Loading...

Follow Cybersecurity – Microsoft Secure Blog on Feedspot

Continue with Google
Continue with Facebook
or

Valid

Cybersecurity is the central challenge of our digital age. Without it, everything from our personal email accounts and privacy to the way we do business, and all types of critical infrastructure, are under threat. As attackers evolve, staying ahead of these threats is getting harder.

Microsoft can help. We focus on three areas: running security operations that work for you, building enterprise-class technology, and driving partnerships for a heterogeneous world. We can tip the scales in favor of the good guys and make the world a safer place.

Security operations that work for you

Every day, we practice security operations at a global scale to protect our customers, in the process analyzing more than 6.5 trillion signals. This is the most recent chapter in a journey down the experience curve that we have been on for more than a decade. Beginning with securing the operating system platform, our Microsoft Threat Intelligence Center (MSTIC) learned to build multi-dimensional telemetry to support security use cases, and to spot that rogue exploit in a distant crash dump bucket. Today, more than 3,500 full-time security professionals work to secure datacenters, run our Cyber Defense Operations Center, hack our own defenses, and hunt down attackers. We block more than 5 billion distinct malware threats per month. Just one recent example shows the power of the cloud. Microsofts cloud-based machine learning models detected a stealthy and highly targeted attack on small businesses across the U.S. with only 200 discrete targets called Ursnif and neutralized the threat. We surface this operational experience and the insights we derived in the security technology we build.

Building enterprise-class technology

It is the cloud that enables us to take all this signal, intelligence, and operational experience and use it to help our customers be more secure, with enterprise-class security technology. For example, we use the insights from processing hundreds of billions of authentications to cloud services a month to deliver risk-based conditional access for customers in Azure Active Directory (AD).

The end of the password era

We are not only protecting the Microsoft platform though. Our security helps protect hundreds of thousands of line-of-business and SaaS apps as they connect to Azure AD. We are delivering new support for password-less sign-in to Azure AD-connected apps via Microsoft Authenticator. The Authenticator app replaces your password with a more secure multi-factor sign-in that combines your phone and your fingerprint, face, or PIN. Using a multi-factor sign-in method, you can reduce compromise by 99.9 percent, and you can make the user experience simpler by eliminating passwords. No company lets enterprises eliminate more passwords than Microsoft. Today, we are declaring an end to the era of passwords.

Improving your security posture with a report card

Microsoft Secure Score is the only enterprise-class dynamic report card for cybersecurity. By using it, organizations get assessments and recommendations that typically reduce their chance of a breach by 30-fold. It guides you to take steps like securing admin accounts with Multi-Factor Authentication (MFA), securing user accounts with MFA, and turning off client-side email forwarding rules. Starting today, were expanding Secure Score to cover all of Microsoft 365. We are also introducing Secure Score for your hybrid cloud workloads in the Azure Security Center, so you have full visibility across your estate.

Putting cloud intelligence in your hands with Microsoft Threat Protection

By connecting our cloud intelligence to our threat protection solutions, we can stem a mass outbreak or find a needle in a haystack. A recent highly localized malware campaign, for example, targeted just under 200 home users and small businesses in a few U.S. cities. It was designed to fly under the radar, but Windows Defenders cloud-based machine learning models detected the malicious behavior and stopped it cold.

To help security operations professionals benefit from our experience, we created a community where our researchers and others from the industry can share advanced queries to hunt attackers and new threats, giving us all more insight and better protection.

Today, were announcing Microsoft Threat Protection, an integrated experience for detection, investigation, and remediation across endpoints, email, documents, identity, and infrastructure in the Microsoft 365 admin console. This will let analysts save thousands of hours as they automate the more mundane security tasks.

Protecting data wherever it goes

Cloud workloads are often targeted by cybercriminals because they operate on some of the most sensitive data an organization has. We made Azure the first cloud platform to offer confidentiality and integrity of data while in useadding to the protections already in place to encrypt data in transit and at rest. Azure confidential computing benefits will be available soon on a new DC series of virtual machines in Azure, enabling trusted execution environments using Intel SGX chipsets to protect data while it is computed on.

Sensitive data isnt only in databases and cloud workloads. A huge amount of the information we share in email and documents is private or sensitive too. To effectively protect your most important data, you need intelligent solutions that enable you to automatically discover, classify, label, protect, and monitor itno matter where it lives or travels. The Microsoft Information Protection solutions we announced last year help to do just that. Today, we are rolling out a unified labeling experience in the Security & Compliance center, which gives you a single, integrated approach to creating data sensitivity and data retention labels. We are also previewing labeling capabilities that are built right into Office apps across all major platforms, and extending labeling and protection capabilities to include PDF documents. The Microsoft Information Protection SDK, now generally available, enables other software creators to enhance and build their own applications that understand, apply, and act on Microsofts sensitivity labels.

Driving partnerships for a heterogenous world

To address a challenge as big as cybersecurity, we do more than only drive technological innovation. We invest in a broad set of technology and policy partnership initiatives.

We work across the industry to advance the state of the art and to lead on standards through organizations like the FIDO alliance, and to tackle emerging new ecosystem challenges like security for MCU-powered devices with innovations such as Azure Sphere, now available for preview.

We also work with our fellow security vendors to integrate the variety of security tools that our mutual customers use through our Microsoft Intelligent Security Association. Specifically, the Microsoft Graph Security API, generally available starting today, helps our partners work with us and each other to give you better threat detection and faster incident response. It connects a broad heterogeneous ecosystem of security solutions via a standard interface to help integrate security alerts, unlock contextual information, and simplify security automation.

Microsoft is working with tech companies, policymakers, and institutionscritical to the democratic processon strategies to protect our midterm elections. The Defending Democracy program is working to protect political campaigns from hacking, increase security of the electoral process, defend against disinformation, and bring greater transparency to political advertising online. Part of this program is the AccountGuard initiative that provides state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state, and local level, as well as think tanks and political organizations. Weve had strong interest in AccountGuard and in the first month onboarded more than 30 organizations. Weve focused on onboarding large national party operations first and have successfully done so for committees representing both major U.S. parties as well as high profile campaigns and think tanks, and we are working to onboard additional groups each week. Microsoft is developing plans to extend our Defending Democracy program to democracies around the world.

Since participating in the establishment of the Cybersecurity Tech Accord, an agreement to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation states, we have seen that group nearly double in size with 27 new organizations joining from around the globe, including Panasonic, Salesforce, Swisscom, and Rockwell Automation to name a few, bringing total signatories to 61. Our Digital Crimes Unit has worked with global law enforcement agencies to bring criminals to justice: to date, taking down 18 criminal bot-nets and rescuing nearly 500 million devices from secret bot-net control. In partnership with security teams across the company, the Digital Crimes Unit has also combatted nation-state hackers, using innovative legal approaches 12 times in two years to shut down 84 fake websites, often used in phishing attacks and set up by a group known as Strontium that is widely associated with the Russian government.

Our unique leadership and unmatched breadth of impact in security comes with a unique responsibility to make the world a safer place. We embrace it, and I am optimistic about what we can do. Together with our customers, we are turning the tide in cybersecurity.

Ill be talking about these announcements and more today in my session at Ignite. If youre not in Orlando, you can live stream it. To learn more about Microsofts security offerings, visit Microsoft.com/security.

