Category Archives: Threat Protection

Operational resilience begins with your commitment to and investment in cyber resilience

Operational resilience cannot be achieved without a true commitment to and investment in cyber resilience. Global organizations need to reach the state where their core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, and cyber events if they are to weather such events.

To help increase stability and lessen the impact to their citizens, an increasing number of government entities have drafted regulations requiring the largest organizations to achieve a true state of operational resilience: where both individual organizations and their industry absorb and adapt to shocks, rather than contributing to them. There are many phenomena that have led to this increased governance, including high-profile cyberattacks like NotPetya, WannaCrypt, and the proliferation of ransomware.

The rise in nation state and cybercrime attacks focusing on critical infrastructure and financial sectors, and the rapid growth of tech innovation pervading more and more industries, join an alarming increase in severe natural disasters, an unstable global geopolitical environment, and global financial market instability on the list of threats organizations should prepare for.

Potential impact of cybercrime attacks

Taken individually, any of these events can cripple critical business and government operations. A lightning strike this summer caused the UK’s National Grid to suffer the biggest blackout in decades. It affected homes across the country, shut down traffic signals, and closed some of the busiest train stations in the middle of the Friday evening rush hour. With trains needing to be manually rebooted, the rhythm of everyday work life was disrupted. The impact of cybercrime attacks can be as significant, and often longer term.

NotPetya cost businesses more than $10 billion; pharmaceutical giant Merck put its bill at $870 million alone. For more than a week, the malware shut down cranes and security gates at Maersk shipping terminals, as well as most of the company’s IT network—from the booking site to systems handling cargo manifests. It took two months to rebuild all the software systems, and three months before all cargo in transit was tracked down—with recovery dependent on a single server having been accidently offline during the attack due to the power being cut off.

The combination of all these threats will cause disruption to businesses and government services on a scale that hasn’t been seen before. Cyber events will also undermine the ability to respond to other types of events, so they need to be treated holistically as part of planning and response.

Extending operational resiliency to cover your cybersecurity program should not mean applying different principles to attacks, outages, and third-party failures than you would to physical attacks and natural hazards. In all cases, the emphasis is on having plans in place to deliver essential services whatever the cause of the disruption. Organizations are responding by rushing to purchase cyber-insurance policies and increasing their spending on cybersecurity. I encourage them to take a step back and have a critical understanding of what those policies actually cover, and to target the investment, so the approach supports operational resilience.

As we continue to witness an unparalleled increase in cyber-related attacks, we should take note that a large majority of the attacks have many factors in common. At Microsoft, we’ve written at length on the controls that best position an organization to defend against and respond to a cyber event.

We must not stand still

The adversary is innovating and accelerating. We must continue to be vigilant and thorough in both security posture, which must be based on “defense in depth,” and in sophistication of response.

The cost of data breaches continues to rise; the global average cost of a data breach is $3.92 million according to the 2019 Ponemon Institute report. This is up 1.5 percent from 2018 and 12 percent higher than in 2014. These continually rising costs have helped galvanize global entities around the topic of operational resilience.

The Bank of England, in July 2018, published comprehensive guidelines on operational resilience that set a robust standard for rigorous controls across all key areas: technology, legal, communications, financial solvency, business continuity, redundancy, failover, governmental, and customer impact, as well as full understanding of what systems and processes underlie your business products and services.

This paper leaves very few stones unturned and includes a clear statement of my thesis—dealing with cyber risk is an important element of operational resilience and you cannot achieve operational resilience without achieving cyber resilience.

Imagine for a moment that your entire network, including all your backups, is impacted by a cyberattack, and you cannot complete even a single customer banking transaction. That’s only one target; it’s not hard to extrapolate from here to attacks that shut down stock trades, real estate transactions, fund transfers, even to attacks on critical infrastructure like healthcare, energy, water system operators. In the event of a major attack, all these essential services will be unavailable until IT systems are restored to at least a baseline of operations.

It doesn’t require professional cybersecurity expertise to understand the impact of shutting down critical services, which is why the new paradigm for cybersecurity must begin not with regulations but with a program to build cyber resilience. The long list of public, wide-reaching cyberattacks where the companies were compliant with required regulations, but still were breached, demonstrates why we can no longer afford to use regulatory requirements as the ultimate driver of cybersecurity.

