Endpoint

10/23/2017
05:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Windows 10 Update Aims to Block Attackers' Behavior

Microsoft protects machines from common attacker behaviors with security updates in Windows 10.

Microsoft unlocked a host of new security and management features in the Windows 10 Fall Creators Update, which started rolling out last week. One of its new tools, Windows Defender Exploit Guard (WDEG), aims to protect businesses from ransomware by blocking common attacker behaviors.

Several studies point to the growth of ransomware hitting enterprise victims. Dark Reading found 35% of businesses were hit with ransomware in the past year, and only 27% believe current anti-malware tech is effective in preventing ransomware.

It's not uncommon for victims to get tricked twice. An ESG Research Insight Report found many organizations have a recurrence of ransomware attacks, with 22% of 300 IT and security pros saying the same ransomware re-infected the same endpoints, and 38% claiming the same ransomware affected other endpoints within the business. Nearly half (46%) had been hit.

Microsoft is aiming to shrink the attack surface for next-gen malware with Windows Defender Exploit Guard, a suite of intrusion prevention tools shipping with the Creators Update. The set includes four parts created to block a range of attack vectors and actor techniques:

  • Attack Surface Reduction (ASR): Controls that block Office-, script-, and email-based threats to prevent malware from getting on the machine
  • Network Protection: Blocks outbound processes to untrusted hosts/IP via Windows Defender Smartscreen to defend against Web-based threats
  • Controlled Folder Access: Blocks untrusted processes from accessing protected folders with sensitive data
  • Exploit Protection: Exploit mitigations replacing EMET that can be configured to protect the systems and applications

Peter Firstbrook, Vice President at Gartner, says the idea is to get at the root cause of how attackers launch ransomware. Currently, AV systems mitigate ransomware by detecting and eliminating malicious files once they are on the endpoint. The problem is, attackers evade these technologies with new tactics to compromise endpoints and execute ransomware without writing anything to disk.

"Attackers are a pretty creative bunch," he explains. "They may just move on to different types of applications and files, or find a way around it … we need to make it harder for attackers, and that's really the key theme here with Windows."

Instead of building security tools to react to new forms of malware, Firstbrook points out how companies like Microsoft, CrowdStrike, and Carbon Black are creating more proactive systems that anticipate hackers' behavior and defend against it.

ASR, one component of WDEG, was built on the idea that email and Office apps are common attack vectors and let actors distribute fileless attacks. It can block behaviors that malicious documents use to execute; for example, it can block Office apps from injecting into process.

Controlled Folder Access, another, locks down critical folders so only authorized applications can access files. Unauthorized apps, like malicious and suspicious files, DLLs, and scripts, will be denied even when they are running with administrator's privilege.

The Controlled folder protects common folders, which contain documents and important data, by default. It's flexible, though, and admins can add other folders they want to be protected. This also allows trusted apps, such as a unique or custom app, to access protected folders. Users are alerted when unauthorized apps attempt to access or change files in protected folders.

"These are more durable changes than the traditional signature-based antivirus approach where we say, 'Is the file good or bad?'" says Firstbrook. "Instead of issuing a new signature, [Microsoft] is saying 'Why are they successful, and let's deal with the root cause.'"

The decision to push automatic updates will also ultimately benefit companies in the fight against ransomware. "With continuous updates, and focus on security, they're responding quickly to changing attack patterns on the OS they weren't before," he adds.

Microsoft isn't the only company buckling down on endpoint security. The growth of ransomware has motivated businesses to think beyond traditional antivirus and host intrusion prevention systems, and build next-gen tools that don't rely on signatures to detect malware.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
7 Ways to Keep DNS Safe
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Locked device, Ha! I knew there was another way in.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-15137
PUBLISHED: 2018-07-16
The OpenShift image import whitelist failed to enforce restrictions correctly when running commands such as "oc tag", for example. This could allow a user with access to OpenShift to run images from registries that should not be allowed.
CVE-2017-17541
PUBLISHED: 2018-07-16
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.4 and below versions, FortiAnalyzer 6.0.0, 5.6.4 and below versions allows inject Javascript code and HTML tags through the CN value of CA and CRL certificates via the import CA and CRL certificates feature.
CVE-2018-1046
PUBLISHED: 2018-07-16
pdns before version 4.1.2 is vulnerable to a buffer overflow in dnsreplay. In the dnsreplay tool provided with PowerDNS Authoritative, replaying a specially crafted PCAP file can trigger a stack-based buffer overflow, leading to a crash and potentially arbitrary code execution. This buffer overflow ...
CVE-2018-10840
PUBLISHED: 2018-07-16
Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. An attacker could exploit this by operating on a mounted crafted ext4 image.
CVE-2018-10857
PUBLISHED: 2018-07-16
git-annex is vulnerable to a private data exposure and exfiltration attack. It could expose the content of files located outside the git-annex repository, or content from a private web server on localhost or the LAN.