The post Delivering security innovation that puts Microsoft’s experience to work for you appeared first on Microsoft Secure.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

This year at Microsoft Ignite, we will be making some exciting announcementsfrom new capabilities for identity management and information protection to powerful artificial intelligence (AI) innovations that can help you stay ahead of an often overwhelming surge in threats and security alerts.

Join us as we share best practices for current products, reveal highlights of our new offerings, and give you a glimpse of our future product vision.

Start by attending Satya Nadellas keynote. Then kickstart your security journey with this session: Microsoft Security: How the cloud helps us all be more secure featuring Rob Lefferts (GS008). Well highlight whats new in Microsoft security and how our customers and partners are using the Microsoft Cloud to accelerate security and productivity. Watch our demo showcase to see for yourself how unique intelligence and new innovations from Microsoft can help you be more secure across your entire digital estate.

Here are just a few of the other sessions at Ignite that will showcase our security technology and the innovation we have invested in throughout 2018 and into 2019. Add them to your Session Scheduler and check out the Session Catalog for the full list. If you cant attend in person, you can watch the live stream starting on September 24 with on-demand sessions to follow.

  • Leveraging the power of Microsoft threat protection (BRK4000). Learn about the services that make up Microsoft threat protection and how they work together across data, endpoints, identities, and infrastructure.
  • Double your security team productivitywithout doubling capacity (BRK2251). Learn how automated threat protection and remediation works seamlessly out of the box, using AI to respond to alerts and help security teams solve capacity and skill-gap challenges.
  • How to build security applications using the Microsoft Graph Security API (WRK3006). The Microsoft Graph has been extended with a new Security Graph API. Join this lab to get started using the Security API, including creating and authenticating a new app and using sample code to query the API.
  • Azure Active Directory: New features and roadmap (BRK2254). Come to this can’t-miss session for anyone working with or considering their strategy for identity and access management in the cloud. Hear about the newest features and experiences across identity protection, conditional access, single sign-on, hybrid identity environments, managing partner and customer access, and more.
  • Using Microsoft Secure Score to harden your security position (BRK3247). In this session, we help you understand what your current security position is in products like Office 365 and Windows and show you how you can easily increase your position though the built-in recommendations.
  • Getting to a world without passwords (BRK3031). Get the latest info and demos on what’s new with FIDO2, WebAuthN, Azure Active Directory, Windows Hello, and Microsoft Authenticator to help you make passwords a relic of the past.
  • Accelerate deployment and adoption of Azure Information Protection (BRK3009). Learn all about best practices in deploying Azure Information Protection to help protect your sensitive datawherever it lives or travels.
  • Registering and managing apps through Microsoft Azure Portal and Microsoft Graph API (THR2079). Come learn how to register apps to sign in Azure AD and personal Microsoft accounts, manage these apps, and get access to APIs all through Azure Portal, Microsoft Graph API, and PowerShell.
  • Secure enterprise productivity with Office 365 threat protection services (BRK4001). Learn about the latest advanced in services such as Exchange Online Protection (EOP), Advanced Threat Protection (ATP), and Threat Intelligenceand get a detailed roadmap of whats to come.
  • Simplify your IT management and level up with Microsoft 365 (GS004). Come and learn how Microsoft 365 will help you simplify your modern workplace, delight and empower your users, and protect and secure your corporate assets.
  • Managing devices with Microsoft Intunewhats new (BRK3036). Learn how Intune raises the bar once again for Android, Apple, and Windows device management, and hear more about the exciting new features and new use-cases announced at Ignite.
  • Elevate the security for all your cloud apps and services with the Microsoft Cloud App Security (CASB) solution (BRK2158). Gain visibility into your cloud apps and services with sophisticated analytics to identify and combat cyberthreats, and control how your ubiquitous data travels.

And one other exciting note: To see our solutions in action and gain access to a 6-month free trial of our EMS E5 solution, be sure to stop by the Microsoft Showcase for in-depth product demos and discussions with security experts.

For more Ignite news and updates, check back to our Secure Blog as we continue to highlight specific sessions and topics throughout the week.

The post Get deeper into security at Microsoft Ignite 2018 appeared first on Microsoft Secure.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

As part of our continued efforts to tackle entire classes of threats, Office 365 client applications now integrate with Antimalware Scan Interface (AMSI), enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior.

Macro-based threats have always been a prevalent entry point for malware, but we have observed a resurgence in recent years. Continuous improvements in platform and application security have led to the decline of software exploits, and attackers have found a viable alternative infection vector in social engineering attacks that abuse functionalities like VBA macros. Microsoft, along with the rest of the industry, observed attackers transition from exploits to using malicious macros to infect endpoints. Malicious macros have since showed up in commodity malware campaigns, targeted attacks, and in red-team activities.

Figure 1. Prevalence of the exploit vs macro attack vector observed via Windows Defender ATP telemetry

To counter this threat, we invested in building better detection mechanisms that expose macro behavior through runtime instrumentation within our threat protection solutions in the cloud. Were bringing this instrumentation directly into Office 365 client applications. More importantly, were exposing this capability through AMSI, an open interface, making it accessible to any antivirus solution.

Obfuscation and other forms of detection evasion

Macros are popular among attackers because of the rich capabilities that the VBA runtime exposes and the privileged context in which macros execute. Notably, as with all scripting languages, attackers have another advantage: they can hide malicious code through obfuscation.

To evade detection, malware needs to hide intent. The most common way that attackers do this is through code obfuscation. Macro source codes are easy to obfuscate, and a plethora of free tools are available for attackers to automatically do this. This results in polymorphic malware, with evolving obfuscation patterns and multiple obfuscated variants of the same malicious macro.

Theres more: malicious code can be taken out of the macro source and hidden in other document components like text labels, forms, Excel cells, and others. Or why hide at all? A small piece of malicious code can be embedded somewhere in a huge legitimate source and keep a low profile.

How can antivirus and other security solutions cope? Today, antivirus solutions can extract and scan the obfuscated macro source code from an Office document. How can the macros intent be exposed? What if security solutions can observe a macros behavior at runtime and gain visibility into system interactions? Enter Office and AMSI integration.

AMSI on Windows 10

If AMSI rings a bell, its because we talked about how PowerShell adopted AMSI in a blog post when AMSI was introduced back in 2015.

Antimalware Scan Interface (AMSI) is an open interface available on Windows 10 for applications to request, at runtime, a synchronous scan of a memory buffer by an installed antivirus or security solution. Any application can interface with AMSI and request a scan for any data that may be untrusted or suspicious.

Any antivirus can become an AMSI provider and inspect data sent by applications via the AMSI interface. If the content submitted for scan is detected as malicious, the requesting application can take action to deal with the threat and ensure the safety of the device. To learn more, refer to the AMSI documentation.

AMSI also integrates with the JavaScript, VBScript, and PowerShell scripting engines. Over the years, we have been steadily increasing our investments in providing security solutions with deeper visibility into script-based threats. Insights seen via AMSI is consumed by our own security products. The new Office and AMSI integration is yet another addition to the arsenal of protection against script-based malware. Windows Defender Advanced Threat Protection (Windows Defender ATP) leverages AMSI and machine learning to combat script-based threats that live off the land (read our previous blog post to learn more).

Office VBA integration with AMSI

The Office VBA integration with AMSI is made up of three parts: (a) logging macro behavior, (b) triggering a scan on suspicious behavior, and (c) stopping a malicious macro upon detection.