While it will always be necessary to be fully compliant with regulations like GDPR, SOX, HIPAA, MAS, regional banking regulators, and any others that might be relevant to your industry, it simply isn’t sufficient for a mature cyber program to use this compliance as the only standard. Organizations must build a program that incorporates defense in depth and implements fundamental security controls like MFA, encryption, network segmentation, patching, and isolation and reduction of exceptions. We also must consider how our operations will continue after a catastrophic cyberattack and build systems that can both withstand attack and be instantaneously resilient even during such an attack. The Bank of England uses the mnemonic WAR: for withstand, absorb, recover.

The ability to do something as simple as restoring from recent backups will be tested in every ransomware attack, and many organizations will fail this test—not because they are not backing up their systems, but because they haven’t tested the quality of their backup procedures or practiced for a cyber event. Training is not enough. Operational resilience guidelines call for demonstrating that you have concrete measures in place to deliver resilient services and that both incident management and contingency plans have been tested. You’ll need to invest in scenario planning, tabletop exercises and red/blue team exercises that prove the rigor of your threat modeling and give practice in recovering from catastrophic cyber events.

Importance of a cyber recovery plan

Imagine, if you will, how negligent it would be for your organization to never plan and prepare for a natural disaster. A cyber event is the equivalent: the same physical, legal, operational, technological, human, and communication standards must apply to preparation, response, and recovery. We should all consider it negligence if we do not have a cyber recovery plan in place. Yet, while the majority of firms have a disaster recovery plan on paper, nearly a quarter never test that and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

Cybersecurity often focuses on defending against specific threats and vulnerabilities to mitigate cyber risk, but cyber resilience requires a more strategic and holistic view of what could go wrong and how your organization will address it as whole. The cyber events you’ll face are real threats, and preparing for them must be treated like any other form of continuity and disaster recovery. The challenges to building operational resilience have become more intense in an increasingly hostile cyber environment, and this preparation is a topic we will continue to address.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Operational resilience begins with your commitment to and investment in cyber resilience appeared first on Microsoft Security.

Foundations of Flow—secure and compliant automation, part 2

In part 1 of this series, we introduced you to Microsoft Flow, a powerful automation service already being used by many organizations across the world. Flow is designed to empower citizen developers while featuring capabilities sought for by professional developers. Flow is also a foundational element of the Microsoft Power Platform announced earlier this year.

More organizations are seeking automation solutions and there will be many options. As security professionals, you’ll have to recommend the service offering all the benefits of automation, while ensuring the organization remains secure and compliant. Flow is natively integrated with best-in-class authentication services, offers powerful data loss prevention and an enhanced IT experience ranging from broad visibility and control to automating IT functions, and is built on rigorous privacy and compliance standards. We’re confident that Flow will be the right choice for your organization, so let’s get started on showing you why.

Prioritized security for your users and data

Flow is seamlessly integrated with Azure Active Directory (Azure AD), one of the world’s most sophisticated, comprehensive, and secure identity and access management services. Azure AD helps secure the citizen developer by protecting against identity compromise, gives the IT admin/pro visibility and control, and offers additional security capabilities for the pro developer. Azure AD helps support the least privilege strategy, which we recommend for Flow users. Azure AD also follows a federated model, so organizations not directly using the service are still secure. Since authentication to Flow is via Azure AD, admins using its premium features can create conditional access policies which restrict user access to only the apps and data relevant for their role. Flow’s integration with Azure AD also enhances security for more experienced developers who can register applications with the service and leverage multiple authentication protocols, including the OAuth2 authorization framework to enable their code to access platform APIs (Figure 1). This access protection can also be extended to external users.

Screenshot of an authentication type being selected for a connector in Microsoft Flow.

Figure 1. Choosing authentication framework for custom Flow connector.

To experience the full benefits of automation and unlock the potential of an organization’s data, Flow offers 270+ connectors to services, including third-party services. Some connectors are even built for social media sites, such as Twitter (Figure 2). With so many integrations, there’s always the threat of data leakage or compromise. Imagine the scenario where a user mistakenly tweets sensitive data. To prevent these types of scenarios, Flow is supported by the Microsoft Data Loss Prevention (DLP) service.

Screenshot of the Microsoft Flow dashboard. A search has been conducted for "twitter."

Figure 2. Pre-built Flow templates offering automation between Twitter and several other applications.

Microsoft DLP protects data from being exposed and DLP polices can be easily created by administrators. DLP policies can be customized at the user, environment, or tenant level to ensure security is maintained without impact to productivity. These policies enforce rules of what connectors can be used together by classifying connectors as either “Business Data Only” or “No Business Data Allowed” (Figure 3). A connector can only be used with other connectors within its group. For example, a connector in the Business Data Only group can only be used with other connectors from that group. The default setting for all connectors is No Business Data Allowed.

