03:27 PM
Connect Directly

Microsoft: How the Threat Landscape Will Shift This Year

Exclusive interview with Windows Security lead on how 2017 was a "return to retro" security threats and 2018 will bring increasingly targeted, advanced, and dangerous cyberattacks.

Unlike security professionals, who have stressed over digital threats for years, most average consumers didn't recognize the importance of security until 2017.

"Grandmothers and grandfathers and moms and dads are now aware of cyber intrusions," says David Weston, principal security group manager for the Windows Enterprise and Security team at Microsoft. "It's amazing, but it also means we have a lot of work to do."

In an exclusive interview with Dark Reading this week, Weston shared insight on the threats and trends were top of mind for Microsoft last year, and what he's worried about in the new year.

2017: Ransomware, targeted attacks stand out  

Massive cyberattacks WannaCry and NotPetya, which hit major global brands, drove security to the forefront of consumers' minds. Weston says the two outbreaks topped Microsoft's list last year. Both used a ransomware worm, which he calls "a hallmark" of 2017 and describes as a sort of "return to retro" that caught the security community off guard.

From a technical perspective, use of a worm on both occasions was "particularly interesting." During WannaCry, the Microsoft team "learned a ton about where we need to keep investing," Weston adds. "Bug classes some of us thought were extinct will be key going forward."

WannaCry symbolizes a level of destruction that Weston predicts will grow as cybercriminals' goals shift. This doesn't necessarily mean more targeted attacks, but it does mean threats will become broader and more advanced as threat actors aim to destroy networks.

"Originally attackers focused on stealth," he says. "They wanted to exfiltrate information while staying quiet … what you're seeing with WannaCry, they're potentially using that to send a statement and do more destructive things. It's a maturity and evolution of targeted attacks."

Both attacks used an interesting strategy that Weston says has, so far, been overshadowed.

"They're automating techniques, which you'd see from a red team or adversary, into their malware or implants," he explains. "You're in a situation where, after it gets a foothold, the piece of malware is operating like a full-on red team. That's actually a big challenge."

In NotPetya, for example, once the threat landed on a machine it would spread, looking for places to move laterally and credentials to steal. It's part of evolving threat sophistication, says Weston. Hacking platforms like Metasploit and PowerSploit have research to support red teams, but much of that research is accessible to threat actors who are "using it to great effect," he adds.

"A smart adversary will take advantage of intelligence and use it," says Weston. "They're trying to impact as much of the network as possible, and per-incident impact and cost will go way up. You can't just defend a single machine, you have to look at it holistically, at a network level."

2018: Rise of supply chain, cryptocurrency attacks

Weston says supply chain attacks are "of grave concern" this year as criminal groups shift their strategy.

"We're seeing some of the attack groups that used to use zero-days, moving away from watering-hole types of attacks to compromising large websites that might distribute common utility software and putting their implant in there," he explains.

It's a growing technique among attack groups: Infect as many people as possible then sift through the victims to find specific targets. Attackers are hitting supply chain software because it's easy to hide within a process that vendors will associate with something good. In some cases, supply chain software can bypass app control settings and cause problems for defenders.

Take Operation WilySupply, where an attacker was using a compromised update mechanism for a third-party editing tool to deliver malware. While it didn't use a zero-day, the attack abused the trust relationship involved with software supply chains. Microsoft discovered the attack attempt early last year.

Defending against supply chain attacks will be tough because each software vendor has a different distribution mechanism and signing infrastructure, says Weston. In the past, companies could put software on a "trusted list" if it had a history of being secure. However, he says, businesses have to realize anything can change from good to bad at any time.

"Getting your software sources from centralized locations where possible is one of the practical means for protecting against supply chain attacks," Weston adds.

Cryptocurrency will be a growing security issue as more people adopt it. Attackers will target machines to cannibalize their resources and focus on cryptocurrencies, which are getting harder to mine in legitimate ways. Wallets will also become popular among hackers.

"Targeting wallets will become more popular as more people dabble in investing in bitcoins and accessing them," he explains. "If we get to the point where everyone has a wallet on their machine, there's an opportunity for cybercriminals on every machine."

Weston says Microsoft is exploring ways to use analytics in Windows and Azure to determine when a machine is using resources in ways it previously hasn't. Did you take up a lot of storage space overnight? Does this connection come from a trusted IP? Is it being used for spam? Machine learning, he says, can help establish a baseline of what the PC uses and train on it.

He points out sophisticated threat actors are using similar technologies to identify anomalous behaviors. "They can use the same thing to find gaps in our defenses. They can hire capable engineers, they can hire clouds that scale to their needs." As attackers build their strategies, defenders must do the same.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.