Figure 2. Runtime scanning of macros via AMSI

Logging macro behavior

The VBA language offers macros a rich set of functions that can be used to interface with the operating system to run commands, access the file system, etc. Additionally, it allows the ability to issue direct calls to COM methods and Win32 APIs. The VBA scripting engine handles calls from macro code to COM and APIs via internal interfaces that implement the transition between the caller and the callee. These interfaces are instrumented such that the behavior of a macro is trapped and all relevant information, including the function name and its parameters, are logged in a circular buffer.

This monitoring is not tied to specific functions; its generic and works on any COM method or Win32 API. The logged calls can come in two formats:

  • <COM_Object>.<COM_Method>(Parameter 1, , Parameter n);
  • <API_or_function_Name>(Parameter 1, , Parameter n);

Invoked functions, methods, and APIs need to receive the parameters in the clear (plaintext) in order to work; thus, this behavioral instrumentation is not affected by obfuscation. This instrumentation thus reveals a weak spot for macro codes; the antivirus now has visibility on relevant activity of the macro in the clear.

To illustrate, consider the following string obfuscation in a shell command:

Shell(ma+l+ wa+ r + e.e + xe)

With the Office VBA and AMSI integration, this is logged like so:

Shell(malware.exe);

Triggering on suspicious behavior

When a potentially high-risk function or method (a trigger; for example, CreateProcess or ShellExecute) is invoked, Office halts the execution of the macro and requests a scan of the macro behavior logged up to that moment, via the AMSI interface. The AMSI provider (e.g., antivirus software) is invoked synchronously and returns a verdict indicating whether or not the observed behavior is malicious.

The list of high-risk functions or triggers are meant to cover actions at various stages of an attack chain (e.g., payload download, persistence, execution, etc.) and are selected based on their prevalence among malicious and benign macros. The behavior log sent over AMSI can include information like suspicious URLs from which malicious data was downloaded, suspicious file names known to be associated with malware, and others. This data is valuable in determining if the macro is malicious, as well as in the creation of detection indicators all without any influence from obfuscation.

Stopping malicious macros upon detection

If behavior is assessed malicious, macro execution is stopped. The user is notified by the Office application, and the application session is shut down to avoid any further damage. This can stop an attack in its tracks, protecting the device and user.

Figure 3. Malicious macro notification

Case study 1: Heavily obfuscated macro code

(SHA-256: 10955f54aa38dbf4eb510b8e7903398d9896ee13d799fdc980f4ec7182dbcecd)

To illustrate how the Office VBA and AMSI integration can expose malicious macro code, lets look at a recent social engineering attack that uses macro-based malware. The initial vector is a Word document with instructions in the Chinese language to Enable content.

Figure 4: The malicious document instructs to enable the content

If the recipient falls for the lure and enables content, the malicious macro code runs and launches a command to download the payload from a command-and-control server controlled by the attacker. The payload, an installer file, is then run.

The macro code is heavily obfuscated:

Figure 5: Obfuscated macro

However, behavior monitoring is not hindered by obfuscation. It produces the following log, which it passes to AMSI for scanning by antivirus:

Figure 6: De-obfuscated behavior log

The action carried out by the macro code is logged, clearly exposing malicious actions that antivirus solutions can detect much more easily than if the code was obfuscated.

Case study 2: Macro threat that lives off the land

(SHA-256: 7952a9da1001be95eb63bc39647bacc66ab7029d8ee0b71ede62ac44973abf79)

The following is an example of macro malware that lives off the land, which means that it stays away from the disk and uses common tools to run code directly in memory. In this case, it uses shellcode and dynamic pages. Like the previous example, this attack uses social engineering to get users to click Enable Content and run the macro code, but this one uses instructions in the Spanish language in Excel.

Figure 7. Malicious Excel file with instructions to enable content

When run, the macro code dynamically allocates virtual memory, writes shellcode to the allocated location, and uses a system callback to transfer execution control. The malicious shellcode then achieves fileless persistence, being memory-resident without a file.

Figure 8. Macro code utilizing Win32 APIs to launch embedded shellcode

When the shellcode gets execution control, it launches a PowerShell command to download additional payload from a command-and-control server controlled by the attacker.

Figure 9. PowerShell command that downloads payload

Even if the macro code uses fileless code execution technique using shellcode, its behavior is exposed to antivirus solutions via the AMSI interface. Sample log is shown below:

Figure 10. De-obfuscated behavior log

With the AMSI scan integration in both Office VBA and PowerShell, security solutions like Windows Defender ATP can gain clear visibility into malicious behavior at multiple levels and successfully block attacks.

Windows Defender ATP: Force multiplier and protection for down-level platforms

In addition to protecting users running Office 365 applications on Windows 10, detections via AMSI allow modern endpoint protection platforms like Windows Defender ATP to extend protection to customers via the cloud.

Figure 11. Simplified diagram showing how AMSI detections in a few machines are extended to other customers via the cloud

In Windows Defender AVs cloud-delivered antivirus protection, the Office VBA and AMSI integration enriches the signals sent to the cloud, where multiple layers of machine learning models classify and make verdicts on files. When devices encounter documents with suspicious macro code, Windows Defender AV sends metadata and other machine learning features, coupled with signals from Office AMSI, to the cloud. Verdicts by machine learning translate to real-time protection for the rest of Windows Defender AV customers with cloud protection enabled.

This protection is also delivered to the rest of Microsoft 365 customers. Through the Microsoft Intelligent Security Graph, security signals are shared across components of Microsoft 365 threat protection. For example, in the case of macro malware, detections of malicious macro-laced documents by Windows Defender AV are shared with Office 365 ATP, which blocks emails carrying the document, stopping attacks before the documents land in users mailboxes.

Figure 12. The Office and AMSI integration enriches the orchestration of protection across Microsoft 365

Within a few weeks after the release of this new instrumentation in Office VBA and the adoption by Windows Defender ATP, we saw this multiplier effect, with signals from a few hundred devices protecting several tens of thousands of devices. Because Office AMSI feature exposes behaviors of the macro irrespective of content, language, or obfuscation, signals from one part of the world can translate to protection for the rest of the globe this is powerful.

Availability

AMSI integration is now available and turned on by default on the Monthly Channel for all Office 365 client applications that have the ability to run VBA macros including Word, Excel, PowerPoint, and Outlook.

In its default configuration, macros are scanned at runtime via AMSI except in the following scenarios:

  • Documents opened..
Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Cyber thieves are continuously looking for new ways to get people to click on a bad link, open a malicious file, or install a poisoned update in order to steal valuable data. In the past, they cast as wide a net as possible to increase the pool of potential victims. But attacks that create a lot of noise are often easier to spot and stop. Cyber thieves are catching on that we are watching them, so they are trying something different. Now were seeing a growing trend of small-scale, localized attacks that use specially crafted social engineering to stay under the radar and compromise more victims.

In social engineering attacks, is less really more?

A new malware campaign puts that to the test by targeting home users and small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive info from just under 200 targets. Macro-laced documents masqueraded as statements from legitimate businesses. The documents are then distributed via email to target victims in cities where the businesses are located.

With Windows Defender AVs next gen defense, however, the size of the attack doesnt really matter.

Several cloud-based machine learning algorithms detected and blocked the malicious documents at the onset, stopping the attack and protecting customers from what would have been the payload, info-stealing malware Ursnif.

The map below shows the location of the targets.

