Securing a new world of hybrid work: What to know and what to do

Microsoft Malware Protection Center - Wed, 05/12/2021 - 9:00am

The cybersecurity landscape has fundamentally changed, as evidenced by large-scale, complex attacks like Nobelium, Hafnium, and more recently last week’s Colonial Pipeline attack, which signals that human-operated ransomware is on the rise.

Hackers launch an average of 50 million password attacks every day—579 per second. Phishing attacks have increased. Firmware attacks are on the rise, and ransomware has become incredibly problematic. And while Microsoft intercepted and thwarted a record-breaking 30 billion email threats last year, our work is never done.

We are now actively tracking 40-plus nation-state actors and over 140 threat groups representing 20 countries; that number used to be a handful.

We are also rapidly delivering innovation to meet the needs of a changing landscape and you can read more about our latest product updates for RSA in a blog I published today.

Security continues to be the number one priority for our customers, especially as many companies around the world are looking to transition from remote work to hybrid. To truly meet this challenge, defenders across the industry must come together around an end-to-end, Zero Trust security approach that covers the entire technology ecosystem. Today, digital transformation cannot happen without security transformation.

The future of work is hybrid: Here’s what we can do

Even as many people start to transition back to the office, we expect a future where hybrid work is the norm. Forrester predicts that once people have settled into their new work patterns post-pandemic, we will still see a 300 percent increase in employees working remotely from pre-pandemic levels. According to our own Work Trend Index, The Next Great Disruption is Hybrid Work—Are We Ready?, 46 percent of people plan to move because they can now work remotely.

People are working on corporate networks and home networks and moving fluidly between business and personal activity online, thanks to technologies intertwined with both aspects of our daily routines. The network is changing: employees’ home networks and devices are now part of the corporate network. What this means for organizations is that the network is suddenly without firm borders.


Our own approach

My friend and colleague Bret Arsenault, Microsoft’s Chief Information Security Officer, had the mammoth task of transitioning Microsoft and its 160,000-plus employees to remote work in March 2020, and has created our technology plan to transition to hybrid work.

Bret’s approach to solving this has been to foster a culture where security is everyone’s job. Just today, new guidance went out on a few areas:

  • Keeping devices healthy and managed: All devices that need access to corporate resources must be managed to seamlessly keep your device secure and protected from phishing and malicious websites.
  • Making security everyone’s job: We will offer new training, opportunities to provide feedback, and a new virtual security summit to ensure our employees are empowered and equipped to be more secure.
  • Securing home offices: We will continue to build and offer resources and guidelines for employees who will work remotely either part or full time.
  • Building for Zero Trust: We are asking our developers to build with a Zero Trust mentality.

While we have been remote, and as part of our Zero Trust approach, we have also been moving employees off the corporate network. An internet-first approach reduces exposure and gives employees a consistent experience whether they are at home or in the office.

We believe that security is a team sport and that when we share what we’re learning, we can all make the world a safer place. So we are sharing Bret’s guidance with our customers and partners. These specific steps will be the first of many in ensuring our hybrid workforce is as secure as possible.

There are other practical things that we will continue to focus on, and every business should consider as we move into hybrid work.

Identity is more important than ever: Use the tools you likely already have to protect it

Through NOBELIUM and other recent attacks, a clear theme has emerged—identity is the battleground for attacks of the future. We know weak passwords, password spraying, and phishing are the entry point for the vast majority of attacks. As our own CISO, Bret Arsenault, likes to say, “hackers don’t break in, they log in.”

In building a defense for our new threat landscape, the first thing every business should do is examine the tools they already have.

A great example of this is multifactor authentication (MFA). MFA is a defense that our customers have available to them, yet when looking at our own customer data, only 18 percent have it turned on. Any customer with a commercial service subscription—Azure or Microsoft 365—can turn on MFA at no additional cost.

We saw a significant jump in usage when the pandemic began. And when that happened, we saw a significant decrease in aggregate compromises—people thought they were activating to protect only remote access, but MFA protects the entire network.

We work with many kinds of organizations of all sizes—for some, implementing MFA is as easy as flipping the switch. But we understand and empathize that for others it’s much more complex. We’re actively working to make MFA rollout easier and more seamless for our customers, as well as ensuring that the end-user experience is as frictionless and friendly as possible. We are dedicated to working alongside our customers to make everyone more secure. We’ve introduced a number of programs to drive MFA adoption—from the introduction of security defaults to giving customers an entire toolset for internal communications.

Embrace a Zero Trust mindset

In a world where identity is the new battleground, adopting a Zero Trust strategy is no longer optional; it is a business imperative. People and organizations need to have trust in the technologies that bring them together. The term Zero Trust may feel like the opposite of that, but when you assume breach and provide the least privileged access necessary, it actually empowers employees with the flexibility and freedom they want.

The hybrid world is largely perimeterless, so wrapping protections around identity and devices is critical. As part of Zero Trust, we also think the future is passwordless and we will start to see that transition this year.

In fact, to help our customers on their Zero Trust journey we are excited to roll out a new Zero Trust assessment tool today that can help companies understand where they are currently and where they need to go.

For a deeper look at the imperatives around Zero Trust and how Microsoft is reimagining the concept of identity for a perimeterless world, read Joy Chick’s blog, 5 identity priorities for 2021—strengthening security for the hybrid work era and beyond, from Microsoft Ignite.

Take advantage of more robust security in the cloud

The benefits of the cloud for a remote or hybrid workforce are plentiful. Business-critical information can be accessed over the network, making it easy to have workers in any location.

Over the next 6 to 12 months, we will see rapid migration to the cloud, as companies recover from 2020 and implement new infrastructure. In a recent survey of our Microsoft Intelligent Security Association (MISA) partners, 90 percent reported that customers have accelerated their move to the cloud due to the pandemic.

Having a strong cloud posture also provides a level of security that most companies just couldn’t achieve on their own. And we learned from NOBELIUM that the vast majority of attacks originated on-premises, while attacks via the cloud were largely unsuccessful.

Invest in people and skills—and focus on diversity

We know that attackers exploit not just our digital holes, but the holes in our defender teams. Right now, we have two big problems: a shortage of cybersecurity professionals and a lack of diversity within teams. In the coming year, attackers will find these gaps and take advantage.

There is an estimated shortfall of 3.5 million security professionals this year—91 percent of our MISA partners report more demand than supply for cybersecurity professionals. This shortage can mean not only unfilled positions but also too much work on the shoulders of existing teams.

How do we solve this? We build the workforce of the future. We teach, train, and arm new defenders. After all, anyone can be a superhero of cybersecurity. It just takes passion and purpose—and some skilling.

I firmly believe anyone can be a defender, and with the proper training programs, we can all work together to build a cybersecurity workforce that reflects our planet. We must build diverse teams that reflect the many viewpoints of people globally, including the same demographics as the attackers themselves, to meet the security and privacy challenges of our time.

That’s why we’re pleased to offer new skilling programs and certifications across security, compliance, and identity. There are programs available for all levels of expertise, no matter where a defender is on their journey.

Fortunately, in a future where remote work is more common, the world is our oyster in terms of cultivating new and diverse talent. No longer constrained by physical office locations, it’s an exciting time to find the next generation of defenders and help them develop.

What’s next

We’re emerging from a year that has altered the world forever. It changed the way we live and work, brought new challenges in cybersecurity, and reminded all of us that there is no playbook for change.

But where there’s uncertainty, there is also the power to shape the world in positive and profound ways. At the heart of security and privacy protection is the freedom to imagine, plan, empower, and inspire.

As security professionals, it is within our superpowers to help people and organizations feel safe and be safe—to help them persist in the face of adversity with optimism, empathy, and peace of mind.

Learn more

Learn more about Microsoft’s approach to securing hybrid work, including context from our CISO Bret Arsenault, as well as a link to his new podcast Security Unlocked.

You can also assess your Zero Trust maturity stage to determine where your organization is and how to move to the next stage.

To learn more about Microsoft security solutions and how to optimize your Zero Trust strategy, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing a new world of hybrid work: What to know and what to do appeared first on Microsoft Security.

How to secure your hybrid work world with a Zero Trust approach

Microsoft Malware Protection Center - Wed, 05/12/2021 - 9:00am

We are operating in the most complex cybersecurity landscape we’ve ever seen. Sophisticated and determined attackers are the norm. And we all are preparing for the next great disruption—hybrid work.

Security has never been more important, and as I shared in another Security blog today, it’s clearer than ever that a Zero Trust approach, which basically means you have to assume breach, will be critical to success. We’ve been listening and working closely with our customers around the world and rapidly innovating to help you to secure and protect your organizations. Today, I’d like to share some of our latest updates across security, compliance, identity, and management in response to that feedback to help you in your Zero Trust journey.

Strengthening your Zero Trust approach across your environment

The hybrid work environment, with some users working remotely and others in group office settings, introduces more digital attack surfaces, complexity, and risk as perimeters are now increasingly fluid. As such, a Zero Trust strategy will be top of mind for many organizations because its principles—verify explicitly, grant least privileged access, and assume breach—help maintain security amid the IT complexity that comes with hybrid work.

Verify explicitly

One of the most important first steps in a Zero Trust journey is to establish strong authentication. As Bret Arsenault, Microsoft’s CISO would say, “Hackers don’t break in. They log in.” Regardless of length or complexity, passwords alone won’t protect your account in the majority of attacks. Monitoring logins for suspicious activity and limiting or blocking access until additional proof of identity is presented drastically reduces the chances of a breach. Modern multifactor authentication (MFA) doesn’t have to be complicated for the user. We recently announced passwordless authentication and Temporary Access Pass in Azure Active Directory (Azure AD), our cloud identity solution, to help customers strengthen their access controls and simplify the user experience.

Verifying explicitly requires the ability to make real-time access decisions based on all available information for any user trying to access any resource. For us, Azure AD Conditional Access is this real-time access policy engine, which looks at all the data and signals related to the user gaining access, and today we’re announcing powerful new features that give admins more granular access controls while making it easier to control a growing list of policies. The GPS-based named locations and filters for devices enable a new set of scenarios, such as restricting access from specific countries or regions based on GPS location and securing the use of devices from Surface Hubs to privileged access workstations.

Additionally, to empower security for all, you need to be able to verify explicitly for all. We are expanding granular adaptive access controls to all users with the general availability of Azure AD Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. And we’ve made it easier to manage all your new policies with new search, sort, and filter capabilities, as well as enhanced audit logs to track recent policy changes. You can learn more on the Azure Active Directory Identity blog.

We also believe that for comprehensive protection through Zero Trust, we need to have end-to-end integration across device management and identity. New today, we are announcing the preview of filters for devices in Microsoft Endpoint Manager. These unique integrated capabilities between Microsoft Endpoint Manager (which brings together Configuration Manager and Intune) and Azure AD Conditional Access create even more granular controls. With device filters, administrators can target policies and applications to users on specific devices. For example, you can assign a filter so that a policy restriction is only applied to Surface Pro devices. You can learn more in today’s Tech Community blog.
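As an added illustration (not Microsoft's code and not taken from the post), the Python below builds the request body for a Conditional Access policy that requires MFA only on devices matching a device filter (the Surface Pro case from the paragraph), defaults the policy to report-only so its effect can be audited before enforcement, and previews which devices in a constructed inventory the filter would match. The request shape follows the Microsoft Graph `conditionalAccessPolicy` resource as I know it; the rule evaluator implements only a small subset of the filter-rule syntax (`-eq`, `-ne`, `-startsWith`, `-contains`, joined by `-and`/`-or`, no nesting) and is an assumption for illustration, not Microsoft's evaluator.

```python
"""Added example (not Microsoft's code): build a Conditional Access policy that
targets one device model via a device filter, and preview which inventory
devices the filter would include. Graph request shape follows the documented
conditionalAccessPolicy resource; the rule evaluator is a toy subset of the
filter-rule syntax and is an assumption for illustration."""
import json
import re

# Comparison operators supported by the toy evaluator (subset of the real syntax).
_OPS = {
    "-eq": lambda a, b: a == b,
    "-ne": lambda a, b: a != b,
    "-startsWith": lambda a, b: a.startswith(b),
    "-contains": lambda a, b: b in a,
}
_CLAUSE = re.compile(r'device\.(\w+)\s+(-\w+)\s+"([^"]*)"')
_JOINER = re.compile(r"\)\s+(-and|-or)\s+\(")


def build_device_filter_policy(model, state="enabledForReportingButNotEnforced"):
    """Return a Graph conditionalAccessPolicy body requiring MFA for all users
    on all cloud apps, applied only when the device matches the filter.
    Report-only by default so the match set can be checked in sign-in logs
    before the policy is switched to 'enabled'."""
    return {
        "displayName": f"Require MFA on {model} devices (added example)",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "devices": {
                "deviceFilter": {"mode": "include", "rule": f'device.model -eq "{model}"'}
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def rule_matches(rule, device):
    """Evaluate '(device.prop -op "value") -and/-or (...)' against one device
    record. Clauses are combined left to right; nesting is not supported."""
    clauses = _CLAUSE.findall(rule)
    joiners = _JOINER.findall(rule)
    if not clauses or len(joiners) != len(clauses) - 1:
        raise ValueError(f"unparseable rule: {rule}")
    result = None
    for i, (prop, op, value) in enumerate(clauses):
        if op not in _OPS:
            raise ValueError(f"unsupported operator: {op}")
        verdict = _OPS[op](str(device.get(prop, "")), value)
        if result is None:
            result = verdict
        elif joiners[i - 1] == "-and":
            result = result and verdict
        else:
            result = result or verdict
    return bool(result)


def preview_targets(policy, inventory):
    """Return the display names the policy's device filter would include
    (or, for mode 'exclude', the devices left after exclusion)."""
    flt = policy["conditions"]["devices"]["deviceFilter"]
    hits = [d["displayName"] for d in inventory if rule_matches(flt["rule"], d)]
    if flt["mode"] == "exclude":
        return [d["displayName"] for d in inventory if d["displayName"] not in hits]
    return hits


# Constructed sample inventory (not real tenant data).
SAMPLE_INVENTORY = [
    {"displayName": "LAPTOP-01", "model": "Surface Pro", "operatingSystem": "Windows"},
    {"displayName": "LAPTOP-02", "model": "Latitude 7420", "operatingSystem": "Windows"},
    {"displayName": "HUB-01", "model": "Surface Hub", "operatingSystem": "Windows"},
]

if __name__ == "__main__":
    policy = build_device_filter_policy("Surface Pro")
    # This dict is the body for POST /identity/conditionalAccess/policies.
    print(json.dumps(policy, indent=2))
    print("would target:", preview_targets(policy, SAMPLE_INVENTORY))
```

The preview step is the part worth keeping in a real rollout: run the filter against the device inventory first, compare the match set with what the policy is meant to cover, and only then move the policy from report-only to enabled.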

Healthy devices and unified device management across platforms continue to be anchors of Zero Trust. To help protect data from potential leakage on mobile devices, we are introducing new conditional launch settings with App Protection Policies in Microsoft Endpoint Manager. These controls can block access or wipe data based on conditions such as a maximum OS version or a jailbroken or rooted device, or require Android devices to pass SafetyNet attestation.

In addition, we are making it easier for you to manage your devices, regardless of the operating system. First, you can configure Android Enterprise-enrolled devices with Azure AD shared device mode in Microsoft Endpoint Manager. This new capability is now generally available and provides a simplified and more secure experience on devices shared across multiple users. With single sign-in, single sign-out, and data clearing across applications, shared device mode increases privacy between users and reduces the number of steps a frontline worker needs to take to access their work apps.

Then, to make it easier to manage and secure your Apple devices, we recently released a Microsoft Endpoint Manager preview of the Setup Assistant for iOS, iPadOS, and macOS automated device enrollment. Based on customer feedback, you can now allow users to start using their iPadOS device immediately after enrollment without waiting for the Company Portal to install on a locked-down device. You can also configure a Conditional Access policy to require multifactor authentication either during enrollment in the Setup Assistant or upon authentication in the Company Portal. Learn more about the administrator and user experiences for shared devices and the Setup Assistant in this Tech Community blog.

Finally, we continue to invest in BitLocker, which helps you to protect data at rest. BitLocker now has several enhancements, such as comprehensive modern management with Microsoft Endpoint Manager, role-based access controls for BitLocker recovery passwords, recovery password search, and recovery password auditing. Check out our BitLocker series that explains how to manage BitLocker in Microsoft Endpoint Manager, such as enabling silent encryption.

Grant least privileged access

As we enter new hybrid work environments, businesses need to think about how they will proactively protect their organizations from the influx of new or “bring your own” (BYO) connected devices, and even from new apps that have helped people work in new ways. This new normal has exposed the most challenging cybersecurity landscape we’ve ever encountered, and least privileged access ensures that only what must be shared is shared.

To help, we recently added the ability to discover and secure unmanaged endpoints and network devices to Microsoft Defender for Endpoint. Once network devices are discovered, security administrators will receive the latest security recommendations and vulnerabilities for them. Discovered endpoints (such as workstations, servers, and mobile devices) can be onboarded to Microsoft Defender for Endpoint, gaining all of its deep protection capabilities. You can learn more in the Microsoft Security blog, Secure unmanaged devices with Microsoft Defender for Endpoint now.

The early detection of vulnerabilities and misconfigurations is critical to an organization’s overall security posture and to preventing those weaknesses from being exploited. As part of our commitment to multi-platform support, the threat and vulnerability management capabilities in Microsoft Defender for Endpoint now also support Linux, giving organizations the ability to view discovered vulnerabilities, assess the latest security recommendations, and issue remediation tasks for Linux devices. With the addition of Linux, threat and vulnerability management now covers all major platforms, including Windows and macOS.

Assume breach

Comprehensive security that is multi-platform and multi-cloud, with simplification front and center, is going to be important for the “assume breach” approach. With that in mind, today we are announcing the general availability of the converged portal for Microsoft 365 Defender, which unifies and simplifies XDR capabilities for endpoints, email, and collaboration. For Azure Sentinel, we are announcing solutions: a simplified means to deploy connectors, detections, playbooks, and workloads for both first- and third-party integrations, all together as one package. To simplify team communications in the Security Operations Center, we now have built-in integration of Microsoft Teams into Azure Sentinel, so you can create a Teams call directly from an incident.

With threats continuing to get more sophisticated, it is important to have the latest AI and machine learning capabilities at hand to separate important incidents from noise. Customers using Azure Sentinel consistently tell us how useful it is when incidents we raise are closed directly in the product. This quarter, more than 92 percent of incidents produced by Azure Sentinel’s AI were reported as useful by security professionals, which is dramatically higher than industry standards and enables you to focus on what’s important. Today we are adding new anomaly detections to Azure Sentinel, including User and Entity Behavior Analytics (UEBA), powered by configurable machine learning. These anomalies can be used to provide additional context while hunting, or fused with incidents. What’s powerful is that you can configure the variables for the machine-learning-driven anomalies with just a few clicks to customize them for your specific environment.
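As an added example of the kind of configurable, per-entity baseline anomaly the paragraph describes (this is not Azure Sentinel's code or its UEBA model), the Python below parses constructed sign-in records in an assumed `<date> <user> <result> <country>` format, builds each user's own failed-sign-in baseline, and flags an observed day whose failure count is unusual for that user. The three keyword arguments (`z_threshold`, `min_count`, `min_baseline_days`) play the role of the tunable variables; the log format, thresholds and data are all this example's assumptions.

```python
"""Added example (not Azure Sentinel code): per-user baseline anomaly detection
over constructed sign-in records, with the detection variables exposed as
parameters so an analyst can tune them for their environment."""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev


def _build_sample():
    """Constructed data: two weeks of normal activity for two users, then an
    observed day where one user sees a burst of failed sign-ins."""
    lines = []
    base = date(2021, 4, 26)
    for d in range(14):
        day = base + timedelta(days=d)
        lines.append(f"{day} alice Failure US")      # one mistyped password a day
        lines.append(f"{day} alice Success US")
        lines.append(f"{day} bob Success DE")
        if d % 4 == 0:
            lines.append(f"{day} alice Failure US")  # occasional second failure
    spike = base + timedelta(days=14)                # 2021-05-10: the observed day
    lines += [f"{spike} alice Failure US"] * 11 + [f"{spike} alice Success US"]
    lines += [f"{spike} bob Failure DE", f"{spike} bob Success DE"]
    return lines


SAMPLE_SIGNINS = _build_sample()


def detect_anomalies(lines, observed_day, z_threshold=3.0, min_count=5,
                     min_baseline_days=7):
    """Flag users whose failed-sign-in count on observed_day is at least
    z_threshold standard deviations above their own history.

    min_count suppresses statistically odd but operationally tiny spikes;
    min_baseline_days suppresses users with too little history to baseline.
    Dates are ISO strings, so string comparison orders them correctly."""
    failures = defaultdict(Counter)   # user -> day -> failed attempts
    days_seen = defaultdict(set)      # user -> days with any activity
    for line in lines:
        day, user, result, _country = line.split()
        days_seen[user].add(day)
        if result == "Failure":
            failures[user][day] += 1

    findings = []
    for user, days in days_seen.items():
        baseline = [failures[user][d] for d in sorted(days) if d < observed_day]
        if len(baseline) < min_baseline_days:
            continue
        today = failures[user][observed_day]
        if today < min_count:
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        # A flat baseline (sigma == 0) makes any increase infinitely unusual.
        z = (today - mu) / sigma if sigma else float("inf")
        if z >= z_threshold:
            findings.append({"user": user, "day": observed_day, "failures": today,
                             "baseline_mean": round(mu, 2), "z": round(z, 2)})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_SIGNINS, "2021-05-10"):
        print(f)
```

The two suppression knobs matter as much as the z-score: on the constructed data, lowering `min_count` to 1 also flags the second user, whose single failure is "infinitely" unusual against a baseline of zero failures but is not worth an analyst's time.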

Today’s hybrid work environment spans multiple platforms, multiple clouds, and on-premises. We recently extended the multi-cloud support in Azure Defender to include not just servers and SQL but also Kubernetes, all using Azure Arc. Azure Security Center remains the only security portal from a cloud vendor with multi-cloud support, including Azure, Amazon Web Services, and Google Cloud Platform. Today we are announcing that we are extending protection to the application level with the preview of the SAP threat monitoring solution for Azure Sentinel. This supports SAP running in any cloud or on-premises and includes continuous monitoring of SAP with built-in detections and can be customized to your specific SAP environment. You can learn more about this and the rest of Azure Sentinel’s announcements in the Tech Community blog post.

Enabling a secure way to access cloud apps while protecting your resources in this hybrid work environment is critical. New enhancements to Microsoft Cloud App Security will help protect against recent cloud-based attack types by detecting suspicious app activity and data exfiltration attempts from cloud services. Over the next few weeks, the integration between Microsoft Information Protection and Cloud App Security will also become generally available. This integrated information protection policy management from the Cloud App Security portal enables greater visibility, control, and protection for your sensitive data in the cloud.

With over 90 percent of threats surfacing through email, it’s critical that organizations can configure security tools in a way that works for their environment. Over time, settings age, new attack scenarios develop, and new security controls become available, necessitating regular review, upkeep, modification, and even removal of old configurations. We’ve been on a journey to make it easier for customers to understand configuration gaps in their environment with recently launched features like preset security policies, Configuration Analyzer, and override alerts in Microsoft Defender for Office 365. We also recently announced our Secure by Default capabilities, which eliminate the risks posed by legacy configurations: when Microsoft is confident that an email contains malicious content, we will not deliver the message to users, regardless of tenant configuration. You can learn more in today’s Tech Community blog post.

But “assuming breach” isn’t just about external threats—you also have to be thoughtful about protecting your organization from the inside out. We released new capabilities today in our Insider Risk Management solution to help you to address insider risk in a holistic, collaborative way. Today’s Tech Community blog has more details.

For investigations, eDiscovery is critical. Today we’re announcing that eDiscovery support for Microsoft Graph connectors will be available in Summer 2021 as a developer preview. With Microsoft Graph connectors, investigators can query across more than 130 systems, directly from Microsoft 365 and our partners. The same eDiscovery tools in Microsoft 365 that search for content in Microsoft 365 apps and services can then search for content in third-party systems connected to Microsoft Search. You can learn more in today’s Tech Community blog post.

Your Zero Trust journey

In a risk landscape as complex as today’s, your adoption of a Zero Trust approach won’t happen overnight. It’s important to value progress over perfection and to enlist help when you need it. Microsoft and its partners are committed to helping you on this journey. To chart out your path, or assess your progress, enable a remote workforce by embracing Zero Trust security.

Thank you for being part of our community and doing your part to build a safer world.

Learn more about Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to secure your hybrid work world with a Zero Trust approach appeared first on Microsoft Security.

Threat and Vulnerability Management now supports all major platforms

Microsoft Malware Protection Center - Tue, 05/11/2021 - 2:00pm

We are swiftly adapting to the lasting reality of a hybrid workforce, with the number of remote workers in the US expected to nearly double over the next five years compared to pre-pandemic times. As a result, security teams are being challenged to rethink how to secure a growing and increasingly diverse portfolio of devices outside the traditional boundaries of their organization. What has stayed constant during this time of change, however, is adversaries’ focus on identifying and exploiting unpatched vulnerabilities and misconfigurations as a gateway to sensitive information. This stresses the need for a proactive approach to vulnerability management and a focus on an organization’s high-risk assets.

Microsoft’s Threat and Vulnerability Management (TVM) capabilities play a crucial role in monitoring an organization’s overall security posture, with devices being a key entry point for compromise if left exposed. TVM equips customers with real-time insights into risk through continuous vulnerability discovery, intelligent prioritization that takes business and threat context into account, and the ability to seamlessly remediate vulnerabilities with a single click. The recent Nobelium attack is only one example of a critical vulnerability for which TVM enabled customers to identify affected devices in their environment and take immediate action.

As threat and vulnerability management evolves, we continue to expand our coverage to include additional devices and OS platforms. Today, we are announcing that Microsoft’s Threat and Vulnerability Management capabilities now cover Linux operating systems, in addition to macOS and Windows—with support for Android and iOS planned for later this summer.

Organizations can now review recently discovered vulnerabilities within installed applications across the Linux OS and issue remediation tasks for all affected devices. Initial support is available for RHEL, CentOS, and Ubuntu, with Oracle Linux, CentOS, SUSE, and Debian being added shortly. In addition, TVM now also provides secure configuration assessment capabilities for Linux and macOS. These allow organizations to discover, prioritize, and remediate dozens of insecure configurations to improve their overall security posture.

Figure 1: Security recommendation to update Google Chrome for Windows, macOS, and Linux.

Figure 2: Details of all vulnerabilities associated with Google Chrome for Linux.

Figure 3: Security configuration recommendation for macOS.

Microsoft’s investment in cross-platform coverage now enables customers to take full advantage of the powerful TVM capabilities on all major platforms across managed and unmanaged devices. They are available in Microsoft Defender for Endpoint as part of an integrated experience that provides device context, prioritizes based on risk, and minimizes time to remediation across their entire portfolio of managed and unmanaged devices.

An added focus on interoperability

As we continue to expand the coverage for our TVM capabilities and remain focused on providing natively integrated experiences across the Microsoft portfolio, we are also partnering with industry-leading solution providers to ensure the interoperability of our solution.

We understand that our customers have existing investments and established processes to run their security and IT operations. That is why a broad ecosystem of integration partners is a critical focus as we continue to grow our vulnerability management capabilities. Customers can already leverage integrations with Skybox, Kenna Security, and ServiceNow Vulnerability Response, and we are actively working on expanding this list.

In addition, the Threat and vulnerability management APIs give customers and partners full access to the threat and vulnerability management dataset, including vulnerability assessment, security configuration assessment, and the software inventory for all devices. This enables any partner to leverage and integrate threat and vulnerability management data into their platforms and create custom solutions with the available data set.
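As an added example of what a partner or customer can do with that dataset (this is my own illustration, not Microsoft's code, and it runs on constructed data rather than a live API call), the Python below scores per-device vulnerability rows by threat and business context, the kind of prioritization the earlier TVM post describes, and folds them into one remediation task per vulnerable software package so a single task covers every affected device. The row fields are modelled on the `machinesVulnerabilities` and `vulnerabilities` resources of the Defender for Endpoint API as I know them, but the field set, the sample records, the CVE identifiers (`CVE-EXAMPLE-…`) and the scoring weights are all assumptions of this example.

```python
"""Added example (not Microsoft's code): prioritize vulnerability findings from
a TVM-style dataset using threat context (exploit availability) and business
context (asset criticality), then group them into per-software remediation
tasks. All data below is constructed; field names are modelled on the API's
machinesVulnerabilities and vulnerabilities resources."""
from collections import defaultdict

# Constructed sample: one row per (device, CVE), as the API would return them.
MACHINE_VULNS = [
    {"machineId": "m-001", "cveId": "CVE-EXAMPLE-0001", "productName": "chrome",
     "productVendor": "google", "productVersion": "89.0", "severity": "High"},
    {"machineId": "m-002", "cveId": "CVE-EXAMPLE-0001", "productName": "chrome",
     "productVendor": "google", "productVersion": "89.0", "severity": "High"},
    {"machineId": "m-003", "cveId": "CVE-EXAMPLE-0002", "productName": "openssl",
     "productVendor": "openssl", "productVersion": "1.1.1j", "severity": "Critical"},
    {"machineId": "m-001", "cveId": "CVE-EXAMPLE-0003", "productName": "sudo",
     "productVendor": "sudo", "productVersion": "1.8.31", "severity": "Medium"},
]

# Constructed per-CVE threat context (cvssV3 / publicExploit / exploitInKit style fields).
CVE_CONTEXT = {
    "CVE-EXAMPLE-0001": {"cvssV3": 8.8, "publicExploit": True, "exploitInKit": True},
    "CVE-EXAMPLE-0002": {"cvssV3": 9.8, "publicExploit": False, "exploitInKit": False},
    "CVE-EXAMPLE-0003": {"cvssV3": 6.4, "publicExploit": True, "exploitInKit": False},
}

# Constructed business context: asset criticality multiplier per device (1.0 = baseline).
ASSET_WEIGHT = {"m-001": 1.0, "m-002": 2.0, "m-003": 1.5}  # m-002 is an exposed server


def priority_score(row, cve_ctx=CVE_CONTEXT, asset_weight=ASSET_WEIGHT):
    """CVSS base score scaled up when an exploit is public (x1.25) or packaged
    in a kit (x1.5), then by asset criticality. Weights are this example's own."""
    ctx = cve_ctx.get(row["cveId"], {})
    score = ctx.get("cvssV3", 5.0)          # unknown CVE: assume a middling base score
    if ctx.get("exploitInKit"):
        score *= 1.5
    elif ctx.get("publicExploit"):
        score *= 1.25
    score *= asset_weight.get(row["machineId"], 1.0)
    return round(score, 2)


def rank_findings(rows=MACHINE_VULNS):
    """Return (score, machineId, cveId) tuples, highest priority first."""
    ranked = [(priority_score(r), r["machineId"], r["cveId"]) for r in rows]
    return sorted(ranked, reverse=True)


def plan_remediation(rows=MACHINE_VULNS):
    """Fold per-device rows into one task per vulnerable software package.
    Each task lists every affected device and inherits the highest priority
    among the rows it covers, so fixing the package once clears them all."""
    tasks = defaultdict(lambda: {"devices": set(), "cves": set(), "priority": 0.0})
    for r in rows:
        key = (r["productVendor"], r["productName"], r["productVersion"])
        t = tasks[key]
        t["devices"].add(r["machineId"])
        t["cves"].add(r["cveId"])
        t["priority"] = max(t["priority"], priority_score(r))
    return sorted(
        ({"software": k, "devices": sorted(v["devices"]),
          "cves": sorted(v["cves"]), "priority": v["priority"]}
         for k, v in tasks.items()),
        key=lambda t: t["priority"], reverse=True)


if __name__ == "__main__":
    for score, machine, cve in rank_findings():
        print(f"{score:6.2f}  {machine}  {cve}")
    for task in plan_remediation():
        print(task)
```

On the constructed data the highest-severity CVE (CVSS 9.8, no known exploit) ranks below the CVSS 8.8 issue that has an exploit kit and sits on the critical server, which is the point of combining threat and business context rather than sorting on severity alone.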

As a hybrid workforce becomes the new normal and organizations continue to face new security challenges, Microsoft Threat and Vulnerability Management enables better insight into organizational risk and the overall security posture of their devices. With a focus on broad platform support and interoperability, we are committed to providing customers with the flexibility and coverage they need to detect vulnerabilities and misconfigurations early on and make remediation simple.

Learn more

Microsoft Threat and Vulnerability Management bridges the gap between security and IT teams to seamlessly remediate vulnerabilities and reduce risk in your organization. It is deeply integrated with Microsoft’s portfolio of security and IT management solutions, and you can sign up for a free trial today or get started even faster with our interactive guide.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Threat and Vulnerability Management now supports all major platforms appeared first on Microsoft Security.

Gartner names Microsoft a Leader in the 2021 Endpoint Protection Platforms Magic Quadrant

Microsoft Malware Protection Center - Tue, 05/11/2021 - 12:00pm

Our mission to empower defenders and protect and secure organizations has never been more important to us. Over the last year, our customers have faced unpredictable challenges and nearly overnight have had to quickly adapt in the face of a new hybrid work environment, evolving sophistication and scope of threats, and global and economic uncertainty. The trust that customers have put into us through this journey has been humbling. No matter what the future holds, we are deeply committed to continuing to help customers prepare and adapt with security innovation that offers the best protection, detection, and response in their multi-cloud, multi-platform environments and empowers defenders to move ahead of the speed of an attack.

We are so grateful to our customers who have collaborated with us in creating one of the best endpoint security solutions on the market and are thrilled that Gartner has recognized this work and the journey we’ve taken alongside our customers by naming Microsoft a Leader in the 2021 Endpoint Protection Platforms (EPP) Magic Quadrant, positioned highest on the ability to execute.

According to Gartner, Leaders “have broad capabilities in advanced malware protection, and proven management capabilities for large enterprise accounts. Increasingly, Leaders provide holistic XDR platforms that allow customers to consolidate their other tools and adopt a single-vendor solution.”

Our evolution in the endpoint security space has been accelerating with the release of proven security capabilities that are central to our customers’ needs, including:

All of these innovations are seamlessly built into Microsoft 365 Defender, our solution offering XDR capabilities for identities, endpoints, cloud apps, email, and documents. Microsoft 365 Defender delivers intelligent, automated, and integrated security in a unified SecOps experience, with detailed threat analytics and insights, unified threat hunting, and rapid detection and automation across domains—detecting and stopping attacks anywhere in the kill chain and eliminating persistent threats.

You can download the complimentary report to get more details on our positioning as a Leader. Our customers and partners have been on this incredible journey with us, and for that, we owe our immense gratitude and share this recognition with them.

Learn more

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.

Gartner Magic Quadrant for Endpoint Protection Platforms, Peter Firstbrook, Dionisio Zumerle, Prateek Bhajanka, Lawrence Pingree, Paul Webber, 05 May 2021.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request here.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Gartner names Microsoft a Leader in the 2021 Endpoint Protection Platforms Magic Quadrant appeared first on Microsoft Security.

Forrester names Microsoft a Leader in the 2021 Enterprise Email Security Wave

Microsoft Malware Protection Center - Thu, 05/06/2021 - 12:00pm

Today, organizations face an evolving threat landscape and an exponentially increasing attack surface. Email represents the primary attack vector for cybercrime, and security teams are in search of efficient and cost-effective means to minimize the risk of these threats and the impact they have on organizational productivity and innovation.

We are proud to announce today that Microsoft is positioned as a leader in The Forrester Wave: Enterprise Email Security, Q2 2021¹, receiving among the highest scores in the strategy category. The Forrester Wave report evaluates enterprise email security solutions and provides a detailed overview of the current offering, strategy, and market presence of these vendors. From the report, “Forrester’s 2021 Wave evaluation of the email security market revealed that secure email gateways (SEGs) are slowly becoming dinosaurs as customers turn to the native security capabilities of cloud email infrastructure providers”. Microsoft Defender for Office 365 received the highest possible score in the incident response, threat intelligence, and endpoint and endpoint detection and response (EDR) solutions integration criteria, as well as in the product strategy, customer success, and performance and operations criteria.

For us at Microsoft, being recognized as a leader is a testament to our ongoing commitments to innovate and improve in this space. Over the last few years, we’ve worked to build a solution our customers love, and today’s news is just the latest validation of the work we’ve done and the feedback we’ve been hearing from customers who love our solution.

Microsoft offers best-of-breed email and collaboration security capabilities that play a pivotal role in our industry-leading extended detection and response (XDR) solution, Microsoft 365 Defender. Together, Microsoft Defender for Office 365 and Microsoft 365 Defender help customers reduce gaps in coverage by trading disparate point solutions for comprehensive coverage. As customers face attacks that increasingly surface across multiple domains, Microsoft 365 Defender looks across these domains to understand the entire chain of events, identifies affected assets, like users, endpoints, mailboxes, and applications, and auto-heals them back to a safe state.

We will continue to innovate in this space as we build a best-of-breed and best-in-suite solution that offers the best protection, experiences, and value to our customers.

Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.

Download this complimentary full report and read the analysis behind Microsoft’s positioning as a Leader.

¹The Forrester Wave: Enterprise Email Security, Q2 2021, Joseph Blankenship, May 6, 2021.

This graphic was published by Forrester Research as part of a larger research document and should be evaluated in the context of the entire document. The Forrester document is available upon request here.

The post Forrester names Microsoft a Leader in the 2021 Enterprise Email Security Wave appeared first on Microsoft Security.

Business email compromise campaign targets wide range of orgs with gift card scam

Microsoft Malware Protection Center - Thu, 05/06/2021 - 12:00pm

Cybercriminals continue to target businesses to trick recipients into approving payments, transferring funds, or, in this case, purchasing gift cards. This kind of email attack is called business email compromise (BEC)—a damaging form of phishing designed to gain access to critical business information or extract money through email-based fraud.

In this blog, we want to share our investigation of a BEC campaign that used attacker-created email infrastructure to facilitate gift card theft. In this campaign, we found that attackers targeted organizations in the consumer goods, process manufacturing and agriculture, real estate, discrete manufacturing, and professional services sectors using typo-squatted domains to make the emails appear as if they were originating from valid senders.

BEC emails are intentionally designed to look like ordinary emails, appearing to come from someone the targeted recipient already knows, but these campaigns are more complex than they appear. They require behind-the-scenes operations, preparation, and staging. Advanced email solutions like Microsoft Defender for Office 365 detect and block these elusive threats. Defender for Office 365 safeguards organizations against the threat posed by emails and URLs associated with BEC campaigns.

In our blog titled Business email compromise: How Microsoft is combating this costly threat, we wrote about the process of orchestrating BEC attacks and discussed Microsoft strategies to combat these threats. Additionally, Microsoft released a three-part blog series on BEC scams titled Business Email: Uncompromised, which offers an in-depth look into the evolution of BEC attacks and how Microsoft Defender for Office 365 employs multiple native capabilities to help customers defend against them.

Understanding the BEC gift card scam

Imagine this work-from-home scenario for an executive assistant (EA):

It’s a typical day at work for you as a remote EA. You prepare your to-do list for the day and check your CEO’s calendar for their scheduled meetings, all while communicating with other EAs via email and chat. You categorize your emails and prioritize your tasks—nothing out of the ordinary.

In the middle of the workday, you get an email appearing to come from your boss, requesting that you purchase gift cards to give to the team as an incentive for their hard work during the pandemic.

The request seems a little strange, you think. Maybe it was a spur-of-the-moment initiative. But you’re a rock star assistant and decide to go ahead and purchase the gift cards using department funds.

You reply to your boss’s email with the gift card codes. After a while of not hearing back, you finally ping them on chat to make sure they received them. Your boss expresses their confusion in response to your chat message–they never requested gift cards for the team.

This is a classic business email compromise (BEC) scenario.

Defining BEC attacks

BEC is a type of phishing attack that targets organizations, with the goal of stealing money or critical information. Our blog post Business Email: Uncompromised – Part One provides examples of real-world BEC attacks and how to identify key visual cues for spotting attacks.

The emails used in BEC attacks appear simple, but there is a wide level of complexity behind them—from reconnaissance and targeting, social engineering, to the delivery infrastructure.

If you’re wondering why these complex threats are crafted for a seemingly insignificant payout, think again. BEC remains a serious area of concern, with attacks totaling approximately $1.8 billion in victim losses in 2020, according to the FBI’s Internet Crime Complaint Center (IC3). While attacks similar to the BEC gift card scenario we described earlier can add up to a hefty sum, many BEC attackers are known to target significantly larger transactions, such as intercepting and redirecting wire transfers, ultimately making BEC scams a highly profitable cybercriminal operation.

Conducting reconnaissance, social engineering for BEC attacks

For BEC actors to know who to target and who to impersonate, they frequently conduct reconnaissance prior to launching attacks. Social media sites, “about us” pages on a company’s website, or news articles about a targeted company may all give actors the information they need to craft a specific, believable message intended for a chosen victim. In our blog post, Business Email: Uncompromised – Part Two, we discuss the multiple stages of a BEC attack, from identifying target organizations to the attackers setting up transaction details.

BEC gift card campaign seen targeting various organizations

In this campaign, attackers targeted a variety of companies in the consumer goods, process manufacturing and agriculture, real estate, discrete manufacturing, and professional services sectors.

Figure 1. Breakdown of email volume sent to the top targeted industries we observed in this BEC campaign

This specific campaign started with an extremely vague request, such as “I need you to do a task for me” or “Let me know if you’re available.” The message body contained a few details related to the target to make the email seem legitimate.

Figure 2. A sample BEC email impersonating an executive

In the Figure 2 screenshot, the attacker signed the email as “Steve,” which is the name of an executive at this targeted organization. Additionally, the email was addressed to someone who worked with the impersonated executive while the subject line contained the recipient’s first name.

If the recipient replied to the email, the attacker responded with a more specific demand for a gift card. In other cases, attackers skipped the generic email altogether and jumped directly to the gift card demand, using a method of generating fake replies to add legitimacy to the email. We discussed the anatomy of BEC attacks in this blog post and detailed telltale signs of common phishing techniques.

Figure 3. A sample BEC email targeting the education sector demanding a gift card purchase

In this case, the attacker pretended to be a teacher at a K-12 institution and claimed that they were unable to leave their house to buy a gift card. In addition, the email subject contained the name of the purported teacher followed by “SICK” in the subject line.

The email body included a message requesting the recipient to purchase a physical gift card for them. According to our past BEC research, attackers frequently used the stolen gift card codes for websites that allow them to redeem and convert gift cards to cryptocurrency or other foreign currencies. The funds generated from cashing out gift cards can then be transferred to attacker-owned accounts untraceably.

In this campaign, we noticed that the email also contained a fake reply, wherein the threat actor included what appeared to be an original message in the email body, with the subject line starting with “Re:”. The ‘From’ email address in the crafted original message used, but the ‘From’ address of the actual email was a typo-squatted domain spoofing, hinting that the email reply was indeed fake.

Figure 4. The attacker used a typo-squatted domain that spoofed a Yahoo account

Upon closer examination, the actors had taken the extra step of faking the In-Reply-To and References headers, which added an extra air of legitimacy to the email. An email’s In-Reply-To header contains the unique Message ID of the previous message in the reply thread, and the References header contains the unique Message IDs from all previous messages in the reply thread. In a typical email that is not a reply, these two header fields would be blank.

Figure 5. Spoofed fields for the In-Reply-To and References headers

As shown in Figure 5, both the In-Reply-To and References headers are populated with Message IDs associated with legitimate email providers, including, which this campaign spoofed. We can see that these headers were manually added by the attacker as made apparent by the sender. In addition, the email’s HTML contents show that the message was manually typed to appear as though it’s a reply.

Filling these headers in made the email appear legitimate, as though the attacker were simply replying to an existing email thread between the Yahoo and Outlook users. This characteristic sets this campaign apart from most BEC campaigns, where attackers simply include a real or specially crafted fake email, adding the sender, recipient, and subject, in the new email body, making it appear as though the new email was a reply to the previous email.
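The two fake-reply styles described above, a message that carries forged In-Reply-To/References headers and a message that only pastes a “thread” into the body, can be checked mechanically against the receiving organization’s own sent-mail index. The following is an added defensive example, not Microsoft’s code; every address, domain and Message-ID in it is constructed.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, modelled on the fake reply described above: In-Reply-To and
# References are populated and the subject starts with "Re:", but the referenced
# Message-IDs belong to a third-party provider and were never sent by the
# receiving organisation. Every address, domain and Message-ID here is made up.
FAKE_REPLY = b"""\
From: Steve <steve@examplecorp-inc.com>
To: assistant@examplecorp.com
Subject: Re: Quick task
Message-ID: <a1b2c3@examplecorp-inc.com>
In-Reply-To: <111.fake@mail.provider.example>
References: <000.fake@mail.provider.example> <111.fake@mail.provider.example>

Are you available? I need you to do a task for me.
"""

# Constructed: a genuine external reply to a message the organisation really sent.
LEGIT_REPLY = b"""\
From: partner@partner.example
To: assistant@examplecorp.com
Subject: Re: Invoice 4711
Message-ID: <p9@partner.example>
In-Reply-To: <m1@examplecorp.com>
References: <m1@examplecorp.com>

Thanks, received.
"""

# Constructed: the other style the text describes, a quoted "thread" pasted into
# the body with no threading headers at all.
BODY_ONLY_REPLY = b"""\
From: Steve <steve@examplecorp-inc.com>
To: assistant@examplecorp.com
Subject: Re: Gift cards
Message-ID: <d4e5f6@examplecorp-inc.com>

-----Original Message-----
From: Steve
Subject: Gift cards
Could you get these for the team?
"""

# Constructed stand-in for the organisation's sent-mail index (Message-IDs it sent).
SENT_IDS = {"<m1@examplecorp.com>", "<m2@examplecorp.com>"}
ORG_DOMAINS = {"examplecorp.com"}

MSGID_RE = re.compile(r"<[^<>\s]+>")
REPLY_SUBJECT_RE = re.compile(r"^(re|aw|sv|fw|fwd)\s*:", re.IGNORECASE)


def message_ids(value):
    """Every <...> token in a header value; None or '' gives []."""
    return MSGID_RE.findall(value or "")


def msgid_domain(msgid):
    """Domain part of <local@host>, lowercased."""
    return msgid.strip("<>").rpartition("@")[2].lower()


def reply_header_findings(raw, sent_ids, org_domains):
    """Return human-readable findings about a message's reply/threading headers.

    An empty list means the threading headers are consistent with a real reply
    into this organisation (or the message is a plain new message).
    """
    msg = email.message_from_bytes(raw)
    findings = []
    subject = (msg["Subject"] or "").strip()
    looks_like_reply = bool(REPLY_SUBJECT_RE.match(subject))
    in_reply_to = message_ids(msg["In-Reply-To"])
    references = message_ids(msg["References"])
    claimed = in_reply_to + references
    from_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()

    if not claimed:
        # A genuine reply nearly always carries threading headers; "Re:" without
        # them suggests a thread that exists only as pasted text in the body.
        if looks_like_reply:
            findings.append("reply-style subject but no In-Reply-To/References")
        return findings

    if not looks_like_reply:
        findings.append("threading headers present but subject is not a reply")
    if in_reply_to and references and in_reply_to[0] != references[-1]:
        findings.append("In-Reply-To does not match the last References entry")
    if not any(m in sent_ids for m in claimed):
        findings.append("claims to continue a thread this organisation never sent")
    # The IDs should come from the sender's own domain or from ours; a thread
    # allegedly between two third parties, delivered to us, is the spoofed pattern.
    expected = org_domains | {from_domain}
    foreign = sorted({msgid_domain(m) for m in claimed} - expected)
    if foreign:
        findings.append("referenced Message-IDs belong to unrelated domains: " + ", ".join(foreign))
    return findings
```

The sent-mail index is the part that makes this useful: a reply addressed into your organization that references no Message-ID you ever sent is the signal this campaign left behind.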

Delivery infrastructure

For this campaign, attackers registered typo-squatted domains for over 120 different organizations to impersonate actual businesses. We observed patterns in using the correct domain name but an incorrect TLD, or slightly spelling the company name wrong. These domains were registered just days before this email campaign began.

We noted that these domains did not have domain privacy enabled, nor were they under the EU’s GDPR protections. Each domain used a unique registrant name and email. The registrant names appeared to be autogenerated random first names and last names, and the registrant contact email used a free email service such as Gmail or with accounts that were often simply <first name>.<last name> or similar. Each name was used to register just one domain used in the campaign, which made pivoting to related domains more challenging.

Another observation about this campaign is that the registered domains did not always align with the organization being impersonated in the email. This could have been a mistake on the actor’s part, as BEC domains are typically designed to closely mimic the impersonated organization. For example, an actor may register or, both of which would normally be used to send emails pretending to originate from Microsoft. In this campaign, those types of homoglyphed and typo-squatted domains were used to send emails pretending to originate from a variety of organizations.

Our in-depth research into this campaign’s delivery infrastructure directly informed the protection Microsoft provides against this BEC threat.

How Microsoft security solutions combat BEC campaigns

Microsoft Defender for Office 365 defends organizations against malicious threats posed by this BEC campaign.

For a better understanding on how Defender for Office 365 protects against BEC attacks, you can refer to our blog post about detecting user and domain impersonation at scale in a fast-evolving attack landscape. Email authentication in Defender for Office 365 allows you to verify whether email messages from a sender are legitimate and come from expected sources for that email domain. Email standards like SPF, DKIM, and DMARC are evaluated by Office 365 to prevent domain spoofing. Our spoof intelligence technology uses advanced algorithms to observe the sending patterns of domains and flag anomalies.

You can strengthen your security posture further by empowering employees through user awareness tools in Defender for Office 365 that are integrated into products like Outlook and Office 365 apps. For instance, attack simulation training in Defender for Office 365 allows you to craft and run realistic BEC-like attack scenarios in your organization.

As these threats are always changing and evolving, Microsoft has dedicated research teams who constantly stay abreast of the changing threat landscape and combine that knowledge with our extensive customer telemetry data to stay current on BEC and other attacks.

Microsoft’s portfolio of security products processes trillions of signals every day. This signal base drives constant improvements to the artificial intelligence layers backing our protection and detection systems. Microsoft threat analysts leverage these signals to track actors, infrastructure, and techniques used in phishing and BEC attacks to ensure Defender for Office 365 stays ahead of current and future threats.

Defender for Office 365 equips security operations teams with automated threat investigation and response capabilities to understand, simulate, and prevent email-related threats. Defender for Office 365 enables you to define threat protection policies to set up the appropriate level of protection for your organization, while allowing you to view and monitor real-time reports. Learn more about Microsoft Defender for Office 365.

Microsoft 365 Defender Threat Intelligence Team

The post Business email compromise campaign targets wide range of orgs with gift card scam appeared first on Microsoft Security.

Business email compromise: How Microsoft is combating this costly threat

Microsoft Malware Protection Center - Thu, 05/06/2021 - 12:00pm

Amongst all cybercrime, phishing attacks continue to be the most prevalent today. With over 90 percent of attacks coming via email, it’s important that every organization has a plan to prevent these threats from reaching users. At Microsoft, we’re passionate about providing our customers with simplified and comprehensive protection against such threats with Defender for Office 365. Earlier today, we announced that Microsoft is positioned as a leader in The Forrester Wave: Email Security, Q2 2021. This represents the latest validation of our relentless effort, strategy, and focus to keep our customers secure and offer industry-leading protection against threats orchestrated over email and collaboration tools.

One such threat that has been making waves recently is a class of phishing attacks called business email compromise (BEC). BEC is also proving to be one of the costliest flavors of attacks to organizations—the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) recorded almost 20,000 complaints of business email compromise in 2020 alone, with adjusted losses of over $1.8 billion according to their recent IC3 report. What’s more, BEC attacks continue to increase in scope and sophistication. No wonder then that business email compromise is a top concern for CISOs across the globe, especially in a climate where remote work and collaboration have increased significantly.

We at Microsoft share that concern. And that is why we’ve been working aggressively to protect customers by detecting and blocking such attacks through innovation in our products and by staying ahead of current and future threats through research. Additionally, through the Digital Crimes Unit at Microsoft, we have been working to disrupt and thwart such attack networks in partnership with law enforcement.

What is business email compromise?

The term itself has seen an evolution over the years, but quite simply business email compromise (BEC) is a type of phishing attack that targets organizations with a view to steal money or sensitive information. At its core, it’s a social engineering attack, where the attacker looks to dupe the target into believing that they are interacting with a trusted entity. Once they have deceived their target, the attacker proceeds to coax them to share valuable information or process a payment.

These attacks are sometimes referred to as ‘CxO Fraud’ or ‘vendor compromise,’ taking the name of the entity the attacker is claiming to be.

How are these attacks orchestrated?

BEC attacks are so dangerous and costly that we recently devoted an entire blog series to this topic in an effort to raise visibility and help protect customers. The blog series covers the various types of tactics used in BEC attacks and the different levels of sophistication we see in these attacks. But I’ll summarize some top takeaways here:

Generally, the attacker uses one of the tactics below to dupe a target.

  • Look-alike tactics (like domain or user impersonation):
    • For example, the attacker can forge the email properties of an email to make the sender appear to be a trusted entity. They can achieve this by using the same display name, even if using a different address. Or they can choose very subtle changes in the user part or domain part of the email address to make the email appear visually similar to a trusted email address, such as (notice the ‘0’ instead of ‘o’—which upon cursory inspection, might not be obvious to the target).
  • Exact-domain spoofing:
    • In this case, the attacker forges the email to use the exact same email address as the ‘trusted entity’—but sent from an email infrastructure they own. This is made possible by improperly protected domains (Email domains without domain authentication standards like DMARC enforced).
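The look-alike tactics just listed (a ‘0’ swapped for an ‘o’, a correct name under the wrong TLD, a slightly misspelled company name, as also seen in the gift card campaign’s registrations described earlier on this page) can be screened for on inbound sender domains. This is an added defensive example, not Microsoft’s code; the campaign’s actual domains are not reproduced on the page, so every domain below is constructed.

```python
# Constructed: the organisation's own domains. Every look-alike tested against
# them is likewise made up.
PROTECTED = ["examplecorp.com", "examplecorp.co.uk"]

# Public suffixes that span two labels. Assumption: this short hand-picked set
# stands in for the full Public Suffix List a real deployment would use.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Characters and digraphs attackers swap for visually similar ones ("0" for "o").
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def split_domain(domain):
    """Return (registrable name, public suffix) for a domain, lowercased,
    ignoring any subdomain labels in front of the registrable name."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def fold_homoglyphs(name):
    """Map confusable characters to their canonical look-alike, digraphs first."""
    for glyph, canonical in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        name = name.replace(glyph, canonical)
    return name


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, each at cost 1 (so 'exampel' vs 'example' is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_findings(sender_domain, protected=PROTECTED):
    """Return (protected_domain, reason) pairs for every protected domain the
    sender domain imitates; [] for one of our own domains or an unrelated one."""
    name, suffix = split_domain(sender_domain)
    splits = [(p, split_domain(p)) for p in protected]
    if any((name, suffix) == ps for _, ps in splits):
        return []  # the sender really is one of our domains (or a subdomain)
    findings = []
    for pdom, (pname, psuffix) in splits:
        if name == pname:
            reason = "wrong TLD"            # right name, e.g. .net instead of .com
        elif fold_homoglyphs(name) == fold_homoglyphs(pname):
            reason = "homoglyph"            # e.g. '0' in place of 'o'
        elif osa_distance(name, pname) == 1:
            reason = "typo"                 # one-character slip or transposition
        elif pname in name.split("-") or name.startswith(pname) or name.endswith(pname):
            reason = "added token"          # brand name with an extra word attached
        else:
            continue
        findings.append((pdom, reason))
    return findings
```

A non-empty result is a reason to treat the message as impersonation, regardless of how convincing the display name or quoted thread looks.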

To learn more about these attacks and how they work, check out the first blog in our recent series.

What is Microsoft doing to combat security threats?

Microsoft has been working on a multi-pronged approach to keep customers safe. One that leverages our massive scale of optics and signals across our service portfolio to drive advancements in three dimensions:

  • Product innovation.
  • Research focus to keep track of ever-shifting campaigns and strategies.
  • Fighting crime and taking down attack networks.

Product innovation in Microsoft Defender for Office 365

Defender for Office 365 offers customers unparalleled protection from business email compromise and other attacks such as credential phishing, whaling, malware, ransomware, and much more that might be orchestrated over email or other collaboration vectors. In an era of ever-increasing cybercrime, protection from such attacks is critical for organizations to safeguard their users.

The massive scale of protection offered means that each month Defender for Office 365 detects and blocks close to 40 million emails containing BEC tactics. We block 100 million emails with malicious credential phishing links each month. And each month, we detect and thwart thousands of user compromise activities.

This level of protection is paired with innovative and comprehensive product capabilities that span the different spheres of protection captured below—blocking and detecting threats, maximizing the efficiency and effectiveness of security teams as they investigate, hunt for and respond to threats, and focusing on capabilities that help raise end-user awareness and preparedness for these social engineering attacks. All of these play a critical role in protecting organizations from BEC attacks. To learn more about these capabilities, check out the second blog from the BEC series.

Figure 1:  Microsoft Defender for Office 365 capabilities

Research powered by human intelligence and artificial intelligence

Across Microsoft’s portfolio of security products, we process trillions of signals every single day. This massive signal base drives constant improvements to the artificial intelligence layers backing our protection and detection systems. We pair that with our top-notch dedicated research teams. This human intelligence layer of the Microsoft 365 Defender Threat Research team leverages these signals to track actors, infrastructure, and techniques used in phishing and BEC attacks to ensure Defender for Office 365 stays ahead of current and future threats.

Our most recent research into BEC provides an investigation of a campaign that uses attacker-created email infrastructure to facilitate monetary theft through gift cards. To learn more about this campaign, read the blog post we published.

Fighting cybercrime—Digital Crimes Unit

Microsoft’s Digital Crimes Unit (DCU) focuses on fighting cybercrime through a combination of technology, forensics, civil actions, and partnerships with law enforcement, often involving criminal case referrals. DCU actively tracks and takes down cybercriminals and the infrastructure they use. A good example of this is how Microsoft took legal action against COVID-19-related cybercrime.

In 2020 alone, DCU’s efforts led to the removal of almost 745,000 phishing URLs and the closure of more than 3,500 malicious email accounts.

Take steps now to protect your organization

Fighting cybercrime and eliminating costly breaches is going to take all of us. At Microsoft, we’ll continue to focus on the pivots we covered above to keep our customers protected. But to supplement that, it’s important that each and every organization take the threat of business email compromise seriously. CISOs need to ask themselves: Do we have the right level of protection against these attacks?

In the third blog of the series, we’ve included a set of recommendations that you can take to protect yourself now. These are important measures to take to protect your users against a possibly expensive breach:

  1. Upgrade to an email security solution that provides advanced phishing protection, business email compromise detection, internal email protection, and account compromise detection.
  2. Complement email security with user awareness and training.
  3. Implement multi-factor authentication to prevent account takeover and disable legacy authentication.
  4. Review your protection against domain spoofing.
  5. Implement procedures to authenticate requests for financial or data transactions and move high-risk transactions to more authenticated systems.

The post Business email compromise: How Microsoft is combating this costly threat appeared first on Microsoft Security.

Stopping Carbanak+FIN7: How Microsoft led in the MITRE Engenuity® ATT&CK® Evaluation

Microsoft Malware Protection Center - Wed, 05/05/2021 - 6:00pm

In MITRE Engenuity’s recent Carbanak+FIN7 ATT&CK Evaluation, Microsoft demonstrated that we can stop advanced, real-world attacks by threat actor groups with our industry-leading security capabilities.

In this year’s evaluation, we engaged our unified Microsoft 365 Defender stack, with market-leading capabilities in Microsoft Defender for Endpoint and Microsoft Defender for Identity collaborating to provide:

  • Best overall protection: In the protection test, Microsoft Defender for Endpoint blocked all steps of the attack, and did so earliest in the attack chain compared to other vendors. This means that organizations protected by Microsoft Defender for Endpoint would have been the least affected in a real attack, as the attack would have been blocked at the very beginning.
  • Superior detection and protection on Linux: Microsoft Defender for Endpoint was one of only a handful of vendors that detected all the attack steps on Linux and blocked the attack overall, all while providing exceptional visibility into Linux file server activity.
  • Excellent detection and attack chain visibility: Microsoft provided 100 percent coverage of attack chain steps, with more than 1,700 detections combined into two comprehensive incidents representing each of the end-to-end attacks. 87 percent of the techniques were covered while maintaining security operation center (SOC) efficiency.

Coordinated detection and visibility across Microsoft 365 Defender combined with automation, prioritization, and prevention were key to stopping these advanced attacks.

It’s important to note that Microsoft operated in the ATT&CK Evaluation exactly as it does in customer environments: with out-of-the-box protection and detection delivered by automated AI and behavioral algorithms. No special “aggressive mode” was needed, nor were there any performance gaps. And while detection performance is what’s mainly measured by the evaluation, it’s equally important to see how attack activities—including alerts, techniques, and impacted assets—were correlated together into a coherent end-to-end attack story. For security teams, the user experience matters since it’s critical for the SOC analyst to have the ability to investigate and respond to such attacks effectively.

Best protection means threats are prevented from affecting your assets

This year’s MITRE Engenuity Carbanak+FIN7 Evaluation offered a new benchmark: measuring whether participants are able to prevent an advanced attack. We believe empowered protection is more than attack awareness; preventing attacks is critical to successfully securing the enterprise.

While many vendors chose not to participate in the MITRE Engenuity protection evaluation, Microsoft was positioned at the top of protection test capabilities, as shown in the diagram below, by blocking the attack simulation at the earliest stage on every test. Microsoft Defender for Endpoint blocked and alerted precisely where the simulated attack could have been completely prevented, offering a clear alert story of the prevented attack.

Figure 1: Number of tests in which the vendor blocked the attack at the earliest stage possible. Microsoft successfully blocked at the earliest possible point on six protection tests, more than any other vendor participating in the test. 

Microsoft delivers top-level cross-platform protection and detection

Microsoft Defender for Endpoint provides out-of-the-box full visibility, protection, and detection across a wide variety of platforms, including macOS, multiple Linux flavors, Android, and iOS.

This year, MITRE Engenuity emphasized the importance of cross-platform protection by including an attack on a Linux file server, including advanced techniques such as system discovery, data collection, and lateral movement across Windows and Linux using remote service or pass-the-hash. A protection test was also simulated for the Linux platform.

Microsoft earned the best coverage results in all attack steps on Linux. As the diagram below shows, Microsoft Defender for Endpoint detected 100 percent of the simulated Linux attack techniques. In the protection test, it blocked the attack at the first stage of execution, making Microsoft one of the four top vendors for Linux protection and detection.

Figure 2: Emulation steps executed on Linux. Each column represents the number of techniques detected by the vendor. The vendors that blocked the attack at the earliest stage are represented in light blue.

An incident-based approach enables real-time threat prioritization and remediation

In the detection test, where protection was intentionally turned off, Microsoft demonstrated exceptional depth of coverage and visibility across all 20 tested attack stages and across different platforms. Microsoft provided coverage for 87 percent of the techniques tested, representing end-to-end detection across the attack chain, including the most advanced steps.

Figure 3: Total detection counts across vendors, showing leading detection coverage from Microsoft. Microsoft also correlated all the alerts into two incidents (representing distinct attacks), reducing alert queue noise and ensuring a more efficient and effective investigation of the attack. 

We know the pain of security teams who must deal with alert load and queue fatigue, so Microsoft Defender for Endpoint uses its deep understanding of attack patterns and progression to correlate alerts, telemetry, and impacted assets and group them into a smaller set of comprehensive incidents. In this evaluation, this correlation resulted in two incidents, one for each attack simulation, reducing the queue to just two work items to investigate. Incidents enable SOC analysts to review the entire scope of the attack, including all alerts, blocking actions, and all supporting evidence, in a single consolidated view.
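The grouping described above can be illustrated with a small correlation routine. This is an added example, not Microsoft Defender for Endpoint's correlation engine: alerts that share a device, a user or a file hash are merged into one incident with a union-find, and an entity that appears in too many alerts (a shared admin account, say) can be excluded as a link so it does not merge unrelated activity. The alert records are constructed sample data, not evaluation output.

```python
"""Correlate endpoint alerts into incidents by the entities they share.

Added example, not Microsoft Defender for Endpoint's correlation engine: it
illustrates the idea in the text (alerts that touch the same device, user or
file are grouped into one incident) with a union-find over shared entity keys.
The alert records are constructed sample data, not evaluation output.
"""
from collections import defaultdict

# Constructed alerts from two unrelated simulated intrusions (hypothetical values).
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Suspicious scheduled task created", "device": "ws-01", "user": "alice", "sha256": "hash-renamed-wscript"},
    {"id": "a2", "title": "Renamed script host executed", "device": "ws-01", "user": "alice", "sha256": "hash-renamed-wscript"},
    {"id": "a3", "title": "Remote service created", "device": "srv-02", "user": "alice", "sha256": None},
    {"id": "a4", "title": "Browser credential store read", "device": "srv-02", "user": "svc-backup", "sha256": None},
    {"id": "a5", "title": "Malicious document opened", "device": "ws-09", "user": "bob", "sha256": "hash-maldoc"},
    {"id": "a6", "title": "Connection to rare external host", "device": "ws-09", "user": "bob", "sha256": None},
]

# Alert fields whose values are treated as shared entities.
ENTITY_FIELDS = ("device", "user", "sha256")


class _DisjointSet:
    """Minimal union-find keyed by alert id."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(alerts, fields=ENTITY_FIELDS, max_fanout=None):
    """Group alerts into incidents.

    Two alerts land in the same incident when they share an entity value, or
    are linked through a chain of such alerts. An entity value seen in more
    than max_fanout alerts is ignored as a link, so one noisy account or hash
    cannot collapse the whole queue into a single incident.
    """
    ds = _DisjointSet([a["id"] for a in alerts])
    by_entity = defaultdict(list)
    for a in alerts:
        for f in fields:
            value = a.get(f)
            if value is not None:
                by_entity[(f, value)].append(a["id"])
    for ids in by_entity.values():
        if max_fanout is not None and len(ids) > max_fanout:
            continue  # too common to be a meaningful link
        for other in ids[1:]:
            ds.union(ids[0], other)

    groups = defaultdict(list)
    for a in alerts:  # alert order is preserved inside each incident
        groups[ds.find(a["id"])].append(a)
    incidents = []
    for members in groups.values():
        incidents.append({
            "alert_ids": [m["id"] for m in members],
            "titles": [m["title"] for m in members],
            "devices": sorted({m["device"] for m in members if m.get("device")}),
            "users": sorted({m["user"] for m in members if m.get("user")}),
        })
    # Largest incident first so the analyst sees the widest-scope attack at the top.
    incidents.sort(key=lambda inc: (-len(inc["alert_ids"]), inc["alert_ids"][0]))
    return incidents


if __name__ == "__main__":
    for n, inc in enumerate(correlate(SAMPLE_ALERTS), start=1):
        print(f"incident {n}: {len(inc['alert_ids'])} alerts, devices={inc['devices']}, users={inc['users']}")
```

With the six constructed alerts the queue collapses to two incidents, one per simulated intrusion; with `max_fanout=2` the account `alice` (seen in three alerts) stops acting as a link and the first intrusion splits into two incidents, which is the trade-off between noise reduction and over-merging that any correlation rule has to tune.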

Figure 4: Microsoft 365 security center showing an incident view for one of the two simulated MITRE Engenuity attacks, including all correlated alerts, detections, affected assets, and supporting evidence

Each incident provides a summary of impacted devices and users to help analysts triage and prioritize at a glance. Details of alerted attack stages and related activities are mapped to MITRE ATT&CK tactics and techniques, summarizing in common language “what was done” (techniques) and “why it was done” (tactics), along with all collected evidence. Incidents provide full visibility into telemetry, down to process execution sequences for each stage of the simulated attack scenarios, including initial access, deployment of tools, discovery, persistence, credential access, lateral movement, and exfiltration.

Figure 5: Microsoft delivered 100 percent technique/tactic coverage of evaluation steps executed by MITRE on the first day (Carbanak). This diagram describes the purpose of the simulation steps and indicates Microsoft coverage for each.

Figure 6: Microsoft delivered 100 percent technique/tactic coverage of evaluation steps executed by MITRE on the second day (FIN7). This diagram describes the purpose of the simulation steps and indicates Microsoft coverage for each.

Figure 7: Microsoft 365 security center showing a series of related endpoint alerts, demonstrating how Microsoft successfully correlated alerts together across the attack stages and exposed detailed data on each attack step. 

Figure 8: Microsoft 365 security center showing details of one of the endpoint alerts: a suspicious scheduled task. This view offers analysts in-context expanded views of the task name, the technique, and the process involved, in this case a renamed wscript.exe.

Microsoft recently expanded the use of MITRE ATT&CK tactics and techniques across its security portfolio, including alerted execution sequences and detailed device timelines, transforming telemetry into logical attacker activities mapped to MITRE ATT&CK techniques. This further improves the investigation and hunting experience for defenders, helping to tell the story of the attack, provide rich context, and drive the response process.

Figure 9: Microsoft 365 security center showing detailed device timeline, exposing events as well as a technique for credential access to enumerate credentials from web browsers. 

Figure 10: Microsoft Defender Security Center showing the second-day attack incident page, Evidence tab. SOC analysts can use this view to see and take one-click remedial actions on all the files, processes, IPs, and URLs involved in the attack.

Unique cross-domain visibility is critical to defending against modern attacks

The powerful capabilities of Microsoft 365 Defender originate from combining unique signals across endpoints, identity, email and data, and cloud apps. This combination of proficiencies delivers coverage where other solutions may lack visibility.

Lateral movement is a key stage in any advanced attack, where the attacker moves from asset to asset with the goal of gaining access to specific valuable information or to as many assets as possible for maximum damage. Identifying and tracking lateral movement is a critical phase in investigating attacks, establishing the scope, and removing the threat. The following are three examples of lateral movement simulated in this evaluation that were detected and exposed by Microsoft using signals from the different workloads, delivering full coverage on different aspects:

  • File transfer over SMB: Microsoft’s unique approach for detecting lateral movement attacks does not solely rely on endpoint-based command-line sequences, PowerShell strings, or file operations heuristics that can be evaded by advanced attackers. Microsoft leverages direct optics into the Domain Controller via Microsoft Defender for Identity and correlates identity signals with device telemetry via Microsoft Defender for Endpoint. Microsoft uses a combination of machine learning and protocol heuristics, looking at anomalies such as forged authorization data, nonexistent account, ticket anomaly, logon anomaly, and time anomaly. These signals are correlated with file, process, and memory operations between different devices. Microsoft 365 Defender is the only product that provided the SOC with context of the source and target machines, resources accessed, and identities involved.

Figure 11: Microsoft 365 Defender alert based on correlated signals using AI across identity and endpoint activity

  • Remote executions: Microsoft leverages exclusive signals from Microsoft Defender for Identity, which provides visibility and alerts for a large variety of anomalies in user behavior, including unexpected remote execution by a user. In the evaluation, Microsoft monitored user activity across devices and raised an automatic alert when a user was suspiciously logged in using pass-the-hash and ran a service on a new device.

Figure 12: Microsoft Defender for Identity alert on lateral movement by a compromised identity via remote service execution

  • System discovery: Microsoft Defender for Endpoint uses the Antimalware Scan Interface (AMSI) to detect suspicious activity in memory. While many vendors rely on process operations and command lines, in the evaluation Microsoft identified a system discovery activity running in PowerShell memory via AMSI. Detection algorithms analyzed the script loaded into memory and identified a discovery activity executed by the PowerShell process. Catching this activity identified lateral movement at an early stage, when the attacker was still learning the environment, and allowed quick remediation of the attack.

Figure 13: Microsoft 365 security center showing alert on system discovery using WMI. Activity detected by analyzing AMSI content from PowerShell

Real-life protection delivered, as-is, out of the box

Microsoft believes protection must be provided out of the box as automated AI-driven expert systems built into our security product portfolio. Our products should require minimal to no manual custom tuning or configuration to detect and protect, and they must be optimized to reduce false alerts, which are the main cause of friction and fatigue.

We brought to the MITRE Engenuity simulation environment the exact same product that customers deploy to their production environments with no special or aggressive test-optimized settings that may affect performance or degrade real user productivity. The same level of alert coverage, accuracy (not measured by MITRE Engenuity in the test), visibility, and investigation experience is reflected in production deployments as it was in the test.

A final word

As mentioned in our initial blog on the MITRE Engenuity FIN7+Carbanak Evaluation, we are excited to collaborate and contribute to the evolution of this evaluation from one year to the next. It’s an opportunity for us to test the efficacy of our solutions and contribute to the security community as a whole. This is only one part of the greater collaboration and contribution efforts that Microsoft is focused on in the industry to strengthen defenses and respond to attacks. As we have seen in recent months, with attacks becoming more coordinated and sophisticated, community collaboration and sharing such as this can help us all take the steps needed for a safer world. We again thank MITRE Engenuity for this opportunity and very much look forward to our continued partnership and the next evaluation.

Learn more about Microsoft 365 Defender and Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. Take advantage of Microsoft’s unrivaled threat optics and proven capabilities. Learn more about Microsoft 365 Defender or Microsoft Defender for Endpoint, and sign up for a trial today.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Stopping Carbanak+FIN7: How Microsoft led in the MITRE Engenuity® ATT&CK® Evaluation appeared first on Microsoft Security.

How to apply a Zero Trust approach to your IoT solutions

Microsoft Malware Protection Center - Wed, 05/05/2021 - 9:00am

For many, 2020 was a year of survival as they rapidly transformed their businesses in response to a new normal. From enabling new remote and hybrid work models to implementing new technology to help optimize operations, the last year has seen a significant uptick in the proliferation and role of IoT devices. Many organizations have suddenly found themselves facing an expanded attack surface area with new security challenges they were not fully prepared for.

IoT solutions need to be secured end-to-end, all the way from the device to the cloud or hybrid service that the data is processed in. Securing IoT devices presents a couple of additional layers of complexity because of the incredible diversity in design, hardware, operating systems, deployment locations, and more. For example, many are “user-less” and run automated workloads, presenting challenges when integrating into existing identity and access management tools. Many IoT devices have also been deployed using infrastructure and equipment not originally designed for a connected world or have limited capabilities and connectivity, making them challenging to secure. And because IoT devices are typically deployed in diverse environments—ranging from inside factories or office buildings to remote worksites or critical infrastructure—they’re exposed in unique ways and can offer high-value targets to attackers.

Figure 1: Technical characteristics of IoT and their challenges.

Embracing Zero Trust for your IoT solutions

As organizations continue to drive their digital transformation efforts, especially through the increased deployment of IoT solutions, it quickly becomes clear that the current approach to securing and managing these devices needs to be adapted to the reality of their environment. Enter Zero Trust, the security model that assumes breach and treats every access attempt as if it originates from an open network.

In October 2019, we published a whitepaper with our official guidance on implementing a Zero Trust security model, which breaks down Zero Trust requirements across identities, endpoints, apps, networks, infrastructure, and data. This paper provides a strong starting point to assess your current Zero Trust maturity, prioritize security efforts to maximize impact, and get a foundational understanding of overall capabilities and requirements. If you haven’t read it, we highly recommend starting there as everything we discuss from here on will build on the requirements in that model.

A practical approach for implementing Zero Trust for IoT

Securing IoT solutions with a Zero Trust security model starts with requirements that are not IoT-specific: ensuring you have implemented the basics of securing identities and their devices and limiting their access. These include explicitly verifying users, having visibility into the devices they’re bringing onto the network, and being able to make dynamic access decisions using real-time risk detections. This helps limit the potential blast radius of users gaining unauthorized access to IoT services and data in the cloud or on-premises, which can lead to both mass information disclosure (like leaked production data of a factory) and potential elevation of privilege for command and control of cyber-physical systems (like stopping a factory production line).

Once those requirements are met, we can shift our focus to the specific Zero Trust requirements for IoT solutions:

  • Strong identity to authenticate devices. Register devices, issue renewable credentials, employ passwordless authentication, and use a hardware root of trust to ensure you can trust the device’s identity before making decisions.
  • Least privileged access to mitigate blast radius. Implement device and workload access control to limit any potential blast radius from authenticated identities that may have been compromised or running unapproved workloads.
  • Device health to gate access or flag devices for remediation. Check security configuration, assess for vulnerabilities and insecure passwords, and monitor for active threats and anomalous behavioral alerts to build ongoing risk profiles.
  • Continual updates to keep devices healthy. Utilize a centralized configuration and compliance management solution and a robust update mechanism to ensure devices are up to date and in a healthy state.
  • Security monitoring and response to detect and respond to emerging threats. Employ proactive monitoring to rapidly identify unauthorized or compromised devices.
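The five requirements above come together at the moment a device asks for access. The routine below is an added example, not Microsoft's or Azure IoT's policy engine: it takes a device's identity, privilege, health and update state, denies on hard failures (expired or software-only credential, scope not granted, default password, active alert, firmware more than a patch release behind) and, where the text says to "flag devices for remediation", allows the request but records what needs fixing. The device fields, the version rule and the sample devices are assumptions constructed for illustration.

```python
"""Gate an IoT device's access request on the Zero Trust requirements listed
above: identity, least privilege, device health and currency of updates.
Added example, not Microsoft's or Azure IoT's policy engine; the device fields,
version rule and sample devices are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DeviceState:
    device_id: str
    credential_expires: datetime   # renewable credential issued at registration
    hardware_rooted: bool          # identity key held in a hardware root of trust
    firmware_version: str
    default_password_present: bool
    active_threat_alert: bool
    allowed_scopes: frozenset      # workload-specific permissions granted to this device


@dataclass
class Decision:
    allow: bool
    deny_reasons: list = field(default_factory=list)
    remediation: list = field(default_factory=list)  # recorded even when access is allowed


def parse_version(v):
    """'2.4.1' -> (2, 4, 1); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def evaluate(dev, requested_scope, now, current_firmware):
    d = Decision(allow=True)
    # 1. Strong identity: an expired or software-only credential is not trusted.
    if now >= dev.credential_expires:
        d.deny_reasons.append("credential expired")
        d.remediation.append("renew credential")
    if not dev.hardware_rooted:
        d.deny_reasons.append("identity not hardware-rooted")
    # 2. Least privilege: only scopes explicitly granted to this device.
    if requested_scope not in dev.allowed_scopes:
        d.deny_reasons.append(f"scope '{requested_scope}' not permitted")
    # 3. Device health: insecure passwords and active threats gate access.
    if dev.default_password_present:
        d.deny_reasons.append("default password present")
        d.remediation.append("rotate device password")
    if dev.active_threat_alert:
        d.deny_reasons.append("active threat alert")
    # 4. Updates: a missed patch release is flagged for remediation;
    #    a missed minor or major release gates access (assumed rule).
    have, want = parse_version(dev.firmware_version), parse_version(current_firmware)
    if have < want:
        d.remediation.append(f"update firmware {dev.firmware_version} -> {current_firmware}")
        if have[:2] < want[:2]:
            d.deny_reasons.append("firmware too far behind")
    d.allow = not d.deny_reasons
    return d


# Constructed evaluation context and sample devices (hypothetical values).
NOW = datetime(2021, 5, 5, tzinfo=timezone.utc)
CURRENT_FIRMWARE = "2.4.1"
HEALTHY = DeviceState("sensor-017", NOW + timedelta(days=30), True, "2.4.1",
                      False, False, frozenset({"telemetry:send"}))
PATCH_BEHIND = DeviceState("sensor-042", NOW + timedelta(days=30), True, "2.4.0",
                           False, False, frozenset({"telemetry:send"}))
SUSPECT = DeviceState("gateway-003", NOW - timedelta(days=2), True, "2.2.9",
                      True, False, frozenset({"telemetry:send"}))

if __name__ == "__main__":
    for dev, scope in ((HEALTHY, "telemetry:send"), (PATCH_BEHIND, "telemetry:send"),
                       (SUSPECT, "actuator:write")):
        d = evaluate(dev, scope, NOW, CURRENT_FIRMWARE)
        print(dev.device_id, "allow" if d.allow else "deny", d.deny_reasons, d.remediation)
```

The point of returning both lists is the fifth requirement, monitoring and response: every decision, allowed or not, feeds the device's ongoing risk profile, and the remediation list is what a configuration-management pipeline acts on to bring the device back to a healthy state.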

Today, we’re publishing a new whitepaper on how to apply a Zero Trust approach to your IoT solutions based on our experience helping other customers and securing our own environment. In this whitepaper, we break down the requirements above in more detail as well as provide guidance on applying Zero Trust to your existing IoT infrastructure. Finally, we’ve also included criteria to help select IoT devices and services for a Zero Trust environment.

Read the Zero Trust Cybersecurity for the Internet of Things whitepaper for full details.

Additional resources:

Watch The IoT Show: Zero Trust for IoT for a Channel9 interview where I explain the key capabilities of Zero Trust for IoT and how Microsoft solutions enable your journey.

Watch the playback of this week’s Azure IoT Security Summit for an overview of our IoT Security solutions and guidance on how to prevent security breaches, address weak spots, and monitor the health of your IoT devices in near real-time to find and eliminate threats.   

For more information about Microsoft Zero Trust please visit our website. Check out our deployment guides for step-by-step technical guidance.


The post How to apply a Zero Trust approach to your IoT solutions appeared first on Microsoft Security.

AI security risk assessment using Counterfit

Microsoft Malware Protection Center - Mon, 05/03/2021 - 12:00pm

Today, we are releasing Counterfit, an automation tool for security testing AI systems, as an open-source project. Counterfit helps organizations conduct AI security risk assessments to ensure that the algorithms used in their businesses are robust, reliable, and trustworthy.

AI systems are increasingly used in critical areas such as healthcare, finance, and defense. Consumers must have confidence that the AI systems powering these important domains are secure from adversarial manipulation. For instance, one of the recommendations from Gartner’s Top 5 Priorities for Managing AI Risk Within Gartner’s MOST Framework published in Jan 2021 [1] is that organizations “Adopt specific AI security measures against adversarial attacks to ensure resistance and resilience,” noting that “By 2024, organizations that implement dedicated AI risk management controls will successfully avoid negative AI outcomes twice as often as those that do not.”

However, performing security assessments of production AI systems is nontrivial. Microsoft surveyed 28 organizations, spanning Fortune 500 companies, governments, non-profits, and small and medium-sized businesses (SMBs), to understand the current processes in place to secure AI systems. We found that 25 out of 28 businesses indicated they don’t have the right tools in place to secure their AI systems and that security professionals are looking for specific guidance in this space.

This tool was born out of our own need to assess Microsoft’s AI systems for vulnerabilities with the goal of proactively securing AI services, in accordance with Microsoft’s responsible AI principles and Responsible AI Strategy in Engineering (RAISE) initiative. Counterfit started as a corpus of attack scripts written specifically to target individual AI models, and then morphed into a generic automation tool to attack multiple AI systems at scale.

Today, we routinely use Counterfit as part of our AI red team operations. We have found it helpful to automate techniques in MITRE’s Adversarial ML Threat Matrix and replay them against Microsoft’s own production AI services to proactively scan for AI-specific vulnerabilities. Counterfit is also being piloted in the AI development phase to catch vulnerabilities in AI systems before they hit production.

To ensure that Counterfit addresses a broader set of security professionals’ needs, we engaged with a diverse profile of partners spanning large organizations, SMBs, and governmental organizations to test the tool against their ML models in their environments.

“AI is increasingly used in industry; it is vital to look ahead to securing this technology particularly to understand where feature space attacks can be realized in the problem space. The release of open-source tools from an organization such as Microsoft for security practitioners to evaluate the security of AI systems is both welcome and a clear indication that the industry is taking this problem seriously.”

Matilda Rhode, Senior Cybersecurity Researcher, Airbus

Three key ways Counterfit is flexible

As a result of internal and external engagements, Counterfit is flexible in three key ways:

  1. Counterfit is environment agnostic—it can help assess AI models hosted in any cloud environment, on-premises, or on the edge.
  2. Counterfit is model agnostic—the tool abstracts the internal workings of AI models so that security professionals can focus on security assessment.
  3. Counterfit strives to be data agnostic—it works on AI models using text, images, or generic input.

Under the hood, Counterfit is a command-line tool that provides a generic automation layer for adversarial AI frameworks such as Adversarial Robustness Toolbox and TextAttack. Our tool makes published attack algorithms accessible to the security community and helps to provide an extensible interface from which to build, manage, and launch attacks on AI models.

Designed for security professionals

Counterfit uses workflows and terminology similar to popular offensive tools that security professionals are already familiar with, such as Metasploit or PowerShell Empire. Security professionals can benefit from the tool in the following ways:

  • Penetration testing and red teaming AI systems: The tool comes preloaded with published attack algorithms that can be used to bootstrap red team operations to evade and steal AI models. Since attacking AI systems also involves elements of traditional exploitation, security professionals can use the target interface and built-in cmd2 scripting engine to hook into Counterfit from existing offensive tools. Additionally, the target interface can allow for granular control over network traffic. We recommend using Counterfit alongside Adversarial ML Threat Matrix, which is an ATT&CK style framework released by MITRE and Microsoft for security analysts to orient to threats against AI systems.

  • Vulnerability scanning for AI systems: The tool can help scan AI models using published attack algorithms. Security professionals can use the defaults, set random parameters, or customize them for broad vulnerability coverage of an AI model. Organizations with multiple models in their AI system can use Counterfit’s built-in automation to scan at scale. Optionally, Counterfit enables organizations to scan AI systems with relevant attacks any number of times to create baselines. Running this system regularly, as vulnerabilities are addressed, also helps to measure ongoing progress toward securing AI systems.
  • Logging for AI systems: Counterfit also provides logging to record the attacks against a target model. Telemetry may help data science and engineering teams improve their understanding of failure modes in their AI systems.
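The scanning, baselining and logging use cases above share one shape: a model is reached only through its predictions, a set of inputs is perturbed within a small budget, and the results are recorded so a later scan can be compared against them. The block below is an added example of that shape, not Counterfit's code or its target interface: it wraps two constructed linear classifiers behind a `predict()` call, probes each sample at the corners of a small L-infinity ball, and emits a per-model record that serves as both the scan result and the log entry. The models, the inputs and the `LinearTarget` wrapper are assumptions.

```python
"""Black-box robustness scan across several models, in the spirit of the
vulnerability-scanning and baselining use described above. Added example: this
is not Counterfit's code or its target interface, and the two linear 'models'
and the sample inputs are constructed for illustration.
"""
import itertools


class LinearTarget:
    """Hypothetical target wrapper: the scanner only needs a predict() call,
    so the model's internals stay opaque (the 'model agnostic' property)."""

    def __init__(self, name, weights, bias):
        self.name, self.weights, self.bias = name, weights, bias

    def predict(self, x):
        score = sum(w * xi for w, xi in zip(self.weights, x)) + self.bias
        return 1 if score > 0 else 0


def probe(target, x, eps):
    """Try every corner of the L-infinity ball of radius eps around x and
    return the first perturbation that changes the label, or None.
    Exhaustive corner search costs 2**len(x) queries, so it only suits tiny
    inputs; the frameworks named above use gradient- or search-based methods."""
    base = target.predict(x)
    for signs in itertools.product((-1.0, 1.0), repeat=len(x)):
        x_adv = [xi + s * eps for xi, s in zip(x, signs)]
        adv = target.predict(x_adv)
        if adv != base:
            return {"original_label": base, "adversarial_label": adv,
                    "perturbation": [s * eps for s in signs]}
    return None


def scan(target, samples, eps):
    """Scan one target; the returned record doubles as the log entry."""
    findings = []
    for i, x in enumerate(samples):
        hit = probe(target, x, eps)
        if hit is not None:
            hit["sample"] = i
            findings.append(hit)
    return {
        "target": target.name,
        "eps": eps,
        "tested": len(samples),
        "flipped": len(findings),
        "robust_fraction": 1 - len(findings) / len(samples),
        "findings": findings,
    }


def scan_all(targets, samples, eps):
    """Scan several models with the same inputs (scanning 'at scale')."""
    return [scan(t, samples, eps) for t in targets]


def compare_to_baseline(baseline, current):
    """Change in robust fraction per target since the baseline scan;
    a negative value means the model regressed."""
    base = {r["target"]: r["robust_fraction"] for r in baseline}
    return {r["target"]: r["robust_fraction"] - base.get(r["target"], 0.0) for r in current}


# Constructed 3-feature inputs and two constructed classifiers (hypothetical).
SAMPLES = [[0.1, 0.1, 0.1], [1.0, 1.0, 1.0], [-0.05, 0.3, -0.1], [-2.0, 0.5, 0.2]]
TARGETS = [
    LinearTarget("model-a", [1.0, 1.0, 1.0], 0.0),
    LinearTarget("model-b", [0.0, 0.0, 5.0], -0.25),  # leans on a single feature
]

if __name__ == "__main__":
    for report in scan_all(TARGETS, SAMPLES, eps=0.2):
        print(report["target"], "robust fraction:", report["robust_fraction"],
              "flipped samples:", [f["sample"] for f in report["findings"]])
```

Run with `eps=0.2`, model-a keeps its label on half of the inputs while model-b, which depends on one feature, keeps it on a quarter; the samples that sit close to a decision boundary are the ones that flip. Storing the returned records and feeding them to `compare_to_baseline` after each retraining is the "create baselines and measure ongoing progress" step the text describes.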

This tool is part of broader efforts at Microsoft to empower engineers to securely develop and deploy AI systems. We recommend using it alongside the following resources:

  • For security analysts to orient to threats against AI systems, Microsoft, in collaboration with MITRE, released an ATT&CK style Adversarial ML Threat Matrix complete with case studies of attacks on production ML systems.
  • For security incident responders, we released our own bug bar to systematically triage attacks on ML systems.
  • For industry practitioners and security professionals to develop muscle in defending and attacking ML systems, we hosted a realistic Machine Learning Evasion Competition.
  • For developers, we released threat modeling guidance specifically for ML systems.
  • For engineers and policymakers, Microsoft, in collaboration with Berkman Klein Center at Harvard University, released a taxonomy documenting various ML failure modes.
Learn more

To learn more about this effort:



[1] Gartner, Top 5 Priorities for Managing AI Risk Within Gartner’s MOST Framework, Avivah Litan, et al., 15 January 2021.

The post AI security risk assessment using Counterfit appeared first on Microsoft Security.

Center for Threat-Informed Defense teams up with Microsoft, partners to build the ATT&CK® for Containers matrix

Microsoft Malware Protection Center - Thu, 04/29/2021 - 1:00pm

The MITRE ATT&CK® for Containers matrix was published today, establishing an industry knowledge base of attack techniques associated with containerization and related technologies that are increasingly ubiquitous in the current computing landscape. Microsoft is happy to have contributed and worked closely with the Center for Threat-Informed Defense and other partners to develop this framework for understanding and investigating this growing attack surface.

The ATT&CK for Containers matrix builds on efforts including the threat matrix for Kubernetes developed by Microsoft for Azure Defender for Kubernetes. The Center for Threat-Informed Defense expanded on this initial framework by documenting real-world attacks, with Microsoft and other partners providing guidance and feedback throughout the process.

Building the ATT&CK for Containers matrix is helpful in understanding the risks associated with containers, including misconfigurations that are often the initial vector for attacks, as well as the specific implementation of attack techniques in the wild. This knowledge informs approaches for detecting threats, and thus helps in providing comprehensive protections, as more and more organizations adopt containers and container orchestration technologies like Kubernetes.

Organizations use containers to package software code, configuration files and libraries, and dependencies to enable fast software development and deployment. Containerization involves abstracting the OS and hardware. This abstraction creates scenarios where users are unaware that the base image of a container has exploitable vulnerabilities or where users may not pay close attention to what libraries and binaries are present on the images they’re using.

The convenience of platform-agnostic deployment of containers can benefit software developers, but it can also potentially benefit attackers aiming to run malware on multiple platforms. In addition, the ease in the deployment of containers can mean containers with vulnerabilities can be distributed across an organization as part of normal deployment operations.

Microsoft security coverage for threats and risks associated with containers

Microsoft delivers protection against container threats in two areas: on endpoints and on Kubernetes clusters.

Microsoft Defender for Endpoint detects threats on endpoints running container hosts, focusing on behavior commonly observed on endpoints, including attackers stealing locally stored credentials for accessing the cloud, downloading and running malicious images, and escalating privileges from Docker containers to the host. Below is a mapping of Microsoft Defender for Endpoint detections to the ATT&CK for Containers techniques.


Mapping of ATT&CK for Containers techniques to Microsoft Defender for Endpoint detections:

Valid Accounts
  • Suspicious cloud credential access
  • Unix credentials were illegitimately accessed
Unsecured Credentials
  • Suspicious cloud credential access
  • Unix credentials were illegitimately accessed
Build Image on Host
  • Malicious Docker image run
  • Suspicious network connection from Docker container
Deploy Container
  • Malicious Docker image run
  • Suspicious network connection from Docker container
User Execution: Malicious Image
  • Malicious Docker image run
  • Suspicious network connection from Docker container
Resource Hijacking
  • Malicious Docker image run
Container Resource Discovery
  • Suspicious kubectl exploratory command sequence
Exploit Public-Facing Application
  • Suspicious connection to unsecured Docker daemon
Escape to Host
  • Suspicious file opens by WSL

Detections of malicious or suspicious behaviors associated with containers are reported as alerts in the Microsoft 365 security center, enabling defenders to investigate and remediate the threat and hunt for related or similar behaviors. These detections enrich the telemetry that Microsoft Defender for Endpoint uses to build device timelines and cross-domain end-to-end attack chains:

Azure Defender offers a Kubernetes plan to protect Kubernetes clusters at both the orchestration layer and the node level. The orchestration-layer protection monitors Kubernetes API operations to find suspicious and malicious activity in the Kubernetes control plane. The node-level protection, based on the Server plan of Azure Defender, inspects activity on the Kubernetes worker nodes to detect suspicious activity run by the containers on those nodes. Below is a mapping of Azure Defender detections to the ATT&CK for Containers techniques.


Mapping of ATT&CK for Containers techniques to Azure Defender detections:

Exploit Public-Facing Application; External Remote Services
  • Orchestration level alerts:
    • Exposed Kubeflow dashboard detected
    • Exposed Kubernetes dashboard detected
    • Exposed Kubernetes service detected
    • Exposed Redis service in AKS detected
  • Node level alerts:
    • Exposed Docker daemon detected (node level)
Valid accounts
  • Orchestration level alerts:
    • AKS API requests from proxy IP address detected
  • Node level alerts:
    • Successful SSH brute force attack (node level)
    • Suspicious incoming SSH network activity from multiple sources (node level)
    • Suspicious incoming SSH network activity (node level)
Container Administration Command
  • Orchestration level alerts:
    • Suspicious command executed in container
  • Node level alerts:
    • Privileged command run in container
    • Suspicious request to Kubernetes API
Deploy Container
  • Orchestration level alerts:
    • AKS API requests from proxy IP address detected
    • Digital currency mining container detected
  • Node level alerts:
    • Suspicious request to Kubernetes API
Scheduled Task/Job
  • Kubernetes CronJob controller, such as other controllers, creates a pod resource. See “Deploy Container” technique for relevant detections.
User Execution
  • Digital currency mining container detected
Implant Internal Image; Escape to Host
  • Orchestration level alerts:
    • Container with a sensitive volume mount detected
    • Privileged container detected
Exploitation for Privilege Escalation
  • Orchestration level alerts:
    • Privileged container detected
Build Image on Host
  • Node level alerts:
    • Docker build operation detected on a Kubernetes node
Indicator Removal on Host
  • Orchestration level alerts:
    • Kubernetes events deleted
    • New container in the kube-system namespace detected
Brute Force
  • Successful SSH brute force attack (node level)
  • Suspicious incoming SSH network activity from multiple sources (node level)
  • Suspicious incoming SSH network activity (node level)
Unsecured Credentials
  • Suspicious request to Kubernetes API (node level)
Resource Hijacking
  • Digital currency mining container detected (Orchestration)
  • Suspicious command executed in container (Orchestration)
  • Process associated with digital currency mining detected (node level)
  • Possible Crypto coin miner download detected (node level)
  • Digital currency mining related behavior detected (node level)

In addition, as was observed in several past attacks, like the one that targeted Kubeflow workloads, many incidents start with a misconfiguration. Azure Defender can help detect misconfigurations, such as exposure of sensitive interfaces to the internet. It can also help reduce the attack surface by detecting sensitive operations like the creation of high-privilege RBAC rules, auditing for Kubernetes best practices, and providing deployment gates.
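A deployment gate of the kind mentioned above can be as simple as auditing the pod manifest before it is admitted. The block below is an added example, not Azure Defender's detection logic: it checks a pod for the settings the mapping above associates with Escape to Host and Exploitation for Privilege Escalation (privileged containers, host-path mounts of sensitive locations, shared host namespaces) and tags each finding with the ATT&CK for Containers technique it enables. The sensitive-path list, the two manifests and the technique mapping are assumptions.

```python
"""Audit a Kubernetes pod manifest for the misconfigurations the text calls
out (privileged containers, sensitive host-path mounts, host namespaces) and
tag each finding with the ATT&CK for Containers technique it enables. Added
example; it is not Azure Defender's detection logic, and the sensitive-path
list, the manifests and the technique mapping below are assumptions.
"""

# Host paths that hand a container a route onto the node (assumed list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/root", "/var/lib/kubelet", "/var/run/docker.sock")


def path_is_sensitive(path):
    """True if the host path is, or lives under, one of the sensitive roots."""
    p = path.rstrip("/") or "/"
    if p == "/":
        return True
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS if s != "/")


def audit_pod(pod):
    """Return a list of findings; an empty list means the pod passed."""
    findings = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})

    def add(text, techniques):
        findings.append({"pod": name, "finding": text, "techniques": list(techniques)})

    # Sharing the host's PID, network or IPC namespace erodes the container boundary.
    for ns_flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns_flag):
            add(f"{ns_flag} is enabled", ["Escape to Host"])

    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            add(f"container '{c['name']}' is privileged",
                ["Escape to Host", "Exploitation for Privilege Escalation"])
        for vm in c.get("volumeMounts", []):
            host_path = volumes.get(vm["name"], {}).get("hostPath", {}).get("path")
            if host_path and path_is_sensitive(host_path):
                add(f"container '{c['name']}' mounts sensitive host path {host_path}",
                    ["Escape to Host"])
    return findings


def admit(pod):
    """Deployment-gate decision: reject any pod that produced a finding."""
    return not audit_pod(pod)


# Constructed manifests (hypothetical names and images).
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-helper", "namespace": "default"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "logs", "hostPath": {"path": "/var/log/app"}}],
        "containers": [{
            "name": "helper", "image": "example.invalid/debug:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"},
                             {"name": "logs", "mountPath": "/logs"}],
        }],
    },
}
SAFE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "volumes": [{"name": "cache", "emptyDir": {}}],
        "containers": [{
            "name": "web", "image": "example.invalid/web:1.0",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
            "volumeMounts": [{"name": "cache", "mountPath": "/cache"}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, SAFE_POD):
        print(pod["metadata"]["name"], "admitted" if admit(pod) else "rejected")
        for f in audit_pod(pod):
            print("  ", f["finding"], "->", ", ".join(f["techniques"]))
```

The `/var/log/app` mount in the risky pod is deliberately left unflagged: a host path is only a finding when it reaches a location that exposes the node, which is why the check works from a list of sensitive roots rather than rejecting every `hostPath` volume.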

The work to secure containers continues

The partnership between MITRE Engenuity’s Center for Threat-Informed Defense and Microsoft on investigating and understanding container threats doesn’t stop with the release of ATT&CK for Containers. We will continue to work with MITRE and the rest of the industry to share intelligence and insights from Microsoft’s products, sensors, and research. We will continue to look for innovative ways of surfacing telemetry, especially from within the container and not just on hosts, and of detecting behavior associated with both malicious activity and misconfigurations.

To learn more about how Microsoft can help you protect containers and relevant technologies today, read about Microsoft Defender for Endpoint and Azure Defender.

To learn more about the Center for Threat-Informed Defense, read about the Center’s collaborative approach to advancing threat-informed defense.


Microsoft 365 Defender Research Team

Azure Defender Team


The post Center for Threat-Informed Defense teams up with Microsoft, partners to build the ATT&CK® for Containers matrix appeared first on Microsoft Security.

Meet critical infrastructure security compliance requirements with Microsoft 365

Microsoft Malware Protection Center - Tue, 04/27/2021 - 12:00pm

Critical infrastructure operators face a hostile cyber threat environment and a complex compliance landscape. Every operator of an industrial control system also operates an IT network to service its productivity needs. A supervisory control and data acquisition (SCADA) system operator of a power grid or chemical plant needs email, databases, and business applications to support it, much like any enterprise.

IT environments, with their large attack surface, can be the entryway to attack critical infrastructure even where those IT systems are not critical infrastructure themselves. Security and compliance failures may include life safety, environmental, or national security consequences—a different risk management challenge from other enterprise IT systems.

Ransomware, thought more of as an IT problem as opposed to an industrial control system (ICS) one, has been used to attack critical infrastructure operators Norsk Hydro, Brazilian utilities Electrobras and Copel, as well as Reading Municipal Light Department and Lansing Board of Water and Light among other US utilities. Dragos and IBM X-Force identified 194 ransomware attacks against industrial entities between 2018 and 2020, including ICS-specific strains like EKANS.

The range of threats to our increasingly converged IT and ICS environments highlights the need for a combined approach to IT and ICS security.

Azure Defender for IoT is the cornerstone of security for on-premises, cloud, and hybrid ICS. In addition to the anti-malware features of Microsoft 365, the integration of Advanced Threat Protection (ATP) and Microsoft Compliance Manager to manage, visualize, and report on standards-based compliance are also foundational.

Complex compliance landscape

As the cyber threat landscape for ICS has grown more hostile and publicized, the compliance responsibilities of critical infrastructure operators have increased as well. In the US and Canada, Bulk Electric System (BES) participants need to comply with the North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP), use NIST 800-53 as the basis for their organizational security policies, and benchmark against the National Institute of Standards and Technology (NIST) Cybersecurity Framework. They may also be architecting their ICS to IEC 62443/ISA 99. Many forward-looking utilities are increasing their use of the cloud through infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) like Microsoft 365 with a Zero Trust architecture.

While NERC CIP standards were written around on-premises systems, NERC has become more open to Registered Entities’ use of the cloud for Bulk Electric System Cyber System Information (BCSI). This includes NERC’s Order on Virtualization and Cloud Computing Services and their Technical Rationale for Reliability Standard CIP-011-3, where they discuss risk assessment of a cloud services provider. This risk assessment will include the ongoing standards-based assessment of the cloud service provider.

Comprehensive and efficient compliance

As an organization moves workloads to the cloud, they move responsibility for a portion of the security controls to the cloud service provider.

The organization can thus focus its resources on the remaining security controls and on vetting how the cloud service provider manages the security controls for which it is responsible.

When customers use Office 365, Microsoft helps them manage 79 percent of the 1,021 NIST 800-53 controls, so customers need only focus on implementing and maintaining the remaining 21 percent of the controls. By using the shared responsibility model, these customer resources are made available to further secure their systems. Customers that are using on-premises infrastructure to provide those functions need to implement and maintain all 1,021 controls.

Tools for comprehensive and efficient compliance

Microsoft Compliance Manager is a feature in Microsoft 365 compliance center. It uses signals from the customer’s Microsoft 365 tenant, Microsoft’s compliance program, and workflows completed by the customer to manage and report compliance against regulatory and industry-standard templates. These templates include NERC CIP, NIST Cybersecurity Framework (CSF), NIST 800-53, and the US Protecting and Securing Chemical Facilities from Terrorist Attacks Act (H.R. 4007), as well as more than 330 standards-based assessments globally. You can also create custom templates based on other standards or mapped to your own policies and control set.

With each Compliance Manager assessment template, you get simplified guidance on “what to do” to meet the regulatory requirements. In this regard, you get to understand what controls are Microsoft’s responsibility as your cloud service provider and what controls are your responsibility. Furthermore, for each of the controls that are your responsibility, we break down actions that you need to take to meet these control requirements. These actions can be procedural, documentation, or technical.

For technical actions, you get step-by-step guidance on how to use Microsoft security, compliance, identity, or management solutions to implement and test technical actions. With this detailed information, you can efficiently implement, test, and demonstrate your compliance against regulations as per your industry and region. This information also helps you to draw maximum benefits from your Microsoft 365 security and compliance solutions. Once you create assessments within Compliance Manager, we make it very easy for you to understand what solutions you can use to implement and test technical actions on Compliance Manager.

You can use the custom assessment feature to “extend” Compliance Manager assessment templates to track compliance against any non-Microsoft 365 assets as well. With this functionality, Compliance Manager helps you to track and manage compliance across all your assets.

There are different template sets available for the different license levels.

Microsoft updates the assessment templates when the standards change, relieving the customer of this responsibility. The changes are called out to the customer and the option to update the assessment is provided.

Compliance Manager tracks, reports, and provides visualizations for:

  • Microsoft-managed controls: these are controls for Microsoft cloud services, for which Microsoft is responsible for implementing.
  • Your controls: these are controls implemented and managed by your organization, sometimes referred to as “customer-managed controls.”
  • Shared controls: these are controls that both your organization and Microsoft share responsibility for implementing.

The assessments are provided with visualizations that allow the user to drill down into the individual control status and view evidence. High impact improvement actions are suggested.

Compliance Manager covers both the Microsoft and customer-managed controls as part of the shared cloud security and compliance responsibility model. Automated workflows and evidence repositories are provided for customer-managed and shared controls.

You can assign a stakeholder to each control. On a schedule, an automated message with instructions and an upload link reminds them of the compliance activity required and lets them report status and upload evidence. This provides an efficient and defensible system for responding to auditors and benchmarking compliance programs.

Many of the controls that enable compliance for critical infrastructure operators are common across the standards, so implementing a control once enables compliance across multiple standards.

Mapping controls across standards, for example:

NIST CSF Category: Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
NIST CSF Subcategory: PR.AC-1: Identities and credentials are managed for authorized devices and users.
NIST 800-53 Rev. 4 Control: NIST SP 800-53 Rev. 4 AC-2, IA Family
ISO 27001 Control: ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
NERC CIP Control: CIP-004-6 – Access Management Program, parts 4 and 5

This crosswalk across standards is part of the Compliance Manager and populated automatically across a customer’s assessments.

The level of effort to benchmark and report compliance with a new standards regime is dramatically reduced.

IT and ICS convergence is a continuing trend for critical infrastructure operators. Attack methodologies, surfaces, and threat actors are crossing over to put our most critical resources at risk. Compliance regimes must be efficiently met in an auditable way to protect the availability of our systems. Microsoft provides the range of tools described above to help you manage across the IT and ICS environments.

Learn more

Learn more about Microsoft Compliance Manager and how it helps simplify compliance and reduce risk.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Meet critical infrastructure security compliance requirements with Microsoft 365 appeared first on Microsoft Security.

Defending against cryptojacking with Microsoft Defender for Endpoint and Intel TDT

Microsoft Malware Protection Center - Mon, 04/26/2021 - 11:00am

Cryptocurrency mining—once considered no more than a nuisance, a relatively benign activity that was a drain on machine resources—has been on the rise in recent years. This increase in cryptocurrency mining activity is driven by the increasing value of cryptocurrencies like Bitcoin, the growth in popularity of different kinds of cryptocurrency (Ethereum, Litecoin, and Dogecoin), and the volatility in these markets. As cryptocurrency prices rise, many opportunistic attackers now prefer to use cryptojacking over ransomware. The risks for organizations have increased, as attackers deploy coin miners as a payload for malware campaigns. According to recent research from Avira Protection Labs, there was a 53 percent increase in coin miner malware attacks in Q4 2020 compared to Q3 2020.

In addition, with malware evolving over the years to evade typical anti-malware defenses, detecting coin miners has become increasingly challenging.

This rising threat is why Microsoft and Intel have been partnering to deliver technology that uses silicon-based threat detection to enable endpoint detection and response (EDR) capabilities in Microsoft Defender for Endpoint to better detect cryptocurrency mining malware, even when the malware is obfuscated and tries to evade security tools.

Intel Threat Detection Technology in Microsoft Defender for Endpoint

Today, we are announcing the integration of Intel Threat Detection Technology (TDT) into Microsoft Defender for Endpoint, an addition that enhances the detection capability and protection against cryptojacking malware. This builds on our existing partnership and prior collaboration to integrate Intel’s Accelerated Memory Scanning with Defender.

Figure 1: CoinMiner alert from Microsoft Defender for Endpoint.

Intel TDT applies machine learning to low-level hardware telemetry sourced directly from the CPU performance monitoring unit (PMU) to detect the malware code execution “fingerprint” at runtime with minimal overhead. TDT leverages a rich set of performance profiling events available in Intel SoCs (system-on-a-chip) to monitor and detect malware at their final execution point (the CPU). This happens irrespective of obfuscation techniques, including when malware hides within virtualized guests, without needing intrusive techniques like code injection or performing complex hypervisor introspection. TDT can further offload machine learning inference to the integrated graphics processing unit (GPU), enabling continuous monitoring with negligible overhead. While we haven’t seen any performance issues with the current deployments, we plan to enable the GPU offloading capabilities of Intel TDT in the near future.

This technology is based on telemetry signals coming directly from the PMU, the unit that records low-level information about performance and microarchitectural execution characteristics of instructions processed by the CPU. Coin miners make heavy use of repeated mathematical operations and this activity is recorded by the PMU, which triggers a signal when a certain usage threshold is reached. The signal is processed by a layer of machine learning which can recognize the footprint generated by the specific activity of coin mining. Since the signal comes exclusively from the utilization of the CPU, caused by execution characteristics of malware, it is unaffected by common antimalware evasion techniques such as binary obfuscation or memory-only payloads.
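To make the PMU-based fingerprinting idea concrete, here is an added toy detector that is not Intel TDT’s model or Microsoft’s code. It assumes a sampler that delivers per-interval hardware counters (cycles, instructions retired, branch misses, last-level cache misses) per process; the sample data is constructed, and the feature thresholds and the required sustain window are illustrative assumptions. The point it demonstrates is the one in the paragraph above: the decision is taken on execution characteristics only, so it makes no difference what the binary on disk looks like, and requiring the profile to persist across intervals keeps short compute bursts from other workloads from tripping it.

```python
"""Toy PMU-telemetry coin-miner detector (added example, not Intel TDT's model).

Assumes per-interval hardware counter samples per process, as a PMU-backed
sampler would deliver them. The sample data is constructed and the thresholds
are illustrative assumptions, not Intel's or Microsoft's values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class PmuSample:
    pid: int
    cycles: int          # unhalted core cycles in the interval
    instructions: int    # instructions retired in the interval
    branch_misses: int   # mispredicted branches in the interval
    llc_misses: int      # last-level cache misses in the interval


def features(s: PmuSample) -> Tuple[float, float, float]:
    """Ratios are used rather than raw counts so the profile is independent of
    how busy the core was overall."""
    ipc = s.instructions / s.cycles if s.cycles else 0.0
    branch_miss_rate = s.branch_misses / s.instructions if s.instructions else 0.0
    llc_miss_rate = s.llc_misses / s.instructions if s.instructions else 0.0
    return ipc, branch_miss_rate, llc_miss_rate


# Assumed fingerprint of a hashing loop: compute-bound (high IPC), very
# predictable control flow (few branch misses), small hot working set (few
# cache misses), and the profile holds interval after interval.
IPC_MIN = 2.5
BRANCH_MISS_MAX = 0.002
LLC_MISS_MAX = 0.001
SUSTAIN_INTERVALS = 8   # consecutive matching intervals before raising


def looks_like_mining(s: PmuSample) -> bool:
    ipc, bm, lm = features(s)
    return ipc >= IPC_MIN and bm <= BRANCH_MISS_MAX and lm <= LLC_MISS_MAX


def detect(samples: Iterable[PmuSample]) -> List[int]:
    """Return pids whose counters matched the mining profile for
    SUSTAIN_INTERVALS consecutive samples. Any non-matching interval resets
    the streak, so a compile job or a video decode burst is not reported."""
    streak: Dict[int, int] = {}
    flagged: List[int] = []
    for s in samples:
        if looks_like_mining(s):
            streak[s.pid] = streak.get(s.pid, 0) + 1
            if streak[s.pid] == SUSTAIN_INTERVALS and s.pid not in flagged:
                flagged.append(s.pid)
        else:
            streak[s.pid] = 0
    return flagged


def constructed_samples() -> List[PmuSample]:
    """Constructed telemetry for three processes over twelve intervals."""
    miner, compiler, browser = 4242, 1100, 2300
    out: List[PmuSample] = []
    for i in range(12):
        # miner: steady tight loop, IPC ~3.0, almost no misses
        out.append(PmuSample(miner, 1_000_000, 3_000_000 + 20_000 * (i % 3), 3_000, 500))
        # compiler: occasional high-IPC bursts, but branchy and cache-missy
        burst = 3_200_000 if i % 4 == 0 else 1_200_000
        out.append(PmuSample(compiler, 1_000_000, burst, 60_000, 40_000))
        # browser: mostly idle
        out.append(PmuSample(browser, 1_000_000, 600_000, 30_000, 20_000))
    return out


if __name__ == "__main__":
    print("mining pids:", detect(constructed_samples()))
```

A real deployment would replace the hand-written thresholds with a trained classifier over many more events and feed it from the PMU driver; what carries over unchanged is that the input is counters, not bytes, which is why obfuscation and memory-only payloads do not change the outcome.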

Figure 2: Diagram showing how Intel TDT and Microsoft Defender detect and remediate malware.

Even though we have enabled this technology specifically for cryptocurrency mining, it expands the horizons for detecting more aggressive threats like side-channel attacks and ransomware. Intel TDT already has the capabilities for such scenarios, and machine learning can be trained to recognize these attack vectors.

Figure 3: Intel TDT and Microsoft Defender detect malware. The user is notified of a threat via a Windows Security notification.

Figure 4: Windows security protection history showing CoinMiner threat blocked. Detected with Intel TDT and Microsoft Defender.

This technology doesn’t require any additional investments, IT configuration, or installation of agents. The Microsoft Defender for Endpoint and Intel TDT integrated solution works natively with Intel® Core processors and the Intel vPro® platform, 6th Generation or later.

Since the main signal used for this detection capability comes right from the hardware (the Intel CPU), it can detect coin miners running inside unprotected virtual machines and other containers. This demo video showcases how, in such a scenario, Microsoft Defender for Endpoint can stop the virtual machine itself or report virtual machine abuse, thus preventing the spread of an attack as well as saving resources. This is one step towards agentless malware detection, where the “protector” can protect the asset from the “attacker” without having to be in the same OS.

As we enable the technology on more and more supported platforms, we are getting valuable machine learning telemetry back, which informs and makes the existing models better and more effective.

As organizations look to simplify their security investments, we’re committed to our focus on built-in platform-based security technologies, delivering a best-of-breed and streamlined solution that empowers defenders to elevate their security and protect their organizations. This partnership is part of Microsoft’s investment into collaborations with original equipment manufacturers (OEMs) and technology partners. We’re working closely with chipmakers to always explore new possibilities for hardware-based defense hardening and deliver robust and resilient protection against cyber threats.

Learn more

For additional details, please read Intel’s News Byte.

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Amitrajit Banerjee, Andrea Lelli, Gowtham Animi Reddy, Karthik Selvaraj, Shweta Jha

Microsoft Defender for Endpoint Team

The post Defending against cryptojacking with Microsoft Defender for Endpoint and Intel TDT appeared first on Microsoft Security.

Evolving beyond password complexity as an identity strategy

Microsoft Malware Protection Center - Thu, 04/22/2021 - 12:00pm

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Troy Hunt, founder of Have I Been Pwned, information security author, and instructor at Pluralsight. In this blog, Troy talks about the future of identity and shares strategies for protecting identities.

Natalia: What threats will be the most important to focus on in the next year?

Troy: We’re seeing more one-time password phishing. This is the value proposition of something like U2F, but how do we make phish-resilient authentication mechanisms? The other thing that’s particularly concerning is the rate of SIM card hijacking. It concerns me greatly that it seems to be so prevalent and that it’s so easy, almost by design, to port a SIM from one location to another. As an industry, we need to say, “Where is the level of identity assurance for a phone number?” Is it very weak or is it very strong, in which case telecommunications companies need legislation to change the ease with which stuff gets ported? Unless we can get people on the same page, we’re going to keep having these problems.

Natalia: What should IT professionals prioritize?

Troy: I would really like IT professionals to better understand the way humans interact with systems. Everyone says, “Just force people to use two-factor authentication.” Do you still want customers? I think every IT professional should have to go through two-factor authentication enrollment with my parents. Everyone should have to learn what it’s like to take non-technical people and try and get some of these things working for them. We can’t just look at these things in a vacuum.

I think U2F is a brilliant technical solution, but it is such an inherently human-flawed mechanism for many reasons. I have enough trouble trying to get my parents to use SMS-based two-factor authentication. Imagine if I had to tell my parents, “You’ve now got this little USB-looking thing, and you need to always have it with you in case you need to log into your device.” We have so many good technical solutions that come at the cost of being usable for most humans, myself included on many occasions.

I’d like us to have a much better understanding of that, which also speaks to solutions like passwordless authentication. We need to give more credit to what passwords in the traditional sense do extremely well. The thing that passwords do better than just about everything else is that everyone knows how to use them. It’s like using your date of birth for knowledge-based authentication. It sucks, but every single person knows how to use it, and that makes a really big difference.

Natalia: What’s the use case for password managers?

Troy: Password managers are a way of storing one-time passcodes (OTPs), but it’s important to recognize that password managers are not just for passwords. I have my credit card details in there, and every time I go to pay at a store, I do the control backslash and automatically fill in the credit card details. I have other secrets in there, like my driver’s license and other data. In many ways, passwords are just one part of the password manager solution, but certainly, for the foreseeable future, we’re going to have passwords so there’s a strong use case for password managers.

Another use case is a family account. If my partner wants to log into our Netflix account, she has her own identity, but there’s one set of credentials. She asks, “Hey Troy, what’s the password for the Netflix account?” It’s a string of gobbledygook. How am I going to get her the password? Do I message it to her, because then it’s in the thread in my unencrypted SMS? But if you have a password manager where you have shared vaults, you can just drop it in the shared vault. That’s another good example of where a password manager is more than just me trying to remember my secrets.

Natalia: Since we’re likely to continue to use passwords, what controls should we put in place to protect them?

Troy: Ultimately, this password is the key to your identity. We’ve had passwords on computer systems for about 60 years and the era in which they were born was so simple. It was before the internet and before social media and before all these other ways we can lose or disclose them. Over time, we started saying, “Let’s have password complexity rules. More entropy. More entropy equals stronger.”

When I used to be able to travel and speak to an audience, I’d talk about passwords and password complexity. I’d say, “Imagine you want to have a password that is the word “password”, and a website says you have to have at least one uppercase character. What do you do? You capitalize the first letter.” Everyone in the audience is laughing nervously and looking at me like, “Oh, you figured it out?” I’d tell them, “You have to have a number. What do you do? You put a one at the end.” And there’s the same nervous laughter. There is this human side that works in complete parallel to the whole mathematics of entropy and having more character types and longer passwords.

As we’ve progressed, we’ve started to recognize that arbitrary password composition criteria are not a very good thing to do, and we’re looking at whether we can have lists of banned passwords, like passwords from previous data breach corpuses. Are you using a password that is already out there floating around in data breaches? Maybe we will get to a time where this won’t be necessary because we will be truly passwordless. In the interim, I think that having a better understanding of what makes a bad password is important and educating users on this first and foremost.
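The breach-corpus check Troy describes in his last answer is what the Pwned Passwords range API from Have I Been Pwned provides. The following is an added example, written for this page and not Troy Hunt’s code, of the client side of that check. The endpoint, the five-character SHA-1 prefix lookup and the `SUFFIX:COUNT` response format are the real ones; the embedded sample response is constructed, and its counts are made up. The security-relevant property it shows is k-anonymity: only the first five hex characters of the hash leave the machine, and the match against the full hash happens locally.

```python
"""Banned-password check against a breach corpus via k-anonymity range lookup.

Added example (not Troy Hunt's or HIBP's code). The API endpoint and the
'HEX_SUFFIX:COUNT' response format are the real ones; CONSTRUCTED_RANGES below
is a made-up response so the check can be exercised offline.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and
    the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_http(prefix: str) -> str:
    """Live lookup. Only the prefix is sent; Add-Padding asks the service to
    mix in dummy entries (count 0) so response size does not leak the bucket."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_http) -> int:
    """Number of times the password appeared in the corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def is_banned(password: str,
              fetch_range: Callable[[str], str] = fetch_range_http) -> bool:
    """Policy hook: reject anything seen in a breach at all."""
    return breach_count(password, fetch_range) > 0


# Constructed response for prefix 5BAA6 (SHA-1 of "password" starts with it).
# Counts are made up; the count-0 line mirrors a padding entry.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",
    ]),
}


def fetch_range_constructed(prefix: str) -> str:
    """Offline stand-in for fetch_range_http."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    print("password ->", breach_count("password", fetch_range_constructed))
```

Passing the fetch function in as a parameter is what makes the check testable offline and keeps the network call, and therefore the prefix disclosure, in one auditable place.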

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Evolving beyond password complexity as an identity strategy appeared first on Microsoft Security.

MITRE Engenuity ATT&CK® Evaluation proves Microsoft Defender for Endpoint stops advanced attacks across platforms

Microsoft Malware Protection Center - Wed, 04/21/2021 - 12:00pm

For the third year in a row, Microsoft successfully demonstrated industry-leading defense capabilities in the independent MITRE Engenuity ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Evaluations.

As the attack surface evolves on a near-daily basis, threat actors are creating more advanced techniques targeted across domains such as endpoints, identities, emails, documents, and cloud apps, requiring security solutions with the capability to automatically analyze threat data across these domains and build a complete picture of the attacks. The 2020 ATT&CK Evaluations concentrated on advanced threat actors known to the industry as FIN7 and Carbanak (also called Carbon Spider). This year’s rigorous evaluation included new benchmarks of detection and protection simulations of more than 174 steps across the attack chain, covering Windows client endpoints, servers, and, for the first time, Linux devices.

This cross-platform, sophisticated attack simulation significantly elevated the stakes for detection and protection, and we are proud to report that results showed Microsoft Defender for Endpoint effectively detected and prevented malicious activity at every major attack stage. In this evaluation, we were able to put Microsoft Defender for Endpoint’s Linux capabilities to the test. MITRE Engenuity ran the simulated Carbanak and FIN7 attack end-to-end and across multiple attack domains, meaning defenders benefited from the added capabilities in Microsoft 365 Defender and got visibility beyond just endpoint protection. MITRE Engenuity’s ATT&CK Evaluations results showed that Microsoft provides:

  • Industry-leading protection: Microsoft’s industry-leading capabilities quickly identified suspicious activity and offered real-time containment to rapidly stop the attack.
  • Superior detection and protection on Linux: Microsoft Defender for Endpoint blocked everything on Linux, providing exceptional detection, protection, and visibility that comprehensively captured Linux file server activity.
  • Excellent detection and visibility across the attack chain: Our world-class SecOps experience and Microsoft 365 Defender capabilities showed the full attack story across domains and quickly correlated all activity down to two incidents.

Figure 1. MITRE Engenuity’s ATT&CK Evaluation results demonstrated that Microsoft provides industry-leading protection, superior detection and protection on Linux, and excellent detection and visibility across the attack chain. 

Microsoft participated in the ATT&CK Evaluations because we believe it is the most comprehensive testing environment that most closely mirrors real-world attacks. Our mission is to empower world-class defenders by continuing to drive product excellence, listening to customers, and investing in research to deliver intelligent solutions. We attribute this success to these investments and our customer-first approach.

Microsoft Defender once again prevails over the adversary

Microsoft’s massive depth and breadth of security optics and threat intelligence is integrated into Microsoft Defender products and uniquely enables us to stand out in complex attack scenarios.

Industry-leading protection

Microsoft Defender for Endpoint blocked the attack at the earliest stage, providing containment in real-time. Defender for Endpoint quickly identified the suspicious activity and incriminated it as malicious. This prevented the attacker from taking actions that may have had a negative impact on the device, such as shell execution, discovery, persistence, or exfiltration, effectively blocking the simulation and stopping the attack from proceeding.

Figure 2. Defender for Endpoint alert page: SystemPropertiesAdvanced.exe attempts to execute code in the illegitimate srrstr.dll and is blocked by Defender for Endpoint.

Superior detection and protection on Linux

Our endpoint security capabilities for Linux fit seamlessly into the attack story, and Microsoft Defender for Endpoint was able to provide extensive visibility and coverage for the attack chain, which indicates how essential endpoint detection and response (EDR) detection, protection, and visibility are for navigating today’s Linux threat landscape. Defender for Endpoint was able to completely capture Linux file server activity, including sign-in, connections, read and copied files, various discovery activities, and Pass-the-Hash (PtH). We are proud to offer this kind of coverage on Linux as we continue to extend endpoint security capabilities across all the major platforms (Windows, Linux, macOS, Android, and iOS).

Figure 3. Defender for Endpoint alert page on a Linux device: Lateral movement attack story, from remote system discovery, suspicious login, and remote code execution using Python from Linux device to endpoint.

Excellent detection and visibility across the attack chain

The results of the ATT&CK Evaluation highlighted our deep detection capabilities and the comprehensive optics across the attack chain, including:

  • Detecting advanced attack techniques on endpoints: Microsoft Defender for Endpoint recorded and alerted on all malicious activities across the attack chain, including advanced attack techniques such as injections, shellcode execution, execution using scheduled tasks, UAC bypass, web browser and OS credentials collection, screen and keystroke collection, and persistence using application shimming.
  • Providing deep visibility into the timeline of events on devices: Microsoft 365 Defender presented a detailed view of the events taking place on the device through the device timeline. The device timeline also provided a new capability to surface attack techniques: a specific sequence of standalone events is combined to build a more meaningful representation of identified attack technique. This recent addition to the device timeline empowers Security Operations Center (SOC) analysts to glean more insight into the activities on the device, as well as the potential reason for their execution.

Figure 4. Defender for Endpoint device timeline on a Linux device: Lateral movement technique for remote code execution from Linux device to endpoint is highlighted. 

  • Identifying activities associated with compromised identities: Leveraging both device and identity signals, Microsoft 365 Defender provided deep visibility and alerting for actions taken on a device by a compromised account, including credential-theft techniques used in the simulation such as pass-the-hash and pass-the-ticket. Microsoft Defender for Identity analyzed and detected account compromise at the domain level, tracking and alerting on account activity for lateral movement using remote service creation. Having this view beyond the endpoint and across other domains, such as identities, is a unique advantage of Microsoft 365 Defender, giving customers more robust security against today’s modern, multifaceted threats.

Figure 5. Defender for Identity alert page: Lateral movement using remote code execution from Windows server to endpoint detected by Defender for Identity as a suspicious identity behavior for user kmitnick.

With this depth of detection capabilities and breadth of visibility, Microsoft 365 Defender provided a unified view of the attack and empowered SOCs to respond by delivering:

  • A detailed attack story in which alerted activities are linked together, tagged with the appropriate MITRE ATT&CK techniques, and accompanied by every needed piece of data. This was achieved through our massive optics and the unique native integration of signals, sources, and capabilities, enabling the SOC analyst to arrive at an accurate conclusion and act effectively.

Figure 6. Defender for Endpoint alert page: Lateral movement using remote desktop connection, script execution via Registry run key, and suspicious script execution being detected.

  • Two meaningful incidents generated from over 1,000 alerts, bringing together the rich information and context necessary for SOCs to effectively evaluate the scope of the attack, without the volume of triage and investigation work that is normally needed. With today’s limited time and resources, security teams need tools that rapidly and effectively investigate challenging scenarios, such as lateral movement from Windows to Linux and suspicious behavior across the organization by a compromised identity.

Figure 7. Microsoft 365 Defender incident page correlating all the devices, users, alerts, and evidence that describe the first attack simulated by MITRE Engenuity.  

MITRE Engenuity Carbanak and FIN7 Evaluation details

The 2020 MITRE Engenuity ATT&CK Evaluations reflect an evolution of industry testing that Microsoft supports and is happy to contribute to. Our participation demonstrates our commitment to work with the industry to evaluate our capabilities using modern approaches that simulate real-world attack scenarios and that allow participants to learn from each other.

  1. In this evaluation, MITRE Engenuity expanded the scope to evaluate protection and detection capabilities on Linux, as well as Windows, as the Carbanak and FIN7 attacker groups used tools that interacted with both platforms, including point of sale specific technologies. We were excited to put our Linux capabilities to the test in this evaluation as we’ve continued to extend endpoint security across all the major platforms (Linux, macOS, Android, and iOS).
  2. This year, MITRE Engenuity did not include managed security service providers (MSSP) in the evaluation. This means that all the protection and detection value presented by Microsoft Defender for Endpoint is the result of fully automated, AI-driven advanced algorithms meant to protect organizations from advanced attacks with no additional services needed.
  3. Finally, for the first time, MITRE Engenuity executed two evaluations. The first was a detection evaluation, which tested our visibility and awareness of an ongoing attack and its techniques. The second was a protection evaluation, which tested our capabilities to block the attack at an early stage.

To fully execute the end-to-end detection and protection simulations of Carbanak and FIN7, MITRE Engenuity required participants to provide two different environments:

  • Detection environment: MITRE Engenuity asked participants to turn off all proactive protection and blocking capabilities. For Microsoft Defender for Endpoint and the additional value of Microsoft 365 Defender, this meant all capabilities that normally block this kind of attack, such as automatic remediation flows, application isolation, attack surface reduction, network protection, exploit protection, controlled folder access, and next-gen antivirus prevention were turned off.
  • Protection environment: All proactive protection and blocking capabilities are turned on. Some steps executed in the detection evaluation were chosen by MITRE Engenuity to be tested in a protection setup. That enabled Microsoft 365 Defender to prove its blocking abilities for a variety of steps, where it prevented and blocked execution at a very early stage of each step.

Real-world testing is critical to detection and prevention

As the security landscape changes, we are on a mission to help defenders solve the toughest and most critical problems. Coordinated, targeted, and advanced attacks carried out by sophisticated adversaries are some of the most complex threats that security teams encounter. This is why participating in evaluations such as MITRE ATT&CK is so important in ensuring we’re delivering solutions that empower defenders to protect their organizations. Our vision with our Microsoft Defender products is to provide industry-leading, best-of-breed, cross-domain security for the modern workplace. Microsoft 365 Defender is designed to provide extended detection and response (XDR) by combining protection for endpoints (Microsoft Defender for Endpoint), email and productivity tools (Microsoft Defender for Office 365), identities (Microsoft Defender for Identity), and cloud applications (Microsoft Cloud App Security). This unique combination helps to stop attacks before they happen, enables a rapid and complete response, and gives back time to the security team to focus on their most critical priorities.

In response to MITRE Engenuity’s call for community contribution related to the Carbanak and FIN7 actor groups, Microsoft researchers worked to consolidate and share threat intelligence with MITRE Engenuity. Microsoft shared key similarities and differences in focus, tooling, and operations observed for these two groups, as well as shared evidence for known and new tactics, techniques, and procedures (TTPs). This year, MITRE Engenuity elevated their attack scenarios, starting from gathering threat intelligence and then through the implementation of sophisticated and realistic attack chains. We’re delighted to see that MITRE Engenuity incorporated the feedback Microsoft shared from previous rounds and that this evaluation continues to evolve with each year. This kind of collaboration and continued evolution is of benefit to all in the security community. We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.

Learn more

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. Take advantage of Microsoft’s unrivaled threat optics and proven capabilities. Learn more about Microsoft 365 Defender or Microsoft Defender for Endpoint, and sign up for a trial today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post MITRE Engenuity ATT&CK® Evaluation proves Microsoft Defender for Endpoint stops advanced attacks across platforms appeared first on Microsoft Security.

Afternoon Cyber Tea: Cybersecurity has become a pillar of the business

Microsoft Malware Protection Center - Mon, 04/19/2021 - 2:00pm

In a famous two-part episode of “Star Trek: The Next Generation,” Captain Jean-Luc Picard is captured by the Cardassians. During a pivotal scene, a Cardassian interrogator shows Picard four bright lights and demands that he “see” five lights. Picard resists, culminating with him shouting, “There are four lights!” When I hosted Tarah Wheeler on Afternoon Cyber Tea with Ann Johnson to talk about encryption, she shared this particular story about the Next Generation episode during our conversation because she believes it’s a good description of how we should think about encryption.

In addition to being a Star Trek fan, Tarah Wheeler is an accomplished information security researcher, political scientist, Fulbright Scholar, and author of the best-selling book “Women in Tech: Take Your Career to the Next Level with Practical Advice and Inspiring Stories.” Just as with that infamous episode, there’s no way to meet in the middle when it comes to encryption, according to Tarah. Encryption experts refuse to compromise because it simply isn’t possible when math is involved. Math can’t be half-implemented, and taking a backdoor approach to encryption doesn’t work. This can confuse people because protection and the right to data privacy are not fundamental opposites. Instead of having to choose one or the other, companies should balance the two, which achieves a better outcome than a zero-sum trade-off.

Tarah has previously said that the right to private and encrypted communication is a fundamental right of humanity. She’s heartened by the change in the perception of cybersecurity, which is now considered one of the pillars supporting a business rather than something you bolt on from the side. Cybersecurity is viewed as just as important—and necessary—as keeping the lights on and training employees. Keeping the company’s digital assets safe has become as necessary as those fundamental practices for a modern business, and cybersecurity is as valued as the Human Resources and Legal departments. Securing assets before an attack can occur has become the priority, rather than cleaning up after a cyberattack.

This shift toward viewing cybersecurity as a cost center has been one of the biggest changes in international business over the last few years. But Tarah characterizes that shift as reluctant and frustrated. That frustration isn’t always due to attitude; sometimes, it’s because of the difficulty in demonstrating the cost incentives of internally treating cybersecurity like a cost center. However, the money saved from effective risk management is changing that. Some of the most successful cybersecurity departments report up to Risk or Finance and not to Technology. The biggest corporate impact of international cybersecurity has been regulatory regimes like the General Data Protection Regulation (GDPR), the European Union law on data protection and privacy. The passage of GDPR was a big wake-up call for how US corporations conducted their affairs, because many companies were stunned that compliance with requirements like data deletion would be enforced.

During our in-depth conversation, we also had the opportunity to explore the concept of “imposter syndrome” in the cybersecurity community, in addition to the changing role of the Chief Information Security Officer in an organization. I invite you to listen to our discussion and learn more about this shift on Apple Podcasts or Podcast One.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, IoT, and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:
  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • Podcast One: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Cybersecurity has become a pillar of the business appeared first on Microsoft Security.

Surface expands its Secured-core portfolio with the new Surface Laptop 4 powered by AMD Ryzen™ Mobile Processors

Microsoft Malware Protection Center - Mon, 04/19/2021 - 12:00pm

As operating systems are becoming more secure and resistant to compromise, advanced vectors like firmware, kernel and hardware direct memory access (DMA) have emerged as new favored targets for threat actors. Recent trends indicate a substantial growth in the number of hardware and firmware exploits. The March 2021 Security Signals report, commissioned by Microsoft, indicates that a vast majority of enterprise customers have experienced at least one firmware attack in the past two years.

To safeguard against increasingly sophisticated and targeted attacks, we need more than just software protection – integrated hardware and software security is now essential in an era of heightened threat. Collaborating closely with AMD, Microsoft is proud to announce our latest Secured-core offering, the all-new Surface Laptop 4 powered by AMD Ryzen Mobile Processors. These devices offer comprehensive security out of the box with tightly integrated hardware, software, firmware, and identity protection layers.

Defense against hardware and firmware exploits

Leveraging hardware for security

At its heart, the Surface Laptop 4 leverages the Trusted Platform Module 2.0 (TPM 2.0) and the AMD Ryzen Mobile Processors with System Guard to boot securely and to minimize the impact of firmware vulnerabilities by sandboxing firmware, protecting critical subsystems and sensitive data. Kernel Direct Memory Access Protection is pre-enabled on these devices, helping to ensure that the system is protected against malicious and unintended Direct Memory Access (DMA) attacks from all DMA-capable devices, such as PCI devices, thwarting the entire class of drive-by DMA attacks like Thunderspy.

The TPM 2.0 serves as the hardware root-of-trust for the Surface Laptop 4. With hardware protections for sensitive assets like BitLocker keys and security measurements for the state of the system, the TPM 2.0 helps make the Surface Laptop 4 ready for Zero Trust security.

UEFI firmware protection

As pointed out in the Security Signals report, firmware is emerging as a primary target because it’s where devices store sensitive information, like credentials and encryption keys. To address this, Microsoft introduced its own open-source UEFI to help enable a secure and maintainable interface to manage firmware. On the Surface side, we have been enabling the automation of firmware protection since the 2015 release of Surface Pro 4. That’s when we made the decision to build our own Microsoft UEFI [1] and facilitate full transparency for our customers with the open-source project called Project Mu.

If you’re not already familiar with UEFI, it stands for Unified Extensible Firmware Interface. It’s essentially a modern version of a BIOS that initializes and validates system hardware components, boots Windows 10 from an SSD, and provides an interface for the OS to interact with the keyboard, display, and other input/output devices.

Centralized device management down to the firmware level

As Microsoft further developed the UEFI for Surface, we also built tools for managing and updating UEFI, beginning with SEMM (Surface Enterprise Management Mode). You can use it as a stand-alone tool or integrated with Microsoft Endpoint Configuration Manager to manage the UEFI settings on your Surface. SEMM lets you remotely enable and disable key components of Surface devices that would otherwise require you to physically go to every machine and boot straight into the UEFI (Power button + Volume Up). From a security perspective this is important: the more components you disable that are not normally used, the smaller the attack surface.

Aligned to Microsoft’s broader commitments, we moved SEMM capabilities to the cloud with the launch of DFCI (Device Firmware Configuration Interface). DFCI enables cloud-based control over UEFI settings through the Intune component of Microsoft Endpoint Manager. The best part is that DFCI can be enabled via policy and deployed with Windows Autopilot before anyone even logs into the device. With DFCI a Surface device can be fully managed from Windows 10 down to firmware all through the power of the cloud and Microsoft Endpoint Manager.

Surface drives innovation into firmware security

Surface takes a multi-pronged approach to raising the security of our UEFI. To start, it can be updated via Windows Update. Our UEFI does not require an outside tool from a third party or download site. In fact, when the Spectre and Meltdown vulnerabilities were announced, Surface already had a fix available that was automatically pushed to every Surface device accepting updates. Windows Update patched the microcode of our processors all through UEFI. Another security step we take is to lock down the UEFI, to help protect against known exploits. Surface UEFI uses a combination of Platform Secure Boot (PSB) and UEFI Secure Boot, which translates to a measured and signed firmware check at each stage of the initial boot process.

Proactive operating system protection

Along with keeping the trusted computing base small by establishing a hardware root of trust, Surface Laptop 4 confirms that code running within that trusted computing base runs with integrity.

Virtualization-based security (VBS) isolates the operating system and provides a hardware-based security boundary, thereby separating security features and sensitive code and data from vulnerabilities in the operating system. Hypervisor-enforced Code Integrity (HVCI) checks the system software before it is loaded, allowing only executables that are signed by known, approved authorities to start. The hypervisor also helps ensure that kernel executable memory is not writable. This prevents the modifications of sensitive kernel structures and provides strong protections against kernel viruses and malware. Time and again, the protections offered by VBS and HVCI have been shown to provide essential resistance against practical real-world threats.

Identity protection

Complementing the platform security provided by secured-core and Project Mu, Surface Laptop 4 helps ensure that user identities and credentials are protected against theft, compromise, and phishing attacks.

Windows Hello helps prevent phishing and credential-based attacks through a combination of biometric sensors and hardware-based credential storage. Using your face, secure FIDO2 key, or PIN, Windows Hello allows you to sign in password-free and gives you a faster, more secure way to unlock your device.

Windows Defender Credential Guard, an optional feature that can be enabled, leverages VBS to help isolate secrets and confidential information such that only privileged system software can access it. This helps prevent identity attack techniques such as Pass-the-Hash and Pass-the-Ticket.

New Surface expands Secured-core PC line

Surface Laptop 4, powered by AMD Ryzen Mobile Processors, joins Surface Pro X as the second secured-core PC offering in the Surface portfolio. These devices provide powerhouse protection out of the box, with capabilities such as Virtualization-Based Security, System Guard, and Kernel DMA protection enabled by default. With these devices, users and businesses can be confident that they have the right protections in place to mitigate security risks and simplify the end-user experience in configuring the device.
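A defender's check for the protections described above (TPM 2.0, UEFI Secure Boot, VBS, HVCI, Credential Guard, System Guard Secure Launch, and platform DMA protection), written as an added example rather than code from the post or from Microsoft. It reads only the standard `Win32_Tpm` and `Win32_DeviceGuard` WMI classes and the `Confirm-SecureBootUEFI` cmdlet, and assumes an elevated PowerShell session on Windows 10 or later; the property names and numeric codes follow the documented meanings of those classes.

```powershell
# Added example (not from the original post): report which Secured-core
# protections are active on this Windows device. Run from an elevated session.

function Get-SecuredCoreStatus {
    [CmdletBinding()]
    param()

    # TPM spec version: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # UEFI Secure Boot; the cmdlet throws on legacy-BIOS systems, treated as "off"
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Win32_DeviceGuard carries the VBS / HVCI / Credential Guard state
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $running   = @($dg.SecurityServicesRunning)      # 1 = Credential Guard, 2 = HVCI,
                                                     # 3 = System Guard Secure Launch
    $available = @($dg.AvailableSecurityProperties)  # 2 = Secure Boot, 3 = DMA protection

    [pscustomobject]@{
        Tpm2Present               = ($null -ne $tpm) -and ($tpmSpec -eq '2.0')
        SecureBootEnabled         = $secureBoot
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning               = ($running -contains 2)
        CredentialGuardRunning    = ($running -contains 1)
        SystemGuardSecureLaunch   = ($running -contains 3)
        # Platform reports IOMMU-backed DMA protection to VBS; the Kernel DMA
        # Protection line in msinfo32 remains the authoritative display.
        DmaProtectionAvailable    = ($available -contains 3)
    }
}

$status = Get-SecuredCoreStatus
$status | Format-List

# List every protection the post describes as on by default that is not active here
$gaps = $status.PSObject.Properties |
        Where-Object { -not $_.Value } |
        Select-Object -ExpandProperty Name
if ($gaps) {
    Write-Warning "Protections not active: $($gaps -join ', ')"
} else {
    Write-Host 'All checked Secured-core protections are active.'
}
```

Credential Guard is optional on these devices (as the post notes), so a warning for that one field is expected unless it has been enabled by policy.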

Find out more about our Secured-core PC lineup.

[1] Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI. DFCI is currently available for Surface Laptop Go, Surface Book 3, Surface Laptop 3, Surface Pro 7, Surface Pro 7+ and Surface Pro X. Find out more about managing Surface UEFI settings at

The post Surface expands its Secured-core portfolio with the new Surface Laptop 4 powered by AMD Ryzen™ Mobile Processors appeared first on Microsoft Security.