Importantly, all data used by Flow is also encrypted during transit using HTTPS. As a security leader, you can feel reassured that Flow is designed to ensure your data is secured both at rest and in transit with strict enforcement. To learn more about strategies to create DLP polices for Flow connectors, check out our white paper.

Screenshot of data groups in the Microsoft Flow admin center.

Figure 3. Flow Admin center where you can create DLP policies to protect your sensitive while benefiting from the powerful automation capabilities offered with Flow.

Enhancing management of the IT environment

Flow includes the Flow management connector, which enables admins to automate several IT tasks. The management connecter offers 19 possible actions that can be automated—from creating and deleting Flows to more complex actions, such as modifying the owner of a Flow. The Flow management connector is versatile and can be combined with other connectors to automate several admin tasks, enhancing the efficiency of IT teams. For example, security admins can create a Flow combining the management connector with Azure AD, Microsoft Cloud App Security, Outlook, and Teams to quickly send automatic notifications via email or Teams anytime Cloud App Security generates an alert on suspicious activity (Figure 4). Other use cases could include a notification when a new app is created, automatically updating user permissions based on role changes, or tracking when custom connectors are created in your environment.

Screenshot of the Flow template using the management connecter, Azure AD, Cloud App Security, Outlook, and Teams.

Figure 4. Flow template using the management connecter, Azure AD, Cloud App Security, Outlook, and Teams.

Visibility of activity logs

Many of Flow’s current users are also Office 365 users. As such, Flow event logs are available in the Office 365 Security & Compliance Center. By surfacing activity logs in the Security & Compliance Center, admins gain visibility into which users are creating Flows, if Flows are being shared, as well as which connectors are being used (Figure 5). The activity data is retained for 90 days and can be easily exported in CSV format for further analysis. The event logs surface in the Security & Compliance Center within 90 minutes of the event taking place. Admins also gain insight on which users are using paid versus trial licenses in the Security & Compliance Center.

Screenshot of Microsoft Flow activities accessed through the Office 365 Security & Compliance Center.

Figure 5. Microsoft Flow activities accessed through the Office 365 Security & Compliance Center.

Strict on data privacy and regulatory requirements

Flow adheres to Microsoft’s strict standards of privacy and protection of customer data. These policies prohibit customer data from being mined for marketing or advertising. Microsoft personnel and subcontractors are also restricted from accessing customer data and we carefully define requirements for responding to government requests for customer data. Microsoft also complies with international data protection laws regarding transfers of customer data across borders.

Microsoft Flow is also certified for many global, government, industrial, and regional compliance regulations. You can see the full list of Microsoft certifications, while Table 1 summarizes the certifications specifically covered by Flow.

Global Government Industry Regional
CSA-STAR-Attestation UK G-Cloud HIPAA/HITECH EU-Model-Clauses
CSA-Star-Certification HITRUST
ISO 27001 PCI DSS
ISO 27018
ISO 9001

Table 1. Flow’s existing certifications.

Let Flow enhance your digital transformation

Let your organization start benefiting from one of the most powerful and secure automation services available on the market. Watch the video and follow the instructions to get started with Flow. Be sure to join the growing Flow community and participate in discussions, provide insights, and even influence product roadmap. Also follow the Flow blog to get news on the latest Flow updates and read our white paper on best practices for deploying Flow in your organization. Be sure to check out part 1, where we provide a quick intro into Flow and dive into its best-in-class, secure infrastructure.

Additional resources

The post Foundations of Flow—secure and compliant automation, part 2 appeared first on Microsoft Security.

Automated incident response in Office 365 ATP now generally available

Security teams responsible for investigating and responding to incidents often deal with a massive number of signals from widely disparate sources. As a result, rapid and efficient incident response continues to be the biggest challenge facing security teams today. The sheer volume of these signals, combined with an ever-growing digital estate of organizations, means that a lot of critical alerts miss getting the timely attention they deserve. Security teams need help to scale better, be more efficient, focus on the right issues, and deal with incidents in a timely manner.

This is why I’m excited to announce the general availability of Automated Incident Response in Office 365 Advanced Threat Protection (ATP). Applying these powerful automation capabilities to investigation and response workflows can dramatically improve the effectiveness and efficiency of your organization’s security teams.

A day in the life of a security analyst

To give you an idea of the complexity that security teams deal with in the absence of automation, consider the following typical workflow that these teams go through when investigating alerts:

Infographic showing these steps: Alert, Analyze, Investigate, Assess impact, Contain, and Respond.