Figure 1. Geographic distribution of target victims

Highly localized social engineering attack

Heres how the attack played out: Malicious, macro-enabled documents were delivered as email attachments to target small businesses and users. Each document had a file name that spoofed a legitimate business name and masqueraded as a statement from that business. In total, we saw 21 unique document file names used in this campaign.

The attackers sent these emails to intended victims in the city or general geographic area where the businesses are located. For example, the attachment named Dolan_Care_Statement.doc was sent almost exclusively to targets in Missouri. The document file name spoofs a known establishment in St. Louis. While we do not believe the establishment itself was affected or targeted by this attack, the document purports to be from the said establishment when its really not.

The intended effect is for recipients to get documents from local, very familiar business or service providers. Its part of the social engineering scheme to increase likelihood that recipients will think the document is legitimate and take the bait, when in reality it is a malicious document.

Most common lure document file names Top target cities
Dockery_FloorCovering_Statement Johnson City, TN
Kingsport, TN
Knoxville, TN
Dolan_Care_Statement St. Louis, MO
Chesterfield, MO
Lees Summit, MO
DMS_Statement Omaha, NE
Wynot, NE
Norwalk, OH
Dmo_Statement New Braunfels, TX
Seguin, TX
San Antonio, TX
DJACC_Statement Miami, FL
Flagler Beach, FL
Niles, MI
Donovan_Construction_Statement Alexandria, VA
Mclean, VA
Manassas, VA

Table 1. Top target cities of most common document file names

When recipients open the document, they are shown a message that tricks the person into enabling the macro.

Figure 2. Document tricks victim into enabling the macro

As is typical in social engineering attacks, this is not true. If the recipient does enable the macro, no content is shown. Instead the following process is launched to deobfuscate a PowerShell command.

Figure 3. Process to deobfuscate PowerShell

Figure 4. PowerShell command

The PowerShell script connects to any of 12 different URLs that all deliver the payload.

Figure 5. Deobfuscated PowerShell command

The payload is Ursnif, info-stealing malware. When run, Ursnif steals information about infected devices, as well as sensitive information like passwords. Notably, this infection sequence (i.e., cmd.exe process deobfuscates a PowerShell that in turn downloads the payload) is a common method used by other info-stealing malware like Emotet and Trickbot.

How machine learning stopped this small-scale, localized attack

As the malware campaign got under way, four different cloud-based machine learning models gave the verdict that the documents were malicious. These four models are among a diverse set of models that help ensure we catch a wide range of new and emerging threats. Different models have different areas of expertise; they use different algorithms and are trained on their unique set of features.

One of the models that gave the malicious verdict is a generic model designed to detect non-portable executable (PE) threats. We have found that models like this are effective in catching social engineering attacks, which typically use non-PE files like scripts and, as is the case for this campaign, macro-laced documents.

The said non-PE model is a simple averaged perceptron algorithm that uses various features, including expert features, fuzzy hashes of various file sections, and contextual data. The simplicity of the model makes it fast, enabling it to give split-second verdicts before suspicious files could execute. Our analysis into this specific model showed that the expert features and fuzzy hashes had the biggest impact in the models verdict and the eventual blocking of the attack.

Figure 6. Impact of features used by one ML model that detected the attack

Next-generation protection against malware campaigns regardless of size

Machine learning and artificial intelligence power Windows Defender Antivirus to detect and stop new and emerging attacks before they can wreak havoc. Every day, we protect customers from millions of distinct, first-seen malware. Our layered approach to intelligent, cloud-based protection employs a diverse set of machine learning models designed to catch the wide range of threats: from massive malware campaigns to small-scale, localized attacks.

The latter is a growing trend, and we continue to watch the threat landscape to keep machine learning effective against attacks. In a recent blog post, we discussed how we continue to harden machine learning defenses.

Windows Defender AV delivers the next-gen protection capabilities in the Windows Defender Advanced Threat Protection (Windows Defender ATP). Windows Defender ATP integrates attack surface reduction, next-gen protection, endpoint detection and response (EDR), automatic investigation and response, security posture, and advanced hunting capabilities. .

Because of this integration, antivirus detections, such as those related to this campaign, are surfaced in Windows Defender Security Center. Using EDR capabilities, security operations teams can then investigate and respond to the incident. Attack surface reduction rules also block this campaign, and these detections are likewise surfaced in Windows Defender ATP.To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Across the whole Microsoft 365 threat protection, detections and other security signals are shared among Office 365 ATP, Windows Defender ATP, and Azure ATP. In this Ursnif campaign, the antivirus detection also enables the blocking of related emails in Office 365. This demonstrates how signal sharing and orchestration of remediation across solutions in Microsoft 365 results in better integrated threat protection.

Bhavna Soman
Windows Defender Research

Indicators of compromise (IOCs)

Infector:

Hashes
407a6c99581f428634f9d3b9ec4b79f79c29c79fdea5ea5e97ab3d280b2481a1
77bee1e5c383733efe9d79173ac1de83e8accabe0f2c2408ed3ffa561d46ffd7
e9426252473c88d6a6c5031fef610a803bce3090b868d9a29a38ce6fa5a4800a
f8de4ebcfb8aa7c7b84841efd9a5bcd0935c8c3ee8acf910b3f096a5e8039b1f

File names
CSC_Statement.doc
DBC_Statement.doc
DDG_Statement.doc
DJACC_Statement.doc
DKDS_Statement.doc
DMII_Statement.doc
dmo_statement.doc
DMS_Statement.doc
Dockery_Floorcovering_Statement.doc
Docktail_Bar_Statement.doc
doe_statement.doc
Dolan_Care_Statement.doc
Donovan_Construction_Statement.doc
Donovan_Engineering_Statement.doc
DSD_Statement.doc
dsh_statement.doc
realty_group_statement.doc
statement.doc
tri-lakes_motors_statement.doc
TSC_Statement.doc
UCP_Statement.doc

Payload (Ursnif)

Hashes
31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f
bd23a2eec4f94c07f4083455f022e4d58de0c2863fa6fa19d8f65bfe16fa19aa
75f31c9015e0f03f24808dca12dd90f4dfbbbd7e0a5626971c4056a07ea1b2b9
070d70d39f310d7b8842f645d3ba2d44b2f6a3d7347a95b3a47d34c8e955885d
15743d098267ce48e934ed0910bc299292754d02432ea775957c631170778d71

URLs
hxxp://vezopilan[.]com/tst/index[.]php?l=soho6[.]tkn
hxxp://cimoselin[.]com/tst/index[.]php?l=soho2[.]tkn
hxxp://cimoselin[.]com/tst/index[.]php?l=soho4[.]tkn
hxxp://vedoriska[.]com/tst/index[.]php?l=soho6[.]tkn
hxxp://baberonto[.]com/tst/index[.]php?l=soho3[.]tkn

hxxp://hertifical[.]com/tst/index[.]php?l=soho8[.]tkn
hxxp://hertifical[.]com/tst/index[.]php?l=soho6[.]tkn
hxxp://condizer[.]com/tst/index[.]php?l=soho1[.]tkn
hxxp://vezeronu[.]com/tst/index[.]php?l=soho2[.]tkn
hxxp://vezeronu[.]com/tst/index[.]php?l=soho5[.]tkn

hxxp://zedrevo[.]com/tst/index[.]php?l=soho8[.]tkn
hxxp://zedrevo[.]com/tst/index[.]php?l=soho10[.]tkn

*Note: The first four domains above are all registered in Russia and are hosted on the IP address 185[.]212[.]44[.]114. The other domains follow the same URL pattern and are also pushing Ursnif, but no registration info is available.

