforce. The MCAS detection engine looks for anomalous user activity for indicators of compromise. One indicator, “multiple failed login attempts,” can be used to create a dynamic baseline per user, across the tenant, and alert on anomalous login behavior that may represent an active brute force or password spray attack.

Microsoft Threat Protection (MTP) can automatically track and build an Incident view of all the identities compromised through password spray and later leveraged by the attacker to expand the breach to endpoint or cloud assets.

3. Test your organization’s resilience

Attack Simulator in Office 365 ATP lets you run realistic, but simulated phishing and password attack campaigns in your organization. Pick a password and then run the campaign against as many users as you want. The results will let you know how many people are using that password. Use the data to train users and build your custom list of banned passwords.


Accelerate your adoption of SIEM using Azure Sentinel and a new offer from Microsoft

September 8th, 2020

Take advantage of the efficiency benefits of Cloud-native SIEM using Azure Sentinel

Today, security needs are evolving faster than ever—and the importance of being agile and cost-effective has never been clearer. Security teams need to get more done, faster, with less budget. On-premises security information and event management (SIEM) solutions can’t keep up with these demands and are expensive to maintain. By embracing a cloud-native SIEM like Azure Sentinel, you can save money and enable your security operations team to be more effective.

According to an IDG survey of IT leaders, cloud-based SIEM solutions cost 11 percent less to support than on-premises solutions, since they drastically reduce infrastructure, licensing, and labor costs. Plus, that same survey found that cloud-based SIEM users missed fewer threats—only 43 percent of cloud SIEM users reported concerns about missed threats, compared to 66 percent of traditional SIEM users. This is likely because cloud adopters were twice as likely to utilize automation.

We know that right now, security operations teams need these cost savings and efficiency benefits more than ever. To help accelerate your move to the cloud, we’re pleased to announce an Azure Credit offer from Microsoft. For a limited time, get $25,000 of Azure credits when you ingest an average of 50GB/day into Azure Sentinel for three consecutive months.

This offer allows you to experience the benefits of the cloud firsthand by scaling up your Azure Sentinel deployment or accelerating your migration from an on-premises SIEM. With Azure Sentinel, you can get enterprise-wide intelligent security analytics, eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs – all while reducing IT costs.

Details of the $25,000 Azure Credit Offer

This offer is available for qualified customers starting September 1, for a limited time.

Customers must fulfill all the requirements below to be eligible for inclusion into the program:

  • Must have a Microsoft Enterprise Agreement
  • Must be a new Azure Sentinel customer or an existing customer ingesting less than an average of 5 GB of data per day over the last 6 months
  • Must have access to a minimum of 10 E5 security suite licenses or component licenses. Qualifying products include:
    • Microsoft 365 E5
    • Microsoft 365 E5 security
    • Standalone products including Microsoft Defender Advanced Threat Protection, Office Advanced Threat Protection, Azure Advanced Threat Protection, Microsoft Cloud App Security (MCAS), Azure Active Directory P2, Advanced Threat Protection Plan 1, Advanced Threat Protection Plan 2
    • Other suites that include some of the standalone components above, such as Office 365 E5, Windows E5, Enterprise Mobility and Security E5

In order to qualify for the $25,000 Azure Credit Offer, customers must ingest an average of 50GB per day or more into Azure Sentinel for three consecutive full months (measured out of the previous four months to accommodate billing cycle alignment) following their inclusion into the program. This consumption excludes data consumption from other free offers, such as trials, Azure Pass, Azure Access Sponsorship, or ACO, as well as the free data sources offered in Sentinel.

Once a customer’s eligibility to receive the offer has been verified, the customer will receive the Azure credits within two billing cycles. The Azure credits will be available until either the next enrollment anniversary or the end of the customer’s EA term – whichever comes first.

Get started today

Contact your Microsoft representative to learn more about the qualification criteria and how to take advantage of this offer. Or, if you don’t have a Microsoft representative, reach out to sales to learn more about Azure Sentinel.



New & Updated Security Tools

September 3rd, 2020

It took us a little longer than we wanted, but we are finally ready to announce new versions of LGPO and Policy Analyzer as well as two new tools, GPO2PolicyRules and SetObjectSecurity. These new and updated tools are now available on the Microsoft Download Center.

The goal is to keep this post as short as possible so let’s just jump into the details.

LGPO v3.0

Two new options were added in LGPO.exe. The first, /ef, enables Group Policy extensions referenced in the backup.xml. The second, /p, allows importing settings directly from a .PolicyRules file, which negates the need to have the actual GPOs on hand. Additionally, LGPO.exe /b and /g now capture locally-configured client-side extensions (CSEs), which we had an issue with previously. Lastly, /b also correctly captures all user rights assignments, overcoming a bug in the underlying “secedit.exe /export” that fails to capture user rights assignments that are granted to no one.

Policy Analyzer v4.0

The “Compare to Effective State” button has replaced the “Compare local registry” and “Local Policy” checkboxes that used to be in the Policy Analyzer main window.  Press it to compare the selected baseline(s) to the current system state. If the selected baseline(s) contain any user configuration settings, they are compared against the current user’s settings. “Compare to Effective State” requires administrative rights if the selected baseline(s) include any security template settings or Advanced Auditing settings. The effective state corresponding to the selected baseline(s) settings are saved to a new policy rule set.

Policy Analyzer now captures information about Group Policy Client-Side Extensions (CSEs) when you import GPO backups. From a Policy Viewer window, choose View \ Client Side Extensions (CSEs) to view the Machine and User CSEs for each baseline in the Viewer. (Note that LGPO.exe’s improved support for CSEs includes the ability to apply CSE configurations from Policy Analyzer’s .PolicyRules files.)

Policy Analyzer now maps settings and sub-settings to display names more completely and more accurately, including mapping the GUIDs for Attack Surface Reduction (ASR) rules to their display names, and improved localization.

GPO2PolicyRules

You can now automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a new command-line tool that is included with the Policy Analyzer download. It takes two command-line parameters: the root directory of the GPO backup that you want to create a .PolicyRules file from, and the path to the new .PolicyRules file that you want to create. For example:

GPO2PolicyRules.exe C:\BaselinePkg\GPOs C:\Users\Analyst\Documents\PolicyAnalyzer\baseline.PolicyRules

SetObjectSecurity v3.0

SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc.). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value.

Use cases include:

  • Restoring the default security descriptor on the file system root directory (which sometimes gets misconfigured by some system setup tools)
  • Restricting access to sensitive event logs that grant access too broadly (examples include AppLocker and PowerShell script block logs that grant read or read-write to NT AUTHORITY\INTERACTIVE)
  • Locking down (or opening access to) file shares, directories, and registry keys

SetObjectSecurity.exe is a 32-bit standalone executable that needs no installer, has no dependencies on redistributable DLLs, and works on all supported x86 and x64 versions of Windows (x64 systems must support WOW64).

Terms of Use

We have now included standard use terms for the tooling that is delivered as part of the Security Compliance Toolkit.

We continually try to process all your feedback and make improvements along the way, so please give the new and updated tooling a try and, as always, let us know any feedback in the comments below.


3 ways Microsoft 365 can help you reduce helpdesk costs

September 3rd, 2020

With more people than ever working remotely, organizations must maximize employee productivity while protecting an ever-growing digital footprint. Many have stitched together specialized security solutions from different vendors to improve their cybersecurity posture, but this approach is expensive and can result in gaps in coverage and a fragmented user experience. With Microsoft’s integrated security solutions, you can enhance security and user productivity more cost-effectively.

Focusing a lens on the helpdesk illuminates how consolidating with Microsoft helps streamline and strengthen your security posture. Your helpdesk plays an important role in enabling employees to be more effective, but it can also reveal organization-wide productivity challenges. Productivity matters because if security controls are too cumbersome, employees will find workarounds. In this blog, I’ll highlight three examples of how Microsoft 365 can help you reduce costs while strengthening cybersecurity.

1. Reduce password reset calls by 75 percent

One of the most common reasons that employees call the helpdesk is to reset their password. These calls result in a loss of productivity for employees who are locked out of their accounts. They also require employees and helpdesk analysts to take time out of their busy days to work through steps to reset the password. With a high volume of calls, the costs add up.

The best way to reduce password reset calls is to eliminate passwords entirely. Microsoft has built support for passwordless authentication methods such as biometrics, FIDO2 security keys, and PINs into all our products and services. Because they are encrypted and stored locally on your users' devices, these methods are more secure than passwords and easier for employees—and they can reduce your costs. When Microsoft rolled out passwordless to our employees, the hard and soft costs of supporting passwords fell by 87 percent.

Deploying passwordless is a phased journey and not everyone is ready to start that process now, so it’s important to also improve productivity for password users. Azure Active Directory (Azure AD) is an identity and access management solution that allows users to sign in to all their on-premises and cloud apps with one set of credentials—whether they use passwords or passwordless methods. With single sign-on employees will have far fewer passwords to remember; however, sometimes they may still forget or Azure AD may force them to reset a password if an account appears compromised. In either case, Azure AD self-service password reset lets employees unblock their accounts, on their time, via an online portal.

According to a new study, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, Azure AD self-service password reset can reduce the number of password reset calls per month by 75 percent. In this commissioned study, Forrester Consulting developed a composite organization based on interviews with four customers in different industries who have used Azure AD for years. Deploying Azure AD self-service password reset resulted in a return on investment of USD 1.7 million over three years.


2. Streamline Windows 10 upgrade path

Twice a year Microsoft releases new features and security capabilities for Windows 10. Typically, users are able to download the new operating system and quickly get back to work—but if you use a non-Microsoft product for endpoint detection or antivirus, it can complicate the process.

When a non-Microsoft vendor’s security product is not compatible with a new version of Windows 10, it prevents users from upgrading. This can be confusing for employees, who call the helpdesk for assistance. In addition to facilitating these calls, your team must also run software compatibility testing once a new version of the security software is released. Meanwhile, your company can’t take advantage of the productivity and security features available in the latest version of Windows 10.

To reduce dependencies without compromising security, turn on Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Microsoft Defender ATP helps you protect, detect, and respond to advanced attacks against all your endpoints. Microsoft Defender Antivirus, a Microsoft Defender ATP capability, uses artificial intelligence and machine learning to find and block malware and other viruses. Both solutions are designed to work together and are integrated with Windows 10, which reduces the likelihood of helpdesk calls during the upgrade process.

An image of Microsoft Defender ATP.

3. Empower users to manage their devices

A third driver of helpdesk calls is device management. Any time an employee needs help with a device, such as when they start a new job or want to use a personal device to access email, a helpdesk analyst is often involved. The analyst sets up devices with the appropriate applications and permissions and troubleshoots challenges with access.

As the way we work has changed, people no longer access corporate resources solely from the office using company-provided devices. Reading emails from a coffee shop on a personal phone or reviewing presentations from a tablet makes working more convenient, but it can also introduce security challenges. Employees may not upgrade their devices or apply security patches in a timely manner. They sometimes, unknowingly, download apps with security flaws. Attackers leverage these vulnerabilities to gain access to sensitive company resources.

An image showing how attackers leverage vulnerabilities to gain access to sensitive company resources.

Microsoft Endpoint Manager makes it easier to provision, update, and manage personal and business laptops and mobile devices with support for Windows, macOS, iOS, and Android Enterprise. Integration with Azure AD enables employees to use the Microsoft Intune Portal to enroll both corporate-owned and personal devices without helpdesk intervention. Intune automatically installs appropriate apps, or you can allow employees to choose apps through the portal.

With Microsoft Endpoint Manager, you can also enforce security policies on all enrolled devices. For example, you can require that employees use the most current operating system to access corporate resources. You can define PIN requirements or install threat protection software. If users don’t want to enroll their device, mobile app management capabilities let you isolate organizational data from personal data. These policies are defined globally and automatically applied when users register devices, streamlining the process for everyone.

An image showing how Microsoft 365 security solutions work across identities, endpoints, emails, apps, data, clouds, networks, and IOT devices

Microsoft 365 security solutions work across identities, endpoints, emails, apps, data, clouds, networks, and IoT devices to detect, block, and elevate threats. Consolidate with Microsoft to strengthen security, simplify the user experience, and reduce helpdesk costs.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 3 ways Microsoft 365 can help you reduce helpdesk costs appeared first on Microsoft Security.

Force firmware code to be measured and attested by Secure Launch on Windows 10

September 1st, 2020 No comments

You cannot build something great on a weak foundation – and security is no exception.

Windows is filled with important security features like Hypervisor-protected code integrity (HVCI) and Windows Defender Credential Guard that protect users from advanced hardware and firmware attacks. For these features to properly do their jobs, the platform’s firmware and hardware must be trustworthy and healthy. Otherwise the chain of trust, which verifies the integrity of the system by validating that every component in the boot process is cryptographically signed by a trusted source, could be tampered with maliciously, compromising the security of operating system features that use the firmware and hardware as a fundamental building block.

Without these detection and prevention capabilities, the system won’t be able to detect and block malicious software that runs before the operating system has initialized, or during the boot process itself. The malicious software could then grant itself elevated privileges, expand its foothold, and persist on the system undetected. In the case of Secured-core PCs, Secure Launch, which leverages the principle of Dynamic Root of Trust for Measurement (DRTM), is a technology that is built in and enabled by default to greatly increase protection from these sophisticated boot attacks. By leveraging built-in silicon instructions or firmware enclaves, Secure Launch allows a system to freely boot untrusted code initially, but shortly afterwards launches the system into a trusted state by taking control of the CPUs and forcing any untrusted code down a well-known and measured code path to verify it isn’t malicious. This removes early Unified Extensible Firmware Interface (UEFI) code from the trust boundary, meaning systems are better protected against bugs or exploits in UEFI after the Secure Launch, combating an entire class of threat.

For some time, Windows devices have been able to leverage a hardware-based root of trust to help ensure unauthorized firmware or software does not take root before the Windows bootloader launches. This root of trust comes from a UEFI feature called Secure Boot. Secure Boot leverages a Trusted Platform Module (TPM) to take cryptographic measurements of each piece of firmware or software during the early boot process. This technique of measuring these static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).

As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there is an incredibly large number of possible SRTM measurements at startup. There are two techniques that can be used to establish trust here: either maintain a list of known ‘bad’ SRTM measurements (a block list), or a list of known ‘good’ SRTM measurements (an allow list). Each option has a drawback:

  1. A list of known ‘bad’ SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle – a minor change can invalidate the chain of trust.
  2. A list of known ‘good’ SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which can be slow. In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy.

As Windows relies on the Hypervisor being secure, trusted, and unmodified to implement numerous security technologies, it is important to protect it from any potential threats that can arise from these issues. System Guard Secure Launch was designed and introduced in Windows 10 version 1809 to address these drawbacks.
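To make the two drawbacks concrete, here is an added Python model of the TPM PCR extend chain that measured boot relies on. It is not Microsoft's code: the firmware component blobs, the names and the allow/block lists are constructed, and the TPM behaviour modelled is only the PCR extend rule (PCR_new = SHA-256(PCR_old || digest)). It also goes one step beyond the SRTM discussion by modelling the DRTM register as "reset at the launch event, then extended only with the TCB Launch binary", which is the property the next section describes; the exact reset semantics of SKINIT or TXT are simplified here.

```python
"""Simulated TPM PCR measurement chains: static (SRTM) versus dynamic (DRTM).

Added example, not Microsoft's code. Component blobs and lists are constructed;
the DRTM reset behaviour is a simplified model of the launch event.
"""
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend: a register can only be folded forward, never set directly."""
    return digest(pcr + measurement)


def srtm_chain(components):
    """Static root of trust: every early-boot component is extended in order,
    so the final value depends on every byte of every component."""
    pcr = bytes(PCR_SIZE)  # PCRs start at zero at power-on
    for blob in components:
        pcr = extend_pcr(pcr, digest(blob))
    return pcr


def measured_boot(uefi_components, tcb_launch_blob):
    """Return (SRTM PCR, DRTM PCR) for one boot.

    The SRTM bank folds in every UEFI component. The DRTM bank is reset by the
    launch event (simplified here to all zeros) and extended only with TCB
    Launch, so the early UEFI code drops out of its trust boundary."""
    srtm = srtm_chain(uefi_components)
    drtm = extend_pcr(bytes(PCR_SIZE), digest(tcb_launch_blob))
    return srtm, drtm


def flip_bit(blob: bytes, bit_index: int) -> bytes:
    """Copy of blob with one bit inverted: the smallest possible tamper."""
    out = bytearray(blob)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def replace_component(components, index, blob):
    out = list(components)
    out[index] = blob
    return out


def differing_bits(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Constructed stand-ins for early-boot UEFI components and for TCB Launch.
UEFI_COMPONENTS = [
    b"constructed PEI core image",
    b"constructed DXE core image",
    b"constructed UEFI boot manager image",
]
TCB_LAUNCH = b"constructed TCB Launch binary"


def compare_roots_of_trust():
    """Show both list-based drawbacks for SRTM and how DRTM sidesteps them."""
    good_srtm, good_drtm = measured_boot(UEFI_COMPONENTS, TCB_LAUNCH)
    allow_list = {good_srtm}

    # Drawback 1: one flipped bit in the DXE core yields an unrelated SRTM
    # value, so a block list built from it misses the next one-bit variant.
    tampered = replace_component(UEFI_COMPONENTS, 1, flip_bit(UEFI_COMPONENTS[1], 3))
    tampered_srtm, tampered_drtm = measured_boot(tampered, TCB_LAUNCH)
    block_list = {tampered_srtm}
    variant = replace_component(UEFI_COMPONENTS, 1, flip_bit(UEFI_COMPONENTS[1], 9))
    variant_srtm, _ = measured_boot(variant, TCB_LAUNCH)

    # Drawback 2: a legitimate BIOS update also moves the SRTM value, so the
    # allow list rejects it until the new measurement has been added.
    updated = replace_component(UEFI_COMPONENTS, 1, b"constructed DXE core image v2")
    updated_srtm, _ = measured_boot(updated, TCB_LAUNCH)

    # DRTM: the UEFI tamper leaves the DRTM PCR untouched; only a tampered
    # TCB Launch binary changes it.
    _, tcb_tampered_drtm = measured_boot(UEFI_COMPONENTS, flip_bit(TCB_LAUNCH, 0))

    return {
        "srtm_bits_changed_by_one_bit_flip": differing_bits(good_srtm, tampered_srtm),
        "allow_list_rejects_tamper": tampered_srtm not in allow_list,
        "allow_list_rejects_legit_update": updated_srtm not in allow_list,
        "block_list_catches_variant": variant_srtm in block_list,
        "drtm_unchanged_by_uefi_tamper": tampered_drtm == good_drtm,
        "drtm_detects_tcb_tamper": tcb_tampered_drtm != good_drtm,
    }


if __name__ == "__main__":
    for key, value in compare_roots_of_trust().items():
        print(f"{key}: {value}")
```

Running the script prints roughly half of the 256 PCR bits changing from a single flipped bit (the avalanche effect behind the "inherently brittle" remark), the allow list rejecting both the tamper and the legitimate update, the block list missing the variant, and the DRTM register agreeing across the UEFI tamper while still catching a modified TCB Launch.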

Leveraging a Dynamic Root of Trust to measure code integrity

Secure Launch is the first line of defense against exploits and vulnerabilities that try to take advantage of early-boot flaws or bugs. Firmware enclaves and built-in silicon instructions allow systems to boot into a trusted state by forcing untrusted, exploitable code down a specific and measured path before launching into a trusted state.

To achieve a security boundary between the UEFI/firmware and later OS code, the Windows boot environment is divided into two phases. The first phase runs with UEFI and leverages boot services that are considered untrusted for Secure Launch, and the second phase is the trusted portion that runs without firmware services after the DRTM event. This trusted phase is referred to as the Trusted Computing Base (TCB) launch phase. The Trusted Computing Base includes the minimally scoped firmware enclave and hardware necessary to perform a DRTM event.

The phase with firmware support utilizes the traditional boot binaries Boot Manager and Winload. In this model, Winload no longer prepares the OS and its data structures but acts to prepare enough data in memory for the TCB phase of the boot environment to be able to operate without firmware. This includes loading all unexpanded binaries needed for the OS in memory, as well as staging other firmware or disk sourced information. All data, binaries, and associated storage structures are validated by the TCB before use.

The TCB phase of the boot environment is started by the new TCB Launch application. This binary is measured into the DRTM TPM registers and starts the chain of trust for the launched OS. TCB Launch ensures the security of the system, and then prepares the OS for execution by loading and validating all binaries as well as building data structures for OS launch.

Although all OS data is sourced from disk by Winload and firmware, the TCB phase validates all signatures and code integrity before use. TCB Launch itself is not directly code integrity checked by this phase, but the root of trust measurement provided by the DRTM event is used to attest the authenticity of the binary. For the TCB phase of boot to continue to be secure, the following state must be verified by the DRTM event and TCB Launch:

  1. Continuous protection against Direct Memory Access (DMA) of TCB Launch and OS memory
  2. Hardware description of RAM is accurate
  3. Security critical hardware description must be validated, such as IOMMU structures
  4. Memory will be cleared upon an unexpected reset from the TCB

After TCB Launch, control of the DRTM environment and associated controls is transferred to the Hypervisor. The Hypervisor is then responsible for managing DMA protections, memory clearing protections, and other DRTM-related state control.

DRTM allows the platform to mitigate real-world attacks that attempt to modify the hypervisor or perform other malicious actions during early boot/hibernate. For example, an S3 boot script exploit that attempts to tamper the hypervisor across suspend/resume would be mitigated by DRTM.

Another common tool used to perform DMA-style reads and writes over PCIe, frequently leveraged by attackers, is PCILeech. Kernel DMA Protection helps ensure that malicious, unauthorised peripherals cannot access memory, and even if an attacker does gain a foothold in early-boot, pre-DRTM firmware, the DRTM event insulates the Windows environment from these exploits.

System Management Mode isolation protections can help enforce conditional access

Another dimension of protection that comes with Secured-core PCs is System Management Mode (SMM) protection. System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. If an attacker can exploit SMM, they could attempt to bypass some of the checks in Secure Launch or exploit the runtime operating system. By leveraging new hardware-based supervision and attestation, Secured-core PCs can measure and detect when SMM is trying to access a platform resource (like memory, IO, or certain CPU registers) which violates our policy. This adds an additional layer of hardening to the Secure Launch event and an additional layer of hardening to Secured-core PCs.

SMM execution takes place in the form of System Management Interrupt (SMI) handlers. During the DRTM event, SMIs will be suspended to allow the DRTM event and beginning of the TCB to execute without SMM interference. A system’s SMM isolation is based on an access policy provided by the platform firmware stating what SMM does or does not require access to. This policy will then be enforced on SMM by the silicon vendor specific mechanism, and a copy of this policy will be provided to the boot loader for evaluation. TCB Launch will check that the provided isolation policy being enforced on the system meets the minimum Windows requirements. If the policy is not compliant, say for being able to access OS memory, then TCB Launch may destroy DRTM state and clear OS secrets. TCB Launch will resume SMIs after it has completed its evaluation and has taken any necessary precautions.

Exploits that previously looked to leverage SMM vulnerabilities to read/write these sensitive resources like memory, IO, or certain CPU registers to access secrets, or potentially modify the Hypervisor, are no longer permitted access as part of the policy evaluation. A detected violation upon boot will destroy the DRTM state and prevent access from previously sealed OS secrets and keys. Microsoft has worked with silicon partners and OEMs to ensure that capable Secured-core devices have SMM authored in such a way that meets the SMM policy described, hardening them against this class of attacks. The strength of the ecosystem partnership between Microsoft, silicon vendors and OEMs helps take the security burden of protecting SMM off of security operations teams and recent attacks leveraging SMI handler vulnerabilities are examples of the types of scenarios mitigated by the described SMM protections. When the exploit attempts to leverage a bug in the system management interrupt handler to gain code execution privileges in SMM and modify OS memory, the attempted OS memory access would fall outside our policy boundary and be flagged in the attestation report. The state of DRTM and the SMM protections can be used to help strengthen conditional access strategies in organizations by gating access to sensitive resources based on the health of these hardware and firmware security features.
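The policy evaluation TCB Launch performs can be pictured with a toy evaluator. This is an added example, not Microsoft's code and not the real policy format: the Grant structure, the SMRAM window, the port and MSR numbers and the "minimum requirements" are all hypothetical stand-ins. What it keeps from the description above is the decision logic: a policy that lets SMM reach OS memory or a forbidden resource is non-compliant, DRTM state is destroyed so sealed secrets stay sealed, and the violations are carried into the attestation report that a conditional access policy can consume.

```python
"""Toy evaluator for an SMM isolation policy, modelled on the TCB Launch check.

Added example, not Microsoft's code or policy format. SMRAM window, port and
MSR numbers and the minimum requirements are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Grant:
    """One entry of the firmware-provided policy: SMM may access this range."""
    kind: str   # "mem" (physical address), "io" (port), or "msr" (register)
    start: int
    end: int    # inclusive

    def overlaps(self, other: "Grant") -> bool:
        return (self.kind == other.kind
                and self.start <= other.end and other.start <= self.end)

    def within(self, other: "Grant") -> bool:
        return (self.kind == other.kind
                and other.start <= self.start and self.end <= other.end)


# Constructed SMRAM (TSEG) window: the only memory SMM legitimately owns.
SMRAM = Grant("mem", 0x7F00_0000, 0x7FFF_FFFF)

# Hypothetical minimum requirements: resources SMM must never be granted.
# The real Windows requirements are not on the page; these are placeholders.
FORBIDDEN = [
    Grant("io", 0x1000, 0x10FF),    # constructed: ports the OS relies on
    Grant("msr", 0x1234, 0x1234),   # constructed: a register the hypervisor relies on
]


def evaluate_policy(policy: List[Grant]) -> List[str]:
    """Return the list of violations; an empty list means the policy is compliant.

    Two rules stand in for the minimum Windows requirements:
      1. every memory grant must lie inside SMRAM (no access to OS/hypervisor RAM);
      2. no grant may overlap a forbidden IO port or MSR range.
    """
    violations = []
    for grant in policy:
        if grant.kind == "mem" and not grant.within(SMRAM):
            violations.append(
                f"mem {grant.start:#x}-{grant.end:#x} reaches outside SMRAM")
        for forbidden in FORBIDDEN:
            if grant.overlaps(forbidden):
                violations.append(
                    f"{grant.kind} {grant.start:#x}-{grant.end:#x} overlaps a forbidden range")
    return violations


def tcb_launch_decision(policy: List[Grant]) -> Dict[str, object]:
    """Model TCB Launch's reaction to the policy it is handed.

    A non-compliant policy destroys DRTM state, so previously sealed OS secrets
    are not unsealed, and the violations are surfaced for the attestation
    report that conditional access can gate on."""
    violations = evaluate_policy(policy)
    compliant = not violations
    return {
        "smm_policy_compliant": compliant,
        "drtm_state": "intact" if compliant else "destroyed",
        "secrets_unsealed": compliant,
        "attestation_violations": violations,
    }


# Constructed sample policies as firmware might hand them to the boot loader.
COMPLIANT_POLICY = [
    SMRAM,
    Grant("io", 0x0200, 0x020F),   # constructed: thermal controller ports
    Grant("msr", 0x0010, 0x0010),  # constructed: a power-management register
]
NON_COMPLIANT_POLICY = [
    SMRAM,
    Grant("mem", 0x0000_0000, 0x1_FFFF_FFFF),  # all of system RAM: OS memory exposed
    Grant("io", 0x1000, 0x10FF),               # the forbidden port range
]

if __name__ == "__main__":
    for name, policy in (("compliant", COMPLIANT_POLICY),
                         ("non-compliant", NON_COMPLIANT_POLICY)):
        print(name, tcb_launch_decision(policy))
```

The second policy trips both rules (a memory grant covering OS RAM and an overlap with a forbidden port range), so the decision comes back with DRTM state destroyed and secrets left sealed; the first passes cleanly. A real implementation would evaluate the silicon vendor's policy encoding rather than this three-kind range list, but the shape of the check, and the consequence of failing it, is the same as the post describes.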

AMD’s SMM protection component also leverages an SMM supervisor running at a higher processor privilege level (CPL0) to execute SMI handler logic at a lower processor privilege level (CPL3), isolating and protecting resources from SMI handler access and protecting the supervisor itself from tampering. Fault handlers are used to protect IO ports and MSRs, and CR3 lockdown is enforced to protect memory and MMIO components. The SMM Supervisor is cryptographically signed and authenticated, and is measured into PCR[17] during SKINIT launch. OEMs include support for SKINIT and AMD’s SMM protections by including the necessary packages in the OS images that are applied to Secured-core PCs.

Getting started with Secure Launch and SMM Protections

Enabling System Guard Secure Launch on a platform may be achieved when the following support is present:

  • Intel, AMD, or ARM virtualization extensions
  • Trusted Platform Module (TPM) 2.0
  • On Intel: TXT support in the BIOS
  • On AMD: SKINIT package must be integrated in the Windows system image
  • On Qualcomm: a DRTM TrustZone application is implemented and SMC memory protections are supported
  • Kernel DMA Protection

Further configuration information and requirements can be found here. On secured-core PCs, virtualization-based security is supported and hardware-backed security features like System Guard Secure Launch with SMM Protections are enabled by default. Learn more about the line of secured-core PCs available today.


Nazmus Sakib

Enterprise and OS Security

The post Force firmware code to be measured and attested by Secure Launch on Windows 10 appeared first on Microsoft Security.