And as they go through this flow for every single alert—potentially hundreds in a week—it can quickly become overwhelming. In addition, the analysis and investigation often require correlating signals across multiple different systems. This can make effective and timely response very difficult and costly. There are just too many alerts to investigate and signals to correlate for today’s lean security teams.

To address these challenges, earlier this year we announced the preview of powerful automation capabilities to help improve the efficiency of security teams significantly. The security playbooks we introduced address some of the most common threats that security teams investigate in their day-to-day jobs and are modeled on their typical workflows.

This story from Ithaca College reflects some of the feedback we received from customers of the preview of these capabilities, including:

“The incident detection and response capabilities we get with Office 365 ATP give us far more coverage than we’ve had before. This is a really big deal for us.”
—Jason Youngers, Director and Information Security Officer, Ithaca College

Two categories of automation now generally available

Today, we’re announcing the general availability of two categories of automation—automatic and manually triggered investigations:

  1. Automatic investigations that are triggered when alerts are raisedAlerts and related playbooks for the following scenarios are now available:
    • User-reported phishing emails—When a user reports what they believe to be a phishing email, an alert is raised triggering an automatic investigation.
    • User clicks a malicious link with changed verdict—An alert is raised when a user clicks a URL, which is wrapped by Office 365 ATP Safe Links, and is determined to be malicious through detonation (change in verdict). Or if the user clicks through the Office 365 ATP Safe Links warning pages an alert is also raised. In both cases, the automated investigation kicks in as soon as the alert is raised.
    • Malware detected post-delivery (Malware Zero-Hour Auto Purge (ZAP))—When Office 365 ATP detects and/or ZAPs an email with malware, an alert triggers an automatic investigation.
    • Phish detected post-delivery (Phish ZAP)—When Office 365 ATP detects and/or ZAPs a phishing email previously delivered to a user’s mailbox, an alert triggers an automatic investigation.
  1. Manually triggered investigations that follow an automated playbook—Security teams can trigger automated investigations from within the Threat Explorer at any time for any email and related content (attachment or URLs).

Rich security playbooks

In each of the above cases, the automation follows rich security playbooks. These playbooks are essentially a series of carefully logged steps to comprehensively investigate an alert and offer a set of recommended actions for containment and mitigation. They correlate similar emails sent or received within the organization and any suspicious activities for relevant users. Flagged activities for users might include mail forwarding, mail delegation, Office 365 Data Loss Prevention (DLP) violations, or suspicious email sending patterns.

In addition, aligned with our Microsoft Threat Protection promise, these playbooks also integrate with signals and detections from Microsoft Cloud App Security and Microsoft Defender ATP. For instance, anomalies detected by Microsoft Cloud App Security are ingested as part of these playbooks. And the playbooks also trigger device investigations with Microsoft Defender ATP (for malware playbooks) where appropriate.

Let’s look at each of these automation scenarios in detail:

User reports a phishing email—This represents one of the most common flows investigated today. The alert is raised when a user reports a phish email using the Report message add-in in Outlook or Outlook on the web and triggers an automatic investigation using the User Reported Message playbook.

Screenshot of a phishing email being investigated.

User clicks on a malicious linkA very common vector used by attackers is to weaponize a link after delivery of an email. With Office 365 ATP Safe Links protection, we can detect such attacks when links are detonated at time-of-click. A user clicking such links and/or overriding the Safe Links warning pages is at risk of compromise. The alert raised when a malicious URL is clicked triggers an automatic investigation using the URL verdict change playbook to correlate any similar emails and any suspicious activities for the relevant users across Office 365.

Image of a clicked URL being assigned as malicious.

Email messages containing malware removed after delivery—One of the critical pillars of protection in Office 365 Exchange Online Protection (EOP) and Office 365 ATP is our capability to ZAP malicious emails. Email messages containing malware removed after delivery alert trigger an investigation into similar emails and related user actions in Office 365 for the period when the emails were present in a user’s inbox. In addition, the playbook also triggers an investigation into the relevant devices for the users by leveraging the native integration with Microsoft Defender ATP.

Screenshot showing malware being zapped.

Email messages containing phish removed after deliveryWith the rise in phishing attack vectors, Office 365 EOP and Office 365 ATP’s ability to ZAP malicious emails detected after delivery is a critical protection feature. The alert raised triggers an investigation into similar emails and related user actions in Office 365 for the period when the emails were present in a user’s inbox and also evaluates if the user clicked any of the links.

Screenshot of a phish URL being zapped.