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

As I write this blog post, Im sitting by the beach on my computer in a sunny destination while my family plays in the water. Were on vacation, but we all have our own definition of fun. For me its writing blogs on the beachreally! The headspace is outstanding for uninterrupted thinking time and focus. However, my employer may not find my vacation destination to be the safest place to access certain applications and data. They want me to strongly authenticate, and they want to understand the health of the systems and devices I am using, as well as the network and geolocation. But thanks to the power of machine learning and conditional access I am able to write this blog when and where I want. My employer is able to enforce all-encompassing security measures to ensure my device, location, and network are safe and confirm its really me trying to sign in.

The ability for my organization to reason over all of the data, including location, device health, sign-in, and app health, is just one example of the way artificial intelligence (AI) is helping us evolve the tools we use to fight cybercrime. In this post Ill focus on two practical use cases for deploying AI in the cybercrime battlefield. In the first example, I explain how layering AI onto on-premises Security Information and Event Management (SIEM) solutions can give you better insights and predictive capabilities. The second use case is the one I just hinted at, which is how we can take AI even further to protect user access. By the end I hope Ive proven to you that there is tremendous opportunity to use AIparticularly machine learningto improve the efficacy of cybersecurity, the detection of hackers, and even prevent attacks before they occur.

If you are skeptical, I understand. I often tell a story about how for many years at the annual RSA Conference, vendors and customers rallied around themes such as the year of the smart card, the year of biometrics, “the year of machine learning, the year of blockchain. Some of these technologies never lived up to their promise, and many are still nascent and immature in their application, architecture, and use cases. But I think there are practical applications of AI that will meet our expectations, especially when it comes to cybersecurity. If one reflects on broad based attacks like WannaCry and NotPetya and critical vulnerabilities like Spectre and Meltdown, it only stands to reason that the attack surface is rapidly growing, the bad actors are becoming more sophisticated, and the need for tool evolution is compelling. AI is the path to that evolution. As an industry, we need to be cautious in how we position and explain machine learning and AI, avoiding confusion, conflating capabilities, and overpromising results. There is definitely a place for both, and they are highly complementary. AI has the power to deliver on some of the legacy promise of machine learning, but only if it is trained, architected, and implemented properly.

Like all technologies, there is a risk that AI will be misused or poorly used. For the purpose of this blog, I ask you to make the assumption that the tech is being used ethically, the engines are properly trained in a non-biased manner, and the user understands the full capability of the technology they are deploying. Am I asking you to suspend reality? No, I am simply asking you to imagine the potential if we fully harness AI to further improve our cybersecurity defenses and recognize the threat of bad actors who will also embrace AI now and in the future. Please also read The Future Computed: Artificial Intelligence and its role in society by Brad Smith and Harry Shum for a broader vision on AI and its role in society.

Using AI to gain powerful insights

There are several use cases where AI is interesting for cybersecurity applications but lets first start with what is possibly the most obvious use casemaking sense of signal and intelligence. Collective sigh readers before continuing. I understand the consternation related to legacy SIEM solutions, and your visceral response. SIEM solutions were purpose-built to collect logs and data from a wide range of sources, largely for compliance, and they do this particularly well. They also enable users to effectively produce reporting specific to a use case. They do not, however, work well in detecting real-time attacks and allowing an organization to automate and/or orchestrate defenses that will minimize damage to the organization.

Take a moment to think about how powerful it would be to apply the machine learning algorithms that exist today to the data and logs that SIEM collects. AI could reason over the data at global scale in near real-time using the cloud and produce attack scenarios, which you could then tie to a security operations tool that automates the response and defenses based on the outcome of the AI reasoning. With a large volume of globally sourced data, you could use AI to look at anomalies in the behavior patterns of humans, devices, data, and applications at scale and make accurate predictions of the threats to your enterpriseallowing you to deploy defenses well in advance of a specific attack. AI, when trained and deployed properly, has the ability to allow your enterprise to be this effective. You can continue to gain value from the on-premise SIEM infrastructure you built and use the data you gathered for historical context. The cloud provides a true value in this use case in its ability to analyze the data at a global scale. And finally, AI will become predictive as it learns what is normal and what isnt normal. You can then automate responses via tooling that will allow your admins to focus only on the highest value tasks.AI will reduce the workload of security administrators in the short term, reducing duplication and increasing efficacy of signal.

Intelligently secure conditional access

My ability to write this blog from the beach is evidence that todays systems for conditional access are good and getting better. The ability to provide access control based on the authentication of the user, device, data, application, and known geo-location provide us a certain level of confidence. The tools that exist can potentially maintain state, have the potential to be quite granular, and are powered by global cloud networks. They often use machine learning to detect anomalous behavior, but todays tooling suffers from a dependence on legacy architecture, technical debt, dependence on the integration of disparate authentication systems, and hybrid systems. The tooling is often built for just one environment, one use case, or one system of record. In most large, complex enterprises, security admins dont have the luxury of using the most up-to-date tools for a single environment or use case. Their environments are complex, the attack surface is large, and their users are often unaware of sophisticated security risks. I encounter this in my own home when I explain to family members the inherent risks of free, public Wi-Fi, as an example.

AI for conditional access use cases is not only practical, its necessary. We have long lived with an employee base that is working from a large variety of personal and company-issued devices and working from a wide range of locations including corporate owned office space, shared work facilities, coffee houses, hotel rooms, conference facilities, and other global locations. There is also still a gap in the security industry related to the percentage of the population that owns and successfully deploys Multi-Factor Authentication (MFA) tooling. Biometrics HAS actually made MFA more ubiquitous by reducing the friction and expense of purchasing and deploying authentication systems, but organizations are still not investing in MFA across 100 percent of their enterprises. Cybersecurity, like many fields, operates on a risk model. High risk applications and users equal higher security profiles and tools. Now, imagine if we can reduce the risk while also reducing the friction of rolling out tools? AI is dependent on data and good architects and developers to truly live up to its promise, but it is systems agnostic. The data you supply from your mainframe is not ranked higher in priority than the data you supply from the cloud, unless you create a scenario where you desire specific data types to be higher priority or ordinal in ranking.

Conditional accesspowered by AI reasoning over the behavior of the user, device, data, application, network, location, etc.has the ability to create much safer data access for companies and reduce the overall risk. Imagine a dynamic, real-time, global environment whereregardless of where your users choose to workyou can determine their precise level of access and change their level of access in real-time without human intervention. Did something change that causes concern, and would you like your user to reauthenticate? Do you want to block access to some or all systems? Do you want to block access to certain data sets or require some level of encryption? The AI enginelinked with automated toolingwill give you this ability and provide the logging and reporting needed to support the automated actions or human intervention. Your ability to integrate with current tooling to enforce the actions will be the highest bar to full usage in your environment.

There are no silver bullets when it comes to technology and, particularly, cybersecurity. I have talked about two use cases where I believe AI can improve cybersecurity, but there are others a well, such as AI’s ability to allow more robust device-related IoT detection, sophisticated malware detection, and improvements in vulnerability management. The bad actors will continue to innovate and create weapons that can be deployed for large scale attacks. The attack surface is growing with the proliferation of IoT devices on corporate networks on control systems. As an industry, we have a moral responsibility and imperative to continue improving processes, training, and technology to meet new and yet to be developed threats. Artificial intelligence is one weapon in our tool bag. It must be used prudently. And when used effectively, it can truly be a change agent for the industry. Check out my blog, Application fuzzing in the era of Machine Learning and AI, where I wrote about application fuzzing and AI.

