[SANS ISC] Comment your Packet Captures!

I published the following diary on isc.sans.org: “Comment your Packet Captures!“:

When you are investigating a security incident, a key element is to take notes and to document as much as possible. There is no “best” way to take notes, some people use electronic solutions while others are using good old paper and pencil. Just keep in mind: it must be properly performed if your notes will be used as evidence later… With investigations, there are also chances to you will have to deal with packet captures… [Read more]

 

[The post [SANS ISC] Comment your Packet Captures! has been first published on /dev/random]

from Xavier

Advertisements

Azure Backup offers several mechanisms to protect against ransomware

The start of a new year is the perfect time to reassess your security strategy and tactics especially when looking back at the new levels of ransomwares reach and damage in 2017.

Its no secret that ransomware attacks are increasing. In fact, a business is hit with ransomware every 40 seconds. If ransomware does get a hold of your data, you can pay a large amount of money hoping that you will get your data back. The alternative is to not pay anything and begin your recovery process. Whether you pay the ransom or not, your enterprise loses time and resources dealing with the aftermath. Microsoft invests in several ways to help you mitigate the effects of ransomware.

For example, in the Windows 10 Fall Creators Update, Windows Defender Exploit Guard has a feature that prevents unauthorized access to important files. The feature, controlled folder access, works with Windows Defender Advanced Threat Protection. All applications are assessed, which includes any executable file, including .exe, .scr, .dll files and others, and determineif they are malicious or safe. If an application is determined to be malicious or suspicious, it will not be allowed to make any changes to any files in a protected folder. In cases of ransomware, this helps protect files from attempted encryption by the malware. As malware becomes increasingly more sophisticated, older platforms are much more susceptible to ransomware attacks. Windows 10 has several defenses against ransomware that could help in case of a future attack.

One area to reconsider is your current backup policy and the potential outcomes to your business if your backup data is compromised by ransomware.

With Azure Backup, we are changing the ransomware story. You, not ransomware, are in control of your data. Azure Backup gives you three ways you can proactively protect your data in Azure and on-premises from ransomware. The first step is to back up your data. You need to back up virtual machines running in Azure and on-premises virtual machines, physical services, and files to Azure. If your on-premises data is compromised, youll have several copies of your data in Azure. This gives you the flexibly to restore your data back to a specific period in time and keep your business moving forward.

Next, you can set up a six-digit PIN directly from the Azure portal as an additional layer of protection for your Azure Backups. Only users with valid Azure credentials can then create and receive this security PIN required to be entered before any backup operation is performed.

Finally, Azure Backup provides just-in-time notifications to alert you to potential ransomware attacks. If a suspicious activity is attempted with your backups, a notification is immediately sent to you to get involved before ransomware has the chance.

If you are an IT professional, you can get started today by creating a free Azure Backup account. For more information on how Azure Backup protects against ransomware, check out our interactive infographic.

Microsoft is committed to helping you protect against and respond to evolving attacks. To learn more about other Microsoft security solutions, visit https://www.microsoft.com/secure.


  • Kaspersky Security Bulletin 2016

from Microsoft Secure Blog Staff

[SANS ISC] Mining or Nothing!

I published the following diary on isc.sans.org: “Mining or Nothing!“:

Cryptocurrencies mining has been a trending attack for a few weeks. Our idling CPUs are now targeted by bad guys who are looked to generate some extra revenue by abusing our resources. Other fellow handlers already posted diaries about this topic. Renato found a campaign based on a WebLogic exploit[1] and Jim detected a peak of activity on port 3333[2]… [Read more]

[The post [SANS ISC] Mining or Nothing! has been first published on /dev/random]

from Xavier

How to disrupt attacks caused by social engineering

This post is authored by Milad Aslaner, Senior Program Manager, Windows & Devices Group.

A decade ago, most cyber-attacks started with a piece of malware or a complex method to directly attack the infrastructure of a company. But this picture has changed and today all it takes is a sophisticated e-mail phishing for an identity.

Figure 1: Trying to identify a loophole in the complex infrastructure

Digitalization is happening and there is no way around it. Its a necessity for all industries and a natural evolutionary step in society. Its not about when or if digital transformation is happening, but how. Our Microsoft security approach is targeted to enable a secure digital transformation. We achieve that by enabling our customers to protect, detect and respond to cybercrime.