Automated investigation triggered from within the Threat Explorer—As part of existing hunting or security operations workflows, Security teams can also trigger automated investigations on emails (and related URLs and attachments) from within the Threat Explorer. This provides Security Operations (SecOps) a powerful mechanism to gain insights into any threats and related mitigations or containment recommendations from Office 365.

Screenshot of an action being taken in the Office 365 Security and Compliance dash. An email is being investigated.

Try out these capabilities

Based on feedback from our public preview of these automation capabilities, we extended the Office 365 ATP events and alerts available in the Office 365 Management API to include links to these automated investigations and related artifacts. This helps security teams integrate these automation capabilities into existing security workflow solutions, such as SIEMs.

These capabilities are available as part of the following offerings. We hope you’ll give it a try.

Bringing SecOps efficiency by connecting the dots between disparate threat signals is a key promise of Microsoft Threat Protection. The integration across Microsoft Threat Protection helps bring broad and valuable insights that are critical to the incident response process. Get started with a Microsoft Threat Protection trial if you want to experience the comprehensive and integrated protection that Microsoft Threat Protection provides.

The post Automated incident response in Office 365 ATP now generally available appeared first on Microsoft Security.

Deep learning rises: New methods for detecting malicious PowerShell

Scientific and technological advancements in deep learning, a category of algorithms within the larger framework of machine learning, provide new opportunities for development of state-of-the art protection technologies. Deep learning methods are impressively outperforming traditional methods on such tasks as image and text classification. With these developments, there’s great potential for building novel threat detection methods using deep learning.

Machine learning algorithms work with numbers, so objects like images, documents, or emails are converted into numerical form through a step called feature engineering, which, in traditional machine learning methods, requires a significant amount of human effort. With deep learning, algorithms can operate on relatively raw data and extract features without human intervention.

At Microsoft, we make significant investments in pioneering machine learning that inform our security solutions with actionable knowledge through data, helping deliver intelligent, accurate, and real-time protection against a wide range of threats. In this blog, we present an example of a deep learning technique that was initially developed for natural language processing (NLP) and now adopted and applied to expand our coverage of detecting malicious PowerShell scripts, which continue to be a critical attack vector. These deep learning-based detections add to the industry-leading endpoint detection and response capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

Word embedding in natural language processing

Keeping in mind that our goal is to classify PowerShell scripts, we briefly look at how text classification is approached in the domain of natural language processing. An important step is to convert words to vectors (tuples of numbers) that can be consumed by machine learning algorithms. A basic approach, known as one-hot encoding, first assigns a unique integer to each word in the vocabulary, then represents each word as a vector of 0s, with 1 at the integer index corresponding to that word. Although useful in many cases, the one-hot encoding has significant flaws. A major issue is that all words are equidistant from each other, and semantic relations between words are not reflected in geometric relations between the corresponding vectors.

Contextual embedding is a more recent approach that overcomes these limitations by learning compact representations of words from data under the assumption that words that frequently appear in similar context tend to bear similar meaning. The embedding is trained on large textual datasets like Wikipedia. The Word2vec algorithm, an implementation of this technique, is famous not only for translating semantic similarity of words to geometric similarity of vectors, but also for preserving polarity relations between words. For example, in Word2vec representation:

Madrid – Spain + Italy ≈ Rome

Embedding of PowerShell scripts

Since training a good embedding requires a significant amount of data, we used a large and diverse corpus of 386K distinct unlabeled PowerShell scripts. The Word2vec algorithm, which is typically used with human languages, provides similarly meaningful results when applied to PowerShell language. To accomplish this, we split the PowerShell scripts into tokens, which then allowed us to use the Word2vec algorithm to assign a vectorial representation to each token .

Figure 1 shows a 2-dimensional visualization of the vector representations of 5,000 randomly selected tokens, with some tokens of interest highlighted. Note how semantically similar tokens are placed near each other. For example, the vectors representing -eq, -ne and -gt, which in PowerShell are aliases for “equal”, “not-equal” and “greater-than”, respectively, are clustered together. Similarly, the vectors representing the allSigned, remoteSigned, bypass, and unrestricted tokens, all of which are valid values for the execution policy setting in PowerShell, are clustered together.

Figure 1. 2D visualization of 5,000 tokens using Word2vec

Examining the vector representations of the tokens, we found a few additional interesting relationships.

Token similarity: Using the Word2vec representation of tokens, we can identify commands in PowerShell that have an alias. In many cases, the token closest to a given command is its alias. For example, the representations of the token Invoke-Expression and its alias IEX are closest to each other. Two additional examples of this phenomenon are the Invoke-WebRequest and its alias IWR, and the Get-ChildItem command and its alias GCI.