Check back in a month when I will blog about how we can use AI to improve device-related IoT detection. In the meantime, I invite you to follow me at @ajohnsocyber.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

This is a blog series that responds to common questions we receive from customers about the deployment of Microsoft 365 security solutions. In this series, youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Cybersecurity threats: How to discover, remediate, and mitigate, the third blog in our eight-part series on deploying Intelligent Security scenarios.

Its not just a problem for consumers. Identity theft in the workplace is also on the riseand with good reason. Stealing employee credentials is an easy path to bypassing security around sensitive data, making unauthorized purchases, and many other cybercrimes.

Microsoft 365 security solutions help you protect users and corporate accounts. By making identity the control plane, Microsoft 365 offerings manage identities as the first step to providing access to corporate resources and restricting users who are high risk. Tools like single sign-on (SSO), Multi-Factor Authentication (MFA), and Windows 10 Hello for Business help you secure access. Additionally, there are actions you can take if an identity is compromised and ways to lock down or wipe devices to protect sensitive data in case of loss or theft.

How do I provide secure access for my users?

Managing identities is the first step in protecting your environment. You can provision user identities through Azure Active Directory (Azure AD) and then connect to your on-premises Active Directory, allowing you to centralize identities for each user. Then you can set conditional access policies in Azure AD (Figure 1) for users in your organization. Conditional access policies allow you to control how users access cloud apps. You can set conditions that restrict access based on sign-in risk, user location, or client app, as well as only allowing access to managed devices. Start by implementing recommended identity access policies.

Managing user access is your next step. Azure AD SSO lets you manage authentication across devices, cloud apps, and on-premises apps with one user sign-in. Once you enable SSO, your employees can access resources in real-time on any device in addition to confidential or sensitive work documents away from the office. Next, deploy MFA in Azure AD to reauthenticate high-risk users, and take automated action to secure your network.

Figure 1. Set user policies using Azure AD conditional access.

Finally, encourage your employees to use Windows Hello for Business. Its a security feature that allows users unlock their device using their PCs camera, PIN, or their fingerprint.

How do I ensure that my employees credentials are not compromised?

Whats needed is a multi-layered approach to identity protection that goes beyond passwords and starts to identify risk even before a password is entered.

Early and active monitoring of potential threats is essential. With Azure AD Identity Protection, you get an overview of risk and vulnerabilities that may be affecting your organizations identities. You can then set up risk-based conditional access policies to automatically mitigate threats. Risk-based conditional access uses machine learning to identify high-risk users. For example, a user may be flagged based on unfamiliar locations or failed sign-ins from the same IP address. Once flagged, a user can be required to use MFA in Azure AD or be blocked altogether (Figure 1).

Another useful monitoring tool is Azure AD Privileged Identity Management (PIM). With Azure AD PIM, you can monitor admin access to resources and minimize the number of people who have access to them. By continuously monitoring these high access points, you limit vulnerabilities. You can configure Azure AD PIM in the Azure portal to generate alerts when theres suspicious or unsafe activity in your environment and then recommend mitigation strategies.

Along with monitoring, Microsoft 365 security solutions offer tools to better protect a users credentials. Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them, thus helping prevent unauthorized access to these secrets which can lead to credential theft attacks.

Deployment tips from the experts

Start by managing user identities as your control plane. Provision your user identities through Azure AD and use Azure AD Connect to integrate identities across Azure AD and your on-premises AD. Enable MFA for all administrators, set conditional access policies, and initiate SSO.

Manage your devices from the cloud. Managing employee devices remotely engenders productivity and bolsters security. Deploy Microsoft Intune as your mobile device manager for company- and employee-owned devices.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the Protect your users and their identity white paper. You can find additional security resources on Microsoft.com.

More blog posts from this series:

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

This post was coauthored by Diana Kelley, Cybersecurity Field CTO, and Sin John, EMEA Chief Security Advisor, Cybersecurity Solutions Group.

Youve got a big dinner planned and your dishwasher goes on the fritz. You call the repair company and are lucky enough to get an appointment for that afternoon. The repairperson shows up and says, Yes, its broken, but to figure out why I will need to run some tests. They start to remove your dishwasher from the outlet. What are you doing? you ask. Im taking it back to our repair shop for analysis and then repair, they reply. At this point, youre annoyed. You have a big party in three hours, and taking the dishwasher all the way back to the shop for analysis means someone will be washing dishes by hand after your partywhy not test it right here and right now so it can be fixed on the spot?

Now, imagine the dishwasher is critical business data located throughout your organization. Sending all that data to a centralized location for analysis will give you insights, eventually, but not when you really need it, which is now. In cases where the data is extremely large, you may not be able to move it at all. Instead it makes more sense to bring services and applications to your data. This at the heart of a concept called data gravity, described by Dave McCrory back in 2010. Much like a planet, your data has mass, and the bigger that mass, the greater its gravitational pull, or gravity well, and the more likely that apps and services are drawn to it. Gravitational movement is accelerated when bandwidth and latency are at a premium, because the closer you are to something the faster you can process and act on it. This is the big driver of the intelligent cloud/intelligent edge. We bring analytics and compute to connected devices to make use of all the data they collect in near real-time.

But what might not be so obvious is what, if anything, does data gravity have to do with cybersecurity and the security operations center (SOC) of tomorrow. To have that discussion, lets step back and look at the traditional SOCs, built on security information and event management (SIEM) solutions developed at the turn of the century. The very first SIEM solutions were predominantly focused on log aggregation. Log information from core security tools like firewalls, intrusion detection systems, and anti-virus/malware tools were collected from all over a company and moved to a single repository for processing.

That may not sound super exciting from our current vantage point of 2018, but back in 2000 it was groundbreaking. Admins were struggling with an increasing number of security tools, and the ever-expanding logs from those tools. Early SIEM solutions gave them a way to collect all that data and apply security intelligence and analytics to it. The hope was that if we could gather all relevant security log and reporting data into one place, we could apply rules and quickly gather insights about threats to our systems and security situational awareness. In a way this was antidata gravity, where data moved to the applications and services rather than vice versa.

After the initial hype for SIEM solutions, SOC managers realized a few of their limitations. Trying to write rules for security analytics proved to be quite hard. A minor error in a rule led to high false positives that ate into analyst investigative time. Many companies were unable to get all the critical log data into the SIEM, leading to false negatives and expensive blind spots. And one of the biggest concerns with traditional SIEM was the latency. SIEM solutions were marketed as real-time analytics, but once an action was written to a log, collected, sent to the SIEM, and then parsed through the SIEM analytics engine, quite a bit of latency was introduced. When it comes to responding to fast moving cyberthreats, latency is a distinct disadvantage.

Now think about these challenges and add the explosive amounts of data generated today by the cloud and millions of connected devices. In this environment its not uncommon that threat campaigns go unnoticed by an overloaded SIEM analytics engine. And many of the signals that do get through are not investigated because the security analysts are overworked. Which brings us back to data gravity.