The art of social engineering is nothing new itself and was already present in the age where broadband connections didnt even exist. At that time, we used to call these kinds of threat actors not hackers but con men. Frank Abagnale, Senior Consultant at Abagnale & Associates once said In the old days, a con man would be good looking, suave, well dressed, well-spoken and presented themselves really well. Those days are gone because it’s not necessary. The people committing these crimes are doing them from hundreds of miles away.

Threat actor groups such as STRONTIUM are nothing else than a group of modern con men. They follow the same approach as traditional con men, but they do it in the digital world. They prefer this approach because it has become easier to send a sophisticated phishing email than to find a new loophole or vulnerability allowing them to access critical infrastructure directly.

Figure 2: Example of a STRONTIUM phishing email

Keith A. Rhodes, Chief Technologist at the U.S. General Account Office says, There’s always the technical way to break into a network but sometimes it’s easier to go through the people in the company. You just fool them into giving up their own security.”

According to the Verizon data breach investigation report from 2016, 30 percent of phishing emails were opened. It took a recipient an average of only 40 seconds to open the email and an additional 45 seconds to also open the malicious attachment. 89 percent of all phishing emails were sent by organized crime syndicates and 9 percent by state-sponsored threat actors.

Figure 3: Verizon Data Breach Report 2016

The weakest link remains the human. But while some could argue and say the user is to blame, the reality is that many of the targeted phishing emails are so sophisticated that it is impossible for the average user to notice the difference between a malicious and a legitimate email.

Figure 4: Example phishing emails that look legitimate at first look

Preparing a phishing email can take only a few minutes. First, the threat actors crawl social and professional networks and find as much personal information about the victim as possible. This could include organizational charts, sample corporate documents, common email headlines, pictures of the employee badge and more. There are professional tools available that pull much of this information from public or leaked databases. In fact, if needed, the threat actor can purchase the information from the dark web. For example, one million compromised email and passwords can be traded for approximately $25, bank account logins can be traded for $1 per account, and social security numbers cost approximately $3, including birth date verification. Second, the threat actor prepares an e-mail template that will look familiar to the recipient, such as for example a password reset email, and lastly, they will send it to the user.

Social engineering has become a very powerful way for many threat actors and depending on the objective of the threat actors they either leverage computer-based, mobile-based, or human-based social engineering.

Figure 5: Stages of a phishing attack

  • Phase 1: Threat actor targets employee(s) via phishing campaign
  • Phase 2: An employee opens the attack email which allows the threat actor access to load the malicious payload or compromise the user identity
  • Phase 3: The workstation is compromised, threat actor persists malware, threat actor gathers credentials
  • Phase 4: Threat actors use stolen credentials to move laterally and gain unsolicited access and compromise key infrastructure elements
  • Phase 5: Threat actors exfiltrate PII and other sensitive business data

The built-in functionality of Enterprise Mobility + Security, Windows 10, Office 365, and Microsoft Azure enables organizations to disrupt these attacks. Below is a visualization allowing you to quickly understand which functionality helps in which phase:

Today, the entry level for threat actors to launch a cyber-attack is very low, therefore, it is critical that cybersecurity is a CEO matter. Organizations need to move away from We have a firewall, anti-virus, and disk encryption technology so we are secure mentality to a cyber-attacks will happen, therefore we can no longer only focus on building walls but also become able to detect and responds breaches quickly mindset. Assuming breach is key. It doesnt matter how large or in which industry an organization is, every company has data that can be valuable for a threat actor or in some cases even a nation-state.

A consistent approach to information security is critical in today’s world. It includes having the right incident response processes in place, technologies that help protect, detect and respond cyber-attacks and lastly IT and end-user readiness.

For more information about Microsoft security products and solutions, as well as resources to help you with your security strategy, visit https://www.microsoft.com/secure.

from Microsoft Secure Blog Staff

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

Adopting reliable attack methods and techniques borrowed from more evolved threat types, ransomware attained new levels of reach and damage in 2017. The following trends characterize the ransomware narrative in the past year:

  • Three global outbreaks showed the force of ransomware in making real-world impact, affecting corporate networks and bringing down critical services like hospitals, transportation, and traffic systems
  • Three million unique computers encountered ransomware; millions more saw downloader trojans, exploits, emails, websites and other components of the ransomware kill chain
  • New attack vectors, including compromised supply chain, exploits, phishing emails, and documents taking advantage of the DDE feature in Office were used to deliver ransomware
  • More than 120 new ransomware families, plus countless variants of established families and less prevalent ransomware caught by heuristic and generic detections, emerged from a thriving cybercriminal enterprise powered by ransomware-as-a-service

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices. Considering that Windows 10 has a much larger install base than Windows 7, this difference in ransomware encounter rate is significant.