We also measured distances within sets of several tokens. Consider, for example, the four tokens $i, $j, $k and $true (see the right side of Figure 2). The first three are usually used to represent a numeric variable and the last naturally represents a Boolean constant. As expected, the $true token mismatched the others – it was the farthest (using the Euclidean distance) from the center of mass of the group.

More specific to the semantics of PowerShell in cybersecurity, we checked the representations of the tokens: bypass, normal, minimized, maximized, and hidden (see the left side of Figure 2). While the first token is a legal value for the ExecutionPolicy flag in PowerShell, the rest are legal values for the WindowStyle flag. As expected, the vector representation of bypass was the farthest from the center of mass of the vectors representing all other four tokens.

Figure 2. 3D visualization of selected tokens

Linear Relationships: Since Word2vec preserves linear relationships, computing linear combinations of the vectorial representations results in semantically meaningful results. Below are a few interesting relationships we found:

high – $false + $true ≈’ low
‘-eq’ – $false + $true ‘≈ ‘-neq’
DownloadFile – $destfile + $str ≈’ DownloadString ‘
Export-CSV’ – $csv + $html ‘≈ ‘ConvertTo-html’
‘Get-Process’-$processes+$services ‘≈ ‘Get-Service’

In each of the above expressions, the sign ≈ signifies that the vector on the right side is the closest (among all the vectors representing tokens in the vocabulary) to the vector that is the result of the computation on the left side.

Detection of malicious PowerShell scripts with deep learning

We used the Word2vec embedding of the PowerShell language presented in the previous section to train deep learning models capable of detecting malicious PowerShell scripts. The classification model is trained and validated using a large dataset of PowerShell scripts that are labeled “clean” or “malicious,” while the embeddings are trained on unlabeled data. The flow is presented in Figure 3.

Figure 3 High-level overview of our model generation process

Using GPU computing in Microsoft Azure, we experimented with a variety of deep learning and traditional ML models. The best performing deep learning model increases the coverage (for a fixed low FP rate of 0.1%) by 22 percentage points compared to traditional ML models. This model, presented in Figure 4, combines several deep learning building blocks such as Convolutional Neural Networks (CNNs) and Long Short-Term Memory Recurrent Neural Networks (LSTM-RNN). Neural networks are ML algorithms inspired by biological neural systems like the human brain. In addition to the pretrained embedding described here, the model is provided with character-level embedding of the script.

Figure 4 Network architecture of the best performing model

Real-world application of deep learning to detecting malicious PowerShell

The best performing deep learning model is applied at scale using Microsoft ML.Net technology and ONNX format for deep neural networks to the PowerShell scripts observed by Microsoft Defender ATP through the AMSI interface. This model augments the suite of ML models and heuristics used by Microsoft Defender ATP to protect against malicious usage of scripting languages.

Since its first deployment, this deep learning model detected with high precision many cases of malicious and red team PowerShell activities, some undiscovered by other methods. The signal obtained through PowerShell is combined with a wide range of ML models and signals of Microsoft Defender ATP to detect cyberattacks.

The following are examples of malicious PowerShell scripts that deep learning can confidently detect but can be challenging for other detection methods:

Figure 5. Heavily obfuscated malicious script

Figure 6. Obfuscated script that downloads and runs payload

Figure 7. Script that decrypts and executes malicious code

Enhancing Microsoft Defender ATP with deep learning

Deep learning methods significantly improve detection of threats. In this blog, we discussed a concrete application of deep learning to a particularly evasive class of threats: malicious PowerShell scripts. We have and will continue to develop deep learning-based protections across multiple capabilities in Microsoft Defender ATP.

Development and productization of deep learning systems for cyber defense require large volumes of data, computations, resources, and engineering effort. Microsoft Defender ATP combines data collected from millions of endpoints with Microsoft computational resources and algorithms to provide industry-leading protection against attacks.

Stronger detection of malicious PowerShell scripts and other threats on endpoints using deep learning mean richer and better-informed security through Microsoft Threat Protection, which provides comprehensive security for identities, endpoints, email and data, apps, and infrastructure.

 

Shay Kels and Amir Rubin
Microsoft Defender ATP team

 

Additional references:

The post Deep learning rises: New methods for detecting malicious PowerShell appeared first on Microsoft Security.

Improve security and simplify operations with Windows Defender Antivirus + Morphisec

My team at Morphisec (a Microsoft Intelligent Security Association (MISA) partner) often talks with security professionals who are well-informed about the latest cyberthreats and have a longterm security strategy. The problem many of them face is how to create a stronger endpoint stack with limited resources. Towne Properties is a great example. We recently helped them simplify operations and increase endpoint security with Windows Defender Antivirus and Morphisec for advanced threat prevention.