What was one of the forcing factors for data gravity? Low tolerance for latency. What was the other? Building applications by applying insights and machine learning to data. So how can we build the SOC of tomorrow? By respecting the law of data gravity. If we can perform security analytics close to where the data already is, we can increase the speed of response. This doesnt mean the end of aggregation. Tomorrows SOC will employ a hybrid approach by performing analytics as close to the data mass as possible, and then rolling up insights, as needed, to a larger central SOC repository for additional analysis and insight across different gravity wells.

Does this sound like an intriguing idea? We think so. Being practitioners, though, we most appreciate when great theories can be turned into real-world implementations. Please stay tuned for part 2 of this blog series, where we take the concept of tomorrows SOC and data gravity into practice for today.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Every day, antivirus capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) protect millions of customers from threats. To effectively scale protection, Windows Defender ATP uses intelligent systems that combine multiple layers of machine learning models, behavior-based detection algorithms, generics, and heuristics that make a verdict on suspicious files, most of the time in a fraction of a second.

This multilayered approach allows us to proactively protect customers in real-time, whether in the form of stopping massive malware outbreaks or detecting limited sophisticated cyberattacks. This quality of antivirus capabilities is reflected in the consistently high scores that Windows Defender ATP gets in independent tests and the fact that our antivirus solution is the most deployed in the enterprise.

The tradeoff of an intelligent, scalable approach is that some of our more aggressive classifiers from time to time misclassify normal files as malicious (false positives). While false positives are a very tiny occurrence compared to the large number of malware we correctly identify (true positives) and protect customers from, we are aware of the impact that misclassified files might have. Keeping false positives at a minimum is an equally important quality metric that we continually work to improve on.

Avoiding false positives is a two-way street between security vendors and developers. Publishing apps to the Microsoft Store is the best way for vendors and developers to ensure their programs are not misclassified. For customers, apps from the Microsoft Store are trusted and Microsoft-verified.

Here are other ways developers can raise the level of trust by both security vendors and customers and help make sure programs and files are not inadvertently detected as malware.

Digitally sign files

Digital signatures are an important way to ensure the integrity of software. By verifying the identity of the software publisher, a signature assures customers that they know who provided the software theyre installing or running. Digital signatures also assure customers that the software they received is in the same condition as when the publisher signed it and the software has not been tampered with.

Code signing does not necessarily guarantee the quality or functionality of software. Digitally signed software can still contain flaws or security vulnerabilities. However, because software vendors reputations are based on the quality of their code, there is an incentive to fix these issues.

We use the reputation of digital certificates to help determine the reputation of files signed by them. The reverse is also true: we use the reputation of digitally signed files to determine the reputation of the digital certificates they are signed with. One of the most effective ways for developers to reduce the chances of their software being detected as malware is it to digitally sign files with a reputable certificate.

The second part of reducing the risk of unintended detection is to build a good reputation on that certificate. Microsoft uses many factors to determine the reputation of a certificate, but the most important are the files that are signed by it. If all the files using a certificate have good reputation and the certificate is valid, then the certificate keeps a good reputation.

Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. This process requires a more comprehensive identity verification and authentication process for each developer. The EV code signing certificates require the use of hardware to sign applications. This hardware requirement is an additional protection against theft or unintended use of code signing certificates. Programs signed by an EV code signing certificate can immediately establish reputation with Windows Defender ATP even if no prior reputation exists for that file or publisher.

Keep good reputation

To gain positive reputation on multiple programs and files, developers sign files with a digital certificate with positive reputation. However, if one of the files gains poor reputation (e.g., detected as malware) or if the certificate was stolen and used to sign malware, then all of the files that are signed with that certificate will inherit the poor reputation. This situation could lead to unintended detection. This framework is implemented this way to prevent the misuse of reputation sharing.

We thus advise developers to not share certificates between programs or other developers. This advice particularly holds true for programs that incorporate bundling or use advertising or freemium models of monetization. Reputation accruesif a software bundler includes components that have poor reputation, the certificate that bundler is signed with gets the poor reputation.

Be transparent and respect users ability to choose

Malware threats use a variety of techniques to hide. Some of these techniques include file obfuscation, being installed in nontraditional install locations, and using names that dont reflect that purpose of the software.

Customers should have choice and control over what happens on their devices. Using nontraditional install locations or misleading software names reduce user choice and control.

Obfuscation has legitimate uses, and some forms of obfuscation are not considered malicious. However, many techniques are only employed to evade antivirus detection. Developers should refrain from using non-commercial packers and obfuscation software.

When programs employ malware-like techniques, they trigger flags in our detection algorithms and greatly increase the chances of false positives.

Keep good company

Another indicator that can influence the reputation of a file are the other programs the file is associated with. This association can come from what the program installs, what is installed at the same time as the program, or what is seen on the same machines as the file. Not all of these associations directly lead to detections, however, if a program installs other programs or files that have poor reputation, then by association that program gains poor reputation.

Understand the detection criteria

Microsofts policy aims to protect customers against malicious software while minimizing the restrictions on developers. The diagram below demonstrates the high-level evaluation criteria Microsoft uses for classifying files:

  • Malicious software: Performs malicious actions on a computer
  • Unwanted software: Exhibits the behavior of adware, browser modifier, misleading, monitoring tool, or software bundler
  • Potentially unwanted application (PUA): Exhibits behaviors that degrade the Windows experience
  • Clean: We trust the file is not malicious, is not inappropriate for an enterprise environment, and does not degrade the Windows experience

These evaluation criteria describe the characteristics and behavior of malware and potentially unwanted applications and guide the proper identification of threats. Developers should make sure their programs and files dont demonstrate undesirable characteristics or behavior to minimize chances their programs are not misclassified.

Challenging a detection decision

If you follow these pieces of advice and we unintentionally detect your file, you can help us fix the issue by reporting it through the Windows Defender Security Intelligence portal.

Customer protection is our top priority. We deliver this through Windows Defender ATPs unified endpoint security platform. Helping Microsoft maintain high-quality protection benefits customers and developers alike, allowing for an overall productive and secure computing experience.

Michael Johnson

Windows Defender Research

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

I dont know about you, but I find large conferences overwhelming. Dont get me wrong, nothing beats the innovative potential of bringing a diverse group of brilliant people together to hash through thorny issues and share insights. But there are so many speakers, booths, and people, it can be a challenge to find the signal in all the noisedid I mention conferences are also really loud?

So last week when I stepped into the first of multiple showrooms at the Mandalay Hotel in Las Vegas for the Black Hat Briefing, I have to admit I felt a little nostalgia for the very first Black Hat Conference. It was 1997 at the old Aladdin Casino in Las Vegas. A casino with a long and colorful history, slated to close a few months after the conference ended. 1997: That was before Facebook and the iPhone, before the cloud. At the time, the RSA Conference was still mostly focused on cryptography, and those of us concerned about security vulnerabilities and how they impacted practitioners day in and day out had few opportunities to just get together and talk. The first Black Hat Briefing was very special. If my memory serves, there were only a couple hundred of us in attendancecompared to thousands todayand through those connections we built a community and an industry.

Building a community was key to creating the information security industry that exists today, and I believe that building community is just as critical now as we face down the new security threats of a cloud-and-edge world, an IoT world. We need the whole defender communitywhite hat hackers, industry, and governmentworking together to protect the security of our customers.