Figure 1. Ransomware encounter rates on Windows 7 and Windows 10 devices. Encounter rate refers to the percentage of computers running the OS version with Microsoft real-time security that blocked or detected ransomware.

The data shows that attackers are targeting Windows 7. Given todays modern threats, older platforms can be infiltrated more easily because these platforms dont have the advanced built-in end-to-end defense stack available on Windows 10. Continuous enhancements further make Windows 10 more resilient to ransomware and other types of attack.

Windows 10: Multi-layer defense against ransomware attacks

The year 2017 saw three global ransomware outbreaks driven by multiple propagation and infection techniques that are not necessarily new but not typically observed in ransomware. While there are technologies available on Windows 7 to mitigate attacks, Windows 10s comprehensive set of platform mitigations and next-generation technologies cover these attack methods. Additionally, Windows 10 S, which is a configuration of Windows 10 thats streamlined for security and performance, locks down devices against ransomware outbreaks and other threats.

In May, WannaCry (Ransom:Win32/WannaCrypt) caused the first global ransomware outbreak. It used EternalBlue, an exploit for a previously fixed SMBv1 vulnerability, to infect computers and spread across networks at speeds never before observed in ransomware.

On Windows 7, Windows AppLocker and antimalware solutions like Microsoft Security Essentials and System Center Endpoint Protection (SCEP) can block the infection process. However, because WannaCry used an exploit to spread and infect devices, networks with vulnerable Windows 7 devices fell victim. The WannaCry outbreak highlighted the importance of keeping platforms and software up-to-date, especially with critical security patches.

Windows 10 was not at risk from the WannaCry attack. Windows 10 has security technologies that can block the WannaCry ransomware and its spreading mechanism. Built-in exploit mitigations on Windows 10 (KASLR, NX HAL, and PAGE POOL), as well as kCFG (control-flow guard for kernel) and HVCI (kernel code-integrity), make Windows 10 much more difficult to exploit.

Figure 2. Windows 7 and Windows 10 platform defenses against WannaCry

In June, Petya (Ransom:Win32/Petya.B) used the same exploit that gave WannaCry its spreading capabilities, and added more propagation and infection methods to give birth to arguably the most complex ransomware in 2017. Petyas initial infection vector was a compromised software supply chain, but the ransomware quickly spread using the EternalBlue and EternalRomance exploits, as well as a module for lateral movement using stolen credentials.

On Windows 7, Windows AppLocker can stop Petya from infecting the device. If a Windows 7 device is fully patched, Petyas exploitation behavior did not work. However, Petya also stole credentials, which it then used to spread across networks. Once running on a Windows 7 device, only an up-to-date antivirus that had protection in place at zero hour could stop Petya from encrypting files or tampering with the master boot record (MBR).

On the other hand, on Windows 10, Petya had more layers of defenses to overcome. Apart from Windows AppLocker, Windows Defender Application Control can block Petyas entry vector (i.e., compromised software updater running an untrusted binary), as well as the propagation techniques that used untrusted DLLs. Windows 10s built-in exploit mitigations can further protect Windows 10 devices from the Petya exploit. Credential Guard can prevent Petya from stealing credentials from local security authority subsystem service (LSASS), helping curb the ransomwares propagation technique. Meanwhile, Windows Defender System Guard (Secure Boot) can stop the MBR modified by Petya from being loaded at boot time, preventing the ransomware from causing damage to the master file table (MFT).

Figure 3. Windows 7 and Windows 10 platform defenses against Petya

In October, another sophisticated ransomware reared its ugly head: Bad Rabbit ransomware (Ransom:Win32/Tibbar.A) infected devices by posing as an Adobe Flash installer available for download on compromised websites. Similar to WannaCry and Petya, Bad Rabbit had spreading capabilities, albeit more traditional: it used a hardcoded list of user names and passwords. Like Petya, it can also render infected devices unbootable, because, in addition to encrypting files, it also encrypted entire disks.

On Windows 7 devices, several security solutions technologies can block the download and installation of the ransomware, but protecting the device from the damaging payload and from infecting other computers in the network can be tricky.

With Windows 10, however, in addition to stronger defense at the infection vector, corporate networks were safer from this damaging threat because several technologies are available to stop or detect Bad Rabbits attempt to spread across networks using exploits or hardcoded user names and passwords.