The challenge: increase endpoint security and simplify operations

Towne Properties is a leading commercial and residential property management company in the Midwest. Our customer, Bill Salyers, the IT Director at Towne Properties, recently migrated the company to Windows 10 to adopt its embedded security features, including Windows Defender Antivirus. Yet he remained concerned about advanced zero-day attacks that bypass antivirus solutions and cause damage to the firm and its clients.

When we met Bill, Towne Properties used a commercial third-party antivirus. The product protects against known attacks, but it didn’t prevent zero-day, evasive memory attacks, which are increasing at a rapid rate. Bill needed to address this gap in his endpoint protection but couldn’t deploy another security detection tool given the lean composition of his security team. They just didn’t have the resources and bandwidth to manage another tool. Bill required better endpoint protection and simplified operations.

“At Towne, our goal is to make our endpoints as secure as possible from advanced threats, while simplifying our environment and maintaining fixed budgets.”
—Bill Salyers, IT Director, Towne Properties

Windows Defender Antivirus provides built-in endpoint protection

When we learned that Towne Properties needed a lightweight solution that would improve endpoint protection, we reintroduced Bill to Windows Defender Antivirus. Built into Windows 10, Windows Defender Antivirus protects endpoints against known software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.

Bill performed a thorough evaluation of Windows Defender Antivirus and was thrilled to find that it compared favorably in terms of efficacy and capabilities to their incumbent third-party antivirus. With no installation required or new interface to learn, his team was able to quickly eliminate a third-party tool and reduce their total cost of ownership (TCO).

“Windows Defender Antivirus met all our requirements at no incremental cost. We replaced our third-party antivirus without sacrifice.”
—Bill Salyers, IT Director, Towne Properties

Screenshot of the Morphisec Moving Target Defense dashboard.

Morphisec adds a new layer of prevention

The money Bill saved dropping the third-party antivirus gave him more flexibility to address zero-days and memory-based attacks. He invested in Morphisec, which is based on their highly innovative Moving Target Defense technology. Morphisec Moving Target Defense stops unknown attacks by morphing critical assets to make them inaccessible to the adversary and killing the attack pre-execution. Morphisec is integrated with Windows Defender Antivirus and extends Towne Properties’ endpoint protection to include zero-days, advanced memory-based threats, malicious documents, and browser-based attacks. It’s lightweight and easy to manage, which is important to Bill. The integration with Windows Defender Antivirus allowed Towne to achieve both better protection and simpler operational management with visibility through a single pane of glass.

Infographic which reads: Endpoint Application; Keyless, one-way randomization each time an application loads; application memory (both original and morphed).

Figure 1: As an application loads to the memory space, Morphisec morphs the process structures, making the memory constantly unpredictable to attackers (Source: Morphisec website).

Infographic which reads: Endpoint Application; Malicious code injection; legitimate code runs seamlessly with the morphed application structure; call to original resources exposes and traps the attack; Skeleton/Trap; and Application memory (morphed).

Figure 2: Legitimate application code memory is dynamically updated to use the morphed resources; applications load and run as usual while a skeleton of the original structure is left as a trap. Attacks target the original structure, fail to execute, and are trapped.

“We chose Morphisec because Moving Target Defense’s highly innovative approach prevents the most dangerous unknown memory-based attacks.”
—Bill Salyers, IT Director, Towne Properties

The Morphisec and Microsoft partnership supports Towne Properties’ cybersecurity roadmap

One reason Bill and his management team were so enthusiastic about Morphisec and Windows Defender Antivirus is because it supports their overall security plan. Towne Properties is a Microsoft shop aligned with the Microsoft cybersecurity strategy. Morphisec also integrates with Microsoft Defender Advanced Threat Protection (ATP), which allows Towne Properties to seamlessly chart their Microsoft and Morphisec journey.

“It was also important to learn how Microsoft has partnered closely with Morphisec. Morphisec integrates with Microsoft Defender ATP, giving us high confidence to continue down the Microsoft and Morphisec journey.”
—Justin Hall, Security Specialist, Towne Properties

Windows Defender Antivirus and Morphisec Moving Target Defense are better together

Windows Defender Antivirus and Morphisec Moving Target Defense offer the following features:

Windows Defender Antivirus:

  • Delivers leading machine learning and behavior-based antimalware and threat protection.
  • Is built into Windows 10 at no additional cost.
  • Requires no installation—just turn on features in Windows 10.