The security research community plays a fundamental role in community-based defense

Over the last few years, Microsoft has been expanding and redefining what makes up our security communityone of the many positive evolutions since that first Black Hat. Like most tech companies, we once believed that any hacker outside of the organization posed a risk, but as weve gotten to know each other through many years of hard-earned trust and collaboration, we, and the security research community, have learned that our values arent so different. Sometimes the only way to make something stronger is to break it. We know we cant on our own find all the gaps and errors in code that lead to vulnerabilities that criminals exploit to steal money and data. We need great minds both inside and outside our organization. Many of those great minds in the security research community collaborate with us through the Microsoft Security Response Center, and Black Hat was the perfect place to announce the subset of those researchers that made our annual Top 100 Security Researchers List.

We really appreciate the ongoing support from the community and encourage new researchers to report vulnerabilities to the Microsoft Security Response Center and participate in the Microsoft Bounty Program.

It takes a community to protect the security of our customers

As much as Microsoft values the relationship we have with researchers, we also attended Black Hat as industry partners. We want to help educate our peers on notable vulnerabilities and exploits, and share knowledge following major security events. As an example, one of our sessions focused on how Spectre and Meltdown are a wake-up call on multiple dimensions: how we engineer, how we partner, how we react when we find new security vulnerabilities, and how we need to become more coordinated. When I think about what was so exciting about that first conference, this is what comes to mind: those moments when we hear what our partners have learned, share what we know, and build on those insights to strengthen our collective response. The tech industry is increasingly interdependent. Its going to take all of us working together to protect the safety and security of our customers devices and data.

But the meeting of the minds at annual security conferences, while important, is not enough. Microsoft also believes that we need a more structured approach to our collaboration. Cybersecurity is not just about threats from hackers and criminal groups; it has increasingly become a situation where we’re facing a cyberweapons arms race with governments attacking users around the world. We know this is a challenge we must pursue with our partners and customers, with a sense of shared responsibility and a focus on constantly making it easier for everyone to benefit from the latest in security advances. Microsoft has been working to help organize the industry in pursuit of this goal.

This past April during the RSA Conference, we came together as initially 34 companies, now 44 companies, and agreed to a new Cybersecurity Tech Accord. In this accord, we all pledge to help protect every customer, regardless of nationality, and will refrain from helping governments attack innocent civilians. It’s a foundationon which we are buildingto take coordinated action and to work with all our partners and many others to strengthen the resilience of the ecosystem for all our customers.

I admit it, I do sometimes miss attending those small, tightly knit conferences of old. But Im even more inspired about the possibilities that I see as we continue to build on these collaborative models. Weve seen a lot of progress recently working with our partners and the security research community. If you listen closely, I think you can hear the signal breaking through.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Todays post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

Customer satisfaction is one of the most important goals for Microsoft 365 Security. In part 1 of this series, we discussed Microsofts overall security strategy for connecting with the broader security community, and in part 2, we looked at how Microsoft services help secure non-Microsoft services of an organizations IT environment.

In the final part of this blog series, we highlight how Microsoft 365 Security solutions work together to help customers secure their IT environments. The benefits of Microsoft 365 Security services are universal, as demonstrated by the fact that our customers are large and small, and focused on different industry verticals across the globe.

Helping enable a mobile workforce at a healthcare network

Sutter Health is a not-for-profit network of healthcare professionals and hospitals serving Northern California. CTO Wes Wrights main goal is to provide IT and software solutions that allow employees to maximize their time spent on patient and family care. Sutter Healths network employs nearly 52,000 people, supporting 24 acute care hospitals and care centers, serving more than 100 communities. Sutter has an ecosystem of 65,000 mobile devices and modernizing IT was not trivial for them. They deployed Microsoft Intune to help manage and support an internal app store called the Sutter Intune Store. Intune also helps ensure Sutters clinical and business partners can access and use Sutter Health authorized apps from anywhere, at any time. Their Intune-powered solution is designed to:

  • Manage and secure any mobile device used by the workforce to access company data.
  • Manage and secure the mobile apps used by their workforce.
  • Protect company information even after it is accessed.
  • Ensure devices and apps are compliant with company security policies.

With services like Intune (Figure 1), simplifying security management and reducing IT complexity, Sutter Health can support the latest devices, embrace modern apps, leverage a distributed workforce, and deliver the highest quality patient care.

Figure 1. The Intune architecture diagram.

Enhancing productivity through security at a power company

Wrtsil is a Finnish company manufacturing and servicing power sources and other equipment for the marine and energy markets. Joachim Kjellman, solutions manager at Wrtsil was looking for a solution with conditional access and multifactor authentication (MFA) capabilities. He selected Azure Active Directory (Azure AD), which enables single sign-on capability for all company resources anywhere with internet access, removing the need of unreliable VPN connections. Additionally, with Conditional Access, Wrtsil can provide remote access to apps that can be secured with MFA and managed when originating from unmanaged devices.Azure AD (Figure 2) is designed to help organizations:

  • Provide seamless access.
  • Facilitate collaboration.
  • Unlock IT efficiencies.
  • Enhance security and compliance.

Figure 2. Azure AD overview.

Azure AD also supports seamless collaboration (even on large-scale, complex projects) between Wrtsil and its contractors and partners. Azure AD B2B collaboration features ensure that access to shared resources is heavily protected. Azure AD has helped Wrtsil IT staffers save time and money, enabling Wrtsil to remain focused on serving their global customer base.

Securing an entire IT environment at a transportation firm

Throughout this series, we have discussed how Microsoft 365 Security services integrate well with the myriad IT solutions our customers utilize. However, some of our customers chose Microsoft 365 Security services to help secure their entire environment. HS1 Limited operates and maintains infrastructure for the high-speed railway connecting St. Pancras International Station in London and the Channel Tunnel, joining international high-speed routes between London, Paris, and Brussels, along with several domestic routes. The 50-person firm works with hundreds of counterparts and vendors, so security and collaboration are high priorities. Shawn Marcellin, IT and facilities manager at HS1 Limited needed a highly secure, collaborative solution without investing in a full datacenter and turned to Microsoft 365 E5. Marcellin adopted Microsoft 365 E5 for its advanced security features, including Windows Defender Advanced Threat Protection, Office 365 Advanced Threat Protection, and Office 365 Threat Intelligence. Identity management through Microsoft Azure Active Directory Premium P2 was another advantage of his choosing Microsoft 365 E5protecting data with Microsoft Cloud App Security and Office 365 Advanced Threat Protection. Marcellin is confident that the move to a total cloud-based, secure solution will continue to benefit HS1 Limited.

Figure 3. The entire Microsoft 365 Security reference architecture.

To learn more about how Microsoft security solutions fit together, read Cybersecurity Reference Architecture: Security for a Hybrid Enterprise.

Digging deeper

These are only a few examples of organizations using Microsoft 365 Security services to secure their extended or entire IT ecosystem. We encourage you to visit the Microsoft Secure site and learn more about the full scope of Microsoft 365 Security capabilities. Also, check out more customer stories to learn how organizations leverage Microsoft 365 Security.

To get started envisioning a plan, onboarding, and driving user adoption, go to FastTrack.microsoft.com, sign in with your subscription ID, and complete the Request for Assistance Form.

Thanks for reading this series. We hope you will try the services discussed in this blog to start benefitting from their capabilities, which include:

Read Full Article

Read for later

Articles marked as Favorite are saved for later viewing.
close
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Separate tags by commas
To access this feature, please upgrade your account.
Start your free month
Free Preview