More importantly, during the Bad Rabbit outbreak, detonation-based machine learning models in Windows Defender AV cloud protection service, with no human intervention, correctly classified the malware 14 minutes after the very first encounter. The said detonation-based ML models are a part of several layers of machine learning and artificial intelligence technologies that evaluate files in order to reach a verdict on suspected malware. Using this layered approach, Windows Defender AV protected Windows 10 devices with cloud protection enabled from Bad Rabbit within minutes of the outbreak.

Figure 4. Windows 7 and Windows 10 platform defenses against Bad Rabbit

As these outbreaks demonstrated, ransomware has indeed become a highly complex threat that can be expected to continue evolving in 2018 and beyond. The multiple layers of next-generation security technologies on Windows 10 are designed to disrupt the attack methods that we have previously seen in highly specialized malware but now also see in ransomware.

Ransomware protection on Windows 10

For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files.

Controlled folder access, however, is but one layer of defense. Ransomware and other threats from the web can be blocked by Microsoft Edge, whose exploit mitigation and sandbox features make it a very secure browser. Microsoft Edge significantly improves web security by using Windows Defender SmartScreens reputation-based blocking of malicious downloads and by opening pages within low-privilege app containers.

Windows Defender Antivirus also continues to enhance defense against threats like ransomware. Its advanced generic and heuristic techniques and layered machine learning models help catch both common and rare ransomware families. Windows Defender AV can detect and block most malware, including never-before-seen ransomware, using generics and heuristics, local ML models, and metadata-based ML models in the cloud. In rare cases that a threat slips past these layers of protection, Windows Defender AV can protect patient zero in real-time using analysis-based ML models, as demonstrated in a real-life case scenario where a customer was protected from a very new Spora ransomware in a matter of seconds. In even rarer cases of inconclusive initial classification, additional automated analysis and ML models can still protect customers within minutes, as what happened during the Bad Rabbit outbreak.

Windows 10 S locks down devices from unauthorized content by working exclusively with apps from the Windows Store and by using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common entry points for ransomware and other threats.

Reducing the attack surface for ransomware and other threats in corporate networks

For enterprises and small businesses, the impact of ransomware is graver. Losing access to files can mean disrupted operations. Big enterprise networks, including critical infrastructures, fell victim to ransomware outbreaks. The modern enterprise network is under constant assault by attackers and needs to be defended on all fronts.

Windows Defender Exploit Guard locks down devices against a wide variety of attack vectors. Its host intrusion prevention capabilities include the following components, which block behaviors commonly used in malware attacks:

  • Attack Surface Reduction (ASR) is a set of controls that blocks common ransomware entry points: Office-, script-, and email-based threats that download and install ransomware; ASR can also protect from emerging exploits like DDEDownloader, which has been used to distribute ransomware
  • Network protection uses Windows Defender SmartScreen to block outbound connections to untrusted hosts, such as when trojan downloaders connect to a malicious server to obtain ransomware payloads
  • Controlled folder access blocks ransomware and other untrusted processes from accessing protected folders and encrypting files in those folders
  • Exploit protection (replacing EMET) provides mitigation against a broad set of exploit techniques that are now being used by ransomware authors

Additionally, the industry-best browser security in Microsoft Edge is enhanced by Windows Defender Application Guard, which brings Azure cloud grade isolation and security segmentation to Windows applications. This hardware isolation-level capability provides one of the highest levels of protection against zero-day exploits, unpatched vulnerabilities, and web-based malware.

For emails, Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers against ransomware attacks that begin with email. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Integrated security for enterprises

Windows Defender Advanced Threat Protection allows SecOps personnel to stop the spread of ransomware through timely detection of ransomware activity in the network. Windows Defender ATPs enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware attack kill-chain, enabling SecOps to promptly investigate and respond to ransomware attacks.

With Windows 10 Fall Creators Update, Windows Defender ATP was expanded to include seamless integration across the entire Windows protection stack, including Windows Defender Exploit Guard, Windows Defender Application Guard, and Windows Defender AV. This integration is designed to provide a single pane of glass for a seamless security management experience.

With all of these security technologies, Microsoft has built the most secure Windows version ever with Windows 10. While the threat landscape will continue to evolve in 2018 and beyond, we dont stop innovating and investing in security solutions that continue to harden Windows 10 against attacks. The twice-per-year feature update release cycle reflects our commitment to innovate and to make it easier to disrupt successful attack techniques with new protection features. Upgrading to Windows 10 not only means decreased risk; it also means access to advanced, multi-layered defense against ransomware and other types of modern attacks.

 

Tanmay Ganacharya (@tanmayg)
Principal Group Manager, Windows Defender Research

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

from Eric Avena