Morphisec Moving Target Defense:

  • Delivers an entirely new layer of deterministic prevention against the most advanced and most damaging threats to the enterprise, including unknown attacks, zero-days, ransomware, evasive fileless attacks, and web-borne attacks.
  • Simple to manage and extremely lightweight with zero impact on operations.
  • Virtually patches vulnerabilities.
  • Integrates with Microsoft Defender ATP to visualize attacks prevented by Morphisec and incorporate threats identified by Morphisec in the Microsoft Defender ATP dashboard.

Morphisec + Microsoft:

  • Provides superior endpoint protection at an affordable cost.
  • Is simple to deploy, manage, and maintain.

“Morphisec with Windows Defender Antivirus offers a truly set it and forget it solution. Morphisec’s lightweight design coupled with Windows Defender Antivirus provides strong endpoint security, the best value, and a simpler operational environment.”
—Bill Salyers, IT Director, Towne Properties

Learn more

The post Improve security and simplify operations with Windows Defender Antivirus + Morphisec appeared first on Microsoft Security.

One simple action you can take to prevent 99.9 percent of attacks on your accounts

There are over 300 million fraudulent sign-in attempts to our cloud services every day. Cyberattacks aren’t slowing down, and it’s worth noting that many attacks have been successful without the use of advanced technology. All it takes is one compromised credential or one legacy application to cause a data breach. This underscores how critical it is to ensure password security and strong authentication. Read on to learn about common vulnerabilities and the single action you can take to protect your accounts from attacks.

Animated image showing the number of malware attacks and data breaches organizations face every day. 4,000 daily ransomware attacks. 300,000,000 fraudulent sign-in attempts. 167,000,000 daily malware attacks. 81% of breaches are caused by credential theft. 73% of passwords are duplicates. 50% of employees use apps that aren't approved by the enterprise. 99.9% of attacks can be blocked with multi-factor authentication.

Common vulnerabilities

In a recent paper from the SANS Software Security Institute, the most common vulnerabilities include:

  • Business email compromise, where an attacker gains access to a corporate email account, such as through phishing or spoofing, and uses it to exploit the system and steal money. Accounts that are protected with only a password are easy targets.
  • Legacy protocols can create a major vulnerability because applications that use basic protocols, such as SMTP, were not designed to manage Multi-Factor Authentication (MFA). So even if you require MFA for most use cases, attackers will search for opportunities to use outdated browsers or email applications to force the use of less secure protocols.
  • Password reuse, where password spray and credential stuffing attacks come into play. Common passwords and credentials compromised by attackers in public breaches are used against corporate accounts to try to gain access. Considering that up to 73 percent of passwords are duplicates, this has been a successful strategy for many attackers and it’s easy to do.

What you can do to protect your company

You can help prevent some of these attacks by banning the use of bad passwords, blocking legacy authentication, and training employees on phishing. However, one of the best things you can do is to just turn on MFA. By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access. To learn more, read Your Pa$$word doesn’t matter.

MFA is easier than you think

According to the SANS Software Security Institute there are two primary obstacles to adopting MFA implementations today:

  1. Misconception that MFA requires external hardware devices.
  2. Concern about potential user disruption or concern over what may break.

Matt Bromiley, SANS Digital Forensics and Incident Response instructor, says, “It doesn’t have to be an all-or-nothing approach. There are different approaches your organization could use to limit the disruption while moving to a more advanced state of authentication.” These include a role-based or by application approach—starting with a small group and expanding from there. Bret Arsenault shares his advice on transitioning to a passwordless model in Preparing your enterprise to eliminate passwords.

Take a leap and go passwordless

Industry protocols such as WebAuthn and CTAP2, ratified in 2018, have made it possible to remove passwords from the equation altogether. These standards, collectively known as the FIDO2 standard, ensure that user credentials are protected end-to-end and strengthen the entire security chain. The use of biometrics has become more mainstream, popularized on mobile devices and laptops, so it’s a familiar technology for many users and one that is often preferred to passwords anyway. Passwordless authentication technologies are not only more convenient for people but are extremely difficult and costly for hackers to compromise. Learn more about Microsoft passwordless authentication solutions in a variety of form factors to meet user needs.

Convince your boss

Download the SANS white paper Bye Bye Passwords: New Ways to Authenticate to read more on guidance for companies ready to take the next step to better protect their environments from password risk. Remember, talk is easy, action gets results!

The post One simple action you can take to prevent 99.9 percent of attacks on your accounts appeared first on Microsoft Security.